Friday, January 9, 2009

Getting rid of spyware

ASM826 asks a good question in a comment to yesterday's spyware post:
So the trojan this popup installs, how do you get rid of it? I got a user's machine, I think it's clean and then the next day it's back.
Welcome to the thankless world of IT Security, non-IT Security folks. Someone clicked on the dancing baby, or the phishing popup, and now the computer is "acting weird." Slow. Applications don't start.

Infected.

First, shoot the user and hang the body at your company's front door, pour encourager les autres.

Now to the problem. Modern spyware has two nasty characteristics:
  • It often installs its executable files using random names, so that you can't find it by looking for a file name.
  • It often hides its bootup sequence, so deleting most of the files means that it recreates them the next time the system starts. ASM826 is probably seeing this.
Now I've been in Internet Security for years and years, and this is a nasty, difficult job. I'm also lazy - as both my regular readers know - so I'll offer several things to do, in order from easiest to hardest. This may not actually be the best approach, but if you have less-than-smart spyware, you may get a quick win. In any case, it is often worth a try. Certainly for folks at home where this is their home computer, the effort will almost certainly be worth it.

Step 1. Try a bunch of antivirus scanners. I talked about a bunch of good free ones yesterday, so I won't repeat myself. I would recommend starting with the online (browser-based) ones, like Trend Micro's House Call. The reason is that some of the nasty malware will try to attack/shut down/delete antivirus scanners. I haven't heard of them doing this to the online ones.

I'd fire up one of these and give it a spin. Reboot when you're done, and see if the spyware comes back. There's a decent chance it will, but if you run this while you're at lunch, you probably haven't lost much. You can try running all of the online ones in sequence before rebooting - in this case, more is definitely merrier.

Step 2. If that didn't work, try installing an antivirus agent. I gave a selection of good ones in yesterday's post. The malware may try to disable the antivirus, so you need to make sure that the malware isn't running, and for that, you need to boot into Safe Mode. Download the antivirus installer on a different computer, and copy the installer to a USB drive. Use the USB to install it on the infected machine when it's been booted into Safe Mode. Run the scan. This takes time, which is annoying, but won't hurt anything. If it works, then you don't have to try any of the other steps, which may indeed hurt something. Again, reboot into regular mode when you're done, and see if the system is clean (do the symptoms come back?).

Step 3. If that didn't work, you're in for some surgery. Here's where you can start breaking things, so be careful. If you're nervous, skip to the next step which sounds even worse, but actually isn't.

The first thing that you need to do is take out the infected computer's hard disk. Yeah, I know - welcome to the thankless world of IT Security. Put the hard disk into a clean computer. Boot the clean computer. MAKE SURE THAT YOU BOOT FROM THE CLEAN COMPUTER'S HARD DISK, OR YOU'LL INFECT THE CLEAN COMPUTER!

Try running the clean system's antivirus before you go mucking around in the Registry, or you'll make Baby Jesus cry. If that doesn't work, you can try to manually delete the spyware from the infected system's hard drive. There are detailed instructions at this site, although I'm not a big fan of Ad-Aware (can't say about Spybot). In any case, the clean computer's antivirus scanner will likely be as good.
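Since Step 3 comes down to finding whatever re-creates the spyware at boot (the second nasty characteristic above), it helps to list the auto-start entries before you delete anything. The script below is an added example, not part of the original post: it enumerates the common Run/RunOnce keys and the Startup folders and flags entries that point into user-writable directories, have random-looking names, or point at a file that no longer exists. The "random-looking" thresholds are my own rough heuristic, not anything the post specifies.

```powershell
# Added example (not from the original post): list auto-start entries and
# flag the ones that look like the random-named executables the post describes.
# Assumes it is run in an elevated PowerShell on the machine being examined.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories that need no admin rights to write to; legitimate installers
# rarely put a startup executable here, malware often does.
$suspectDirs = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-ExePath([string]$command) {
    # Pull the executable out of a command line, handling quoted paths and
    # arguments, and expand %VAR% references so the path can be checked.
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-RandomName([string]$path) {
    # Heuristic (my own thresholds): generated names tend to be 6+ characters,
    # mix digits with letters, and have very few vowels.
    $name = [IO.Path]::GetFileNameWithoutExtension($path)
    if ($name.Length -lt 6) { return $false }
    $letters = $name -replace '[^A-Za-z]', ''
    if ($letters.Length -eq 0) { return $true }      # all digits/symbols
    $vowelRatio = ($letters -replace '[^AEIOUaeiou]', '').Length / $letters.Length
    $hasDigits = $name -match '\d'
    return ($hasDigits -and $vowelRatio -lt 0.3) -or ($vowelRatio -lt 0.15)
}

function Get-Flags([string]$exe) {
    $reasons = @()
    $lower = $exe.ToLower()
    foreach ($d in $suspectDirs) {
        if ($lower.StartsWith($d)) { $reasons += "user-writable dir ($d)"; break }
    }
    if (Test-RandomName $exe) { $reasons += 'random-looking name' }
    if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'file missing (stale entry or hidden file)' }
    return ($reasons -join '; ')
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip the provider's own PSPath etc.
        $exe = Get-ExePath ([string]$p.Value)
        $findings += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = $p.Value; Flags = (Get-Flags $exe)
        }
    }
}

# Anything in the Startup folders runs at logon too.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Source = $folder; Name = $_.Name; Command = $_.FullName; Flags = (Get-Flags $_.FullName)
        }
    }
}

# Flagged entries first.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table Source, Name, Command, Flags -AutoSize
```

A flag is a reason to look closer, not proof of infection; plenty of legitimate updaters live in AppData. For the disk-in-a-clean-machine setup the post describes, you can point the script at the infected drive instead of the live registry: load its hive with `reg load HKLM\Infected D:\Windows\System32\config\SOFTWARE` (drive letter assumed), add `'HKLM:\Infected\Microsoft\Windows\CurrentVersion\Run'` to `$runKeys`, and `reg unload HKLM\Infected` when done.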

Step 4. If none of this worked, then you Nuke it from Orbit. Back up the user's data, and then re-install the OS. You'll now have an unhappy user, because they'll have to reinstall their applications, they'll be in iTunes DRM Hell, and they've probably lost their bookmarks, but their system is now guaranteed malware-free. Run Windows Update to get the latest security fixes, make sure that the antivirus is installed and up to date, and let them grumble about "stupid IT can't fix my @#$% computer."

Welcome to the thankless world of IT Security. Mac and Linux fanbois can stop smirking, thank you very much.

Now my experience is that many corporate IT departments start with Step 4. It's just faster (meaning less expensive) to nuke it until it glows and then reinstall. If IT does a good job of backing up user data (some don't), then this is actually the preferred strategy, as any scan can miss something, but Hydrogen Fusion won't.

7 comments:

TOTWTYTR said...

For option #3, would taking out the infected HD, putting in into one of those external HD carriers and plugging it in via USB port work? That would remove the risk of booting to that computer by accident, wouldn't it?

blogger said...

TOTWTYTR, that should do it, if you have one of the carriers that has USB output.

TOTWTYTR said...

I have a couple of them as it happens. I've used them to back up data and transfer it back to a new hard drive. Stuff like that.

A friend of mine had a computer that was infected with the Malware that has "Anti Virus 2009" or something on it. One of the IT guys where he works gave him a program to run from a thumb drive that is supposed to fix that. Once I have a copy, I'll let you know what it is and hopefully you'll give us an appraisal of it.

Borepatch said...

TOTWTYTR, great idea.

TheUnpaidBill said...

In our shop if it can't be fixed in less than 20 minutes, it's time to reimage it. I think the turn-around time on a reimage is just under an hour so it's really pretty time-efficient. The user files had best be on the file server or in "My docs" or the user is going to be hating life. As I like to tell my wife, the burned hand is the quickest way to learn. :-)

Borepatch said...

Bill, it's the same at our shop, although I'm not in IT.

Where this is probably worth the effort is at home. You're still probably hating life, though.

Orphan said...

One trick I discovered the last time I cleaned out a family member's computer - if the virus kills your antivirus processes, sometimes just renaming the antivirus executable can bypass them.

This actually goes for task manager too, actually, when the virus is killing your task manager.

(Sure, you could boot it in safe mode, but I like being able to look it in its eyes when I kill it.)