It’s increasingly common to hear of an Internet Explorer home page becoming stuck at some unwanted search directory or commercial web site, as the result of some malicious program taking control of a Windows PC. People can even be reluctant to report these ‘browser hijacks’ because of a number of associated pornographic links and pop-ups. Here is a DIY guide to cleaning up the mess after a hijack or spyware attack.

(Written Summer 2004, updated January 2009 with technical details.)

The basic problems with internet security are three: {a} most internet users don’t know what to trust and what not to trust; {b} mass distribution of a single operating system configuration makes its security flaws a big target; and {c} commercial competition can reward malicious programming. The pay-per-click system that advertising websites use means there’s a financial motive in directing the punter, whether openly or through trickery, into a commercial web site (or a premium rate phone line) and taking any commission. Similar techniques can also be used to steal security information such as internet banking passwords. You may be safer if you use a browser like Firefox instead of Internet Explorer, but the most vulnerable group must be people running Windows XP SP1, connecting via a USB broadband modem without any kind of firewall.

Thus ‘adware’ and ‘spyware’ are often attached to other programs, or enter through security holes; while they don’t replicate like computer viruses, they can install themselves on a system like an irritating parasite. Even large, otherwise reputable, companies can be involved in distributing certain adware such as ‘Gator’, ‘Date Manager’ and ‘Precision Time’. The line between adware, spyware, trojans, worms and viruses is esoteric and blurry, so they are now often collectively called “malware”.

So Adware can’t be blamed on idle teenagers, and fortunately there are young hackers (i.e. programmers) involved in countering this, producing effective anti-adware systems, making them free for personal use, profiting only by selling them to business. The most reputable of these is Ad-Aware http://www.lavasoft.com/products/ad_aware_free.php although SpyBot http://www.safer-networking.org/ has its advocates too. Bazooka, SpywareBlaster and HijackThis are detection tools for more advanced users. HijackThis is now available from http://majorgeeks.com/download3155.html as is CWShredder, a removal tool for the ‘CoolWebSearch’ (CWS) class of hijacker which was particularly troublesome around 2004-6.

But the situation is complicated again by the bad guys pretending to be good guys. There are a number of supposed spyware removal tools produced or promoted in association with the spyware makers, such as SpywareBegone and eBlocs/SpyBlocs. These are advertised in place of effective tools, and actually make cleaning your system more difficult. Many of these have also been known to claim to be free and then demand credit card details after a few minutes. Here’s a list: http://pcpitstop.ibforums.com/axslinger/helpfiles/bogu... [edit: try the following instead] http://www.spywarewarrior.com/rogue_anti-spyware.htm. Then, of course, we have those (not remotely credible) pop-ups which imply they have analysed your PC and discovered a spyware problem, in order to get downloads and payments – this is called “scareware” and although we first saw it around 2003, Sophos saw its increase as a major trend of 2008. Note for example that various domains have been set up to promote Search and Destroy, a fake and at best worthless product trading on the good reputation of Spybot Search and Destroy. Indeed people occasionally post comments on this page about it – what a sad job.

In the light of all this, you may not feel like downloading any more software ever again. In fact, if you are serious about security and never download software voluntarily, there is a good case for wiping the computer and reinstalling from your backups – a CD writer or flash drive and your software installation CDs is all that is needed for this, and busy computer repair shops may take this approach, at the expense of losing some configuration.

Here’s a rough guide, for ambitious Windows users, to dealing with an adware infestation on your own. If you keep Windows and an anti-virus up to date, and have a firewall (if on broadband), this shouldn’t have happened at all, but often it’s hard to find the source.

1) Attempt a first-pass Windows Update.
Assuming you don’t happen to have a CD handy with up-to-date antivirus and anti-spyware programs, patches and useful tools from sysinternals like ProcessExplorer and FileMon, you may have to leave the PC connected to the internet. (If you have a router that allows it, you should block port 25 from that PC in case it is sending spam.) If you are particularly prepared and tech-savvy, you might also want to download onto CD a suitable Windows service pack from Microsoft, and a current version of Knoppix or Ubuntu live and ClamAV (open-source antivirus for Linux) so you can scan the computer without starting Windows.

This stage, updating Windows, is not just shutting the stable door; it may also help prevent re-infection during cleaning. Start Internet Explorer, and go to Tools > Windows Update. Click ‘Scan for Updates’, and install any critical updates, particularly updates to the Microsoft Java Virtual Machine. Restart the PC if suggested. If the adware prevents a successful update, just go to the next stage. If you have an anti-virus installed, update it and run a full anti-virus scan.

Look at the Internet Options (via the Control Panel, or right-click on Internet Explorer > Properties if it’s on the desktop). If you can’t even get this far, look here and maybe here (use regedit to check HKEY_CURRENT_USER\Control Panel\don't load\ and any control.ini).
Take a note of the current home page, and try changing it to your desired page. Check the Security settings: remove any suspicious Trusted sites, and on the Internet, change settings to medium, then custom level – download unsigned controls should be disabled, and signed should be ‘prompt’, IFRAME should be disabled, as should run controls or .NET components not marked as safe.

2) Get rid of spyware processes.
Disconnect from the internet and close all open programs. Pause any Task Scheduler by right clicking on its icon near the clock. Bring up the Task Manager by holding down Ctrl and Alt keys and pressing Delete. On Windows NT/2000/XP click on the processes tab. It’s good to know your PC well enough to know what belongs there and what doesn’t, so try this now if you know your system is clean.

Click ‘End Task’ or ‘terminate process’ for each line which you don’t fully recognise. On Windows 95/98/ME you could just leave ‘Explorer’ (the taskbar) and ‘Systray’ running (plus Rnaapp and Tapisrv if you need a current internet connection). These Windows versions don’t show the full program location, but if you have MS Office, you can try \program files\common files\microsoft shared\msinfo\msinfo.exe. Keep trying to terminate processes until they stay terminated. (If this doesn’t work, you’d have to reboot in Safe mode.)

Spyware processes can sometimes be easy to recognise, but difficult to terminate. You may find something suspicious restarting every few seconds with administrator privileges in Windows 2000/XP, even in Safe Mode. This is where Process Explorer, mentioned above, can come in handy – for example, it allows you to terminate Winlogon, to which the malware process can be attached, provided you stop other kernel-mode processes in the right order: first smss.exe, then winlogon.exe, then lsass (csrss can’t be safely terminated in XP). For another approach see Kaspersky’s instructions.

3) Stop the spyware processes loading on reboot.
Start > Run > type ‘msconfig’ and press Enter. (On XP you may need other administrative tools.) Click on the Startup tab. Untick any lines which you don’t recognise: mstask, taskmon, scanregw and powrprof.dll are all intrinsic to Windows, but adware may be disguised with similar but not identical names, and may be stored in a suspicious directory or in Windows\system. (You could use Google or Lycos to search on the suspicious keys if you like – many of these have been reported.) Also check the win.ini tab (and expand the windows category) for any load= or run= lines. Check in system.ini > boot that shell=Explorer.exe.

This is also where you would run any anti-adware program.

4) Remove spyware files.
Go to My Computer > C Drive. Right click on Windows and choose Find/Search; you can restrict the file names to *.exe; *.dll; *.ocx; *.reg; *.hta; *.js to speed things up (or look through the Windows, System and System32 folders individually). Look for files containing the text of the domain name from step 1. The domain name is the bit after ‘http://’ and before the first forward oblique. (It is uncommon for the domain to be encrypted in these files.) The files it finds may be DLLs with completely random names. Send all these to the recycle bin.

The following step is probably unnecessary. If you are used to editing the registry, you could now start ‘regedit’, export the whole file as a backup, and delete any keys containing the domain or suspicious task names. You’ll probably find these under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and \Search, and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. They may be ‘obfuscated’ with lots of ‘%’ sequences.

Check for a hosts file (in \Windows for 98, \Windows\System32 for XP) and delete lines with unfamiliar domains.

5) Change the home and search pages.
Go to Internet Options again and change the home page. Test that this change is permanent a few times: close and open the browser, try the search bar, etc. Reboot and test again. Repeat stages 2-4 if the adware is still there. Install any search function you had before, and remove bookmarks/favourites left by the adware.

6) Run Windows Update again.
Install any critical updates. Install an anti-virus if you didn’t have one before (see ‘software to download’ section), and the Java VM from www.java.com. Consider a different browser or operating system.
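The checks in steps 3 to 5 can be gathered into one read-only audit, shown here as an added example (it is not part of the original guide; it assumes PowerShell 3 or later run as administrator on XP or later, where the hosts file lives under System32\drivers\etc). It lists the IE home/search pages, Run startup entries, Browser Helper Objects and non-loopback hosts entries, and flags anything mentioning the hijack domain noted in step 1; the default $HijackDomain is a constructed placeholder.

```powershell
# Added audit example, not from the original guide. Read-only: it lists, it does not delete.
# $HijackDomain is a constructed placeholder; pass the domain you noted in step 1.
param([string]$HijackDomain = 'example-hijacker.test')
function Get-RegValues([string]$Path) {
    # Return name/value pairs for a registry key, or nothing if the key is absent.
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Path = $Path; Name = $name; Value = [string]$key.GetValue($name) }
    }
}
# Home/search pages and startup entries the guide tells you to inspect by hand.
$paths = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Search',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$entries = @(foreach ($p in $paths) { Get-RegValues $p })
# BHOs are registered by CLSID only; resolve each to the DLL it loads via InprocServer32.
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($clsid in (Get-ChildItem $bhoRoot).PSChildName) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
        $entries += [pscustomobject]@{ Path = $bhoRoot; Name = $clsid; Value = $dll }
    }
}
# hosts file: any mapping that does not point at loopback deserves a look (step 4).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    foreach ($line in Get-Content $hosts) {
        if ($line.Trim() -eq '' -or $line -match '^\s*#') { continue }
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -ge 2 -and $parts[0] -notin '127.0.0.1', '::1') {
            $entries += [pscustomobject]@{ Path = $hosts; Name = $parts[1]; Value = $parts[0] }
        }
    }
}
# Values may be %-obfuscated (step 4); decode before matching against the hijack domain.
foreach ($e in $entries) {
    $decoded = [uri]::UnescapeDataString($e.Value)
    $flag = if ($decoded -match [regex]::Escape($HijackDomain)) { 'SUSPECT' } else { '' }
    '{0,-8} {1} | {2} = {3}' -f $flag, $e.Path, $e.Name, $decoded
}
```

Run it before and after steps 2 to 5 and compare the two listings; entries that reappear after a reboot point at whatever is restoring the hijack.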

E&OE. Edit:

There’s now a Microsoft anti-spyware for Windows 2000, XP and Vista. Good that they’re being more responsible about the security holes.

And also a malicious software removal tool, updated on the 2nd Tuesday of each month. This can be pseudo-installed for XP via Windows Update, but for Windows 2000 and Windows Server 2003 it can be run online.

Comments

Re: Browser hijacking - software NOT to download

http://spyware.(munged).siteburg.com
http://Spywarekill.(munged).narod.ru

[ed note: The above have been submitted to this phorum and are further examples of tedious cons which don't help counter spyware]

Good Software

I too have had the same thing happen as described in this post. I searched around and found a program called “Malwarebytes Anti-Malware”. It worked wonders and helped me. I had to make a post over on my blog about it, it was that good. Even removed that annoying XP Antivirus.

Rob Miller
http://news-about-spyware(munged).blogspot.com/

– Editor’s note: Malwarebytes OK, although those above are more tried and tested. Antivirus 2008/9 are apparently rootkits, so almost impossible to eradicate. The link you posted I’m not confident about though, I’m afraid. Moderation on…

search-and-destroy

Can it run if the user turns on the firewall and the security of antivirus software? I have one software, [URL removed by editor], which is always beneficial.

Re: Windows malware and personal firewalls

(Cof) I think that link you posted was ‘scareware’ – more bogus spyware. I mean surely what you meant was Spybot search and destroy ? :)

An antivirus isn’t necessarily going to stop malware from running – it may stop 99% of it, but there is always a time lag between a new piece of malicious software coming out that doesn’t even match ‘heuristic’ virus signatures, and the anti-virus being updated to recognise it. Usually that delay is a few hours, in which a botnet can spread itself quite widely.

A firewall can stop some exploits, but it isn’t principally about stopping you from downloading and running something. What a personal firewall (like Comodo) can do is tell you in some detail what an unrecognised application is trying to do with your network resources.
