Penn State College of Agricultural Sciences

Recover from Spyware Infections


Spyware/Adware/Malware can cause your system to lose Internet access, slow down, and generate pop-up windows. These are general steps for removing such programs from an infected computer. There is no real guarantee that these steps will completely remove the infections. This will take a MINIMUM of 2 hours to complete. If feasible, you may want to back up the data, re-image the machine, and re-load the data instead.

 

If the description of any detected spyware or malware uses the words or phrases "backdoor", "allows arbitrary code to be run", or "remote access trojan", and it is likely that a hacker has used the backdoor, strong consideration should be given to backing up the data to be retained and then re-formatting the disk and re-installing Windows and the programs. In that case, do not even start these steps. It's a lot of work, but it's the only way you can be sure the computer is clean.

 

If, in the course of these steps, you determine that the computer is infected with a virus or Trojan, you should also change all of your passwords and any account numbers that you may have used on the machine (do this from a different, uninfected computer).

 

These steps are written for College of Ag Sciences Enterprise computers with Windows XP Professional.



Download WinsockxpFix.exe & Get List of Spyware

NOTE: If your computer has been infected with spyware, removing it may cost you network access: some spyware hooks itself into the Winsock stack as a Layered Service Provider (LSP), and deleting its files without unregistering them leaves the stack broken. Assuming that you still have network access, as a pre-emptive step, download the WinsockxpFix.exe file to the computer now. WinsockxpFix.exe resets the Winsock and TCP/IP settings to a default state (on Windows XP SP2 and later, the built-in command "netsh winsock reset" does the same for the Winsock catalog).

  1. Download this file to your desktop.
    ftp://128.118.82.20/Windows/AntiVirus/Winsock_XP_Fix/WinsockxpFix.exe

    NOTE: You will now inventory the spyware on the machine. The ONLINE program called Spy Audit scans the computer and shows you what spyware is on your system. It does NOT remove or modify any files.
  2. Go here: http://www.webroot.com/services/spyaudit_03.htm
  3. Click the Start Spy Audit button. Click Run twice to start the scan.
  4. When finished, click any "(See List)" links to expand the selection. Print this page. Close the window.
  5. Open the Control Panel folder. Open the Add/Remove Programs control panel.
  6. Write down the list of non-standard products installed. This could be anything that you are not familiar with (unlike, say, Microsoft Office or the VPN client).
    * Later, you can use the Google search site, from ANOTHER machine, to look for specific uninstall instructions if the Symantec tools, Spy Sweeper and SpyBot programs are unable to remove the infections.
    * Later, if searching with Google, just use "remove" plus the program name.
    * Here are known "bad" programs:
    New.Net, nhupdater, updater, starter, wupdt, wapdate, wupdate, ILookup
    Anything with 'Search', 'HotBar', 'Web Tools by Hotbar', or 'Screensaver'
    Gator.com applications - Date Manager, Precision Time or Gator eWallet.
  7. Close the Add/Remove Programs control panel.

    NOTE: Now starts the real work of removing the infection.


Verify that the HOSTS file is not hijacked

  1. Remove the computer from the network.
  2. Click Start and select Run. Enter the following command:

    C:\Windows\system32\drivers\etc\

  3. Right Click the HOSTS file and choose Properties. Make sure that it is not set to Read-only. Click OK.
  4. Double-click to open the HOSTS file.
  5. In the Open With box, select Wordpad. Do not check the "Always open this program with. . ." box. Click OK.
    NOTE: Do not delete these lines. Users with a full install of Symantec or Norton SystemWorks may use them for Email Protection.
    127.0.0.1 pop3.norton.antivirus
    127.0.0.1 pop3.spa.norton.antivirus
  6. Delete every other active line (one that does not start with #), whatever IP address it begins with, but DO NOT delete the "127.0.0.1 localhost" line. Hijacked entries do not always point at 127.0.0.1: a line that sends a site to some other address is just as bad, because it silently redirects that site to a server of the attacker's choosing.
  7. BE SURE TO SCROLL DOWN to look for extra entries even if the file appears blank directly below 127.0.0.1 localhost! Hijackers pad the file with dozens of blank lines so that the added entries sit off-screen.
    * Lines like these will prevent a machine from reaching these sites.
    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
  8. Close Wordpad and save your changes when prompted.
  9. Right Click the HOSTS file and choose Properties. Set to Read-only. Click OK.
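The HOSTS check above can be scripted. The following is an added example and is not part of the original Penn State how-to; it flags every active line except "127.0.0.1 localhost" and the two Norton lines the page says to keep, reports the blank-line padding trick, and returns the file with the hijacked lines removed. SAMPLE_HOSTS is constructed for the example, and 192.0.2.10 is a documentation address standing in for an attacker-chosen one.

```python
"""Audit a Windows XP HOSTS file for spyware hijacking.

Added example, not part of the original Penn State how-to.  Every active
(non-comment) line other than the KEEP entries is treated as a hijack,
whether it points a security vendor's site at 127.0.0.1 or points a site
at some other address.  SAMPLE_HOSTS is constructed for the example.
"""

# Entries the page tells you to keep: (IP, hostname), compared case-insensitively.
KEEP = {
    ("127.0.0.1", "localhost"),
    ("127.0.0.1", "pop3.norton.antivirus"),
    ("127.0.0.1", "pop3.spa.norton.antivirus"),
}

HOSTS_PATH = r"C:\Windows\system32\drivers\etc\hosts"   # default XP location

SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       pop3.norton.antivirus\n"
    + "\n" * 40                              # padding: the rest is off-screen
    + "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 securityresponse.symantec.com\n"
    "127.0.0.1 mcafee.com\n"
    "192.0.2.10 www.google.com   # redirected to an address the attacker chose\n"
)


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active line; comments are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield no, parts[0], parts[1:]


def audit_hosts(text):
    """Return the hijacked entries as a list of (line_no, ip, hostname)."""
    return [
        (no, ip, name)
        for no, ip, names in parse_hosts(text)
        for name in names
        if (ip, name.lower()) not in KEEP
    ]


def longest_blank_run(text):
    """Longest run of blank lines; a large value means the file was padded."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if not raw.strip() else 0
        longest = max(longest, run)
    return longest


def clean_hosts(text):
    """Return the file with hijacked lines removed; comments and KEEP entries survive."""
    bad_lines = {no for no, _, _ in audit_hosts(text)}
    return "".join(
        raw for no, raw in enumerate(text.splitlines(keepends=True), 1)
        if no not in bad_lines
    )


def audit_file(path=HOSTS_PATH):
    """Run the audit on a real HOSTS file (Windows) and return the findings."""
    with open(path, encoding="latin-1") as fh:
        text = fh.read()
    findings = audit_hosts(text)
    for no, ip, name in findings:
        print(f"line {no}: {ip} {name}  <- hijacked, delete this line")
    print(f"longest run of blank lines: {longest_blank_run(text)}")
    return findings


if __name__ == "__main__":
    for no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {ip} {name}")
    print("blank-line padding:", longest_blank_run(SAMPLE_HOSTS))
```

After writing the cleaned content back, still set the Read-only attribute as in step 9; the script only tells you what to delete and does not touch the attribute.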

Turn off System Restore and Basic Cleanup

  1. Turn off System Restore.
    Go to Start... All Programs... Accessories... System Tools... System Restore.
    Select Turn off System Restore check box. Click Apply.
    A warning message appears. Click Yes. Click OK.
    Close.
  2. Open the Internet Options control panel.
    Delete Cookies. Delete Files (all Offline Content). Clear History.
    Click the Security tab. Set the four choices to their Default Levels using the Default Level button.
    Close.
  3. Delete all files from the following folders:
    Note: you may click Start and Run and enter these commands to open the folder. Where it says "%UserName%", that stands for your username.

    C:\Windows\Temp
    C:\Windows\Prefetch
    C:\Documents and Settings\%UserName%\Local Settings\Temp
    C:\Documents and Settings\%UserName%\Local Settings\Temporary Internet Files


Use Add/Remove Programs and Tools to Remove Adware Programs

  1. While still disconnected from the network, open the Control Panel folder. Open the Add/Remove Programs control panel.
  2. Scroll to the bottom of the Add/Remove programs list.
  3. Select the first "bad" program from your earlier list. Click Remove.
  4. If asked to restart, click No or Cancel. You will remove as many of these programs as you can first.
  5. KEY STEP. Many of these programs will say that they need Internet access when being removed. Tell the uninstaller to continue (even though you have no Internet access). Then, if the process seems to stall, press CTRL + ALT + DELETE and click the Task Manager button. Go to the Processes tab. End the iexplore.exe process: this is the adware launching Internet Explorer to reach its server. Close Task Manager. When you go back to Add/Remove, the program *may* have been removed.
    Note: At some point, you may need to try the Uninstall while connected, but for now, see what can be removed without a connection.
  6. When you have removed as many as you can, close the Control Panel. Restart the computer. Do not connect to the network.
  7. Open the Control Panel folder. Open the Add/Remove Programs control panel.
  8. If you have Adware programs still listed, continue with the steps.

Look at START-UP folder

  1. Create a folder on the desktop called BAD EXE - Do not open. Open this folder.
    * You will place the bad files here as a backup. Again, these files can be searched with Google to find the programs that are using them.
  2. Right Click on the Start button and choose Explore.
  3. Under the Start Menu folder, click the Programs folder. Click the Startup folder.
  4. Move any suspicious files or folders to the BAD EXE - Do not open folder.

What's Running? What's Set to Run? What's OK to run?

You will now determine what may be running on the computer. This list will be used in removing the Adware/Spyware/Malware.

  1. Right Click on a blank portion of the Taskbar and choose Task Manager.
  2. Click the Processes tab.
  3. Click Show processes from all users box.
  4. Click the Image Name column heading to sort the list by name.
  5. Write down the list.
    Note: you may skip obvious 'OK' processes like Rtvscan.exe (Symantec real-time scanner).
  6. Close the Task Manager window.
  7. Click Start and select Run. Type MSCONFIG and click OK.
  8. Click the Startup tab.
    Note: To get more information about a listing, expand the width of the Command column near the top of the Startup tab. Expand it enough and you'll see the start-up command that the program issues, including its location, such as C:\Program Files\Free Surfer\fs20.exe. The directory location should be another hint to help you know the name of the program.
  9. Write down the list.
  10. Click Cancel to close the window.
  11. Click Start and select Run. Type REGEDIT and click OK.
  12. The most common locations for applications to start through the registry are below. Expand the needed folders to view these keys. The first entry is called Default. Ignore this. Double Click on any suspicious or unknown entries. Write down the Value Name and Value Data. Click Cancel. Do not delete any entries yet.

    Example: to see HKCU\Software\Microsoft\Windows\CurrentVersion\Run you would:
    Click the + sign next to HKEY_CURRENT_USER
    Click the + sign next to Software
    Click the + sign next to Microsoft
    Click the + sign next to Windows
    Click the + sign next to CurrentVersion
    Click the Run folder.
    Look on the right for entries. Double Click. Write down info. Click Cancel.

    * HKCU = HKEY_CURRENT_USER
    * HKLM = HKEY_LOCAL_MACHINE

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices (you may not have this key)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (you may not have this key)

  13. Look at the entries in the above keys. Note (write down) any suspicious keys on the right.
  14. Close the Registry Editor. NOTE: Here is a short list of "good" RUN items. HP direct connect printers will also add items to the RUN folder.

    Acrobat Assistant ................... Adobe Distiller driver
    Adobe Gamma Loader.exe .............. Adobe Systems, Adobe Gamma Loader
    ccApp.exe ........................... Symantec
    ctfmon.exe .......................... Microsoft CTF Loader
    Cisco Systems VPN Client ............ Cisco Systems VPN dialer
    DELLMMKB.EXE ........................ Dell Touch Keyboard
    Digital Line Detect ................. Dell laptop driver
    DirectCD.exe ........................ Easy CD Creator
    dumprep 0 -u ........................ Microsoft's User Fault Check
    HPBMOBIL ............................ HP Mobile Printer driver
    jusched.exe ......................... Sun Java Update Scheduler
    mobsync.exe ......................... Synchronization Manager
    MSMSGS .............................. Windows Messenger
    MsnMsgr.Exe ......................... MSN Messenger
    NvCpl ............................... NVIDIA Display
    NvCplDaemon ......................... NVIDIA Display (NvCpl.dll,NvStartup)
    NvMcTray.dll ........................ NVIDIA Media Center Library
    NvTaskbarInit ....................... NVIDIA Media Center Library
    nwiz.exe ............................ NVIDIA nView Wizard
    OSA.EXE ............................. Microsoft Office Autostart
    PSFree.exe .......................... Pop-Up Stopper Free Edition
    qttask.exe .......................... Apple QuickTime tray icon / updater
    TkBell.exe .......................... RealPlayer (RealNetworks scheduler)
    VPtray .............................. Symantec AntiVirus Tray icon
    WLtray .............................. Dell Wireless driver
    Wfxctl32.exe ........................ WinFax

    NOTE: Here is a very short list of "bad" RUN items.
    TV Media, WIN TOOLS, tficvf.exe, Zserv.dll, aklsp.dll, woyryr.exe

    * This site has a list of Good and Bad items that run on Startup.
    http://answersthatwork.com/Tasklist_pages/tasklist.htm

    * This site has a list of Spyware and the processes they use.
    http://www3.ca.com/securityadvisor/pest/search.aspx

  15. Research on another machine. Use Google if unsure about a process or key. Come up with a list of what you can stop or delete.
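The inventory you just wrote down can be triaged against the page's "good" and "bad" lists before you carry it to another machine for research. This is an added example, not part of the original Penn State how-to: the two lists are the page's own, but the command-line parsing (quoted paths, unquoted paths with spaces, rundll32 lines where the DLL is the interesting part), the classification rule and the SAMPLE_ENTRIES (paths constructed for the example) are mine. read_run_keys() reads the same Run keys the page lists from a live Windows registry; triage() itself is pure and runs anywhere.

```python
"""Triage the Task Manager / MSCONFIG / Run-key inventory collected above.

Added example, not part of the original Penn State how-to.  GOOD and BAD
come from the page's lists; everything else here is an assumption of the
example.  SAMPLE_ENTRIES are constructed.
"""
import ntpath
import re

GOOD = {s.lower() for s in [
    "Acrobat Assistant", "Adobe Gamma Loader.exe", "ccApp.exe", "ctfmon.exe",
    "Cisco Systems VPN Client", "DELLMMKB.EXE", "Digital Line Detect",
    "DirectCD.exe", "dumprep", "HPBMOBIL", "jusched.exe", "mobsync.exe",
    "MSMSGS", "MsnMsgr.Exe", "NvCpl", "NvCplDaemon", "NvMcTray.dll",
    "NvTaskbarInit", "nwiz.exe", "OSA.EXE", "qttask", "qttask.exe",
    "PSFree.exe", "TkBell.exe", "VPtray", "WLtray", "Wfxctl32.exe"]}
BAD = {s.lower() for s in [
    "TV Media", "WIN TOOLS", "tficvf.exe", "Zserv.dll", "aklsp.dll", "woyryr.exe",
    "New.Net", "nhupdater", "wupdt", "wapdate", "wupdate", "ILookup"]}
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")   # legit startup items do not live here

_CV = "Software\\Microsoft\\Windows\\CurrentVersion\\"
RUN_KEYS = ([("HKCU", _CV + k) for k in ("Run", "RunOnce", "RunServices")] +
            [("HKLM", _CV + k) for k in ("Run", "RunOnce", "RunOnceEx", "RunServices")])

_MODULE_RE = re.compile(r"(.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s|,|$)", re.I)


def module_of(command):
    """Return the file a startup command really loads (the DLL for rundll32 lines)."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path, args follow the quote
        end = cmd.find('"', 1)
        end = len(cmd) if end < 0 else end
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:                                         # unquoted, may contain spaces
        m = _MODULE_RE.match(cmd)
        exe = m.group(1) if m else cmd.split()[0]
        rest = cmd[len(exe):]
    if ntpath.basename(exe).lower() == "rundll32.exe":
        m = _MODULE_RE.match(rest.strip())
        if m:
            return m.group(1)
    return exe


def triage(entries):
    """Classify (source, value_name, command) tuples against the page's lists."""
    report = []
    for source, name, command in entries:
        module = module_of(command)
        base = ntpath.basename(module).lower()
        reasons = []
        if name.lower() in GOOD or base in GOOD:
            verdict = "known good"
        elif name.lower() in BAD or base in BAD:
            verdict, reasons = "known bad", ["on the page's bad list"]
        else:
            verdict = "unknown - research"
        if verdict != "known good" and any(t in module.lower() for t in TEMP_DIRS):
            reasons.append("runs from a Temp folder")
            verdict = "suspicious" if verdict.startswith("unknown") else verdict
        report.append({"source": source, "name": name, "module": module,
                       "verdict": verdict, "reasons": reasons})
    return report


def read_run_keys():
    """Enumerate the Run keys the page lists on a live Windows machine (needs winreg)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path, 0, winreg.KEY_READ)
        except OSError:
            continue                              # key absent, as the page warns
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                if name:                          # skip the (Default) value
                    entries.append((hive + "\\" + path, name, str(value)))
                i += 1
    return entries


# Constructed sample of what a Run-key inventory might look like.
SAMPLE_ENTRIES = [
    ("HKLM\\" + _CV + "Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKLM\\" + _CV + "Run", "NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("HKLM\\" + _CV + "Run", "dumprep 0 -u", r"%systemroot%\system32\dumprep 0 -u"),
    ("HKLM\\" + _CV + "Run", "Acrobat Assistant", r'"C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe"'),
    ("HKLM\\" + _CV + "Run", "Free Surfer", r"C:\Program Files\Free Surfer\fs20.exe"),
    ("HKCU\\" + _CV + "Run", "WIN TOOLS", r'"C:\Program Files\Win Tools\wintools.exe"'),
    ("HKCU\\" + _CV + "Run", "sysupd", r"C:\DOCUME~1\user\LOCALS~1\Temp\tficvf.exe"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ENTRIES):
        print(f"{row['verdict']:18} {row['name']:18} {row['module']}  {'; '.join(row['reasons'])}")
```

The "unknown - research" rows are the ones to look up on another machine; anything "known bad" or "suspicious" goes straight onto the stop/delete list for the next section.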


Stop Processes. Uncheck MSCONFIG. Delete RUN keys in Registry

Note: Trojan processes will often restart by themselves (two processes commonly watch each other and relaunch whichever one you kill). You are attempting to stop them here so you can delete their Registry keys later; if one keeps coming back, end its partner first or end both in quick succession.

  1. Stop Processes.
    Right Click on an blank portion of the Taskbar and choose Task Manager.
    Click the Processes tab.
    Click the Show processes from all users box.
    Click the Image Name column heading to sort the list by name.
    Select a process from your "bad" list. Click End Process. Click Yes.
    Repeat until you have stopped as many of the "bad" processes as you can.
    Close the Task Manager window.

  2. MSCONFIG Startup items.
    Click Start and select Run. Type MSCONFIG and click OK.
    Click the Startup tab.
    Look for "bad" items in the list of Startup Items. If there, un-check as needed.
    Click Apply. Click OK. Click Close.
    Click Exit without Restart.

  3. Registry Run Items
    Click Start and select Run. Type REGEDIT and click OK.
    Expand the needed folders to find the "bad" keys.
    To delete a key, Right Click on it and choose Delete. Click Yes.
    After deleting an entry, press F5 (or click another folder on the left and then back on the RUN key) to refresh the view.
    If the "bad" entry reappears at once, take note: something still running is re-creating it, and you will need to find and use manual instructions to remove it.
    Exit the Registry Editor when Done.

  4. Restart the computer.
    Note: If you unchecked items in MSCONFIG, you'll get a warning that you've used the System Configuration Utility to disable a program from starting automatically. Disable the warning by checking the box in the dialog. Click OK.

  5. Start over at Step 1. Look again at the three areas (running processes, MSCONFIG Startup items, Registry RUN entries). Did any processes or entries reappear?

    NOTE: If "bad" entries came back, you will need to find and perform a manual remove of this Trojan - Adware. But first, lets see if Spy Sweeper, SpywareBlaster and SpyBot can help.
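Comparing the three areas before and after the reboot is easier with written-down snapshots. The following is an added example, not part of the original Penn State how-to: the snapshots are plain sets of names and commands as you would copy them from Task Manager, MSCONFIG and Regedit, and the sample snapshots are constructed. It reports the items you removed that are present again after the reboot, and also a new file that appeared in the same folder as a removed one, which is what a Trojan that re-installs itself under a fresh random name looks like.

```python
"""Compare process / startup / Run-key snapshots around the reboot in step 5.

Added example, not part of the original Penn State how-to.  Snapshots are
dicts of sets keyed by area; the BEFORE / AFTER_CLEANUP / AFTER_REBOOT
samples are constructed.
"""
import ntpath

AREAS = ("processes", "startup", "run")


def normalize(snapshot):
    """Lower-case every area so comparisons are case-insensitive, as Windows names are."""
    return {area: {s.lower() for s in snapshot.get(area, ())} for area in AREAS}


def removed(before, after_cleanup):
    """What you actually managed to stop, uncheck or delete, per area."""
    b, a = normalize(before), normalize(after_cleanup)
    return {area: b[area] - a[area] for area in AREAS}


def reappeared(before, after_cleanup, after_reboot):
    """Per area: removed items that are back, new items, and likely renames.

    A rename is a new item whose folder matches the folder of a removed one;
    bare process names have no folder and are only checked for a direct return.
    """
    gone = removed(before, after_cleanup)
    b, r = normalize(before), normalize(after_reboot)
    report = {}
    for area in AREAS:
        back = gone[area] & r[area]
        new = r[area] - b[area]
        renamed = set()
        for old in gone[area]:
            old_dir = ntpath.dirname(old)
            if old_dir:
                renamed |= {(old, item) for item in new if ntpath.dirname(item) == old_dir}
        report[area] = {"back": back, "new": new, "renamed": renamed}
    return report


def needs_manual_removal(report):
    """True when anything came back; the page says to find manual instructions then."""
    return any(r["back"] or r["renamed"] for r in report.values())


# Constructed snapshots: one adware process/entry comes back, one re-installs
# under a new name in the same Temp folder, and one (fs20.exe) stays gone.
BEFORE = {
    "processes": {"explorer.exe", "Rtvscan.exe", "tficvf.exe", "fs20.exe"},
    "startup": {"ctfmon.exe", "fs20.exe", "wintools.exe"},
    "run": {r"C:\WINDOWS\system32\ctfmon.exe", r"C:\Program Files\Free Surfer\fs20.exe",
            r"C:\Program Files\Win Tools\wintools.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\tficvf.exe"},
}
AFTER_CLEANUP = {
    "processes": {"explorer.exe", "Rtvscan.exe"},
    "startup": {"ctfmon.exe"},
    "run": {r"C:\WINDOWS\system32\ctfmon.exe"},
}
AFTER_REBOOT = {
    "processes": {"explorer.exe", "Rtvscan.exe", "tficvf.exe"},
    "startup": {"ctfmon.exe", "wintools.exe"},
    "run": {r"C:\WINDOWS\system32\ctfmon.exe", r"C:\Program Files\Win Tools\wintools.exe",
            r"C:\DOCUME~1\user\LOCALS~1\Temp\qzxwkd.exe"},
}

if __name__ == "__main__":
    rep = reappeared(BEFORE, AFTER_CLEANUP, AFTER_REBOOT)
    for area, r in rep.items():
        print(area, "back:", sorted(r["back"]), "renamed:", sorted(r["renamed"]))
    print("manual removal needed:", needs_manual_removal(rep))
```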


Test Internet Access

  1. Re-boot the machine. DO NOT re-connect to the network until AFTER the restart. Don't let the Adware programs "see" that you are connected just yet.
  2. Plug in the Network cable.
  3. Verify that the Local Area Connection is enabled
    Click Start and choose My Network Places. Click View network connections.
    From the View menu choose Details.
    Verify that the Local Area Connection (or other Ethernet name - not the Cisco Systems or 1394 net adapter) is listed as Connected in the Status column.
    If it isn't, Right Click on Local Area Connection (or other Ethernet name) and choose Enable.
  4. Once you have the Local Area Connection turned on, Open Internet Explorer. If it opens successfully, go to the next section.

    NOTE: If you are unable to get on-line, you will need to use the WinsockxpFix.exe tool in steps 5 - 9.

  5. Write down the current IP Address and setting information.
    Right Click on Local Area Connection (or other Ethernet name) and choose Properties.
    Scroll to the bottom of the connect list and select Internet Protocol (TCP/IP). Click Properties.
    Write down the settings at this screen.
    Click Advanced. Click the DNS tab. Write down the settings at this screen.
    Click the WINS tab. Write down the settings at this screen.
    Click OK as needed. Click Close
  6. Double click on WinsockXPFix.exe application on the desktop.
  7. Click Fix. Click Yes.
  8. In the Reboot Notice window, click OK.
  9. After the computer restarts, Re-open the Local Area Connection properties . Re-enter the information from Step 5. (It has been reset to defaults).
  10. Open Internet Explorer. Attempt to access the Internet.

Install and Run Anti-Spyware programs

  1. If this machine was deeply infected, you should consider also running another program such as CounterSpy V2 or Ad-Aware. They are not free for educational use. Like Spy Sweeper, if you run this software you should remove it when finished.

    http://www.sunbeltsoftware.com/Home-Home-Office/Anti-Spyware/

    http://www.lavasoftusa.com/software/adaware/


    NOTE: If you lose Internet access again, repeat the WinsockxpFix tool steps.


Delete Programs with Add/Remove or simply Delete their folders

  1. Repeat the steps from the "Use Add/Remove Programs" section. You will now have an Internet connection. Be wary of Uninstaller links.
  2. If you are unable to remove a program from Add/Remove, you will need to find and perform a manual remove of this Trojan - Adware.
  3. When you have exhausted this means, open the Program Files folder. Delete any suspicious folders by dragging them to the Recycle Bin.

    Ex: DashBar, Date Manager, Internet Keyword, PrecisionTime, GAIN, Gator, Target Soft, TV Media, Win Tools. If a folder cannot be deleted, a running process still has a file in it open; that program will need to be manually uninstalled.

  4. Restart the computer.


Run Trend Micro's House Call & Symantec Security Check

  1. Follow the steps from these How To's.

    House Call

    Symantec Security Check

  2. Here are other on-line scanners to try. In each case, visit the link and follow their on-screen steps to install the software and scan.

    Panda ActiveScan

    BitDefender Online Scanner (look for the Scan Online button)


Delete Software folders from Registry

At this point you can go back into the Registry and manually delete folders that pertain to some of the adware that you found.

  1. Click Start and select Run. Type REGEDIT and click OK.
  2. Click the My Computer icon. Press CTRL + F.
  3. In Find What, type SOFTWARE. Search only in KEYS and Match whole string only.
  4. Click Find Next.
  5. Expand the 'Software' folder on the left.
  6. Look for suspicious folders under Software. If you find any, double-check.
    If needed, Right Click and Delete them.
  7. Press F3 to search again. Repeat steps 5 - 7 until the search wraps around to where it started.
  8. Restart the computer.

Run an Anti-Trojan (AT) program

If the problem seems to be gone, you may skip this step. Otherwise download, install and update an anti-trojan (AT) program. Record exactly the names of any problems it turns up. Then quarantine and clean the malware.

1. Download and run the free version of Swat It! from here: http://swatit.org/download.html

 

NOTE: Other Anti-Trojan programs are listed here: http://www.dslreports.com/faq/8428


ONCE YOU REACH THIS POINT, the computer should be "clean".
 

If the machine remains infected, you should backup the data, have Computer Support re-image the machine, and re-load the data.


Cleanup and Restore IE Settings. Re-enable System Restore

  1. Delete all files from the following folders:
    C:\Windows\Temp
    C:\Documents and Settings\%UserName%\Local Settings\Temp
    C:\Documents and Settings\%UserName%\Local Settings\Temporary Internet Files
  2. Open the Internet Options control panel.
    Delete Cookies. Delete Files (all Offline Content). Clear History.
    Click the Programs tab. Click the Reset Web Settings button.
    Uncheck the Also reset my home page box. Click Yes.
    Close.
  3. Turn System Restore back on.
    Go to Start... All Programs... Accessories... System Tools... System Restore.
    De-select Turn off System Restore check box. Click Apply. Click OK.
    Close.

Re-secure your computer and accounts

  1. College of Ag Science users SHOULD FOLLOW the steps on this page to change their Penn State Access Account password. 
    Change Your Password 

NOTE: The reason why you should change your password is described here: http://www.dslreports.com/faq/8428

If the description of the adware- malware used the words or phrases: "backdoor", "allows arbitrary code to be run", or "remote access trojan", and if it is likely that a hacker may have used the backdoor, strong consideration should be given to backing-up data to be retained, and then re-formatting and re-installing programs on the computer.

This is because a backdoor allows a hacker to make other changes that may reduce your security settings, but that are not readily detectable with current tools.

If a keystroke logger was detected then hackers may have access to what was typed into your computer, including passwords, credit card numbers, and account numbers. Immediately cancel any credit cards used on the computer, and ask for replacements with new account numbers. Using an uninfected computer, change any website or server passwords that were entered on the infected computer.


Watch and Wait

For the next several days you should do the following steps.

  1. Run Spy Sweeper and SpyBot.
  2. Click Start then Run. Enter MSCONFIG. Look at the Startup tab, did anything re-appear?
  3. Delete all files from the following folders:
    C:\Windows\Temp
    C:\Documents and Settings\%UserName%\Local Settings\Temp
    C:\Documents and Settings\%UserName%\Local Settings\Temporary Internet Files

Advanced Manual Removal Steps

If your computer remains infected with Spyware, please see this How To for advanced steps. Be aware that these steps require a higher level of Windows experience. If you don't feel comfortable doing these more advanced techniques, please contact Computer Support for assistance.

 

How To Recover from Spyware Infections - Advanced

How To Recover from Spyware Infections
2-4-2005 [vcv]; 4-2-2008
Penn State University College of Agricultural Sciences