Although I have never managed to fall victim to spyware or other variants, I am the de-facto Help Desk for my family, as I’m sure many tech-savvy family members are.
My brother-in-law lives in Atlanta and whenever I visit, I check their computers, apply any required updates and patches, and install anything I think they need. This time, I had known for a few months that his computer was totally hosed, since he described the problems over the phone to me. I instructed him to disconnect his network cable so that the problems wouldn’t get any worse. About all he wanted to do was play video games as a single player, so losing network access wasn’t a big deal.
Oh, and this is a post about cleaning up Spyware, so of course, he’s running Windows (2000).
When I got here, I expected the clean-up effort to be pretty easy: a little virus scan here, two or three runs of Spybot: Search & Destroy, and that would be that.
Boy, was I wrong.
It turned out that, not only had he fallen victim to some spyware and adware, but that he had been successfully attacked by several Trojan Horses. These programs were running on startup and basically re-installing all the stuff that I kept uninstalling every time.
My first mistake was not running the virus scanner as my first order of business. I ran Spybot a few times between reboots, and some of the things couldn’t be removed for one reason or another, so I ended up performing some boot-time scans as well. Apparently, this kind of pissed-off whatever was installed and everything seemed to get worse: there was a new program running called SpySherrif, which is a thinly-veiled effort to get you to buy something that you don’t need (i.e. a spyware cleaner that installs more spyware).
After wising up and installing my favorite anti-virus package, Avast!, it detected virii running in memory and recommended a boot-time scan. Of course, I accepted the offer and rebooted.
Along with a host of other files that were infected with things like win32:Trojano, win32:Trojan-XYZ (where XYZ is a random number between 1 and 1000), win32:Beavis-A, and a host of festering, adware-style trash, I was dismayed to learn that explorer.exe was infected with something. I tried to “repair” the file, but there was nothing to be done: it had to be deleted. I did that with a heavy heart, since I didn’t know how Windows would act with it’s primary shell gone. I figured that I would have to reinstall the OS if it was that badly damaged, anyway, so I’d better just delete the damned thing.
After all that, Windows started up, but with no desktop (as I would have expected). Fortunately, CTRL-ALT-DEL still worked, and I was able to run the command prompt and get some real work done. Conveniently, Windows still comes with expand.exe and I had conveniently copied all of the original files from the installation CD to his hard drive. Using those, I was able to restore explorer.exe and make some more progress.
It took several grueling rounds of reboot, virus scan, kill evil-looking resident programs, spyware scan, and then cleanup of Internet Explorer’s “Temporary Internet Files” folder because it ended up containing adware on every reboot. But, I was able to finally exorcize the machine of all the crap that was on it. Below is a list of extremely
useful programs that I keep in my bag of tricks to clean computers:
- Avast! AntiVirus. Nice, ’cause it’s free for home use and very reliable.
- Spybot: Search & Destroy. There’s no better spyware cleaner if you ask me.
- Process Explorer from sys-internals. This puppy shows you everything, and will even let you scan for which program is using a particular file and snoop what resources a program is using.
- Autoruns, also from sys-internals. This one was new to me, but I had to root-out lots of stuff that was re-installing itself on boot, and Windows has like 12 different places where run-on-boot programs can be specified.
Now, it was time to fix everything that was broken. For example, SpySheriff (or another program, it’s pretty much impossible to tell) changed the Desktop to be a web page telling me that my computer had been “stopped” due to spyware and virus activity. Now that I had cleaned it out (no thanks to SpySheriff), I was going to restore the desktop to its previous state. Unfortunately, the options to change any desktop settings were mysteriously greyed-out. This was obviously the work of nefarious software. I set about finding out what happened and how to fix it. Along the way, I discovered that the following items had been hosed by all the software that had taken over my brother-in-law’s computer.
- ActiveDesktop permanently* enabled
- Desktop wallpaper permanently disabled
- Windows AutoUpdate permanently disabled
After much searching, I found out how to fix each of these problems. Below, I describe them so that others might have an easier time finding this information.
- ActiveDesktop is Disabled
I feel bad that I can’t remember precicely where I found this information or what it was, but I believe that checking this registry value will help you out a lot:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerForceActiveDesktopOn (you’ll want this to be set to “0” — zero).
- Desktop Wallpaper is Disabled
Using the information found at this site (http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_bswexe_WindowsFY-t17258.html), I found a registry script that you can run to clean up after a handful of evil programs. I was leery of blindly running that script on my own registry, so I picked out those changes that seemed to make sense for me. Here they are for convenience:
Delete the following keys and their values:
NoDispAppearancePage, Wallpaper, WallpaperStyle, and NoDispBackgroundImage
In HKEY_CURRENT_USERControl PanelDesktop:
- AutoUpdate is Disabled
I first found this site (http://www.amset.info/windows/auto-updates.asp, which told me which registry keys were significant, here (search for “greyed out”). Unfortunately, there was more to it than their suggested fix, so I went looking for more information about those registery values. I found this site (http://www.susserver.com/FAQs/FAQ-InterpretingAUStateValues.asp) which described all the possible values and their meaning. That didn’t help too
much, so I kept looking and found this site (http://snakefoot.fateback.com/tweak/winnt/service/abc.html#AUTOMATIC_UPDATES) which pretty much lays it all out there for you. Using that information, I was able to correct all of the registry values that had been hosed.
Since I was both working and enjoying my family — including my nephew who was celebrating his 1st birthday — it took me 4 days to do all this. *Sigh*
Needless to say, he’s now running with all the latest OS patches, Avast!, Spybot, and, of course, Mozilla Firefox as a replacement for Internet Explorer.