Fighting Windows Viruses and Malicious Software

There are some similar pages on the Internet but so far none put together quite as much information in one place as this document.  Not everything listed below pertains to every version of Windows, but there is information here for every version of Windows.  Most of what is here is very concise and meant to be enough only for people that are quite familiar with Windows and DOS.  If you can't understand this material or it seems too vague, you probably shouldn't be trying to use it.

Remember that prevention is the best medicine.  Preach this as well as practice it.  Never open email attachments without careful scrutiny, if at all.  Treat downloads from peer-to-peer software and the Usenet newsgroups with utmost caution.  Be careful what you click on while you surf the web.  Keep all your software up to date with the latest patches and updates, Microsoft's in particular; install well-known anti-virus software AND keep it current with the publisher's latest virus signature database.  Weekly signature updates are good, daily is best.  It also helps to use anti-spyware software such as Microsoft's Anti-Spyware, Lavasoft's Ad-Aware SE Pro and Patrick Kolla's Spybot Search & Destroy, to get rid of the annoying, resource-hogging bullshit that so many people naively pick up from web sites as they surf the Internet.  Webroot's Spy Sweeper is also very highly rated, but less immediately accessible.  Spybot S&D is donation-ware and Ad-Aware is available in free and enhanced commercial versions.  Spy Sweeper is strictly commercial AND requires a yearly subscription.

Once the machine is infected...

Now that you have an infected machine, it may be impossible to install anti-virus software and/or update it properly.  Sometimes you may not even be able to run REGEDIT or the Task Manager, nor even start the machine in safe mode!  If you're really well-equipped, you have a bootable floppy or CD with any NTFS and RAID drivers you may need, a very up-to-date DOS version of some anti-virus software, and some of the utilities mentioned above.  The virus and malware scans will run slowly on a large drive with many files, but a time-consuming remedy is a remedy just the same.

A good toolkit includes some free utilities.  Sysinternals' Process Explorer is a substitute for Windows' Task Manager that is far more informative than what is built into Windows, and it helps greatly when malware is disrupting access to the Task Manager.  Definitive Solutions' BHODemon helps hunt down software that installs as a Browser Helper Object.

Sysinternals also has a few other utilities that are useful for hunting down rogue processes.  At the top of the list is the Rootkit Revealer, or RKR.

The web sites http://www.spywareinfo.com and http://www.netrn.net both have lots of up-to-date information about the latest spyware and pests, and have lots of very useful utilities available for download, many of them free.  The most useful ones include StartupList, HijackThis and, for rare circumstances, ADS Spy.  All of these are free to download and use.

If you are not quite so well equipped (or if there are problems with the boot devices) you very often end up with a catch-22, which is that the viruses tend to interfere with the installation of anti-virus software, either intentionally or coincidentally.  If you suffer this problem...

Follow this checklist!

Disconnect the machine from your LAN or broadband modem/router until the machine is clean.  This protects you and everyone else from further infection and may even prevent the virus, worm or trojan from loading at all.

SAFE MODE IS YOUR FRIEND.  It keeps many things from loading automatically, hopefully one of them being the virus you're trying to get rid of.  They are often impossible to delete when they're running!  The method for reaching Safe Mode varies a little.  In all cases pressing and/or holding [F8] during startup will bring up the boot menu.  In 98 and ME, you can also reach the boot menu by pressing/holding [Ctrl].  In NT 4 there is no true Safe Mode; start the system in VGA mode and hope for the best.  Some viruses and other malicious software are so tenacious that the "Safe Mode Command Prompt Only" option is required.

This is a good time to try installing or updating your anti-virus and anti-adware/spyware software.  If you still can't get it going in safe mode, you're going to have to do some thorough detective work and house-cleaning!

Some initial clean-up will probably delete many intruding programs and will make virus and malware scanning run faster too, giving them fewer files to chew on.  Empty the web browser caches for all users, then find all the TEMP folders and empty them out too, and empty Windows' wastebasket.

In Windows ME and XP it may be helpful to disable the System Restore feature before cleanup.  Many malicious programs find their way into the restore database and so keep coming back after you delete them.

Configure Windows Explorer for a "details" view and set it to show hidden and system files and not to hide extensions for known file types.

Use the Windows Task Manager to look for suspiciously named processes.  Check the properties of the EXEs you find there to confirm or allay your suspicions.  Be particularly wary of executables that lack a Version tab in the Properties page.  If you're not sure, plug the filename into Google and see what comes up.

Use NETSTAT to look for suspicious ports and processes.  Use the -a switch, and speed things up with -n.  In XP, the new -o switch reveals which processes have which ports open (by PID only; then refer to Task Manager to match the PID to a process name).  Third-party shareware and freeware utilities such as Foundstone's FPORT or Sysinternals' TCPVIEW can reveal more details via a single interface.
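The PID-to-process matching described above can be automated by saving the output of NETSTAT -ANO and TASKLIST /FO CSV to text files and joining them on the PID column, which is roughly what FPORT and TCPVIEW do for you.  The following is an added example, not code from the original page or from any of the tools it mentions.  Both samples of tool output are constructed for the demo (the lookalike process name and the port numbers are invented), and the allow-list of expected listening ports is an assumption you would tune for your own machine.

```python
"""Join `netstat -ano` and `tasklist /fo csv` output on the PID column and
flag the listeners and connections an analyst would want to look at first."""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (XP format, with the -o PID column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8989           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.10:1034      203.0.113.5:6667       ESTABLISHED     1588
  TCP    192.168.1.10:1041      198.51.100.7:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output; "svch0st.exe" (digit zero)
# is an invented lookalike name of the kind the text tells you to watch for.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","812","Console","0","4,512 K"
"svch0st.exe","1588","Console","0","3,120 K"
"iexplore.exe","2204","Console","0","18,400 K"
'''

# Assumption: ports a stock workstation is expected to listen on (tune per machine).
EXPECTED_LISTEN = {135, 139, 445}


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def port_of(addr):
    """Port number from 'host:port' (also works for '[::]:port')."""
    return int(addr.rsplit(":", 1)[1])


def correlate(netstat_text, tasklist_text):
    """Group netstat rows by (pid, image name), the way FPORT/TCPView present them."""
    names = parse_tasklist(tasklist_text)
    by_proc = defaultdict(list)
    for r in parse_netstat(netstat_text):
        by_proc[(r["pid"], names.get(r["pid"], "<unknown>"))].append(r)
    return by_proc


def suspicious(netstat_text, tasklist_text):
    """(pid, image, reason) for listeners outside the allow-list and for
    established connections to anything other than the web ports."""
    findings = []
    for (pid, image), rows in correlate(netstat_text, tasklist_text).items():
        for r in rows:
            lport = port_of(r["local"])
            if r["state"] == "LISTENING" and lport not in EXPECTED_LISTEN:
                findings.append((pid, image, f"listening on {r['proto']}/{lport}"))
            elif r["state"] == "ESTABLISHED" and port_of(r["foreign"]) not in (80, 443):
                findings.append((pid, image, f"connected to {r['foreign']}"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in suspicious(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid:>5}  {image:<14} {reason}")
```

Run against real output by reading the two saved files into the two text arguments; anything the script flags still has to be confirmed by hand, as the text says, by checking the EXE's properties and looking the name up.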

Check for suspicious executable files in the root of your hard drive, and be aware of search path precedence and .exe filename conflicts.  An innocently named but destructive file in the volume root could precede the use of a similarly named file in the Windows folder.

Check for suspicious files in the %WINDIR%, SYSTEM and SYSTEM32 folders.  Do a directory listing and sort by creation date (DIR /OD /TC) to turn up the latest files planted there.  Don't ignore files with earlier dates, but do focus more suspicion on the recent ones.  Many nasties have one or more of the Hidden and System bits set, so also add the /AH or /AS switches to the DIR commands.  Also check the IOSUBSYS and VMM32 folders.  More recently I've found things buried in DRIVERS, or in COMMON FILES.

Check for suspicious files in all the temporary folders, including the ones under Documents and Settings, or under Profiles.  And don't forget the Recycler.

Check the "Run" keys in the registry for suspicious startup processes:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Check the shell association keys in the registry; they should look like this:

HKCR\exefile\shell\open\command = "%1" %*
HKCR\scrfile\shell\open\command = "%1" /S
HKCR\comfile\shell\open\command = "%1" %*
HKCR\batfile\shell\open\command = "%1" %*
HKCR\htafile\shell\open\command = "%1" %*
HKCR\piffile\shell\open\command = "%1" %*
HKCR\cmdfile\shell\open\command = "%1" %*

Check similarly named keys under HKLM\Software\Classes\...
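A quick way to check the Run keys and the shell association keys together is to export the relevant branches with REG EXPORT (or REGEDIT's export) and audit the resulting .reg file offline, which also works on a machine where REGEDIT itself is being blocked once you have a copy of the hives.  The following is an added example, not code from the original page; the .reg text it parses is constructed (the "sysupd.exe" entries are invented stand-ins for a hijacked command), and the expected command values are the ones the page lists above.  HKLM\Software\Classes\<class> is treated as equivalent to HKCR\<class>.

```python
"""Audit a .reg export for tampered <class>\\shell\\open\\command values and
list everything under the Run / RunOnce / RunServices keys."""
import re

# Expected default values, as listed on the page.
EXPECTED = {
    "exefile": '"%1" %*',
    "scrfile": '"%1" /S',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "htafile": '"%1" %*',
    "piffile": '"%1" %*',
    "cmdfile": '"%1" %*',
}

HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample export: three healthy classes, one hijacked comfile under
# HKLM\Software\Classes, and a Run key with one invented startup entry.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\DRIVERS\\sysupd.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SystemUpdate"="C:\\WINDOWS\\SYSTEM32\\DRIVERS\\sysupd.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# A .reg line holding a string value: @="..." or "name"="...", with \" and \\ escapes.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")\s*$')
RUN_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
                    r'(Once|Services|ServicesOnce)?$', re.I)


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """{key_path: {value_name: string_data}}; only REG_SZ values are kept,
    since hex:/dword: data is not needed for these checks."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = unescape(m.group(4))
    return keys


def short(path):
    """HKEY_LOCAL_MACHINE\\x -> HKLM\\x, etc."""
    hive, _, rest = path.partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def check_shell_commands(keys):
    """(key, actual_value) for every listed class whose command differs from EXPECTED."""
    findings = []
    for path, values in keys.items():
        p = re.sub(r'^HKLM\\Software\\Classes\\', r'HKCR\\', short(path), flags=re.I)
        m = re.match(r'HKCR\\(\w+)\\shell\\open\\command$', p, re.I)
        if m and m.group(1).lower() in EXPECTED:
            if values.get("@") != EXPECTED[m.group(1).lower()]:
                findings.append((p, values.get("@")))
    return findings


def list_run_entries(keys):
    """(key, name, command) for every value under a Run-family key."""
    return [(short(path), name, cmd)
            for path, values in keys.items() if RUN_RE.search(path)
            for name, cmd in values.items()]


if __name__ == "__main__":
    keys = parse_reg(REG_SAMPLE)
    for path, cmd in check_shell_commands(keys):
        print(f"TAMPERED  {path} = {cmd}")
    for key, name, cmd in list_run_entries(keys):
        print(f"RUN       {key}  {name} -> {cmd}")
```

Feed it a real export by reading the file with the encoding REGEDIT wrote it in (UTF-16 for REGEDIT 5.00 exports), and compare the Run list against what you see in the Task Manager; a command that points into DRIVERS, a TEMP folder or the volume root deserves the same scrutiny the text gives those locations.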

Check for rogue running services and their keys:

HKLM\System\CurrentControlSet\Services
HKLM\System\CurrentControlSet\Services\VxD

Check for anything suspicious in the following keys:

HKCR\dllfile\shell\open
HKCR\dllfile\ScriptEngine
HKCR\dllfile\shellex
HKCR\dllfile\ScriptHostEncode
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppInit_DLLs
HKLM\Software\Microsoft\Active Setup\Installed Components

If you delete or fix a suspicious registry key and it re-appears or reverts to a suspicious form after a reboot, you've almost surely found at least one virus that was running!

Check the following files for suspicious startup code:

\AUTOEXEC.*
\CONFIG.*
%WINDIR%\SYSTEM.INI: shell=
%WINDIR%\WIN.INI: load=, run=
%WINDIR%\WININIT.INI
STARTUP.BAT
WINSTART.BAT
DOSSTART.BAT

Check the Autostart directory and its contents:

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup="C:\windows\start menu\programs\startup"

Check the common and user-specific Startup groups in Windows.

Check for suspicious installations of GINA DLL's or unusual, non-standard Windows shells here:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

There should normally be no GinaDLL value, or it may refer to MSGINA.DLL, but some legitimate remote-control software does implement its own, e.g. AWGINA.DLL for PCAnywhere.

Many trojans exploit otherwise non-viral software such as ICQ, which anti-virus software won't bother to report.  Watch out for evidence of chat or peer-to-peer software on your system, particularly if it's in your Windows folder structure rather than in its own folder under Program Files.

If ICQ is installed, check this key for apps that start when ICQ auto-detects a connection:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

Radmin is another legitimate program that many virus and worm authors like to deliver and exploit to gain complete control over your computer.

Check HKLM\Software\Classes for instances of "NeverShowExt", which in the Windows GUI can obfuscate the true extension of a full filename in the given class.
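To see what a NeverShowExt entry (or the "hide extensions for known file types" setting mentioned earlier) does to what the user sees, the following added example simulates Explorer's display name for a list of files and flags the ones whose visible name conceals an executable-class extension.  It is not code from the original page; the extension-to-class table, the NeverShowExt set and the file listing are constructed for the demo, and the baseline of classes that legitimately carry NeverShowExt (lnkfile, piffile, InternetShortcut) is an assumption, not a complete list.

```python
"""Simulate Explorer's filename display under NeverShowExt and the
hide-known-extensions setting, and audit for tampered NeverShowExt entries."""

# Constructed: extension -> class (ProgID), as found under HKCR\.<ext>.
EXT_TO_CLASS = {
    ".lnk": "lnkfile", ".pif": "piffile", ".url": "InternetShortcut",
    ".exe": "exefile", ".scr": "scrfile", ".com": "comfile",
    ".bat": "batfile", ".txt": "txtfile", ".jpg": "jpegfile",
}

# Assumption: classes that normally carry NeverShowExt on a stock system.
BASELINE_NEVER_SHOW_EXT = {"lnkfile", "piffile", "InternetShortcut"}

# Constructed: what an audit found on this machine; scrfile is the planted extra.
NEVER_SHOW_EXT = BASELINE_NEVER_SHOW_EXT | {"scrfile"}

# Classes whose files run as code when double-clicked.
EXEC_CLASSES = {"exefile", "scrfile", "comfile", "batfile", "piffile", "lnkfile"}

# Constructed directory listing to audit.
SAMPLE_LISTING = ["photo.jpg.scr", "photo.jpg.exe", "notes.txt", "setup.exe"]


def split_ext(name):
    """('photo.jpg', '.scr') for 'photo.jpg.scr'; ('README', '') when there is no extension."""
    base, dot, ext = name.rpartition(".")
    return (base, "." + ext) if dot and base else (name, "")


def displayed_name(name, hide_known=True, never_show=NEVER_SHOW_EXT):
    """What Explorer shows: the last extension is dropped when its class carries
    NeverShowExt, or when hide-known-extensions is on and the class is registered.
    An unregistered extension is always shown."""
    base, ext = split_ext(name)
    cls = EXT_TO_CLASS.get(ext.lower())
    if cls is None:
        return name
    return base if (cls in never_show or hide_known) else name


def audit_never_show_ext(never_show, baseline=BASELINE_NEVER_SHOW_EXT):
    """Classes carrying NeverShowExt that are not in the expected baseline."""
    return sorted(never_show - baseline)


def hidden_executables(names, hide_known=False, never_show=NEVER_SHOW_EXT):
    """(shown, actual) pairs for files whose display name hides an executable-class extension."""
    out = []
    for n in names:
        shown = displayed_name(n, hide_known, never_show)
        cls = EXT_TO_CLASS.get(split_ext(n)[1].lower())
        if shown != n and cls in EXEC_CLASSES:
            out.append((shown, n))
    return out


if __name__ == "__main__":
    print("unexpected NeverShowExt:", audit_never_show_ext(NEVER_SHOW_EXT))
    for setting in (False, True):
        print(f"hide known extensions = {setting}:")
        for shown, actual in hidden_executables(SAMPLE_LISTING, hide_known=setting):
            print(f"  shown as {shown!r}, really {actual!r}")
```

With extensions shown (hide_known=False) only the planted scrfile entry still hides anything, which is why the text tells you to turn the setting off and then go looking for NeverShowExt.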

If you are dealing with a boot sector virus (increasingly rare!), the amount of available RAM reported may not correspond precisely to the installed physical RAM.  Do the math!

Some spyware can be easily found as installed applications where they may be listed in your Control Panel's Add/Remove Programs applet.  The undesirable programs are not always obvious by name, so check the entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall to find out everything that's been installed on your system and where their files are.  Uninstall anything suspicious, then double-check to make sure they're really, totally gone.

Spyware has shown increasing reliance on ActiveX controls and Browser Helper Objects.  If you get pop-ups when Internet Explorer isn't even open, or in safe mode, that's often a BHO at work.  Use BHODemon to identify and delete BHOs, or find them in the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.  Usually all that's in there is a list of GUIDs, which you then have to search for elsewhere in the registry to find out what they belong to.

ActiveX browser plug-ins can be found in Internet Options / General / Settings / View Objects.  Right click on each, select properties, and look at the codebase URL and the Version tab to find out where it came from and who it belongs to.  Delete anything suspicious or unverifiable.  Check the objects and/or GUIDs against possible entries in HKCR\CLSID and HKLM\Software\Classes for further identification and removal of leftover references.  You can use OLEVIEW to investigate ActiveX controls as well.

A few spyware programs use the LSP functionality in Windows.  You can use LSP-Fix to remove TCP/IP-related bits of stubborn spyware or to correct damage to the TCP/IP stack caused by incomplete uninstalls, or by amateurish software removal attempts.

When the machine is finally clean, change ALL the passwords (in XP don't forget the Administrator account, even though its existence is often obscured) and fully review Windows' and Internet Explorer's security settings.  If you suspect that spyware may have been able to capture your passwords to any important web sites, change those passwords, too.  If there's ANY doubt that your PC is perfectly clean, change your web site passwords ONLY from a machine whose security is certain.

If this web site has helped save your ass or your client's ass, or both, please consider donating a token amount of money (US$2) to help me keep this and my other web sites (Bytebrothers.org, Rectaltronics, etc.) going without bombarding visitors with annoying advertisements.  If you're one of the millions of folks who are already registered with PayPal it's particularly easy.  Thanks in advance!