Tools and techniques for ridding a system of viruses, adware, or spyware
If despite all your best efforts, a system in your organization has managed to pick up some unwanted executable code, you'll no doubt want to remove it. Assuming that the standard Add/Remove Programs approach can't remove the code, let me offer you some alternative approaches for each kind of unwanted code.
First, if it's a virus, you'll want to get rid of it with a virus-cleaning utility. If the system has virus prevention in place, but it didn't manage to catch the unwanted code, check the signature file's date. If the file is out of date, update it and run a scan. If the system doesn't have virus prevention in place, try the free online virus scanning that Trend Micro offers at http://housecall.trendmicro.com. Trend Micro's HouseCall is an ActiveX control that's downloaded to and executes in the user's browser (make sure the system's Microsoft Internet Explorer—IE— security settings allow this behavior) and scans the local system with the latest signature file from Trend Micro. If you want it to do so, the utility can remove any virus infections it finds.
If the virus-scanning utility doesn't work, you can also try Microsoft's Malicious Software Removal Tool (MSRT), available at http://www.microsoft.com/security/malwareremove/default.mspx to rid your system of the unwanted executable code. Microsoft updates the tool at least once a month with new viruses and worms to be removed.
Removing Adware and Spyware
If the unwanted executable code isn't a virus and MSRT doesn't remove it, you're probably dealing with adware or spyware. Adware and spyware exist in a gray area; antivirus utilities don't always automatically detect them. Because most adware and spyware are intended to run on client systems at all times, the applications typically configure themselves to launch when the OS launches. You can examine the various locations and methods such applications can use to launch themselves, including the following:
- Start, Programs, Startup folder— Look for application shortcuts, which are a common way to have an application start up at the same time that a user logs on. It's relatively easy to remove adware and spyware from this location—just delete the shortcut.
- Win.ini file—Check the win.ini file (located in the %SystemRoot% directory) for any evidence of applications configured to launch with the OS. In the win.ini file, check the \[Windows\] section for any programs listed after a Run= or Load= statement. Because file names can be hidden by padding them with enough spaces to push them out of view, make sure you check the entire line.
- System.ini file—In the system.ini file (same location as win.ini, the %System Root% directory), be wary of any program listed on a Shell= statement in the \[Boot\] section.
- Startup registry subkeys—Several areas in the registry can trigger a program to execute automatically at system startup. Check the following subkeys for any evidence of applications you're unsure about: In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion subkey, check Run, RunOnce, Run Services, and RunServicesOnce; in the HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version subkey, check Run, Run Once, and RunServices.
Note: As always, take great care when you edit the registry. An incorrectly applied change could have a severe impact on your system, including making it unbootable.
Checking Components Before Removal
The tricky part about going after programs isn't so much in finding the applications that start automatically with the OS but knowing which autostart executables are valid—part of the OS or valid third-party software—and which are unwanted. Before you start removing references to applications configured to start up automatically, you should consult two references for each application you find. The first is the Microsoft DLL Help component-lookup utility, which you can find at http://support.micro soft.com/dllhelp. Enter an executable name (e.g., mstask.exe), and the tool tells you whether it's a valid Microsoft executable.
As a second check, go to the Win-Tasks Process Library that UniBlue (formerly LiUtilities) maintains at http://www.liutilities.com/products/wintaskspro/processlibrary/ to see whether a component is part of a valid third-party application.
To make the process of removing unwanted executable code easier, you can use the System Configuration Utility (Msconfig) available on Windows XP and Windows 98 (click Start, Run and enter msconfig) to check automatic startup components. Figure 1 shows the Msconfig utility. Go to the Startup tab to see all applications configured to start up with the system or to the *.INI tabs to inspect the local .ini files.
If you run a system other than XP or Win98 or you want a more in-depth look at what components start up with your system, you can download the free Autoruns utility from Sysinternals at http://www.sysinternals.com/utilities/autoruns.html. Autoruns gives you an incredible amount of detail about the components configured to start up as your system boots or as you log on to your desktop. Figure 2 shows a sample Autoruns screen.
Finding Spyware in Browser Helper Objects
One of the most difficult locations in which spyware can hide is the IE Browser Helper Object. Browser Helper Objects are designed to provide add-on features and functionality to IE to improve a user's browsing experience. For example, many popular IE toolbars are Browser Helper Objects. However, Browser Helper Objects' level of access to users' browsing data (e.g., URLs entered, form data provided) is significant. When you combine that with the fact that Browser Helper Objects are harder to find and remove than simple startup applications, you can understand why Browser Helper Objects are a popular mechanism for spyware and malware authors for installing their software.
You can use two techniques to find Browser Helper Objects configured on your system. If you use XP with Service Pack 2 (SP2), you can use the Add-On Manager (in IE, select Tools, Manage Add-ons) to view all Browser Helper Objects currently loaded in IE and disable any of them. Figure 3 shows the IE Manage Addons dialog box. By selecting an add-on from the list and disabling it, you can effectively remove the capabilities of any application that has integrated itself into the browser.
If you don't run XP SP2, the process is a bit more manual. You need to inspect the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects to see what has been configured for your system. The subkeys are class IDs, which will correlate to another area in the registry. In each subkey, you might or might not have a descriptive tag for the Browser Helper Object that the class ID represents. Figure 4, shows a view of this section of the registry.
You can skip the class IDs for the Browser Helper Objects that have a descriptive tag and whose applications you recognize as valid. All other class IDs are worth investigating. Make a list of them, then look in the HKEY_CLASSES_ROOT\CLSID subtree for the unique class IDs you've identified. Figure 5, shows a suspicious class ID that I found and isolated.
Two things stand out about this Browser Helper Object. First, in the Browser Helper Object registry subkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, this item didn't have a description associated with it. Second, when I look at the class ID details, I see that it calls a DLL directly from the Windows %SystemRoot% directory for my system. My cross-referencing of the DLL against the Microsoft site shows that it's not a valid part of the OS. Therefore, the Browser Helper Object is highly suspect and a likely candidate for removal. To remove the Browser Helper Object completely, remove the references from both registry subkeys (the Browser Helper Object subkey and the CLSID subkey), then delete any .dll or .exe files named in the CLSID subkey.
Instead of going through that manual effort, you might want to use the Microsoft Windows Defender antispyware application. Installing Defender on a system infected with spyware is probably the quickest and easiest method of getting rid of unwanted executable code on a user's workstation.
Removing unwanted executable code from a system in your organization isn't a pleasant task, but it isn't an impossible one either. Through careful planning, policy development, and architecture design and implementation, you can significantly decrease the chances that users will bring unwanted code into your organization. But if or when some piece of malware does make it onto one of your systems, you now have some tools for getting rid of it.