Last Revised: 7/31/05

After watching Mark Russinovich's malware talk at TechEd I decided it would be cool to write an article on the techniques you can use to detect, remove and prevent spyware. Having a copy of VMware 5 and, from Mark's talk, a copy of a program that knowingly installs spyware, I had all the ingredients I needed. I've always loved VMware. It allows you to run a virtual machine and host an operating system within that virtual machine without compromising your own machine. The product is $189, but is worth every penny for the IT professional. What's better is that if you are MCSE or MCP certified you can get a $100 rebate, which takes the price down to $89! With this version we can take snapshots, meaning that we can roll back in time (or move forward) with a click of a mouse.

Before getting started we should first define spyware. As I am lazy, I went on Google to find the definition I liked best:

Programs that, when installed on your computer, change settings, display advertising, and/or track Internet behavior and report information back to a central database. Spyware is sometimes installed unintentionally by users along with other wanted software, and can be very hard to remove. Also known as malware. (Cite: dtp.epsb.net/glossary.htm)

The example program that bundles in spyware I will use is the one used by Mark. It's called the Orange Audio Encoder and I'm hosting a copy locally on my web site as it is getting hard to find. Again, this program contains spyware; do NOT load it on a production machine. You have been warned! Let us load up Windows XP Professional in our virtual world:

[Screenshot: spyware1]

Pictured above is the latest version of Process Explorer, which I am running; I highly recommend downloading it if you are using an older one, as this new version has some cool new features. We see that some processes are in pink and some are in blue. Basically, it is showing us what spawned from what. Everything in pink spawned from winlogon.exe and everything in blue spawned from explorer.exe. Some spyware programs spawn from multiple processes, making them hard to kill. Let us install the Orange Audio Encoder:

[Screenshot: spyware2]
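The parent/child view that Process Explorer draws in the earlier screenshot can also be reconstructed by script, which is handy on a machine where you cannot install tools. The following PowerShell is an added example, not code from the original article or from Sysinternals; it assumes only PowerShell 2.0 or later on the machine being examined, and the "Unusual" column is a heuristic of my own, not anything Process Explorer reports.

```powershell
# Added example, not from the original article: rebuild the parent/child view
# that Process Explorer draws, using the WMI Win32_Process class that ships
# with Windows. Assumes PowerShell 2.0 or later.

function Get-ProcessTree {
    # Index every process by PID so each parent lookup is a hashtable hit.
    $byPid = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object { $byPid[$_.ProcessId] = $_ }

    foreach ($p in $byPid.Values) {
        $parent = $byPid[$p.ParentProcessId]
        # No live parent: either it exited, or its PID was recycled since the
        # child started. Something launched by a now-gone installer looks like this.
        $parentName = if ($parent) { $parent.Name } else { '<orphan>' }

        # Heuristic only: most legitimate XP-era binaries live under the Windows
        # or Program Files directories. Anything else deserves a closer look.
        # (The 32-bit Program Files folder on 64-bit Windows is not covered here.)
        $path    = $p.ExecutablePath
        $unusual = [bool]($path -and ($path -notlike "$env:SystemRoot\*") -and ($path -notlike "$env:ProgramFiles\*"))

        New-Object PSObject -Property @{
            PID     = $p.ProcessId
            Name    = $p.Name
            PPID    = $p.ParentProcessId
            Parent  = $parentName
            Path    = $path
            Unusual = $unusual
        }
    }
}

# Unusual images first, then everything else grouped under its parent.
Get-ProcessTree |
    Sort-Object @{ Expression = 'Unusual'; Descending = $true }, Parent, Name |
    Format-Table PID, Name, PPID, Parent, Path, Unusual -AutoSize
```

ExecutablePath is empty for kernel-side entries such as System and for processes you lack rights to inspect, so run this from an administrator prompt to get the full picture.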

 

Hopefully you can see the telltale signs of what a spyware infection looks like. For starters, Internet Explorer has a new toolbar called MySearch. Look at the cute puppy in the taskbar! Ahhhh, a cute little puppy to sync our clock, isn't that precious? Let's go back to Process Explorer to see what happened:

[Screenshot: spyware3]

Some new friends have joined the party! We have iehost.exe, save.exe, sync.exe, exactUpdate.exe, bargains.exe, nls.exe, cashback.exe and ~mysetup.exe! Using TCPView from Sysinternals we find that save.exe is communicating back to the mothership:

[Screenshot: spyware4]
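The TCPView step above, finding out which process owns an outbound connection, can be reproduced with netstat and Get-Process. This is an added example, not code from the original article or from Sysinternals; it assumes Windows XP or later (netstat's -o switch, which prints the owning PID, first appeared in XP) and PowerShell 2.0 or later, and the default port list is my own choice.

```powershell
# Added example, not from the original article: reproduce the TCPView view of
# which process owns each outbound connection, using "netstat -ano" and
# Get-Process. Assumes Windows XP or later and PowerShell 2.0 or later.

function Get-ConnectionOwner {
    param([int[]]$RemotePorts = @(80, 443))   # web ports few firewalls block outbound

    # "netstat -ano" TCP lines look like:
    #   TCP    192.168.1.10:1034    203.0.113.5:80    ESTABLISHED    1234
    $tcpLines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($line in $tcpLines) {
        $f = $line.Trim() -split '\s+'             # split on runs of whitespace
        if ($f.Length -lt 5) { continue }
        $remote     = $f[2]
        $state      = $f[3]
        $procId     = [int]$f[4]                   # $pid is reserved, hence $procId
        $remotePort = [int]($remote -split ':')[-1] # works for IPv4 and [IPv6]:port

        if ($state -ne 'ESTABLISHED') { continue }
        if ($RemotePorts -notcontains $remotePort) { continue }

        # The PID may belong to a process that has already exited.
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path = if ($proc) { $proc.Path } else { $null }

        New-Object PSObject -Property @{
            PID = $procId; Process = $name; Path = $path
            Remote = $remote; RemotePort = $remotePort
        }
    }
}

# Anything listed that is not a browser, mail client or updater you recognise
# is worth a closer look; the article's save.exe would show up here on port 80.
Get-ConnectionOwner | Format-Table PID, Process, Remote, Path -AutoSize
```

This is a one-shot snapshot; spyware that only phones home periodically will not be connected at the moment you run it, so repeat the check a few times or leave TCPView open while you work.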

 

Are you scared yet? If you have this crap within the borders of your corporate LAN you are in serious trouble! Unless you have outbound firewall rules you truly have no security on a machine infected with spyware. Even with firewall rules in place, save.exe is using port 80 to communicate with the mothership. How many companies block port 80 outgoing at the firewall? Now let's load up Autoruns to see what it put in our startup locations:

[Screenshot: spyware5]
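What Autoruns shows above can be baselined before an install and diffed afterwards, which also catches entries that quietly come back after you delete them. This is an added example rather than the article's or Sysinternals' own code; it assumes PowerShell 2.0 or later, covers only the Run/RunOnce keys and the Startup folders (Autoruns checks far more locations), and the baseline file path in the usage lines is an assumed placeholder.

```powershell
# Added example, not from the original article: take a baseline of the common
# logon autorun locations before installing a program, then diff it afterwards.
# This is the VMware-snapshot idea applied to the registry. Assumes PowerShell
# 2.0 or later. Autoruns checks far more locations than the handful here.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every object; not real value names.
$providerNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerNoise -contains $prop.Name) { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # Per-user and all-users Startup folders: every file there runs at logon.
    $shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @([Environment]::GetFolderPath('Startup'), (Get-ItemProperty -Path $shellFolders).'Common Startup')
    foreach ($folder in $folders) {
        if (-not $folder) { continue }
        Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Save-AutorunBaseline([string]$Path) {
    @(Get-AutorunEntry) | Export-Clixml -Path $Path
}

function Compare-AutorunBaseline([string]$Path) {
    $before = @(Import-Clixml -Path $Path)
    $after  = @(Get-AutorunEntry)
    # "=>" marks entries present now but absent from the baseline. An entry that
    # comes back after you delete it means a live process is re-adding it.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Location, Name, Command |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Location, Name, Command
}

# Usage (placeholder path):
#   Save-AutorunBaseline    -Path C:\autorun-baseline.xml   # before the install
#   Compare-AutorunBaseline -Path C:\autorun-baseline.xml   # after install / reboot
```

Take the baseline on a clean machine and re-run the comparison after each cleanup pass; the diff is empty only when nothing is re-installing itself.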

 

Even if we killed the processes via Process Explorer they would reappear on the next boot. So how do we determine what is legitimate and what is not? Experience! The more you work with files and processes, the better you will be able to determine what is legitimate and what is not. I can tell you right now that nsvsvc.exe and vidctrl.exe are part of the spyware crap. Yes, they look legitimate, but you will not find them on your source Windows XP Professional CD. Remember: Google is your friend! If I was unsure about nsvsvc.exe I could go to www.google.com, input nsvsvc.exe and I would find this:

[Screenshot: spyware6]

 

This won't always work, as the file is sometimes named something like y32489.exe or something close to gibberish, but that in itself should be a red flag for you. Let's kill all of those processes in Process Explorer. The spyware that comes with the Orange Audio Encoder is probably the weakest I've seen. Usually when you kill one process another one spawns in its place, making it very hard to kill. All the processes listed above went down without a fight. In case they do put up a fight, we can use pskill from PsTools to kill multiple processes at the same time, or we can just suspend them from Process Explorer. Once they are suspended or killed we can start the cleanup process.

Now I'll go in and remove the entries it made in Autoruns. After deleting them in Autoruns be sure to hit the F5 key. This will refresh the startup list. If you see something reappear that you deleted, that means there is still a process (or processes) running that you did not kill, and it's repairing itself by placing itself back in the startup location.

Now there are plenty of spyware removal tools: Spybot, Ad-Aware, Pest Patrol, SpySweeper, etc. Personally, I found the best one to be SpySweeper by Webroot. Let's download and install it. There is a 30-day trial version that will detect and clean up spyware for us. Now I load up Internet Explorer and I get the immediate return of our friends! How is this possible? Well, you can install add-ins for Internet Explorer called Browser Helper Objects.

Here's a definition of BHOs:

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then creates them. Created BHOs then have access to all the events and properties of that browsing session. The APIs for building BHOs are very cool -- they give developers almost complete control over Internet Explorer.

Applications which install BHOs are becoming more and more popular because BHOs allow application developers to control Internet Explorer. For example, Alexa uses a BHO to monitor page navigation and show related page links. GetRight and Go!Zilla use BHOs to monitor and control file downloading. Flyswat, Quiver, Blink, iHarvest, etc. use BHOs to extend and control Internet Explorer. BHO technology has allowed the development of some very powerful (and cool) applications. (Cite: http://www.spywareinfo.com/articles/bho/)

Let's hurry up and download SpySweeper, close down Internet Explorer and clean out those bad boys in Process Explorer and Autoruns again. Upon installing and running SpySweeper we find this:

[Screenshot: spyware7]

 

I've been hijacked! Yes, please clean me up, Scotty, I mean SpySweeper.

[Screenshot: spyware8]

 

OK, maybe I was wrong about the weak part. Navisearch is coming back for more!

[Screenshot: spyware9]

 

It found 13 spyware programs. That is all from the installation of ONE program! I opt to remove all of them. I noticed at work and on this virtual machine that explorer.exe seemed to crash, and that SpySweeper takes a huge amount of resources, looking as if it itself were about to crash when you start the removal process. However, it did not and kept right on churning.

Now we'll reboot the virtual machine and re-run Internet Explorer, Autoruns and Process Explorer to see if all is well. It looks better, but the MySearch BHO is still there. Maybe this is not considered spyware? There is an uninstall routine for the MySearch bar listed in Add/Remove Programs. What fun would it be if we removed it that way? Let's load up HijackThis, which deals nicely with BHOs:

[Screenshot: spyware10]

 

Now, you really have to be careful with this program! You can really mess up your system if you delete the wrong thing, and it's very easy to identify something as spyware when it isn't. I recommend visiting the forums at SpywareInfo if you feel uncomfortable or are unsure of what you are doing. In the above screenshot the three components we want to zap are the ones that say BHO. Remember: not all BHOs are bad! That's what can make this tricky! Upon removing these three entries and restarting Internet Explorer, MySearch is gone! Good job!
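The two things done with HijackThis here, listing the BHOs Internet Explorer will create at start-up (the BHO definition above says IE reads them from the registry) and removing one registration, can be scripted. This is an added example, not code from the original article, from HijackThis or from SpywareInfo; it assumes PowerShell 2.0 or later and an elevated shell for the removal, and the CLSID in the usage line is a placeholder rather than any real identifier.

```powershell
# Added example, not from the original article: list the Browser Helper
# Objects Internet Explorer will create at start-up and remove a registration.
# Assumes PowerShell 2.0 or later and an elevated shell for the removal.

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# 32-bit IE on 64-bit Windows also reads the copy under HKLM:\SOFTWARE\Wow6432Node.

function Get-BrowserHelperObject {
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName                        # {GUID} of the COM object
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $desc = $null; $dll = $null
        if (Test-Path $clsKey) {
            $desc = (Get-ItemProperty -Path $clsKey).'(default)'
            $srv  = Join-Path $clsKey 'InprocServer32'
            if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)' }
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        # A BHO whose DLL is unsigned, missing, or outside Program Files is not
        # automatically bad, but it is the first thing to look at.
        $sig = 'NoFile'
        if ($dll -and (Test-Path $dll)) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
        New-Object PSObject -Property @{ CLSID = $clsid; Description = $desc; Dll = $dll; Signature = $sig }
    }
}

function Remove-BrowserHelperObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # Deleting the subkey is all it takes: IE only creates the BHOs it finds
    # here at start-up. The DLL stays on disk for later analysis.
    $path = Join-Path $bhoKey $Clsid
    if ($PSCmdlet.ShouldProcess($path, 'Remove BHO registration')) {
        Remove-Item -Path $path -Recurse
    }
}

Get-BrowserHelperObject | Format-Table CLSID, Description, Dll, Signature -AutoSize
# Dry run first, then drop -WhatIf once you are sure (placeholder CLSID):
# Remove-BrowserHelperObject -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Close every Internet Explorer window before removing a registration; an open browser still holds the DLL loaded, and the entry will only stay gone if no other process re-adds it.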

 

I HIGHLY recommend reading the FAQ posts in the Malware Removal forum on SpywareInfo. There are people there who can help you remove malware. Please contact them and not me, as they are better equipped to handle such problems.

Unfortunately, this problem is going to get much worse thanks to rootkits. Rootkits allow a program to hide itself from the system, so you won't be able to see it in Task Manager, Process Explorer or even Windows Explorer itself! One of these is called Hacker Defender, made by a guy named "Holy Father". It's now a cat and mouse game between him and the rest of the community. Russinovich does have a program called RootkitRevealer, which Hacker Defender attacks. So Russinovich updates his program to thwart these attacks, and of course "Holy Father" strikes back by modifying his program once again to keep up.

Preventing Spyware

There are many ways of preventing spyware. If you are running Windows XP, upgrade to SP2 immediately and make sure Internet Explorer is up to date. I run Firefox on my home PC as my Internet browser, but understandably that won't work in a corporate environment. SpySweeper does have an on-demand antispyware solution, but it is a resource hog and therefore I do not recommend it. On my home PC I simply use SpywareBlaster. This is a freeware program that adds a list of "banned" ActiveX controls and sites to the registry, so you don't have to have it running all the time. You can periodically update these lists with the update feature in the program. Before Internet Explorer goes to a site it checks the "naughty site list". If it finds that site in its list it refuses to go to that site.
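For the curious, here is what a "banned list" of this kind looks like at the registry level: a kill bit for an ActiveX control, and a Restricted sites zone entry for a domain. This is an added example, not SpywareBlaster's or the article's code; it assumes PowerShell 2.0 or later and an elevated shell (the kill bit lives under HKLM), and the CLSID and domain in the usage lines are placeholders, not real spyware identifiers.

```powershell
# Added example, not from the original article: the two Internet Explorer
# registry mechanisms behind a "banned list", written by hand. Assumes
# PowerShell 2.0 or later and an elevated shell. The CLSID and domain in the
# usage lines are placeholders.

$axCompat = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$zoneMap  = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # Compatibility Flags = 0x400 is the "kill bit": IE refuses to instantiate
    # the control even if its DLL is installed and registered. Registry.SetValue
    # creates the key when it does not exist yet.
    [Microsoft.Win32.Registry]::SetValue("$axCompat\$Clsid", 'Compatibility Flags', 0x400,
                                         [Microsoft.Win32.RegistryValueKind]::DWord)
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # GetValue returns $null when the key is missing and 0 when only the value is.
    $flags = [Microsoft.Win32.Registry]::GetValue("$axCompat\$Clsid", 'Compatibility Flags', 0)
    if ($null -eq $flags) { return $false }
    return [bool]([int]$flags -band 0x400)
}

function Add-RestrictedSite {
    param([Parameter(Mandatory = $true)][string]$Domain)
    # ZoneMap\Domains\<domain> with value "*" = 4 puts every scheme for that
    # domain in the Restricted sites zone, where ActiveX and active scripting
    # are disabled by default, so the site cannot push an installer at the browser.
    # The .NET call is used because "*" is a literal value name here, not a wildcard.
    [Microsoft.Win32.Registry]::SetValue("$zoneMap\$Domain", '*', 4,
                                         [Microsoft.Win32.RegistryValueKind]::DWord)
}

# Usage with placeholder values:
Set-ActiveXKillBit  -Clsid '{00000000-0000-0000-0000-000000000000}'
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'   # True
Add-RestrictedSite  -Domain 'spyware.example'
```

Neither setting needs a resident process, which is exactly why this approach costs nothing at run time; the trade-off is that a list like this only protects against controls and sites that are already known, so it has to be refreshed regularly.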