69 Comments
- Romanito, on 10/11/2007, -1/+42 Better solution: don't use a computer, run naked in the fields and sing along with the birds.
- thenikola, on 10/11/2007, -1/+29 There's A LOT of viruses that Spybot can't remove. Basically any form of SmitFraud, for instance.
- grumpyrain, on 10/11/2007, -0/+25 No, Sysinternals is in a different league, so much so that Microsoft actually bought them out. It is not like Spybot or Ad-Aware, in that it won't actively scan and remove malware. It just shows you what is running. (In fact I am sure that some of the Vista task manager improvements are a direct result of this acquisition.)
- nevesis, on 10/11/2007, -0/+16 I was surprised how accurate this article actually is.
I suggest you turn on Verify Code Signatures, because the signed company name isn't definitive unless you do.
Also, some Microsoft ones don't verify (wtf Microsoft?) but shouldn't be deleted.
You can right click any entry and Google (now MSN Live) it. Do this if you're new.
- cyssero, on 04/18/2009, -2/+18 Spyware is usually pretty easy to remove, if you had a persistent virus though, only maybe then would you format. But really, malware/spyware is simple to clean out these days, thanks to tools like these.
- JimmyTheClam, on 10/11/2007, -1/+12 I think KnightMareInc is right.
If you have been rootkitted, God knows what is REALLY running on your machine and a good rootkit will never be detected either through common means; even Microsoft admits that. After an infection, you can never be sure you haven't been RK'd either.
- SatanHimself, on 10/11/2007, -0/+11 @portis
"Spybot Search and Destroy is all you ever need really"
Afraid not. Anything that is signature based will never be all you need because it is a flawed design because it is reactive instead of proactive. How often have you seen a spyware located in the HKLM\Software\Microsoft\Windows NT\Winlogon\Notify or HKLM\Software\Microsoft\Windows\CurrentVersion\policies registry keys be cleaned by an antispyware program?
- MetaDFF, on 10/11/2007, -0/+10 One useful suggestion that the article doesn't mention is that if your computer is infected, you should immediately disconnect it from the internet to prevent it from further infection / reinfection. Then proceed to clean it either with tools you downloaded before you disconnected from the internet or tools from a usb pen.
- synik, on 10/11/2007, -2/+10 Sure I'll run linux... now, just tell me how I can run Battlefield 1942 and Visual Studio - spending 3 hours ***** around with WINE is not a valid answer.
- adenansu, on 10/11/2007, -1/+9 better solution: don't install random programs. tell the people that turn to you for tech advice to not install random programs.
since i've taken that approach, i haven't had a virus, a root kit, etc installed. nor has anyone that used to call me all the time because their kids downloaded something with a "cool" file name off a p2p program. i do the occasional checks on mine, and on theirs when i work on them. nothing's found, ever.
- SatanHimself, on 10/11/2007, -0/+7 The reason they don't spoof the "Company Name" is because the company name is linked to a digital signature:
http://en.wikipedia.org/wiki/Digital_signature
Most people who write spyware prefer to stay anonymous and not link every piece of software they write back to them.
- bigtomrodney, on 10/11/2007, -0/+6 I always remove it manually when I work on people's machines. You can chase some of it but the quickest solution is boot to safe mode and delete it. You can then remove the registry entries (or maybe do this first). Generally most malware is in HKEY Local Machine/Software/Microsoft/Windows/CurrentVersion/Run
You also get the occasional bit in the Internet Explorer policies section. It's just important to remember none of this software is magic, it runs like anything else. It runs as a user, it needs to be started and it can be stopped by hand.
- kicken18, on 10/11/2007, -2/+7 I have windows and never get spyware....so....bit pointless changing tbh
- MrKC, on 10/11/2007, -0/+4 Get Firefox and the No Script add-on. Having a program like Acronis or Ghost, and having good images, has saved my ass from format hell.
- rkdotan, on 06/06/2008, -0/+4 no games, no mac.
- diggydougie, on 10/11/2007, -0/+3 Here's the problem:
I can go through this and clean up my system 100%
and then tomorrow I'll have a bunch more stuff to clean out.
The really bad stuff that will let the bad guys know your financial info or passwords only needs to work for a very short time to do any damage.
It needs to be prevented in the first place and with certainty.
- TechCF, on 10/11/2007, -0/+3 Well, lazy as I am I usually run Hitman Pro (which runs the ones you talk about and more). Then I go the manual route...
If in a hurry, I go the manual route
- JQP123, on 10/11/2007, -1/+4 Or simply stop surfing the Net while logged in as administrator in Windows.
The single biggest security "innovation" of *nix is the simple fact that root (admin) status is not the default.
- stephenwq, on 10/11/2007, -1/+4 I think I'd only resort to doing it manually if Spybot couldn't remove it automatically.
If worst comes to worst, then perhaps this could come in handy.
- Nineless, on 10/11/2007, -1/+4 I love Process Explorer and Sysinternals.
Thanks for the guide, it's fast and easy.
- Zaggynl, on 10/11/2007, -4/+7 I don't use an active AV or antispyware tools, just updated winxp, installed firefox and a bunch of useful extensions.
I do scan once every..half year or so with a few good AV's, and I have Avira and Clamscan installed, but disabled the on-access scan.
Common sense is so more lightweight ;-)
Oh, making regular offline backups really helps too.
People who cannot administer their own computers should stop using them.
Seriously, AV's and antispyware tools don't help that much, and in fact can make things worse.
Buy a Mac, install some easy understandable Linux distro, namely, Ubuntu, Suze, etc. or simply LEARN how to surf safely.
Think of the people that get called every once in a while because YOU got spyware again!
Oh my, that became quite a rant.
- cphelps, on 10/11/2007, -2/+4 I run XP, I use Firefox and I manually scan occasionally with Ad-Aware. I don't get viruses or spyware, because I don't surf and download stupid ***** like 90% of internet users. If you are having trouble with spyware or are getting viruses, it's user error and you need to take a class.
- sremick, on 10/11/2007, -0/+2 "You can right click any entry and Google (now MSN Live) it."
One of the ways Microsoft is degrading these once-priceless utilities now that they own them. Google is a far better choice for searching.
- grumpyrain, on 10/11/2007, -0/+2 Well the OP's suggestion of "Run Linux & stop wasting time" seems to be at odds with your suggestion to petition games vendors (and with the current state of video card drivers on Linux, do you honestly think Games authors will spend a long time attempting it?) Using Mono to deliver .NET apps to Linux or Mac is certainly a good idea (even ModMono for ASP.NET work), but to suggest to switch IDEs is not a suggestion. Particularly when you have to relearn things the new IDE does differently, and have to deal with the fact that your integrated plugins may not have ports.
The average developer is clued up enough to not get themselves riddled with spyware, and clued up enough to know how to restore an image if their development machine ever did. This theory that developers are sitting there running spybot all day is just ridiculous. It does not save you time to have to learn a new OS, file system structure, a bunch of command line text to share a printer, then search for equivalent programs and learn how to use it. It may be a worthwhile longterm exercise if it removes your dependence on a single software vendor, but you can not justify it by the time you will save.
- JQP123, on 10/11/2007, -0/+2 "Eventually they get fed up and get rights one way or another."
A switch to Linux won't relieve their frustration. And if they "get rights" under Linux by running as root, they become much more vulnerable.
For most users, the single biggest security threat is between their ears.
- grumpyrain, on 10/11/2007, -0/+2 Did you see what he did? Changed 'ws' to 'ze'.
Genius.
- Epyn, on 10/11/2007, -0/+2 He wants to play his stupid war game, not petition developers to release on alternative operating systems, is that too complicated or did you gloss over it so you could quickly redirect blame to the devs?
/runs wine, but not TS and wine, that's too much work for one linux install.
- Epyn, on 10/11/2007, -0/+2 Yeah because user-level access will protect your windows install from more than the weakest minority of malware out there. The thing is, account rights in XP don't do anything but annoy the user when they go to update something, check the clock's calendar or defrag their drive. Eventually they get fed up and get rights one way or another.
Using non active X enabled browsers, not downloading and running shady archives and exes from nowhere sites, and using a vanilla hardware firewall is enough to protect the vast unwashed users from ever seeing this crap.
- KnightMareInc, on 10/11/2007, -0/+2 I'd rather spend the extra couple of minutes restoring the snapshot drive image than not knowing if my system is really safe or not.
- jekinh, on 07/10/2008, -0/+1 I've used http://spywarekiller.awardspace.com
- simplejoe79, on 10/11/2007, -0/+1 GOOOOD......till now .......i wasn't able to find a "sensible" anti-spyware......
- Zergo, on 10/11/2007, -2/+3 That's where SmitRem comes in very handy - it's never failed me yet.
- MrFatalistic, on 10/11/2007, -0/+1 It's true for Unix systems because once you're in, there's a half a million ways to stay in. With windows, a virus usually can be cleaned up because most virii target some really common tasks like winlogon which can be repaired. Plus if you're running unix there's a greater chance it's a production system and not just joe in helpdesk's PC, you can afford to clean it up and run it for a while to verify it's clean. If a production system is compromised the first action is powerdown and take it off the network.
- JQP123, on 10/11/2007, -0/+1 (deleted)
- MrFatalistic, on 10/11/2007, -0/+1 Maybe you should prove that and then I'll digg you, but as is XP has no VM built in, so I highly doubt it could be running and procexp not able to display it. If you're running on a VM already, as in his example, I could see your point. Otherwise however, since this is meant to be a virgin XP copy running on any machine (and not a VM), I don't think you have a foot to stand on. If the host machine had been infected, anyone on a VM would be clueless, that I will agree with.
- ronjohnson, on 10/10/2007, -0/+1 Sysinternals and its utilities aren't just utilities, they are learning tools to master how the windows environment runs.
- inactive, on 10/11/2007, -0/+1 A friend's system was owned recently. It was so bad that the firewall settings were altered and there was a keystroke logger running. The problem with not reinstalling windows is that you can't truly be sure of all the places where the virus may be deposited. I'm not a windows expert but it seems to me that a virus of sufficient complexity could be hidden such that it only becomes active again on a certain date.
People really need to practice safe computing. If I see even one virus on a system my inclination is to do a clean reinstall.
- Osmanthus, on 10/11/2007, -1/+2 This technique gives a false sense of security. Modern malware is able to create a virtual machine that runs windows inside it. There is no way to detect its presence. Easily removed junk like in this article's example is a red-herring that leads you to believe it is acceptable to remove malware from the tasklist to be safe. In fact, reformatting after booting from external media like a cd-rom is the only truly safe thing to do.
- sremick, on 10/11/2007, -0/+1 That's not saying much, since Ad-Aware doesn't even come close to detecting most of the stuff out there.
- MrFatalistic, on 10/11/2007, -0/+1 wow I want you cleaning my PC!
- mymidgetfriend, on 10/11/2007, -0/+1 http://xkcd.com/c272.html
- burclar, on 10/11/2007, -0/+0 http://burclar.alemsohbet.net
http://oyun.alemsohbet.net
http://www.sohbet-tr.com
http://www.iddaa.bz
http://www.antikchat.net
http://www.nuturk.com
Theme site lince looks nice!
- link2, on 06/18/2008, -0/+0 Go to: http://toptenantispyware.com
It gives you the Comparison of the best ten softwares.
- phjr, on 10/11/2007, -2/+2 Yeah, you should only reformat after a rootkit (and then you really should). With spyware it would be too painful.
- grumpyrain, on 10/11/2007, -1/+1 ... and run as a limited user (and in Vista, leave UAC enabled). Although running naked through fields instead of using your PC will work just as well.
- popothebright, on 10/11/2007, -2/+2 Why can't Spyware just spoof the "Company Name"?
This process depends on spyware companies accurately reporting the author-company.
- ThrillSeeker78, on 07/17/2008, -0/+0 People need to protect themselves on the internet. http://www.marketwithartemis.com
- hark659, on 10/11/2007, -2/+1 Spysweeper is good but it's like Norton Antivirus, it's Bloatware which can consume CPU usage.
- peppino, on 06/03/2008, -2/+1 I've been a spyware hunter for about 5 years and have never used sysinternals. I have probably cleaned hundreds of machines. Never mind that I have reformatted a drive or 2 at the beginning of my career.
I have a friend that's been doing it for 10 years and he says he's used sysinternals once. He says it has its place but my solution to spyware is usually Ad-Aware, Spybot, Hijackthis. Double check in regedit (backup 1st) HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run & RunOnce
- deadlikeoscar, on 10/11/2007, -2/+1 No, I read it. I read every word of it. He said WITHOUT messing with wine. If he doesn't want to do that (which I could have told him how to do in minutes, not hours) then using alternative software and changing developers' minds about which operating systems they will support is really the only other option when using Linux.
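
Several comments in this thread point at the Run and RunOnce registry keys and at the difference between a file's stated company name and a verified code signature. The read-only PowerShell sketch below is an added example, not part of any comment or of the linked article; it lists those autostart entries with both values side by side. The HKCU paths and the helper name `Get-CommandImagePath` are additions made for this example.

```powershell
# Added example: list Run/RunOnce autostart entries with their signature status.
# Read-only: nothing is modified or deleted.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Per-user equivalents, not named in the thread (added for this example)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the executable path from a Run value.
function Get-CommandImagePath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')     { return $Matches[1] }  # "C:\path\app.exe" /args
    if ($expanded -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }  # C:\path with space\app.exe /args
    return ($expanded.Trim() -split '\s+')[0]                         # anything else: first token
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $path    = Get-CommandImagePath $command
        # Bare names such as "rundll32.exe" carry no directory and stay unresolved here
        $exists  = Test-Path -LiteralPath $path -PathType Leaf
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Key         = $key
            Name        = $name
            Path        = $path
            # CompanyName comes from the file's version resource and is self-declared
            CompanyName = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName } else { $null }
            # Status is 'Valid' only when the signature and its certificate chain check out
            SigStatus   = if ($sig) { $sig.Status } else { 'Unresolved' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$report | Sort-Object SigStatus, Path | Format-List
```

A `CompanyName` of a well-known vendor next to a `SigStatus` other than `Valid` is the case worth a closer look; as one commenter notes, some legitimate Microsoft files also fail to verify, so a status alone is not a verdict.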