Removing Unwanted Software from Windows Computers (or how to get rid of those pesky viruses, worms, trojans, and spyware)
Windows operators often end up with unwanted software on their computers. First it was viruses, then worms, then trojans, then adware, then spyware. Who knows what is next. They all have one thing in common: they are all programs running on our computers doing things we don't want. The definitions of "virus", "worm", "trojan", and "spyware" become more useless and unimportant as the unwanted software gets increasingly sophisticated and multi-purpose. One blends into another, and new unwanted functionality is sure to follow. Don't get hung up on names.
Perhaps surprisingly, most of this software gets on our computer because we install it ourselves. We run an email attachment. We run something offered over instant messaging, Microsoft file sharing, or a peer to peer sharing network (Kazaa, Gnutella, Limewire, etc.). We download and install software and don't read the license agreements telling us they're going to install additional software. We download and install software from untrustworthy places or individuals.
Some get on our computer because of defects or misconfigurations. We share our entire hard drive. We don't set a strong password. Or we fail to regularly apply security updates that fix defects, found in all computers, that allow others to install and run programs on our computers from afar...often without any mouse clicks required.
Quite a few web sites are taking advantage of defects in Internet Explorer to install a wide variety of malicious software including password stealers, remote control trojans, and spyware. Visit one of these web sites while using unpatched Internet Explorer and the software will be installed on your computer without your knowing it.
The end results vary widely, subject to the whims of the persons who wrote the software.
More general preventive measures include:
When the preventative measures aren't followed or fail, we're faced with a cleanup.
Before we get started, it is important to know that many malicious programs will open backdoors on our computers so that they can be controlled from afar. When that happens, all bets are off. While we may run some standard removal tools or follow some standard procedures to remove known malicious software, the third parties controlling our computers may have done any number of things to allow themselves to retain access unseen by our removal tools. In the case of a "hacked" computer or an accessible remote control trojan, often the best course of action is to wipe the computer clean, rebuild it from scratch, and change all our passwords. While not a pleasant task, there are too many straws to look through in the bale of hay formed by today's computers to have 100% assurance that the computer is under our control using any other method. The more important the information stored on or accessed from our computer, the more important it is that we be sure it is under our control. And even if we use a computer purely for entertainment, others will find it a useful platform from which to launch a crime.
The cleanup procedures here are general in nature. They do not discuss details specific to a particular virus or piece of spyware. What they try to do is introduce the general principles to use in removal of all such software, tell you how to identify the particular piece of software on your computer, and tell you where you can get detailed information if needed.
General Removal Goals
1. Identify the unwanted software. Sometimes all we know is that our computer is doing something undesirable. To fix the problem, we have to know what software is performing the undesirable action.
2. Kill the running program. Whether it's a worm sending itself via email messages or a trojan holding open a door on our computer for others to enter, we need to stop it.
3. Keep the running program from starting again. Almost always, somewhere on our computer are instructions to start the unwanted program when our computer starts up. We need to remove those instructions.
4. Remove the unwanted software from our computer. We want to remove the files that make up the unwanted software.
5. Undo any changes the unwanted software made. If the unwanted software made changes to our computer, for example by changing our home page or the security configuration of our computer, we want to restore the previous values.
6. Keep it from happening again. This was covered in the introduction under prevention.
Most problems today can be detected by either anti-virus software or anti-spyware software. Both are generally reactionary. New types of viruses, worms, trojans, or spyware will slip right by them, leaving prevention up to the individual. Let's look at each one individually, but keep in mind that there are gray areas.
Which to use? Generally, if your computer is popping up ads, altering your browser configuration, or taking you to undesired sites, you can try the spyware section first. Otherwise, start with the next section.
Anti-virus software, or specialized removal tools provided by anti-virus vendors, are the primary detection and removal tools. These instructions assume you are running an up to date copy of Symantec's anti-virus software.
First, let's see if we can identify the unwanted software. After making sure you have the latest LiveUpdate definitions (click the LiveUpdate button on the Symantec startup window), scan the entire hard drive. If it doesn't detect anything, then the unwanted software
Once the unwanted software is identified, we can move on to killing the running program, removing the unwanted software, and, hopefully, reversing its effects. But before doing so, check the Symantec site for the software in question to see if there are special removal instructions or removal tools. Download any removal tools offered.
Kill Running Program(s)
Killing the running program is what usually causes the most problems. Anti-virus software, as a preventative tool, stops known malicious programs as they try to start running on our computer. Anti-virus software, as a removal tool, is usually unable to stop a malicious program that is already running. This might happen if you ran a newly released virus unrecognized by current anti-virus definitions. Even after the anti-virus software is updated, it cannot stop an already running program because it wasn't designed to do so.
There are a couple of options. First, we can run a special removal tool that kills the running program (or kill it ourselves in the task manager). While this works sometimes, there are enough conditions where it won't that it cannot be made part of a general purpose removal procedure. For example, the process name may change from computer to computer, or the program may automatically restart. That leaves us with keeping the program from running in the first place so our anti-virus software or removal tools can get rid of the unwanted software without any interference. (If desired, you can read the software description on the Symantec site to see if you can manually kill the running program without resorting to safe mode. But you'll still have to disable System Restore as described below.)
The first thing we have to do is deal with a Windows feature that is supposed to keep us from damaging our systems. This feature, only on Windows ME and XP, is called System Restore. System Restore keeps track of certain files and, if they are changed or deleted, will restore them from known good copies. Unfortunately, this feature has the unpleasant habit of restoring virus and other unwanted software files after we finally manage to remove them. So we must disable this feature before continuing.
Windows XP instructions:
To keep the unwanted software from running, we need to start up our Windows computer in something called "safe mode". In safe mode, only the most necessary programs are started, hopefully leaving out the unwanted software. Then our tools are free to remove the unwanted software and sometimes undo the damage it has caused.
Windows XP and 2000 safe mode instructions:
We didn't really kill the running software or keep it from running if we reboot normally, but we kept it from running temporarily so it won't interfere with the rest of the removal process.
Remove Unwanted Software
Now we can either run a full scan of the disk using our Symantec anti-virus software or run any special removal tools. Either step should remove the unwanted software. But only a special tool will help with the next step if needed.
Keep Program from Restarting
Most unwanted programs of this type configure our computer so that it restarts the unwanted software each time the computer is started. Since we removed the software, the computer will display an error message about something not being found.
The computer can start programs in a number of places but usually it is from a registry entry. Anti-virus software is not designed to modify the registry so either a special tool must be used or the entries have to be removed manually.
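As an added example (not part of the original article), the following PowerShell script inventories the usual autostart locations, the Run/RunOnce registry keys for the machine and the current user plus the two Startup folders, and flags entries whose target file no longer exists, which is exactly the situation behind the "not found" error message described above. It assumes Windows PowerShell 5.1 or later and only reads; removing an entry is left to the operator or the removal tool.

```powershell
# Added example: list autostart entries from the Run/RunOnce keys and Startup
# folders, and flag entries whose target file is missing (the usual cause of a
# "file not found" message after a removal). Read-only; nothing is changed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as  "C:\x y\a.exe" /arg
# or  %SystemRoot%\system32\b.exe -q, expanding environment variables.
function Get-TargetPath([string]$Command) {
    $m = [regex]::Match($Command, '^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|vbs|js|dll)))',
                        'IgnoreCase')
    if (-not $m.Success) { return $Command.Trim() }
    $raw = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Skip the metadata properties the registry provider adds to every item.
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notin $metaProps }) {
        $target = Get-TargetPath $p.Value
        [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = $p.Value
            Target   = $target
            Exists   = ($target -ne '' -and (Test-Path -LiteralPath $target))
        }
    }
})

# Startup folders (per-user and all-users): everything here runs at logon.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    foreach ($f in Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{
            Location = $path; Name = $f.Name; Command = $f.FullName
            Target   = $f.FullName; Exists = $true
        }
    }
}

$entries | Sort-Object Exists, Location | Format-Table Exists, Name, Target, Location -AutoSize
```

Entries with Exists set to False are the leftovers to clear; entries pointing at existing files in unusual locations are worth checking against the vendor's description of the software before removal.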
Undo the damage
Luckily, the most common unwanted software we are exposed to does not change anything else on the computer. When they do, the changes are very specific to the particular piece of software in question and will usually require a special removal tool for that software. Check on the Symantec site for the software in question for details.
We should always keep in mind that any unwanted software can take any action on our computers the author of the software desires. Past limitations to spreading e-mail should not lead us into a false sense of security. The next piece of unwanted software may delete all our files, make them all public, reconfigure our computer to allow third party control, or silently send our passwords out to the Internet...like some have already done.
There are a multitude of definitions for this type of software. Like the term "trojan", it is very generic to the point of being almost meaningless. Functions can range widely including web site visit audits, browser redirection, and sending keystrokes containing sensitive data to third parties. There are gray areas where functionality may fall into areas often handled by anti-virus software. Once again, in a broad sense, it is just software we don't want on our computers under any name.
There are several free tools available on the Internet that specialize in detecting and removing this type of software. Among the most popular are AdAware and SpyBot Search and Destroy. Several reviews have also been published describing the problem and the software solutions:
There has even been a push recently for legislation to control it. Note, however, it depends on the operator reading warnings that are popped up.
In many, if not most, cases, this type of software is generally included with other software and the operator is informed of this during the installation process, generally in the license agreement. Of course, if the operator does not read the license agreement and accepts it blindly....
Sometimes it is installed as operators visit web sites...the so called "drive-by installations". This is particularly common with unpatched versions of Internet Explorer. Using unpatched defects, a web site can install software on your computer, or take anything it wants off your computer, with no prompts, no warnings, and no indication letting you know it is happening. Of course, if you keep your software updated with security updates but still click on a box allowing the site to install software, you have no defense.
Advanced Detection and Removal Information
This section provides procedures to use if anti-virus and anti-spyware software cannot detect or remove suspicious software. It also discusses ways you can find out what software on your computer is doing, perhaps explaining unexpected behavior. Using this knowledge you can also help assure yourself that your computer is under your control rather than someone else's.
Some introductory computer architecture terminology is introduced here to make sure we're all on the same page.
What programs are running on my computer?
A program is a list of instructions for your computer to execute. All computer behavior is controlled by programs. Without programs, your computer is a hunk of metal, plastic, and silicon. The author of a program controls your computer, not you:
Your computer, its data, and everything accessed from it is at the mercy of the programs running on it. That is why, among security recommendations, refusing to run unknown programs is at the top of the list.
Programs are generally stored in files. The computer loads a file into its memory and starts executing its instructions, at which time the program becomes a running process. This happens as the computer starts up, with the initial program coming from a special type of "start-up memory" called a BIOS. The big overseer of programs, called the operating system, gives a computer its basic personality and is the first program loaded. It may be Windows, Mac OS X, Unix, or some other operating system. Each operating system provides ways to allow other programs to be started as the computer comes to life.
Then, of course, the operator can run programs. They may be run as a result of a mouse click over an icon representing the file where the program is stored (be it a word processor or a virus in an email attachment). They may be run as external computers connect to the local computer to provide some service to the external computer (be it a web client, file share, or a worm). They may be run in a browser as a web site requests a particular translation program for a particular type of sound or graphic file being offered by the web server (be it an audio player or a drive-by installation of spyware).
In today's computers, one program starts up or calls on many other programs as needed to perform the desired function, making them very complex.
Programs rule our computer, our data, our privacy, and our security. Let's see what is ruling ours.
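As an added example (not part of the original article), this PowerShell script answers the two questions that follow, what is running and what network doors it holds open, in one pass: for each process it records the image file, whether that file carries a valid publisher signature, its SHA-256 hash (useful when looking a file up on an anti-virus vendor's site), and any TCP ports it is listening on. It assumes Windows 8 or later for Get-NetTCPConnection and is read-only.

```powershell
# Added example: inventory running processes with their image path, whether the
# image is signed, its SHA-256 hash (for looking up in a vendor database), and
# any TCP ports the process is listening on. Read-only; run elevated to see
# the image paths of processes owned by other users.

# Map process id -> listening TCP sockets (Get-NetTCPConnection needs Windows 8+).
$listening = @{}
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $listening[[int]$c.OwningProcess] += @("$($c.LocalAddress):$($c.LocalPort)")
}

$report = foreach ($p in Get-Process) {
    $path = $p.Path      # null for kernel/protected processes or without rights
    $sig = $null; $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{
        Id        = $p.Id
        Name      = $p.ProcessName
        Path      = $path
        Signature = $sig          # Valid, NotSigned, HashMismatch, ... or null
        SHA256    = $hash
        Listening = ($listening[$p.Id] -join ', ')
    }
}

# Unsigned images and processes holding network doors open are the ones to
# look up first (by name and hash) on the anti-virus vendor's site.
$report | Where-Object { $_.Signature -ne 'Valid' -or $_.Listening } |
    Sort-Object Signature, Name |
    Format-Table Id, Name, Signature, Listening, Path -AutoSize
```

A valid signature from a known publisher is not proof of good intent, and an unsigned image is not proof of the opposite, but the combination of an unsigned file, an odd path, and an open listening port is what the backdoor scenario from the introduction looks like on a running machine.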
What network doors is the software opening on my computer?
What programs start when my computer starts?
How can I stop a running program?