In this document I'll show how to clean a typical spyware infection with the help of FreeFixer. The spyware in this case was installed on my lab computer without my consent just by visiting a web site: the distributors do this by exploiting security holes in the web browser, a so-called drive-by download. Another common distribution method is to bundle the spyware with another program, such as a file sharing client. If you are a first time user of FreeFixer, this is recommended reading before you clean your own machine.
The first sign of infection was that the computer all of a sudden started running very slowly while browsing a web site. Later on, new icons and pop-up adverts appeared on the desktop and two new programs - SpyVampire and UltimateCleaner 2007 - appeared on the computer. The Task Manager was also disabled, preventing me from shutting down the intruding processes.
The first step is to identify the spyware components installed on the infected machine, so I download and install FreeFixer and scan it. The scan result:
FreeFixer v0.19 log http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-17 13:42

System policies
HKCU\..\policies\system, DisableTaskMgr = 1

Browser Helper Objects
{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll

Registry Startups
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program\ucleaner_setup.exe
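The questions I ask of each entry below (where does the file live, does the Run value name match the program, is Task Manager disabled by policy) can be applied mechanically to any log of this shape. The script below is an added example and not part of FreeFixer: it parses the scan log above, which is embedded as constructed input, and applies those triage heuristics. The allowlist of files that legitimately sit in the Windows directory and the list of "generic" Run value names are my own assumptions, and the heuristics only point at entries worth looking up; the version-info and multi-scanner checks that follow are what decide.

```python
"""Triage a FreeFixer-style autostart log with simple, explainable heuristics.
Added example, not FreeFixer's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the scan log from the walkthrough, one entry per line.
SAMPLE_LOG = r"""FreeFixer v0.19 log http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-17 13:42
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Browser Helper Objects
{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll
Registry Startups
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe
Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program\ucleaner_setup.exe
"""

SECTION_RE = re.compile(r"^(System policies|Browser Helper Objects|Registry Startups|Processes)\b")
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe"}   # assumed allowlist for C:\WINDOWS
GENERIC_NAMES = {"system", "windows", "microsoft", "services"}  # assumed list of OS-sounding names


@dataclass
class Entry:
    section: str
    name: str
    image: Optional[str]   # executable/DLL path, or None for a policy setting
    value: str             # raw right-hand side: command line, CLSID or policy value


def image_from_command(command: str) -> str:
    """Pull the image path out of a Run command line: quoted path, else first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return m.group(1) or m.group(2)


def parse_log(text: str) -> list[Entry]:
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:                     # banner lines before the first section
            continue
        if section in ("System policies", "Registry Startups"):
            _key, rhs = line.split(", ", 1)
            name, value = (s.strip() for s in rhs.split("=", 1))
            image = None if section == "System policies" else image_from_command(value)
            entries.append(Entry(section, name, image, value))
        elif section == "Browser Helper Objects":
            clsid, name, path = (s.strip() for s in line.split(",", 2))
            entries.append(Entry(section, name, path, clsid))
        elif section == "Processes":
            entries.append(Entry(section, line.rsplit("\\", 1)[-1], line, line))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Return the entries that trip at least one heuristic, with the reasons."""
    flagged = []
    for e in entries:
        reasons = []
        if e.section == "System policies":
            if e.name.lower() == "disabletaskmgr" and e.value == "1":
                reasons.append("Task Manager disabled by policy; users rarely set this themselves")
        else:
            parts = e.image.split("\\")
            absolute = re.match(r"^[A-Za-z]:\\", e.image) is not None
            if not absolute:
                reasons.append("bare file name: resolved via the search path, so the file could be anywhere")
            elif len(parts) == 3 and parts[1].lower() == "windows":     # C:\WINDOWS\<file>
                if parts[-1].lower() not in WINDIR_ALLOW:
                    reasons.append("executable dropped directly into the Windows directory")
            elif len(parts) == 3:                                       # C:\<folder>\<file>
                reasons.append("file sits directly under a top-level folder, not in a product subfolder")
            if e.section == "Browser Helper Objects" and absolute and parts[1].lower() == "windows":
                reasons.append("BHO loads into every Internet Explorer process and lives under the Windows directory, not a vendor folder")
            if e.section == "Registry Startups" and e.name.lower() in GENERIC_NAMES:
                reasons.append(f"Run value name '{e.name}' imitates an OS component instead of naming the product")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"[{entry.section}] {entry.image or entry.name + ' = ' + entry.value}")
        for r in reasons:
            print(f"    - {r}")
```

On this log the script flags the DisableTaskMgr policy, the AClient.dll BHO, avp.exe, kernelwind32.exe, the bare mgrs.exe Run value, the mgrs.exe process and ucleaner_setup.exe, and leaves msmsgs.exe and freefixer.exe alone. It says nothing about SpyVampire.exe, which looks like an ordinary installed program by path alone; that is exactly the kind of entry the version-info and multi-scanner steps are for.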
If you have plenty of experience removing spyware you can probably identify the unwanted files and settings straight from the scan result. As a first time user it can be difficult, so I'll show some techniques that will help you along the way. Let's look at the first process entry in the scan result:
C:\Program\Messenger\msmsgs.exe
By clicking the more info link in FreeFixer's scan result, you get additional information about the msmsgs.exe file. The version information for msmsgs.exe indicates that it is part of Microsoft's Messenger. You can also see that most other users chose to keep this file. I'm running Messenger on this machine and other users have voted to keep the file, so it appears legitimate and I move on to the next file in the scan result:
C:\Program\FreeFixer\freefixer.exe
This is the FreeFixer program itself. Better keep this file.
C:\WINDOWS\avp.exe
The file above looks suspicious. Its version information says that it's an
Anti-Virus Project (AVP) spyware removal module
by a company called MskSoftStudy Corp. I know for a fact that I've never installed any anti-virus program on this machine, and definitely not one from a company called MskSoftStudy Corp. However, before removing the file I want to be sure it's malicious, so I upload it to Jotti's malware scanner, and the result speaks volumes:
File: avp.exe
Status: INFECTED/MALWARE
MD5: acbdefe4d65b897395a1d2388b246145
Packers detected: -
Bit9 reports:
Scanner results
Scan taken on 18 Aug 2007 07:31:51 (GMT)
A-Squared: Found nothing
AntiVir: Found TR/Dldr.Alphabet.LH1
ArcaVir: Found nothing
Avast: Found Win32:Alphabet-D
AVG Antivirus: Found Downloader.Generic5.BNH
BitDefender: Found Generic.Drop.Alpha.C153CCA5
ClamAV: Found Trojan.Downloader-11633
CPsecure: Found nothing
Dr.Web: Found Trojan.DownLoader.25873
F-Prot Antivirus: Found W32/Downldr2.AMHV
F-Secure Anti-Virus: Found Trojan-Downloader.Win32.Alphabet.k
Fortinet: Found Nonaco!tr
Kaspersky Anti-Virus: Found nothing
NOD32: Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found Troj/Nonaco-Gen
VirusBuster: Found Trojan.DL.Alphabet.BJ
VBA32: Found Trojan-Downloader.Win32.Alphabet.k
13 of the 20 scanners report this as a bad file (most of them as a trojan downloader, which fits a drive-by install that fetches further components), so I check the "Delete" checkbox in FreeFixer. To assist other users who find this file on their computers, I post a comment about my findings. The remaining two files,
C:\WINDOWS\mgrs.exe
C:\Program\ucleaner_setup.exe
seem suspicious too. Most legitimate files have proper version information clearly stating a product and company name; the files above have no version information whatsoever, and ucleaner_setup.exe seems to be part of the unwanted UltimateCleaner software. Both files are detected at Jotti's scanner, so I check them for removal as well.
By using the same procedure on the remaining entries in the scan result, I check these for removal:
{98B822AD-6BE7-49BC-B773-97240B774080}, HttpGuard Class, C:\WINDOWS\system32\AClient.dll
HKLM\..\Run, avp = C:\WINDOWS\avp.exe
HKLM\..\Run, System = C:\WINDOWS\System32\kernelwind32.exe
HKLM\..\Run, smgr = mgrs.exe
HKCU\..\Run, SpyVampire = C:\Program\SpyVampire\SpyVampire.exe
The last entry I check for removal is:
HKCU\..\policies\system, DisableTaskMgr = 1
since I want to remove the setting that prevents me from starting the Task Manager.
Now that I've identified the spyware and the unwanted settings and checked them for removal, I press the "Fix" button and FreeFixer starts deleting the unwanted files and settings. In this case FreeFixer was able to delete all files immediately except AClient.dll, which is typical for a BHO: the DLL is loaded into a running Internet Explorer (and, on XP, Explorer) process, and Windows will not delete a file that is in use:
The following file could not be removed at the moment. It will be deleted when you reboot your machine. Please reboot as soon as possible.
C:\WINDOWS\system32\AClient.dll
What happens now is that FreeFixer has registered the file for deletion before the login prompt appears, so no process can have it loaded when the delete runs. The following screen will appear during the reboot:
To verify that all unwanted files were removed, I log in and scan the system again, and now a clean log appears:
FreeFixer v0.19 log http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-17 14:01

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe