General discussion

  • Creator
  • #2272471

    My recent experience with a spyware/malware infested XP SP2 laptop…


    by unclerob ·

    One of our company’s salesmen recently called me complaining of his laptop’s poor performance, nagging pop-ups, frequent reboots, etc.

    His laptop is a couple years old already but it isn’t a slouch by any stretch. Aside from my own desktop computer, I run the same model laptop as he currently uses (background info: IBM Thinkpad T40, 1.5 GHz, 512 MB RAM, 30 GB HD, 32 MB ATI video card, CDRW/DVD, etc.). I find that the laptop is a workhorse, I use it more than my desktop and I can only say good things about it, and I look forward to my next IBM (I mean Lenovo) Thinkpad when the lease expires on this unit.

    He’s a sales manager and he’s on the road on a regular basis, travelling in his sales territory, attending meetings, visiting his dealer network, etc. Any support I provide him with is usually remote assistance; thankfully he’s always at a location that provides him with a decent high-speed wired/wireless connection. However, his laptop’s performance had degraded to such a poor level that maintaining a remote assistance connection using XP’s remote assistance tool or another remote connection tool that we use proved painful & ultimately useless.

    The problem with his laptop was spyware/malware – a lot of it. Although he isn’t sure how he acquired so much of it, one thing was sure: he couldn’t continue operating with the laptop in its present condition. It locked up and prevented him from working with his email and other applications, office apps no longer functioned, telling him they needed to be re-installed, etc. We managed to perform some spyware scans which took extraordinary amounts of time to complete and yielded poor results and cleaned up very little of the problem. He ended up shipping the laptop to me and said he would swing by the office in a week to pick it up. I informed him that if I deemed that the spyware/malware infestation was too bad, I would just re-image his laptop after backing up his data. He would still need to deal with bringing in his other computer equipment (printers, scanners, digital cameras, iPod, etc.) to arrange to have the required drivers & software installed to restore their functionality, which would require more time – all in all this was turning into a big bowl of $hit soup and I wasn’t really that hungry to begin with. I got the machine the next day and began the cleanup process.

    We sometimes have spyware/malware problems with the office machines connected to our local network but using a combination of Ad Aware and Symantec Antivirus took care of any problems so I assumed I would start with that approach – the results of which seemed like wasted effort.

    I proceeded to download & install the latest version of SpyBot S&D (v1.04) and I also tried out MS Defender Beta 2, updating all the required components and performing the necessary scans. My first full scan took almost an hour to complete and resulted in finding 100+ different items. I thought I was finally gaining ground on this problem, fixed the items that it found and rebooted the laptop for another scan. I was disenchanted to find that most of the items returned after a reboot.

    I rebooted the laptop into safe mode with networking ability, turned off WinXP’s system restore and attempted the same repairs again. I first tried Ad Aware again, updating the latest spyware defs, and it found very little. I ran Spybot and found a lot more; MS Defender Beta 2 found very little during its scans. I rebooted, and subsequent spyware scans in safe mode showed that I was apparently gaining ground. Each reboot revealed fewer instances of spyware and I was feeling confident that I had licked the problem. I rebooted normally and logged on as the local machine’s admin (I didn’t login to our network domain) and performed another scan along with downloading the latest Windows & Office updates (there weren’t that many, less than a dozen combined thanks to automatic updates being enabled). After completing those operations and rebooting, I continued performing other maintenance tasks: disk cleanup, disk defrag, running Norton WinDoctor to tune up the Windows registry, cleaning up temp files that disk cleanup never seems to want to flag & remove (ex. C:\Documents and Settings\userid\Local Settings\Temp ), etc.

    When I was confident that the pc was running normally again, I rebooted and logged in as the user in question and began to test out his office apps, sync up his email, etc. The pc began to exhibit the same spyware infested behavior again, windows popped up randomly, I noticed command windows popping up and I could literally see files being copied to other locations, internet explorer’s default home page had been changed & redirected, attempting to go to other pages wouldn’t work and it would bring me back to the pages it wanted, etc., on top of that office apps wouldn’t work, etc. I tell you at that moment, it took everything in me to stop myself from turning that laptop into a frisbee and setting a long distance throwing record!

    I rebooted the laptop into safe mode and began my spyware scans again, which revealed nothing – how could this be?

    From my clean laptop, I began researching this spyware epidemic on the net and I found a lot of helpful resources and downloaded a lot of spyware removal software I hadn’t heard of. All in all, it took a lot of effort to finally clean this laptop of its problems. I won’t go into every detail because this post has already proven that I’m quite verbose. I will give you a list of what I tried and what worked/what didn’t:

    1. Hijack this, download available at
    – this app gives you an idea of what is running on your pc, you can use it to identify spyware, and their site will also analyze your logs for you and help you identify what’s ok and what isn’t. Highly recommend this app, I used it a lot in conjunction with any new spyware app I tried out to see if they were working or not. It would also identify files by filename that I didn’t recognize and show me their locations on the local pc; I would research the filenames on the net and manually remove them from the pc when the spyware removal tools wouldn’t. Can’t say enough good things about HiJack This!

    2. SpyBot S&D v1.04 you can download this app at

    It’s a good start but isn’t a total solution, it helps find a lot of the spyware that doesn’t hide itself very well. Their spyware scanning engine needs more work when it comes to scanning the windows registry.

    3. Ad Aware SE v1.06 available at
    It used to be pretty good software but based on my last experience, it has developed into nothing more than a “cookie eater”; it didn’t detect any of the nasties that had infected this user’s laptop. The personal home user’s version is free including updates but I guess you get what you pay for. I can’t complain that much if it’s free (change that: I can still complain, it didn’t work well at all).

    4. PrevX1 available at
    During my spyware battle I searched a lot of discussion forums on this topic and a lot of times those in the know mentioned this product. I tried it and I would say it’s very good but it has some cons also. Cons: it doesn’t work in safe mode, which I’ve learned is probably the only environment to scan for & remove spyware/viruses/malware, etc. It doesn’t play nice with Symantec Antivirus/Norton Antivirus. The software caused several WinXP BSODs when it started scanning for spyware – reading up on this topic informed me to uninstall my existing antivirus apps, after which Prevx1 was able to successfully scan for & remove a lot of spyware that Spybot, Ad Aware & MS Defender Beta didn’t find. Its scan engine doesn’t work in safe mode and it tends to be chatty during its real-time monitoring, announcing every running process & application as it starts; it’s a resource hog but again it found more than a few of the other well known apps so I can’t complain. Once I was done with this app, I uninstalled it and reinstalled the Symantec Antivirus client and got my antivirus protection back (as much as Symantec can provide anyways).

    5. MS Defender Beta 2 available at
    This app didn’t find anything, a whole lot of nothing. I’m very disappointed in the performance of this app. I’m assuming that if you release a beta it would mean that the product has some useful functionality, but it doesn’t. Updating the spyware defs doesn’t work even though they provide a button to perform this function; reading up in an MSDN forum shows that Microsoft acknowledges this problem and really wants you to download the definition updates by way of the Windows Update site or by having automatic updates turned on. My question is why have a check for updates button if it doesn’t work? Maybe something more important, shouldn’t the makers of the OS have a better idea & ability to create a tool for scanning & cleaning spyware from its flagship OS? Maybe it’s my logic that’s out of whack for assuming this but I can’t get over this point at all. Maybe it’s why the leeches that create spyware & viruses are so successful, because Microsoft just doesn’t have a clue when it comes to the problems inherently engineered into their OS. It’s very sad, Microsoft if you read this, smarten up, nobody should be better at cleaning up your backyard than yourselves. Telling me to purchase Vista to cure me of my WinXP SP2 spyware problems won’t work either.

    6. Ewido Anti-Malware available at
    – Who knew this product existed? This company’s marketing team needs to kick it up a notch. An excellent product, and the trial version is fully functional and it caught a lot of what the other spyware apps were missing. Maybe I shouldn’t be surprised, Ewido is a Grisoft company and Grisoft makes great antivirus software. Highly recommend it, works great in safe & regular windows modes.

    7. Webroot SpySweeper available at
    – they don’t have a functional download you can try, just a scanning tool. I however found a site which offers a fully functional trial version which I used (I will look for the link and post it here) and it found everything that the other spyware apps mentioned above missed. I was impressed because the laptop’s performance had been restored to its original state and I was figuring I was done with my cleanup; on a hunch based on my previous failed assumption that the laptop was clean, I installed the trial and it found a whole bunch of spyware that was cleverly hidden. It flagged the spyware that it couldn’t remove immediately and upon reboot, removed the stuff it found in previous scans. This is a spyware app that would be worth purchasing, it is that good, and it has a special diagnostic mode meant for use in windows safe mode. Needless to say, it caught everything the others missed, removed those stubborn replicating items and upon several reboots & re-scans cleaned the laptop to the point where 0 instances of spyware were found. Rebooting the laptop normally and logging in as the aforementioned user, office applications worked again, internet explorer no longer suffered its hijacked state, browsing the net worked, no more pop up windows, hijack this revealed no spyware hiding in the background.

    8. Cleanup 4.51
    – Great utility for removing temporary files created while surfing, empties the Recycle Bin, deletes files from your temporary folders, prefetch folders, and more.

    All in all, this spyware battle easily took over 8 hours (spanned across a few days) to finish. I only went through with this laborious effort because the user didn’t need the laptop for a few days and also to see if it was possible to clean a badly infected machine and it is but it is not economically viable to do this. I could have backed up the user’s personal data and formatted the drive & re-imaged the laptop in less than an hour, joined the machine to our network domain and copied over his personal data and attempted to restore some of his personal settings. The method I used was appreciated by the user because he didn’t have to re-install any personal software/hardware devices and restore any personal settings but I wouldn’t be able to do this on a regular basis.

    I can say that I wasn’t defeated by spyware and didn’t have to resort to wiping the drive clean and starting from scratch again but I don’t know if that’s ultimately the truth. If I had to spend this many hours cleaning up this spyware mess then maybe I was defeated, I definitely didn’t get an ego boost out of this (a lesson in spyware removal – yes I definitely got that). If that’s the case I can also say that Microsoft was defeated as well: a machine running Windows XP SP2 with windows firewall enabled, with an up to date antivirus solution in place along with having the most recent windows/office security & critical updates installed didn’t prevent a machine from getting infected/damaged in the first place. This user was running as a Standard user, not as an administrator of the local machine, and was still able to encounter this many problems with spyware infecting the very core of the operating system. Obviously this user’s habits need to be curbed and he needs to learn that his online activities and email habits led to this problem and he needs to change his current ways to stop this from happening again.

    It doesn’t lend much confidence to the current state of affairs with the windows operating system. I can only hope Vista isn’t like this. Another question is why does it take several different spyware removal tools working together to get the job done? Why can’t one tool do it all? A neat idea would be to have one tool which makes use of several different detection engines used by each of the most popular spyware removal apps (since they all seem to catch something the others don’t) to perform a few consecutive sweeps, reboot again into safe mode, repeat these sweeps just to confirm everything was completely removed, reboot again and that’s it. Instead of 8+ hours, less than 1+ hour and you’re spyware-free. What a novel idea, wonder how much it would cost to patent this idea?

    Thank you for reading this long winded post, I await your responses both good & bad (be nice).

    … rob,wpg

All Comments

  • Author
    • #3144691

      I would have wiped it

      by jdclyde ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      long before you did. Takes less time, especially if you have that image.

      After cleaning out the infections, a system is never as stable, which is the other reason I chose to reload vs clean.

      It really is amazing that XP would get as infected as it does, and even more amazing that people blame the user for not running third party software to protect the system, instead of blaming MS for making the OS so vulnerable that you need to buy three other packages to protect XP.

      The user needs to stop using IE and outlook, and not run the system as an admin.

      • #3144637

        I’m either too patient or too stupid…

        by unclerob ·

        In reply to I would have wiped it

        yes, I think if someone brought me another laptop with the same problem, I would probably just backup the data/re-image it and be done with it.

        You are right, there is probably some other permanent damage that can’t be repaired by the spyware removal tools but currently the user is happy with the laptop functioning again so I leave it at that. What’s really sad is that the lease on the machine expires in 6 months, I did all that work and he’ll be getting a new machine in 6 months – doesn’t seem worth it now that I look back at this.

        IE & Outlook are an occupational hazard, we use IE6 because of a company developed website that was developed for the IE environment, doesn’t work with Netscape, Firefox or Opera. Outlook 2003 is a nice email client and I like it a lot myself, the user just needs to stop clicking on every !@#$% link and needs to stop opening every !@#$% attachment.

        He was never running as an admin, just as a standard user, I may even rethink that and change to run as a restricted user but that would probably just generate more phone calls in my direction, “I can’t do this anymore, I can’t do that anymore, what changed?, etc. etc. etc.”

        • #3144555

          If you HAVE to use IE

          by jdclyde ·

          In reply to I’m either too patient or too stupid…

          put your local servers in as trusted, and shut off Java/ActiveX and all the other crap in every other zone. This will stop a lot of the issues you are running into.

          Just make sure to trust ALL the sites the user NEEDS for business, and too bad for everything else.

          Set your firewall to delete all executables and bats.

          The big thing lately is viruses in Word Docs. Turn off scripts.

          Hopefully you won’t deal with this (l)user again until he breaks his new system, and lock it down good before giving it to him. I wouldn’t do the restricted user as MS is too stupid to make a valid account set of permissions.
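          Turning jdclyde’s zone advice into something repeatable, as an added example that is not part of any post in this thread: a PowerShell script that writes the per-user IE zone settings directly. It assumes the registry layout IE uses (Zones\<n> holding DWORD action IDs, ZoneMap\Domains for site-to-zone assignment), assumes PowerShell is installed on the XP box, and the host names at the bottom are constructed placeholders for whatever the user’s business sites really are.

```powershell
# Added example (not from the thread): lock down the Internet and Restricted
# zones and whitelist business sites as Trusted, via the HKCU keys IE reads.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable
# (1C00, the Java permission mask, uses 0 for "Disable Java").

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# DWORD value names under Zones\<n> and what each one controls
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
    '1C00' = 'Java permissions'
}

function Set-ZoneLockdown {
    # Disable every action in $Actions for the given zones (default: Internet, Restricted).
    param([int[]]$Zones = @(3, 4))
    foreach ($z in $Zones) {
        $key = Join-Path $ZonesKey $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($id in $Actions.Keys) {
            $value = if ($id -eq '1C00') { 0 } else { 3 }
            Set-ItemProperty -Path $key -Name $id -Value $value -Type DWord
        }
    }
}

function Add-TrustedSite {
    # Map a host into zone 2 (Trusted sites). IE stores host.example.com as
    # Domains\example.com\host; a bare intranet name goes straight under Domains.
    # A value named '*' covers every scheme; pass -Scheme 'https' to trust HTTPS only.
    param([Parameter(Mandatory=$true)][string]$HostName, [string]$Scheme = '*')
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $key    = Join-Path (Join-Path $DomainsKey $domain) $sub
    } else {
        $key = Join-Path $DomainsKey $HostName
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Get-ZoneReport {
    # Read the effective values back: verifies the change now, and re-running it
    # later shows whether something has quietly re-enabled scripting or ActiveX.
    param([int[]]$Zones = @(3, 4))
    foreach ($z in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $ZonesKey $z)
        foreach ($id in ($Actions.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                Zone = $z; ActionId = $id; Action = $Actions[$id]; Value = $props.$id
            }
        }
    }
}

Set-ZoneLockdown
Add-TrustedSite -HostName 'sales-portal.example.com'            # constructed placeholder
Add-TrustedSite -HostName 'mail.example.com' -Scheme 'https'    # constructed placeholder
Get-ZoneReport | Format-Table Zone, ActionId, Action, Value -AutoSize
```

          Because these are HKCU values, a browser hijacker running as the user can write them back; that is why the script ends with Get-ZoneReport rather than assuming the write stuck, and why the report is worth re-running after any cleanup.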

      • #3143098

        Blaming MS is REALLY a solution…

        by rmazzeo ·

        In reply to I would have wiped it

        First of all, if my company spent that amount of time on each PC, we’d be out of business in a month. We strongly urge our clients to save important files, because in this situation we don’t even bother to look at the HDD, except to make sure the drive itself is healthy. We simply wipe it & start anew. Matter of fact, it’s in the contract that we are not responsible for lost data. In non-infestation cases we will try to save data, but the client knows that this cost is extra & we still don’t guarantee saving anything. Most of our clients now know to copy important stuff to other media, so it’s all about education, first of all, & making the client aware that any data that we try to save will cost them. It works, as our business is booming & we have few complaints.
        That said, your comment about blaming MS instead of the user taking control is counter productive. It’s no longer an excuse to state that “oh, I’m computer illiterate…”. If that’s the case, you shouldn’t own a PC at all. The user must take the responsibility of knowing the basics of computer use & security, including anti-virus & anti-spyware programs. After all, most 6-year olds can use a PC these days, there’s no excuse for an adult to be stupid or ignorant about a PC if they own one. The OS is the OS, it is what it is, other add-on SW is necessary now & always will be. Even Linux & Mac are starting to see trojans & virii, so let’s take our collective heads out of the sand & take responsibility for our PC use, rather than blame everyone around us, including the OS makers.

    • #3144683

      You were too good to them

      by oldbag ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I agree with JD. I would have backed up the user data and started fresh. Yes, there are holes in the OS that allow spyware, even if the user is not admin but I’m willing to bet that this user would be more careful if they had to get all the drivers etc reloaded.

      I am finding that I am less and less sympathetic to users who do not take appropriate steps to protect company equipment. I’m tired of users complaining about pop-ups and slow systems when they have been told repeatedly that the systems are for business use.

      Maybe I am getting grumpier but I am now more inclined to wipe a system and start over. It just works out better that way.

      • #3144636

        You’re right, next time will be different…

        by unclerob ·

        In reply to You were too good to them

        plus I’m too tired to do that again,

        it’s very depressing to spend all that time on a system, you get to a point where you have invested too much time to go back and yet you feel like you aren’t gaining any ground either.

        • #3144554

          Rule of thumb

          by jdclyde ·

          In reply to You’re right, next time will be different…

          know when to pull the plug on a project, and don’t be afraid to do it.

          A few scans to see how bad things are is fine, but after the third utility and there are still issues, dump it.

          I JUST got done working on a Thinkpad that was crashing. I cleared off the MANY malwares and viruses, but it still kept crashing. After working on this for a day, I was able to determine that the hard drive was bad. 🙁

          Normally I would not have spent so much time, but this user is on the board of trustees, so special treatment, if you know what I mean! 😀

          I showed him where he could get the same laptop off ebay for $75, or get a new system for $500. (it is for his kids, so they won’t use his work system)

      • #3155403

        Yes – but not quite

        by pkr9 ·

        In reply to You were too good to them

        It is not always the user’s fault, and it is certainly not the user’s fault that Microsoft ships an OS that will be infected in virtually seconds after being connected to the WEB. Unless you shovel out a sizeable sum on third-party SW and HW to protect it. A lot of car analogies spring to mind, but I’ll spare you this time.

        I have demonstrated a PC getting so infected during INSTALL, that install wouldn’t finish. Let alone download all the needed fixes, and this was a preloaded PC. The manual read, “Connect and power on all your HW, connect to your modem or broadband, and power up the PC. The installation will run without you having to interact. Congratulations on selecting a leading quality **** PC, recommending Windows”.
        There are several areas in Windows where it is very difficult to create a PC in a central IT admin, that will function hands-off at a remote site, maybe even in a different part of the world. Anyway I am afraid DRM and region coding soon will make it impossible.

        We did the “If it is not fixable in 10 minutes, re-image.” Supported by the strictly enforced rule of storing ALL data on central servers. Later we switched everything to Domino/Notes plus a knowledge management system on top of that, with locally replicated DBs for off-site personnel. This removed the need for local data storage on individual PCs to a point where we scrapped all PCs and changed to a full Citrix/Wyse thin client set-up. That effectively removes 90% of your support jobs.

        Thanks for the article, it makes good reading and confirms my opinion that AdAware is slacking off.

        • #3270047

          Thanks for the reply…

          by unclerob ·

          In reply to Yes – but not quite

          I really appreciate the good comments & feedback I’ve rec’d thus far. It’s also confirmed a fact that everyone else pretty much believes that re-imaging the pc was the best way to go, a point I believe as well, although I find it to be pretty sad that you have to re-image a pc to combat spyware – a very sad state of affairs for the Windows OS. You would think that M$ better than anyone else would have an idea as to how to combat spyware for their operating systems since they aren’t open source systems; they have a definite advantage as to the workings of their operating system and how to make it strong enough to survive / prevent a spyware/virus infestation without resorting to re-imaging. Is it really practical to do this? Can you imagine if this epidemic affected servers as much as it affects desktop operating systems – thank god my servers are locked down tighter than a new inmate’s butt in a prison!

          I recently downloaded & installed Windows Vista Beta 2 on a newer workstation just to see what all the fuss was about. Vista is supposed to be a very robust OS with built-in antispyware protection and since I wrote my little blurb on my spyware experience I thought I would see what kind of protection Vista is touting. It turns out Vista comes with M$ Defender, the same antispyware software you can download from M$’s website: M$ Defender Beta 2. If this is what they call built-in spyware protection which will eliminate the need for 3rd party tools, believe me: you will need additional 3rd party tools for combating spyware if you run Vista.

          I hear what you’re saying about thin clients. For the office & distribution center that I work at, I believe our not too distant future may include a migration to a thin client architecture where the bottleneck becomes the network connection because the cpu/hd are no longer as important to the pc landscape, and when you remove the hd – you remove the need to scan it for spyware/viruses. It’s funny when you think about it, we started (our company) with mainframes & terminals, the pc came into being and we started installing desktops & networks, now the terminal/thin client is coming back into vogue again, all you need is a network connection and you can get at everything. Web 2.0/Ajax web technologies will probably make installing office productivity apps a thing of the past, if you need a word processor or spreadsheet application, just open up this site address and poof the application runs – no licenses to purchase or worry about, nothing gets saved locally so you don’t have personal backups to worry about, crazy stuff when you think about it. No matter how many steps you take forward, if you examine your travels close enough you’ll notice that sometimes instead of walking forwards we’re just walking in circles and improving what we did in the past (or attempting to at any rate).

          thanks again for the positive feedback, it is appreciated.

        • #3154740


          by pkr9 ·

          In reply to Thanks for the reply…

          I’ve been in IT since it was invented – first job in 1969.

          The ‘PC experiment’ has been one of the costliest failures in the business world. At a time it was called ‘decentralised computing’, and some even stated that people should write their own programs – if the staff in accounting didn’t like their data-entry programs they should make their own. Utter nonsense.

          The office PC might have been better if the OS and apps generally used on them, supplied by Microsoft, had been better, at least adhering to some quality standard. I won’t burden you with examples of really bad SW, there are lots to show.

          It was a stupid move to store company data spread around the organisation on unstable OS’s on unstable HW and maintained by people hired to do something else. The information and knowledge base is the core asset of any organisation – knowledge is power, and it is very strange indeed that even highly qualified management allowed a company base asset to be spread on maybe thousands of PC’s with any degree of backup and security. No other business asset would be treated this way, even petty cash is locked away and only a few people have the keys and/or combination to the safe.

          Base assets are valuable, and should be stored centrally and taken care of by professionals, just as any other important business assets.

          The thin client is a very good way of taking the best of two worlds. The central security and stability known from the mainframe world, and the GUI and possibilities known from the PC world. One must be very careful when selecting the HW set-up in the server farm, as this will be crucial for operation. Optimal would be Linux server inside a mainframe, but my set-ups have been a high-availability set-up using IBM blades. Installed 4 years ago, and still running with NO DOWNTIME when I left that company 1 year ago.

    • #3144671

      I’d have wiped it too.

      by mr.wiz ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      Anything that ties up that much time is keeping you (or me) away from something more important. If we have a machine that takes more than an hour or so to fix, we’ll normally reimage it. Saves time and money.

    • #3144662

      Thanks for the info

      by stress junkie ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I really appreciate the information about each of the AV tools that you used. Thanks.

      • #3144526

        hopefully my effort can save you time…

        by unclerob ·

        In reply to Thanks for the info

        … we should be able to learn from other people’s mistakes, otherwise we’re doomed to repeat them.

        Download the apps, burn them on to a cd along with other useful system utilities, I will upload the spyware apps to a personal site and provide the link when it’s ready.

        Thanks for the reply back! I’m glad you liked my list.

    • #3145550


      by pcolabove ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…




    • #3141630

      Hidden Files

      by xt john ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      After running adaware and spybot, we’ll also run msconfig.exe, to uncheck suspicious programs trying to run on startup (This utility is NOT available on Windows 2000). Problem is, really malicious spyware will reinstall itself at the next bootup, and even change its name. Check for suspicious folders in your program files directory. I agree with the other posters, you deserve a medal for patience and perseverance. We do a 2 hour rule… if after 2 hours we can’t clean it, re-image it. This is nice if you’re using the same PCs throughout the enterprise, have an image of what the machine should look like, and Ghost it over to the infected machine. Prevention is the key! Go-Back software is a consideration, too :)
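      What HijackThis does in the original post’s item 1 and what xt john does with msconfig here is the same job: enumerate the autostart locations and look for entries you don’t recognise. As an added example that is not from any post in this thread, the PowerShell script below does that enumeration, flags the two patterns the thread itself describes (programs launching from Local Settings\Temp, and entries that come back under a new name after a reboot), and diffs the list against a baseline saved from a freshly imaged machine. It assumes PowerShell is installed on the XP box; the baseline file path is a constructed placeholder.

```powershell
# Added example (not from the thread): inventory the autostart locations that
# msconfig and HijackThis display, flag entries that look out of place, and
# compare against a baseline captured from a known-clean machine.
# Run from an administrator prompt. The baseline path is a constructed placeholder.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Directories a legitimate autostart rarely uses but dropped files usually do
# (the thread's own example is Local Settings\Temp).
$SuspectDirs = @(@($env:TEMP, $env:TMP, (Join-Path $env:USERPROFILE 'Local Settings\Temp')) |
    Where-Object { $_ } | Select-Object -Unique)
# Properties the registry provider adds to every Get-ItemProperty result
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Entry([string]$Location, [string]$Name, [string]$Command) {
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Command = $Command }
}

function Get-ExePath([string]$Command) {
    # Pull the executable out of a Run-key command line: honour a quoted path,
    # otherwise take the first token (unquoted paths with spaces are a known gap).
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return (($c -split '\s+')[0]).TrimEnd(',')   # Userinit carries a trailing comma
}

function Get-AutostartInventory {
    $items = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $items += New-Entry $key $p.Name ([string]$p.Value)
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            foreach ($f in Get-ChildItem -Path $dir -Force) {
                if ($f.Name -ne 'desktop.ini') { $items += New-Entry $dir $f.Name $f.FullName }
            }
        }
    }
    # Shell and Userinit are classic hijack points that msconfig does not show.
    $wl = Get-ItemProperty -Path $WinlogonKey
    foreach ($name in 'Shell', 'Userinit') { $items += New-Entry $WinlogonKey $name ([string]$wl.$name) }
    return ,$items
}

function Test-Suspect($entry) {
    # Returns the reasons an entry deserves a second look (empty = nothing obvious).
    $reasons = @()
    $exe = Get-ExePath $entry.Command
    if ($entry.Name -eq 'Shell' -and $entry.Command -ne 'explorer.exe') {
        $reasons += 'Winlogon Shell is not explorer.exe'
    }
    if ($entry.Name -eq 'Userinit' -and $entry.Command -notmatch '\\system32\\userinit\.exe,?$') {
        $reasons += 'Winlogon Userinit has been altered'
    }
    if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
        $reasons += "executable not found: $exe"
    }
    foreach ($d in $SuspectDirs) {
        if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $reasons += "runs from $d" }
    }
    return ,$reasons
}

function Get-SuspectReport {
    foreach ($e in Get-AutostartInventory) {
        $why = Test-Suspect $e
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Location = $e.Location; Name = $e.Name; Command = $e.Command; Reason = ($why -join '; ')
            }
        }
    }
    # Running processes whose image lives in a temp directory get the same scrutiny.
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }   # protected system processes refuse to tell us
        if (-not $path) { continue }
        foreach ($d in $SuspectDirs) {
            if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                New-Object PSObject -Property @{ Location = 'process'; Name = $p.Name; Command = $path; Reason = "runs from $d" }
            }
        }
    }
}

function Save-AutostartBaseline([string]$Path) { Get-AutostartInventory | Export-Clixml -Path $Path }

function Compare-AutostartBaseline([string]$Path) {
    # Entries present now but absent from the clean baseline ('=>' side); a renamed
    # re-install shows up here even when its new name looks innocent.
    Compare-Object -ReferenceObject (Import-Clixml -Path $Path) -DifferenceObject (Get-AutostartInventory) `
        -Property Location, Name, Command | Where-Object { $_.SideIndicator -eq '=>' }
}

# Usage: Save-AutostartBaseline 'D:\baselines\T40-clean.xml' on the freshly imaged
# machine, then Compare-AutostartBaseline with the same (placeholder) path later.
Get-SuspectReport | Format-Table Location, Name, Command, Reason -AutoSize
```

      Unchecking a box in msconfig only moves the entry aside; the thread’s point that the spyware re-registers itself after reboot is exactly what the baseline diff is for, since a fresh entry under a new name still differs from the saved clean list.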


    • #3164786

      What you forgot to do at the end

      by stv9 ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      The last step after the “it is completely restored and back to normal” is to do an image of the drive! Then, next time, you can copy his personal files to somewhere, restore the clean image containing all his camera and printer drivers and everything, and then put back the personal data created since this image. (Then, create another image for the time after that!) I have a big box of disk images for all the computers I work with, and I use it a lot!

      Ghost and Acronis TI are the two best image utilities that I’ve found.

      That would be 1/2 hour to restore his personal image instead of the 1 hour to re-stamp to the corporate image and re-personalize it.

      Other than this missing step, an excellent article, thanks!

      • #3164755

        that’s an excellent point…

        by unclerob ·

        In reply to What you forgot to do at the end

        You’re totally correct, that is the last piece of the puzzle. Instead of relying on an already few-month-old corporate image of that laptop, I should have created a personalized image of his laptop after the cleanup operation.

        You know what will happen, he’ll be back in a month from now and when I attempt to “steal” his laptop from him for a 1/2 day to create the image, I’ll run some scans on his laptop and find that he’s mucked it up again, I’ll repeat my work and then create an image.

        Yes, that’s an excellent point you’ve raised and ultimately the last required piece of this puzzle.

        We run Ghost (I’ve heard good things about Acronis) and prior to Ghost, we used Powerquest’s DriveImage software (also known as DeployCenter).

        Thanks again for the reply and the great feedback, it is appreciated.


        • #3164735

          Virus Center

          by g.luis ·

          In reply to that’s an excellent point…

          I’ve worked on many systems with the express intent of learning all I can from infected systems and how they get that way. I’ve had clients who’ve challenged me in getting rid of these so-called “issues” by staying the course and eliminating them one by one. I’ve come across many anti-virus systems, firewalls, and other blockers to check their ability to do the job.

          It would be nice to have one utility capable of eradicating all spyware but that’s not possible. These days, you have to contend with root kits which require a different scanner altogether.

          My solution would have been to remove his drive from his system and set it up as a slave on a working system via USB. I would then scan it and have all issues found removed. I would then go in and remove the contents of the temp file manually, remove items from the recycle bin and so forth by hand. I would then check the root of the drive for any suspicious issues. And then run some of the utilities mentioned. Once done, put back into his system and boot up into safe mode and run registered versions of NO ADWARE, registry booster by uniblue, and AVG by Grisoft. Most of the time, I’m able to clear most issues. There is also a program called ROOTKIT REVEALER by a company called Sysinternals that can detect root kits. After finding one, I usually hit the Internet for clues on removing it.

          Yes, it’s not worth the time and effort, but it’s nice to know. Windows will never be patched to a point of painless bliss, but for now, I’ve got a job to do.

          But to answer, yes. Most of my clients refuse to be careful and are usually infected hours later. Why, because they want to do shopping they “think” is ok, hence browser hijacking. They insist on getting that latest picture of Jessica Alba from their friends even if they don’t really look at who really sent the attachment. But then, like I said, make the pitch that it’s up to them, and keep going back. I’ve had the fortune of having clients not care about the cost, but would rather have the convenience of not needing to reset all their settings. There are very few exceptions where I really had no choice.

        • #3269868


          by cmiller5400 ·

          In reply to that’s an excellent point…

          I use Acronis True Image at home and love it. It is so easy to backup and restore images. I especially like the fact you can do an image on the fly while working in Windows. It also has a linux boot cd that will run if you need to restore images for a dead machine.

        • #3269844

          “What he say…”

          by markemark ·

          In reply to Acronis

          ‘Acronis TI’ totally rocks. I can’t believe the number of times previously, when we resorted to rebuilding laptops and then customising them for the user. Acronis TI Enterprise version is even better; imaging servers as well. This product is the ‘best of breed’ and certainly saved myself / the company a fortune in terms of potential laptop / server downtime.
          This product is at the top of the pile, in the DR emergency procedure box.
          …and no, I don’t work for Acronis or any affiliates. It’s just nice to actually use a piece of software that ‘does exactly what it says on the tin!’ Nuf said. (bout time I crawled back into my computer)

    • #3270060

      Site for free Spy Sweeper trial

      by pennyman2 ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      Try this link: . This site also rates competing products for spyware removal and has links to other related programs.


    • #3269994

      More useful anti-spyware resources to look at…

      by unclerob ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      Spyware Information and Resources
      Spyware-related news and articles.
      Spyware Information from wikipedia
      Spyware Information

      Spyware Related Forum

      Online Virus and Trojan Scanning
      PandaActive Scan from Pandasoftware

      Network Associates’ McAfee AVERT Stinger

      Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Latest version: 2.5.4 Size: 1.05MB
      Download Page:

      Also definitely check out for the following useful downloads:

      StartupList : A simple tool that lists all and every auto starting program on your system. You might be surprised what it finds, this is way better than Msconfig. Commonly used to troubleshoot malfunctioning systems, trojan/viral infections, new spyware/malware breed and the likes.

      HijackThis : A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you’re doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
      Currently at version: 1.99.1

      Itty Bitty Process Manager (IBProcMan): A standalone version of the little process manager included in HijackThis (Misc Tools section). Shows full paths to processes, optionally shows DLLs loaded by processes. Can save the process list (and dll list) to file, as well as copy it to the clipboard. Compatible with at least Windows 98, 98SE, ME, 2000, XP and newer.
      Very useful for cleaning up systems infected with trojans or viruses that kill antivirus and antispyware programs.
      Currently at version: 1.04

      Brute Force Uninstaller (BFU): BFU is a scripting program that can execute a series of preset commands like a Windows batch file, aimed at uninstalled programs that are hard to remove, uninstall improperly or simply unwanted. Scripts are plaintext and can be written with Notepad, and the command syntax is very transparent.
      BFU is very complete and powerful, has a small memory footprint and has no uninstaller.
      Documentation for the commands is available here (RTF).
      Currently at version: 1.00

      CWShredder: A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out. CWShredder is owned and maintained by InterMute since October 19, 2004. It is available from them for free separately, or integrated into SpySubtract PRO.
      The free version is available for download here:

      BugOff: This little app disables a few exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection. This does not remove an existing infection! Applicable to everyone that uses Internet Explorer.
      Currently at version: 1.10

      ADS Spy: A small tool to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems. ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4. Recently browser hijackers began using this technique to store hidden information on the system, and even store trojan executable files in ADS streams of random files on the system. Use with caution.
      Currently at version: 1.11

      BHOList: A frontend for TonyKlein’s BHO Collection that downloads the list, and displays it in a sortable, searchable list. You can also export it to a file and load that file back instead of downloading it from
      Currently at version: 1.5

      Kill2Me: A removal tool specifically for the Look2Me parasite. This tool removes versions 115, 116, 117, 118, 120, 121 and 122 (the most recent ones) on Windows versions 95, 98, 98SE and ME.
      Currently at version: 1.11

      Uptimer4: A bar that sits at the top of your screen and can display over 20 pieces of system information that might be useful to you. System time, system date, uptime, free RAM, free pagefile, free disk space, CPU usage, IP address(es), Winamp controls, battery status, running programs, netstat, etc.
      (Some functions may not work properly with Windows 95 and Windows NT4 without SP6.)
      Currently at version: 1.0 (beta)

      KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it.
      Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. An update is being worked on. If you still want to use KazaaBegone, download LSPFix to fix your Internet connection (download it before you run KazaaBegone, of course).
      Currently at version: 1.10

      I’ll post more useful anti-spyware/anti-virus links as I find them.
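      As an added example (not from this thread, and not part of StartupList, HijackThis or any other tool listed above), a PowerShell script that does what the StartupList entry describes: it walks the common Run/RunOnce keys and Startup folders, resolves each entry to its executable, and flags entries whose target is missing, lives under a user-writable temp/profile directory, or carries no valid Authenticode signature. The registry and folder paths are standard Windows locations; the "suspicious" heuristics are my own assumptions and only mark items for a closer look.

```powershell
# Added example: enumerate common Windows autostart locations and flag
# entries worth a second look. Assumptions: Windows PowerShell run as an
# administrator on the machine under triage; the heuristics below are
# illustrative, not a verdict.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # 64-bit only
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

# Returns a short reason string when the target looks odd, otherwise $null.
function Test-SuspiciousEntry {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)

    # A missing binary is either a leftover of a removed program or a name
    # that only exists while something re-creates it at each boot.
    if (-not (Test-Path -LiteralPath $expanded)) { return 'target missing' }

    # Legitimate autostart binaries rarely live in user-writable temp areas.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp")
    foreach ($dir in $userWritable) {
        if ($dir -and $expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return "lives under $dir"
        }
    }

    # An unsigned or badly signed binary proves nothing by itself, but it is
    # the first thing to look at when the name means nothing to you.
    $sig = Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $exe = Get-ExecutablePath $p.Value
        $entries += [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = $p.Value
            Note     = Test-SuspiciousEntry $exe
        }
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($item in Get-ChildItem -Path $folder -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            # Resolve shortcuts so the checks run on the real binary.
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
        }
        $entries += [pscustomobject]@{
            Location = $folder; Name = $item.Name; Command = $target
            Note     = Test-SuspiciousEntry $target
        }
    }
}

# Full list first, then only the flagged entries for quick review.
$entries | Format-Table -AutoSize -Wrap
$entries | Where-Object { $_.Note } | Format-Table Location, Name, Note -AutoSize -Wrap
```

Services, scheduled tasks, BHOs and Winlogon hooks are further autostart points the listed tools also cover; the same Test-SuspiciousEntry check applies to whatever executable each of those resolves to.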

    • #3269993


      by ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I had a win xp pro with similar symptoms. I first used Stinger

      because it is a “stand alone” free virus killer. It allows work on the machine disconnected from the Internet. It is not a full featured virus cleaner but gives you a start. It fits on a floppy if you still use those things.

      The machine belonged to my sister. It took all day to clean it after Stinger did its thing. Yeah, I wasn’t sure I won or lost!

    • #3269983

      Also not confident with Windows O/S

      by stevegoss ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      Excellent article. Thanks for posting it.

      I’m not the IT guy in our office, but I’ve been through some of this on the home networked computers (on a lesser scale). I also feel the Windows O/S has let us down since it is so easy for the crap to get in. Why should we have to download or purchase extra software to stay protected? When I bought my house the builder installed doors with locks, same for every car I’ve owned. But this operating system seems to not only allow villains in, it encourages them!

    • #3269934

      The Same Problem

      by hailet ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I just went through the same situation but with my home network and a family member.
      Ultimately I found the tools available useless.
      Spybot did a free scan but of course unless you buy the product it won’t remove anything.
      It was a lot easier for me (retired IT guy) to wipe the machine and reload everything.
      Thanks for the links to other products though. The Ewido thing seems to work well.

      • #3154805

        your situation raises an interesting point…

        by unclerob ·

        In reply to The Same Problem

        My network users have an advantage that most home users don’t have – they have access to IT tech support. I have a clue (somewhat) as to what’s required in cleaning/removing spyware (at least I do now after this recent fiasco) and if the problem was bad enough I could resort to re-imaging the system with a recent corporate image for that machine and personalize afterwards accordingly.

        Home users have a distinct disadvantage because they don’t have access to IT tech support and usually don’t have the required knowledge to search the internet and download the software tools that would work to remove spyware/malware infections on the scale that I was dealing with.
        And most users don’t have/use tools to image their PCs, heck most users don’t perform regular personal data backups, let alone perform regular full system imaging. A lot of users will have the original system restore cd/dvd that came with their pc systems and a decent percentage of those users I’m betting are lacking the knowledge to backup personal data and system settings (dsl PPPOE account settings, email account settings, etc. for example) so when they throw that system restore cd into their pc as a last resort, they cringe knowing that they will lose everything on their PCs and have to start from scratch – a very daunting task to say the least.

        Spyware removal tools need to work better and be much more thorough than they currently are. I used to be of the mindset (and this is quite recently too) that Ad Aware & Spybot were all that I needed to keep my machines clean, I now know that I was quite naive about this whole spyware epidemic and that several different tools are needed to remove spyware from your systems when they have been compromised to a great extent. Plus how many users would know how to boot up their winxp systems into safe mode to perform these spyware scans? Very few for sure would have a clue about this. Some of the spyware removal process may also involve searching the windows registry manually – I don’t know any home users that have the ability to do that. I recently scanned a friend’s PC using Webroot’s spysweeper software and it revealed over 600 instances of spyware on the first scan – I can’t be sure of every online habit he has but I can say for sure that he isn’t a smut addict but he does download music & software using various P2P clients – I don’t think his actions are unique whatsoever, it’s probably what everyone with a high speed internet connection does. The sad thing was that I had worked on his system maybe only several weeks prior to this last session, it doesn’t take long to wreak havoc on your systems especially when you’re under the impression that your habits are normal and don’t appear to be menacing.

        I think more than anything, things definitely need to change and improve for the regular home user who encounters problems with their pc because of a spyware infection, we can’t all be so lucky to have access to an IT dept to help us with these problems and the home user can go broke bringing their systems into a local fixit shop on a regular basis. Legislation needs to be introduced so that spyware/malware authors are prosecuted and decent penalties are imposed on those individuals that would seek to cause this kind of harm on your pc. Software vendors, especially M$ need to get involved to a greater extent than they’re currently participating at, spyware problems are only possible because the current operating system environment allows for these security problems – Vista won’t cure or provide better protection from spyware than Windows XP currently does, you can bank on that. Spyware removal software needs to be re-engineered to be more comprehensive than it currently is, SpySweeper, Ewido Anti-malware and PrevX1 seem to have a better idea as to what to look for and remove but these tools still aren’t the holy grail for spyware removal if I need to use multiple tools to catch spyware that another tool missed. Sybari has an Antigen antivirus tool product line for servers (specifically exchange, IM & collaboration servers) and the idea behind Antigen is that it uses several different scanning engines to catch all the viruses. It’s a good idea, I’m hoping a spyware vendor out there will hop on that bandwagon and create a tool that makes use of several spyware scanning engines and incorporates them into one tool.
        Heck, even if the software acted as a management console for other apps you had to install (like the titles I mentioned above) and once these spyware apps were installed, this mgmt console would run these tools in unison making use of each spyware scanning engine and on top of that being smart enough to reboot the pc into safe mode for the user (bypassing login if necessary) to continue its spyware scans and ensure that all spyware was removed. Spyware removal shouldn’t require 1/2 dozen scans by several different tools to ensure that the malware is removed, I figure a couple of scans should be sufficient to do the job, the first scan to get rid of everything it can find, the 2nd scan in safe mode to get rid of spyware that repairs/replicates itself after it’s originally removed.

        My idea can’t be unique, I’m hoping a software vendor is working on the same idea right now and hopefully it won’t be long until a product similar to what I’m describing is available. While we’re at it, how about lumping the antivirus product along with the antispyware product, in the end both are considered malware and maybe we need just one tool to take care of both threats since both tools do similar jobs, scan the pc’s drive, download virus/spyware definitions and scanning engine updates to ensure the tool is updated, provide a quarantine area to place suspicious items, get rid of the obvious stuff, etc.

        It’s 2006, computing power has never been greater yet our PCs are running slower now than they did 10 years ago because of this malware epidemic. It’s getting sad when I have to upgrade my system’s memory from 512mb of Ram to 1GB of Ram just to get it to operate at a decent speed, regardless of the fact that hardware is cheaper now than it was 10 years ago, our systems should be lightning quick comparatively speaking.

        Boy am I verbose or what, I’ll end this post right now before everyone falls asleep.

        Thanks again for your comment!


    • #3269862

      a couple more

      by dr dij ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      trend micro has a nice online scanner that can find things others don’t:

      I recommend siteadvisor (mcafee, both as plug in, shows / prevents browsing to drive-by download sites with big red x, other means.

      I’ve seen suggestions that ad rotations on major ad sites include some that cause infections (via wmf, etc). I have added major ad sites such as doubleclick to my hosts file with loopback so they never show on screen.

      and whatever sw you can have that checks and questions you for immediate changes. (Tea-timer for example, I think this is ad-aware or spyware blaster; is optional, and is pain if you have to install software because it blocks it, you have to kill it 1st)

      zone alarm couldn’t hurt, as it checks outgoing packets. spyware can get around it by using IE to send packets tho. many don’t.

      ca has online scanner for pest patrol still I think, haven’t used for a while. they make link harder to find with ads to buy it.

    • #3154986

      Wiped, then use RIS…

      by now left tr ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      Would have wiped also. Best bet (I think) is to keep an image of your base installs. Say on a 2000 / 2003 with RIS via RIPREP. This is what I do and it saves so much time. Better still you could have a dual boot laptop. One partition could be a server running RIS. Very handy for the unexpected!!

      • #3154812

        that’s a unique/interesting solution…

        by unclerob ·

        In reply to Wiped, then use RIS…

        Maybe when you get a chance (and some motivation for this size of project), you could write a TR article on the setup of a dual boot system with one of the partitions running Win2k/2k3 server with RIS – it’s very intriguing! I would definitely be interested.

        • #3268584

          Brief Method….

          by now left tr ·

          In reply to that’s a unique/interesting solution…

          It is not that hard! Make sure you have XP installed on partition A first. After which install 2003 on partition B. The 2003 install creates the boot menu for you. Make sure you install RIS Services on the 2003 install along with DNS and an authorised DHCP. Upload an XP image following the RIS instructions (Via AD – best to use a Volume Licence XP SP2 CD). Install a new laptop with apps and then run RIPREP from the share created by RIS. This will upload the image to the server for later use. You can then either use PXE boot on your recipient computer(s) or create a boot disk / USB stick via the RIS default share.

          Edited for clarity.

        • #3268515

          hey that’s english even I can understand…

          by unclerob ·

          In reply to Brief Method….

          but I still have some questions,
          on an existing network where DHCP & DNS services are already being handled by an existing Domain Controller, won’t installing Win2k3 with DNS & DHCP possibly cause a conflict with the existing Domain controller in place if this machine connects to the existing network? I don’t want this new Win2k3 RIS server to assist my existing domain controller and start assigning ip addresses to machines that happen to logon to the network. Am I worrying too much or have I missed the point you were trying to explain altogether?

          I will try it on a machine that isn’t connected to the network though, you have an excellent solution which I would like to possibly implement at my end.

          Thanks again for the method description!

        • #3268483

          More Info…

          by now left tr ·

          In reply to hey that’s english even I can understand…

          If it is just the single machine then a quick switch / hub between client(s) would work. If you are looking at a bigger picture then the existing LAN DNS / DHCP would only be useful so long as the RIS server is on the local or extended WAN network. Problem is that latency / connection speed may be a problem here. By having the laptop (and being on site) you are only creating a local network between the target machine and the laptop. Remember PXE booting looks for the nearest DHCP and then RIS if it is available. You normally have to press F12 to get the PXE boot to work as it is a BIOS feature.

    • #3154985

      Another tool – A Squared

      by the weekly geek ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I appreciate your article. I have written many similar ones and give many lectures on this topic. I am sorry you did not know about Ewido, I have used them for quite a while.
      Another very good program is A2 (A Squared)
      It has been a major help in the war on malware and spyware.

      • #3154815

        thank you!

        by unclerob ·

        In reply to Another tool – A Squared

        I will definitely download the trial (and the beta preview they’re apparently offering) and try it out!

    • #3154922

      But it is an IBM–ThinkPad

      by bmw_rider ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      If you’re not using the rapid recovery/system restore program that comes with ThinkPads and ThinkCentres; you’re making SO-O-O much more work for yourself. My “shop” is strictly “IBM” and it has been a life saver.

      • #3154814

        I’ve used RR in the past…

        by unclerob ·

        In reply to But it is an IBM–ThinkPad

        a few years ago and I wasn’t that fond of the product back then. I’ve never bothered to give the newer versions a try but you’re right, maybe I should revisit the product and give it another try, maybe it’s improved since then. We’re pretty much an “IBM” shop (except for a few Compaq’s) so we pretty much have the software available for most of the machines in the building plus I have 1/2 dozen new thinkcentres to deploy so I will set it up on them and give it a try before I deploy them. Thanks for the suggestion.

    • #3154720

      Why not using linux?

      by agrange ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I use Linux since 1996 with no spyware, no virus. Dual boot: Linux for internet and Window for applications not available on Linux (few).

      • #3154701


        by unclerob ·

        In reply to Why not using linux?

        First, although you definitely provide an alternative, our company runs M$ only, no linux. No one around here is proficient enough to be able to support linux in any of its various distributions plus none of the users would be proficient at using Linux on their desktops/laptops, they have a hard enough time running Windows.

        Secondly, I’ve tried it out and noticed that dual-booting linux & windows on the same machine makes that machine run slower than if you were dual-booting 2 different windows OS’s (ex. WinXP & Win98), that’s been my personal experience and it may not be the actual rule of how that experience normally goes but that’s what I observed when I attempted on my personal system.

        But thanks for the suggestion all the same, you’re definitely thinking and you are probably correct, I doubt that Linux has the kind of problems Windows has when it comes to spyware.

    • #3146064

      See my post on

      by zlitocook ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      How long would you work on a computer? If you give it your best just back up, reimage and restore. But scan and rescan the back up before you copy it back to the computer.

    • #3143006

      Web Root’s SpySweeper is Great!

      by it cowgirl ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I too have suffered in trying to clean spyware and adware, but finally gave up and would wipe and rebuild. Then I hear about SpySweeper and tried it on a Win98 machine so I could pull off the user’s docs. It worked perfect! I was able to clean off the machine and recover the docs.

      Of course then I wiped it and installed XP. But it was a great test.

      I am sold on this product!

    • #2596931

      Malware removal procedures.

      by tonyackerman ·

      In reply to My recent experience with a spyware/malware infested XP SP2 laptop…

      I realize this thread is a bit dated and my response is late to the discussion.

      First, there is an excellent procedural outline to be found at

      As mentioned by several respondents, prevention is key, but be aware that this is the new battlefront and the enemy is very clever. No matter what prevention package you use, understand that it will be breached at some time. Scheduling regular maintenance and tuneups will keep this infestation level down to a manageable level.

      Couple of other notes, Spybot S&D is not a purchased item for personal use, only the corporate edition is a purchased item. You can contribute if you so choose, but it is not required. If the site where you are downloading Spybot is asking for $, you’re being scammed and you should immediately take steps to protect your account. Spybot, properly configured and run in advanced mode, is a very effective tool. Make sure that you apply the latest updates and install the latest version. I’ve tried and continue to try everything that comes up as a tool in this battle, but it seems that I always come back to Spybot as one of the most effective tools. Others take too long, are ineffective or just plain don’t work. I have to admit that I’ve been rather disappointed in Windows Defender, I expected more, especially since Giant actually had a decent product.

      Make sure that you disable system restore when you start the malware scans.

      Run a good cleanup tool and registry scrubber (cleanup by steven gould, lexun regscrubxp, or combination tools such as ezcleaner, crap cleaner, advanced windows care).

      Make SURE that you deploy a good antivirus program that has anti-trojan capabilities. A lot of malware has trojan like behavior and a good antivirus program with anti-trojan capabilities will catch a lot of this stuff before it inflicts damage.

      Use a less vulnerable browser (firefox, opera) or spend the time and effort to harden IE.

      Don’t overlook the possibility that IE has been compromised, (IEFix 1.5 will do amazing things to resolve this).

      After your malware scans come up clean, run xp’s system file check (sfc) to make sure that your system files are not compromised. After all this “stuff” has been done, defrag the disk and then re-enable system restore.

      This business of clearing malware is not necessarily easy, but it is rare that you have to resort to formatting and reinstalling, or even re-imaging the disk.
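      As an added example that is not part of the post above, the ordering it describes (System Restore off before scanning, sfc only after the scans come back clean, defrag, then System Restore back on with a fresh restore point) written as a PowerShell runbook. It assumes Windows PowerShell 5.1 run elevated on a current Windows build, and it uses the built-in Defender cmdlets as the scan step in place of the Spybot/Ewido tools the thread discusses; swap in whatever scanner you actually rely on at the marked spot.

```powershell
# Added example: post-scan cleanup sequence as a script. Assumptions:
# Windows PowerShell 5.1, elevated, on a build that ships the Defender
# module. The Defender scan stands in for whichever scanner you use.

$systemDrive = "$env:SystemDrive\"            # e.g. C:\
$driveLetter = $env:SystemDrive.TrimEnd(':')   # e.g. C
$log         = Join-Path $env:TEMP 'cleanup-runbook.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s)  $Message" | Tee-Object -FilePath $log -Append
}

# Returns $true only if the full scan reported no new detections.
# Replace the body with your own scanner invocation if you prefer.
function Invoke-FullScan {
    $started = Get-Date
    Write-Log 'Starting Defender full scan'
    Start-MpScan -ScanType FullScan            # blocks until the scan finishes
    $new = Get-MpThreatDetection |
           Where-Object { $_.InitialDetectionTime -ge $started }
    foreach ($d in $new) {
        Write-Log "Detection: $($d.ThreatID) in $($d.Resources -join ', ')"
    }
    return (-not $new)
}

# Step 1: turn System Restore off so cleaned files cannot be restored from a
# restore point. Note that this also discards the existing restore points.
Write-Log "Disabling System Restore on $systemDrive"
Disable-ComputerRestore -Drive $systemDrive

# Step 2: scan. Allow a second pass, since some droppers re-create files the
# first pass removed; stop if the second pass still finds something.
$clean = $false
for ($pass = 1; $pass -le 2 -and -not $clean; $pass++) {
    Write-Log "Scan pass $pass"
    $clean = Invoke-FullScan
}

if (-not $clean) {
    Write-Log 'Scans did not come back clean; stopping with System Restore still disabled'
    return
}

# Step 3: only now verify system files, so sfc does not repair a file the
# scanner is about to quarantine anyway.
Write-Log 'Running sfc /scannow'
& "$env:SystemRoot\System32\sfc.exe" /scannow | Out-Null
Write-Log "sfc exit code $LASTEXITCODE (details in $env:SystemRoot\Logs\CBS\CBS.log)"

# Step 4: defragment, then re-enable System Restore and take a known-good
# restore point so the next rollback starts from a clean machine.
Write-Log "Defragmenting $driveLetter`:"
Optimize-Volume -DriveLetter $driveLetter -Defrag

Write-Log 'Re-enabling System Restore'
Enable-ComputerRestore -Drive $systemDrive
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
Write-Log 'Done'
```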
