My recent experience with a spyware/malware infested XP SP2 laptop...

By UncleRob
One of our company's salesmen recently called me complaining of his laptop's poor performance, nagging pop-ups, frequent reboots, etc.

His laptop is a couple years old already but it isn't a slouch by any stretch. Aside from my own desktop computer, I run the same model laptop as he currently uses (background info: IBM Thinkpad T40, 1.5GHz, 512MB RAM, 30GB HD, 32MB ATI video card, CDRW/DVD, etc.). I find that the laptop is a workhorse; I use it more than my desktop and I can only say good things about it, and I look forward to my next IBM (I mean Lenovo) Thinkpad when the lease expires on this unit.

He's a sales manager and he's on the road on a regular basis, travelling in his sales territory, attending meetings, visiting his dealer network, etc. Any support I provide him is usually remote assistance; thankfully he's always at a location that provides him with a decent high-speed wired/wireless connection. However, his laptop's performance had degraded to such a poor level that maintaining a remote assistance connection using XP's Remote Assistance tool or another remote connection tool that we use proved painful & ultimately useless.

The problem with his laptop was spyware/malware - a lot of it. Although he isn't sure how he acquired so much of it, one thing was sure: he couldn't continue operating with the laptop in its present condition. It locked up and prevented him from working with his email and other applications, office apps no longer functioned, telling him they needed to be re-installed, etc. We managed to perform some spyware scans which took extraordinary amounts of time to complete, yielded poor results and cleaned up very little of the problem. He ended up shipping the laptop to me and said he would swing by the office in a week to pick it up. I informed him that if I deemed the spyware/malware infestation too bad, I would just re-image his laptop after backing up his data. He would still need to deal with bringing in his other computer equipment (printers, scanners, digital cameras, iPod, etc.) to arrange to have the required drivers & software installed to restore their functionality, which would require more time - all in all this was turning into a big bowl of $hit soup and I wasn't really that hungry to begin with. I got the machine the next day and began the cleanup process.

We sometimes have spyware/malware problems with the office machines connected to our local network but using a combination of Ad Aware and Symantec Antivirus took care of any problems so I assumed I would start with that approach - the results of which seemed like wasted effort.

I proceeded to download & install the latest version of Spybot S&D (v1.04) and I also tried out MS Defender Beta 2, updating all the required components and performing the necessary scans. My first full scan took almost an hour to complete and resulted in finding 100+ different items. I thought I was finally gaining ground on this problem, fixed the items that it found and rebooted the laptop for another scan. I was disenchanted to find that most of the items returned after a reboot.

I rebooted the laptop into safe mode with networking, turned off WinXP's System Restore and attempted the same repairs again. I first tried Ad Aware again, updating the latest spyware defs, and it found very little. I ran Spybot and found a lot more; MS Defender Beta 2 found very little during its scans. I rebooted, and subsequent spyware scans in safe mode showed that I was apparently gaining ground. Each reboot revealed fewer instances of spyware and I was feeling confident that I had licked the problem. I rebooted normally and logged on as the local machine's admin (I didn't log in to our network domain) and performed another scan along with downloading the latest Windows & Office updates (there weren't that many, less than a dozen combined thanks to Automatic Updates being enabled). After completing those operations and rebooting, I continued performing other maintenance tasks: disk cleanup, disk defrag, running Norton WinDoctor to tune up the Windows registry, cleaning up temp files that Disk Cleanup never seems to want to flag & remove (ex. C:\Documents and Settings\userid\Local Settings\Temp), etc.

When I was confident that the pc was running normally again, I rebooted and logged in as the user in question and began to test out his office apps, sync up his email, etc. The pc began to exhibit the same spyware infested behavior again: windows popped up randomly, I noticed command windows popping up and I could literally see files being copied to other locations, Internet Explorer's default home page had been changed & redirected, attempting to go to other pages wouldn't work and it would bring me back to the pages it wanted, etc., and on top of that office apps wouldn't work, etc. I tell you, at that moment it took everything in me to stop myself from turning that laptop into a frisbee and setting a long distance throwing record!

I rebooted the laptop into safe mode and began my spyware scans again, which revealed nothing - how could this be?

From my clean laptop, I began researching this spyware epidemic on the net and I found a lot of helpful resources and downloaded a lot of spyware removal software I hadn't heard of. All in all, it took a lot of effort to finally clean this laptop of its problems. I won't go into every detail because this post has already proven that I'm quite verbose. I will give you a list of what I tried and what worked/what didn't:

1. HijackThis, download available at http://hijackthis.de/
- This app gives you an idea of what is running on your pc, you can use it to identify spyware, and their site will also analyze your logs for you and help you identify what's ok and what isn't. Highly recommend this app; I used it a lot in conjunction with any new spyware app I tried out to see if they were working or not. It would also identify files by filename that I didn't recognize and show me their locations on the local pc; I would research the filenames on the net and manually remove them from the pc when the spyware removal tools wouldn't. Can't say enough good things about HijackThis!

2. Spybot S&D v1.04, you can download this app at http://hijackthis.de/

It's a good start but isn't a total solution; it helps find a lot of the spyware that doesn't hide itself very well. Their spyware scanning engine needs more work when it comes to scanning the Windows registry.

3. Ad Aware SE v1.06 available at http://www.lavasoft.com/support/download/
It used to be pretty good software but based on my last experience, it has developed into nothing more than a "cookie eater"; it didn't detect any of the nasties that had infected this user's laptop. The personal home user's version is free including updates, but I guess you get what you pay for. I can't complain that much if it's free (change that: I can still complain, it didn't work well at all).

4. PrevX1 available at http://www.prevx.com/security.asp
During my spyware battle I searched a lot of discussion forums on this topic and a lot of times those in the know mentioned this product. I tried it and I would say it's very good but it has some cons also. Cons: it doesn't work in safe mode, which I've learned is probably the only environment to scan for & remove spyware/viruses/malware, etc. It doesn't play nice with Symantec Antivirus/Norton Antivirus. The software caused several WinXP BSODs when it started scanning for spyware - reading up on this topic informed me to uninstall my existing antivirus apps, after which Prevx1 was able to successfully scan for & remove a lot of spyware that Spybot, Ad Aware & MS Defender Beta didn't find. Its scan engine doesn't work in safe mode and it tends to be chatty during its real-time monitoring, announcing every running process & application as it starts. It's a resource hog, but again it found more than a few of the other well known apps did, so I can't complain. Once I was done with this app, I uninstalled it and reinstalled the Symantec Antivirus client and got my antivirus protection back (as much as Symantec can provide anyways).

5. MS Defender Beta 2 available at http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx
This app didn't find anything, a whole lot of nothing. I'm very disappointed in the performance of this app. I'm assuming that if you release a beta it would mean that the product has some useful functionality, but it doesn't. Updating the spyware defs doesn't work even though they provide a button to perform this function; reading up in an MSDN forum shows that Microsoft acknowledges this problem and really wants you to download the definition updates by way of the Windows Update site or having Automatic Updates turned on. My question is, why have a check for updates button if it doesn't work? Maybe something more important: shouldn't the makers of the OS have a better idea & ability to create a tool for scanning & cleaning spyware from its flagship OS? Maybe it's my logic that's out of whack for assuming this, but I can't get over this point at all. Maybe it's why the leeches that create spyware & viruses are so successful, because Microsoft just doesn't have a clue when it comes to the problems inherently engineered into their OS. It's very sad. Microsoft, if you read this, smarten up, nobody should be better at cleaning up your backyard than yourselves. Telling me to purchase Vista to cure me of my WinXP SP2 spyware problems won't work either.

6. Ewido Anti-Malware available at http://www.ewido.net/en/download/
- Who knew this product existed? This company's marketing team needs to kick it up a notch. An excellent product, and the trial version is fully functional and it caught a lot of what the other spyware apps were missing. Maybe I shouldn't be surprised, Ewido is a Grisoft company and Grisoft makes great antivirus software. Highly recommend it, works great in safe & regular Windows modes.

7. Webroot SpySweeper available at http://www.webroot.com/
- They don't have a functional download you can try, just a scanning tool. I however found a site which offers a fully functional trial version which I used (I will look for the link and post it here) and it found everything that the other spyware apps mentioned above missed. I was impressed. The laptop's performance had been restored to its original state and I was figuring I was done with my cleanup; on a hunch based on my previous failed assumption that the laptop was clean, I installed the trial and it found a whole bunch of spyware that was cleverly hidden. It flagged the spyware that it couldn't remove immediately and upon reboot, removed the stuff it found in previous scans. This is a spyware app that would be worth purchasing, it is that good, and it has a special diagnostic mode meant for use in Windows safe mode. Needless to say, it caught everything the others missed, removed those stubborn replicating items and upon several reboots & re-scans cleaned the laptop to the point where 0 instances of spyware were found. Rebooting the laptop normally and logging in as the aforementioned user, office applications worked again, Internet Explorer no longer suffered its hijacked state, browsing the net worked, no more pop up windows, and HijackThis revealed no spyware hiding in the background.

8. Cleanup 4.51, available at http://www.stevengould.org/software/cleanup/
- Great utility for removing temporary files created while surfing; empties the Recycle Bin, deletes files from your temporary folders, prefetch folders, and more.

All in all, this spyware battle easily took over 8 hours (spanned across a few days) to finish. I only went through with this laborious effort because the user didn't need the laptop for a few days and also to see if it was possible to clean a badly infected machine. It is, but it is not economically viable to do this. I could have backed up the user's personal data, formatted the drive & re-imaged the laptop in less than an hour, joined the machine to our network domain, copied over his personal data and attempted to restore some of his personal settings. The method I used was appreciated by the user because he didn't have to re-install any personal software/hardware devices or restore any personal settings, but I wouldn't be able to do this on a regular basis.

I can say that I wasn't defeated by spyware and didn't have to resort to wiping the drive clean and starting from scratch again, but I don't know if that's ultimately the truth. If I had to spend this many hours cleaning up this spyware mess then maybe I was defeated; I definitely didn't get an ego boost out of this (a lesson in spyware removal - yes, I definitely got that). If that's the case I can also say that Microsoft was defeated as well: a machine running Windows XP SP2 with Windows Firewall enabled, with an up to date antivirus solution in place along with having the most recent Windows/Office security & critical updates installed didn't prevent the machine from getting infected/damaged in the first place. This user was running as a Standard user, not as an administrator of the local machine, and still managed to get this many problems with spyware infecting the very core of the operating system. Obviously this user's habits need to be curbed and he needs to learn that his online activities and email habits led to this problem and he needs to change his current ways to stop this from happening again.

It doesn't lend much confidence to the current state of affairs with the Windows operating system. I can only hope Vista isn't like this. Another question is why does it take several different spyware removal tools working together to get the job done? Why can't one tool do it all? A neat idea would be to have one tool which makes use of several different detection engines used by each of the most popular spyware removal apps (since they all seem to catch something the others don't) to perform a few consecutive sweeps, reboot again into safe mode, repeat these sweeps just to confirm everything was completely removed, reboot again and that's it. Instead of 8+ hours, 1 hour or less and you're spyware free. What a novel idea, wonder how much it would cost to patent this idea?

Thank you for reading this long winded post, I await your responses both good & bad (be nice).

... rob,wpg
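The post above describes reading HijackThis output for autostart entries with unfamiliar filenames and unusual locations, then researching them by hand. As an added example, not part of the original post or of HijackThis itself, the script below applies that same triage to HijackThis "O4" lines (the real log format for Run-key and Startup-folder entries). The log lines, paths, value names and file names are constructed for the example, and the three flags (executable under a temp/profile directory, a Windows system-process name outside system32, a random-looking run-key name) are my own heuristics, meant to prioritise what to look up, not to decide for you:

```python
import re

# HijackThis "O4" lines list autostart entries (Run/RunOnce keys and Startup
# folders). These log lines are constructed for this example; every path,
# key name and file name below is made up, not taken from the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [xk3jd] C:\\Documents and Settings\\user\\Local Settings\\Temp\\xk3jd.exe
O4 - HKCU\\..\\Run: [svchost] C:\\WINDOWS\\Temp\\svchost.exe
O4 - HKLM\\..\\RunOnce: [updater] rundll32.exe C:\\WINDOWS\\system32\\cmdsvc.dll,Start
O4 - Startup: desktop.ini
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
"""

# "O4 - <location>: [<run-key value name>] <command line>"; the bracketed
# name is absent for Startup-folder entries.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")

# First drive-letter or UNC path ending in .exe/.dll, quoted or not. The lazy
# match takes "C:\Program Files\...\x.exe" whole despite the spaces.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^"]*?\.(?:exe|dll)\b', re.I)

# Directories a legitimate autostart executable almost never lives in (heuristic).
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\recycler\\", "\\application data\\")
# Windows process names that malware commonly borrows when placed outside system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def first_path(cmd):
    """Return the first executable/DLL path in a command line, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None

def looks_random(name):
    """Heuristic: 5+ characters mixing letters and digits, e.g. 'xk3jd'."""
    return bool(name) and bool(re.fullmatch(r"[a-z0-9]{5,}", name, re.I)) \
        and bool(re.search(r"\d", name)) and bool(re.search(r"[a-z]", name, re.I))

def triage_entry(line):
    """Parse one O4 line and attach review flags; None if the line is not O4."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, cmd = m.group("name") or "", m.group("cmd")
    path = first_path(cmd)
    flags = []
    if path:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if any(d in low for d in SUSPECT_DIRS):
            flags.append("runs from a temp/profile directory")
        if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            flags.append("impersonates a Windows system binary outside system32")
    if looks_random(name):
        flags.append("random-looking run-key name")
    return {"location": m.group("loc"), "name": name, "path": path, "flags": flags}

def triage_log(log_text):
    """Return only the O4 entries that raised at least one flag."""
    return [r for r in map(triage_entry, log_text.splitlines()) if r and r["flags"]]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['location']} [{finding['name']}] {finding['path']}")
        for flag in finding["flags"]:
            print(f"    -> {flag}")
```

Run against the constructed log, only the `xk3jd` and `svchost` entries are flagged; the Synaptics, Symantec and Office entries pass, and so does the `rundll32` entry, because a DLL under system32 with an unremarkable name is exactly the case a heuristic cannot settle and a hash or vendor lookup has to.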


I would have wiped it

by jdclyde In reply to My recent experience with ...

long before you did. Takes less time, especially if you have that image.

After cleaning out the infections, a system is never as stable, which is the other reason I chose to reload vs clean.

It really is amazing that XP would get as infected as it does, and even more amazing that people blame the user for not running third party software to protect the system, instead of blaming MS for making the OS so vulnerable that you need to buy three other packages to protect XP.

The user needs to stop using IE and outlook, and not run the system as an admin.


I'm either too patient or too stupid...

by UncleRob In reply to I would have wiped it

yes, I think if someone brought me another laptop with the same problem, I would probably just backup the data/re-image it and be done with it.

You are right, there is probably some other permanent damage that can't be repaired by the spyware removal tools but currently the user is happy with the laptop functioning again so I leave it at that. What's really sad is that the lease on the machine expires in 6 months, I did all that work and he'll be getting a new machine in 6 months - doesn't seem worth it now that I look back at this.

IE & Outlook are an occupational hazard; we use IE6 because of a company developed website that was developed for the IE environment and doesn't work with Netscape, Firefox or Opera. Outlook 2003 is a nice email client and I like it a lot myself, the user just needs to stop clicking on every !@#$% link and needs to stop opening every !@#$% attachment.

He was never running as an admin, just as a standard user, I may even rethink that and change to run as a restricted user but that would probably just generate more phone calls in my direction, "I can't do this anymore, I can't do that anymore, what changed?, etc. etc. etc."


If you HAVE to use IE

by jdclyde In reply to I'm either too patient or ...

put your local servers in as trusted, and shut off Java/ActiveX and all the other crap in every other zone. This will stop a lot of the issues you are running into.

Just make sure to trust ALL the sites the user NEEDS for business, and too bad for everything else.

Set your firewall to delete all executables and bats.

The big thing lately is viruses in Word Docs. Turn off scripts.

Hopefully you won't deal with this (l)user again until he breaks his new system, and lock it down good before giving it to him. I wouldn't do the restricted user as MS is too stupid to make a valid account set of permissions.
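The zone advice in the post above (trust only the business sites, disable active content everywhere else) is a per-user registry change in IE. As an added example, not from the thread or from any of the products it names, the script below writes that policy out as a .reg file and reads it back for review. The key paths, the zone numbers (1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted), the per-zone action value names (1200 ActiveX run, 1400 Active scripting, and so on) and the 0/1/3 enable/prompt/disable values are IE's documented security-zone settings; the host names are constructed placeholders for the company's own IE-only sites:

```python
# IE security-zone numbers (1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites).
ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 1, 2, 3, 4
IE_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES_KEY = IE_SETTINGS + r"\Zones"
ZONEMAP_KEY = IE_SETTINGS + r"\ZoneMap\Domains"

# Per-zone action values: 0 = enable, 1 = prompt, 3 = disable.
DISABLE = 3
# The active-content actions the advice above wants switched off outside Trusted.
LOCKDOWN_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1405": "Script ActiveX controls marked safe for scripting",
}

def split_host(fqdn):
    """IE stores 'host.domain.tld' as Domains\\domain.tld\\host; a bare domain gets no host subkey."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), None
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def build_lockdown_reg(trusted_sites, lock_zones=(ZONE_INTRANET, ZONE_INTERNET, ZONE_RESTRICTED)):
    """Return .reg text that maps the business sites to the Trusted zone and
    disables the active-content actions in every other zone (Trusted keeps its defaults)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for site in trusted_sites:
        domain, host = split_host(site)
        key = f"{ZONEMAP_KEY}\\{domain}" + (f"\\{host}" if host else "")
        lines += [f"[{key}]",
                  f'"http"=dword:{ZONE_TRUSTED:08x}',
                  f'"https"=dword:{ZONE_TRUSTED:08x}', ""]
    for zone in lock_zones:
        lines.append(f"[{ZONES_KEY}\\{zone}]")
        for action, description in LOCKDOWN_ACTIONS.items():
            lines.append(f"; {description}")            # ';' starts a .reg comment
            lines.append(f'"{action}"=dword:{DISABLE:08x}')
        lines.append("")
    return "\n".join(lines)

def parse_reg(text):
    """Read the dword entries of .reg text back into {key: {name: int}} so the
    generated policy can be checked before anyone imports it."""
    data, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            data[key] = {}
        elif key and line.startswith('"') and "=dword:" in line:
            name, value = line.split("=dword:")
            data[key][name.strip('"')] = int(value, 16)
    return data

if __name__ == "__main__":
    # Constructed host names standing in for the company's own IE-only sites.
    print(build_lockdown_reg(["intranet.example.com", "dealers.example.net"]))
```

Because everything lives under HKEY_CURRENT_USER, the file has to be imported in each user's profile (or pushed by domain Group Policy); it does not touch the Trusted zone, so the IE-only company site keeps working while the Internet zone loses ActiveX and scripting.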


Blaming MS is REALLY a solution...

by rmazzeo In reply to I would have wiped it

First of all, if my company spent that amount of time on each PC, we'd be out of business in a month. We strongly urge our clients to save important files, because in this situation we don't even bother to look at the HDD, except to make sure the drive itself is healthy. We simply wipe it & start anew. Matter of fact, it's in the contract that we are not responsible for lost data. In non-infestation cases we will try to save data, but the client knows that this cost is extra & we still don't guarantee saving anything. Most of our clients now know to copy important stuff to other media, so it's all about education, first of all, & making the client aware that any data that we try to save will cost them. It works, as our business is booming & we have few complaints.
That said, your comment about blaming MS instead of the user taking control is counterproductive. It's no longer an excuse to state that "oh, I'm computer illiterate...". If that's the case, you shouldn't own a PC at all. The user must take the responsibility of knowing the basics of computer use & security, including anti-virus & anti-spyware programs. After all, most 6-year-olds can use a PC these days; there's no excuse for an adult to be stupid or ignorant about a PC if they own one. The OS is the OS, it is what it is, other add-on SW is necessary now & always will be. Even Linux & Mac are starting to see trojans & virii, so let's take our collective heads out of the sand & take responsibility for our PC use, rather than blame everyone around us, including the OS makers.


You were too good to them

by oldbag In reply to My recent experience with ...

I agree with JD. I would have backed up the user data and started fresh. Yes, there are holes in the OS that allow spyware, even if the user is not admin but I'm willing to bet that this user would be more careful if they had to get all the drivers etc reloaded.

I am finding that I am less and less sympathetic to users who do not take appropriate steps to protect company equipment. I'm tired of users complaining about pop-ups and slow systems when they have been told repeatedly that the systems are for business use.

Maybe I am getting grumpier but I am now more inclined to wipe a system and start over. It just works out better that way.


You're right, next time will be different...

by UncleRob In reply to You were too good to them

plus I'm too tired to do that again,

it's very depressing to spend all that time on a system, you get to a point where you have invested too much time to go back and yet you feel like you aren't gaining any ground either.


Rule of thumb

by jdclyde In reply to You're right, next time w ...

know when to pull the plug on a project, and don't be afraid to do it.

A few scans to see how bad things are is fine, but after the third utility and there are still issues, dump it.

I JUST got done working on a Thinkpad that was crashing. I cleared off the MANY malware infections and viruses, but it still kept crashing. After working on this for a day, I was able to determine that the hard drive was bad.

Normally I would not have spent so much time, but this user is on the board of trustees, so special treatment, if you know what I mean!

I showed him where he could get the same laptop off eBay for $75, or get a new system for $500 (it is for his kids, so they won't use his work system).


Yes - but not quite

by pkr In reply to You were too good to them

It is not always the user's fault, and it is certainly not the user's fault that Microsoft ships an OS that will be infected in virtually seconds after being connected to the web, unless you shovel out a sizeable sum on third-party SW and HW to protect it. A lot of car analogies spring to mind, but I'll spare you this time.

I have demonstrated a PC getting so infected during INSTALL that the install wouldn't finish, let alone download all the needed fixes, and this was a preloaded PC. The manual read, "Connect and power on all your HW, connect to your modem or broadband, and power up the PC. The installation will run without you having to interact. Congratulations on selecting a leading quality **** PC, recommending Windows".
There are several areas in Windows where it is very difficult for a central IT admin to create a PC that will function hands-off at a remote site, maybe even in a different part of the world. Anyway, I am afraid DRM and region coding will soon make it impossible.

We did the "If it is not fixable in 10 minutes, re-image." Supported by the strictly enforced rule of storing ALL data on central servers. Later we switched everything to Domino/Notes plus a knowledge management system on top of that, with locally replicated DBs for off-site personnel. This removed the need for local data storage on individual PCs to a point where we scrapped all PCs and changed to a full Citrix/Wyse thin client set-up. That effectively removes 90% of your support jobs.

Thanks for the article, it makes good reading and confirms my opinion that AdAware is slacking off.


Thanks for the reply...

by UncleRob In reply to Yes - but not quite

I really appreciate the good comments & feedback I've rec'd thus far. It's also confirmed a fact that everyone else pretty much believes: that re-imaging the pc was the best way to go, a point I believe as well, although I find it pretty sad that you have to re-image a pc to combat spyware - a very sad state of affairs for the Windows OS. You would think that M$ better than anyone else would have an idea as to how to combat spyware for their operating systems; since they aren't open source systems, they have a definite advantage as to the workings of their operating system and how to make it strong enough to survive / prevent a spyware/virus infestation without resorting to re-imaging. Is it really practical to do this? Can you imagine if this epidemic affected servers as much as it affects desktop operating systems - thank god my servers are locked down tighter than a new inmate's butt in a max. security prison!

I recently downloaded & installed Windows Vista Beta 2 on a newer workstation just to see what all the fuss was about. Vista is supposed to be a very robust OS with built-in antispyware protection and since I wrote my little blurb on my spyware experience I thought I would see what kind of protection Vista is touting. It turns out Vista comes with M$ Defender, the same antispyware software you can download from M$'s website: M$ Defender Beta 2. If this is what they call built-in spyware protection which will eliminate the need for 3rd party tools, believe me: you will need additional 3rd party tools for combating spyware if you run Vista.

I hear what you're saying about thin clients. For the office & distribution center that I work at, I believe our not too distant future may include a migration to a thin client architecture where the bottleneck becomes the network connection, because the cpu/hd are no longer as important to the pc landscape, and when you remove the hd - you remove the need to scan it for spyware/viruses. It's funny when you think about it: we (our company) started with mainframes & terminals, the pc came into being and we started installing desktops & networks, and now the terminal/thin client is coming back into vogue again; all you need is a network connection and you can get at everything. Web 2.0/Ajax web technologies will probably make installing office productivity apps a thing of the past. If you need a word processor or spreadsheet application, just open up this site address and poof, the application runs - no licenses to purchase or worry about, nothing gets saved locally so you don't have personal backups to worry about. Crazy stuff when you think about it. No matter how many steps you take forward, if you examine your travels closely enough you'll notice that sometimes instead of walking forwards we're just walking in circles and improving what we did in the past (or attempting to at any rate).

thanks again for the positive feedback, it is appreciated.


Circles

by pkr In reply to Thanks for the reply...

I've been in IT since it was invented - first job in 1969.

The 'PC experiment' has been one of the costliest failures in the business world. At a time it was called 'decentralised computing', and some even stated that people should write their own programs - if the staff in accounting didn't like their data-entry programs they should make their own. Utter nonsense.

The office PC might have been better if the OS and apps generally used on them, supplied by Microsoft, had been better, at least adhering to some quality standard. I won't burden you with examples of really bad SW; there are lots to show.

It was a stupid move to store company data spread around the organisation on unstable OSs on unstable HW, maintained by people hired to do something else. The information and knowledge base is the core asset of any organisation - knowledge is power, and it is very strange indeed that even highly qualified management allowed a company base asset to be spread across maybe thousands of PCs without any degree of backup and security. No other business asset would be treated this way; even petty cash is locked away and only a few people have the keys and/or combination to the safe.

Base assets are valuable, and should be stored centrally and taken care of by professionals, just as any other important business assets.

The thin client is a very good way of taking the best of two worlds: the central security and stability known from the mainframe world, and the GUI and possibilities known from the PC world. One must be very careful when selecting the HW set-up in the server farm, as this will be crucial for operation. Optimal would be Linux servers inside a mainframe, but my set-ups have been high-availability set-ups using IBM blades. Installed 4 years ago, and still running with NO DOWNTIME when I left that company 1 year ago.
