My recent experience with a spyware/malware infested XP SP2 laptop
One of our company’s salesmen recently called me complaining of his laptop’s poor performance, nagging pop-ups, frequent reboots, etc.
His laptop is a couple years old already but it isn’t a slouch by any stretch. Aside from my own desktop computer, I run the same model laptop as he currently uses (bkgrnd info: IBM Thinkpad T40, 1.5GHz, 512MB RAM, 30GB HD, 32MB ATI video card, CDRW/DVD, etc.), I find that the laptop is a workhorse, I use it more than my desktop and I can only say good things about it and look forward to my next IBM (I mean Lenovo) Thinkpad when the lease expires on this unit.
He’s a sales manager and he’s on the road on a regular basis, travelling in his sales territory, attending meetings, visiting his dealer network, etc. Any support I usually provide him with is usually remote assistance, thankfully he’s always at a location that provides him with a decent high-speed wired/wireless connection. However his laptop’s performance had degraded to such a poor level that maintaining a remote assistance connection using XP’s remote assistance tool or another remote connection tool that we use proved painful & ultimately useless.
The problem with his laptop was spyware/malware – a lot of it. Although he isn’t sure how he acquired so much of it, one thing was sure that he couldn’t continue operating with the laptop in its present condition, it locked up and prevented him from working with his email and other applications, office apps no longer functioned telling him they needed to be re-installed, etc. We managed to perform some spyware scans which took extraordinary amounts of time to complete and yielded poor results and cleaned up very little of the problem. He ended up shipping the laptop to me and said he would swing by the office in a week to pick it up. I informed him that if I deemed that the spyware/malware infestation was too bad, I would just re-image his laptop after backing up his data. He would still need to deal with bringing in his other computer equipment (printers, scanners, digital cameras, iPod, etc.) to arrange to have the required drivers & software installed to restore their functionality which would require more time – all in all this was turning into a big bowl of $hit soup and I wasn’t really that hungry to begin with. I got the machine the next day and began the cleanup process.
We sometimes have spyware/malware problems with the office machines connected to our local network but using a combination of Ad Aware and Symantec Antivirus took care of any problems so I assumed I would start with that approach – the results of which seemed like wasted effort.
I proceeded to download & install the latest version of SpyBot S&D (v1.04) and I also tried out MS Defender Beta 2, updating all the required components and performing the necessary scans. My first full scan took almost an hour to complete and resulted in finding 100+ different items, I thought I was gaining ground on this problem finally and fixed the items that it found and rebooted the laptop for another scan. I was disenchanted to find that most of the items returned after a reboot.
I rebooted the laptop into safe mode with networking ability, turned off winxp’s system restore and attempted the same repairs again, I first tried Ad Aware again, updating the latest spyware defs and it found very little. I ran Spybot and found a lot more, MS Defender Beta 2 found very little during its scans, rebooted and subsequent spyware scans in safe mode showed that I was apparently gaining ground. Each reboot revealed fewer instances of spyware and I was feeling confident that I had licked the problem, I rebooted normally and logged on as the local machine’s admin (I didn’t login to our network domain) and performed another scan along with downloading the latest windows & office updates (there weren’t that many, less than a dozen combined thanks to automatic updates being enabled), after completing those operations and rebooting, I continued performing other maintenance tasks: disk cleanup, disk defrag, running Norton Windoctor to tuneup the windows registry, cleaning up temp files that disk cleanup never seems to want to flag & remove (ex. C:\Documents and Settings\userid\Local Settings\Temp ), etc.
When I was confident that the pc was running normally again, I rebooted and logged in as the user in question and began to test out his office apps, sync up his email, etc. The pc began to exhibit the same spyware infested behavior again, windows popped up randomly, I noticed command windows popping up and I could literally see files being copied to other locations, internet explorer’s default home page had been changed & redirected, attempting to go to other pages wouldn’t work and it would bring me back to the pages it wanted, etc., on top of that office apps wouldn’t work, etc. I tell you at that moment, it took everything in me to stop myself from turning that laptop into a frisbee and setting a long distance throwing record!
I rebooted the laptop into safe mode and began my spyware scans again, which revealed nothing – how could this be?
From my clean laptop, I began researching this spyware epidemic on the net and I found a lot of helpful resources and downloaded a lot of spyware removal software I hadn’t heard of. All in all, it took a lot of effort to finally clean this laptop of its problems. I won’t go into every detail because this post has already proven that I’m quite verbose. I will give you a list of what I tried and what worked/what didn’t:
1. HijackThis, download available at http://hijackthis.de/
– this app gives you an idea of what is running on your pc, you can use it to identify spyware and their site will also analyze your logs for you and help you identify what’s ok and what isn’t. Highly recommend this app, I used it a lot in conjunction with any new spyware app I tried out to see if they were working or not. I would also identify files by filename that I didn’t recognize and show me their locations on the local pc, I would research the filenames on the net and manually remove them from the pc when the spyware removal tools wouldn’t. Can’t say enough good things about HijackThis!
2. SpyBot S&D v1.04 you can download this app at http://hijackthis.de/
It’s a good start but isn’t a total solution, it helps find a lot of the spyware that doesn’t hide itself very well. Their spyware scanning engine needs more work when it comes to scanning the windows registry.
3. Ad Aware SE v1.06 available at http://www.lavasoft.com/support/download/
It used to be pretty good software but based on my last experience, it has developed into nothing more than a “cookie eater”, it didn’t detect any of the nasties that had infected this user’s laptop. The personal home user’s version is free including updates but I guess you get what you pay for, I can’t complain that much if it’s free (change that I can still complain, it didn’t work well at all)
4. PrevX1 available at http://www.prevx.com/security.asp
During my spyware battle I searched a lot of discussion forums on this topic and a lot of times those in the know mentioned this product, I tried it and I would say it’s very good but it has some cons also. Cons: it doesn’t work in safe mode which I’ve learned is probably the only environment to scan for & remove spyware/viruses/malware, etc. It doesn’t play nice with symantec antivirus/norton antivirus. The software caused several winxp BSODs when it started scanning for spyware – reading up on this topic informed me to uninstall my existing antivirus apps, after which Prevx1 was able to successfully scan for & remove a lot of spyware that Spybot, Ad Aware & MS Defender Beta didn’t find. Its scan engine doesn’t work in safe mode and it tends to be chatty during its real time monitoring and announce every running process & application as it starts, it’s a resource hog but again it found more than a few of the other well known apps so I can’t complain. Once I was done with this app, I uninstalled it and reinstalled Symantec Antivirus client and got my antivirus protection back (as much as symantec can provide anyways)
5. MS Defender Beta 2 available at http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx
This app didn’t find anything, a whole lot of nothing. I’m very disappointed in the performance of this app. I’m assuming that if you release a beta it would mean that product has some useful functionality but it doesn’t. Updating the spyware defs doesn’t work even though they provide a button to perform this function, reading up in an msdn forum shows that Microsoft acknowledges this problem and really wants you to download the definition updates by way of the windowsupdate site or having automatic updates turned on, my question is why have a check for updates button if it doesn’t work? Maybe something more important, shouldn’t the makers of the OS have a better idea & ability to create a tool for scanning & cleaning spyware from its flagship OS? Maybe it’s my logic that’s out of whack for assuming this but I can’t get over this point at all. Maybe it’s why the leeches that create spyware & viruses are so successful, because Microsoft just doesn’t have a clue when it comes to the problems inherently engineered into their OS. It’s very sad, Microsoft if you read this, smarten up, nobody should be better at cleaning up your backyard than yourselves. Telling me to purchase Vista to cure me of my WinXP SP2 spyware problems won’t work either.
6. Ewido Anti-Malware available at http://www.ewido.net/en/download/
– Who knew this product existed? This company’s marketing team needs to kick it up a notch, an excellent product, and the trial version is fully functional and it caught a lot of what the other spyware apps were missing. Maybe I shouldn’t be surprised, Ewido is a Grisoft company and Grisoft makes great antivirus software. Highly recommend it, works great in safe & regular windows modes.
7. Webroot SpySweeper available at http://www.webroot.com/
– they don’t have a functional download you can try, just a scanning tool. I however found a site which offers a fully functional trial version which I used (I will look for the link and post it here) and it found everything that the other spyware apps mentioned above missed. I was impressed because the laptop’s performance had been restored to its original state and I was figuring I was done with my cleanup, on a hunch based on my previous failed assumption that the laptop was clean, I installed the trial and it found a whole bunch of spyware that was cleverly hidden. It flagged the spyware that it couldn’t remove immediately and upon reboot, removed the stuff it found in previous scans. This is a spyware app that would be worth purchasing, it is that good, and it has a special diagnostic mode meant for use in windows safe mode. Needless to say, it caught everything the others missed, removed those stubborn replicating items and upon several reboots & re-scans cleaned the laptop to the point where 0 instances of spyware were found. Rebooting the laptop normally and logging in as the aforementioned user, office applications worked again, internet explorer no longer suffered its hijacked state, browsing the net worked, no more pop up windows, HijackThis revealed no spyware hiding in the background.
8. Cleanup 4.51 http://www.stevengould.org/software/cleanup/
– Great utility for removing temporary files created while surfing, empties the Recycle Bin, deletes files from your temporary folders, prefetch folders, and more.
All in all, this spyware battle easily took over 8 hours (spanned across a few days) to finish. I only went through with this laborious effort because the user didn’t need the laptop for a few days and also to see if it was possible to clean a badly infected machine and it is but it is not economically viable to do this. I could have backed up the user’s personal data and formatted the drive & re-imaged the laptop in less than an hour, joined the machine to our network domain and copied over his personal data and attempted to restore some of his personal settings. The method I used was appreciated by the user because he didn’t have to re-install any personal software/hardware devices and restore any personal settings but I wouldn’t be able to do this on a regular basis.
I can say that I wasn’t defeated by spyware and didn’t have to resort to wiping the drive clean and starting from scratch again but I don’t know if that’s ultimately the truth. If I had to spend this many hours cleaning up this spyware mess then maybe I was defeated, I definitely didn’t get an ego boost out of this (a lesson in spyware removal – yes I definitely got that). If that’s the case I can also say that Microsoft was defeated as well, a machine running Windows XP SP2 with windows firewall enabled, with an up to date antivirus solution in place along with having the most recent windows/office security & critical updates installed didn’t prevent a machine from getting infected/damaged in the first place. This user was running as a Standard user, not as an administrator of the local machine and was still able to encounter this much problem with spyware infecting the very core of the operating system. Obviously this user’s habits need to be curbed and he needs to learn that his online activities and email habits led to this problem and he needs to change his current ways to stop this from happening again.
It doesn’t lend much confidence to the current state of affairs with the windows operating system. I can only hope Vista isn’t like this. Another question is why does it take several different spyware removal tools working together to get the job done? Why can’t one tool do it all? A neat idea would be to have one tool which makes use of several different detection engines used by each of the most popular spyware removal apps (since they all seem to catch something the others don’t) to perform a few consecutive sweeps, reboot again into safe mode, repeat these sweeps just to confirm everything was completely removed, reboot again and that’s it. Instead of 8+ hours, less than 1+ hour and you’re spyware free. What a novel idea, wonder how much it would cost to patent this idea?
Thank you for reading this long-winded post, I await your responses both good & bad (be nice).
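
Added example, not part of the original post: the post describes using HijackThis logs after each cleanup pass to check whether removed items came back after a reboot. The sketch below automates that comparison across three saved logs; the sample logs, entry names, paths and URL are constructed for illustration.

```python
import re

# A HijackThis entry line is "<section code> - <entry text>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, entry) pairs in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def returned_after_reboot(before, after_clean, after_reboot):
    """Entries a scanner removed that are present again after the reboot."""
    removed = parse_entries(before) - parse_entries(after_clean)
    return sorted(removed & parse_entries(after_reboot))

def new_since(before, after_reboot):
    """Entries that did not exist before the cleanup but do after the reboot."""
    return sorted(parse_entries(after_reboot) - parse_entries(before))

# Constructed sample logs (all names, paths and URLs are made up for illustration).
BEFORE = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\examplebho.dll
O4 - HKLM\..\Run: [VendorAV] C:\Program Files\VendorAV\av.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\WINDOWS\system32\exupd.exe
"""
AFTER_CLEAN = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [VendorAV] C:\Program Files\VendorAV\av.exe
"""
AFTER_REBOOT = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O4 - HKLM\..\Run: [VendorAV] C:\Program Files\VendorAV\av.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\WINDOWS\system32\exupd.exe
O4 - HKCU\..\Run: [exupd2] C:\WINDOWS\system32\exupd2.exe
"""

if __name__ == "__main__":
    for section, entry in returned_after_reboot(BEFORE, AFTER_CLEAN, AFTER_REBOOT):
        print("RETURNED", section, entry)
    for section, entry in new_since(BEFORE, AFTER_REBOOT):
        print("NEW     ", section, entry)
```

Take the logs while logged in as the affected user: HKCU entries are per-profile, so a scan run under a different account does not see them.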