Spyware cleanup


AKA the great cleanup of 2006.

I’ve always said that I wasn’t a good test subject to measure how effective any anti-trojan or spyware application is, so while I’ve kept a professional interest in the latest and greatest tools, I hadn’t been given a really good opportunity to try them out, until last week.

A friend of Angela had a laptop that suddenly had this program called Brave Sentry popping up, telling her she was infected, and promising to fix it once she purchased the software, naturally. It wouldn’t shut down, and it had taken over her desktop wallpaper, blocking her from changing it. I suspected that wasn’t the only thing causing problems on this machine, but I wouldn’t know for sure until I got my hands on it. I agreed to take a look at it, and try to get it back to being usable.

When I got the laptop the next night, I confirmed that very quickly. I powered it up, disconnected from any Internet connection, and was greeted by the Brave Sentry warning, by an attempt to connect to iesettings.com, and by a handful of other programs complaining that they couldn’t get connected to the Internet. This whole startup process took a good 5 minutes, so my first stop was msconfig to disable startup items. I found a good 20 to disable, turned off System Restore, and restarted.

It was still a slow boot, and there were still a couple of complaints about not being able to connect, but it was better. At this point, I went looking for the low-hanging fruit. By that I mean the stuff that’s easy to uninstall: the junk that actually gives you an entry in Add/Remove Programs, the obvious spyware exe’s sitting in the Windows directory that weren’t currently running, etc. That got rid of some stuff. Next was to check out her Norton A/V install. It was being disabled by another program, and the definitions subscription had expired a couple of years ago, so I just went ahead and uninstalled the whole thing. It wasn’t doing me any good at this point, and it was just slowing down the machine.

Then I grabbed my thumb drive. First I installed the free version of AVG and ran a scan. (Let’s see how trojaned this sucker is before we get into other stuff!) That found some stuff, some it could clean and some it could not, telling me there were definitely some processes running in memory that didn’t show up as a startup item. That’s important to know going forward. I also installed Grisoft’s new anti-spyware offering, Ewido, along with AdAware and Spybot S&D. I ran Spybot first, and was somewhat disappointed that it didn’t find as many spyware apps as I knew there to be on this machine. It cleaned a bunch and identified some more that it couldn’t clean, but overall, I’m beginning to wonder if Spybot’s usefulness is being surpassed. I got Ewido installed next, and was very impressed with the amount of tools and information available in this program compared to Spybot. It even gave me access to a list of running processes, which was the first time I’d been able to do that on this machine. (Task Manager had been blocked from running.) It even has a tool to identify BHO’s and open ports. (I don’t know which of these options is still available after the trial period in the free version, so take this all with that grain of salt.) The one thing that really disappointed me about Ewido, though, was the registry scan. I ran it, and it came up with nothing. Now, keep in mind that while I had disabled all those startup items, I had not messed with HKLM\Software\Microsoft\Windows\CurrentVersion\Run in the registry yet, so there were a number of spyware apps listed there, and this anti-spyware tool didn’t identify any of the keys. AdAware, on the other hand, did its usual fine job of scanning and cleaning the registry and a number of other files/folders. After all these scans, I knew we weren’t clean yet, but I had to take a chance on connecting to the Internet just long enough to update the definition files for all of these tools. In those 15 minutes, I got smashed with pop-up ads, and I could see something grabbing information and connecting out to the Internet to get new advertising information, so I hurriedly got my updates and disconnected again.

After updating, all the scans found some more things and cleaned them up. Ewido, however, kept identifying some randomly named dll’s as spyware. They wouldn’t get cleaned up, and I couldn’t find any running process that would keep me from being able to delete those dll’s. I tried to use Killbox to delete them, but as much as I like the ease of that tool, it didn’t clean them up either. At this point, I figured I had better find out what process was using these dll’s, so I installed Process Explorer. It confirmed my fears about those couple of dll’s: they were running as part of explorer.exe. It also confirmed that in Safe Mode, without explorer.exe running, those dll’s would gladly attach themselves to winlogon.exe or lsass.exe, basically whatever was available.
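The two checks this part of the post does by hand (reading the Run key that the anti-spyware scanner missed, and using Process Explorer to learn which process has a flagged DLL loaded) can be scripted so the evidence is captured in one place before anything is deleted. The script below is an added example and is not code from the original post or from any of the tools it mentions; it assumes a modern Windows with PowerShell, reads the HKLM and HKCU Run/RunOnce keys, and, for a DLL name you supply, lists every process that currently has it loaded. The DLL name `suspect.dll` is a placeholder, not a real indicator from the post.

```powershell
# Added example (not from the original post): read-only triage of the
# autorun locations and of which process hosts a given DLL.
# Run from an elevated PowerShell prompt; nothing here deletes anything.

# The Run key inspected in the post, plus RunOnce and the per-user equivalents.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Pull the executable path out of the command line (quoted or bare).
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
            # A Run entry pointing at an unsigned or missing binary deserves a closer look.
            $signed = $false
            if ($exists) {
                $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $exists
                Signed  = $signed
            }
        }
    }
}

function Find-ModuleHost {
    param([Parameter(Mandatory)][string]$DllName)
    # Walk every process and look for the DLL in its loaded-module list.
    # Protected or other-user processes may refuse access; those are skipped.
    foreach ($proc in Get-Process) {
        try {
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $DllName })
        } catch { continue }
        foreach ($hit in $hits) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ModulePath  = $hit.FileName
            }
        }
    }
}

Get-AutorunEntries | Format-Table -AutoSize
# Placeholder name: substitute the file your scanner flagged.
Find-ModuleHost -DllName 'suspect.dll' | Format-Table -AutoSize
```

Running `Find-ModuleHost` once in a normal boot and once in Safe Mode shows the same behaviour the post observed with Process Explorer: the DLL reported under `explorer.exe` in one boot and under whatever process was available in the other. Because the script only reads, its output can be kept as a record of the machine's state before cleanup starts.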

At this point, it was time to do some research about this spyware, which was being identified as Adware.Virtumonde, and it was time to assess where I was in this process. Brave Sentry was gone. Almost all of the spyware and trojan files had been removed. I had a couple of dll’s still connecting to the Internet and displaying popups, which continually regenerated themselves and their registry entries whenever I tried to delete them, and I still couldn’t change the desktop wallpaper, though I could get to Task Manager. Definitely time to set this aside and do some more reading about these specific problems. Tomorrow, I’ll talk about what I found out, and how this ends.

4 Responses

  1. Marc

    mmm, cookies …

    I recently had a paying job (woo-hoo) to clean up a pre-teen’s computer. It was goobered up like yours, but not with Bravesentry. I had the best success running Ewido in Safe Mode, then I could run Spybot and AdAware (it would not let me clean with the latter two until I ran Ewido).

    People see these offers for free toolbars or shop-bots and think they’re getting a deal. They get a deal alright – dealing with a headache. I suppose if they keep having to pay someone to clean up the mess eventually they’ll start figuring out the benefits of safe surfing and accounts with restricted rights.

  2. Anonymous

    Oh boy… Been there done this and gave up.

    Why go through all the hassle to remove all the spyware (and possibly virii), when you never know if you got ALL of it, and this person more than likely is going to reinfect their machine all over again?

    Backup their email, and anything else needing to be restored and REFORMAT/REINSTALL Windows, etc..

    By the way, I downloaded Ewido/AVG Antispyware last night to try it out.
    It seems to be a decent program, but the scanner is slow as molasses. Took three times as long as Adaware or Spyware Doctor.

    Mark

  3. Mike McBride

    Mark, a valid question, and one I’ll address in part 3, an epilogue of sorts. 🙂
