You know what I did for, oh, about sixteen straight hours, a few days ago?
I hunted adware.
I'm so ashamed.
I ran one little program I shouldn't have. Firefox 2.0 did actually give me its "dude, I really wouldn't download stuff from here if I were you" warning about the site, but I did it anyway. I trusted the file to be harmless just because a couple of virus checkers said so. In the adventure that followed I found out about an "online malware scan" page that lets you submit any file for easy multi-checker analysis - not that that would necessarily have helped.
Anyway, that's all I did. Executed one little program, saw one brief flicker of a command prompt window, started my descent into heck.
Because one little slip like that is, of course, enough to allow the corpsefelching murderbait who make their money by frightening grandmothers into paying for things like System Doctor and WinAntiVirusPro to leap upon my computer in much the same quivering, sweaty way that I imagine they leap upon small children. And, needless to say, their own mothers.
All I got were adware pop-ups and a few dumb-ass toolbars and such desperately attempting to install themselves, but this nuisance-level problem was extraordinarily persistent.
I'm sure some of you are familiar with the symptoms. You run one or another spyware killer, and it finds various problems and gets rid of them (the mania of anti-spyware programs for describing 90% of all known cookies as a screaming-klaxon "infection" is a subject for another day...), but you know you haven't actually dealt with the problem, because weird-named DLLs and EXEs that you can't delete keep popping up in windows\system32. And crap in the registry matching those files' names, of course. You can delete the registry entries, but they always come back, as do the files, if you or your spyware-killing software manage to delete them.
I have, however, finally gotten rid of the problem, by using an excellent tool that I didn't previously know existed. This is probably the outside scoop for most of you, since my skillz are sufficiently 1337 that I haven't even had to think about installing any sort of anti-malware app since Ad-Aware was the one and only option (digression: Word, Ray!). But perhaps you haven't been keeping up with the malware/anti-malware arms race for the last couple of years either, and I've suffered The Curse of 1001 Reboots for a couple of days. So I figure you all ought to share some of the pain.
What I tried before I found the one tool that worked:
Spybot-S&D, which successfully spotted all of the crap being dropped, but did not spot the dropper, so it all kept coming back.
Ad-Aware, which doesn't seem to be much use any more.
Windows Defender, which was worthless. Windows Defender used, of course, to be GIANT AntiSpyware before Microsoft took it over, and people spoke well of that, so I can believe that it's useful for something. Didn't do dick for me, though.
The Ewido online scanner. Which found something, I think, but didn't fix the problem. I have no clear memories of it, since I was hitting my head on the desk pretty hard around then.
Oh, and the Trend Micro online spyware scan, which I gave up on after it had been running for twenty-six hours without finishing.
Avast and AVG, neither of which noticed anything. They're antivirus programs rather than spyware/adware spotters, but these categories are blurring together.
HijackThis, over whose logs I diligently pored. I knew what every single thing in there was, and not one process had anything to do with the churd-gobbling malware.
A Knoppix boot disc, which didn't help much because it can't write to NTFS disks.
A BartPE boot disc, which was more useful, but still didn't really get me anywhere. You can install anti-malware programs as plugins for BartPE, but they generally don't work very well, because they look for malware on the running system. That, of course, is the clean BartPE environment from which you just booted, rather than the dirty hard disk Windows install from which you just didn't.
If you're dedicated enough to put together a BartPE disc containing a registry editor that can load a registry other than the one it booted with, then you can boot BartPE and load the registry from your hard drive and screw around with it. But this was starting to seem like entirely unnecessary effort to me, because I was going to find the people responsible for the spyware and do something to them with, oh, I don't know, maybe a salami slicer, after which I would presumably be put somewhere where my computer would not be available anyway.
Booting BartPE or some other NTFS-capable alternative OS allows you to look at the files created by the malware when they're not multi-locked by important Windows processes (you can only unlock such files by killing those important Windows processes, and then your computer's broken and can't go on to actually do whatever it was that you wanted to do to the now-unlocked files). Looking is about all you can do, though; if you delete them they'll come back when you restart, and many of them are automatically deleted by the spyware as the system shuts down, anyway.
Various spyware uses this horrible strategy now. It's like a highly evolved version of the old Robin Hood And Friar Tuck story.
Oh, and in case you're wondering, yes, I booted into Safe Mode. Oh, boy, did I boot into Safe Mode.
I became quite intemperately angry about all this. My computer is, to a large extent, where I live. Many crapware victims are fairly mystified by even a perfectly working computer and so aren't necessarily especially irked when windows advertising fraudulent antivirus programs keep popping up, because hey, that's just one more thing they don't understand.
When you do understand and expect the correct behaviour of your computer, though, this sort of thing is like someone breaking into your house just to piss on your bed.
And this crapware may be as persistent as herpes, but apart from that it's not even well-written. One of the pop-ups I kept getting was a series of Firefox tabs (which probably wanted to be Internet Explorer windows) that were obviously getting their "URLs" from some file that wasn't being parsed properly. The result was an attempt to open this, and some other HTML header stuff that Firefox I'm Feeling Luckied into http://www.xhtml.com/en/xhtml/reference/, http://www.strict.com/ and http://www.5,.com/.
This made it feel as if the person who kept breaking into the house and pissing on the bed was doing that because he actually wanted to steal the TV, but did not know what a television looked like.
I suppose if you investigate spyware for a living you build up some tolerance for the sheer subhuman exterminability of the people responsible. But I'm not quite there yet. You strap 'em into Old Sparky, I'll throw the switch. Or, more realistically, join the queue for my chance to do so.
Anyhoo, after all this, I stumbled upon Prevx1, when I searched for the name of one of the numerous strange DLLs that kept appearing in my system32 directory.
(Malware writers don't yet, at least, seem to have figured out how to give their files misleading dates. So if you order files by Date Modified, you can easily see the ones that were created on the day when your computer got the clap.)
Prevx1 is a commercial product, but it's got a fully functional trial period - it's not one of those stingy programs that scans for ages, finds a long list of scary problems, then tells you you've got to pay if you want them fixed.
[UPDATE: At some point after I originally wrote this post, Prevx morphed their software into "Prevx CSI", which is now the same "ransomware" as many other commercial spyware killers. It finds infections, but won't kill almost any of them until you pay for a license. I have no idea whether the new version of Prevx currently works any better than the genuinely free anti-spyware options like Ad-Aware and Spybot S&D. Actually, I suspect SUPERAntiSpyware to be the best of the freeware crop, as of mid-to-late 2008.]
It brings to malware-hunting the collaborative user-network approach that's already been employed in spam-fighting. This approach only works better than the traditional kind of virus-definition-file system if you've got a well-connected network of users, but Prevx1 does.
And Prevx1, finally, worked.
It cleared that adware right up, leaving one still-mildly-locked but easily deleted file, and a few deactivated files and pointless registry entries, plus their symptoms like an unconnected Add/Remove Programs entry for some toolbar or other. Oh, and a few more of those cookies that Spybot and the rest think are such a big deal. CCleaner tidied most of the unconnected registry garbage for me.
Anyway, if I'd tried Prevx1 first, none of the other crap would have been necessary. A regular user would be happy with the unadorned result of the Prevx1 scan.
Without Prevx1, though, it would have been damn close to impossible to clean the computer from this one, single, 28-kilobyte-file-induced infestation, without formatting the boot drive and reinstalling.
Since Prevx1 managed to fix it, I presume someone with spare time, an outboard registry editor and a few Sysinternals tools could have done the same thing. That rules out most of the people who're paid to clean up spyware for others, though, and sure as hell rules out nearly every plain old user who would like to clean their own computer.
Plenty of spy/ad/whateverware infestations are less horrible than mine, but I'm willing to believe that a lot of them are a great deal worse, given the enthusiasm of ordinary users for (a) sticking with the default Windows root access and (b) installing every darn thing they see, just to see whether the little Desktop Stripper will get it on with BonziBuddy and the Crazy Frog.
In the olden days, support people who just told callers to reinstall Windows were taking the easy way out. They may have had to do it, given the number of callers they had to get through, but reinstalling was still not by a long shot the optimal recovery strategy for almost any problem.
These days, though, I think it's quite likely that many spyware infestations just can't be fixed by any means less annoying than nuking from orbit. Prevx1 fixed mine, and perhaps it'll go from strength to strength and become the go-to guy for all such problems for the foreseeable future, but I wouldn't bet on it.
Given this fact, and also given the vast amount of time wasted and pain caused by crapware of all kinds, I suppose it would still be uncharitable of me to suggest that the persons responsible could benefit greatly from, say, having a glass turkey baster jammed up their penis, which could then be struck smartly with a club hammer.
I've had a while to develop some perspective now, though, and I'm afraid I really can't see another way.
UPDATE: As I mention here, Prevx have a malware database which you can search by filename.
Herewith, a thingy to do that from here:
26 November 2006 at 3:51 am
I ran into this a last week with a similar small file. Like you, I Knew Better and it was My Own Damn Fault.
While I'm usually up for a game of adware whack-a-mole, I couldn't afford to destroy the Windows install this time around. I gave a halfhearted effort at cleaning for about ten minutes, and then resorted to Windows XP System Restore. And it worked.
I used to hate this feature back in 2002 when XP was a resource-sucking pig of an OS and 2K was what everybody *ought* to have used. These days, I wouldn't dream of turning it off.
Now, however, every future potentially nefarious file gets its own Windows 98 sandbox in VMWare. If it trashes that install, I don't care; I can revert to an OS snapshot in about ten seconds.
David
26 November 2006 at 4:57 am
This inspires a sometime-today documents DVD backup.
26 November 2006 at 2:32 pm
Let me point out, in case you haven't noticed yet, that Micro$oft has made their Virtual PC 2004 available as a free download. Such Virtualization software provides emulates in software a set of computer hardware for running a REALLY sandboxed OS on. EULA's mean you theoretically need a full retail (not OEM) box for putting Windows into the VM; in practice, an OEM will install fine if you're not worried about a few lawyers. I have (all legal) copies of DOS, Win98, Win2K, and WinXP installed, plus a current Fedora Core.
VPC includes an easy roll-back feature, letting you undo anything done between power-on and power-off if you like. This facilitates the removal of various forms of crapware. So, if Zango wants you to install their latest piece of crapware to watch some streamed pr0n, you can download it, install the crapware on the VM, and get rid of it completely when you've, ah, finished. I use this OS routinely for browsing anything I know is in the more slime-infested part of the web. (For really toxic stuff, I use VPC, FC5, and "curl"; sort of like a containment box, gloves, and tongs.)
Once you've got an infected machine, the best tactic I know of is to remove the hard drive, hook it up to one end of a ATA to USB/FW adapter like the WiebeTech toys you reviewed once, and plug the other end into a known-clean system (with autorun disabled).
As for the punishment, I'd suggest a standard incandescent bulb suppository, with the screw-connector removed by your aforementioned hammer after insertion. Much more embarrassing to explain when you go to the hospital. Will they claim they were involved in sexual perversion, or admit to being a spammer?
26 November 2006 at 8:11 pm
I had this a couple of months ago - should have known better but had file extensions turned off, the file had a PDF icon, so I double-clicked it without thinking. Saw the command prompt flash that Dan mentioned, noted it's dissimilarity to the expected Acrobat Reader, and felt that awesome sinking feeling in my gut that's usually reserved for the innocent email-attachment-clicking drones that populate our offices/families. I -think- I got rid of it manually, the active parts anyway, but there was still that nagging doubt in my mind - what if I just got the decoy? Like most of you reading this I'm no idiot on a PC but I don't exactly have intimate knowledge of -every- facet of Windows and it's possible vulnerabilities/exploits. And where things like internet banking are concerned I couldn't take the chance, so I bit the bullet and reinstalled. It's definitely getting to the point where I'm considering setting up a virtual machine for that kind of thing.
27 November 2006 at 2:01 am
It's times like this I wish for a sort of lockdown program. Something that, when executed, will prevent any new programs from running unless they're on an approved list, and also cuts off net access until I allow it again.
Failing that, I've often had to get a little sneaky to reduce the overwhelming crapload long enough to remove the source of the infection. One thing I've done several times is delete the key files one at a time, replacing them with empty files of the same name with all the permissions removed. The result is a file that the crapware's reinstaller can't overwrite. Doesn't get rid of the installer, but at least it disables that part of the mess so I can go after the source.
27 November 2006 at 2:45 pm
Jax, would Faronics' product meet your need? But any which way, maybe read this Slashdot discussion on the subject, there's some handy info in there.
27 November 2006 at 2:52 pm
Dan, would something like GoBack or RestoreIT help in this case? Assuming you could live with losing whatever changes you've made since boot.
27 November 2006 at 5:45 pm
Back when I was a computer technician, I spent almost the entirety of 2005 getting rid of crapware from Little Johnny's computer. This taught me a thing or two about removing stubborn stains like the above mentioned. I found BartPE to be particularly useful for doing a manual System Restore for those times when even if Windows could boot into any kind of mode, it wouldn't get further than a cursor on a blank screen. Needless to say, you can distill the important parts from that KB page down to a batch file changing the file names.
Worked a treat nearly every time. Once booted to a clean state, all the dropped files are rendered more or less harmless and can be safely disposed of. Naturally, this only works if you catch it more or less straight away rather than the common "this durn com-pu-tor ain't done worked right since last harvest season".
27 November 2006 at 6:39 pm
What a coincidence... This weekend, I helped installing my dad's new computer. In the progress, he wanted a new theme/visual style (you know, StyleXP, getting rid of the blue WinXP look).
So we searched themexp's site and found a couple of interesting themes to test out.
After downloading it, I found that it was an installer (weird, it should have been a zipfile or something) and upon starting this installation, we were told that to make our lives better, the theme we wanted was encapsulated with some nice software.
At that point, I aborted the install and began the install anew on his old laptop (which would be wiped anyway) and went ahead, trying to dodge all the extra software. Unfortunately, some of the software (toolbars and the likes) was forcefully installed or we wouldn't get the theme.
To make the story short, it took less than 5 minutes after it was installed before his F-Secure antispyware started to scream of pain. And five more minutes, the system just went blank and wouldn't restart.
We managed to boot into safe mode (by stripping the battery since somehow, the powerbutton didn't work at all, not even the 4 second force off). But in safemode we weren't able to logon. And a normal reboot would send the laptop into the same spin as before after about 1-2 minutes after logon.
So if you ever get hold of the guys who make this "software", please let me know and we can take turns holding/beating before we finally cook them slowly.
And ohyeah, avoid downloading ANYTHING from http://www.themexp.org since it's wrapped in spyware and such.
27 November 2006 at 8:52 pm
Deepfreeze is useful, but not quite in the way I meant. I'd like to be able to run a program when Things Go Wrong that simply stops any new programs from launching. This would greatly slow down the spreading of malware, and let me shut down parts of it without having them start back up again a half a second later.
A few months ago I found myself in one of those delightful what-have-I-done positions, where any one of the 6 running tasks would restart any of the others if you were to shut one down. The solution I found was to launch several very processor intensive programs (Paint shop pro, emule, nero, trillian, etc) all at once in an attempt to tie up the CPU long enough to kill all 6 tasks. It worked, but I wouldn't count on it working with the next round of malware.
28 November 2006 at 12:50 am
A handy program that I always have running is Unlocker. It can get around programs that hold files in use *points finger to explorer.exe and that damn thumbnails thing*. You try to delete the offending file, normal in use message appears (even though say photoshop doesn't even have the damn file open) click ok as normal.
After clicking ok unlocker will pop up a window identifying the process holding the file open, you can choose one of actions at the bottom (rename, delete, move) and/or then press unlock.
The file will be released from memory, and you can delete as normal (if you didn't use one of the actions), no shutting down of offending program is required. If the file can't be unlocked then the program can delete immediately on reboot, before much of windows starts up.
This little (freeware!) program has got me out of a pickle more than once, the best use is when avg and norton cleaned up most traces of a virus (not my computer), but could not clear a stupid dll that was hooked into every god damn process that was running so it could not be deleted.
I installed unlocker (after clicking another 1000 detected virus screens from norton due to it running with every process). When unlocker was running I tried to delete the file (in use blah blah blah), then unlocker popped up with the scariest unlock screen I have ever seen (every running process including system idle!).
I hit unlock all which of course required a reboot due to system files holding the virus file open and boom! on reboot pesky file gone! a small registry clean up later (symantec security response told me where to look) and I was done.
Awesome little program for the grand cost of nothing.
http://ccollomb.free.fr/unlocker/
28 November 2006 at 1:02 am
Oh and another way to remove crap from single drive computers (ie. not raid) is to rip the drive out of said computer, stick it in yum cha usb drive box of your choice and plug it into another computer (making sure the drive doesn't attempt an autorun by holding the shift key) and delete said annoying file.
28 November 2006 at 1:21 am
Uh - yeah. I kinda, um, linked to my piece about unlocking programs in the post.
I use Unlocker too, now. It was perfectly useless against this adware :-).
28 November 2006 at 3:02 pm
Suggestion to MrWorf and others. When I'm trolling "free" software/screensaver/theme/etc sites I always make sure to do a Google search on the site name and "malware" before downloading anything. If a site carries bad software you'll almost always be able to figure it out by examining just the Google summaries, or by reading one or two page-one hits.
Example: http://www.google.com/search?q=themexp+malware
28 November 2006 at 11:20 pm
my favourite trick with malware files that just won't go away is to blank out the ntfs permissions and leave them in place till the system is otherwise clean then take ownership and delete.
29 November 2006 at 10:15 am
I had a similar issue with some adware a while ago, in the end I managed to track down a tool called KillBox. It is an application that allows you to delete files that are in use. This was the only way I could get rid of the offending dll.
Regarding Bart PE, I have found the Ultimate Boot CD For Windows to be very useful. It is a tool for building a Windows XP Boot CD that has a lot of useful tools on it, including a registry editory.
Mind you both of these tools aren't for the layman or faint of heart. I refuse to give Killbox (or recommend it) to anyone who is going to cause more damage than the adware with it.
James
30 November 2006 at 7:13 am
So... I run BSD. What's this "malware" thing I keep hearing about anyway?
I've done the VMWare dance though, complete with backups of the fresh install and everything. Too bad it was completely unsupported and not very useful for me.
"One of these days", I think the expression goes, I'll set up Xen so that I can play with fire too. From behind a blast screen.
24 January 2007 at 12:44 am
It isn't always guaranteed, and hopefully you won't need to do it in the future, but I've found that setting the file security to deny execute and read access to any of the files involved and then rebooting can sometimes help with the really persistent ones.
9 February 2007 at 6:48 pm
Yeah, I had a similar experience yesterday ...
Somehow a trojan got onto my computer and it took me the best part of a day to figure out how to get rid of it ...
I knew something was wrong when I heard the hard drive churning for 10 minutes non-stop when nothing was running onscreen.
I checked Task Manager and an instance of "iexplore.exe" was
sucking up CPU cycles - but Internet Explorer wasn't running so it was obviously some type of virus/trojan.
But that wasn't the worst of it.
* It somehow corrupted my install of AVG so I couldn't run it
* It also corrupted my install of Spybot S&D so I couldn't run it
* It changed all folders on my computer to Read Only, so I
couldn't download and re-install AVG or Spybot
* I tried using online scanners and other malware/AV programs but they were either automatically shut down after a period of time (I'm assuming when they come into contact with the file?) or they simply didn't detect the malware.
* It somehow generated a BSOD when I tried to boot into Safe Mode
I did some research and found a post in forum that said the only thing that someone found that got rid of it was a program called PREVX.
I'd never heard of it, so I Googled it, found it was legit, installed the free trial and it detected and removed the trojan immediately.
Needless to say, I purchased a subscription.
I hope this helps someone.
Cheers
Nick :)
4 March 2012 at 12:22 am
My preferred strategy is to throw away the user account and create a fresh one. Assuming the account is Limited (you DO use a Limited account for everything except system administration, RIGHT?), that generally solves the problem. Data can be copied over as long as you're careful not to copy malware over with it.
(Yes, theoretically privilege escalation is always possible on Windows systems, due to an API design flaw that cannot be corrected (without destroying all pretense of backward compatibility), so something that gets in through a Limited account COULD, in theory, take over the whole system. In practice, however, a very high percentage of Windows systems only have one account, with admin privileges, and so privilege escalation is generally unnecessary. There is Windows malware that uses privilege escalation, but to the best of my knowledge almost all of it gets in through other means, e.g., vulnerable network services. Trojans generally don't bother; they just run in the user account. Thus, as I said, you can throw out the account and Bob is your uncle in almost all cases.)
Incidentally, Knoppix *can* write NTFS, but at the time you posted this it didn't do so by default, so mount -o remount,rw /dev/whatever was needed to make it happen, so it's easy to understand a Windows user not really knowing it was available. And, as you discovered, the mere ability to write to the filesystem would only have solved your problem if you'd known what to write (or, more particularly, what to delete). Also, the same thing can be accomplished by logging into a different user account -- again, assuming that the compromised account is Limited, which of course it was, because you DO use a Limited account for routine day-to-day operations, obviously.