You know what I did for, oh, about sixteen straight hours, a few days ago?
I hunted adware.
I'm so ashamed.
I ran one little program I shouldn't have. Firefox 2.0 did actually give me its "dude, I really wouldn't download stuff from here if I were you" warning about the site, but I did it anyway. I trusted the file to be harmless just because a couple of virus checkers said so. In the adventure that followed I found out about an "online malware scan" page that lets you submit any file for easy multi-checker analysis - not that that would necessarily have helped.
Anyway, that's all I did. Executed one little program, saw one brief flicker of a command prompt window, started my descent into heck.
Because one little slip like that is, of course, enough to allow the corpsefelching murderbait who make their money by frightening grandmothers into paying for things like System Doctor and WinAntiVirusPro to leap upon my computer in much the same quivering, sweaty way that I imagine they leap upon small children. And, needless to say, their own mothers.
All I got were adware pop-ups and a few dumb-ass toolbars and such desperately attempting to install themselves, but this nuisance-level problem was extraordinarily persistent.
I'm sure some of you are familiar with the symptoms. You run one or another spyware killer, and it finds various problems and gets rid of them (the mania of anti-spyware programs for describing 90% of all known cookies as a screaming-klaxon "infection" is a subject for another day...), but you know you haven't actually dealt with the problem, because weird-named DLLs and EXEs that you can't delete keep popping up in windows\system32. And crap in the registry matching those files' names, of course. You can delete the registry entries, but they always come back, as do the files, if you or your spyware-killing software manage to delete them.
I have, however, finally gotten rid of the problem, by using an excellent tool that I didn't previously know existed. This is probably the outside scoop for most of you, since my skillz are sufficiently 1337 that I haven't even had to think about installing any sort of anti-malware app since Ad-Aware was the one and only option (digression: Word, Ray!). But perhaps you haven't been keeping up with the malware/anti-malware arms race for the last couple of years either, and I've suffered The Curse of 1001 Reboots for a couple of days. So I figure you all ought to share some of the pain.
What I tried before I found the one tool that worked:
Spybot-S&D, which successfully spotted all of the crap being dropped, but did not spot the dropper, so it all kept coming back.
Ad-Aware, which doesn't seem to be much use any more.
Windows Defender, which was worthless. Windows Defender used, of course, to be GIANT AntiSpyware before Microsoft took it over, and people spoke well of that, so I can believe that it's useful for something. Didn't do dick for me, though.
The Ewido online scanner. Which found something, I think, but didn't fix the problem. I have no clear memories of it, since I was hitting my head on the desk pretty hard around then.
Oh, and the Trend Micro online spyware scan, which I gave up on after it had been running for twenty-six hours without finishing.
Avast and AVG, neither of which noticed anything. They're antivirus programs rather than spyware/adware spotters, but these categories are blurring together.
HijackThis, over whose logs I diligently pored. I knew what every single thing in there was, and not one process had anything to do with the churd-gobbling malware.
A Knoppix boot disc, which didn't help much because it can't write to NTFS disks.
A BartPE boot disc, which was more useful, but still didn't really get me anywhere. You can install anti-malware programs as plugins for BartPE, but they generally don't work very well, because they look for malware on the running system. That, of course, is the clean BartPE environment from which you just booted, rather than the dirty hard disk Windows install from which you just didn't.
If you're dedicated enough to put together a BartPE disc containing a registry editor that can load a registry other than the one it booted with, then you can boot BartPE and load the registry from your hard drive and screw around with it. But this was starting to seem like entirely unnecessary effort to me, because I was going to find the people responsible for the spyware and do something to them with, oh, I don't know, maybe a salami slicer, after which I would presumably be put somewhere where my computer would not be available anyway.
Booting BartPE or some other NTFS-capable alternative OS allows you to look at the files created by the malware when they're not multi-locked by important Windows processes (you can only unlock such files by killing those important Windows processes, and then your computer's broken and can't go on to actually do whatever it was that you wanted to do to the now-unlocked files). Looking is about all you can do, though; if you delete them they'll come back when you restart, and many of them are automatically deleted by the spyware as the system shuts down, anyway.
Various spyware uses this horrible strategy now. It's like a highly evolved version of the old Robin Hood And Friar Tuck story.
Oh, and in case you're wondering, yes, I booted into Safe Mode. Oh, boy, did I boot into Safe Mode.
I became quite intemperately angry about all this. My computer is, to a large extent, where I live. Many crapware victims are fairly mystified by even a perfectly working computer and so aren't necessarily especially irked when windows advertising fraudulent antivirus programs keep popping up, because hey, that's just one more thing they don't understand.
When you do understand and expect the correct behaviour of your computer, though, this sort of thing is like someone breaking into your house just to piss on your bed.
And this crapware may be as persistent as herpes, but apart from that it's not even well-written. One of the pop-ups I kept getting was a series of Firefox tabs (which probably wanted to be Internet Explorer windows) that were obviously getting their "URLs" from some file that wasn't being parsed properly. The result was an attempt to open this, and some other HTML header stuff that Firefox I'm Feeling Luckied into http://www.xhtml.com/en/xhtml/reference/, http://www.strict.com/ and http://www.5,.com/.
This made it feel as if the person who kept breaking into the house and pissing on the bed was doing that because he actually wanted to steal the TV, but did not know what a television looked like.
I suppose if you investigate spyware for a living you build up some tolerance for the sheer subhuman exterminability of the people responsible. But I'm not quite there yet. You strap 'em into Old Sparky, I'll throw the switch. Or, more realistically, join the queue for my chance to do so.
Anyhoo, after all this, I stumbled upon Prevx1, when I searched for the name of one of the numerous strange DLLs that kept appearing in my system32 directory.
(Malware writers don't yet, at least, seem to have figured out how to give their files misleading dates. So if you order files by Date Modified, you can easily see the ones that were created on the day when your computer got the clap.)
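The "order system32 by Date Modified" triage in the paragraph above, written out as an added Python example (this is not code from the original post, and the directory name, infection timestamp and file names in it are all constructed for the demo). It lists .dll/.exe files whose modification time falls inside a window around the suspected infection date, newest first, and hashes each one so the name or hash can be looked up in a multi-engine scanner or a malware database. Files that cannot be read (for instance because a running process holds them locked) are still reported, with the hash left empty rather than aborting the survey; and since a modification time is just metadata that can be altered, the result is a short list of things to investigate, not proof of anything.

```python
"""Survey a directory for files modified around a suspected infection time.

Added example, not code from the original post. Uses only the standard
library. The demo directory, timestamps and file names are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed: the moment the "one little program" was run.
INFECTION_TIME = datetime(2007, 1, 14, 21, 0)


def sha256_of(path: Path):
    """SHA-256 of a file, or None if it cannot be opened (locked, no access)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def files_modified_near(directory, when, window_hours=24.0,
                        suffixes=(".dll", ".exe")):
    """Return [(mtime, name, size, sha256)] for top-level files in `directory`
    with a matching suffix whose mtime is within +/- window_hours of `when`,
    newest first. mtime is forgeable, so treat this as triage, not proof."""
    lo = when - timedelta(hours=window_hours)
    hi = when + timedelta(hours=window_hours)
    hits = []
    for entry in Path(directory).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in suffixes:
            continue
        st = entry.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)
        if lo <= mtime <= hi:
            hits.append((mtime, entry.name, st.st_size, sha256_of(entry)))
    hits.sort(key=lambda t: t[0], reverse=True)
    return hits


def build_demo_dir(root):
    """Create a constructed stand-in for system32: a few old system files,
    two odd-named newcomers, and a non-executable touched the same evening."""
    samples = {
        "kernel32.dll": datetime(2006, 9, 1, 10, 0),      # old, legitimate
        "shell32.dll": datetime(2006, 12, 1, 8, 30),      # old, legitimate
        "qwxrtp.dll": datetime(2007, 1, 14, 21, 3),       # appeared at infection
        "pqzlmv.exe": datetime(2007, 1, 15, 2, 10),       # dropped overnight
        "notes.txt": datetime(2007, 1, 14, 21, 5),        # wrong suffix, ignored
    }
    for name, stamp in samples.items():
        p = Path(root) / name
        p.write_bytes(b"constructed sample content for " + name.encode())
        ts = stamp.timestamp()
        os.utime(p, (ts, ts))  # set both atime and mtime to the constructed stamp


def demo():
    """Build the constructed directory in a temp folder and survey it.
    Returns the list of suspect file names, newest first."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_dir(tmp)
        return [hit[1] for hit in files_modified_near(tmp, INFECTION_TIME, 12)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_dir(tmp)
        for mtime, name, size, digest in files_modified_near(tmp, INFECTION_TIME, 12):
            print(mtime.isoformat(sep=" "), name, size, digest or "<unreadable>")
```

On a real machine the same function would be pointed at the Windows system32 directory with the date the rogue program was run, and the resulting names and hashes are what you would feed to a filename lookup or an online multi-scanner.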
Prevx1 is a commercial product, but it's got a fully functional trial period - it's not one of those stingy programs that scans for ages, finds a long list of scary problems, then tells you you've got to pay if you want them fixed.
[UPDATE: At some point after I originally wrote this post, Prevx morphed their software into "Prevx CSI", which is now the same "ransomware" as many other commercial spyware killers. It finds infections, but won't kill almost any of them until you pay for a license. I have no idea whether the new version of Prevx currently works any better than the genuinely free anti-spyware options like Ad-Aware and Spybot S&D. Actually, I suspect SUPERAntiSpyware to be the best of the freeware crop, as of mid-to-late 2008.]
It brings to malware-hunting the collaborative user-network approach that's already been employed in spam-fighting. This approach only works better than the traditional kind of virus-definition-file system if you've got a well-connected network of users, but Prevx1 does.
And Prevx1, finally, worked.
It cleared that adware right up, leaving one still-mildly-locked but easily deleted file, and a few deactivated files and pointless registry entries, plus their symptoms like an unconnected Add/Remove Programs entry for some toolbar or other. Oh, and a few more of those cookies that Spybot and the rest think are such a big deal. CCleaner tidied most of the unconnected registry garbage for me.
Anyway, if I'd tried Prevx1 first, none of the other crap would have been necessary. A regular user would be happy with the unadorned result of the Prevx1 scan.
Without Prevx1, though, it would have been damn close to impossible to clean the computer from this one, single, 28-kilobyte-file-induced infestation, without formatting the boot drive and reinstalling.
Since Prevx1 managed to fix it, I presume someone with spare time, an outboard registry editor and a few Sysinternals tools could have done the same thing. That rules out most of the people who're paid to clean up spyware for others, though, and sure as hell rules out nearly every plain old user who would like to clean their own computer.
Plenty of spy/ad/whateverware infestations are less horrible than mine, but I'm willing to believe that a lot of them are a great deal worse, given the enthusiasm of ordinary users for (a) sticking with the default Windows root access and (b) installing every darn thing they see, just to see whether the little Desktop Stripper will get it on with BonziBuddy and the Crazy Frog.
In the olden days, support people who just told callers to reinstall Windows were taking the easy way out. They may have had to do it, given the number of callers they had to get through, but reinstalling was still not by a long shot the optimal recovery strategy for almost any problem.
These days, though, I think it's quite likely that many spyware infestations just can't be fixed by any means less annoying than nuking from orbit. Prevx1 fixed mine, and perhaps it'll go from strength to strength and become the go-to guy for all such problems for the foreseeable future, but I wouldn't bet on it.
Given this fact, and also given the vast amount of time wasted and pain caused by crapware of all kinds, I suppose it would still be uncharitable of me to suggest that the persons responsible could benefit greatly from, say, having a glass turkey baster jammed up their penis, which could then be struck smartly with a club hammer.
I've had a while to develop some perspective now, though, and I'm afraid I really can't see another way.
UPDATE: As I mention here, Prevx have a malware database which you can search by filename.
Herewith, a thingy to do that from here: