Tuesday, February 3, 2009

Spyware and Malware and Viruses, Oh My!

A couple of years ago I built a computer for my daughter.

Last weekend she brought it back because, "it was running slow".

Those have become my least favorite words: "it's running slow". I have several computers at the house. None of them are technically slow. My oldest daughter complains that her computer is slow when www.myspace.com is slow. I gave up trying to explain that it's the website, not the computer.

But, my youngest daughter's computer was running slow. It was infested. I'm still not entirely sure what all infested it and I'm not sure I killed it all. I gave her one of my other computers to use and I'll re-install this one from scratch.

But as a warning to my multitude of happy readers I am here to tell you not to download stuff off the Internet. I've said this before. Only download it if you trust the site you are downloading from. This malware infestation is coming because kids think they can get stuff for free. My daughter, just the other day, was wanting to watch Twilight. The Twilight movie is not out on DVD. It used to be at the theaters, but it has recently been pulled. It's in that "in between" stage. It's not showing at the regular theaters, it's not yet at the dollar theaters and so it's not on DVD. But, she wanted to watch it. So, she searched for it on the Internet. This is where the majority of people go wrong. There are good bargains and good deals on the Internet, but if it's not right, don't download it unless you really know what you are doing. "If it sounds too good to be true, it probably is."

As an experiment, go to www.google.com and do a search for Twilight or something to do with Twilight Movie and watching online. I guarantee you'll get some promising results. And when you go to the site, they'll say something like, "Watch the high definition version of Twilight now for free! All you have to do is install our extra special viewing software!". Then, if you are obsessed like my daughter was, you'll be clicking on "Download", "Install", "Run", "OK", "OK", "OK", and before you know it, your computer too will be "running slow".

I've got this computer at home that I'm about to install Windows 7 on. I downloaded the Beta yesterday and will probably install it today. But, just as an experiment and to learn some things, I decided to try and get all the Spyware, Malware and Viruses off the computer mentioned above.

It's not easy. I'm not convinced I was successful. The first thing I noticed was the pop-ups. No matter which browser I used, I was getting popups. That was insane. I also noticed that XP Service Pack 3 had not been installed. I know when I built the computer, I had enabled "Automatic Updates". The Automatic Update feature had been turned off. I turned it back on. As soon as I turned it back on, something turned it back off.

I know a bit about computers so I went and looked at the registry. In the RUN entry there were some DLLs getting loaded using rundll32. This is dangerous. Plus they were named odd things like neguzon.dll or some such thing. There were at least 3 entries. I wrote them down. Then I looked at it again and one of the entries had changed. Apparently they had a random name generator that was generating random names and renaming or copying the DLL and editing the registry entry. This was some pretty fancy stuff. So I downloaded "Spyware Terminator" from Snapfiles. I download all my stuff from Snapfiles. They haven't infested any of my computers yet.
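The two things the post noticed by hand (rundll32 entries in the Run key, and entries that changed between two looks) can be checked with a short script. This is an added example, not code from the post; the sample Run values are constructed to resemble what the post describes, and the optional live read uses Python's standard `winreg` module on Windows.

```python
import re

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values, modelled on the post (the real names on that machine differed).
SNAPSHOT_1 = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "neguzon": r"rundll32.exe C:\WINDOWS\system32\neguzon.dll,a",
    "xqvtzk": r"rundll32.exe C:\WINDOWS\system32\xqvtzkpw.dll,b",
}
# Same key read a second time: one rundll32 entry has been renamed.
SNAPSHOT_2 = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "neguzon": r"rundll32.exe C:\WINDOWS\system32\neguzon.dll,a",
    "bqrwlm": r"rundll32.exe C:\WINDOWS\system32\bqrwlmhf.dll,b",
}

# Matches an optionally quoted/pathed rundll32[.exe] followed by the DLL path,
# which ends at the comma that separates it from the export name.
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)

def rundll32_targets(entries):
    """Map value name -> DLL path for every entry that runs through rundll32."""
    out = {}
    for name, cmd in entries.items():
        m = RUNDLL_RE.match(cmd.strip())
        if m:
            out[name] = m.group(1).strip('"')
    return out

def diff_snapshots(before, after):
    """Entries added, removed or rewritten between two reads of the key."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed

def read_run_key():
    """Read the live HKLM Run key on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(data)
            i += 1
```

On the infected machine you would call `read_run_key()` twice a minute apart and pass both results to `diff_snapshots`; any rundll32 entry that comes and goes under a new name is the renaming behaviour the post describes.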

I downloaded Spyware Terminator because it had the best rating from Snapfiles. I was impressed with it. It immediately verified what I had already found. It has a real time scan that warned me when things were getting added to the registry without my permission and allowed me to block them. Unfortunately, after messing with it for about an hour, the only thing I can say for sure, is that it gave me lots and lots of information. When I asked it to quarantine or fix the stuff, it seemed to suffer defeat.

So, I downloaded the one a friend of mine at work talks fondly about. It's called Spybot Search and Destroy. I don't think it comes with a real time monitor. At least not in the free version. However, doing the system scan revealed all the bad stuff. When I told it to remove the bad stuff it said, "300 entries removed. 221 unable to remove. Can I remove on reboot". That's not the exact phraseology, but it's close. I told it that it could do whatever it needed to do.

What it does is put a bunch of commands in the RUNEX portion of the registry. The best that I can tell, these things get run before anything else. So it added 221 commands to the registry to get executed upon reboot. When I rebooted, it did its thing, but not without some funkiness. Some of the commands didn't work for some reason so I ended up having to push "OK" to the Windows error message about 100 times.

When it was done, I tried the Automatic Updates again. It got further, but it was still being disabled. I don't know why. I tried to install the SP3 that I had downloaded earlier. Previously, it would try to install, but then give me some strange error about 1 megabyte of hard drive space and bail. After running the Spybot Search and Destroy I was able to install SP3. I'm still not sure all the bad stuff is gone, but it doesn't matter. Next is a grand erasing of the hard disk during the install of Windows 7. The beta expires sometime in August, but it'll be interesting.
