I Love The Smell Of Spyware Burning In The MorningMarch 8, 2008 – 4:07 PM
I now have even greater sympathy for people suffering a spyware infection than ever before. I spent the better part of Tuesday night fighting off the worst spyware infection I have ever seen or heard of.
Someone was kind enough to donate a copy of VMWare for me to use for testing. VMWare is software that pretends to be an entire computer and lets you install operating systems on it inside of a window. It makes it much faster and easier to test things than using a whole test PC. If I destroy the operating system, I can just shut down VMWare, restore a back up and have it up and running again within seconds.
I have spent the last two days playing with VMWare and decided Tuesday to go visit a certain wrestling fan site, a site infamous for installing all manner of spyware. I was told that this site was guaranteed to be a rich hunting ground for spyware. The person who said that sure wasn’t kidding.
Let me begin this next part with an important note. Nothing at all happened until I said “Yes” to an ActiveX prompt. As bad as the infection is that I am about to describe, nothing would have happened if I had said “No” to that first prompt. Keep that in mind the next time you see an ActiveX prompt. NEVER SAY “YES” TO ACTIVEX PROMPTS THAT POP UP OUT OF NOWHERE!
There. Now that I’ve set off every spam filter in the world….
Warning! Geekspeak ahead.
By clicking “Yes” to the security warning, one spyware was installed. That first spyware downloaded and installed three other spywares. Those installed three new spywares each. Spyware was procreating on my computer at a geometric rate!
Six new toolbars showed up in Internet Explorer. Something deleted the Google Toolbar entirely. Three new icons appeared in the system tray. Three internet shortcuts appeared on the desktop and well over a hundred more showed up in my “Favorites” folder. Dozens of processes were loaded into memory. 200 new files appeared on the hard drive as well as over 400 new registry entries. And pop-ups were appearing at a rate of five per minute.
Within half an hour, my virtual computer was as infested with malware as anything I have ever seen at the message board.
I believe my favorite was the AdDestroyer program. That one sat in my system tray popping up ad windows, then declaring that “Your trial has expired. Click here to block pop-ups like that one.”. It made a very obnoxious squealing noise every time it did it.
Verrry nice. I believe the Federal Trade Commission sued a company last year for doing that.
Once I had decided that all the spyware that was going to be installed was installed, I set about trying to remove it all.
First, I tried three different antispyware scanners. No help there. If they didn’t crash, anything they removed came right back. It took me over an hour to determine that this was a lost cause.
Giving up on the automated scanners, I fired up HijackThis. If you’ve never heard of that one, it is a small program created by Merijn (Dutch spelling of Merlin), a university student in The Netherlands. Based on my original Browser Hijacking article and expanded upon continuously ever since, this program finds, lists and optionally deletes most of the start up locations, registry entries, browser helper objects, toolbars, services and other things installed by malware.
I scanned with HijackThis, selected several dozen entries to remove and clicked “Fix”. That killed most of it. Unfortunately, more than a dozen entries were reinstalled immediately. I rebooted and tried several more times with the same result. These particular malware programs had companion files loaded into memory watching for attempts at removal. Delete something and they immediately replace it. One of them even started to place randomly named start up entries for randomly named files placed in random locations on the hard drive. Sheesh!
The next thing I tried was the process killer bundled into HijackThis. I killed the memory processes that I suspected were protecting the malwares. Doing that allowed me to disable at least two more malwares. Still, a half dozen entries remained no matter how many times I tried to remove them.
After figuring out which processes were responsible for replacing these last few entries, I tried to kill them out of memory. That didn’t go so well. Every time I killed one process, another process would reload it. Kill that one and the other reloaded it. When I tried killing them all at once, it nearly crashed the computer, so I stopped trying that.
The next thing I tried was Killbox. Killbox is a program for deleting stubborn files. It can delete files immediately, delete them on reboot, replace a file with a dummy file on reboot, force explorer.exe to exit while it deletes a file, unregisters DLL files, kills processes and even lets you delete a whole raft of files at once.
I told Killbox to delete the offending malware files on reboot and then restarted the computer. Nothing. Not a single one of those files was missing after Windows loaded again. Clearly, these little critters weren’t going to give up without a fight.
I restarted the computer in safe mode next. That didn’t help things very much at first as the spyware loaded even in safe mode. At this point, I realized that I had overlooked something. Some of the remaining malware was loading as NT services. I might have shaved an hour or two from this whole exercise if I had noticed that in the beginning. Chalk that up to my being a little rusty at killing hijackers.
I opened the Management Console to stop and disable those two services and things became a little easier. Still in safe mode, I had Killbox kill explorer.exe and delete the malware files one at a time. Then I ran HijackThis again and removed all of the entries. This time, they stayed gone.
I restarted normal Windows and scanned again with HijackThis. Nothing. Every single entry was gone. Then I scanned with Ad-aware to clean up the remaining trash and …. well …. take a look for yourself:
Remember, HijackThis is not a spyware remover. It only allows you to *disable* hijacks and spyware while leaving the inactive files and nonfunctioning registry entries for other cleaners to tidy up. What you see in those screenshots is what was left behind, after I finally disabled all the garbage on the computer. Or rather, after I *thought* I had disabled everything.
While Ad-Aware was right in the middle of removing those hundreds of entries, one last stubborn malware managed to load from nowhere (I mean that literally, keep reading) and started spawning pop-up ads.
I have absolutely no idea what loaded this file or how. There was no start up entry for it. There were no suspicious looking memory processes or services running. It wasn’t hooked into Explorer. When it was in memory, you could see the file. When it wasn’t in memory, the file did not exist anywhere on the hard drive. It simply appeared out of nowhere, popped up a few ads and then vanished right back into nowhere. That’s a nice trick. I intend to figure out how it did that.
During one of its appearances, I dumped its memory to a text file. Inside were the names of six other files scattered throughout the Windows folder. I had Killbox delete every one of those files as well as the Houdini file and that was the end of that (I think). I left the VM window open all night when I went to bed just to be sure. There were no more pop-ups and no malware present when I woke up.
I am fairly sure there were inactive remnants of this massive infection littered all over my virtual computer after I was done. Ad-aware cleaned up nearly 600 items. Spybot found several dozen more. X-Cleaner, SpySweeper and PestPatrol all found bits and pieces scattered all over the place. Finally I just gave it up as a lost cause and shut off the virtual computer. The important thing was that the active infection had been killed.
It took five hours to clean up a hijacked PC that was right in front of me. Someone just tooling around on their first computer, with no real knowledge of how a computer works, either would have given up and set the computer on fire or taken it to a PC repair shop. Most repair shops would just throw their hands in the air, format the hard drive and be done with it. Those that stuck with it as long as I did would have charged roughly $350 (assuming five hours at $70 per hour at a fairly cheap repair shop).
All of that because I clicked the “Yes” button on a security warning. Think about that the next time you see an ActiveX warning.
For those of you geeky enough (or masochistic enough) to think that all of this sounds like fun, I have something for you. Thousands upon thousands of people show up at SpywareInfo’s message board every single day with infected PCs screaming for help. We have literally hundreds of experts, developers, advisors and other helpful members who do their best to walk these people through the steps necessary to fix their computers. Still, so many people show up that it often takes days for someone to receive any assistance.
If you would like to take a shot at helping some of these people, we would be happy to show you exactly how to do it. It’s a little different to fix a computer when it’s not in front of you and all you have to go by are text logs. We have a “boot camp” where all the tricks of the trade for fixing a malware infection over a message board are taught. Consider it a crash course in remote computer repair. If you are interested, read this page and follow the instructions.