Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Sunday, February 19, 2006

PART 2 - Dangerous Spyware - Why you shouldn't assume you got it all removed.

RTA Information Technology, Tempe, AZ

Two more examples of why attempting to remove malware isn't a great idea, and how you can re-install Windows XP, fully patched, in less than an hour of your personal time.

I provide online help on a popular Internet technology forum. It's fun to help people in need, and I learn a lot in the process.

I recently participated in two malware-related problems that point out some flaws in the "Just Remove the Spyware" philosophy.

Problem One:

A homeowner has a network with six computers. He runs AVG Antivirus and Microsoft Antispyware on all of them. He noted that, two weeks earlier, AVG had caught and cleaned a virus.

Shortly after, Comcast turned off his Port 25 (direct email) traffic, saying that his home was the source of SPAM. At Comcast's request, he downloaded and ran McAfee's free suite, which included McAfee Antivirus, Privacy, My Security Service, and Personal Firewall. All of the PCs checked out fine, with no infections. He asked Comcast to re-open his Port 25 access. Comcast complied, and then shut him down again two days later.

Concerned, he examined the McAfee Personal Firewall on all his PCs. On his daughter's computer, he found 800 inbound access attempts, while the other PCs were showing none. Looking deeper, he discovered there was a Windows NT Logon process running, with 25 IPs attached to it. The IP addresses were from all over the globe: India, China, Russia, etc. Running McAfee's Personal Firewall for three days, he found her computer had sent 2.7GB of outbound traffic!
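Finding which of six PCs is the SPAM source, as the homeowner had to in Problem One, is easier when a script tallies the firewall log instead of eyeballing it. The following is an added example, not code from the original post: it parses constructed lines in the W3C-style format that Windows Firewall on XP SP2 writes to pfirewall.log (the owner used McAfee's firewall, whose log format differs) and, for each local PC, counts dropped inbound attempts, distinct outbound peers, and outbound port-25 connections. The addresses, the 192.168.1.x local prefix and the thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample log in the format Windows Firewall (XP SP2) writes to pfirewall.log.
# Hosts, addresses and timestamps are invented: 192.168.1.12 plays the infected PC,
# 192.168.1.5 a clean one.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-02-15 18:01:02 DROP TCP 203.0.113.10 192.168.1.12 4321 445 48 S 1 0 0 - - - RECEIVE
2006-02-15 18:01:03 DROP TCP 198.51.100.7 192.168.1.12 5555 135 48 S 1 0 0 - - - RECEIVE
2006-02-15 18:01:05 OPEN TCP 192.168.1.12 203.0.113.50 1045 25 - - - - - - - - SEND
2006-02-15 18:01:05 OPEN TCP 192.168.1.12 198.51.100.9 1046 25 - - - - - - - - SEND
2006-02-15 18:01:06 OPEN TCP 192.168.1.12 192.0.2.77 1047 25 - - - - - - - - SEND
2006-02-15 18:02:10 OPEN TCP 192.168.1.5 192.0.2.80 1100 80 - - - - - - - - SEND
2006-02-15 18:02:11 DROP TCP 203.0.113.10 192.168.1.5 4322 445 48 S 1 0 0 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data line; '#' header lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9:          # malformed line, ignore it
            continue
        events.append({
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "sport": f[6], "dport": f[7], "path": f[-1],   # path is RECEIVE or SEND
        })
    return events


def summarize_hosts(events, local_prefix="192.168.1."):
    """Per local host: inbound drops, distinct outbound peers, outbound SMTP connections."""
    stats = defaultdict(lambda: {"inbound_drops": 0, "out_peers": set(), "smtp_out": 0})
    for e in events:
        if e["path"] == "RECEIVE" and e["dst"].startswith(local_prefix):
            if e["action"] == "DROP":
                stats[e["dst"]]["inbound_drops"] += 1
        elif e["path"] == "SEND" and e["src"].startswith(local_prefix):
            stats[e["src"]]["out_peers"].add(e["dst"])
            if e["dport"] == "25":          # direct mail delivery, what Comcast blocked
                stats[e["src"]]["smtp_out"] += 1
    return stats


def suspicious_hosts(stats, max_peers=20, max_smtp=5, max_drops=100):
    """Flag local hosts whose activity stands out. Thresholds are assumptions and
    must be tuned to the network; a home PC normally talks SMTP to one mail server."""
    flagged = {}
    for host, s in stats.items():
        reasons = []
        if len(s["out_peers"]) > max_peers:
            reasons.append(f"{len(s['out_peers'])} distinct outbound peers")
        if s["smtp_out"] > max_smtp:
            reasons.append(f"{s['smtp_out']} outbound SMTP (port 25) connections")
        if s["inbound_drops"] > max_drops:
            reasons.append(f"{s['inbound_drops']} dropped inbound attempts")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize_hosts(parse_firewall_log(SAMPLE_LOG))
    # Deliberately low thresholds so the tiny sample triggers; raise them for real logs.
    for host, why in suspicious_hosts(stats, max_peers=2, max_smtp=2, max_drops=1).items():
        print(host, "->", "; ".join(why))
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file contents. The point is the same one the homeowner reached by hand: a single PC opening mail connections to many unrelated addresses, while its siblings open none, is the machine to rebuild, regardless of what the scanners say.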

He was aghast that all of these tools hadn't caught the perpetrator. So he looked for more tools. He installed F-Secure's BlackLight (a rootkit detector). It found nothing. Then he installed Kaspersky AntiVirus. It found the following programs, which both McAfee and AVG had missed:

Trojan.WIN32.CRYPT.O
Exploit.HTML.MHT

He still hasn't figured out how to get rid of these. They're resisting the combined efforts of all his malware-removal software.

Effort Expended:
THREE Antivirus programs downloaded, installed, and scanned.
TWO Antispyware programs downloaded, installed, and scanned.
ONE Rootkit detection program downloaded, installed, and scanned.
Phone calls to ISP about the problem.

End Result:
Problem still exists.


Problem Two:

A college student has a severe adware popup problem on his laptop. It makes using the computer a pain. He reports that he goes to school all day, and then works for a legal firm in the evenings. He has almost no free time to spend on fixing his computer. He already had FOUR antivirus programs and three spyware-removal programs installed.

He reported that he only uses the laptop for notes and email.

I advised him to back up his notes and email and re-install Windows XP. If he takes his laptop to his law firm, or if he logs onto the company's email server or onto their VPN, he risks contaminating the entire company or divulging his passwords through a keyboard-logging trojan.

His response was that he didn't have four hours to waste reinstalling Windows. But he continued to spend time posting on the help board, asking others to help him remove his malware. Other posters continued to give him the standard malware-removal advice. These included:
a) Run more Spyware Scans.
b) Run a rootkit detector.
c) Run HijackThis and post the results in a spyware-removal forum.

My Advice:

Instead of spending time becoming a malware removal expert, spend the time on making a (necessary) backup and learning how to use your computer safely.

The most effective course of action (and least-time-consuming over the long run):
1) Back up your important data. You SHOULD have backups anyway. Hard drives fail ALL THE TIME.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application. I recommend MS Antispyware, since it's free and works fairly well. Keep your AV and A-Spyware definitions current.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT. Do NOT use your computer with an account that has Administrator rights. It's asking for trouble.
6) Learn the rules of safe web surfing so you won't have any more problems.


The student's response was that he didn't have time for all this, and could someone please show him how to fix his problem.

My Response:

1) Bedtime: Go to Microsoft.com/downloads and download XP SP2 patch. Go to bed. Time: 5 minutes.
2) Morning: Tell PC to burn XP SP2 patch to a CD or copy it to a USB hard drive. Go to school. Time: 5 minutes.
3) Bedtime: Run FAST Wizard in XP and tell XP to back up all your files and settings to another PC or to a USB hard drive. Go to bed. Time: 5 minutes.
4) Next morning: Insert the XP Install CD and tell XP to re-install. Go to school. Time: 30 minutes.
5) Evening: Arrive home and XP is installed. Double-click the XP SP2 patch to install SP2. You can use the PC in the meantime if you want. Time: 5 minutes.
6) Run the FAST Wizard in XP and tell XP to put all your files and settings back on your new system. Time: 5 minutes.
Total time invested: Less than an hour, plus any re-installs of applications you need. Plus, you end up with a recent backup of your important files.
Total computer downtime: Less than an hour.


Of course, he isn't going to take my advice.

Effort Expended:
THREE Antivirus programs downloaded, installed, and scanned.
FIVE Antispyware programs downloaded, installed, and scanned.
Multiple posts on a help forum.

End Result:
Problem still exists.

Update From PC Owner:
.....At ~6:30 pm, my laptop started acting really funny, and when I checked, all of its memory resources were being used by some unknown program....I went home, woke laptop up (to backup notes), and when I logged into my account everything went nuts.... Sounds came out of my speaker like none I have ever heard before, the cpu cycled wildly from 0 load to 100% load, hard drive spun like nuts...I powered off the laptop and rebooted in safe mode. Everything looks ok, until I try to run any program or open any of my files. As far as I can tell, every one of my non system files is now corrupted and unreadable.....

Just in case anybody cares to take my advice, let me repeat it:

1) Back up your important data.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT.
6) Learn the rules of safe web surfing so you won't have any more problems.

Seek and Ye Shall Find - Getting Found on the Internet

RTA Information Technology, Tempe, Arizona

My clients, small business owners, are constantly battling to be discovered by potential customers. One way to be found is by having a public web site. But just having a web site isn't enough. Customers have to be able to FIND your web site.

Go to MSN Search or Google Search and type my name: "Myron Johnson"
In the MSN Search, half of the first page will be links to my web pages. I'm not nearly as popular on Google, but you'll still find me.

On the other hand, I've seen clients with web sites that couldn't be found even if you knew the name of the company!

What's the difference?
Web site Search Engine Optimization.

How do you get found on search engines?
There are three steps:
1) Get indexed by search engines
2) Have relevant content on your web pages, including Titles and Descriptions that are appropriate to each web page
3) Get the search engines to rank your site above all others

Get Indexed by Search Engines
First, you must be found by the search engine. All the search engines are constantly probing the Internet, looking for web sites and changes in sites. The sites are indexed by keywords that are stored in huge databases. Besides the content of the sites, things like the Titles and Descriptions of the web pages are indexed.

Have Relevant Content on Your Web Pages
The search engine compares the search term entered, calculates how well each web site matches the search term, and then lists the matches. Sites are ranked by how well they match the search term, but in case of a tie, the site with the highest importance wins.

Convince Search Engines That Your Site is "Important"
To place high in search rankings, search engines must consider your site to be important. Google periodically ranks the importance of web sites. All sites are ranked on a scale from 0 to 10, with 10 being the most important. Google's ranking system is a bit fuzzy, and changes periodically, but it's generally agreed that the number of links to your site, especially from "important" sites on the Internet, will greatly affect your site's own importance rating.


What does this mean to you, the web site designer?

Well, you obviously have to get your site listed on the major search engines. There are free submission forms on many sites, including Google's. If you can get in one search engine, other engines will usually find you eventually. The discovery process can take a month or two. The number-one search engine is Google. More people use it than any other engine. Yahoo is next. MSN Search is next. AOL probably follows MSN. If you want many people to find your web site, you want to be listed on the most popular search engines.

But you also have to have relevant content on your web pages. Think about what a searcher would use as a search term. Make sure that the most likely search terms are included on at least one web page on your site. Be sure that the Title and Description of your web pages also include the most important search terms.

Other rules about web pages:

Search engines like to see unique content. Zillions of links to other sites aren't unique content. Neither is a list of repeated search words. Most web designers believe that the best policy is to write significant, original content for your site.
Make your pages fairly long. You should have several hundred words on each page.
Include your most important key words as Headers and near the top of the page.

If you follow these rules, you should be able to significantly improve your search ranking in MSN Search. Look at how well "Myron Johnson" does in MSN Search.

Google is tougher. First, Google hasn't even updated its page rankings in five months. If you create a site today, it could take five more months to get a non-zero page rank. Unless your site has very unique content, it'll be hard to show up anywhere near the top in search rankings. Expect more like the tenth page of listings until you get a non-zero Page Rank.

How do you know your Google Page Rank?
Download the Google Tool Bar, http://toolbar.google.com , and set it so you can see the PageRank of each page you browse.

Some other key information about Google Page Rank:
http://www.pagerankprediction.com displays the current Page Rank of your web page, plus a prediction of its rank after the next Google PageRank update.
http://www.mcdar.net/Q-Check/datatool.asp displays the rank of your web page when a specified search term is submitted. Google, it turns out, has multiple datacenters. You may find that some datacenters will rank your page higher than others. For a certain search term, my home page ranks between 7th and 200th in the listings!

I've left the subject of "backlinks" to last. This is the art of getting other important sites to link to yours. You can PAY for links, but Google frowns on it and if the paid links come from a "link farm", you may find they don't help your PageRank. The overall best way to get incoming links is to create unique and worthwhile content on your web site. Then let other people and web site owners know about your site. You can also create a blog, which may find readers interested in your content.