From the mailbox: Cleaned by a pro–Ripoff?

I had what was apparently a pretty bad infestation of spyware crud on my Win XP box. Aurora, Limewire, some other stuff. I couldn’t clean it out myself, gave up, and got a referral on a local tech guru.

He showed up, took one look, and said he had to take the system to the shop or I wouldn’t like the bill. I let him, and he brought it back clean two days later, with a bill for $180. Seems clean, and he added some blocking on installs, and updated my patches.

Was this pretty typical? I lost days here. Bill wasn’t bad, considering.
_________________
Joe

OK, so I’m still learning all this %$#!!

Typical? Sounds quite reasonable. Could have been much more expensive. You lost days, but saved money, because the tech didn’t attempt to clean the system in your office. If he had, he would have run a series of cleanup programs, some taking 15+ minutes to run while he attempted to look like he was doing something. For some items in the autoplays, he would have needed access to another computer to search for identification and for more specific removal tools that take out single programs–Aurora is one of those that the general-purpose tools don’t take out.

Overall, it’s much easier to do this back at the shop, with reference materials handy, another PC for patch downloads, a high-speed internet connection for patch updates, and most important, the ability to walk away while the scans run, because you really do have to run multiple tools to clean up the mess. Onsite, you probably would have had to feed him lunch. Maybe dinner. Rented a room. Offsite, he could keep working on other projects, and not bill by the hour while he did other things.

You have been Updated

Yup, that’s what’s on screen this morning. I’ve been Updated, and there is this always-on-top message asking me to click on “Update”. Somehow or another, Viewpoint Media Player slipped past a fully-patched Win 2000 Pro setup with blocking in place on the autoplay settings. The product claims to send non-personally-identifiable information back to a server in order to run a toolbar, and online research claims that it hijacks search results. There’s no toolbar here, so I’ll guess I saw the very first message. AdAware and SpybotSD don’t identify it as a threat.

It doesn’t play fair. I can highlight the license agreement, but it won’t let me copy it. Same on a ‘Who is viewpoint?’ entry. Well, I did capture the main window as a jpg. As adware goes (if that’s all it is), it’s pretty tame. I had no trouble removing it by killing the process viewmgr.exe, running the Viewpoint uninstall, and cleaning out two related files from the temporary files folder. I’m curious how it got past my blocks.

Virgin Windows Report–Win XP Home, SP2 OEM

Just finished building a new box for a client. Took the opportunity to grab the task list. The list below is what Windows Task Manager reported as running processes immediately after installation, after hardware detection, but before any drivers were installed. No patches, no antivirus, no software installs of any kind, no exposure to the internet, or even to a CDROM other than Windows itself.

OS version: Windows XP, Service Pack 2, OEM edition
Motherboard: MSI M8M Neo-V, with AMD Sempron 2800+ processor.
Hardware support below, if any, was autodetected during install–no software or driver installs had been run when this process list was captured:

alg.exe
csr.exe
Explorer.EXE
lsass.EXE
msiexec.exe
services.exe
smss.exe
svchost.exe (5 instances running)
System
System Idle Process
taskmgr.exe
winlogon.exe
wmiprvse.exe
wpabaln.exe
wuaudit.exe

As I (or others) build more systems, we’ll post more of these “Virgin Windows Task Lists”.

I didn’t have a chance to grab a HijackThis log of the box in this condition, but I will next time, to get a more complete picture of just what is part of the default configuration.
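A baseline like this is most useful when a later capture is compared against it. The sketch below is an added example, not part of the original post: it parses task lists in the format used above (including the "(5 instances running)" shorthand) and reports what differs. The function names are hypothetical, and the "later" capture is constructed for illustration.

```python
import re
from collections import Counter

# Baseline copied from the task list in this post (clean XP Home SP2 install).
BASELINE = """\
alg.exe
csr.exe
Explorer.EXE
lsass.EXE
msiexec.exe
services.exe
smss.exe
svchost.exe (5 instances running)
System
System Idle Process
taskmgr.exe
winlogon.exe
wmiprvse.exe
wpabaln.exe
wuaudit.exe
"""

# Constructed later capture (not real data): installer finished, one more
# svchost, different letter case, plus viewmgr.exe from the Viewpoint post.
LATER = (BASELINE.replace("msiexec.exe\n", "")
         .replace("(5 instances", "(6 instances")
         .replace("Explorer.EXE", "EXPLORER.EXE") + "viewmgr.exe\n")

# "name" optionally followed by "(N instances running)".
_LINE = re.compile(r"^(?P<name>.+?)(?:\s+\((?P<n>\d+) instances? running\))?$")

def parse_task_list(text):
    """Return Counter {lowercased image name: instance count}."""
    counts = Counter()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = _LINE.match(line)
        # Image names are case-insensitive on Windows; repeated lines add up.
        counts[m.group("name").lower()] += int(m.group("n") or 1)
    return counts

def diff_against_baseline(baseline_text, current_text):
    """Return (new names, missing names, {name: (baseline, current)} counts)."""
    base, cur = parse_task_list(baseline_text), parse_task_list(current_text)
    new = sorted(set(cur) - set(base))
    gone = sorted(set(base) - set(cur))
    changed = {n: (base[n], cur[n]) for n in base.keys() & cur.keys()
               if base[n] != cur[n]}
    return new, gone, changed

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, LATER))
```

A name match only shows that nothing new by name is running; it says nothing about where the image was loaded from, so treat the output as a list of things to look at rather than a clean bill of health.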