Infection Report

Did another spyware cleanup today. User reported that a spyware cleanup tool appeared immediately after running Windows Update. My guess: the update process changes some Internet Explorer settings back to defaults (known), and at that point a third-party toolbar sitting in the “c:\winnt\downloaded program files” folder was able to run a delayed install.

Moral of the story: Empty the downloaded program files before running Windows Update. Easy method: use Drive Cleanup, from My Computer, Control Panel, right-click on the drive, choose Properties, Tools (tab), and Drive Cleanup. Or just navigate to the folder and wipe out the contents manually.

If All Software was this Good

I’ve been looking, as always in recent months, at a lot of computers that don’t run right. Most have massive infections that include from a few dozen to several thousand spyware and adware bits and chunks, including files, autorun shortcuts, folders, processes, and registry entries.

Two computers were a little different last week. The first was for a client I visit regularly, and there was already autorun-blocking software in place. Two new items had gotten past the blocks. One was routine, and then there was yet another “I’m not spyware, no, really!” toolbar. Nothing strange there, although the program was designed not to be removable by Spybot or AdAware. What’s new is that the program has a functional add/remove entry, which really did delete the program, although it did pause for a marketing pitch to keep the product, and then took me to a marketing web page afterwards in the hopes of adding some other product to the system. Good marketing.

The second computer had a massive infection, and multiple passes with multiple cleanup tools were needed just to reduce the boot time from seven minutes. The usual tools, plus some surgical intervention in the registry, took care of most of the usual suspects. There was still clearly an infection, and a leftover message at shutdown, telling me that a program was not responding.

Looking a little closer, and examining the running services, I found the name of the process that matched the shutdown error. And I was able to end it, no problem, no error. Went back into the process list. It’s back! Did some Google searches, and found that the program included two processes. OK, ended the other one first. It came back, too, instantly. Hmmm. This program just can’t be crashed. This is like the Klez virus of a few years back; it had two programs running that each repaired the other, and each repaired the autostart entries of both, on the fly, without having to wait for a reboot. All our software should be so stable.
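The mutual-repair pattern described above leaves a recognizable trace in process telemetry: each component is started again within a second or two of being terminated, and the parent of the replacement is the other component. The script below is an added example (not from the original post) that runs that check over a constructed, simplified process-start/stop log; the `time|event|image|pid|parent_image` field layout, the process names and the two-second respawn window are all assumptions for illustration.

```python
"""Detect a mutually-respawning process pair from start/stop events.

Added example, not from the original post. The input is a constructed,
simplified log loosely modelled on process-create/terminate records:
one event per line, fields separated by '|':
    time_seconds|event|image|pid|parent_image
Field layout, process names and the window below are assumptions.
"""
from collections import defaultdict

RESPAWN_WINDOW = 2.0  # seconds between a stop and the replacement start (assumed)

# Constructed sample: svcmon.exe and svchelper.exe restart each other.
SAMPLE_EVENTS = """\
100.0|start|explorer.exe|900|userinit.exe
101.0|start|svcmon.exe|1200|services.exe
101.1|start|svchelper.exe|1204|services.exe
150.0|start|notepad.exe|1400|explorer.exe
200.0|stop|svcmon.exe|1200|
200.3|start|svcmon.exe|1500|svchelper.exe
230.0|stop|svchelper.exe|1204|
230.2|start|svchelper.exe|1510|svcmon.exe
300.0|stop|notepad.exe|1400|
"""


def parse_events(text):
    """Turn the '|'-separated lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, kind, image, pid, parent = line.split("|")
        events.append({"time": float(t), "kind": kind, "image": image.lower(),
                       "pid": int(pid), "parent": parent.lower()})
    return events


def find_respawns(events, window=RESPAWN_WINDOW):
    """Return (image, stop_time, start_time, parent_image) tuples for every
    image that was started again within `window` seconds of being stopped."""
    respawns = []
    last_stop = {}  # image -> time of its most recent stop event
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "stop":
            last_stop[ev["image"]] = ev["time"]
        elif ev["kind"] == "start":
            t_stop = last_stop.get(ev["image"])
            if t_stop is not None and 0 <= ev["time"] - t_stop <= window:
                respawns.append((ev["image"], t_stop, ev["time"], ev["parent"]))
                del last_stop[ev["image"]]
    return respawns


def find_watchdog_pairs(respawns):
    """Return unordered pairs {a, b} where a was respawned by b and b by a."""
    respawned_by = defaultdict(set)
    for image, _, _, parent in respawns:
        if parent and parent != image:
            respawned_by[image].add(parent)
    pairs = set()
    for image, parents in respawned_by.items():
        for parent in parents:
            if image in respawned_by.get(parent, ()):
                pairs.add(frozenset((image, parent)))
    return pairs


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for r in find_respawns(evs):
        print("respawn: %s stopped at %.1f, back at %.1f, started by %s" % r)
    for pair in find_watchdog_pairs(find_respawns(evs)):
        print("mutual watchdog pair:", " <-> ".join(sorted(pair)))
```

Notepad is stopped but never restarted, so it is not flagged; the two components that keep bringing each other back are reported as one pair. In practice the same logic runs over whatever process-creation source the environment already collects, and the parent-image field is what separates a watchdog pair from a service that simply restarts on its own.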

These programs, and more that aren’t as smoothly done, are competing with commercial software for system resources and CPU time. Consider looking at programs the way a spyware producer would, and ask: Can the program self-repair its settings? Does it include uninstall marketing? Can it survive an automated removal program? All software should be this good. Or evil. Sometimes I get those two mixed up.

Now you see it… Reboot, you don’t.

Yes, indeed. Very clever, these spyware authors. Working on a cleanup, found a spyware component, which turned out to be part of Aurora, that the usual cleanup tools could find but could only remove on restart. Restarted, and amazingly, it’s gone. Only not; it has a new name. Seems this one randomly renames itself on shutdown, so the only way to delete that file is to cut power, restart in safe mode, and delete it. Got Aurora? (It pops up ad messages with ‘Aurora’ on the task bar.) Don’t do it; there are also some other self-repair features involved in Aurora, and it’s not enough just to get that file. Do a Google search for ABIremover.zip and the instructions that go with it.
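A rename-on-shutdown component defeats a delete-on-restart because the tool is looking for the old name. The content does not change, though, so hashing the folder before and after the reboot re-identifies it. The script below is an added example, not from the original post: it compares two constructed name-to-SHA-256 snapshots of the same folder and reports files that kept their contents but changed their name. The file names and contents are constructed; `snapshot_directory` is included so the same comparison can be run against a real folder.

```python
"""Re-identify a component that survives a reboot by changing its file name.

Added example, not from the original post. Two snapshots of one folder
(file name -> SHA-256 of contents) are compared; a hash present in both with
a different name is a rename. The contents and names below are constructed.
"""
import hashlib
import os


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(path):
    """name -> sha256 for regular files directly inside `path` (live use)."""
    snap = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                snap[entry.name] = sha256_hex(fh.read())
    return snap


# Constructed contents standing in for real files.
_PAYLOAD = b"constructed adware component body"
_SYSTEM = b"constructed legitimate library body"
_NOTEPAD = b"constructed notepad body"

SNAPSHOT_BEFORE = {
    "svcmon.exe": sha256_hex(_PAYLOAD),
    "legit.dll": sha256_hex(_SYSTEM),
    "notepad.exe": sha256_hex(_NOTEPAD),
}
SNAPSHOT_AFTER = {
    "qzk81ad.exe": sha256_hex(_PAYLOAD),  # same bytes, new random-looking name
    "legit.dll": sha256_hex(_SYSTEM),
    "notepad.exe": sha256_hex(_NOTEPAD),
    "newfile.tmp": sha256_hex(b"constructed new file"),
}


def compare_snapshots(before, after):
    """Classify files as renamed [(old, new)], added, removed or unchanged.

    Assumes each file's content is unique within a snapshot; two byte-identical
    files under different names would collapse to one entry here.
    """
    before_by_hash = {d: n for n, d in before.items()}
    after_by_hash = {d: n for n, d in after.items()}
    result = {"renamed": [], "added": [], "removed": [], "unchanged": []}
    for digest, old_name in before_by_hash.items():
        new_name = after_by_hash.get(digest)
        if new_name is None:
            result["removed"].append(old_name)
        elif new_name == old_name:
            result["unchanged"].append(old_name)
        else:
            result["renamed"].append((old_name, new_name))
    for digest, new_name in after_by_hash.items():
        if digest not in before_by_hash:
            result["added"].append(new_name)
    for key in result:
        result[key].sort()
    return result


if __name__ == "__main__":
    report = compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for old, new in report["renamed"]:
        print("renamed across reboot: %s -> %s" % (old, new))
    print("added:", report["added"])
    print("removed:", report["removed"])
```

Taking the "before" snapshot from a live system and the "after" snapshot from safe mode, as the post suggests, gives the current name of the file to delete; the hash is also the value to hand to the other cleanup tools so they stop chasing the old name.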

On the same system, found viruses galore, mostly trojans. And Bube, and Home Search Assistant, and a few other self-healing malware delights. Truly a combo platter. Took multiple passes to turn the doorstop into a computer again.