Slaying Dragons: Scumware Removal

I spent a number of hours this weekend removing scumware from a friend-of-the-family’s machine. The following Q&A pretty much sums up what I went through.

Q: What caused all this mess?
A: All these problems were caused by a class of programs known as “adware,” or “spyware,” often called “scumware.” At the most basic level, adware is software that, once installed on your computer, displays advertisements, usually associated with Web sites you visit, and typically in the form of other Internet windows that open.

There are many varieties of this adware. All varieties are annoying, but the most benign ones are installed only at the user's choice, and can be uninstalled easily via the Control Panel. Unfortunately, many types of adware are not so easily removed, and are extremely intrusive in what they do. Even worse varieties are nothing less than viral infections that require extreme measures to remove. (The courts and Congress are finally beginning to take action against this latter type.) And in a few cases, these software packages will install without even asking the user's permission, although they usually rely on unpatched software and a lack of virus protection to do so.

Q: Why did Norton Antivirus not take care of this when it all started?
A: These problems are a fairly recent phenomenon. Until Norton Antivirus 2004, this type of problem was not addressed by antivirus software (you have Norton 2002, which is excellent, but won’t stop this particular problem from happening).

Q: What can I be aware of so it doesn’t do it again?
A: Most of these ad programs, and many viruses, get in through Internet Explorer. There are a couple of reasons for this. Internet Explorer has a couple of known “holes” in its security, and (in addition) unsuspecting users often install things via ActiveX controls (those windows that say, “Do you want to install such-and-such?”) that allow companies to take over search results, the default home page, and even worse, as you found out. You might be interested in this related link on my BLOG: http://blog.wilcoxfamily.net/?p=142. It was probably the case that these adware things were installed when you accidentally clicked “yes” on one of these controls.

However, in a few cases, just visiting a site can install these browser helper objects. My advice to users for the time being is avoid Internet Explorer (switch to Mozilla) until Microsoft patches these critical holes.

Also be sure you run the Windows Update Service (it probably reminds you automatically) to keep Windows ME updated with the latest patches, and be extremely religious about updates to PestPatrol and Norton AntiVirus. Run virus and PestPatrol scans at least weekly. (I use a daily scan now.)

Q: Will all the new things we installed keep everything out?
A: Between Norton AntiVirus, BHODemon, PestPatrol, and switching to Mozilla, I think you’re in good shape as far as protection goes. You seem to pay good attention to how your computer is operating, and running a PestPatrol scan now and then should keep you free from trouble. Like Norton, PestPatrol works constantly, and should prevent something like this from happening in the future. At the worst, you’ll know when it happens, and we can get it cleaned out.

Q: Can you explain what each one does, so that I (a know-nothing-about-it guy) will be able to understand?
A: We installed two new things. The first is BHODemon. As you’re not using Internet Explorer now, you don’t have to pay too much attention to it. What it does is show you which Browser Helper Objects (little programs that attach to Internet Explorer) are installed, and let you disable them. This was helpful in showing me that you had several obviously malicious Browser Helper Objects (BHOs) installed, and let me disable most of them. There is one on the list that is disabled, but still in existence. Next time I’m working on your computer, I’ll get rid of it, but it isn’t doing any harm right now, as BHODemon is keeping it dead.
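For readers who want to see the same list BHODemon shows without a third-party tool, here is an added example (not part of the original post, and not BHODemon's own code) that reads the registry on a current Windows system where PowerShell is available. It assumes the standard registration location for IE Browser Helper Objects and resolves each CLSID to the DLL that implements it, so an unfamiliar or missing DLL path stands out.

```powershell
# Added example: enumerate registered Internet Explorer Browser Helper Objects.
# Assumes the standard BHO registration key; on 64-bit Windows the 32-bit view
# under Wow6432Node is checked as well.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem $key) {
        $clsid = $entry.PSChildName
        # The CLSID registration gives the friendly name and the DLL path.
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty "$clsidKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            DLL       = $dllPath
            # A BHO whose DLL is missing or sits outside Program Files deserves a closer look.
            DllExists = [bool]($dllPath -and (Test-Path $dllPath))
        }
    }
}

if ($results) { $results | Format-Table -AutoSize } else { 'No Browser Helper Objects are registered.' }
```

Run it once after cleanup and again after the next reboot; a BHO that reappears between runs is being re-registered by something that still starts with Windows.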

The second piece of software is PestPatrol. PestPatrol is designed to fill in the gap where Norton Antivirus doesn’t typically operate, and completely remove all the little pieces of these nasty programs we’ve been talking about. Like Norton AntiVirus, PestPatrol runs all the time, and offers good protection against and removal of these threats. Like Norton AntiVirus, PestPatrol has an auto-update feature (right-click on the icon in the system tray to run it), and like Norton AntiVirus, you should run a full scan about once a week. Don’t worry about any Spyware Cookies that are reported. They do no harm.

Q: When we installed Mozilla, you showed me a way to have 2 or 3 subjects up and could go from one to the other; I do not remember how. Can you explain or tell me how to get that information from the program?

A: The “tabbed browsing” is my favorite feature of Mozilla. To open a new tab, just press CTRL-T or choose File –> New –> Navigator Tab. You can also open a link on one page into a new tab, by CTRL-clicking on that link.

Q: Just out of curiosity, when did you finish up with this?
A: I think it was about 12:45, but I actually didn’t spend that much time at the computer. Mostly it was a case of running a scan, using PestPatrol to remove files, then restarting and rerunning the scan. After a few cycles, we got down to only one piece of scumware left: CleverIEHooker, which consumed most of my time.

I spent quite a bit of time with PestPatrol, PestPatrol’s Web site, a startup configuration utility from Microsoft called MSConfig, and the Windows Registry Editor to get rid of CleverIEHooker. It turned out that this program was replacing a registry key every time I removed it, which is why PestPatrol didn’t clean it out completely. I found and deleted the program that was replacing the registry key, got rid of the key, and on the next reboot, was able to remove the remaining pieces.
Once I was done, I did a final reboot, verified there was nothing else hiding, and set VNC (the remote-control software) back to its original mode, where you’ll have to activate it if you need my help.
Overall, this was at times annoying, but I’ve learned some excellent scumware removal procedures from it. I’m glad I could help.

—Doug

The Virus Wars

Read this unusually detailed story at PC Magazine online.

Among other things, this article covers the human engineering factors in virus writing, the state of the art in combating viruses by antivirus software companies, and the real scenarios we are likely to see in the future. The article is very informative, and includes input from several different virus writers.

On a related note, The Wilcox Family Says Goodbye to Internet Explorer: Mozilla has become our default browser for the time being, as I am waiting for some very scary Browser Helper Object vulnerabilities (and other exploits) to be repaired in IE. I’ve had one virus make it past Norton Antivirus in the form of a BHO (it was caught in my nightly scan, and did no damage), and my team leader, who is tech-savvy enough to write his own viruses and extremely security-conscious, was nailed with two separate BHO infections in the course of a week. So, for the time being, we default to ’Zilla, and only fire up IE for a few sites (like the Sohmer Family BLOG, which won’t display or work correctly in Mozilla).

2 Years at Kronos: Message to My Co-Workers

Today marked my second year of employment at Kronos.

What a busy year it has been on the home front! Naomi Nichelle (NaNi) was born in October, 2003. I lost my father in December—which was very sad—but I will see him again one day. Peter Jackson fulfilled our dreams with The Return of the King (and restored the Huorn in The Two Towers extended edition). We (finally) sold our house in Brockton, and moved to Nashua in January, 2004, shortening my commute by over 2 hours per day, and greatly improving our family life. I reveled in buying cool geek swag for NaNi from thinkgeek.com, and my wife Nichelle gave me the “Holy Grail of Lego” (the Star Destroyer model) for our anniversary.

Work this year has brought many changes. I've had three managers, one of whom endured me only for a couple of weeks. I've tried to forget the HTML UI Framework v1, and concentrate on building v3 (despite the occasional, discourteous reminders of v1 via the PAR system). I've had the opportunity to learn Struts, dramatically improve my Java skills, start studying for Sun Java certification, and achieve victory (with the help of a great team) in building the Lego guy at the tech summit. Along the way came immersive learning in ADP-ization, Czech localization, and AccuRev. Now that Larry Krakauer has retired, I may even have a shot (albeit a long one) at becoming the alpha geek—someday.

The constant support and genuine caring my co-workers provide has made this year pass quickly and pleasantly. More than ever, I am grateful for the blessing of working at Kronos—such an excellent company—among such excellent company. Thank you for your part in making this past year such a great one!

Good morning. Ugh.

It’s 8:45 a.m. (funny that Mark Sohmer hasn’t noticed that the BLOG postings are all on Pacific Time), and I’m waiting for my co-workers to come in (especially “JavaDoug” Ross and Pankaj Verma) after Ravi Gopalan and I pulled an all-nighter at Kronos. Our team is very well-managed, and this is the first deadline crunch that has caused more than a minor annoyance.

Trying to write while being sleep-deprived is an interesting experiment. I’ve had to rewrite portions of the first paragraph four times because they didn’t make sense. Of course, they still might not make sense.

Today is the last day of school for the year for John and Isaac; tomorrow is a birthday party for John, who will be 16 on Tuesday. It’s shaping up to be a busy summer.

Suspected Half-Life Thieves Nabbed!
Gamers actually helped catch these guys. Also in the ZDNet article is the information that all the source code had been stolen, but I thought previous reports had said only part of the code was. I hope they sentence the jerks, whose theft has delayed the release of Half Life 2 by at least six months, to be thrown into the crowd at a gaming convention. Check out the article and comments at Planet Half Life.

Pankaj has arrived, so I may get to hand the torch off and get some sleep soon.

“You’re talking politics. I want to know what you think is right.”

Former President Ronald Wilson Reagan died on Saturday, June 5, at the age of 93. We mourn the passing of a leader who inspired our nation, saw the end of the Cold War, and chose to do what he believed was right, rather than what was politically expedient. Even Bill Clinton chose to pattern some of his Presidency after Reagan—it is a pity he chose not to try to emulate Reagan’s integrity.

There are hundreds of articles available about President Reagan. Here is one perspective; Dr. James Dobson also has written an excellent account of his experiences with President Reagan and his administration. I highly recommend reading the latter, as it offers a perspective on conservative political issues from before the Reagan era through today.

Nichelle’s Notes from May

Naomi will be 7 mos. old on 5/13…the time goes so fast. She is now mobile. At 5 mos. she started to creep, but realized rolling where she wanted to go was much faster until a week and a half ago. One day last month she was on my bed w/ me playing with some toys and a doll that was mine when I was either 4 or 5. Things were great until David came in with his sword and shield and she left the doll and played with the shield. LOL. So now on occasion she'll have a sword in hand, or mouth (check out the picture—it’s quite cute).

Isaac and David play w/ her and she grabs their hair. Now mind you, they do scream or say “ouch,” but they keep giving their hair back to her to pull; it's pretty funny. John too does the hair thing, but doesn't scream, which is good.

Nearly 6 mos. of residency here in Nashua, amazing. We love it here! As Doug is home so much earlier now, a huge blessing. We do miss our friends in Mass.; we'll be down again, really, but many times over we see why God brought us here—particularly for the 24-hour Wal*Mart in Amherst (just outside of Nashua) or the one in Hudson (a few minutes away) that’s open to midnight every day ;-)!! :: drool, drool :: Alright, maybe not just for those, but it's a perk. I will have to admit shopping after midnight can get a bit wacky, as my sister-in-law, Joyce, came to see. We said we'd never do that again.

Two weeks ago now, I joined the choir and work in the nursery once a month. Doug has been going out on visitation weekly now and John too has gone a couple of times. As for other ministries we're still praying for God's leading on that. It's wonderful seeing the kids excited about Sunday school and junior church and also their classes on Wednesday night. One of David's friends in his class is named David and was born two days before him. They'll be in K5 together in September.

Isaac turned 9 a couple of weeks ago, and we had a party for him at the house. He had a great time w/ his new friends and even Nda came up for the event. Nda has been up here a few times and we've so enjoyed his visits and the visits of our other friends and family as well. Hope we'll see more of you, too.

A couple of months ago, I started watching a little girl named Mikayla (4 days/wk). She's a sweetie. She and David get along very well. Mikayla will be starting K4 in September.

For the month of July our church offers a day camp for grades 1 to 10. I'm really looking forward to that. The program sounds awesome!

Today (5/6), I was asked to watch a little boy of about 15 mos. old named Ethan. I'll only be doing this two days a week, which is great. I start tomorrow.

Wow, it's already the 31st of May … Yesterday my cap on the radiator went once I arrived at church for choir practice. The car is now in the shop. We were planning to visit Cindy, but obviously that had to change. It's alright, for it gives us an extra day to get things cleaned out downstairs.

Naomi had a full bath in the tub today…which she loved. She's been creeping for several weeks now, and two days ago started pulling her legs under her to get ready to crawl. Naomi also was able to pull herself up on the stairs in the family room.

John wanted to visit his friends in Mass., and Doug took him and the kids to Lowell and rode the train w/ him part way (to North Station) and then sent him on his way. John made it to Brockton, with only a minor problem due to someone giving him the wrong information about what track the Middleboro/Lakeville train was on. Well, he made it back to Lowell Sunday afternoon so we could leave for Cindy's after church. With that trip being cancelled due to the car problem, John hopped back on the train to head to his friend Ryan's party. Can't believe his 16th birthday is a few weeks away…need to get planning. Actually, he needs to get planning!

Naomi and Mom

As I go through the pictures, I don't find many pictures of me w/ Naomi due to the fact that I'm always taking the pictures. Anyway, it is nice to see some w/ me in them too…
Naomi and Her Dad

Ah, Naomi and her Dad…it’s taken her no time at all to be up on her Dad’s shoulders just like her brothers. It’s very sweet. Actually, she’s rough-housing already.