Slaying Dragons: Scumware Removal

I spent a number of hours this weekend removing scumware from a friend-of-the-family’s machine. The following Q&A pretty much sums up what I went through.

Q: What caused all this mess?
A: All these problems were caused by a class of programs known as “adware,” or “spyware,” often called “scumware.” At the most basic level, adware is software that, once installed on your computer, displays advertisements, usually associated with Web sites you visit, and typically in the form of other Internet windows that open.

There are many varieties of this adware. All varieties are annoying, but the mildest have to be installed at the user's choice and can be uninstalled easily via the Control Panel. Unfortunately, many types of adware are not so easily removed, and are extremely intrusive in what they do. The worst varieties are nothing less than viral infections that require extreme measures to remove. (The courts and Congress are finally beginning to take action against this latter type.) And in a few cases, these software packages will install without even asking the user's permission, although they usually rely on unpatched software and a lack of virus protection to do so.

Q: Why did Norton Antivirus not take care of this when it all started?
A: These problems are a fairly recent phenomenon. Until Norton Antivirus 2004, this type of problem was not addressed by antivirus software (you have Norton 2002, which is excellent, but won’t stop this particular problem from happening).

Q: What can I be aware of so it doesn’t do it again?
A: Most of these ad programs, and many viruses, get in through Internet Explorer. There are a couple of reasons for this. Internet Explorer has a couple of known "holes" in its security, and (in addition) unsuspecting users often install things via ActiveX controls (those windows that say, "Do you want to install such-and-such?") that allow companies to take over search results, the default home page, and even worse, as you found out. You might be interested in this related link on my blog: http://blog.wilcoxfamily.net/?p=142. It was probably the case that these adware things were installed when you accidentally clicked "yes" on one of these controls.

However, in a few cases, just visiting a site can install these browser helper objects. My advice to users for the time being is avoid Internet Explorer (switch to Mozilla) until Microsoft patches these critical holes.

Also be sure you run the Windows Update Service (it probably reminds you automatically) to keep Windows ME updated with the latest patches, and be extremely religious about updates to PestPatrol and Norton AntiVirus. Run virus and PestPatrol scans at least weekly. (I use a daily scan now.)

Q: Will all the new things we installed keep everything out?
A: Between Norton AntiVirus, BHODemon, PestPatrol, and switching to Mozilla, I think you’re in good shape as far as protection goes. You seem to pay good attention to how your computer is operating, and running a PestPatrol scan now and then should keep you free from trouble. Like Norton, PestPatrol works constantly, and should prevent something like this from happening in the future. At the worst, you’ll know when it happens, and we can get it cleaned out.

Q: Can you explain what each one does, so that I (a know-nothing-about-it guy) will be able to understand?
A: We installed two new things. The first is BHODemon. As you're not using Internet Explorer now, you don't have to pay too much attention to it. What it does is show you which Browser Helper Objects (little programs that attach to Internet Explorer) are installed, and let you disable them. This was helpful in showing me that you had several obviously malicious Browser Helper Objects (BHOs) installed, and let me disable most of them. There is one on the list that is disabled, but still in existence. Next time I'm working on your computer, I'll get rid of it, but it isn't doing any harm right now, as BHODemon is keeping it dead.

The second piece of software is PestPatrol. PestPatrol is designed to fill in the gap where Norton AntiVirus doesn't typically operate, and completely remove all the little pieces of these nasty programs we've been talking about. Like Norton AntiVirus, PestPatrol runs all the time, and offers good protection against and removal of these threats. Like Norton AntiVirus, PestPatrol has an auto-update feature (right-click on the icon in the system tray to run it), and like Norton AntiVirus, you should run a full scan about once a week. Don't worry about any Spyware Cookies that are reported. They do no harm.

Q: When we installed Mozilla, you showed me a way to have 2 or 3 subjects up and go from one to the other, but I do not remember how. Can you explain, or tell me how to get that information from the program?

A: The “tabbed browsing” is my favorite feature of Mozilla. To open a new tab, just press CTRL-T or choose File –> New –> Navigator Tab. You can also open a link on one page into a new tab, by CTRL-clicking on that link.

Q: Just out of curiosity, when did you finish up with this?
A: I think it was about 12:45, but I actually didn’t spend that much time at the computer. Mostly it was a case of running a scan, using PestPatrol to remove files, then restarting and rerunning the scan. After a few cycles, we got down to only one piece of scumware left: CleverIEHooker, which consumed most of my time.

I spent quite a bit of time with PestPatrol, PestPatrol's Web site, a startup configuration utility from Microsoft called MSConfig, and the Windows Registry Editor to get rid of CleverIEHooker. It turned out that this program was replacing a registry key every time I removed it, which is why PestPatrol didn't clean it out completely. I found and deleted the program that was replacing the registry key, got rid of the key, and on the next reboot, was able to remove the remaining pieces.

Once I was done, I did a final reboot, verified there was nothing else hiding, and set VNC (the remote-control software) back to its original mode, where you'll have to activate it if you need my help.

Overall, this was at times annoying, but I've learned some excellent scumware removal procedures from it. I'm glad I could help.
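As an added example (not part of the original post, and not what BHODemon or PestPatrol actually run), the PowerShell below does on a current Windows what the BHO inventory and the "key keeps coming back" hunt above did by hand: it lists the Browser Helper Objects registered for Internet Explorer, resolves each CLSID to the DLL it loads, checks that DLL's signature, and compares the list against a saved baseline so an entry that reappears after removal is reported. The baseline file location is an assumption.

```powershell
# Added example, not the post's own tooling. Read-only: it reports, it does not delete.
# Both the native and the 32-bit (WOW6432Node) BHO registration keys are checked.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$BaselinePath = Join-Path $env:USERPROFILE 'bho-baseline.csv'   # assumed location

function Get-RegisteredBho {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            # The CLSID's InprocServer32 default value names the DLL Internet Explorer loads.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            $status = 'DllMissing'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dll) {
                    # Valid / NotSigned / HashMismatch etc.; unsigned helpers deserve a look.
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                }
            }
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Signature = $status; Key = $key }
        }
    }
}

$current = @(Get-RegisteredBho)
$current | Format-Table -AutoSize

if (Test-Path $BaselinePath) {
    # Anything registered now that was not in the baseline is new, or has been put back
    # by a helper program after it was removed (the CleverIEHooker behaviour).
    $known = @{}
    foreach ($b in Import-Csv -Path $BaselinePath) { $known[$b.Clsid] = $true }
    foreach ($c in $current) {
        if (-not $known.ContainsKey($c.Clsid)) {
            Write-Warning "BHO not in baseline: $($c.Clsid) -> $($c.Dll) [$($c.Signature)]"
        }
        if ("$($c.Signature)" -ne 'Valid') {
            Write-Warning "Unsigned or missing BHO DLL: $($c.Clsid) -> $($c.Dll) [$($c.Signature)]"
        }
    }
} else {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline saved to $BaselinePath; rerun after a reboot to spot returning entries."
}
```

Run it once after a cleanup to save the baseline, then again after the next reboot: a CLSID that was removed but shows up again points at whatever startup program (MSConfig territory) is re-creating it.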

—Doug

2 Replies to “Slaying Dragons: Scumware Removal”

  1. Do I understand you correctly? Doug Wilcox is advocating NETSCAPE over IE?

    I just want to make sure I understand this correctly.

  2. Just to clarify. I don’t like Netscape. I know, I know, there are almost no differences between Netscape and Mozilla, but there are differences. ’Zilla is better.
    And, yes, I am advocating Mozilla over my long-belovéd Internet Explorer.
