Slaying Dragons: Scumware Removal

I spent a number of hours this weekend removing scumware from a friend-of-the-family’s machine. The following Q&A pretty much sums up what I went through.

Q: What caused all this mess?
A: All these problems were caused by a class of programs known as “adware,” or “spyware,” often called “scumware.” At the most basic level, adware is software that, once installed on your computer, displays advertisements, usually associated with Web sites you visit, and typically in the form of other Internet windows that open.

There are many varieties of this adware. All varieties are annoying, but the mildest have to be installed at the user's choice, and can be uninstalled easily via the Control Panel. Unfortunately, many types of adware are not so easily removed, and are extremely intrusive in what they do. Even worse varieties are nothing less than viral infections that require extreme measures to remove. (The courts and Congress are finally beginning to take action against this latter type.) And in a few cases, these software packages will install without even asking the user's permission, although they usually rely on unpatched software and lack of virus protection to do so.

Q: Why did Norton Antivirus not take care of this when it all started?
A: These problems are a fairly recent phenomenon. Until Norton Antivirus 2004, this type of problem was not addressed by antivirus software (you have Norton 2002, which is excellent, but won’t stop this particular problem from happening).

Q: What can I be aware of so it doesn’t do it again?
A: Most of these ad programs, and many viruses, get in through Internet Explorer. There are a couple of reasons for this. Internet Explorer has a couple of known “holes” in its security, and (in addition) unsuspecting users often install things via ActiveX controls (those windows that say, “Do you want to install such-and-such?”) that allow companies to take over search results, the default home page, and even worse, as you found out. You might be interested in this related link on my BLOG: http://blog.wilcoxfamily.net/?p=142. It was probably the case that these adware things were installed when you accidentally clicked “yes” on one of these controls.

However, in a few cases, just visiting a site can install these browser helper objects. My advice to users for the time being is avoid Internet Explorer (switch to Mozilla) until Microsoft patches these critical holes.

Also be sure you run the Windows Update Service (it probably reminds you automatically) to keep Windows ME updated with the latest patches, and be extremely religious about updates to PestPatrol and Norton AntiVirus. Run virus and PestPatrol scans at least weekly. (I use a daily scan now.)

Q: Will all the new things we installed keep everything out?
A: Between Norton AntiVirus, BHODemon, PestPatrol, and switching to Mozilla, I think you’re in good shape as far as protection goes. You seem to pay good attention to how your computer is operating, and running a PestPatrol scan now and then should keep you free from trouble. Like Norton, PestPatrol works constantly, and should prevent something like this from happening in the future. At the worst, you’ll know when it happens, and we can get it cleaned out.

Q: Can you explain what each one does, so that I (a know-nothing-about-it guy) will be able to understand?
A: We installed two new things. The first is BHODemon. As you’re not using Internet Explorer now, you don’t have to pay too much attention to it. What it does is show you which Browser Helper Objects (little programs that attach to Internet Explorer) are installed, and let you disable them. This was helpful in showing me that you had several obviously malicious Browser Helper Objects (BHOs) installed, and let me disable most of them. There is one on the list that is disabled, but still in existence. Next time I’m working on your computer, I’ll get rid of it, but it isn’t doing any harm right now, as BHODemon is keeping it dead.

The second piece of software is PestPatrol. PestPatrol is designed to fill in the gap where Norton Antivirus doesn’t typically operate, and completely remove all the little pieces of these nasty programs we’ve been talking about. Like Norton AntiVirus, PestPatrol runs all the time, and offers good protection against and removal of these threats. Like Norton AntiVirus, PestPatrol has an auto-update feature (right-click on the icon in the system tray to run it), and like Norton AntiVirus, you should run a full scan about once a week. Don’t worry about any Spyware Cookies that are reported. They do no harm.

Q: When we installed Mozilla, you showed me a way to have 2 or 3 subjects up and go from one to the other, but I do not remember how. Can you explain, or tell me how to get that information from the program?

A: The “tabbed browsing” is my favorite feature of Mozilla. To open a new tab, just press CTRL-T or choose File –> New –> Navigator Tab. You can also open a link on one page into a new tab, by CTRL-clicking on that link.

Q: Just out of curiosity, when did you finish up with this?
A: I think it was about 12:45, but I actually didn’t spend that much time at the computer. Mostly it was a case of running a scan, using PestPatrol to remove files, then restarting and rerunning the scan. After a few cycles, we got down to only one piece of scumware left: CleverIEHooker, which consumed most of my time.

I spent quite a bit of time with PestPatrol, PestPatrol’s Web site, a startup configuration utility from Microsoft called MSConfig, and the Windows Registry Editor to get rid of CleverIEHooker. It turned out that this program was replacing a registry key every time I removed it, which is why PestPatrol didn’t clean it out completely. I found and deleted the program that was replacing the registry key, got rid of the key, and on the next reboot, was able to remove the remaining pieces.

Once I was done, I did a final reboot, verified there was nothing else hiding, and set VNC (the remote-control software) back to its original mode, where you’ll have to activate it if you need my help.

Overall, this was at times annoying, but I’ve learned some excellent scumware removal procedures from it. I’m glad I could help.
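As an added illustration (my own code, not part of the original post and not from BHODemon or PestPatrol), here is a read-only PowerShell survey of the two places the cleanup above kept coming back to: the Browser Helper Object registrations that BHODemon displays, and the Run startup keys that MSConfig lists. It resolves each BHO CLSID to its DLL and flags missing or unsigned files, so that the startup entry re-creating a key can be matched to the BHO it restores. It assumes a current Windows with PowerShell 5.1 or later; the registry locations are the same ones Internet Explorer has always used.

```powershell
# Added example, not code from the original post or from BHODemon/PestPatrol.
# Read-only survey of IE Browser Helper Objects and the Run startup keys that
# MSConfig lists, to spot the DLL behind a BHO and the entry that re-creates it.
# Assumes Windows PowerShell 5.1 or later.

$BhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-InstalledBho {
    # Each subkey under $BhoKey is a CLSID; the DLL that implements it is the
    # default value of HKLM\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32.
    if (-not (Test-Path $BhoKey)) { return @() }
    foreach ($sub in Get-ChildItem -Path $BhoKey) {
        $clsid  = $sub.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'NoFile' }
        [pscustomobject]@{
            Clsid      = $clsid
            Dll        = $dll
            Signature  = $status
            # A missing or unsigned DLL deserves a closer look; a valid signature
            # from a vendor you recognise usually means a legitimate toolbar.
            Suspicious = (-not $exists) -or ("$status" -ne 'Valid')
        }
    }
}

function Get-RunEntries {
    # Startup commands that run at logon. A BHO key that reappears after each
    # reboot is typically re-created by one of these, so review them together.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata fields
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-InstalledBho | Format-Table -AutoSize
Get-RunEntries   | Format-Table -AutoSize
```

Run it before and after a reboot: a BHO row whose DLL vanished but whose Run entry is still present points at the program that was restoring the key.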

—Doug

The Virus Wars

Read this unusually detailed story at PC Magazine online.

Among other things, this article covers the human engineering factors in virus writing, the state of the art in combating viruses at the antivirus software companies, and the real scenarios we are likely to see in the future. The article is very informative, and includes input from several different virus writers.

On a related note, The Wilcox Family Says Goodbye to Internet Explorer: Mozilla has become our default browser for the time being, as I am waiting for some very scary Browser Helper Object vulnerabilities (and other exploits) to be repaired in IE. I’ve had one virus make it past Norton Antivirus in the form of a BHO (it was caught in my nightly scan, and did no damage), and my team leader, who is tech-savvy enough to write his own viruses and extremely security-conscious, was nailed with two separate BHO infections in the course of a week. So, for the time being, we default to ’Zilla, and only fire up IE for a few sites (like the Sohmer Family BLOG) that won’t display or work correctly in Mozilla.

My First Spam in Hebrew!

I’m so glad that the Internet allows such rapid intercontinental communication. Imagine a world where one’s inbox would not be regularly populated by the decades-old and now primarily e-mail based Nigerian Money Scam, and the like. Horrible!

Lies, Darned Lies, and Marketing

I’ve come across this new breed of popup ad a few times in the past couple of weeks:

Brought to you by the evil folks at ZendMedia and the vendors of ComputerShield (http://ad1.zendmedia.com/ad-rpc.php?id=ad46) ...

Yet again we have an attempt to prey on the gullible and less-than-well-informed computer users. What infuriates me most about this—even beyond the desire to trick the user into thinking his or her computer has a problem (much like the “Your Internet connection is not operating at full speed” garbage ads)—is that the ad site claims the user’s computer is infected, regardless of the fact that the user’s computer (like mine) might be patched or firewalled and completely invulnerable to the RPC worm.

I wonder how many people have been duped by this scheme? This makes me very angry indeed.

Folks need to learn to differentiate between a scam advertisement and a real security threat, and this sort of schrecklichkeit is abominable.

And a Final Rant Is Due: Look, if you’re going to have a computer connected to the Internet, or even just receiving e-mail of any kind, you must install some good antivirus software and keep your machine updated with the latest security patches (which means running the Windows Update service for most people). Do not use McAfee because it stinks—you’re much better off with Norton Antivirus. Do update your virus definitions at least every week, and run a full scan that often as well. If you can’t afford Norton AntiVirus, try one of several free alternatives, such as BitDefender, Avast, AntiVir, or AVG Anti-Virus.