How to Keep Spyware Off Your Machine

Posted on January 29, 2005

I just wrote this long rambling article about how to keep spyware off your machine.

Spammed Malware

Posted on January 12, 2005

Someone managed to get an evil spam through the old filters tonight. Here’s a little analysis of what this “person” was trying to do. Anyone care to run key.exe on their box to see what happens?

More Spyware Fun

Posted on December 23, 2004

I had to remove a few more spyware infections this week, and I actually learned a couple more tricks in the process. On one machine, something called “WINLOGON.EXE” was started from the little known registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. This process seemed to be moving the focus from the currently selected application to itself periodically, perhaps as a method to gather passwords and account numbers. It seems that most spyware masks its invocation by adding a subkey to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or, when it’s really being tricky, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Recently, it appears that some spyware authors have discovered how to use this Explorer policy key as well as registering their malware as a service and using the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key as a way to conceal itself from the user.

Of course, in addition to the obligatory registry key deletions, I employed the usual cadre of tools to scan and delete various files and registry keys off the system. Typically, I use Ad Aware, Spybot, and HiJack This! before and after I go in and ensure that the Registry run keys have been eliminated.

In addition, I use Sysinternals’ Process Explorer to profile the running process list. Sysinternals hasn’t seemed to update their tool in a long time, but it’s still useful to see what’s known to be good versus what’s unknown. The only problem is that DLLs registered as services are run by svchost, which is a harmless Windows executable, but it can be running a malevolent DLL. So, Process Explorer’s assessment is slowly becoming useless as a way to profile your process list.
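The registry autostart locations named in this post (and the shorter list of Run/RunOnce keys in the September 2004 post further down) can be audited in one pass, and the svchost problem just described has a partial answer: the DLL a svchost-hosted service actually loads is recorded under the service’s Parameters\ServiceDll value, so it can be checked on disk and for a signature even though the process list only shows svchost.exe. The following PowerShell is an added example of that audit on a modern Windows box; it is not code from the original post, PowerShell did not exist on the Windows 98 machines discussed here, and the extra key paths beyond those named above (RunOnce and the HKCU policy key) are included as an assumption that they are worth checking too.

```powershell
# Added example (not from the original post): list every entry under the
# autostart keys named in the post and flag svchost-hosted services by the
# DLL they actually load (Parameters\ServiceDll), with a signature check.

$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',          # assumed worth checking
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'  # assumed worth checking
)

function Get-SignatureStatus {
    param([string]$Path)
    # Returns the Authenticode status for a file, or 'n/a' when it is absent.
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
    }
    return 'n/a'
}

function Get-AutostartEntries {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Pull the executable out of the command line so it can be checked on disk.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                OnDisk  = [bool]($exe -and (Test-Path -LiteralPath $exe))
                Signed  = Get-SignatureStatus -Path $exe
            }
        }
    }
}

function Get-SvchostServiceDlls {
    # Services hosted in svchost.exe look harmless in a process list; the
    # DLL they load is named in the service's Parameters\ServiceDll value.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -and $svc.ImagePath -match 'svchost\.exe') {
            $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
            if ($params -and $params.ServiceDll) {
                $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
                [pscustomobject]@{
                    Service    = $_.PSChildName
                    ServiceDll = $dll
                    OnDisk     = Test-Path -LiteralPath $dll
                    Signed     = Get-SignatureStatus -Path $dll
                }
            }
        }
    }
}

# Usage: everything that starts automatically, then only the svchost-hosted
# DLLs that are missing or not validly signed (the ones worth a closer look).
Get-AutostartEntries | Format-Table -AutoSize
Get-SvchostServiceDlls | Where-Object { -not $_.OnDisk -or $_.Signed -ne 'Valid' } | Format-Table -AutoSize
```

An entry whose executable is missing from disk, or a svchost service whose ServiceDll is unsigned or absent, is not proof of infection, but it is exactly the kind of thing Process Explorer’s “known good” view cannot show you, which is the gap the paragraph above complains about.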

At any rate, by brute force or removal applications, I was able to fix two machines. I’ve been saying it for a long time: the best way to prevent these sorts of infections is to use Internet Explorer’s Security Zones, Proxomitron, and, when possible, Firefox.

HijackThis?

Posted on September 03, 2004

Wednesday night, I had to rescue a friend’s Windows 98 computer from Spyware oblivion. I was amazed at how far behind the times I had gotten in terms of spyware/adware removal with Windows and Internet Explorer. I hadn’t realized what nasty, evil stuff was on the Intraweb these days. When I first started working on the machine here’s what I noticed:

  • Internet Explorer’s start page was about:blank, but some site appeared that continually popped up windows.
  • IE Default Search was set to some dll on the hard drive
  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run, RunOnce, and HKCU/Software/Microsoft/Windows/CurrentVersion/Run had lots of suspect entries like "Winad.exe" and "Winclt.exe"
  • Win.ini had a suspicious Run entry.

Now, whenever faced with this situation, I usually do the following. First, I run Windows Update about two to three times to upgrade IE and get all the Critical Updates. This particular box hadn’t been updated since like 1999. So there was something like 21 Critical Updates from The Vole to apply. After that, I then delete spurious entries from the various Run and RunOnce Keys from the Registry, run Ad Aware, delete suspect entries from Start Menu->Startup, and run sysedit to peruse autoexec.bat, config.sys, win.ini, and system.ini. This is what I _knew_ already going into the situation which is substantially more than most people.

To my surprise, all that couldn’t remove CWS, which was causing Internet Explorer’s about:blank to download from some very questionable web site and, I think, _REINFECT_ the box by executing arbitrary code. Thankfully, the reinfections stopped occurring after the Windows Update, but IE was still hopelessly infected with various toolbars and a nefarious about:blank redirect.

I had vaguely remembered that SpyBot was supposed to be a halfway decent program in the same vein as AdAware. So, I downloaded and installed it. It managed to find and remove loads of stuff that AdAware missed all without incident. It even forced a reboot of the box, and axed a bunch more malware that was immutable after Windows had loaded it into memory on boot-up.

I had never heard of HijackThis until googling for the specific problems I encountered over the course of cleaning this box. HijackThis informs you of every modification done to the Registry (post-install) that could be harming your system. It can then fix or delete any or all of the items that it finds. HijackThis managed to find even more malware hiding in the depths of the Registry that was missed by AdAware and Spybot. I promptly removed these items which were mostly extraneous IE toolbars and cruft.

After all of that, IE’s default page was fixed; however, Winad and Winclt remained in the process list. It seemed to me that these two processes were a very lame imitation of the famous Xerox/Motorola “Friar Tuck/Robin Hood-hack”. When you kill Winclt, Winad starts a new Winclt. When you kill Winad, Winclt starts a new Winad. Of course, when you delete the Winad entry from the Registry Run key, this process manages to rewrite it again within seconds. In addition, the executables were loaded into memory and immutable. So, they couldn’t be deleted when Windows was booted, and Spybot couldn’t manage to axe them during its boot-up removal process. My solution to this was to reboot and hold down F8 when Windows restarted. Boot into “Command-line Only Mode”, and do a
deltree c:\progra~1\winad~1.
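Two behaviours in the story above are detectable on their own, without guessing which product is responsible: a Run-key entry that reappears seconds after you delete it, and a pair of processes that keep each other alive. The PowerShell below is an added example of how to observe both on a modern Windows system; it is not code from the original post. It polls the two Run keys named in the post and reports any value that is added, rewritten or removed between polls, and it maps the processes named in the post (Winad.exe and Winclt.exe, used here only as the sample names) to their parent processes so a mutual-restart pair shows up as each one being the other’s parent. The polling interval and duration are constructed defaults.

```powershell
# Added example (not from the original post): watch the Run keys for entries
# that come back after deletion, and show who spawned the suspect processes.

function Get-RunSnapshot {
    param([string[]]$Keys)
    # Hashtable of "key!valuename" -> command line for all entries under $Keys.
    $snap = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key!$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Watch-RunKeyRewrites {
    param(
        [string[]]$Keys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'),
        [int]$Seconds = 60,          # constructed default: how long to watch
        [int]$IntervalSeconds = 2    # constructed default: poll interval
    )
    # Delete the suspect entry while this runs; an 'added/rewritten' line a few
    # seconds later is the re-persistence behaviour described in the post.
    $baseline = Get-RunSnapshot -Keys $Keys
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-RunSnapshot -Keys $Keys
        foreach ($k in $now.Keys) {
            if (-not $baseline.ContainsKey($k) -or $baseline[$k] -ne $now[$k]) {
                [pscustomobject]@{ Time = Get-Date; Entry = $k; Command = $now[$k]; Change = 'added/rewritten' }
            }
        }
        foreach ($k in $baseline.Keys) {
            if (-not $now.ContainsKey($k)) {
                [pscustomobject]@{ Time = Get-Date; Entry = $k; Command = $baseline[$k]; Change = 'removed' }
            }
        }
        $baseline = $now
    }
}

function Get-ProcessParentage {
    # Image names from the post, used here purely as sample input.
    param([string[]]$Names = @('Winad.exe', 'Winclt.exe'))
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($Names -contains $p.Name) {
            $parent = $byId[[int]$p.ParentProcessId]
            [pscustomobject]@{
                Process   = $p.Name
                PID       = $p.ProcessId
                Path      = $p.ExecutablePath
                ParentPID = $p.ParentProcessId
                # A pair that restarts each other shows up as mutual parents here.
                Parent    = if ($parent) { $parent.Name } else { '<exited>' }
            }
        }
    }
}

# Usage:
Get-ProcessParentage | Format-Table -AutoSize
Watch-RunKeyRewrites -Seconds 30 | Format-Table -AutoSize
```

Polling cannot tell you which process wrote the key, only that it was rewritten and how quickly; the parentage table narrows that down, and the combination is enough to confirm you are dealing with the restart-each-other pattern rather than a stale entry, before resorting to the offline deletion the post describes.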

Finally, I reran Spybot, HijackThis, and Adaware yet again, and purged the remaining malware in the depths of the OS. When I was done, the machine appeared to be clear of all the spy/ad/malware that had infected it, however, without reimaging the box, there’s no way to be 100% sure. After all, every executable is now suspect to having been tampered with.

I can’t imagine an ordinary member of the populace being able to fix problems like these. It’s amazing to me that Microsoft would allow such insanity to occur on its operating systems. I don’t see how normal trusting people can be expected to maintain a Windows system that is inherently insecure.