I think its a virus, but am not sure

[CityK]

I got asked to take a look at a friend's computer concerning an internet connection problem. Grudgingly, I obliged the request with a brief visit. Here are the specifics:

Its running Windows XP, firewalled (ZA) but no antivirus, and its users download off P2Ps like its going out of fashion. Its connected to the DSL line by some Acatell USB modem. Booting up the computer takes six to seven minutes - just a blank screen, no disk activity, and then finally the login screen will appear. Logged on, a connection to the ISP is definitely established (XP reports this and later verified with ipconfig at the cmd prompt), yet no program (browser, IM, ping from cmd etc etc) can access the internet. The firewall also fails to start due to some error that I forgot to note. In the Networks settings there were 4 entries - "My ISP", the Acatel Modem, the unplugged onboard Realtek Nic, and the DSL (Bell Sympatico .... the users ISP) connection. I am uncerntain what the hell the "My ISP" entry is. Nor am I overly familar with the XP layout with the networking stuff.

Anyways, I verified that it wasn't a hardware problem (Knoppix). So, my suspicion is that there are likely 4000-something viruses/trojans/worms on the stupid thing and that one of them has messed all the network settings in XP. Unable to access the internet through XP to run housecall and grab AVG free edition, and being too pressed for time (not to mention couldn't be bothered to have to deal with such an annoying time consuming and meaningless task on an gorgeous summer's night) I left but said I'd fix it up in a day or two. Most likely this is something that could have been easily avoided. I didn't bother checking the list of installed updates/patch situation, and I highly doubt they had any sort of anti-adware etc. (I guess that would be a given considering that there was no av protection ).

My questions are:
- anyone familar with similar connection problems, most likely caused by virili?
- what's the best plan of attack? I was thinking I would put AVG and Adaware on a CD and then install it on their machine and then scan. Hopefully that might catch a few buggers. If I can succesfuly repair the network settings, I think I would follow up with Housecall. Next StartupCpl to see what crap is running in the background and also the Win updates.
- But the biggest problem I forsee is getting back on line, given I'm not much of a networking type person (and not overly familar with DSL connection settings either). Any suggestions on how to proceed here?

Thanks

PS - The very fact that people think that these type problems can be magically resolved in seconds with a few keystrokes is so highly annoying. I certainly don't envy you guys who do this stuff for a living. I would go postal after about a day and a half (at best).

 

[Tea]

So, my suspicion is that there are likely 4000-something viruses/trojans/worms on the stupid thing and that one of them has messed all the network settings in XP.

I'll bet you a case of the finest port to a used dishrag. But it won't be one thing messing up the networking, it will be about seven.

Broadband, P2P, no AV, no firewall (software firewalls don't count), no Ad-Aware, no security updates ... Jeesh! How stupid can you get?

You have two choices, my friend.

First, the easy way. Say "I'm sorry, this system is too far gone to rescue". Then boot off the Windows CD and use DELTREE to remove (a) the entire Windows folder (and everything under it) and the entire Program Files folder too. Then install as usual.

There are less radical ways to install, but they amount to variations on the same theme, just a little less severe.

Now, the hard way. On a system as far gone as this, it might or might not be possible. (Especially with XP. XP is a crappy damn thing at the best of times.) Sometimesyou do all this but you just can't get the system back into shape. (Well, if you were prepared to spend three or four days, you might. Or might not.)

* Do this first step at home. Download Ad-Aware and the latest update file. Burn this onto a CD. Add anything else you think might be useful.

* Boot the sick PC in SAFE MODE.

* Run REGEDIT. Goto HKEY LOCAL MACHINE/SOFTWARE/CURRENT VERSION/MICROSOFT/WINDOWS/RUN. Take out everything. Do the same with RUN ONCE and RUN SERVICES. Now go to HKEY CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/RUN and repeat.

* Uninstall any Ad-Aware version that is already installed. Reboot (once again in SAFE MODE).

* Install Ad-Aware from the CD you already made. Update it by copying the new REFLIST.REF off the CD into the Ad-Aware folder. Run it. If it gets so clogged up that it slows down or chokes, hit ABORT now and then, let it clean 50 or 100 instances off, and start it again. In really bad spyware/virus infections, you might need to do a dozen Ad-Aware and/or Housecal scans. Stick with it. One by one, two by two, you get the little bastards.

Don't forget to uninstall Kazza or any other file sharing crap. Be prepared to be brutal. If P2P things won't uninstall gracefully, bust nuke the bastards. (DELTREE, REGEDIT, whatever it takes.)

Once you have gone as far as you can with this method, reboot again. This time select SAFE MODE WITH NETWORK SUPPORT. Hit Housecall. Scan as many times as you need to. Alternate with extra Ad-Aware scans. Hit MSCONFIG or REGEDIT again, as some of the little buggers can reinsert themselves into your startup.

If you get files that Housecall flags but can't delete, make a note of which ones they are and delete them manually. (In extreme cases, you won't be able to get them even in safe mode, so you will have to boot off floppy. Often, they are marked hidden and system. This is where you resort to that grand old standby tool, XTree Gold. Yes: 15 years old, and still indispensible. You can delete anything with XTG. (PM me if you need to.))

All this can take anything from an hour or two up to four or five days.

On the whole, I recommend the easy method.

Oh, when you are done, make sure the morons get a clue about security. Doubtless others here will spell this out in detail, but the short sumary is:

* Delete all the Internet Explorer icons. Give them Mozilla (or any other modern browser) or nuffin. (If they really need IE, they can type start/run/iexplore.exe.)
* Delete all the P2P crap.
* Install Ad-Aware. Make sure they know how to use it.
* Delete all the Outlook/Outlook Express icons. Better yet, uninstall them. ([i[]Not[/i] easy!) Give them a relatively secure email client, or tell them to use web mail. (Not via Explorer: they can use Moz.)
* Tell them to buy an AV program. PC-cillan, Vet, or perhaps AVG. Not Norton. You would not believe how many virus-ridden machines we see running NAV.
* Tell them to buy a real firewall.

Finally, charge them enough to make them take you seriously. If you do all that and don't charge for it (or extract whatever alternative penalty you prefer, such as guilt, scorn, or public humiliation), they tend to think nothing of the whole drama, and make the exact same mistakes again. Hey! They have a friend who sorts all that out, don't they? Why worry?

Me, I tend to be very polite and friendly, smile a lot, and do some serious damage to their credit card. Everyone goes away happy.

 

[Howell]

'deltree' is not recognized as an internal or external command,
operable program or batch file anymore you old fart.

 

[Tea]

Who iz an old fart? Zertainly not me!

Perhapz you mean Tannin.

And ... er ... we use DELTREE all the time. But, I grant you, we do it off a boot floppy.

 

[Fushigi]

http://www.storageforum.net/forum/viewtopic.php?t=3754 for a bootable tool CD that'll include AV and other useful apps.

- The long pause on bootup is most likely caused by problems loading drivers (usually network). It is very likely timing out each and every one of those extra connections. Boot safe mode and delete all network connections. Reboot and let XP re-auto-detect them.
- Mandate a hardware firewall. They can be had for maybe $20 in a typical non-wireless router nowadays.
- The 'My ISP' is likely an entry for the USB modem.
- Do an IPCONFIG /RELEASE /ALL followed by IPCONFIG /RENEW /ALL and then do a regular IPCONFIG /ALL to see what the IP addresses are. It is possible that XP is useing cached DHCP settings; the above will flush those out. And if it is connecting, then no harm is done.
- Uninstall ZoneAlarm and disable the XP firewall (if it's enabled). This is temporary to ensure that no firewall is interfering with net access and that ZA itself hasn't been corrupted.
- If you want a fresh look at net activity, grab TPF from http://www.kerio.com/dwn/kpf2-en-win.exe . It's an old freeware version and can be set up to prompt to accept/deny for all incoming/outgoing traffic. Could be useful.
- Run Spybot in addition to Ad Aware. Neither is 100% but together they're really close.
- Make sure any AV scans search the entire machine (not just C and make sure they scan within compressed files. I had a coworker whose PC was infected but the 12 viruses weren't detected as they were in .JAR files and the AV was set to not scan compressed files.
- If he has to log on to use his DSL account, make sure to record the account settings before wiping stuff out.

PS - The very fact that people think that these type problems can be magically resolved in seconds with a few keystrokes is so highly annoying. I certainly don't envy you guys who do this stuff for a living. I would go postal after about a day and a half (at best).

I blame modern media for this. How many times does someone on TV or a in a movie step up to a computer, press many 15 keys, and solve the mystery of the universe (or something more mundane like hacking the CIA)?

 

[Mercutio]

In addition to Adaware, you need to have CWSshredder and Hijack This available. Possibly also Spybot. I've run into parasites that directly attack Adaware and keep it from running, so the more tools you have, the better.

Make your friend buy adaware pro and adwatch, since it will actually tell you when programs are being added to startup and when BHOs are being installed.

If your friend insists on doing P2P, turn him onto Bittorrent, Emule or find a copy of Kazaa Lite (still very easy to find!). All are free of spyware.

For sure, if this PC is as compromised as it sounds, you're better off just starting over. Five or six hours of your time is probably worth more than the computer is anyway, and investing THREE hours that ensure a working PC is infinitely better anyway.

 

[Will Rickards WT]

I say fdisk/format the bastard.
I think it takes less time.
I make sure to load up the following:
NOD32 (they have to pay for this), ZoneAlarm, Firefox, Adaware
Optionally Thunderbird, gimp
Then you have to educate the users.

All this takes at least 3-4 hours maybe more.
So consider whether you want to charge for it.

 

[Buck]

More of the same as has been mentioned. I would like to emphasize:

Me, I tend to be very polite and friendly, smile a lot, and do some serious damage to their credit card. Everyone goes away happy.

 

[CityK]

Thanks for the feed back. Good suggestions, and its pretty much in line with what I expected to hear...perhaps I myself was guilty in hoping there is a easy way out. Bah...I'll make a minimal attempt via safe mode and trying the above mentioned steps & utilities to resolve this the hard way. If that begins to look like its taking the shape of a mission impossible (which superficially it certainly seems so), I'll decline the mission and force them to start from scratch....I have no idea if they even have the XP CDs or if its a restore CD...my bet is on neither.

Your points about making them respect the value of the service are well taken.

 

[miksmi]

I don't have an answer but.. Whenever non-family asks for computer help, I re-read the advice by greeps, the 7volts.com guy, before answering. Goto 7volts Tips and read the short blurb "Helping people out with their computers". It's a refreshing read and you won't fell guilty about saying "no".

Sorry you're in the situation, I've been there too.

 

[Buck]

Thanks for the link Mike; there are some neat gadgets mentioned on that site.

 

[miksmi]

You're welcome, Buck. Yes, greeps has some great ideas and tricks and quieting a computer. My favorite is the Molex extension cable -- what a time saver! A few years visited his site regularly; now I usually head over to Silent PC Review.

 

[miksmi]

oops, make that "tricks for quieting a computer".

Forgive the n00b question but why can't I edit my minute-old post?

 

[CityK]

Mike, thanks for the link. I too remember making regular visits to 7volts circa 2000/1. It was one of the first sites I had ever seen addressing the question of computer noise, as well as being a pioneering site in terms of case modding. I rarely see mention of it now, as SPCR seems to have become the defacto standard.

Anyways, his points about helping others with their computer problems are all very valid. I remember reading an ad in a local T.O. computer magazine several years ago that went somewhat along the lines of "Tired of being an unpaid tech for your friends computers?". I have no idea what the ad was about now, but that line has stuck with me. His 28K modem story also rings a bell for me in regards to a somewhat similar (bereavement) type situation. The comment about friends/family automatically associating you with forever being their tech support is also very true. I actually had to get very angry with one friend once in regards to always bugging me for tech support.

As per the editing question, please see this thread. If you also frequent SR, you'll find that this question gets posted on a regular occurence over there too, despite there being a FAQ addressing the very question.

 

[CityK]

Fushigi, I d/l'ed the UBCD the other day... should be quite useful. Thanks.

Haven't gotten back to this mess yet. I'm certainly in no rush. But when I do, I'll be sure to post the exciting conclusion to this adventure.

 

[miksmi]

Thanks, I read the FAQ; it says you can edit a post:

Unless you are the board admin or forum moderator you can only edit or delete your own posts. You can edit a post (sometimes for only a limited time after it was made) by clicking the edit button for the relevant post.

Anyway, no big deal. My errors of omission shall forever taunt me.

 

[Santilli]

People don't respect, or listen, unless it costs them money. The more money they pay, the harder they listen.

Fdisk/nuke the bitch, and let them do the reinstall.

s

 

[i]

Leave them with the Knoppix CD. Tell them to boot off that from now on. Problem solved. :wink:

 

[CityK]

To bring this (somewhat) to a conclusion, I will say that this turned out to be a comedy of errors. The story is quite long (and extremely boring), and really not worth relating in its entirety (...from the perspective of not wanting to waste too much of both your and my own time). So, for your reading pleasure, the encapsulated version goes like this:

Phase 1: After "fixing" the system [spyware, corrupted user profile, possibly virus funny business (but nothing found by nod, AVG, housecall, UBCD, McCaffe Stinger), corrupted network settings (modem driver related)] I suggested that they dump the USB modem and get a regular one from the DSL provider.

Phase 2: Arranging for a new modem should have been easy-peasy (and I have done this before with no problems). However, the treatment and response from the (Indian) tech support jerk was horrid (I know, because it was I who phoned it in under the guise of the owner - because they felt I would do a better job explaining). This was just bad - bad as in like what Merc experienced in his Sony story - i.e. we have to troubleshoot. Why? I just want to exchange modems?....It went on for twenty minutes, with five other people in the room listening on in astonishment as I (behaving very politely) tried to simply arrange for a replacement modem. The idiot actually ended up becoming belligerant with me. I just hung up. I suppose if I wanted to be an ass I could have gotten him in a lot of crap, but I really don't want to bother spending the time to complain...besides, if he's that bad, he's bound to be digging his grave from multiple paths. Anyways, the owners were abhorred by this, and the next day called to cancel with Bell. Bell begged and pleaded, but my friend's breaking point had been exceeded. (Its funny, I came across a website several months back that was made by a supposed former tech support for one of the two big providers here in Toronto - Rogers and Bell Sympatico. On it, this person details how to get some freebies from your service provider...basically once you say "I want to cancel" they will bend over backwards just to try to keep you on board. What I remember from reading, his descriptions of the service you are provided prior and post uttering those magic words sounded exactly the same as what happened in this case).

Phase 3: So enter Rogers two or three days later. Problem, they don't support SP2 yet. And the computer just would not release the IP settings under SP2. I get a call from my friends and go over, thinking this is an easy fix. Sure enough, the IP and related settings are stuck with their former sympatico values. Ipconfig /release all , /renew all just did not work. Puzzled, I called Rogers - the tech guy was pretty cool, and despite them not supporting SP2, he tried to work with me on it. Now, as I've stated before, I'm not very knowledgeable when it comes to the networking aspect of computers, so I really don't know if there was a simple solution to the problem or not. But what I tried, and what suggestions the tech guy offered just went no where.

Phase 4: "Roll back the barrel, roll back the barrel of fun"....Service pack 2 , meet service pack 1. So, with SP1 back on board, the network settings release - and Bingo was his name oh. Problem - much of the work that I had initially done in fixing the system was undone. Ooops. Unfortunately, the time was getting late (it was a Sunday night) and I didn't get everything patched up, so we put off fixing everything up until another day. Besides they were just happy they had a working internet connection again....what's a little security problem compared to having the internet eh? Of course they were happy.

Phase 5: From there and Back again, by Bilbo CityK. Do you know how long an unpatched computer takes to become compromised? I;'m guessing its probably a whole lot less time then the week that was in between my next visit to my friends house. I'm talking major spyware, and trojans folks. So, I cleanse the system a bit and decide that before I make anymore changes, that this would be a good place to make a ghost image, just so I can come back to it if necessary. Namely, my intention was to try SP2 now (from a known working network config). Problem - in blabbing away to the kids, and eating and drinking, and everyone getting ready to watch the movie rental on the big screen, I, uh, kinda of must of set ghost to clone the C: partition to the D: partition by mistake. It was just one of those things - I guess cause the mouse sensitivity is so out of whack when running off my ghost boot disk (which I imagine I could one of these days actually configure it properly), that the cursur slipped from the partition image option to the partition clone option by mistake. And, being relatively distracted, and despite the fact that I remember thinking that something just wasn't right (i.e. slightly different setup screens), I just didn't fully pick up on these facts and proceeded to click away and unleash the destructive operation. About twenty seconds into the cloning, I turned to the computer screen and realized what I had just done..."Oh fuck!! Eject, eject eject!".... hopefully my navigator made it out alive.

Fortunately, the son had taken my advice and had backed everything important on the system on to disc earlier in the week. So my collosal error wasn't as catastrophic as it could have been, but nonetheless, I certainly felt like an idiot telling them that I had just borked the D: partition. They really didn't seem to care....I'm certain they just didn't understand the gravitey of the error...or understand what a partition is. So all told, my error just became another PITA problem - ie. requiring the restoring of files from disc back to disk.

Anyways, continuing on, SP2 loaded fine and worked fine. But despite my attempts to rid the system of all virili, and spycrap, several remained. On line (AVG, Nod, and housecall all failed - Nod and AVG said they couldn't remove them; housecall kept crashing). Offline scanners on the UBCD just crashed as well....not particularly impressed with the UBCD virus scanning, as that's 0 for 2. Adaware, Spybot, and one of the one's Merch suggested (name escapes me right now...wait Sheddar was the one) were also striking out large on their end of the deal. I can't remember names offhand, but their was definitely two Trojans stuck on board, and the spyware/browser hijack was Coolwave(?), coolbits(?...no thats Nvidia stupid. Stupid! Why you little...) or something like that. It, and its viral friends, were most persistant in that they stay around and party.....Yi-ye-ya-yi-ye. What to do. Once again, its a late Sunday night, and I found myself almost back to square one. Well, I decided to just screw it. I actually uninstalled antivirus protection - otherwise the resident detection programs were basically just popping up all the time informing that there was a trojan detected...Ummm, tell me something I don't know....better yet, do something about it you useless pieces of .....

So I left them at that. They have an infected machine, and are vulnerable to more virilii, but despite this, they're happy cause the internet is working. Instead of working on this any longer, I'm just going to supervise them while they start from scratch and reinstall everything. I figure it will take less time and, two, they will learn something (the son is definitely picking things up along this journey). At the very least, they have learned how so very easy it is to pick up some unpleasantness in the windows world. How many years has it taken Microsoft to start encouraging user awareness about security? Pffft, amatures - it only took me a couple of weeks to teach an average family.

So, perhaps on Monday (its the Canadian Thanksgiving long weekend) I'll be slurping back a few slushies, enjoying left over pumpkin pie and barking out installation directories over at their place. Hopefully, this saga will finally be brought to its conclusion.

----------------------
I thought you said this was going to be short?

I lied. Now go get me some lunch, I'm starving....and that railing ain't gonna paint itself you know.

Yes sir. Right away sir.

 

[time]

If they really do have one of the more unpleasant variants of CoolWebSearch, you might like to spend a few minutes reading about what you're up against, particularly variant 39. Some such as this are impenetrable to CWShredder, and this is not a complete list.

 

[Fushigi]

Do you know how long an unpatched computer takes to become compromised? I;'m guessing its probably a whole lot less time then the week that was in between my next visit to my friends house.

Estimates vary, but most will say the average is between 12 & 20 minutes.

 

[i]

I was going to post a new discussion requesting some help, but as this topic is so similar...

Nearly 4 years ago supporting MS stuff was a major part of my livelihood, but not anymore. Now I'm forced to deal with Windows only occasionally ... the rest of the time I live and breathe BSD and Linux.

The parents of a friend of mine however, are working with Windows XP. (Home edition, unfortunately.)

At some point in the recent past, they discovered they had some spyware, and had someone remove all(?) of it. During or after (they were as vague as you'd expect former AOL users working with XP Home to be) this spyware-fest, they also switched ISPs. This XP Home system had originally started out with AOL, then had a brief stint with DSL, and has just now been switched to a cable ISP. I have to wonder what bits of AOL this system is still dragging along with it.

They asked me for help because they hadn't been able to get it to connect to the Internet since switching to cable. After looking at it on Friday however, it was obvious that it was connecting. For someone like me - out of the Windows loop for so long now - it was actually an interesting problem. They are successfully served all the information they should need for a functional network connection by a DHCP server. The problem is that DNS lookups always fail ... but only from within the GUI! I discovered that if I brought up a command prompt and ran nslookup, I could successfully resolve any name to the correct IP address, and then switch over to a browser in the GUI and connect to the IP address without any problem. But if I had IE (or later after I installed it, Firefox) attempt to do the name resolving by just typing in a URL, it would fail every time.

So ... is this lingering damage from the spyware (there didn't appear to be anything in the tasklist or in the usual starting points in the registry), or the result of the former AOL stuff, or both?

Assuming this is the remains of spyware damage, can I expect Adaware, Spybot, and/or HijackThis to fix it?

*sigh* If I had lots of time and money, I'd format their system, load WInXP Pro, set it to manually update itself, and then lock the hell out of the thing. I'd leave them with the ability to run Firefox. And Notepad. Maybe Notepad.

 

[Will Rickards]

I'm thinking check the hosts file on the machine but somehow that doesn't seem to fit the problem...

 

[blakerwry]

Sounds like a winsock problem possibly...

if they have XP SP2 you can reset winsock with the follwoing command:

netsh winsock reset catalog

And it would be worth your while to reset TCP/IP while you're there with the following:

netsh int ip reset c:\reset.log

or just type netsh <enter> winsock <enter> and poke around to see what you can find.

 

[blakerwry]

oh.. and howabout the firewall reset:

netsh firewall reset

 

[i]

I actually did a 'dir /s hosts*' command from the root of C:. Two files turned up, but both were just example files.

That reminds me ... I had to do the search from the command prompt because the "normal" search from within Windows Explorer had also been affected. That didn't surprise me much as *&#$(#@ Windows has IE integrated so deeply into its guts. On the left hand side of the search window, where you'd expect the fields in which to type what you're searching for, everything was blanked out (not greyed out) - like something had tried to modify the search capability at some point, but for whatever reason, the GUI search function wound up being unable to do anything at all. It was just crippled and useless.

How the hell do people live with Windows these days?

Sure, spyware is first and foremost a user education issue, but after ... what ... 15 years of serious Windows development, how the #&$*#&$ is Microsoft putting an OPERATING SYSTEM out there that ALLOWS this kind of insanity to ever happen in the first place?!

And people PAY for this crap!! I'm not going to tell anyone that either OpenBSD or Linux is perfect, but for the love of god ... at least I didn't have to PAY for either of them. And what's more, with BSD or Linux, if something goes wrong I also have a real chance at actually fixing the problem! And if I can't, I can reinstall it without having to call the Microsoft Stazi to get permission to do so.

Gack. Sorry. I'm reminded why I ditched MS in my personal life. I did so so long ago I'd forgotten why.

 

[i]

Thanks blakerwry. Does that stuff apply to XP Home?

 

[CityK]

If they really do have one of the more unpleasant variants of CoolWebSearch, you might like to spend a few minutes reading about what you're up against, particularly variant 39. Some such as this are impenetrable to CWShredder, and this is not a complete list.

Ah yes, CoolWeb. Thank you time, as that indeed was one of the culpruits. I'm guessing that the variant infecting my friends machine is 39 or later (given your link is current upto April/04). There's no way in hell I'm going to bother ferreting around the system trying to get every last reminent out. Going to take it from the top and start from scratch.....which didn't happen tonight, but maybe sometime soon.

 

[CityK]

These days I like to vest as least amount of time with learning more of all things "Windows" as possible. As it stands, time is the limiting factor in regards to my conversion to *nix....it's coming, but it just can't happen fast enough.

 

[blakerwry]

Thanks blakerwry. Does that stuff apply to XP Home?

XP pro and home are identical except for the fact that MS removed NTFS permissions from the Explorer GUI and changed user logins so that you no longer have the same MMC and domain logins are removed from XP home.

Any other differences I can think of are minor. (like NT Backup not being installed by default)

 

[LiamC]

Needed to find this to get Tea/Tannin's spware removal script.

 

[LiamC]

BTW, I've typed spyware as "spayware" three times today. Maybe that's what it does to you

 

[Buck]

Or it's the distraction one gets from looking at your avatar.

 

[Tea]

Hi all. I'm not back yet. Umm ... in fact, I'm still trying to find the proper turn-off. I must have had a Tannin Moment back there a few tens of thousands of kilometres ago and gone left instead of right somewhere in Thailand. Anyway, I'm posting this fom an internet cafe just outside a place called the Rautatieasema (whatever that is). Seems to be a railway station, but all the signs are in some weird language, so I guess I'll just keep walking. Bloody cold here though.

Enough of the postcard stuff and back to business.

It is interesting to see how little of the basic spyware removal method has changed of the last 18 months since I posted that how-to. What's different now?

Hijackthis instead of Regedit. Much easier. I sometimes need regedit these days, but rarely.

We rely much more on Spybot and much less on Ad-Aware. Ad-Aware is a bit lightweight, but still useful as a double check.

In XP, multiple users cause no end of havoc. Yoiu can clean user Alice up, but she gets reinfected from files hidden away in user Bruce. Flip over to log on as Bruce and clean that up, and the really nasty stuff hides itself in Alice, where you can't get to it. And so on. So, Rule One with XP systems is delete all the users except one[/i] If that anoys your customer, tough luck. It has to be done, and you can still save all their user files no worries. Even if you don't get cross-infection problems, every extra user adds 30% or 40% extra workload to the task. families with 7 users, you could spend a whole week on just one spyware job.

There is a range of special-purpose tools that we use now for particular nasties. Sing out if you are interested. (I'll be out of contact while I'm walking home, but Tannin will probably remember to post a list if you ask him nicely.) (Hint: say "please", and if that doesn't work, I usually find that a firm double-handed grip around the throat and a swift knee in the technicals is effective.)

By the way, has everyone mastered that particularly nasty and distressingly common bit of pox called Smitfraud or PSGuard? Sing out if you want a hand with it, it's tricky.

 

[LiamC]

(Hint: say "please", and if that doesn't work, I usually find that a firm double-handed grip around the throat and a swift knee in the technicals is effective.)

:lol:

Tea, you sure are funny. Besides, you spelt testicles wrong—it's T.E.S.T.I.C.L.E.S. Ask your dad what they are; after he's had a few ales.

:mrgrn:

 

[mubs]

Some years ago, I worked in a small company where the telephone operator would page "Technical Support, you have a call holding on line 3" if they didn't answer their phones when she transferred to them.This happened several times a day, and one could hear the page in all open / public areas of the company (including warehouse). Being the joker that I was, one day I asked the young gal, "Why do you keep asking for Testicle Support, it's embarassing to hear". Did she turn red! She never paged that way again, instead using the Tech Supp. guy's names instead. I wouldn't dare pull that stunt again anymore; would probably get fired for sexual harassment.