Spyware is a malicious problem that affects us all, but, with reference to his recent experiences, Rob Jamieson asks: is the cure worse than the infection?
I have often talked about different components that affect system performance, but a recent infection of Spyware highlighted to me just what else can be going on with software add-ins and how these can slow you down.
A typical workstation computer has the main design application and the standard office applications, such as a word processor and mail, and most have Web access for information. However, that access can also let in a lot of nasty Spyware, as well as the viruses it can bring with it. But is the cure worse than the infection?
Everybody knows about viruses and everybody should have some form of updated anti-virus software installed. Windows XP SP2 will warn you if you don’t have one installed, unless somebody or something has modified your registry to stop it showing this! The problem is that until recently Spyware has not been treated as such a malicious problem. A lot of “nice” websites have used Spyware to find out how many times you visit their site or their competitors’ sites, etc.
Cookies are one way Spyware manifests itself. A tracking cookie is sent back to the site that set it with every request you make to that site, giving the originator details such as your browsing habits. You might say “what is the problem with this?” Well, the answer is that the constant communication is slowing you down. You also might say “but I only use my workstation for designing”, but a lot of CAD programs use web browsers to provide libraries, help, etc., so you have no choice but to use a browser. Not all Spyware lives in cookies, so just deleting cookies from the “Temporary Internet Files” folder will not kill them all.
Some Spyware hides in DLLs (Dynamic Link Libraries) or in executable .exe files. This is worse, as it can run the whole time your workstation is on, sending information about your habits, passwords, bank details, etc. to other people. Now you would think your anti-virus would stop this, but Spyware is not a virus, so not all anti-virus products detect it. The other way Spyware can get on your system is through a ‘vulnerability’, i.e. a hole in a program or process through which a file can be planted on your system without your consent.
Microsoft has woken up to this and is allowing a free download of its Microsoft Windows AntiSpyware program, which I recently had reason to use in anger. Like most corporate users I have an IT infrastructure to protect me, which it does most of the time, but I also have a lot of computers on my own network at home (sad, I know), with various workstations and laptops connected. Likewise I have a hardware firewall, but if you download or get emailed a file that your virus protection (and friend) thinks is OK and you open it… bang!
Yes, I should have known better, but my excuse is it happened on an old laptop that is used for browsing. The little program I got was not a virus but malicious anti-Spyware software! The file I received came with a load of Spyware for it to detect and, of course, if you pay the subscription charge it will clean your system of all the junk that the file brought with it! I’m not saying all anti-Spyware tools are like this, but this of course led me on a quest to destroy this nasty one and all its little friends that had spread over my system.
Curing the infection
I will not detail everything in my voyage of discovery, but I think the process is interesting, just in case you should encounter a similar problem. The first thing I did was disconnect the system from the network to stop it spreading its files to other systems. I have shares for picture stores and remote printers and I didn’t want to take any chances with them also getting infected. I downloaded a bunch of tools, such as ‘ewido antimalware’, ‘Spybot search’, ‘Hijack This’ and ‘killbox’, and some others. These are serious tools, so be very careful!
After running the Spyware searching tools that delete the dangerous files, all was not well. I still had processes running that I didn’t recognise, like netmone.exe etc. After trying to delete a few files, re-running the Anti-Spyware software and restarting the laptop, it was clear that the running programs were copying themselves at Windows startup before they could be removed by the Anti-Spyware. The files themselves could not be deleted, as they were in use and Windows wouldn’t allow it! So now to Plan C. ‘Windows Msconfig’ and ‘Hijack This’ can show you which files are executed on startup and stop them. ‘Killbox’ marks files for deletion before they can start a process, so they can’t copy themselves at startup. I did this to the files I suspected, re-ran the Anti-Spyware and thought all was well.
But I just didn’t trust that I had destroyed all the files. So I ran some executable files and the Spyware kicked in, saying I had a new infection. The point is I couldn’t have, as I still had not connected to the web, so the infection was already there! Now, if you had purchased the Anti-Spyware you would think it was doing its job, but in reality it hadn’t cleaned up the previous infection. The way I managed to stop this was to search for all the new files created on the system that day, add them to killbox and repeat Plan C. This worked because the Spyware wasn’t clever enough to change the file dates.
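The “new files created today” search is worth scripting, because it generalises to any incident where a dropper writes files inside a known window. The following Python script is an added example and is not code from the column or from any of the tools it names: it walks a directory tree, reports regular files whose modification time (mtime) or change time (ctime) falls inside the window, hashes each hit for cross-reference, and flags the trick the column’s spyware didn’t use, a backdated modification time. On POSIX systems the inode change time cannot be set with utime, so a file whose mtime is old but whose ctime is recent has probably had its date faked; on Windows, Python reports the creation time as st_ctime, which can also be altered, so treat that flag as a weaker hint there. The sample tree in demo() and the file names in it are constructed for illustration.

```python
"""Triage helper: find files touched inside a recent time window.

Added example, not code from the original column. Walks ROOT and reports
regular files whose mtime or ctime is newer than NOW - HOURS. The sample
tree built by demo() is constructed here for illustration only.
"""
import hashlib
import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Hit:
    path: str
    mtime: float
    ctime: float
    sha256: str
    note: str


def sha256_of(path, chunk=1 << 16):
    """Hash the file so hits can be compared across machines or with a vendor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_recent_files(root, hours=24, now=None):
    """Return Hit records for files whose mtime or ctime is within the window.

    A file with an old mtime but a recent ctime is flagged: on POSIX, ctime
    is updated by the kernel whenever the inode changes (including a utime()
    call that backdates mtime), so it survives the simple timestomping an
    attacker might use to dodge a "created today" search. On Windows,
    st_ctime is the creation time and can itself be set, so the flag is only
    a weak hint there.
    """
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of ROOT
            except OSError:
                continue  # vanished or unreadable; not fatal for triage
            if not stat.S_ISREG(st.st_mode):
                continue
            recent_m = st.st_mtime >= cutoff
            recent_c = st.st_ctime >= cutoff
            if not (recent_m or recent_c):
                continue
            note = ("modified in window" if recent_m
                    else "mtime backdated, ctime recent: possible timestomp")
            hits.append(Hit(path, st.st_mtime, st.st_ctime, sha256_of(path), note))
    # newest activity first, like a "date created" column sorted descending
    hits.sort(key=lambda h: max(h.mtime, h.ctime), reverse=True)
    return hits


def demo():
    """Build a constructed sample tree and run the search over it.

    new.exe is written now; old.dll is written now and then has its mtime
    pushed back ten days with os.utime, the way a timestomping dropper would.
    Both names are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "system32"))
    new_exe = os.path.join(root, "system32", "new.exe")
    old_dll = os.path.join(root, "system32", "old.dll")
    with open(new_exe, "wb") as f:
        f.write(b"MZ constructed sample, not a real binary\n")
    with open(old_dll, "wb") as f:
        f.write(b"MZ constructed sample, backdated\n")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old_dll, (ten_days_ago, ten_days_ago))  # backdate atime and mtime
    return find_recent_files(root, hours=24)


if __name__ == "__main__":
    for hit in demo():
        print(f"{time.ctime(max(hit.mtime, hit.ctime))}  {hit.sha256[:12]}  "
              f"{hit.path}  [{hit.note}]")
```

Run it against a real system root with find_recent_files(r"C:\", hours=24) or find_recent_files("/", hours=24) on a machine that has been disconnected from the network, as in the column, and treat the hit list as candidates to check against the startup entries rather than as a list of things to delete: a Windows Update or a legitimate install in the same window will show up too.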
One of my friends suggested it would have been easier to wipe the OS (Operating System) and start again, but I learnt a lot about Windows startup and was able to apply my new set of skills to another laptop and take out all the guff that builds up, like SQL databases etc. which I no longer use. This in fact reduced the startup time by 1 min 15 seconds, and after a full defragment (including swap space) it felt a lot faster (the main user, my wife, confirmed this).
My point is: never trust anything; the cure is not always a true cure. Having had the experience I had, I’m now not prepared to take the risk of not having a good memory-resident anti-Spyware program monitoring my system all the time, though of course this has slowed the laptop down a bit. It’s worth trying Windows AntiSpyware Beta1 (whilst it’s free) just to see how clean your system is.
Robert Jamieson works for workstation graphics specialist, ATI.