Another Client with a spyware infection… This lady uses a dialup connection & eventually couldn’t do any web browsing.

Funnily enough, she had norton interner security (and anti virus) running, but this malware ran rings around it… the second computer in 2 weeks with norton helpless at stopping spyware.

Anyway, I spend 90 minutes doing the usual: disable malware startups within the registry, startup folder, etc. but every few minutes, a web page would spontaneously pop up anyway… At least the computer was mostly working, but if I left it as is, it would have gotten worse over time anyway.

Client agrees I can take the computer & work on it from the office.

After a lot of investigation, I find I’m dealing with “look2me”… & all the forums are full of helpful suggestions, none of which seem to work for my particular situation… run programs like adaware, ewido, spybotSD, etc, start in windows safe mode, blah blah blah.

No matter what I did, the spyware was re-appearing. I even knew which file was the culprit, but it was “in use by windows” from when windows starts, so it cannot be deleted, & it changes name after every reboot… so deleting it at reboot time is no use… and of course any deleted files or registry entries would get re-created (sometimes within a matter of seconds)

I got a good idea of what was going on by using hijackthis (http://www.spywareinfo.com), regedit, l2mfix, and the symantec page on look2me.

I even upgrade XP from SP0 to SP2

I also found that there are so many variants of this little critter… no wonder anti-spyware programs can’t control it… antispyware rely on malware “signatures”… similar antivirus programs… the malware people can generate new variants faster than any anti-malware company can keep up… maybe someone should tell them to adopt a heuristic approach… so that all current & future variants can be dealt with.

Anyway, I figure out how to interpret the output from l2mfix, & tell the difference between legitimate files & registry entries, & bad ones.

It seems like L2M rotates between 4 different (seemingly random) filenames after every reboot. The registry entry for the current active dll file can be deleted, but it gets recreated.

But there are 8 other registry entries, which seem to “control” the 4 dll files… So I delete these 8 entries while in safe mode (I wouldn’t have been happy if there were 200 entries!). They don’t reappear, so I empty out the temp, prefetch, & ie cache folders. Then I schedule killbox to delete any undeletable “bad” dll at booot time.

I’m not sure what else I can do… its 4am, & I’m a wee bit tired, so I decide to reboot into safe mode again & see what happens… I notice that my deleted entries have remained deleted, the “reappearing” registry entry is gone, and there are no bad dll files left in the system32 folder…

I run ewido, spybot & adaware, just to be sure, then I reboot to normal windows mode. Still no signs of L2M, so I do a defrag & let the computer (with Maxthon running) go for the rest of the night. The next morning, there are no signs of malware, so I declare the computer exorcised of deamons, & return it to its family.

Can someone please make a decent anti-malware program?

I hope future malware problems I encounter will be easier… otherwise I might have to take the “lazy” way out & recommend system rebuilds as a solution… not the most elegant solution, but it make better use of my time.

Posted by Computer Help as Technical at 5:33 PM EST

2 Comments »

Client needs help setting up a brand new computer & multifunction printer/scanner

She doesn’t know much about computers, so I startup the laptop & go through the windows “configuration” screens, nothing unusual.

She wants to setup the internet… but has no broadband modem… So I ask her to call the ISP.

In the meantime I check the wireless connection, & it looks like someone nearby has an unsecured wireless connection to the internet… So I tell her she can use it occasionally, but needs to get her own internet connection.

I enable norton, since it was already installed with windows.

I then install the HP printer software.

The HP software take 30 minutes to install… wow is it slow.

I also notice that the wireless network is still visible, but I can’t browse anymore.

By the time the printer is fully running, I have used up my allotted time, so I leave. But later, I start thinking: enabling norton might start blocking the wireless internet access… I’ll need to investigate this Norton software some more… Lots of people out there are using it (perhaps they shouldn’t), but I need to become familiar with how it works. Looks like I’ll be spending some time “playing” with this monster.

Posted by Computer Help as Technical at 9:00 AM EST

No Comments »

I return the laptop & I get the printer going with no further issues. I also did some tuning & installed some utilities to minimise the occurrence of popup ads, malware etc, & since Norton didn’t do a good job, I also installed AntiVir (www.free-av.com).

I also installed Maxthon (www.maxthon.com), as I’ve found the tabbed browsing helps to control popup ads (but maxthon also has built-in popup & ad removal capabilities, as well as many other nice features)

He also wants me to get his media centre PC & the laptop networked, so that he can share files between the 2 systems.

Here is where it starts getting time consuming, as I make sure both systems use the same workgroup, & both systems have the same usernames. I eventually get the HP to read/write files to the laptop, but not vice-versa… I disable norton on the HP, & I can now “find” the PC with windows’ find computer, but still no sharing of drives…

We agree to leave it as is, as the client knows a network expert who should be able to fix the networking a lot faster than me.

Although I got a lot done, I hate leaving loose ends.

Posted by Computer Help as Technical at 5:27 PM EST

2 Comments »