Is there a simple answer / what am I doing wrong with dealing with the spyware?

Discussion in 'privacy problems' started by babaganoosh, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. babaganoosh

    babaganoosh Registered Member

    Jun 29, 2004
    I need expert's advice on this before my head explodes!

    I take care of small networks at people's houses and am getting swamped with people giving me their PCs that are bogged down with spyware. I thought I was good at cleaning off the machines, but in the last few weeks, the spyware is certainly winning. Here's a bunch of questions / thoughts that I need answered.

    Some background: I typically boot into safe mode, turn off system restore, then manually delete the obvious folders in program files, windows and prog files \common files. Then I'll install / run ncase remover, cwshredder, hijackthis, spybot (with latest update - for v1.3, I need to reboot to normal mode for that), Trend Mico has a program called sysclean that is free and I run that also, keep emptying the trashcan, I'll reboot into normal mode and if the machine is usable, I will run Panda's online scanner and trend micro's on line scanner. They seem to find loads that spybot doesn't. And I run the ps cleaner and vx2 cleaner. Even after all these different tools say it's clean, I still get popups sometimes. and it seems if you miss one file, all your time is wasted?! the spyware knows other parts are missing and downloads all the other things right away.

    I am totally amazed how easy it is for these apps to install / gum up the machine and how hard it is to remove. I guess it's money for me / keeps me busy. but I can't charge for all that time that it takes and it's so depressing working on such a wasteful product.

    1) the scans take so long! I had been averaging 1.5 - 2 hrs. to clean a PC, but that's moving to 2.5 hours recently. what is typical clean up time for you?

    2) How do you lock down the machines?! I apply all windows critical patches and most recommended patches, install spywareblaster, update and enable all protection (I want to automate the updates, but their credit card approval takes a few hours and I am already gone by then). On win xp machines, I make the user a limited user (but then they complain they can't install things, etc... and if you ahve windows update set to automatically update, does that run OK? If you run windows update manually as a limited user, you get an error that you aren't an admin). and I install google toolbar to stop popups.

    3) Am I wrong, but it seems like you have to log in as each user and run all those apps as each user?! I cleaned up one admin user name (and you would think the whole PC?!), logged in as another user and spywareblaster wasn't protecting everything and the restricted zone didn't have any entries - I had to enable all protection on that 2nd user also? I would think an admin's restricted zone in IE would apply to everyone on the machine? But I could understand why not also.... and then if they create a new user, same thing - spywareblaster isn't protecting that user?

    4) When do you just reinstall the OS?! I was trying to remove malware from one machine, must have deleted the wrong thing 'cause then I was getting all kinds of error messages from the OS at startup. Wound up reinstalling Win Xp in a different directory (left everything as is in the windows directory) and boy did it run fast. But a reinstall also takes loads of time (check my math here). Instlal the os, apply ALL the windows patches, install the apps, etc. That can take hours of labor time (even if the PC is in the lab and you can walk away for a while. Yeah, I could ghost the machine ahead of time, but a) the clients don't want to pay when it's not needed (yet) these are typically new clients calling for the first time c) storage of all those images of current clients cost $$$.

    Thank you for all your time and effort with this!
  2. MCT

    MCT Registered Member

    Mar 10, 2004
    personally, what i do when someone asks me 2 fix a currupted pc thats full of spyware/malware is,

    lock the "hosts" file, set attributes to "Read-Only" (once ive cleaned the hosts file out) then, i will remove all "bad" cookies, and limit their internet access by disabling cookies & such, then run windows update (or another tool i like called AutoPatcher )then, scan with spybot & adaware (once they are updated) & run a hijackthis scan, THEN, when im sure its all clean, ill install spyware blaster & update it

  3. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    No, there isn't a simple answer and yes, the spyware is getting worse and worse by the day. :(

    As you've experienced, the automated cleaners only do pieces of the job now. And tools like HijackThis and CWShredder must be backed up with a lot of specific, single purpose tools customized to different types of infections. The experts and programmers are editing their scripts and specialty tools almost daily now to try to compensate for the evolving malware. (See this note/update from Merijn, author of HijackThis and CWShredder.)

    I assume you've read the technical descriptions in the news, general information and FAQs section. If not, you should. Also, you should read some of the longer hijack log threads, not just here but at some of the other forums working a lot of logs. Specifically, the threads where different experts are working on some of the harder to resolve problems. Those are very eye opening and may help you decide when it's time to cut & run, and just start reformatting.

    As to some specific answers, yes some of the tools have to set protections per user - simply because the protection mechanisms are based on per user values built-in to the OS/browser. (IE restricted zones are set in the hkey_current_user section as are the IE6 P3P cookie blocks, while the ActiveX protections are stored in HKLM.)

    As to locking down machines, we recommend people read and follow this:

    Why did I get infected in the first place

    The only problem is that "secure settings" often interferes with things most people want to do with their computers. So, they'll complain if you make them too secure.

    Oh, and if you ever find a way to explain to people why everything you do while working on a PC takes a long time, I'd like to hear it. I could use a new script for explaining that one myself. ;)
Thread Status:
Not open for further replies.