Spyware, or, How I Hate Windows

(Security, because it’s spyware, but General Tech, because it’s not actually all that interesting, being spyware on Windows, but I figured I’d post a bit of my notes here.)
Linda’s mother asked me if I could have a look at her PC. It was giving her weird error messages when she tried to go into the Control Panel and such to remove software. She blamed it on Linda’s sister, who’d been using LimeWire on the machine, but I figured it could have been anything, so I agreed to have a look. (There’s some history between us regarding fixing computers, and I generally loathe looking at family PCs anyway, but I figured what the hell, I’d never seen that particular error message before.) So, mostly last night and a bit today, I had a look.


First thing I noticed was the machine refused to see my USB keyboard and mouse – which was odd, because she has a USB printer. It’s a fairly modern machine, P4 class with 228MB of RAM (some is stolen for the video card), and it’s less than a couple of years old, so it shouldn’t have had difficulty.
She got it in the Control Panel, and I also observed the following message, even when booting:
16 bit MS-DOS Subsystem
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose ‘Close’ to terminate the application.
[Close] [Ignore]
The funny thing is, she didn’t have an autoexec.nt file in that location. Oh well. She had Norton Antivirus installed (good) with outdated definitions (July, bad, because her license had expired). She had Ad-Aware installed, 21-day-old definitions, so not terrible there, and she said she ran it regularly. She was telling the truth there; she had about a dozen logfiles. I had a look at those, and they were all fairly innocuous except for the last one, which had a cookie from a *really* rude site, which was very out of the ordinary. A fresh run of Ad-Aware found nothing.
I downloaded Windows Defender and ran it – bingo. iMesh. (I guess Linda’s mother will have a chat with her sister.) There was also Claria.GAIN.Trickler, ShopAtHome, FavoriteMan, PeopleOnPage, eZula.Eearn, and NewDotNet. I told it to remove them all; Defender coughed up 0x80501001 trying to remove Claria, ShopAtHome, and iMesh.
I grabbed HijackThis, ran that, and removed several entries that it found – RegShave, SpywareBot, and “ycmagm.exe”. It also had “R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings,ProxyOverride = 127.0.0.1” – I figured that was likely up to no good, and there were a few other weird BHOs installed, so bye bye to them.
Reboot, re-run Defender, this time it was able to remove the other 3 items.
About this point, some more googling suggested that there were some corrupt system files. Following advice I found at a couple of links, I did:
cd \windows\i386
expand autoexec.nt_ c:\windows\system32\autoexec.nt
and the same for command.com and rundll32.exe. After each step, I tried the control panel thing, and after rundll32 was replaced it started working again.
Reboot again, and now I was able to get into Add/Remove Programs to uninstall LimeWire and RegistryFix 3.0 (don’t know what the latter is; Google suggested it likely wasn’t useful, so adios).
Another reboot, and rerun HijackThis, remove an O16 that pointed to 207.188.7.150/25539938714c85774514/netzip/RdxIE601.cab. That IP resolved to pacman.progman.com, which I had a peek at (with my Mac, I’m such a smug user), which appeared to be a parked domain or one of those search aggregator pages. So I removed the item. By now, the system seemed to be more or less normal, so a couple more reboots and checks for updates later and I’m done.
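The two HijackThis entries above (the R1 ProxyOverride line and the O16 ActiveX download from a bare IP) are the kind of thing that is easy to pick out of a log mechanically. As an added example, not part of the original post and not HijackThis code, here is a small Python triage script that parses HijackThis-style log lines and flags the patterns this cleanup turned up: a proxy setting that references the local machine (what a local traffic-interception proxy leaves behind), a browser helper object with no name, and an O16 DPF entry whose host is a raw IP address. The log excerpt is constructed; the two entries copied from the post are real, while the CLSIDs, the BHO path and the benign lines are assumed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed HijackThis-style log excerpt (example data, not the post's real log).
# The R1 line and the first O16 line reproduce the two entries the post describes;
# the CLSIDs, the O2 BHO path and the other lines are assumed for illustration.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\assumed.dll
O16 - DPF: {00000000-0000-0000-0000-000000000002} (netzip) - http://207.188.7.150/25539938714c85774514/netzip/RdxIE601.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Windows Update) - http://update.microsoft.com/example.cab
"""

# A HijackThis entry is "<code> - <body>", e.g. "R1 - ...", "O16 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (code, body) pairs for every well-formed entry line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _points_to_loopback(value):
    """True if any host in a ';'-separated proxy value is localhost or a loopback address."""
    for part in value.split(";"):
        host = part.strip().split(":")[0]
        if host == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            pass  # not an IP literal (hostname, wildcard, or the benign <local> token)
    return False


def _host_is_bare_ip(url):
    """True if the URL's host is an IP literal rather than a DNS name."""
    if "://" not in url:
        url = "http://" + url  # HijackThis sometimes logs the URL without a scheme
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Apply three review rules and return (code, reason) findings in log order."""
    findings = []
    for code, body in parse_hjt(text):
        if code in ("R0", "R1") and " = " in body:
            # body is "<hive\\key>,<value name> = <value>"
            key, value = body.rsplit(" = ", 1)
            name = key.rsplit(",", 1)[-1]
            if name in ("ProxyOverride", "ProxyServer") and _points_to_loopback(value):
                findings.append((code, f"proxy setting {name} references the local machine: {value}"))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append((code, "browser helper object with no name: " + body))
        elif code == "O16":
            # body is "DPF: {CLSID} (name) - <url>"; the URL is after the last " - "
            url = body.rsplit(" - ", 1)[-1]
            if _host_is_bare_ip(url):
                findings.append((code, "ActiveX download from a bare IP address: " + url))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"[review] {code}: {reason}")
```

Running it on the sample prints three review items (the R1 proxy line, the unnamed BHO, and the netzip O16) and stays quiet about the start page and the Windows Update entry. The rules are deliberately narrow: they point a human at entries worth a second look rather than deciding anything on their own, which is the same job the post did by hand.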
Takeaway: I already knew better than to trust just one antispyware tool, but now I really know. (Better, don’t do something stupid to get infected in the first place. 18 years on PCs and the only infections I’ve encountered personally have been deliberately done by me.)
Man, I hate working on WinTel PCs.