View Poll Results: When was the last time you scanned for spyware/malware? (choose the closest answer)

| Answer | Votes | Share |
| --- | --- | --- |
| In the past day | 3 | 30.00% |
| In the past week | 4 | 40.00% |
| In the past month | 1 | 10.00% |
| In the past year | 1 | 10.00% |
| I've never checked for spyware | 1 | 10.00% |

Voters: 10.
#1
evil spyware/malware

Ok... I'm rarely this stupid.

I downloaded the latest Divx codec (so I could watch the first 3 seasons of South Park I had just downloaded) and installed it without issue. I actually did read about the fact that the latest 5.11 "Pro" version (used for encoding and decoding) of the Divx codec had spyware contained in it... however there was NO mention of spyware being contained within the non-pro version (used only for decoding). Sure enough, shortly thereafter, I noticed something a bit odd.... Google searches were returning the first page of results as non-relevant links... almost identical to the sponsored link results except these new results were always very similar, regardless of what I was searching for, and these results referenced links for other search engines. Knowing that google wouldn't be quite THAT stupid, I figured there must be some spyware on the system. When I clicked on the second page of results, they all looked like normal results... and I noticed something VERY odd... according to the gooooogle page navigator at the bottom of the page, I was viewing the FIRST page of results. Additionally, I noticed an unusual spike in internet traffic and a noticeable slowdown of the system performance.

After closing everything down and uninstalling SEVERAL different spyware programs which had graciously installed themselves using the Windows Add/Remove Programs option, I proceeded to clear the browser cache (manually), delete all temp files, then scan using "Spybot - Search and Destroy" and Adaware 6. Sure enough, there were bucketloads of spyware found (over 100 individual components). I scan for spyware daily... so all of this crap came from this one program. After deleting the items, I did a boot scan for spyware using Spybot to ensure that nothing remained. After removing the final pieces of spyware from my computer, I gave a sigh of relief... no problems removing everything... only took 30 minutes... no problem... time to do another google search... DAMN! Same problem!

At this point, I'm thinking I've overlooked something. Tried google again... same problem... and now I'm getting pop-ups even with the google pop-up blocker turned on... DAMMIT... THIS SUCKS!

After checking the usual resources online, I found no reference to this type of spyware/malware. (In hindsight, I'm sure there was probably a result that could have helped... but not knowing the type of spyware you are dealing with, coupled with the number of generic results from online search, makes finding helpful information virtually impossible.) Ok, I'm a computer geek by trade... time to think outside of the box... I uninstalled the google toolbar.. no difference... except now I get even more pop-ups. DAMN DAMN DAMN!!!

Next, I checked my "hosts file" in c:\windows\system32\drivers\etc\. This file can override normal network addressing... essentially routing any specific networking request (including web requests) to another unrelated server. The "hosts" file is very devious since it routes these requests without the user even knowing it.. for example, you type in www.cnn.com and you end up in www.milf.com ... meanwhile the url in the browser window still shows www.cnn.com. As a side note, many child filtering programs utilize the "hosts" file to route kids from nasty sites. Nothing out of the ordinary in the hosts file.

I decided to check the browser cache for a clue as to what is going on. Since I had recently cleared the files and had only tried to use google once since then, it was reasonably easy to navigate the list of files. After eliminating the items originating from the actual google domain, I viewed the html source of some of the odd looking html and script files remaining in the IE temp files... AHA! A reference to "2020 Search"! Time to search online again.. this time using the terms "spyware", "2020" and "google". SUCCESS! Links to a program called "Hijack This". This program checks a wide variety of points on a system where the problem can be hidden. I ran "Hijack This"... the results showed several entries with some of them looking a bit unusual... but after some careful checking, all but a couple were normal. I deleted the non-normal entries. (NOTE: "Hijack This" edits the registry... don't use unless you understand what you are doing.) Time to try google again... SON OF A #$&^&! No luck!

But... also mentioned on a page referencing "Hijack This" was another program called "CWShredder". This is a highly specialized tool for removing a very specific type of spyware/malware: CoolWebSearch (and its various incarnations). After reading about the program, I ran CWShredder... which has two options: "Scan" or "Fix". Since the "Fix" option can do no harm to the system (and the "Scan" option can overlook some variants), I ran the "Fix". Sure enough, it found a version of this nasty software called SearchX. It automatically removed it without fanfare. Back to google again... I entered a search term... and VOILA! A normal google result page! I tried again with a different search... WOOHOO... normal result!!! After a quick reboot, a final scan using Spybot, Adaware and CWShredder with nothing found, and a reinstall of the google search bar... I'm back to square one... except I now have to download an older version of the DIVX codec so I can watch the rest of the South Park episodes!

This whole process took 2.5 hours! This itself is significant. I am considered an expert on Windows Systems. I make my living as an I.T. Consultant for small-medium sized companies, I specialize in Windows-based systems/networks, I have over 15 years of practical experience working with 32-bit Windows, I have had my MCSE for over 8 years, I understand the methodology of troubleshooting problems... and yet it took me over 2.5 hours to figure this out! I can only imagine how much this could screw up an "average user". While SPAM might be a pain in the ass to most people, I think Spyware/Malware is a far worse problem.

The average user won't notice many of the side effects of spyware... and even if they do, they are often ignored. I have seen reasonably powered systems slowed to a crawl from spyware clogging up the works. This slowdown is usually incremental and typical users would more often than not attribute the problem to other factors such as not enough memory or a slow connection to the internet.

Here is a great link which contains many of the best FREE spyware detection/removal utilities including Adaware and Spybot (as well as many other handy tools): http://www.softpedia.com/public/cat/...0-17-150.shtml

Also, in case you are unfamiliar with the practice, search engine results for "Spybot" often include different programs called "Spybot". Some of these programs will actually load spyware onto your system!!! The "real" homepage for Spybot: Search & Destroy is here: http://www.safer-networking.org/ The real homepage for AdAware is here: http://www.lavasoftusa.com/

Sorry for the length of this post... I just needed to vent a bit after this pain-in-the-ass ordeal. I hope someone finds this helpful when dealing with Spyware/Malware.

Last edited by jhaley; 2004-04-19 at 10:40.
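The hosts-file check described in the post above can be scripted. The following is an added example, not code from the original post or from any of the tools it names. It parses a Windows/Unix-style hosts file and flags any entry that remaps a domain from a hypothetical watch-list, separating silent redirects (a well-known name pointed at some other server) from blocking entries (a name pointed at loopback, which is how a vendor's update site can be made unreachable). The watch-list and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that silently redirect or block well-known domains.

Added example (not from the original forum post). The watch-list and the
sample hosts file below are constructed for illustration.
"""
import ipaddress

# Hypothetical watch-list: domains a user would never expect to see remapped.
WATCHED_DOMAINS = {
    "google.com",
    "www.cnn.com",
    "www.safer-networking.org",   # Spybot S&D homepage, as given in the post
    "www.lavasoftusa.com",        # AdAware homepage, as given in the post
}

# Addresses that block a name rather than redirect it (ad-block style lists use these).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples; comments, blank and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])          # first field must be an IPv4/IPv6 literal
        except ValueError:
            continue
        for host in fields[1:]:                      # one address may map several names
            entries.append((fields[0], host.lower(), line_no))
    return entries


def _is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Classify watched-domain mappings: 'redirected' (sent to some other server)
    or 'blocked' (pointed at loopback, e.g. to stop a scanner from updating)."""
    flagged = []
    for ip, host, line_no in parse_hosts(text):
        if not _is_watched(host):
            continue
        kind = "blocked" if ip in LOOPBACK else "redirected"
        flagged.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return flagged


# Constructed sample; 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # harmless ad-blocking style entry
203.0.113.45    www.google.com google.com
127.0.0.1       www.safer-networking.org
"""

if __name__ == "__main__":
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts (path from the post);
    # read it with open(path).read() and pass the text in place of SAMPLE_HOSTS.
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

On the constructed sample this reports the two Google names on line 5 as redirected and the Spybot site on line 6 as blocked, while the localhost and ad-blocking entries are left alone. The watch-list is the weak point of this check: a clean result only says that none of the listed names is remapped, so in practice the list should cover the sites you actually rely on, including the update sites of the scanners themselves.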
#2
Thanks for that Julian, I'm sure those links are going to be extremely invaluable to many people.

I guess I scan my PC quite irregularly, currently about once a month, or when I notice something 'obvious'. I've only once had a serious problem with Spyware such as you described above: every time I ran AdAware, it would find the spyware, remove it all and I'd think everything would be hunky dory. Computer reboots, and it's all back again. I'm not to this day 100% sure how I finally got rid of it, but I think it was a combination in the end of clearing temporary files and cache and then running the spyware removal systems.

I tend to agree with you about this often being more serious than spam. Spam is a pain, I get hundreds in my inbox daily, but at least I can choose to ignore/delete/filter them with a relative degree of success. Spyware can be a different story altogether. You can get some instances of spyware which render your computer completely unusable; every time you browse a website you are inundated with popups, and I've had some cases where I get popups even without having opened up a web browser. However perhaps more critical is the fact that the spyware can considerably slow down the performance of a PC, without the user really noticing.

I just ran adaware after reading this post, and it found 50 instances of spyware on my machine. I hadn't noticed a problem, but clearly, they'd managed to sneak onto my system and are doing something I most certainly don't want them to be doing.

Anyway, thanks for an interesting read and a thoroughly useful post!

Jo
#3
Thanks for the comments Jo.

The problem with spyware scanners is the lack of discrimination between some fairly harmless cookies and some performance-killing malware (such as LOP, MySearchBar and CoolWebSearch). Often (for me, daily), a slightly misconfigured cookie will get classified as spyware... but I'm not terribly concerned about most cookies (assuming they aren't storing personal/payment information). I am concerned with spyware applications which actively change the way my computer functions... either by causing pop-ups or, as in my latest case, covertly hijacking web requests.

That being said, I can understand that spyware is currently legal and often is the price we pay for utilizing freeware utilities... However, I do draw the line with unfriendly versions of spyware that either utilize cryptic, non-descriptive entries (or completely forgo any entry whatsoever) in the Add/Remove Programs list. Companies who utilize this type of spyware in their free versions of software join spammers in the list of companies who will never get my business, nor the business of my clients. Unfortunately, these companies are not worried about me as there are millions of unsuspecting people who will probably never realize they have spyware installed.

There are two items I failed to mention in my original post:

The first item: One of the most common problems I've encountered is when clients claim to scan for spyware regularly... but never run the update option. Spyware scanning tools release new updates fairly often. These updates allow the software to detect new types of spyware and detect spyware that has been altered to purposely evade detection. On the opening screen of Adaware, there is a text link "Check for updates now". On the opening screen of Spybot, there is a very large button link "Search for updates".

The second item: Spybot has an immunize function which will prevent 509 different types of spyware from ever being installed. On the opening screen of Spybot, click on the red "Immunize" button in the left column, click "ok", then click on the grey "Immunize" button in the middle of the screen.
#4
Hey Julian,

Thanks for the reminder.... haven't run Spybot in a while. Had a frustrating time myself yesterday - HP sent a friendly email on how to run diagnostics, which I did... everything working fine. Then a quick check on their site of my system and they recommend that I download the latest driver. I figure - newer is better (but in the back of my mind I'm thinking - "if it ain't broke, don't fix it"). Sure enough.... screwed up my printer completely. Shooting out blank pieces of paper - 5 at a time. Ugh. I wanted to scream (and I kinda did at the jerk at the HP "customer service" who said it would cost me $30 for him to help me). Anyway - just uninstalled and reinstalled from my disk. 45 minutes lost. I'm a dumbass.
#5
I am having a very large spyware problem right now. I have no idea what I installed or what e-mail I got or what website I went into, but I am getting insane pop-ups. I get them even when my computer is being idle, and not just one or 2 but 10-15 or more. I have Spybot and AdAware and now I have that CWShredder program. Spybot and AdAware are fully updated. I run them daily because I know I have spyware. Any ideas on what to do? Whenever I run adaware it comes up with like 50-100 entries of spyware and I delete them. Next time I run AdAware it comes up with the same exact list of adaware except now there are more or less. Any help would be great. If all else fails I will burn my important documents and then reinstall windows, but to me that is not an option right now.

Thanks in Advance!