Sunday, November 21, 2004

An encounter with the Dark Side

I have been using my PowerBook for nearly a year now; it is pretty much the only computer I use when I am not at my place of employment (where I must perforce use a Dell desktop running Windows XP). My first computer, back in the mists of time (well, about 1978, anyway) was an Apple ][, the first real consumer personal computer. So getting the PowerBook was more of a homecoming than a Switch. Still, although I have been casually extolling the virtues of Apple and OS X to all and sundry this past year, it hadn't really hit home just how great the differences for the home user are, until Wednesday evening last week.

You see, while I, like everyone else, experience unexplained errors and Exchange server crashes while working on my work PC, I simply log a helpdesk ticket to have it resolved, and it is handled reasonably efficiently, without my having to do anything. At home I never have to do anything with my PowerBook: it simply works. My flatmate experiences intermittent problems getting his Dell laptop to connect to our wireless network, and I poke around at it and usually get it working again without really knowing quite how or why. So obvious minor differences, but nothing too exciting, right?

Last Wednesday evening a friend brings round his brand-new IBM ThinkPad, a really lovely machine. Unfortunately it isn't behaving in a very lovely way, and he is seeking my help. He shows me that whatever he sets as his homepage, the browser launches with what appears to be a search engine as the start page. This page also contains hundreds of links, some of them not very savoury. Straightforward browser hijack, right? That's what I thought. I confidently downloaded Ad-Aware SE and let it do its thing. It promptly found an instance of CoolWebSearch, and deleted it. Great!

Well, not so, really. On reboot, IE launches with the same unwanted start page! Scanning with Ad-Aware reveals the same instance of CoolWebSearch, which AA cheerfully deletes once again. Reboot, same thing. It becomes apparent that something is reinstating the malware, and Ad-Aware can do nothing to prevent it.

A little googling reveals that others have experienced similar problems, and a program called Spybot Search and Destroy is recommended. Download, run. Finds CoolWebSearch (CWS). Deletes same. Reboot. Same behaviour. Run SS&D. Finds CWS. Deletes. Reboot. Rinse. Repeat. Hmmm.

Back to Google. A little more digging reveals that the absolute last word on CWS removal is something called CWS Shredder. Download. Run. Finds CWS. Deletes same. Reboot. CWS back again. Start to tear hair out.

I start to run each program one after the other, in safe mode, turning the computer off for thirty seconds between each round. No dice. I do a Windows update. No change.

By this time my friend has had enough. Leaving the laptop with me, he goes off home. I continue to search, obsessed by this fiendish obscenity of coding. Further web research suggests that the malware itself is contained in a DLL in the Registry, and is easily found, but there is another DLL, a "shield" DLL, that watches the first DLL, and recreates it if it is deleted. The shield DLL is created with such unusual permissions and ownerships that almost no registry editor can even display it, much less delete it. I go to bed, annoyed.

On Thursday evening after work, I do some more searching. I find a page of arcane instructions, and attempt to follow them. I download the only registry editor that can display the shield DLL, but it doesn't seem to work. Either I have a different variant to the one in the instructions, or my shield DLL is too fiendish for even the super-registry editor. I start thinking about how much work reformatting the hard drive and reinstalling XP will be...

Fortunately I stumble across a fantastic site, Spyware Warrior. It's basically a forum, where the knowledgeable volunteers generously help out the truly "last hope" cases. You need to have tried everything else first, and you need to create an account and post your query to the forum; email exchanges are not supported. But this was literally my last resort, so I thought, what the heck. I created my account, downloaded a program called HijackThis, ran it, and posted the log on the forum, together with a plea for help. I had a tutorial to attend at this point, so off I went, not expecting a reply until the weekend.

On returning from class I was pleasantly surprised to find that a forum denizen named Blender had already processed my log and posted detailed instructions for removing the pest. I followed the instructions, rebooted the computer, ran IE and...

All was well! It worked like a charm. I posted a follow-up log, and Blender confirmed that the machine looked clean. He also gave me some software suggestions to keep the ThinkPad that way, including IE Spyad, a little script that adds several thousand noxious sites to IE's restricted zone, ensuring that the computer is on high alert should you stumble across them; SpywareBlaster, which prevents IE from installing ActiveX-based spyware, hijackers, diallers, etc.; SpywareGuard, which alerts you if any changes are made to IE settings; an anti-spyware and adware hosts file; and of course the excellent Zone Alarm personal firewall, a lot better than XP's built-in job, and still free!

So a very positive ending to a rather unpleasant experience, thanks to the good people at Spyware Warrior. (Just an aside: DON'T use HijackThis without their advice unless you really know what you are doing; it's an immensely powerful program that could render your machine unbootable with a mouseclick. Please go to the forum and read the instructions or ask for advice.)

And thank goodness for my Mac!

