Four Years Later, I Still Hate Spyware

It’s been about four years since I stopped fixing computers for a living. I occasionally take on side work for friends, such as “my laptop started acting funny,” and I have a few customers I still take care of when they need it. They all understand that I have a full-time job in a restaurant and can’t always be there for them at the drop of a hat. Last week one of the girls at work asked me if I would take a look at her laptop, which started acting weird after her brother borrowed it. My first suspicion is almost always spyware of some form, and I am seldom wrong.

Warning – techie talk to follow.

First thing I noticed was that the system was sluggish on boot (more so than Windows usually is, I mean) and clicking on a drive icon took a long time to actually bring up the Explorer window (again, more so than usual.) It then started giving warnings about infections, “click here to download xxx” etc. It also wouldn’t stay connected to the Internet, which was probably a good thing. I had to search to find my old USB key with copies of Ad Aware, HijackThis, etc. (all of which needed updating) so I could get them on the laptop. Ad Aware cleaned up most of it, but then something really bad happened. It told me that to clean up the last remains I had to reboot. Nothing unusual… but on reboot, Windows wouldn’t let me log in. Click the user name, “Loading settings…” and then immediately to “Saving settings” and back to the login screen. Well, bleah.

Some quick searches on Google pointed out the problem: Windows needs a file called USERINIT.EXE to log in, which makes it a perfect target for spyware. The spyware installer either copies over USERINIT with a fake copy that contains the malware, or it redirects to another file via a registry setting. Either method means that even if you log in using Safe Mode, you’re still loading the malware. Ad Aware found an infected copy of USERINIT and DELETED THE FILE! No warning about “Oh, by the way, you might want to restore this file before you reboot… this is your last chance…” If the registry points to a USERINIT file that isn’t there, you can’t log in. The only options at this point are to reload Windows or to somehow access the registry to fix it. If the laptop would stay on the network, I could access the registry from another Windows computer, but the wireless drivers were not loaded at this point, and for some reason the Ethernet connection didn’t work correctly.
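As an added example (not part of the original post, and not the author’s own procedure), here is the check I would run on a machine that shows the login-loop symptom described above, before any cleanup tool is allowed to reboot it. It reads the Winlogon Userinit value, splits it into its entries (Windows runs each one, which is why malware appends itself here or swaps the path), and reports whether each entry is the stock path, whether the file actually exists on disk, and whether it carries a valid signature. It assumes a current Windows with PowerShell; the registry key and default path are the standard ones.

```powershell
# Added example: audit the Winlogon "Userinit" value rather than trusting a
# scanner to handle it. If any entry does not exist on disk, a reboot will
# produce exactly the "Loading settings... Saving settings" loop from the post.
function Test-UserinitValue {
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

    $value = (Get-ItemProperty -Path $key -Name Userinit).Userinit

    # The value is a comma-separated list, normally just the stock path with a
    # trailing comma. Every entry in it is executed at logon.
    $entries = $value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }

    foreach ($entry in $entries) {
        $exists = Test-Path -LiteralPath $entry
        [pscustomobject]@{
            Entry     = $entry
            IsDefault = ($entry -ieq $expected)   # anything else deserves a look
            Exists    = $exists                   # $false here means no logon after reboot
            Signature = if ($exists) {
                            (Get-AuthenticodeSignature -FilePath $entry).Status
                        } else { 'missing' }
        }
    }
}

# On a healthy system this prints one row: the stock path, IsDefault True,
# Exists True, Signature Valid.
Test-UserinitValue | Format-Table -AutoSize
```

If a scanner has already removed a file that the value still points to, the row will show Exists = False; that is the moment to restore the file (or correct the value) before rebooting, which is what the Recovery Console step later in the post had to do the hard way.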

BlueCon to the rescue! Some years back I found a program called BlueCon that would take a Windows installation CD, copy the setup files, add some neat tools to them, and create a bootable CD image. This bootable CD would take you right into the Recovery Console, but with tools not included with the Windows CD such as a command line registry editor and a password reset program. I had to dig around my pile of old CDs to find a Windows XP Professional CD with Service Pack 3 on it (my SP2 version wouldn’t find the drive.) Finally found one, created the recovery CD, and got in to fix the registry and extract a new copy of USERINIT. Boing, and it worked again!

Several passes of running Malwarebytes (Ad Aware had already failed me once) and it seems to have cleaned off most of the trash. The only remnants are the occasional pop-up claiming to have found an infection, which then tries to install Antivirus 2009. BEWARE THIS PROGRAM! It is NOT an antivirus program, it is in fact a rather annoying spyware program that is rather tough to remove once you have it. Not so much that it’s difficult to get rid of, but there are several variations on it, so first you have to figure out which one you have. (I tried two automated removal programs that both failed because they didn’t look in the right place for the files.)

I am now on Day 2 of scanning, deleting, rescanning, scouring the registry (I had to work today so it sat here.) In doing so I found another neat little trick that spyware uses to make sure it keeps reloading itself. The registry has entries for how Explorer should handle certain file types, including drives. It is actually possible to tell Windows “every time someone clicks on this drive, run this program first.” A valuable hook for an anti-virus program, but also a dangerous hole through which a spyware program can gain permanent access to your system. Delete the spyware and now you can’t even open the drive because Windows can’t find the program it’s supposed to run. I had to search the registry for the offending line (which was pointing to a file that was hiding in a fake Recycle Bin directory) and delete every reference to it. How nice… this sort of thing shouldn’t happen. I mean, why is it THAT easy? I am all for extensibility of an OS, but come on, Windows is basically saying “hey, the keys are under the mat, come on in!”

So, after several million scans and finally editing a file in the root that kept putting that stupid Shell line back into the registry, I think the system is finally working properly again. Of course, her Norton Security thingie expired, and no one EVER renews those things… and then they complain when stuff infects their system.
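The “run this program when someone clicks the drive” hook and the root file that kept re-adding it are both things a defender can enumerate directly. The following is an added example, not code from the post; it assumes PowerShell on a current Windows and looks in the three places such a hook lives: an autorun.inf in each drive root (the kind of file the author ended up editing), the per-user MountPoints2 cache where Explorer stores what that file told it to run, and the class-wide HKCR\Drive\shell verbs that apply to every drive. Legitimate entries do appear in the last location (for example the “open command window here” verb), so the output is meant to be compared against a known-good machine rather than treated as a list of infections.

```powershell
# Added example: enumerate the per-drive Explorer hooks a scanner is likely to
# miss. Nothing here is deleted; the point is to see every command Explorer
# will run on a drive click and to spot the one pointing at an odd location.
function Get-DriveShellHooks {
    $results = New-Object System.Collections.Generic.List[object]

    # 1. autorun.inf in each drive root. Lines such as "open=x.exe",
    #    "shellexecute=x.exe" or "shell\open\command=x.exe" are the hooks.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=(.*)$') {
                $results.Add([pscustomobject]@{
                    Source  = $inf
                    Key     = $Matches[1]
                    Command = $Matches[2].Trim()
                })
            }
        }
    }

    # 2. Explorer's per-user cache of autorun handling. The key that matters is
    #    ...\MountPoints2\<drive>\Shell\<verb>\command, whose default value is
    #    the program Explorer runs for that verb on that drive.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path $mp) {
        Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSPath -match '\\Shell\\[^\\]+\\command$' } |
            ForEach-Object {
                $cmd = $_.GetValue('')          # '' is the key's (Default) value
                if ($cmd) {
                    $results.Add([pscustomobject]@{ Source = $_.Name; Key = 'command'; Command = $cmd })
                }
            }
    }

    # 3. The class-wide hook: HKCR\Drive\shell\<verb>\command applies to every
    #    drive. Stock verbs live here too, so compare against a clean baseline.
    $drvShell = 'Registry::HKEY_CLASSES_ROOT\Drive\shell'
    if (Test-Path $drvShell) {
        Get-ChildItem -Path $drvShell -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'command' } |
            ForEach-Object {
                $cmd = $_.GetValue('')
                if ($cmd) {
                    $results.Add([pscustomobject]@{ Source = $_.Name; Key = 'command'; Command = $cmd })
                }
            }
    }

    return $results
}

# A command pointing into a "recycled"-looking folder or another unexpected
# location is the kind of entry the post describes; the rest should match a
# known-good system.
Get-DriveShellHooks | Format-Table -AutoSize -Wrap
```

Running this before and after cleanup shows whether the hook has been re-created, which is the quickest way to tell that something in a drive root (the autorun.inf case) is still putting the entry back.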

Glenn Brensinger