Monday, February 21, 2005

An Incensed User

I just got back from the incense filled apartment of our upstairs neighbor. She had asked for our help with her computer, which she said was giving her an error message sometimes when she would try to send an email. We had her boot up and show us the problem, but three attempts to recreate the problem failed to do so.

What we did see were some warning boxes about a page failing to load due to ActiveX settings and a window that popped up when we tried to load Windows Update. Before long, we realized that there were about a dozen malware programs that loaded at bootup. I started purging them by a variety of methods, and got many of them removed. The HKLM\Software\Microsoft\Windows\CurrentVersion\Run key had about 20 entries, about half of which looked legitimate.
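The Run key triage described above, sorting the legitimate entries from the junk, is easier with a script than by eye in regedit. The following PowerShell is an added example and not part of the original post; it assumes a current Windows PowerShell (Get-AuthenticodeSignature did not exist on a 2005-era XP machine), and the "suspicious" heuristic (missing file, unsigned binary, or a path under a temp folder) is my own choice. It is read-only: it lists the HKLM and HKCU Run and RunOnce entries, resolves each command line to its executable, and reports whether the file exists and is signed.

```powershell
# Added example (not from the original post): enumerate autostart Run entries
# under HKLM and HKCU, resolve each command to an executable path, and report
# whether the file exists and carries a valid Authenticode signature. Read-only.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-RunCommand {
    param([string]$Command)
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Vendor\tool.exe" /silent   or   C:\tool.exe -x
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = ($cmd -split '\s+')[0]
    # Expand %SystemRoot%-style variables that some entries use
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        $path   = Resolve-RunCommand -Command ([string]$p.Value)
        $exists = (-not [string]::IsNullOrWhiteSpace($path)) -and
                  (Test-Path -LiteralPath $path -PathType Leaf)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        # Heuristic (my assumption): autostarts living in temp folders deserve a look
        $inTemp = $path -match '\\Temp\\|Temporary Internet Files'
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Path       = $path
            Exists     = $exists
            Signature  = $sig
            Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or $inTemp
        }
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

An entry that launches rundll32.exe with a DLL argument will show rundll32 as signed even if the DLL is not, so treat those rows as "look at the argument" rather than "clean". The script only reports; deleting a value is a separate, deliberate step with Remove-ItemProperty once you have decided an entry is not legitimate.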

Once most of the spyware was disabled, I took a closer look at her McAfee virus scan settings. I discovered that it had never been activated. Since she only had a 6-month subscription in the first place, I killed it and replaced it with AVG 7. Even before updating, it had found several viruses, and we realized that there were fouler dealings afoot.

In all, we found about 40 viruses, and managed to get most of them automatically removed. Some were in the System Restore area, and I had forgotten how to purge the System Restore folders (I relearned). Some of them were in the Local Service user's Temporary Internet Files folders (of all places).

The persistent lingering problem turned out to be the IE window that would pop up whenever we loaded Windows Update. The URL for it was, which we think may have been connected with mydoom. It was probably connected to some infected ActiveX files, because they were in the last virus scan.

There is probably more wrong with that computer, but we had to go. We didn’t get the Windows Updates installed (there were several MB of updates to download, and she has dial-up), and we never did run a clean virus scan. The startup programs were cut from 20 to 3 (only one of the originals remained; it was a Dell support program).