
A Sunday Afternoon House Call

I just spent nearly seven hours doing emergency surgery on a Windows PC that belongs to a dear, longtime friend. The experience was so harrowing that I decided to blog it.

So it's 2 p.m. Sunday and after a cursory examination of my buddy's two-year-old Windows machine, it is clear that the thing is missing patches going back to mid- to late 2003, just months before Microsoft released Service Pack 2, a massive set of security fixes and operating system tweaks for Windows XP. Needless to say, the computer did not have Service Pack 2 installed.

The software updates from the antivirus engine inside his install of Symantec's Norton Internet Security 2002 are way out of date, with the subscription several months overdue for a one-year renewal. Defying the nettling notice that we really should go online and purchase new updates for the program, I counsel my friend and his wife against punching in their credit card and other private information into a Web browser just yet. "Let's see what we're dealing with first," I say.

I fire up Internet Explorer and am peppered with pop-up advertisements for supposed anti-spyware software, Vicodin painkillers and invitations to play Internet poker. It is obvious the machine has some serious spyware problems. Ad-Aware finds three pages of awful scary-looking toolbars, start-page hijackers and pop-up generators that constantly drag on his Internet connection. It manages to delete all but a handful of threats, and the stragglers it promises to annihilate on the next pass upon reboot. I send IE over to download the latest "software update" tool from Microsoft.

There's also some yellow triangle thingee with a red exclamation point in the middle of the taskbar that keeps flashing. If you click on it -- or wait long enough -- it will periodically launch an IE browser window that takes you to a sleazy-looking search engine hawking generic drugs, "free games" and Instant Messenger cartoon characters.

Though I am a veteran witness of such atrocities, I remain awestruck by the juxtaposition of those two offerings. Somewhere out there, a diabolical marketing machine is reaching through cyberspace offering wide-eyed kids all kinds of goodies, including their very own custom-made smileyfaces or "emoticons," for use with AOL's chat program, AND their choice of highly addictive narcotics and sexual-performance enhancement drugs, with a selection of adult Web sites to boot!

I note with mild amusement that some intrusive program has changed his monitor's background wallpaper from a photo of a recent family adventure to a blue screen with a dire message warning that the system has suffered multiple, critical Windows crashes. However, I am unsurprised to see underneath a hyperlink to the Web address of a site that claims to have the solution. I change the desktop wallpaper back to one of Windows XP's stock pictures, a shot of a desert island amid a calming blue sea.

My tranquil interlude soon is rudely interrupted by a tenacious piece of spyware called Cool Web Search, which refuses to die no matter what tricks I pull. A quick Google search picks up this very useful thread at and I finally get the darn thing off the machine. I think. The little flashing triangle also goes away, which is an unexpected bonus.

I'm thinking now that it would be irresponsible for me to leave this computer connected to the Internet in its current state, but I don't dare unhook it because I'm in the middle of downloading several types of software updates. I promise to remember later when I'm done downloading things, but of course I forget. (I'll tell myself later that it's because it seemed I was downloading something the entire time.)

Then, I try to install Spybot Search and Destroy but the program crashes when I get to downloading updates. Undeterred by this minor setback, I decide to skip this part and forge ahead.

So next I download and install a tool that you need in order to completely erase older versions of Norton, so that I can install a free antivirus scanner. A few minutes later and I'm rid of Norton -- or so I think. There's still the program's auto-updater and another Norton thing that I have to remove. Then it's time to reboot and download the scanner, EZ Trust, a joint offering from Microsoft and Computer Associates. Updates are free for the first year.

I predict to my friends that the scan with EZ will take a little more than an hour and find nearly 40 viruses, worms and "Trojan horse" programs. The Trojan horses will hold the victim's Internet connection open so attackers can update with new spyware or instructions for launching a spam campaign. Two hours and 310,000 scanned files later, EZ Anti-virus finds 38 threats, including several very serious computer worms and viruses.

EZ says it removed all but one of the buggers, but suddenly it becomes clear I am dealing with what is in all likelihood a total system compromise -- i.e., it is starting to smell and feel like this computer is probably already under the thumb of online attackers who can control its every move.

A quick scan of the log of viruses found turns up one particularly nasty bugger, what's known as a "bot," as in "robot." This one is called "Forbot," which allows attackers to plug in a variety of additional features and services. Sadly, millions of home and (mostly) Windows computers are completely controlled by hackers and virus writers, a problem that is in part responsible for the sad state of affairs on the Internet today.

Still, EZ slew Forbot and 36 other unwelcome guests, leaving a stubborn survivor that hijacks a browser's home page. A reboot and re-scan with EZ finishes it off, while another go-round with Ad-Aware takes care of three or four things it found but couldn't crush the first time. I reboot again. A look in the computer's "system registry" -- which controls which programs get started and in what order whenever Windows boots up -- still shows several traces of Forbot and a few other threats. After some careful editing of the registry file, I am ready to move on.

So, now it's time to install Microsoft's Anti-Spyware software. Some program prompts me to reboot. At this point, I tell my friend, we should back up all of his hard drive data onto a series of DVDs and reinstall Windows. Of course, it's impossible to get a disc-burning program running when you're having serious computer memory problems. Plus, after a bit of digging, he says he doesn't have the original Windows XP install disc anyway.

Microsoft's anti-spyware program finds five very serious computer threats, and successfully deletes them all. Trouble is, it asks me to restart Internet Explorer to fully fix the browser's problems, and I have recently begun scanning the computer with an excellent and free online anti-virus service from Panda Software, which can find and eliminate many threats from your PC but requires you to be running IE. An hour later, Panda has finished its scanning, detects more than 70 problems, but succeeds in quashing only about two-thirds of them. Many others I must hunt down and kill by hand, finally banishing them from the PC, hopefully for good.

While this is going on I am prompted to go fetch a free update for the ZoneAlarm Internet firewall that's already on this PC, which I agree to download and install. Again, prompted by Microsoft's anti-spyware program and by ZoneAlarm -- you guessed it -- I restart the computer.

All things considered, we are making progress, but I've been slaving over this PC for 4-1/2 hours now, and I haven't even installed half of the missing updates. So, I send IE over to Windows Update again, and this time my buddy's PC is scheduled for 12 updates, which must be applied before additional patches or Service Pack 2 can be installed. (Also, spyware must be erased before you can load up SP2.) The update program works in the background while I finish installing the ZoneAlarm fix.

Nearly an hour later and the Microsoft updates are through, so it's telling me to restart again. Doing so yields yet another prompt from Windows Update to install yet another round of patches, this time 18 bundles in all (keep in mind, we're still not at Service Pack 2). This machine clearly had no business being on the Web, yet there it was, ready for takeover by any number of Internet pests.

I begin to remove dozens of suspect-sounding programs found in Windows' "Add/Remove Programs" feature, including children's games and "Internet connection booster" software.

By the time the last of the pre-SP2 patches are installed, I've been tending to this PC for nearly seven hours. It wants another restart. I am offered a margarita and I accept gratefully. Service Pack 2 is downloading after another reboot, and I instruct my friend not to install the update until the anti-virus and several anti-spyware programs have given his machine a clean bill of health.

It looks like someone has previously downloaded the Firefox Web browser on this machine, but that program also needs four generations of software and security updates. So once those are in place, I set out to make Internet Explorer harder for my friend to find, and set Firefox as the default browser, with its orange icon gleaming from the Windows taskbar. I don't want him using IE while there are still dozens of important Windows (including IE) patches still lacking on the computer. I shamelessly set his home page to Security Fix.

It is now 9 p.m., and sipping the last of my margarita, I utter a weary promise to return to create a user account for him that does not have privileges to install programs, thereby making it far harder for him to be tricked into accepting bad software while using the Internet. At some point soon, I plan to produce yet another video guide to securing your computer that focuses on creating user accounts and transferring your current files and settings to them.

By Brian Krebs  |  June 12, 2005; 11:19 PM ET
Categories:  Latest Warnings  


A machine that is that compromised can never be trusted again. Even if you were able to remove all the malware from the system, you can never be sure something isn't still hiding on the system.

Unfortunately, the only way to be sure in a situation like this is to format the machine.

Posted by: Matt | June 13, 2005 2:09 PM | Report abuse

I'm in the midst of a similar clean-up with a friend's laptop. 169 pieces of nasty malware that's corrupting any attempt at downloading an anti-spyware application.

He's running Windows Me and had no idea what the words "spyware" or "botnet" meant. After about three hours of frustration, I recommended an XP purchase. We'll try again this evening with a complete wipe and upgrade.

What a nightmare :(

Posted by: Ryan Naraine | June 13, 2005 2:12 PM | Report abuse

Matt makes a great point. With "Forbot" on there, it's not a stretch to imagine there's a rootkit on the machine avoiding detection.

In some cases, a complete wipe and OS reinstall might be practical.


Posted by: Ryan Naraine | June 13, 2005 2:18 PM | Report abuse

In addition to all your other protections, I have had good success with Win Patrol. With this installed and running, "Scotty the Wonder Dog" barks and pops up if any program tries to install in the background or change your registry. Aims at the same problems that would motivate you to create a user id that does not have install privileges. But for those of us who play computer games, not being able to install new software is unacceptable. Win Patrol makes sure that the only new software that gets installed is the stuff that we intend to install.

Posted by: Richard | June 13, 2005 4:15 PM | Report abuse

I'm no geek but whenever I try to help update someone's pc, the FIRST thing I do is install firefox, and make it the default.

Posted by: chrismad | June 13, 2005 4:34 PM | Report abuse

I shouldn't do this, but, I have two comments:

1. Regular backups.

2. Linux

1.) (At the minimum -- of anything really important): routine data backups would make it a lot easier to just reformat & reinstall the OS. Assuming you have the install disk.

2.) I don't want to start the firestorm, and yes, I know, these folks are obviously no "geeks" & don't want to be. However when my kids/relatives come, they use it because it is all there is at my house, and --surprise -- they survive. And for what people pay for Microsoft "tax", they could hire somebody to keep it running for them.

And finally: 90 years ago my father got his driver's license by filling in a form saying he had driven 100 miles. Today that would be ludicrous. Maybe there is a lesson there?

Posted by: PatK | June 13, 2005 7:08 PM | Report abuse

I agree with the earlier posts that recommend starting over. Delete all partitions, create new one(s) as needed, format the disk and install XP, followed by SP2 if desired. I work in a large government agency and our computer gurus say this would be recommended if he had been infected with only ONE worm. I went a round with the MSBlaster Worm a year or so back and that is what it took to clean my XP machine.

Posted by: Richard | June 14, 2005 11:08 AM | Report abuse

I really don't understand why people put up with this. I switched to a Mac 15 years ago and have never had a virus in all that time. 15 years of just enjoying my computers. Never once had to reinstall the OS. I have had one or two hardware problems over the years... covered under warranties. I read these articles and I shake my head in disbelief!! There is not a single Mac user who has ever had a problem like what was described in this article. Not one out of millions of people. It's your choice, why put up with it. At least look at your options when it comes time to buy your next computer. You don't have to put up with this.

Posted by: Brad | June 14, 2005 11:14 AM | Report abuse

It seems like those intent on getting into your machine are always one step ahead of those intent on helping you. I find your approach of using multiple spyware and virus programs to back up each other to be the best solution short of a reformat. Even multiple programs still miss some of the more insidious new infections mentioned above such as rootkits which are being developed in new forms every day.

Your preventive measures to help your friend improve security and maintain updates and ease of use were good,
but you can't prevent your friend or his kids from going to seedy web sites, where viruses can find their way in through even viewing a jpg image.

You mention some new anti-spyware programs I am not aware of and will try. I will say that Spybot S&D, while once touted a couple of years ago, has not kept up, and is not nearly so effective as other programs. It is a small non-profit shop and one programmer cannot keep up with thousands bent on breaking into your computer for money.

Posted by: john | June 14, 2005 11:59 AM | Report abuse

I should get a commission from Apple. I live in a community where most folks can afford this (I'm not one of them)...

When a neighbor calls me over for help, I bring my Mac and a hub so that I can use it to download things while their Windows machine is churning through a scan, or just rebooting again.

Twice now, a neighbor it's come to, "to heck with it, I'm finished with Windows, when all I do is browse and e-mail. Let's get in the car and go for a ride ... I'm buying a Mac."

Posted by: tlmurray | June 14, 2005 2:29 PM | Report abuse

1. Always physically disconnect from the internet before trying to clean.

2. Keep standard tools on a CD so that they can be installed from CD. CDs are cheap so keeping up with updates isn't that expensive.

3. Download SP2 and store it on a CD. This will save a huge amount of time. Here is the link:
XP SP2 contains all previous patches so it is not necessary to install them first, unless you use Windows Update.

4. Once everything has been installed and cleaned, then connect to the internet. I find this approach works far better.

Posted by: phil koprowski | June 14, 2005 2:42 PM | Report abuse

Being the proud father of two teenagers, I consider myself somewhat of a maven of getting rid of spyware. My two tips: 1) always take the box offline when running scans, a lot of spyware is in constant contact with "home base". (All kinds of files with names like "hsjakjasfd.exe" get downloaded and executed on boot-up). 2) Get a copy of "Hijack This". Great for finding and killing ersatz toolbars and other junkware.

Posted by: cityhill | June 14, 2005 2:49 PM | Report abuse

Blessed with a terrific ISP that runs Spamguard and McAfee at their server - I run Zone Alarm Pro and AVG on my only PC. I update and scan with Ad-Aware SE and Spybot Search and Destroy about once every two weeks. I NEVER use Internet Explorer! My default browser is Mozilla (and sometimes Firefox.)

In a year I get approx ONE spam message - in case skeptics think I'm lying, let's make it two to be on the safe side.

Of course my three Macs don't need all this, but I run the NetBarrier firewall for an extra feeling of security.

Using the internet should be relaxing and pleasurable - on Macs it is - on the PC it can be, but effort is required.


Posted by: Doug | June 14, 2005 7:56 PM | Report abuse

I agree with PatK and Brad - why do you people put up with this? In 7+ hours, you could have loaded Linux (no new hardware like with Mac), had plenty of time to go over with your friend "this is how you do email; this is how you surf; this is how you install new programs or updates; this is how you do " and still had plenty of time to visit and have fun.

People do not care what OS they are running - they just want to do their tasks without spyware, adware, botware.

Microsoft was fine in a kinder, more innocent age but now it's organized crime that is taking over computers to use as robots in serious financial breakins.

Posted by: Carilda A Thomas | June 15, 2005 2:21 AM | Report abuse

I agree wholeheartedly with not being able to trust that system without deleting the partition and formatting the Hard Drive.

With the number of nasties found, it is inconceivable that stealth software is not in place, most probably a root kit, which no amount of scanning will detect.

Posted by: mcfox | June 15, 2005 2:35 AM | Report abuse

Loved your article. A beautiful lesson on decontaminating a badly corrupted computer. Believe it or not, I enjoy doing stuff like this. I treat it as a form of detective work, and who didn't want to be a detective at some point in his life?

Posted by: Craig | June 15, 2005 7:19 AM | Report abuse

Just some notes: I recently spent a similar amount of time on a friend's machine for the same reason -- I have a great tool for you to use and it will take that time to about 2 hours:

Try BartPE, which allows you to use a pre-installed environment (Windows) on CD, to which you can add all of your scanning/cleaning tools (Ad-Aware, McAfee). I agree that Firefox is better, but with having to update it every few weeks, it might be a little much to ask of an apparently novice user. I now have a single CD that I can take to a friend's place to do the clean up that would normally take hours. I can finish in under 2. Good luck!

Posted by: Jonathan | June 15, 2005 3:32 PM | Report abuse

Also, check out this guy's page for a good link on how to do a thorough clean up:

Posted by: Jonathan | June 15, 2005 3:34 PM | Report abuse

Had the same problem, so I just saved what files were important, and reformatted the hard drive and re-installed Windows XP and the few software programs that were actually used by me. It is amazing how much trash builds up over time of unused, unloved and un-updated programs. Sometimes it's easier to just start over and be more careful in the future.

Posted by: James Ebeling | June 16, 2005 3:07 PM | Report abuse

The first thing I do when I build a computer for someone is put AVG, Ad-aware, Spybot S&D, and Spywareblaster onto it.
Then I set them up in the system scheduler to run at a time that the client is most likely not on the computer (like while at work) since most people leave their computer on during the day.
With this set-up, none of my clients have ever had a problem with spyware or viruses.

Posted by: Brian | June 16, 2005 9:24 PM | Report abuse

Phil Koprowski's advice is good (keep important cleanup tools on a CD).

Also: Do your initial cleanup work in
Safe Mode. That inactivates a number
of miscreants.

Also: one of the first things to do
is clean up startup, via msconfig.
Pacman's list is invaluable.

I do half a dozen system cleanups a week.
Average time is 5 hours.

-- stan

Posted by: Stan Krute | June 16, 2005 11:09 PM | Report abuse

I want to second Phil Koprowski's comments about disconnection from the net and keeping vital cleanup tools on a CD.

Also: boot up into safe mode for initial
cleanup steps. That disables a large class
of miscreants.

Also: clean up startup via msconfig as a
first task. Pacman's list (google it up)
is invaluable.

Also: CWShredder and KazaaBeGone are two
very useful cleanup tools.

Also: Matt's idea that you need to format
the machine is ludicrous. I do half a dozen system cleanups a week. The only
way folks get reinfected is if they
do themselves in again. I've
had to re-format the hard drive on just
one machine in the past 24 years of PC

My latest WinXP maintenance tips are
always available here:

-- stan

Posted by: Stan Krute | June 16, 2005 11:16 PM | Report abuse

Norton is a problem even when it is doing its job. Here is my story.

I'm now one of Symantec's former customers. I am not a satisfied customer and a review of postings in various online forums suggests I'm not alone.

My System

Dell Dimension 2.0 Ghz with 256 Mb memory, 20 mb hard drive, Windows XP SP1 with Norton Firewall 2004 and Norton Anti-Virus 2004; Belkin 802.11b USB wireless connection to Belkin Router and 1.5 Mbs cable modem broadband service. All working just fine.

Trigger Event

This week Symantec forces download of new "live update" software module. Install fails. Whenever I try to load it, the Windows Installer comes up, hangs for a while, and then quits.

Catastrophic Failure of Two Symantec Products

Both Symantec products, the Virus Checker and the Firewall, have now failed. Error messages appear related to Windows Installer. Knowledge base says "Windows Installer" problem is a known issue and to use Symantec tools to remove both products from registry, remove directories, temp files, etc. Re-install in "safe mode" fails. Two hours later still no joy.

Web Site Open Nobody Home

Call Symantec help line as this is an installation problem. Never reached a live human being. Endless voice menus and hang ups are all I ever got.

Stop Loss and Out

Dumped Symantec products. Downloaded Zone Alarm Firewall & Anti-Virus, plus annual sub for $26. Worked perfectly. End of my ever using a Symantec product again. End of story.

Posted by: Ohadi Langis | June 19, 2005 7:06 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company