Monday, 9 July 2007

CiD adware/malware removal

Spent the weekend battling with a customer's PC which was constantly popping up adverts (For Ebay, WWF and loan sharks. Some of these people should know better and stop dealing with computer hijacking scumbags). The virus scanner was reporting that it had found and fixing it. Installed Lavasoft's Ad-aware and Spybot S&D, but it would not correct the problem. I would have installed Windows Defender as Windows Genuine Advantage was installed. However, I can't guarantee that Windows is legitimate, so don't want to risk bricking a perfectly working PC.

Turns out that the malware was reinstalling itself by rolling back to a known state. Had to disable rollbacks, install Hijack This (HJT) and find out what was causing the problem. A randomly named executable in C:\Documents and Settings\\Application Data\\ was being executed on startup. Removing the startup using Hijack This, rebooting and then removing the directory stopped the popups. In addition, I had to manually remove the localhost entries in C:\Windows\System\Drivers\etc\hosts. Sadly in disabling rollbacks, all his software installs suddenly applied and he ended up on Windows MP 11 (which he hates), IE7 etc. I was in the doghouse.

I don't know where the .exe came from and don't want to ask. All I know is that the was in the 11 year olds directory and not the Dad's.

All this has made me wonder about the future of Windows computing. I think it has a future, but Microsoft need to get their house in order. As far as I'm concerned, no one should be able to subvert a browser in this manner. Microsoft and Google should lead by example and get rid of their toolbars. IE should be a lean ad-free browser and when the computer is rolling back, there should be a big red warning light stating that we've been hijacked.

It is possible that these people could be responsible. However, Messenger Plus was not installed when I looked, but CiD is the company behind Messenger Plus. My advice is to avoid MSN like the plague. If you can't do that, then install Pidgin. Also, never install an .exe ever and run HJT regularly.

No comments: