Oh my, where to start.
I got a call from Liz this morning; her computer was opening all kinds of windows and running really slow. We all know what that means, right?
So I had to tell her to shut it down and I would take care of it this evening.
Stephanie is 12. Stephanie has been playing on Mom’s computer a lot. Stephanie has been installing all kinds of stuff on Mom’s computer.
Oh my, oh my. I wish I could have taken some screen shots. The desktop was covered with “Free Cell Phone” and “Free IPod” icons and such. There were so many processes running the poor machine could barely do anything. (It is, after all, only a Celery 500MHz with 256MB RAM.)
It took me almost ten minutes to log in and get the Add/Remove Programs dialog up and running.
Talk about AdWare and SpyWare. I managed to remove at least 10 programs, all AdWare and SpyWare and am now running AdAware on the box. It’s been running for about 40 minutes now and has found lots of stuff. Windows Explorer keeps crashing too.
AdAware found 434 “objects” including several processes running, tons of registry keys and a bunch of files. And then failed to remove them. It just hung.
So I thought I would try the new MS AntiSpyware thing. Much to my surprise, it seems to be doing a good job. It found 26 SpyWare objects and is supposedly removing them as I type this. We’ll see how the box is after a reboot when it’s done.
I have to hang my head in shame because there is no Anti-Virus on this machine. I should know better. After I get done running AdAware I’ll be installing Grisoft’s Free AVG Anti-Virus on it and doing a full system scan.
The full scan found 19 viruses. Cleaned them up too.
Well, after cleaning it up with AVG and the MS AntiSpyware tool, it’s still getting IE popup ads randomly appearing. So I ran AdAware again and it found 67 more objects to remove. Hopefully that will fix it.
Nope. Still have the popups. So I installed Spybot Search & Destroy and it found 20 more items to remove. I also installed a couple of other cool utilities – Startup Inspector for Windows and Process Explorer from Sysinternals.
Man oh man, what a mess.
And did I mention that I worked on this thing for more than five hours – until midnight tonight?
And it’s still infected in some way. The damned popups keep coming back. Argh! Thanks Microsoft.
I’ll be installing Firefox and making it the default browser and pointing it at my Squid Proxy server that has a domain whitelist on it.
Hmm… The plot thickens. For some reason Stephanie’s account was an Administrator on the box. I’m pretty sure I didn’t do that. Also, as an administrator, I can’t get into Stephanie’s files and folders. That’s very interesting. I wonder how she did that.
Looks like I need to do some digging about XP and permissions.
Then I’ll be talking to Stephanie about what is allowed on Mom’s computer.
Here’s an interesting filename that I found on the disk: WebRebates_Auto_InstallSilent.exe
I love the “InstallSilent” part of that name…