Sunday, February 26th, 2006

Malware/Virus Removal

It’s been a long time since I really went all out to clean up a Windows machine to remove malware and viruses. I forget my first virus (I’ve been downloading free software since 1983), but I remember my first spyware well – it was early 2001 when I noticed a new entry in my HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which turned out to be TimeSink. While researching how to get it cleaned out (which I finally did) I stumbled across the whole spyware problem. Shortly thereafter I encountered a similar problem with WebHancer, and fired off an email to my network administrator, who responded that he didn’t think it was a problem worth dealing with, because the outgoing traffic would be stopped at our firewalls. A little more than two years later, the same net admin wrote me to ask my opinion on spyware removal tools. In the interim I had discovered various applications on several machines in my office and had gotten some practice at removal, and would get more, until it got to the point that if I couldn’t clean up a machine in an hour I boxed it up and sent it back to corporate for an OS reinstall. My boss couldn’t condone the lost billable time I was spending – any IT functions I perform around the office are purely for our convenience – I’m supposed to be just an engineer.

But last week my wife complained that her favorite online game, Planet 8 Ball at, was running very slowly, and finally on Friday it quit running at all. Now, I haven’t been too pleased with my wife and her friends downloading and installing both offline games and online ones that require installing ActiveX objects – they are big potential sources of both spyware and viruses, but I figured that I had everything set up on my home machine pretty well to keep it clean. I just can’t train them to install stuff where I want it to go – there’s enough stuff in C:\Program Files and I would prefer to see games installed in their own directory – C:\Games. I’m lucky when these installers don’t place themselves in the root directory, which I like to keep very clean. However, I am pleased to see my wife doing stuff online – I figure it makes her more tolerant of the time I spend online myself. Every now and again I run Spybot and AdAware; I use AVG Free for antivirus with real-time protection and daily full scans (a little annoying in that the free version cannot be set to ignore my archive of potentially useful trojans!); and I routinely check my HKLM\Software\Microsoft\Windows\CurrentVersion\Run key either through MSConfig or RegEdit. This is all out of habit – when I sit down at the computer I usually reboot into Fedora Core 4, and I’m starting to regard the Windows partition as a necessary kludge that I only maintain for my family.

So Friday I was tasked with getting her game running again, and I’ve spent every free moment this weekend trying to achieve that goal. I’m almost ready to concede defeat. I’ve pulled out virtually every trick in my arsenal – multiple scans with the aforementioned tools, plus HijackThis and StartupList from Merijn, CWShredder, and even RootkitRevealer. My hosts file is clean, and I’ve checked my traffic flows with Ethereal and been shocked – I mean blown away – with the traffic I saw even after Internet Explorer had been closed – and that was after I had cleaned the system! I looked up the IP addresses my machine was talking to at DNSStuff and used registration records to identify which applications were to blame. I removed multiple toolbars, browser helper objects and ActiveX objects. And through all this, somehow I got something new in my CurrentVersion\Run key!

Of course, it might not be malware that’s stopping the game from playing, and it’s possible that my anti-malware defenses are the cause, but I have to clean the system first. Besides, it ran fine before. I’ve tried reinstalling Shockwave and I’m considering doing the same with Java.

Now, one of the things I found, or at least found traces of, is VX2 – a notoriously difficult infection to remove. Considering that I keep finding stuff after cleaning, this might be my problem. Hmmm – just found a VX2 plugin for AdAware – I didn’t realize that there were add-ons that I needed. I’ve also noticed that I have five svchost processes running, which is suspicious to me. I’ll have to check those out as per the Microsoft guidance. I downloaded and installed the augmented IE Add-On Manager, which is actually very nice – I could use something this clear for Mozilla.
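One way to do the two checks mentioned above in one pass, listing the Run-key entries and mapping each svchost.exe instance to the services it hosts, as an added PowerShell example that is not part of the original post. It assumes only a Windows host where Get-CimInstance is available (on the 2006-era system described, `tasklist /svc` gives the same service-to-PID mapping).

```powershell
# Added example (not from the original post).
# Part 1: dump the per-machine and per-user Run keys the author inspects by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties PowerShell adds to registry objects.
        if ($p.Name -notmatch '^PS') { '{0,-30} {1}' -f $p.Name, $p.Value }
    }
}

# Part 2: explain every svchost.exe by the services it hosts.
# A genuine svchost.exe lives in System32 and hosts at least one service;
# an instance with no hosted services, or running from elsewhere, needs a look.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
Write-Host "== svchost.exe instances"
foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $hosted = $services | Where-Object { $_.ProcessId -eq $proc.Id } |
              Select-Object -ExpandProperty Name
    $note = ''
    # $proc.Path can be $null when the shell is not elevated; -ne is case-insensitive.
    if ($proc.Path -and $proc.Path -ne $expectedPath) { $note = ' <-- unexpected path: ' + $proc.Path }
    if (-not $hosted) { $note += ' <-- hosts no services: investigate' }
    $list = if ($hosted) { $hosted -join ', ' } else { '(none)' }
    'PID {0,6}  {1}{2}' -f $proc.Id, $list, $note
}
```

On Windows 10 1703 and later, services are split into many separate svchost.exe processes on machines with enough RAM, so a high count by itself is normal there; the per-process service list is the check that matters.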

*Sigh* All this work, and I’m not even sure that it’s malware that’s keeping the game from running. It just seems to be the most likely cause, though.
