Gateway 450SX4 Laptop

A Gateway 450SX4 laptop came in this week. It would not boot into Windows XP.

It turned out that this one was loaded with spyware. All of it was poorly written software that had corrupted the system, so a format and fresh install is in order.

posted by AbsoluteRaleigh @ 11:38 AM,

2 Comments:

At 8:20 AM, Blogger mark off said...

While spyware is nasty and can make a system not boot I must disagree with the statement that a "fresh install is in order." While doing so will no doubt remove the spyware it's not a complete solution. It's simply the easy way out for the tech.

One thing I know is that it's not necessary to re-install just because of spyware. Many techs simply don't want to roll up their sleeves and figure out how the stuff propagates itself. I have taken the time to do so and I've never had to reinstall a system to rid it of spyware.

What techs need to do is to treat spyware the same way they do viruses. If you had a system with a virus, would you reinstall? No, you would check the startup procedure and make sure the virus didn't get started next time you boot, then you would remove the antivirus software and re-install the same or a different antivirus program and update the virus definitions. Spyware can be handled similarly but with a couple extra steps.

First, run a spyware removal utility, preferably more than one. No spyware utility that I've tried has swept a system so clean that running another spyware utility immediately afterward found nothing.

Second, check the startup procedure and turn off anything and everything that's in doubt.

Third, look for the spyware installation file(s) that have undoubtedly been stored somewhere on the system. The first and most obvious step in this process is to throw away the temporary internet files for every profile. You will often find spyware installation files in the "Downloaded Program Files" folder which is within the Windows folder. The contents of this folder are hidden by a Desktop.ini file. In order to see what's there:
- go into DOS
- browse to the Downloaded Program Files folder
- edit the desktop.ini file by removing everything except the line with
[.ShellClassInfo]
- then save the file.
The contents of the folder you're working in will now be visible both in DOS and in Windows.

The desktop.ini file in the Temporary Internet Files folder for each profile should be edited the same way to reveal hidden subfolders. You will find a content.ie5 subfolder and under that you'll find some randomly named folders. Windows usually makes 4 or 8 of these at a time. You should check them because occasionally Windows makes new folders to take the place of the old ones, and it seems the old ones are forgotten at this point. They just sit there forever if you don't go in and remove them manually.

Note: the content.IE5 folder and each of its subfolders also contain desktop.ini files. What I do is copy the edited version of the desktop.ini file from the Temporary Internet Files folder into the content.ie5 folder and various subfolders, overwriting any desktop.ini files that were there before. Windows Explorer doesn't always refresh, so I'd suggest you open up a new Windows Explorer window to view the contents of the Downloaded Program Files folder or other folders after overwriting the desktop.ini files. I usually find the installation programs for spyware this way. Other places I've found them are in the profile's temp folder, in the Windows temp folder, the c:\temp folder, as well as in the root of the profile folder, for instance:
c:\documents and settings\administrator
or the Application Data folder within the profile folder.
c:\documents and settings\administrator\Application Data
You should definitely check all of these places. I've found spyware installation programs in every one of them as well as in the Program Files folder (not a sub-folder). If you don't find all of them you'll most likely end up with the spyware reinstalled during the next boot session or sometime soon in any case.

The fourth step in the process is to reboot into another operating system and remove everything that wasn't deletable in Windows. This is easily accomplished using an NTFS4DOS boot diskette (assuming there are NTFS partitions on the machine; if there aren't, then any bootable floppy capable of reading a FAT32 partition will suffice) or Hiren's BootCD, or an operating system that runs off a bootable CD-ROM can be used. They do exist. If you don't have some other operating system at your disposal then I suggest you find yourself another line of work. For those that do have another OS at their disposal, all you need do is go through the contents of the system partition, finding and deleting any and all files that you identified in Windows as spyware but were unable to delete because they were in use when Windows was loaded.

The fifth and last step in this process is to boot back into Windows and install software intended to prevent spyware from being reinstalled. The best of these is undoubtedly Mozilla Firefox, which is configured by default to deny permission to websites that try to install software or make popups. In order to allow a site to do either of these things the user has to go into the options and add that site to a list of sites that can install software or can make popups. Needless to say, Internet Explorer doesn't provide users with this kind of protection. They didn't even pretend to do so until Firefox came out and became popular. Now they do pretend to protect users, but that's not quite good enough.

So, not only do I install Firefox and stress to my clients the importance of using it, I also configure Internet Explorer to use a non-existent proxy. Just because a person is using Firefox there's no reason Internet Explorer can't be started somehow. To prevent sites from circumventing Firefox by downloading spyware using Internet Explorer, I always configure IE such that it's looking for a proxy that doesn't exist, so no matter what IE is told to do, it can't do it.

The last level of protection I have been putting into place for my clients is TeaTimer. This is actually something that needs to be done in the first step, when you install the spyware removal utilities. The two that I use are Adaware (www.lavasoft.de) and Spybot Search & Destroy (www.safer-networking.org). I've found that together they do a good job of cleaning up any system. Adaware is the more thorough of the two, but Spybot S&D has one feature that I really like: TeaTimer. It's an option that's not installed by default, so you need to be watching for it when you do the install. Make sure to install TeaTimer and the computer is going to be fairly safe for the foreseeable future. TeaTimer alerts the user whenever a program is writing to various portions of the registry that spyware usually writes to. The user is given a chance to allow or deny the changes taking place. Some people of course are going to mess this up, but if you take a few minutes and educate your client regarding how to make this type of choice (and when to turn TeaTimer off, like when you're installing software) then they can make the right choices. In any event, if things go wrong everybody knows who's NOT at fault, namely the tech. That's a wonderful place to be for me. I say, give them the tools they need to do things right and give them enough information to use them. That way they will know enough not to blame their tech if they mess things up for themselves. The thing is, if they use Firefox religiously, and if they run TeaTimer when they're surfing the web, they shouldn't have any problems with spyware whatsoever, and that's a goal worth striving for. That's why I go through all this trouble.

Reinstalling essentially puts the user back where they started and gives them no protection from spyware or tools to prevent it from doing exactly the same thing to them that brought them to you. Reinstalling simply makes them a victim waiting to happen again. It's the easy way, but it's not a fix or even a workaround. As techs we need to do whatever we can to avoid having our clients be victimized again by spyware, just like we do with viruses. Anything less is simply not doing your job correctly.

Sincerely,
PJ
aka spamturbation@gmail.com
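The desktop.ini edit and the file hunt described in the third and fourth steps of the comment above, as an added Python example. This is not the commenter's tool and not something from the original post: it parses each desktop.ini it finds, reports which [.ShellClassInfo] keys (CLSID, CLSID2, UICLSID) hand the folder view to a shell extension, rewrites such files down to the bare section header, and lists executable-looking files in the cache, temp, Application Data and profile-root locations the comment names. The profile tree it runs on is constructed inside the script (an XP-style layout is assumed), the GUID in the sample desktop.ini is a placeholder, and the extension list and watched folders are my choices, not a complete inventory.

```python
"""Added example (not the commenter's tool): find desktop.ini files whose
[.ShellClassInfo] section makes Explorer show a shell view instead of the
real folder contents, strip them down to the bare section header, and list
executable-looking files in the folders named in the comment.  The profile
tree it runs on is constructed here; the GUID value is a placeholder."""
import os
import tempfile

# [.ShellClassInfo] keys that hand the folder view to a namespace extension.
HIDING_KEYS = {"clsid", "clsid2", "uiclsid"}

# Extensions worth a second look in cache, temp and profile folders (my pick).
SUSPECT_EXT = {".exe", ".dll", ".ocx", ".com", ".scr", ".inf", ".cab",
               ".vbs", ".js", ".bat", ".pif"}

# (folder relative to the profile root, walk subfolders?)  XP layout assumed.
WATCH_DIRS = [
    ("Local Settings/Temporary Internet Files", True),
    ("Local Settings/Temp", True),
    ("Application Data", True),
    (".", False),  # only files sitting directly in the profile root
]


def parse_ini(text):
    """Minimal INI parser: {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def hiding_keys(text):
    """Sorted list of view-overriding keys present in [.ShellClassInfo]."""
    info = parse_ini(text).get(".shellclassinfo", {})
    return sorted(k for k in info if k in HIDING_KEYS)


def neutralize(ini_path):
    """Leave only '[.ShellClassInfo]' in the file, as the comment does by hand.
    Returns the keys removed ([] if the file was harmless and left alone).
    On a real XP box clear Hidden/System first: attrib -h -s desktop.ini"""
    with open(ini_path, "r+", encoding="utf-8", errors="replace", newline="") as f:
        removed = hiding_keys(f.read())
        if removed:
            f.seek(0)
            f.truncate()
            f.write("[.ShellClassInfo]\r\n")
    return removed


def sweep_profile(profile_root):
    """Walk the watched folders: neutralize hiding desktop.ini files and
    collect suspect files.  Returns (neutralized, suspects) with paths
    relative to profile_root using forward slashes; suspects are sorted."""
    neutralized, suspects = {}, []
    for sub, recurse in WATCH_DIRS:
        top = os.path.normpath(os.path.join(profile_root, sub))
        if not os.path.isdir(top):
            continue
        for dirpath, dirs, files in os.walk(top):
            if not recurse:
                dirs[:] = []  # do not descend below this level
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, profile_root).replace(os.sep, "/")
                if name.lower() == "desktop.ini":
                    removed = neutralize(full)
                    if removed:
                        neutralized[rel] = removed
                elif os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                    suspects.append(rel)
    return neutralized, sorted(suspects)


# Constructed sample profile; the GUID below is a placeholder, not a real CLSID.
HIDING_INI = b"[.ShellClassInfo]\r\nUICLSID={00000000-0000-0000-0000-000000000001}\r\n"
BENIGN_INI = b"[.ShellClassInfo]\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll\r\nIconIndex=-173\r\n"
TIF = "Local Settings/Temporary Internet Files"
SAMPLE_TREE = {
    TIF + "/desktop.ini": HIDING_INI,
    TIF + "/Content.IE5/desktop.ini": HIDING_INI,
    TIF + "/Content.IE5/ABCD1234/desktop.ini": HIDING_INI,
    TIF + "/Content.IE5/ABCD1234/dropper[1].exe": b"MZ",
    TIF + "/Content.IE5/ABCD1234/page[1].htm": b"<html>",
    "Local Settings/Temp/setup_stub.exe": b"MZ",
    "Application Data/desktop.ini": BENIGN_INI,   # icon only: must be left alone
    "Application Data/updater.dll": b"MZ",
    "installer.exe": b"MZ",
    "ntuser.ini": b"",
}


def build_sample_profile(root):
    """Write the constructed tree under root."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Sweep the constructed profile twice; the second pass should have
    nothing left to neutralize but still list the same suspects."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        first, second = sweep_profile(root), sweep_profile(root)
    return {"first": first, "second": second}


if __name__ == "__main__":
    result = demo()
    for path, keys in result["first"][0].items():
        print("neutralized", path, "removed", keys)
    for path in result["first"][1]:
        print("check", path)
```

Point `sweep_profile` at a real profile directory (for example `C:\Documents and Settings\Administrator` mounted from the rescue OS in step four) to use it on a live machine; the listing is a starting point for inspection, not a verdict, since a legitimate setup stub can sit in a temp folder just as easily as a dropper can.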

At 12:36 PM, Blogger AbsoluteRaleigh said...

Hello,

Thank you for the follow up.

In this particular situation, our customer had nothing important on his PC and wanted a fresh install.

This was a cost effective solution and also gave his PC maximum performance. We also installed some freeware tools to not only keep off the spyware, but also viruses and pop ups.

Often we will just remove the spyware unless the PC is heavily infected; it just depends on the situation.

-Absolute Computers
