Stopping Spyware from installing

How easy it is to install spyware – especially for the unsuspecting person. It almost happened to me yesterday. I logged out of my account on scribd.com to take a screen shot of Scribd from a not-logged-in perspective and got a dialog box popping up saying that Windows needed to perform an urgent scan of my PC. The dialog box just ‘didn’t look right’. Normally the Security Essentials dialogue box would pop up, and that box is orange. Then the next thing I saw was a new browser window popping up showing me the following:

[Screenshot: the fake “Control Panel” scan page in the browser, with the AntiSpy2011.exe download prompt]

A few things to note here:

  • System udgtrnbl – not a normal system volume name
  • The Shared Documents and Hard Drive folder were flashing warnings that there were 5 infections on each folder
  • This view of Control Panel is viewed through a browser window – not the normal control panel GUI
  • This view of Control Panel is an XP view – I’m running Windows 7 with a totally different look and feel for the dialog box
  • undefinedappmgmts.dll doesn’t exist
  • Windows doesn’t have a ‘Start Protection’ button

I closed the initial dialog box (the ‘urgent scan’ warning) and got the download box for AntiSpy2011.exe, which is captured in the snip above. This is the same spyware / worm / virus / trojan that paralysed my friend’s machine, which now needs a total format and rebuild before I’ll be happy with it.

A new process started – Companionuser.exe, which is a valid process used by Windows Live but is often used by malware and other malicious programs.

[Screenshot: Task Manager showing the Companionuser.exe process]

So how did I fix this?

  • I closed all instances of iexplore.exe using Task Manager.
  • I stopped the companionuser process.
  • … and watched as it re-invoked itself… over and over again.

Hmmm.

Every time I stopped the process, it started again… Damn thing. And then I remembered where the virus was stored on my friend’s machine. The virus / worm lived in the Temporary Internet Files: C:\Users\%Username%\AppData\Local\Microsoft\Windows\Temporary Internet Files. In Internet Explorer, I clicked on the View files button, sorted the files by time accessed, and deleted all of the files, images and cookies that had been accessed in the last hour.

Only then did the companionuser.exe process stop re-appearing in Task Manager.
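The same clean-up, done from a PowerShell prompt instead of the Internet Explorer “View files” dialog, as an added example that is not part of the original post. It lists what landed in the Temporary Internet Files folder named above in the last hour, shows any running process whose executable lives in that folder (which is why the process kept coming back: its image sat in the cache), and only then stops the process and removes the files. Assumptions, not taken from the post: the Windows 7-era cache layout (the real cache sits in Content.IE5 and, for Protected Mode, in Low\Content.IE5 under that folder), that the script runs under the affected user’s own account, and Windows 7-era PowerShell 2.0 cmdlets (Get-WmiObject rather than Get-CimInstance). One caveat the post’s “sort by time accessed” hides: NTFS does not update last-access time by default on Windows 7, so the script keys on last-write time, which is set when the browser writes the file.

```powershell
# Added example, not code from the original post.
# Triage and clean the IE cache folder the post names, defender-side.

$cacheRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'
$since     = (Get-Date).AddHours(-1)

# 1. Everything written into the cache in the last hour.
#    -Force is needed: the cache folders and index files are hidden/system.
#    LastWriteTime, not LastAccessTime: last-access updates are off by default on Win7.
$recent = Get-ChildItem -Path $cacheRoot -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since }

$recent | Sort-Object LastWriteTime -Descending |
          Select-Object LastWriteTime, Length, FullName |
          Format-Table -AutoSize

# 2. Executable content in a browser cache is the first thing to look at
#    (the post's download was an .exe; the page also named a fake .dll).
$droppers = $recent | Where-Object { '.exe', '.dll', '.scr', '.com' -contains $_.Extension }

# 3. Running processes whose image sits under the cache, plus the name the post
#    saw re-spawning. Win32_Process exposes ExecutablePath and ParentProcessId,
#    so you can see which process keeps restarting it.
$suspect = Get-WmiObject Win32_Process |
           Where-Object { ($_.ExecutablePath -and $_.ExecutablePath -like "$cacheRoot*") -or
                          $_.Name -ieq 'companionuser.exe' } |
           Select-Object ProcessId, ParentProcessId, Name, ExecutablePath

$suspect | Format-Table -AutoSize

# 4. Order matters: a running executable is locked, so stop the process first,
#    then delete the files straight away so nothing is left to relaunch from.
#    If it re-spawns faster than the delete, run this block again.
#    Uncomment after reviewing the two listings above.
# $suspect  | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
# $droppers | Remove-Item -Force -ErrorAction SilentlyContinue
```

The two listings are deliberately separate from the kill-and-delete step: review what is actually there before removing anything, and keep the file list (path, size, write time) as the record of what the scareware dropped.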

But…

I can see how so many people install this worm. It pops up unexpectedly – all I was doing was logging out – and I must have rolled the mouse over an advert or something. Quick as anything, and to the unsuspecting person, worried about getting a virus or a worm, so simple to install.

But I thought it was certainly worth highlighting so that others can back themselves out of this problem safely – or know who to call when they have a problem… And delete cookie files regularly – just in case…


6 thoughts on “Stopping Spyware from installing”

    1. eileenb Post author

      Neil,
      it means that perhaps the adserver that supplies the scribd.com ads to the site has been compromised – or it might just be a dodgy ad itself. I didn’t notice anything odd until I got the popup. I’ve logged in and out of Scribd several times today and didn’t get anything… I’m much more suspicious now though 🙂

    2. Neil Pellinacci

      That’s where the combination of Firefox, Adblock Plus and NoScript comes in so very useful – quite scary how many web pages load Javascript from all over the web…

  1. Steven

    I can’t stand spyware…. My personal favorite spyware remover is Spybot Search and Destroy.. aside from that I use Avast.. I tend to think that saving a penny and doing my research will get me the best results!

    1. eileenb Post author

      Hi Stan,
      Yes, it’s a sad but true fact – we all need to be extra vigilant – as ways to put malware on to your computer are becoming more and more ‘seamless’. Unfortunately, the sophistication of operating systems and applications means that users are fearful of doing something wrong – and often click ‘OK’ because they are told to – with unfortunate consequences…
      Thanks for your comment – and the link to Ed’s blog…🙂
