|Tales of a Spyware Sleuth|
|Written by Matt LakeHits : 491|
|Wednesday, 30 November 2005 19:00|
Anybody who has been working with computers for a while knows days like the one I just had. You fire up your computer and everything starts to go wrong. New browser windows appear at the rate of one every five seconds, each touting more and more gaudy wares. The culprit? Spyware ... and lots of it. That wasn't there yesterday, so someone else must have used it. And then your phone begins to ring with people suffering from other technical problems.
That's exactly how my day started. Little did I know that this spyware problem and other "help me now!" tasks would eat up the whole day.
Uncovering the Culprit
When things go wrong, you do triage, and today's first task was to get rid of the spyware. Spybot Search & Destroy is my first choice of free exorcism programs for offensive pop-up ads and other browser-based nasties. After updating it to the latest spyware definitions, it scanned my computer for more than 30,000 variants on the theme. After doing its stuff, it offered to delete all 55 problem pieces of code, which after a reboot and rescan, it successfully did. But when I launched my browser, the pop-up ads and redirections came back immediately. This happens sometimes, and when it does, I turn to another free spyware killer. I'd just downloaded another free spyware killer, Microsoft AntiSpyware beta, so I gave it a go.
While AntiSpyware was scanning, I decided to sleuth out who had done this to my computer. XP Professional machines on a domain-based network are locked down pretty tight, so you need a network log-in to use it. Because of this, I was able to rule out the folks we found messing with our machines a few years ago--the cleaning staff had been using our PCs as a square-headed babysitter for their kids. None of them has a log-in. So this time around, it had to be a colleague out for a little after-hours browse on the seamier side of the Web. And when he logged in (yes, it was a he), he had used his own log-in. This is how I found out who he was.
XP Professional keeps a great audit trail of activity, all neatly filed away by log-in name. Under the C:\ drive, under Documents and Settings, you see folders bearing the names of everybody who has logged on to the network using the computer. You'll see generic names such as Administrator, All Users, and Default User, and your own log-in name. Any other name you see is probably an interloper.
The guy who had borrowed this PC--I'll call him Mac--had his name all over it. I opened the folder bearing his name and checked out the Cookies folder to see where he's been. Each of the sites he had visited had thrown a little text file into the Cookies folder, each of which bore a time and date stamp. Armed with this, I was ready to lower the boom on him--but that could wait until I'd fixed the problem.
I'd just set Microsoft AntiSpyware to delete a mess of additional spyware it had found, when another colleague came in. "This remote control mouse doesn't work!" he said. I'd just brought in two Keyspan Wireless Presentation Remotes (PR-US2s to their friends) for colleagues to use with their overhead projectors. These $60 units consisted of a small USB key and a remote control with a thumb-operated pointer. They had a great range and worked wonderfully. With very little practice, two of my colleagues were wandering around in front of groups, casually navigating Web sites, advancing PowerPoint presentations, and controlling DVD playback across the room from their PCs.
But this colleague had noticed that his cursor began wandering across the screen during a presentation. It went down to the Start menu and activated it. It opened a Web browser, and activated the Favorites menu. He'd lost his audience completely and couldn't account for it. So I went to check out his setup.
When I got there, the guy in the adjacent room came out. "This remote mouse doesn't work!" he said. He had had a similar problem with a wandering cursor. At the same time as his neighbor. With the same hardware.
"No, it works fine," I deduced. "It works so well, it's been controlling the computer next door as well. I'll get another remote that won't interfere."
Window Shopping ... and More Spyware
Back at my desk, Microsoft AntiSpyware and Spybot Search & Destroy both declared my system was clean. But it wasn't. So I downloaded the third member of the antispyware triumvirate, AdAware 1.6, and unleashed it. Sometimes, you need to bludgeon a spyware problem with a mallet to beat it into submission.
Meanwhile, I shopped around for other wireless remote mice. Keyspan's had been the best buy for a wireless 2.4Ghz remote mouse (I'd got it on sale for $50), but the one I had really wanted was the slick $200 Bluetooth Logitech Cordless Presenter. Using Dealio's spyware-free comparison shopping toolbar, I found a great price on the thing, but even $130 was outside my budget. It was time to do a little wheeler-dealing.
"You remember that site you visited at 5:17 p.m. on my computer last night?" I asked Mac.
He blanched and began to twitch.
"You should have visited this site instead. Not only is it allowed under the company Web usage policy, it's also a heck of a deal."
I handed him the page advertising the Logitech Cordless Presenter.
"I need one of these for the conference room. You've got $130 in your budget, haven't you?"
Mac checked himself. This might have been blackmail, or it might have been an interdepartmental opportunity for creative accounting. Either way, it was job insurance for him. He took the paper with a nod.
Back in my office, AdAware had plugged the gaps that Microsoft and Spybot had left. The three-fold attack on the spyware problem had pummeled the spyware out of my life.
Contributing Editor Matt Lake writes SOHO Advisor monthly for ComputerUser.