Monday, September 22, 2008

Viruses, Spyware, Trojans... Oh My!

Several years back the industry went through what I can only call a "Spyware Explosion". All of the Spyware companies were exploiting the weak security present in the Internet browsing software of the time, resulting in massively compounded and ubiquitous Spyware infections. I felt like on every other PC I worked on, I was removing Spyware. As Microsoft and the security software companies wised up to this onslaught and improved their software, I began to notice such problems less and less. Any tech that has spent 4 - 5 hours removing Spyware will tell you that is not a fun task, so this evolution (so to speak) was a welcome one.

Nowadays I certainly don't spend nearly as much time on Spyware-related issues - but when I do, it seems like we have made a trade-off of sorts. What I mean is - sure, we see less Spyware, but when we do see it, it seems to be much more sophisticated. I can honestly say I enjoy the challenge of removing some of the trickier ones because this can truly test the skills of any experienced technician.

Case in point, I thought I'd share a recent experience:

I received a call from a remote office of one of my customers complaining that when they started their computer, all they would get is a blank blue screen. They would get no icons, no Start menu, nothing. Luckily I was able to remote into this system using the Teklogic management software, and I was then able to start Task Manager and attempt to launch 'Explorer.exe', which is the "Shell" in Windows that gives you your desktop and Start menu (among other things). I found that Explorer.exe would not start, complaining that "Windows Could not find the file". I then proceeded to open a Command Prompt and drill down to where the actual executable lives ('C:\windows\Explorer.exe') and I noted that it was there and it had the appropriate permissions to launch... I checked that the environment path was correct and that the Shell key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell) did indeed contain the appropriate text for launching Explorer upon startup. At this point I went ahead and extracted another copy of the Explorer.exe executable from the original installation media, finding that this did not solve the problem either. I was quite perplexed.

After some digging around, I found some references to a "feature" of the NT family of Windows operating systems that was meant for developers to use when debugging applications. This feature is called "Image File Execution Options" and lives at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. If you want to know more about this feature read here. One of the things you can do with this is to essentially tell Windows that every time XYZ process is attempting to launch, to launch ABC process instead. This is a perfect example of how a very useful feature can be turned against us (as the computer users) by ill-intentioned Spyware. The Spyware had used this feature of Windows to configure the machine so that every time the Explorer.exe process was launched, it instead launched something else altogether. This, I thought, was a very clever way to utilize a relatively unknown feature and turn it against the user. Once I removed the entry for Explorer.exe, we were then able to get to the Windows Shell and proceed with removing the Spyware entirely. A fun one indeed!!
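The "launch ABC instead of XYZ" behaviour described above comes from a per-image subkey under Image File Execution Options that carries a string value named Debugger: Windows starts the Debugger command and hands it the original image as an argument. A quick way to check a machine for this kind of hijack is to export that key with reg.exe and look for any subkey that sets Debugger, paying special attention to shell and logon images such as explorer.exe. The script below is an added example written for this post, not code from the original post; it parses a constructed .reg export (the sample text, the fake paths and the SHELL_IMAGES watchlist are all assumptions of the example, not values from the infected machine) and reports every Debugger redirection it finds.

```python
r"""Audit a `reg export` of the Image File Execution Options (IFEO) key for
Debugger redirections.

Added example, not code from the original post. To audit a real machine,
export the key first:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and read it back with encoding="utf-16" (reg.exe writes UTF-16 with a BOM).
"""
import re
from typing import Dict

# Constructed sample in .reg format (not a capture from the machine in the post).
# explorer.exe is redirected to a bogus path, myapp.exe shows a developer-style
# entry, and notepad.exe has an IFEO value that is not Debugger.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\fakeshell.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Tools\\debugger.exe\" -p"
'''

# Key header of a per-image IFEO subkey (also matches the Wow6432Node mirror).
_IFEO_SUBKEY = re.compile(r'^\[.*\\Image File Execution Options\\([^\\\]]+)\]$',
                          re.IGNORECASE)
# A REG_SZ value line in .reg syntax:  "Name"="value"
_SZ_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed watchlist (assumption of this example): images whose Debugger
# value should essentially never be set on a production PC.
SHELL_IMAGES = {"explorer.exe", "userinit.exe", "winlogon.exe", "taskmgr.exe"}


def _unescape_reg_string(raw: str) -> str:
    # .reg escaping doubles backslashes and prefixes quotes with a backslash;
    # dropping the escaping backslash restores the stored string.
    return re.sub(r'\\(.)', r'\1', raw)


def find_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image name: debugger command} for every IFEO subkey that sets a
    string Debugger value. Other IFEO values (GlobalFlag, etc.) are ignored."""
    found: Dict[str, str] = {}
    current_image = None
    for line in reg_text.splitlines():
        line = line.strip()
        header = _IFEO_SUBKEY.match(line)
        if header:
            current_image = header.group(1).lower()
            continue
        if line.startswith('['):          # root key or unrelated key: leave context
            current_image = None
            continue
        value = _SZ_VALUE.match(line)
        if current_image and value and value.group(1).lower() == 'debugger':
            found[current_image] = _unescape_reg_string(value.group(2))
    return found


def suspicious_redirections(debuggers: Dict[str, str]) -> Dict[str, str]:
    """Subset of Debugger entries that redirect a shell or logon image."""
    return {img: cmd for img, cmd in debuggers.items() if img in SHELL_IMAGES}


if __name__ == "__main__":
    # For a real audit: reg_text = open("ifeo.reg", encoding="utf-16").read()
    hits = find_ifeo_debuggers(SAMPLE_REG_EXPORT)
    for image, cmd in hits.items():
        flag = "SUSPICIOUS" if image in SHELL_IMAGES else "review"
        print(f"{flag:10} {image} -> {cmd}")
```

On the sample input the script flags explorer.exe as suspicious and lists myapp.exe for review; a developer's own debugger entry is legitimate, but a Debugger value on the Windows shell is exactly the symptom described in the post, and deleting that subkey is what restored the desktop.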

Thursday, September 18, 2008

Computer Real Estate....

It amazes me that the $399.00 computer is more prevalent than ever, and as the PC price wars continue, large PC manufacturers take any means available to lower the cost of their PCs. One of the ways that manufacturers are lowering this cost is to sell what I can only refer to as "PC real estate" on new computers. What I mean by this is, have you ever noticed when you get a new computer it already has, in most cases, loads and loads of "Bonus" software pre-installed? Things like Google Desktop, Google Search bar, Search Assistant, Adobe Reader, Norton 360, AOL, Wild Tangent, McAfee and a seemingly limitless combination of others? Make no mistake, the manufacturer is getting paid to pre-install this software on the machine - which benefits the software manufacturer because it increases the likelihood that the user will utilize their software, when often times the functionality is provided in Windows natively.

This is a frustrating phenomenon for IT people because it just adds to the time that it takes us to configure a new system. We end up taking a brand-new system and having to essentially clean it up when we are configuring it for a client. Most of our clients will never use any of this software and therefore it just sits there junking up the PC. Even worse, most of these programs are trial versions and after 30, 60 or 90 days they start bugging you to register and purchase the full version - as well as the fact that many of these applications are resident, meaning that they are running all the time, taking up PC resources and slowing your machine. If you have more than about 6 icons in the system tray (bottom right, by the clock), you have resident applications running. This is the price we end up paying for a lower cost machine.

Some manufacturers are now offering the option to forgo this trial-ware at the time of purchase. I know that Dell is now doing this. When you buy a new machine, either over the phone or on the web, be sure to check to see if the vendor allows you the option to not have any "bonus" software installed - you will be better off in the long run.