My weekend spyware odyssey

Mon Nov 10, 2008 2:42PM EST


I'd been away to a friend's house for several hours. Had barely even used the computer on Sunday. But when I came home I saw that it had rebooted in my absence and was now awaiting my login. That's nothing unusual: I figured Windows had installed one of its incessant updates and helpfully rebooted itself while I was gone.

When I got to the desktop, though, I could see that was not the case: Somehow I'd gotten a spyware infection and now it had taken root.

The manifestation was simple yet obvious: In the system tray I had a new icon with an oversized pop-up: AntiVirus 2009, it called itself, and the pop-up said I needed to immediately run the software to "pervent (sic) data loss."

AntiVirus 2009 promptly proved itself to be awfully insidious: Right-clicking the icon for it began installing additional spyware (which I immediately canceled), and there was nothing to be found in the add/remove programs control panel. I didn't get any overwhelming pop-ups, at least, so the computer was still usable... but Trojans like this tend to install more and more malware until the PC is dead, so I knew I needed to act fast.

Now I follow my own advice on how to remove spyware, so I started through the usual routine. Avira was installed on the machine already, so I ran a full scan. Avira found a few items, which I deleted immediately, hoping for the best. I also installed AdAware and ran it, and it came up blank. Finally I ran HijackThis, used an automated log reader to find the malware entries (brastk.exe was the culprit), and manually deleted them.

Rebooting, the spyware was still there, so I moved on to more specialized tools. Downloading them was tricky, though, as AntiVirus 2009 had hijacked a number of browser pages: Typing in security website URLs instead took me to broken 404 pages or ad-riddled spam websites, even in safe mode. The malware also blocked web updates from working on all the antivirus software I did have. Using another computer I was able to download the oft-recommended Malwarebytes, but after a lengthy two-hour scan, it came up with very little.
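The post mentions running HijackThis and feeding the log to an automated reader to spot the malware entries (brastk.exe) and, separately, that requests for security sites were redirected. The script below is an added example, not the author's tool or the HijackThis project's code: it triages a constructed HijackThis-style log against a small blocklist. The log text is made up for the example (the O4 autorun lines and the hosts-file override are in HijackThis's real O4/O1 line formats, but the specific entries are constructed); the assumption that the redirects were caused by a hosts-file override is an illustration, since the post does not say how the redirects were implemented.

```python
import re

# Constructed sample of a HijackThis-style log; not the author's real log.
# "Running processes" lists executables; O1 lines are hosts-file overrides;
# O4 lines are autorun entries from the Run keys.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\brastk.exe
O1 - Hosts: 127.0.0.1 www.example-security-vendor.invalid
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [brastk] C:\\WINDOWS\\System32\\brastk.exe
O4 - HKCU\\..\\Run: [brastk] C:\\WINDOWS\\System32\\brastk.exe
"""

# Executable names to flag. brastk.exe is the one named in the post;
# a real blocklist would be far longer and kept up to date.
BLOCKLIST = {"brastk.exe"}

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# O1 - Hosts: <ip> <hostname>
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")


def exe_basename(cmd):
    """Return the lower-cased file name of the first .exe in a command line."""
    m = re.search(r'([^\\/"]+\.exe)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(log_text, blocklist=BLOCKLIST):
    """Scan a HijackThis-style log and return (section, detail) findings.

    Flags: running processes on the blocklist, every hosts-file override
    (an O1 line means name resolution has been altered locally), and
    autorun entries whose executable is on the blocklist.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O4_RE.match(line)
        if m:
            exe = exe_basename(m["cmd"])
            if exe in blocklist:
                findings.append(
                    ("O4", f"{m['hive']}\\..\\{m['key']} [{m['name']}] -> {exe}")
                )
            continue

        m = O1_RE.match(line)
        if m:
            findings.append(("O1", f"hosts override {m['host']} -> {m['ip']}"))
            continue

        # Lines in the "Running processes" block are bare paths ending in .exe
        if line.lower().endswith(".exe"):
            exe = exe_basename(line)
            if exe in blocklist:
                findings.append(("process", exe))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"{section:8} {detail}")
```

Every O1 line is reported, not just ones naming a known site: a clean Windows machine has no hosts overrides at all, so any entry is worth a look, and that is also the kind of entry that explains why "typing in security website URLs" lands somewhere else.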

I cleared what it found and rebooted, hoping for the best. The system tray icon and pop-ups were finally gone, but the browser hijacks remained. I figured I'd give System Restore a try to roll things back to a pre-infection state -- why not? -- only to discover that the malware had also stopped it from working right. It was still on and running, but when I tried to restore to an earlier time, the "Next" button just wouldn't work. Click click click... nothing. Clever, yet frustrating.

I wasn't ready to give up yet and reinstall Windows. More research finally led me to a tool called ComboFix. I nabbed it from another PC -- though not before finding that some of the links to download it were fake, yet another annoying malware tactic -- and ran it normally. ComboFix found a rootkit, rebooted my PC, and did a quick five-minute scan. After another reboot, everything was finally back to normal, no pop-ups, and no browser redirects.

Total time my computer was unusable: About four hours, including two hours of hands-on work searching and scrubbing.

I write this post to remind you, the reader, that spyware happens to everyone, and yet I still have no idea what infected email or hacked website I visited that opened the door for this evil app in the first place.

One major security takeaway I hope to leave you with: If standard removal tools don't work (a problem that's becoming increasingly common), spend some time searching the web from a clean PC to see if specialized tools exist that can help. I finally found one in ComboFix, though I'd never heard of it before yesterday. My system is now running Norton Internet Security 2009 instead of Avira, and scans with it, AdAware, and HijackThis are all coming up clean. Fingers crossed...

Comments on My weekend spyware odyssey


  • 1 Posted by jerpil_007 on Mon Nov 10, 2008 3:24PM EST

    I use Trend Micro Internet Security Pro to protect my PC, it has served me quite well. It finds a lot of viruses and blocks pop-ups, etc. It has a personal firewall that works well with WIN XP. It can also monitor other computers on my home network too and protect them if they have Trend Micro installed.

  • 2 Posted by fredrowlands on Thu Sep 3, 2009 4:03PM EDT

    Norton has proven useless (as normal) in finding a lot of spyware. For whatever reason they don't seem to be able to keep up with the latest bugs. I have found SuperAntiSpyware to be very effective and also Spybot Search and Destroy. Norton has gotten so bad my company is testing new A/V software and going to Squid Proxy for everyone.

  • 3 Posted by auto_ditacker on Thu Sep 3, 2009 2:59PM EDT

    "spyware happens to everyone..." Not to me. I switched to Linux two years ago and have not had to worry about viruses, trojans, or spyware since.

  • 4 Posted by webpigeon on Thu Sep 3, 2009 10:42PM EDT

    I use Spybot Search and Destroy to remove AntiVirus 2009. Very simple.

  • 5 Posted by rogueist on Thu Sep 3, 2009 8:49PM EDT

    Windows Home Server - interesting - that might be a nice office backup solution... and cheap too... Probably would never work for me though - I would need something to back up several TB of data at this point...
