Someone passed a laptop to me to have a look at today. Apparently it was running really slow for some reason and even after running several scans over it with different anti-virus software, nothing came up. The owner couldn't figure out what was wrong.
So I booted up the Win XP machine and sure enough, everything was crawling. It took a few minutes before I could get Task Manager up to find out which process was responsible. It turned out to be a file named "smvalid.exe" which, when I looked it up on Google, was spyware, as I had expected. It was taking up over 90% of CPU time.
I could always have removed the file and registry entries manually with Hijackthis, but since other spyware was probably lurking around, I decided to run a selection of spyware scanners, namely Adaware, AVG Anti-Spyware, Spybot and Webroot Spysweeper. They all spotted similar files, but none of them managed to pick out the particular file whose process I had stopped! So in the end I had to remove "smvalid.exe" manually, but surprise, surprise... the process was back the moment I went online to check whether everything was working. Obviously some other backdoor or trojan was still lurking about.
With the main spyware scans run, I returned to my own anti-virus scanners such as Kaspersky, but they didn't manage to pick anything up either. Eventually I decided to try an old favourite named "Spyware Doctor". I had stopped using it because it was one of those utilities that wouldn't fix anything unless you paid up, but its detection rate was good and it does tell you where all the little bugs are. Sure enough, running the program let me find a number of other registry entries and small .exe files that the other scanners had missed (including the "smvalid.exe" file!). Removing them all manually was going to be a pain...
It was then that I noticed there was now a free version of Spyware Doctor available too, as part of the new Google Pack, a collection of free software for anyone to use. After downloading the free version, I managed to clean out the remaining spyware quickly, and the problematic file didn't return. Not bad, eh?
However, the PC had already been hijacked, meaning search results were still being redirected. Spyware Doctor didn't manage to fix these problems, so I still had to use Hijackthis to remove the problematic registry entries manually. It beats searching for the right values in RegEdit, mind you.
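As an added example (not part of the original post, and not Hijackthis's own code), here is a small Python script that parses a HijackThis-style log and flags the lines worth looking at first during a manual clean-up like the one above: autostart (O4) entries that run from outside Program Files or system32 or that borrow a system binary's name, IE start/search page overrides (R0/R1) pointing somewhere other than a known portal, hosts file (O1) entries that redirect a domain to a non-loopback address, and DNS server overrides (O17). The log text is constructed for the example, the line layout is my recollection of the HijackThis report format, and the allowlists are deliberately small; treat all three as assumptions to adjust against a real log.

```python
"""Triage a HijackThis-style log: parse the autostart, browser and DNS lines
and flag the entries a manual clean-up should look at first."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample (example data, not a real capture; paths and GUID are
# made up). The "Rn - ..." / "On - ..." layout follows the HijackThis report
# format as I recall it; the exact syntax is an assumption.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\smvalid.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/
O1 - Hosts: 192.0.2.10 www.google.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [smvalid] C:\WINDOWS\smvalid.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B1C0A7E-1F2B-4C3D-9E8F-0A1B2C3D4E5F}: NameServer = 192.0.2.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PAGE_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)

# Small allowlists, assumed for the example; widen them for a real machine.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
KNOWN_PORTALS = ("msn.com", "microsoft.com", "google.com", "yahoo.com")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")


def running_processes(log_text: str) -> List[str]:
    """Return the lower-cased image paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():      # blank line ends the section
                break
            procs.append(line.strip().lower())
    return procs


def _flag(findings: List[Dict[str, str]], kind: str, entry: str, reason: str) -> None:
    findings.append({"type": kind, "entry": entry, "reason": reason})


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and return the entries that deserve a manual look."""
    procs = set(running_processes(log_text))
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = (exe["path"] if exe else m["cmd"]).lower()
            reasons = []
            if not path.startswith(TRUSTED_DIRS):
                reasons.append("autostart outside Program Files/system32")
            if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not path.startswith("c:\\windows\\system32\\"):
                reasons.append("system-binary name outside system32")
            if reasons:
                # Cross-reference with the process list: a suspicious autostart
                # that is also running is the one eating the CPU right now.
                if path in procs:
                    reasons.append("currently running")
                _flag(findings, "O4", line, "; ".join(reasons))
            continue
        m = PAGE_RE.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            if not host.endswith(KNOWN_PORTALS):
                _flag(findings, line[:2], line, f"IE {m['value'].strip()} points at {host}")
            continue
        m = HOSTS_RE.match(line)
        if m:
            # 127.0.0.1 entries are usually deliberate blocking; a redirect to a
            # routable address is what turns search results into hijacked ones.
            if m["ip"] not in LOOPBACK:
                _flag(findings, "O1", line, f"hosts file sends {m['host']} to {m['ip']}")
            continue
        m = DNS_RE.match(line)
        if m:
            _flag(findings, "O17", line,
                  f"DNS server override ({m['servers']}); confirm it is the ISP's resolver")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['type']}] {f['reason']}\n    {f['entry']}")
```

Cross-referencing the autostart entries with the "Running processes" list is what the clean-up above did by hand: the process that hogs the CPU and also has an autostart entry is the first thing to remove, and when it comes straight back after going online, the remaining O4, O17 and O23 lines are where to look for the loader that re-fetches it. The O17 NameServer line is reported for review rather than as malicious because an ISP's resolver can legitimately appear there.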
So, why didn't I just wipe the hard drive and re-install Windows? Well, it would have been pretty troublesome re-installing everything, and I also wanted to know how well the current selection of security programs performed. They are there for a reason, after all, and it would be good experience learning how to tackle the problem at hand. In the end, the aforementioned anti-virus and anti-spyware programs didn't do too well, did they? But to be fair, it was spyware that I was dealing with.
It's interesting to see how spyware (or should I say "malware"?) is much more common and damaging than viruses these days (at least in terms of productivity). The software developers will have to do some catching up to find more of these nasty resource-eating bugs!
In the end, however, it's just best to stay away from suspicious sites, e-mails and, of course, pirated software. You never know if the software has been maliciously modified or what those "cracks" really do. And try using Firefox if you aren't already, because hackers target it less at the moment due to its smaller 13% market share, compared to Internet Explorer's share of over 80%. If you were a hacker, you would go for the bigger market, no? Also, exploits found in Firefox are patched much faster by the community than Internet Explorer's monthly patches.