I'm not a Microsoft staff person. I am a volunteer with some long history
of involvement with Microsoft products, and recognized as an MVP for doing
what I am doing here--answering customers questions.
These groups are to support the product beta. So my first goal is to see
whether some further operation with the product itself will cure the
infection, or whether it really is something that isn't handled at all by
Microsoft Antispyware, in which case I can make further suggestions--so
that's where that particular "pat answer" comes from. I'm neither the most
experienced spyware cleaner here, nor someone with an in-depth knowledge of
how the product works from the inside out--I'm more of an observer and
administrator, with just enough technical knowledge to be both helpful most
of the time, and perhaps dangerous on occasion.
No--System Restore is a red herring, I believe. Yes, viruses and spyware
are stored in System Restore restore points. No, they don't magically
reappear or regenerated from within those restore points. They will, of
course, if you USE the restore point which contains the virus or spyware
executables. I don't agree with the advice which suggests clearing restore
points before cleaning. I think it is reasonable to clear restore points
AFTER cleaning, when you are sure the system is clean and stable--but
clearing before takes away an important safety net.
Neither antivirus apps nor firewalls stop spyware. If you are keeping
patched to date, I believe most recent spyware are trojans which are being
installed by the users--click here to enter this site--allow this ActiveX
install to proceed further. That reminds me--my 9 year-old daughter was
looking a music lyric sites last night, and I better scan the laptop she was
using!
Yes there have been issues of spyware drive-by installs allowed by security
vulnerabilities in Windows and Internet Explorer. I don't have any idea
what proportion of the issues we are seeing today relate to what source of
original infection.
Your antivirus could spot some of this stuff. The premium price products
from Symantec and other vendors, are being "enhanced" to provide this
coverage. How well they are doing at the job I'm not sure, but some
proportion of hard to clean bugs I've seen posted here have Symantec
articles--I can't quantify that. The lines between viruses, root kits,
trojans, and spyware definitely have some gray areas, and probably will
continue to.
So--if it isn't hiding in System Restore, how does it do its magic? In my
experience there isn't much magic. The stuff is out there on the drive, and
has links to startup locations, and usually isn't hiding very hard. There
is a trend, however, which might be exemplified by this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;894278
article, which describes a piece of commercial spyware which hides in the
same fashion as a root kit.
As I've mentioned--there are lots of other posters here who are more
experienced at cleaning spyware than I am. My approach is to clear out the
temporary Internet Files, at a command prompt, perhaps in safe mode, and to
examine the startup locations--you can use the System Explorers in Microsoft
Antispyware--these allow you to take something you can't prove the safety of
and block it on a temporary basis and see the effect. Or you can use other
tools--silentrunners.vbs which is a script which gives a listing of the
contents of all known startup locations, etc. Or you can use the HijackThis
tool which provides logging and an easy to use interface to allow removal of
items judged by peer-reviewed experts to be bad.
I usually look over key parts of the system--the root of the boot drive,
system32, for hidden, system, read only files, and compare what I find to my
own knowledge of what clean systems typically have. If I find something
that sticks out, I will use the date and time of its creation and check
other locations for files that appeared about that same time.
This kind of work is as much art as science, I think, and I'll freely admit
to not being a great artist--I'm probably not describing everything that I
think about or do, either.
So--if you've got a bug that keeps coming back--1) If Microsoft Antispyware
id's it, then I believe it should be capable of cleaning it. If it can't
perhaps it is because it has missed removing a central process or executable
because it was in use. That's what the safe mode restart often takes care
of. It isn't a panacea, but it often does the job--the spyware isn't
running in safe mode, and the cleaning can be done properly. Should the
program be able to warn you about this?--I would thinks so--but I'm not a
programmer!
If Microsoft antispyware misses it completely--you are going to have to dig
deeper--using the system explorers or MSINFO or whatever reversable tools
you can use to test whether particular startup items are at the root of the
problem. If you can put a name to the bug you can do Google searches and
often get useful information. And, before I forget it, a fair portion of
recent commercial spyware is listed right there in add or remove programs,
and the remove functions do work.
Hmm - that wasn't from Microsoft, and it wasn't a simple answer, but
really--if it regenerates it is because it is still on your system in a
startup location, and it hasn't been cleaned properly.
