How can I tell if my computer has been hijacked?

I recently did a fresh install of Windows XP on my brother’s computer. I installed avast antivirus and Spybot. Now I keep noticing new programs that neither of us has downloaded. First was Steam, a website where you buy games. Next was Superantispyware. There was some other registry cleaner type program I can’t remember. After googling, all of these programs seem to be legit. Either my computer-illiterate brother is accidentally downloading these programs (doubt it) or some malware is downloading them for us.

I’m going to reinstall Windows again, but as a learning experience, what can I do to figure out what is happening?

Just to be clear here, but what do you mean by fresh install? Did you repartition the hard drive, followed by formatting the hard drive, then installed the O/S from an original DVD/CD install disk? Or did you just insert the DVD/CD and reinstall the O/S? Or something in between?

Which web browser (and version) are you using? Are any of the applications installed later “not original” meaning you don’t own the actual installation media, complete with serial numbers (if need be)?

What games did he install on his computer? Some games install Steam, and require it in order to run, so depending on what else is installed that one might be legitimate.

I used the eMachines system recovery CD that came with it. I didn’t manually create any partitions, just inserted the CD and reinstalled. It gave me the warning that the reinstall would erase all my data, which was my goal because it was infested with crap from his girlfriend’s kids (not an issue anymore). I’m assuming no malware can survive that, right?

Browsers:
Firefox 3.6.16
IE 8.0.6001.18702

He only uses it for Facebook, bank/credit card balances, and to charge his iPod; so the only programs are the ones I downloaded and installed, in this order:

Avast
Spybot
Firefox
iTunes/Quicktime
Netgear software for the wireless adapter (from CD) I bought for him.
Malwarebytes (I downloaded it yesterday just to see if it caught anything the others missed)

So it’s pretty empty. That’s why I noticed so easily when these other programs appeared. I ran full scans with Avast, Spybot, and Malwarebytes.

My theories are:

  1. I was somehow infected after the reinstall but before my antivirus/antispyware was fully installed and updated.
  2. Infected when Avast stopped running for a day because I didn’t finish my registration (oops).
  3. Malicious Facebook apps my brother possibly used.
  4. My brother accidentally downloading from clicking on tricky ads that disguise themselves as error messages.

The main thing that throws me off is that the suspicious programs all seem to be legit.

I looked up the creation dates for the suspicious programs, then searched all files created on that date and found no other executable files. I looked in the Firefox download manager and didn’t see the programs; don’t know if IE has something similar.

A lot of these programs are bundled as ‘free downloads’ with other apps. They are installed without most people noticing. Probably not Steam, but if he plays any sort of on-line game he may have installed Steam without knowing it, especially if it’s a Valve game.

No malware is installing Steam for you. It’s just such a silly assumption to make. Look at the Steam folder on your c:\program files\ drive. Right-click it, and look at the created-on date. Look at the owner of the folder. You’ll see who made it and when. Also you can get this info from the Windows logs. Google how to view logs in XP if you are unsure.

There’s no way you have some magic hidden malware that 4 apps can’t find and which installs things like Steam. Most likely your brother doesn’t know what he’s doing or his gf’s kids are much more clever than you think.
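The two checks suggested above (who owns the folder and when it was created, and what the Windows logs say) plus the original poster’s own search for other files created on the same day can be done in one pass. The script below is an added example, not something from this thread; it assumes PowerShell 2.0 (available for XP SP3), an administrator account, and that the suspect folder is C:\Program Files\Steam, which is a placeholder you should change to whatever folder actually appeared.

```powershell
# Added example (not from the thread): triage an unexpected program folder on XP.
# Assumes PowerShell 2.0 on XP SP3, run from an administrator account.
param(
    [string]$SuspectDir = "$env:ProgramFiles\Steam",  # placeholder; point at the folder you found
    [int]$WindowHours   = 2                           # how far either side of the creation time to look
)

if (-not (Test-Path $SuspectDir)) { throw "Folder not found: $SuspectDir" }

$dir     = Get-Item $SuspectDir
$created = $dir.CreationTime
$owner   = (Get-Acl $SuspectDir).Owner   # normally the account that was logged on when it was created

"Folder  : $SuspectDir"
"Created : $created"
"Owner   : $owner"

# 1. Other executables, installers, shortcuts and temp files created in the same
#    window. An installer drops its payload and shortcuts within minutes of the
#    main folder, so this usually shows what else arrived together with it.
$from  = $created.AddHours(-$WindowHours)
$to    = $created.AddHours($WindowHours)
$roots = @($env:ProgramFiles, $env:SystemRoot, $env:TEMP, "$env:SystemDrive\Documents and Settings")

$hits = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Extension -match '^\.(exe|dll|msi|lnk|tmp)$' -and
                           $_.CreationTime -ge $from -and $_.CreationTime -le $to }
    }
}
"`nFiles created between $from and $to:"
$hits | Sort-Object CreationTime | Format-Table CreationTime, FullName -AutoSize

# 2. Windows Installer logs every MSI install/removal to the Application log
#    (source MsiInstaller; IDs 1033 and 11707 for installs, 1034 and 11724 for
#    removals). The UserName field tells you which account ran the installer.
#    Installers that are not MSI-based (NSIS, InnoSetup) leave no such event,
#    so an empty list here does not prove nothing was installed.
"`nMsiInstaller events in the same window:"
Get-EventLog -LogName Application -Source MsiInstaller -After $from -Before $to -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, UserName, Message | Format-List
```

Run it as `.\triage.ps1 -SuspectDir "C:\Program Files\SUPERAntiSpyware"` for each folder that appeared. If the owner is your brother’s account and the file list shows a downloaded setup .exe in his profile a few minutes before the folder was created, that is a user click, not malware; a folder owned by SYSTEM with no matching download is the case worth digging into.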

Don’t bother reloading, no malware is loading Superantispyware (which is actually a solid little anti-malware program).

More likely it is bundled with something else, much like McAfee Security Scan and/or Google Toolbar get bundled with Acrobat Reader.

Same with Steam; I discovered Steam this very way, bundled with Nvidia graphics utilities.

Lots of this goes on; if you don’t take the time to read the checkboxes there are dozens of examples of this around.

I am a computer guy, do not panic.

Have you checked whose Steam account is logged in?

Put a password on the computer.

Don’t tell the girlfriend’s kids the password, OR WRITE IT DOWN ON A STICKY-NOTE TAPED TO THE COMPUTER.

I bet programs stop mysteriously popping up. :cool:

[/SENSELESS PARANOIA]

Maybe I was overcompensating because I was setting up the computer for someone else (so he would stay the hell off mine). Similar to the reason why I will make a tiramisu with raw egg yolks and eat it all day, but I won’t make it for someone else for fear of getting them sick.

Thanks,
I_Know_Nothing

Superantispyware is a legitimate anti-Spyware application, and probably should be on your computer (either that, or Malwarebytes). It’s not downloaded unless you specifically go to their website and download it.

You should set up separate user accounts. Give yourself a password and administrative rights, but don’t give that to anyone else. It will prevent them from downloading crap (even legitimate crap).
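The account split recommended above can be scripted rather than clicked through in the User Accounts control panel. This is an added example, not part of the reply; it assumes PowerShell 2.0 on XP SP3 run from the administrator account, and the account name and password in it are placeholders.

```powershell
# Added example (not from the thread): give the everyday user a non-admin account
# and make sure the admin account actually has a password.
# Assumes PowerShell 2.0 on XP SP3, run from the administrator account.
$Admin   = $env:USERNAME     # the account you keep for yourself
$Limited = 'brother'         # placeholder name for the everyday account
$Pass    = 'Tiramisu-42!'    # placeholder; XP warns on passwords over 14 characters

# Everyday account: created in the Users group only, so it cannot install software
# system-wide or change other accounts.
net user $Limited $Pass /add

# If an account by that name already existed as an administrator, demote it.
if (net localgroup Administrators | Select-String -SimpleMatch $Limited) {
    net localgroup Administrators $Limited /delete
}

# The admin account must have a password, or the limited account is pointless:
# anyone can just log on as the admin. This prompts for the new password.
net user $Admin *

# The built-in Guest account is another password-free way in; turn it off.
net user Guest /active:no

# Verify the result: only your account should be listed here.
"Members of Administrators:"
net localgroup Administrators
```

After this, installing anything from the limited account prompts for the administrator password, which is exactly the point: software can no longer appear without someone who knows that password typing it in.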

The restore cd they gave you most assuredly has all the crapware they installed on the machine when it was sent to you from the factory. There are a myriad of ways to install a new OS for free that do not involve crapware, however I cannot talk about them here.

The best way to deal with it is to just uninstall the crapware through the Add/Remove Programs option in the Control Panel.

There are plenty of ways to do this via legit means as well rather than getting all cryptic like…

If he has a windows key he can borrow an OEM disk from a friend and do a legit clean install of windows with no crapware.

Install one of the many flavors of linux.

You didn’t mention anything about Windows updates. Make sure you’re up to date on those, including the service packs. If you’ve already done this, great!

Well, that will work, but it’s not the best way. That method does it manually, one program at a time (often with restarts required after each).

A better way is to download either PC-Decrapifier or CrapCleaner (now named CCleaner). They automate this process, using lists of known common crapware, removing lots of them at once and with much less involvement needed from the user.

Oh, for future removals, download Revo Uninstaller, and use that instead of the Add/Remove Programs process. It’s a much more thorough remover – it cleans out leftover registry entries, documentation & help files, etc. There is a surprising amount of garbage left behind on your machine after an Add/Remove Programs process completes.

Usually after spending 4-5 hours installing OS and software, I spend 2-3 hours uninstalling the piggyback crapware. Double that time if you have a box from E-machines.

Crapware almost always comes out cleanly with the software uninstall within Control Panel.

ETA: I’ll second the use of CCleaner. Also, get the Comodo Firewall.