Sun 14 Dec 2008
Two days ago, we realised our home laptop was infected with spyware. Whenever we did a Google web search, the results page titles would all be reasonable, but the actual websites returned were rubbish. The results would take you to pages full of advertising, rather than useful content. Clearly, something was very wrong.
We are running an up-to-date copy of the McAfee scanner, but it hadn’t picked up anything, and a full scan resulted in a verdict of all clear. Sorry, McAfee, you fail.
Yesterday, I downloaded Microsoft’s Windows Defender – software that is designed specifically to find this sort of thing. It didn’t find anything.
I also tried downloading Symantec’s Norton AntiBot (free for a 15-day trial). It was worth the money I paid, i.e. nothing. AntiBot couldn’t find the spyware. At this point, three big guns – McAfee, Microsoft and Symantec – had completely failed.
The only other symptom with our infection was that, under Firefox, when the Google search results page was being returned, “Connecting to 18.104.22.168 …” was briefly shown in the browser. Doing a search for that returned some results with titles suggesting that people at the CyberTechHelp forums had similar problems on their PCs.
The helpful support guys there recommended the free Malwarebytes’ Anti-Malware software to fix it. A scan quickly found something named Trojan.Agent hiding in a fake sound driver in the c:\windows\ directory, which it then removed. Everything was back to normal!
You should never know if your anti-virus tool is any good. Ideally, you should never find yourself infected, so never find out if your tool has a weakness. Unfortunately, we did find our PC infected, so we did learn that our anti-virus tool was no good. The lesson for me is that the free tools can be superior to the big-name, expensive tools. I won’t be renewing my McAfee subscription.