We had just returned from Thanksgiving break at my small-town high school, and already a special challenge awaited me. My teacher informed me that another teacher, Mrs. Smith, had a computer that wasn't booting up and she wanted me to take a look at it. She told me the assistant principal had already looked at it and couldn't get it to do anything. I took on the challenge and gripping my handy-dandy Flash drive, headed toward Mrs. Smith's room.
My first challenge was getting her computer to boot. The boot files had been corrupted, so I logged on in Safe Mode, which fortunately worked. My first instinct was to check for spyware, so Ad-Aware came into play. Shockingly, only 40 instances were found. About 30 of them were tracking cookies and the other 8 belonged to Alexa, which shouldn't have prevented start-up or corrupted any boot files. My next thought was to perform a virus scan. AVG Anti-Virus refused to install in Safe Mode, but Avast, my personal favorite, did. I installed the program, and once again was shocked that it didn't catch a single virus. Something fishy was going on.
Like a good computer geek, I next tried out HijackThis, another personal favorite. Everything appeared normal except for one program: SystemDoctor 2006 Free. I asked Mrs. Smith if she put it on there and she said no, but the IT department may have. Thinking little of it, I restored the system (in Safe Mode) to 20 days before. Sure enough, the computer booted with no problem at all. Mrs. Smith and I rejoiced, as the original goal was to boot the computer. But wait a second--would the computer undergo boot system failure 20 days from now? My work was not done.
As soon as Mrs. Smith logged into the network, everything appeared normal, and the network program's window popped up as it should. Then, SystemDoctor 2006 Free roared back to life, alerting me of 300 instances of spyware. After I was able to verify that the school's IT department hadn't installed the program, I was sure it was rogue antispyware.
Out came my flash drive and out came Symantec. SystemDoctor seemed like WinFixer, so I followed those removal instructions. In fact, since most of the file locations and Registry entries were almost the same, I wondered if SystemDoctor wasn't a WinFixer variant. I deleted all the programs and was beginning to destroy the Registry entries when the computer suddenly froze. D'oh! I had forgotten to reboot into Safe Mode. Finally, the last Registry entry was gone. I breathed a sigh of relief.
I rebooted the computer in normal mode and it worked beautifully. After installing SpywareBlaster, CCleaner, and Auslogics Disk Defrag for optimization, I called it a day. The machine was clean and I was proud. Victory was mine.
Good job identifying SystemDoctor (not to be confused with the legitimate Spyware Doctor) as rogue antispyware, Jared. The program masquerades as an antispyware tool, displaying false positives to induce users to hand over their cash and credit cards. Thankfully, removal options are well documented and fairly straightforward.
SystemDoctor is a Trojan horse that is often included in spyware bundles, so Mrs. Smith is lucky she didn't have more trespassers. Spyware is a threat to networks, so the most important precaution Mrs. Smith needs to take is to avoid opening suspicious-looking links and attachments. SiteAdvisor might help keep her off untrustworthy sites, and the premium version will analyze e-mail and IM links.
It's interesting you mentioned the much-misunderstood Alexa. Ad-Aware does suggest that the Alexa key is an item that requires removal, but it's not that simple. With Internet Explorer, Alexa uses a Registry key to drive the "related links" function. Often referred to as a data miner, you can think of Alexa's product as a cross between a deluxe cookie analyzer and a Nielsen rating.
If you use the feature, IE will serve links that seem relevant to you, given the activities of other Alexa users. In exchange, Alexa will record and analyze your surfing behavior. While users of the Alexa toolbar should be cognizant about the program's data-tracking prerogative (it's listed explicitly in the EULA), the Internet Explorer version is cloaked as an option within Internet Explorer, and therefore regarded suspiciously. It may be nosy, but it's not malicious. Still, if Alexa seems a nuisance, you can remove the functionality.