This will probably be a familiar tale for any IT support tech and hopefully a cautionary tale for others. This incident started with a support ticket indicating that one user was getting a variety of unusual error messages, including “Trust Relationship between Workstation and Primary Domain failed”, which is fairly unusual on Windows 7 machines and never good.
On contacting the problematic user I was told that they had resolved that error by running a system restore, but they suspected that they had malware on their computer. “What makes you suspect malware infection?” I asked, “Well,” they replied “It’s running very slowly and I get a lot of pop-ups in Internet Explorer and on the desktop.”
So I connected to their laptop and noted that indeed they were getting some pop-ups, such as:
Now, this sort of thing looks very similar to malware, and in my book it is only a small distance from being classed as malware; however, it is not malware because:
- It was installed ‘deliberately’, or at least after gaining the user’s consent
- It doesn’t conceal its existence: it creates normal program directories and adds an entry to the installed programs list with a reference to its uninstaller
- It doesn’t perform any malicious actions in terms of stealing data or damaging the OS, it just keeps hassling the user to buy a piece of software
A lot of security software will detect such applications as ‘Potentially Unwanted Programs’ (PUPs), i.e. a program that is not explicitly malicious but may have been installed without full knowledge or understanding.
A quick glance at the list of installed programs in Add/Remove Programs (appwiz.cpl) confirmed my suspicions that we were dealing with a *cue scary music* click-happy user. And oh boy had this one been clicking on stuff:
The computer was jam packed with crapware that had been acquired by clicking on things on the internet. At a guess, I’d say that the user probably installed a few pieces, such as ‘MyPC Backup’ and ‘Video Downloader’ deliberately, thinking that they would get their PC backed up and their videos downloaded. Needless to say this caused more pop-ups and slowdowns, so they installed ‘Optimizer Pro’ and ‘Norton Security Scan’ to try and address these issues. This of course caused even slower running and exacerbated their problems. The rest of them result from too much clicking on things on the internet and software that came along for the ride.
Why does this cause the user problems? It causes problems for several reasons:
- These programs will hijack internet browsing and produce many pop-ups to entice the user into buying the full version of the crapware (monetisation)
- Registry cleaners and optimisers may damage the registry causing anomalous behaviour
- Multiple security programs cause system instability and conflicts
- Lots of these programs will mess up the user’s browser, by changing default search engines, file handlers and home pages
- All of the programs add themselves to the Windows auto-start list so that they are constantly running in the background – this is a waste of compute resources (see image below)
Returning the user’s computer to a clean, fast-running, pop-up-free environment is a simple but time-consuming job. I spent around an hour:
- Uninstalling each of these programs from Add/Remove Programs
- Deleting any remaining program files and folders
- Resetting Internet Explorer to default settings and removing any left-over add-ins
- Checking for any left-over or orphaned startup entries and scheduled tasks
- Downloading and running Malwarebytes (MBAM) to check that no genuinely malicious programs had sneaked in with everything else.
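One way to check for left-overs after those steps, as an added PowerShell triage script that is not from the original post: it lists the same places the steps above cover (the Add/Remove Programs list, the registry auto-start keys, the Startup folders and scheduled tasks), so orphaned entries stand out once the uninstalls are done. It assumes Windows 7 with PowerShell 2.0 and the built-in schtasks.exe, and only reads; it removes nothing.

```powershell
# Added triage script (not the original post's code). Assumes Windows 7,
# PowerShell 2.0+ and schtasks.exe. Read-only: it lists, it does not delete.

# 1. Installed programs, the same list Add/Remove Programs (appwiz.cpl) shows,
#    read from the native, 32-bit (Wow6432Node) and per-user Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== Installed programs =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString |
    Sort-Object DisplayName | Format-Table -AutoSize

# 2. Auto-start entries: Run/RunOnce keys for the machine and the current user.
#    Anything still pointing at a deleted folder is an orphaned entry.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Registry auto-start entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath etc.
            ForEach-Object { "{0}`n    {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
# Startup folders (per-user and all-users) on Windows 7.
Write-Host "== Startup folder items =="
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startupDirs -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 3. Scheduled tasks. Get-ScheduledTask does not exist on Windows 7, so parse
#    schtasks CSV output; skip repeated header rows and Microsoft's own tasks.
Write-Host "== Non-Microsoft scheduled tasks =="
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and
                   $_.TaskName -notlike '\Microsoft\*' } |
    Select-Object TaskName, 'Task To Run', Status | Format-Table -AutoSize
```

Run it once before the clean-up to record what is there and once after, and compare the two outputs for anything that survived the uninstallers.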
There was no malware, no virus infection, just a click-happy user on the wonderful ol’ internet. In closing I would add that I don’t blame the user 100% – there’s a lot of big players that were totally complicit in this: Google – for allowing ads for crapware at the top of the results page; Bing – for being even worse; Microsoft for failing to include or enable advert and pop-up blocking in Internet Explorer; myself for allowing the user permission to install software on their work computer.
My best advice for avoiding this scenario in future? Use an advert blocker such as AdBlock Plus and stop clicking on flashing ‘Download’ links on the internet. Stay safe.