Countless articles could be written on spyware. Recently, I ran into Troj/LdPinc-LZ on a PC. The really bad part is that Spysweeper didn’t detect this piece of malware even with the latest definitions! I am therefore recommending that you use Ewido as the software can be used passed 30 days (the real-time protection will get disabled if you don’t register it, but you can still use the on demand scanner). The trial version of Spysweeper won’t even clean the malware off your PC anymore and will shortly be removed from my web site.
The sypthoms were actually quite interesting. When the user went to CNN, Internet Explorer would just crash. When the user went to a specific realator site, the whole computer rebooted! Very little information exists on mssync20.sys, but by booting into safe mode and deleting all the mssync files from C:windowssystem32, I cleaned the little bugger off. It appears from the event logs it was also trying to load as a service and failed, so if you happen to get infected with this pest, make sure to check your services for a mssync20 service. After trying to load Spyware Blaster, it complained it couldn’t find MSINET.OCX. The spyware must have kicked this file out of C:windowssystem32, so I connected to my machine and copied it back over and life was good again.
Upon my searches on Google about spyware, I found some interesting articles. This one by Michael Horowitz goes through a nice series of steps when dealing with malware. He mentions the fact that the new version of Bagle actually has a trick to disable Safe Mode on PCs by deleting the SafeBoot key in the registry! This is explained in more detail at Didier Steven’s WordPress blog, with yet another link to Chris Quirke’s web blog on how to boot with BartPE to restore the Safeboot tree.
– Soli Deo Gloria