Spyware Can Be Hard To Tell From Typical Windows Behavior


Dave Methvin, Contributor

July 19, 2008


Last week, I got an e-mail from a friend who said she thought her mother's PC might be infected with spyware. Not that general popup-ads kind of spyware, but the kind that targets a particular computer, monitors everything the user does, and sends it back to someone over the Internet. Although I was skeptical at first, her story convinced me otherwise.

It turns out that her mother was going through a divorce. My friend feared that her stepfather might have installed spyware on the system to snoop on her mother's online banking and purchases, or to collect other evidence that might be used against her during the divorce. This is a classic use of commercial spyware, although there are cases where the collected evidence has been rejected due to state privacy laws.

Yet even if it can't be used in court, the information collected by spyware could be valuable. Most of the public has heard horror stories about spyware on the news, even if they don't know how to find out if it's running. Add to that a situation such as a divorce, and users can be quick to conclude that any activity they can't explain must be spyware.

In this case, I scanned the system using several tools looking for suspicious running processes, deleted files, and rootkits. I didn't see any sign of spyware, viruses, or Trojan horse software. I monitored the network traffic and didn't see anything strange at all. Windows patches also were relatively recent. Compared with many systems I've seen, this one was in surprisingly good health as far as malware goes. That may have been helped by a recent and up-to-date copy of AVG Antivirus. Perhaps it was just a very careful user who didn't visit dangerous Web sites or open unknown attachments.

Yet this three-year-old notebook PC was far from clean. Although the copy of Symantec Antivirus that Dell bundled with the system had been removed years before, its updater still ran in the background and tried to phone home more than a dozen times a day while I had the system. Several useless bundled background applets from Dell were still installed. The drive was full of junk files, and the system desperately needed to be defragmented. In other words, this was a typical Windows PC.

With all that software running and AVG doing an unannounced background virus scan, the system rattled noisily and keystrokes sporadically appeared on the screen. The system behavior was so strange at times that it definitely seemed spyware-level spooky. By turning off the background apps and waiting for the virus scan to complete, it felt like a whole new system. It could use a complete cleanup, defrag, and tweaking of system settings, but they still aren't convinced that there's no spyware on that PC so they want to leave it as-is. It's always hard to prove a negative.
