Domain: spywareinfo.com
Stories and comments across the archive that link to spywareinfo.com.
Comments · 126
-
Re:OpenCD
I am often asked by family, friends, and coworkers (I work in IT and have contact with a large number of end-users) what applications I use, and what I recommend that they use. I do suggest GNU/Linux, but clearly most of them are using Windows and prefer to keep it that way for now. Here is the list of applications which I usually give them. Granted, some of these are NOT "free as in freedom" but are rather just "free as in beer" since, as noted elsewhere in this thread, for some categories of software there is no open source package available for Windows, or at least none available that your proverbial Grandma could be expected to use without installing Cygwin or something. (Obviously this list is aimed more at your Grandma than at the average GNU/Linux user, since that is the target audience. In real life I only use some of these applications myself. However, I do support family and friends who use them.) You could, of course, argue that better choices could be made, and you'd be correct....
General Tools
- Openoffice.org (use word processor, spreadsheet, presentation, database, and similar applications)
- Picasa (view/edit photos)
Internet Tools
- FireFox (browse Web sites)
- Gaim (chat with users of AIM, YIM, MSN, IRC, etc.)
- Thunderbird (e-mail)
- Pegasus Mail (e-mail)
- Macromedia Flash Player (watch Flash animations within Web browser)
- Java Plugin (run Java applications inside Web browser)
Basic Tools
- 7Zip (compress/decompress files)
- EditPad Lite (edit text files)
- vim/gvim (edit text files--advanced)
- Adobe Acrobat Reader (view PDF files)
- PDF Creator (create PDF files)
Security Tools
- ZoneAlarm (firewall - detect unwanted Internet access)
- Avira Antivirus (detect/remove viruses)
- ADAware Personal SE (detect/remove spyware)
- SpyBot Search & Destroy (detect/remove spyware)
- HiJackThis (detect/remove spyware)
- Discombobulator (make Windows more secure)
- Shoot the Messenger (make Windows more secure)
- Unplug-n-pray (make Windows more secure)
- PGP (encrypt/decrypt files or e-mail for privacy) - see admin for more details
Advanced Tools
- Virtual CD-ROM Control Panel for Windows XP (mount ISO images as filesystems) from MSDN
- IMAPSize (manage/search/backup an IMAP mailbox)
-
Re:Using Copyright to shutdown a site
>Comcast btw said it's not possible for spyware or that ilk to use this much bandwidth.
Speaking as an ISP support admin, I can assure you, that's absolutely not true (well, if you include botnets, which are probably 99% of the bandwidth-stealing type of nasties people infect their machines with). Now, if you had a machine on the backbone, well, maybe you'd find it tough to end up on a botnet using 100 Mbits+, but the "paltry" 30 Mbits maximum most cable handles (generally the customers' modems are DOCSISed to what, 6 Mbits?) wouldn't take any effort to botnet to death.
You should have taped them saying that so we could laugh at them like Verizon.
You should also run spybot and adaware SE personal on that machine. You could also play around with hijack this, but if you do one wrong move with hijack this, you'll need to re-install windows (well, someone who knows their way around windows won't... but I digress). It's probably got plenty more junk on it if you found 24 viruses. In fact, I'd probably consider getting a shop to nuke it and re-install it; after that sort of abuse windows usually becomes pretty fragile, and the PPPoE stack (needed for your new DSL) is going to be one of the first things to break.
When your F-Prot trial runs out, uninstall it and grab AVG, a free antivirus. You can do a check (and repair) of your computer without installing an anti-virus with Trend Micro's Housecall or BitDefender. Enjoy! -
Last Ditch security effort
I recommend you convince your company to buy Zone Alarm, AVG Anti-virus, Ad-Aware, and use the free program called Hijack This. Now Hijack This requires a third-party web forum for the program to be used correctly, because if you don't know what you're reading and deleting you could very well remove required registries. So after you finish scanning each system with Hijack This, upload the scan log to this forum (several others are recommended on CNET but this is the first one I found) http://forums.spywareinfo.com/ These guys know what they're doing and are very helpful from what I've read.
Hope this helps. -
Last Page Cached
They've altered it a bit since the story on Digg. Now it opens to an Overture search engine form instead of a page full of PPC links. Same search engine though. It does save a cached copy of the last page visited in the cache folder, after you shut it down. No cookies or anything else were saved that I could see.
-
Re:Quick list
I couldn't find active links for one or two of them myself, but here's an updated list -- in some cases these aren't the original sites, which have disappeared, so obviously it's worth being extra careful with antivirus software... apologies for the mess of links; the filter doesn't like short lines...
1by1 (play MP3s), AriskKey (recover passwords), AutoRuns (enumerate startup tasks), BurnCDCC (burn ISO images), CD (basic CD player), CDex (rip CDs + convert MP3/WAV), Copier [0X Copy Machine] (scan + print), CWShredder (clean spyware), DComBob (tame DCOM), DirLister (make quick file lists), Discover (force windows onscreen), DupeLocater (find and clean), FileRecovery [PC Inspector] (undelete), Folder2ISO (use with BurnCDCC), FoxitReader (read PDFs), GUIPDFTK (split/join PDFs), HijackThis (find spyware), HJSplit (split/join files), Identify_Boards (identify hardware), KatMouse installer (due to MS drivers), LCISOCreator (make ISO image from CD), Leaktest (test firewall), Microsoft keygen (people lose things), MultiRes (change res + force refresh), Multi Timer (stopwatch), NoteTab Light (text editor), NTest (test monitor setup), OnTop (pin windows to foreground), Process Explorer (task manager), ProduKey (recover passwords), Registry Commander (virus cleanup), ResHacker (examine executables), Rootkit Revealer (just in case), ShootTheMessenger (turn service off), Shred by AnalogX (simple file shredder), TedNPad (unicode text editor), TFT (dead pixel locator), UNPnP (tame SSDP), UPX (compress executables), UnitConverter (what it says), utorrent (basic torrent app), VCdControlTool (mount ISO images), -
wrestling fan site = famed spyware site
As seen here, there is a famed wrestling fan site which is well known for the vast quantities of spyware that it unleashes on an unsuspecting user. The guy writing the article decided to deliberately infect a virtual machine set up especially for the purpose:
By clicking "Yes" to the security warning, one spyware was installed. That first spyware downloaded and installed three other spywares. Those installed three new spywares each. Spyware was procreating on my computer at a geometric rate!
Six new toolbars showed up in Internet Explorer. Something deleted the Google Toolbar entirely. Three new icons appeared in the system tray. Three internet shortcuts appeared on the desktop and well over a hundred more showed up in my "Favorites" folder. Dozens of processes were loaded into memory. 200 new files appeared on the hard drive as well as over 400 new registry entries. And pop-ups were appearing at a rate of five per minute.
Within half an hour, my virtual computer was as infested with malware as anything I have ever seen at the message board.
I believe my favorite was the AdDestroyer program. That one sat in my system tray popping up ad windows, then declaring that "Your trial has expired. Click here to block pop-ups like that one.". It made a very obnoxious squealing noise every time it did it.
Verrry nice. I believe the Federal Trade Commission sued a company last year for doing that.
Once I had decided that all the spyware that was going to be installed was installed, I set about trying to remove it all.
Oh boy. -
Re:How will they even DO this?
short answer = yes to all above
from
http://www.spywareinfo.com/newsletter/archives/june-2003/3.php
California based TiVo, the company that makes digital TV recorders, has announced that it will begin selling the data that it collects about the viewing habits of its more than 700,000 users. TiVo lets users record TV shows and play them back at different times, skip commercials, and even train their TiVo to suggest programming more likely to interest them.
As the TiVo box connects to company servers to download programming information, it also uploads data about what users have watched and how they watched it. They can tell who watched which shows. They can tell which commercials were skipped. They can tell at what point someone got bored and started flipping channels. All of this information would be a gold mine to advertising agencies, and TiVo is about to cash in.
As horrifying as all that sounds to people who prefer to keep their private life private, this is not as big a deal as it sounds. Unless you specifically opt into more detailed statistics gathering, all of the information is anonymous and will not be used to identify your specific viewing habits.
If you watch an old rerun of Highlander, all TiVo knows is that someone in your zip code watched it, not that you, specifically, watched it. You can even opt out of that much, if you like, by calling TiVo at 1-877-367-8486 and requesting that they opt you out of all statistical information gathering.
What TiVo is doing is basically the same thing that early advertising spyware programs did. They log how you use the service and then send that information back to the company in order to make the advertisements presented to you more relevant and interesting. The difference between TiVo and the advertising spyware companies is that TiVo is honest and up front about it. TiVo does not simply steal the information by installing trojan-like data mining programs the way Aureate, Conducent, and others did.
On the other hand, I would still be nervous about TiVo collecting the information even if it were anonymous. As I understand it, your viewing information is not stored along with your account's personally identifiable information only because they choose not to do so once they have it. We have only their word that they would never cross reference viewing habits with their users' account numbers.
For that matter, who's to say that if TiVo were ever bought out, the new owner wouldn't just dive right into the data and start putting both sets of information together. That is exactly what DoubleClick tried to do when it bought marketing firm Abacus Direct.
With the information gathered offline about consumers contained in Abacus Direct's database, DoubleClick could have identified anonymous web surfers. It was only after several class action lawsuits were filed and a few states opened investigations that DoubleClick backed down from their plans.
I don't own a TiVo myself, but if I did, probably I would call that number and opt out entirely. Again, the telephone number to opt out of all TiVo statistical information gathering is 1-877-367-8486.
http://www.spywareinfo.com/newsletter/archives/june-2003/3.php -
Re:Sessions
Just make sure you block doubleclick.net in some way. The Bank of America site loads web bugs from doubleclick.net, even after you've logged in. I see them (adblocked) on the Accounts Overview page. It seems they were just doing this in the eastern US two years ago, maybe they're doing it elsewhere now.
-
We've had two new ones in the past year
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample; you would do well to try them all if you have non-sensitive information in an infected file. -
Senior Administrator
The point should not be to have your finger in everyone's pie. The analogy should be closer to a hospital with a senior surgeon, vs a manager of managers.
That said, if everything is working well, you become the buffer between the sysadmins and the rest of the world.
You get to be the one that goes to HR and complains about Clueless User #69 in cubicle 18 with his inappropriate visit to the wrestling website that installed spyware for a solid hour over lunch. You would also get to run the pilot projects before they roll out company-wide. You test the new toys, using the other sysadmins in fair rotation as project managers for the test.
You also get the really big headaches, like when Clueless User #69 is the incredibly cute and hot granddaughter of the boss, or some such thing (who never does anything wrong. No. Really.)
-
More than one solution to the problem
There are different requirements for enterprise use than for personal use. I will try to help out a bit for those in the corporate world. For example, SpyBot and Ad-Aware are only free for personal use. Because of this, IT shops are not supposed to use this without buying a license. So what should an underfunded IT department use?
Anti-Virus: Yeah, it's usually not great for catching spyware, but the latest versions of all vendors should at least slow down some of it. In our organization, we have several different versions of Norton Anti-Virus, from 7.x to 10.0. So if one PC has lots of problems with spyware, putting version 10.0 on there helps fight it automatically.
Microsoft Anti-Spyware: This is a pretty good tool for unmanaged environments. It is better than Ad-Aware or SpyBot, from my experience. I am not sure of the licensing, however, since we don't use it here.
Autoruns and Process Explorer: These are fantastic products that you can use at work for free, as long as you always download it from www.sysinternals.com when you put them on a PC. Autoruns will give way too much information about what starts up and what has hooks into the OS. To the average user, this can be overwhelming and even dangerous, so make sure you know what you're doing when you remove something. Process Explorer is a great tool for seeing what is running. It is miles better than Task Manager that ships with Windows. It shows you what hooks into what processes and will even allow you to pause a running application!
StartupList and HijackThis: These two programs will help you figure out what kind of nasty stuff you might have running. I am not aware of the licensing issues with these, as I usually use Autoruns instead.
APT, APM, and TaskMan+: These three tools are process explorer type utilities. However, with APT and APM, you can unload a certain DLL file. This is very useful if you have a dll that you can't delete and that keeps regenerating all of the other junk you just removed. Simply unload the DLL from anything it is hooked into and then you can delete everything. TaskMan+ lets you kill almost any process, including services. Best of all, these products are licensed without restriction.
I hope these help. Sorry I can't write more but I'm at work fighting off the bad stuff myself ;) -
just my way...
Of course, if you want to be 100% sure, a format would work. DO NOT RUN A LOW LEVEL FORMAT! I've seen it recommended; it's just wrong... Low-level formatting creates the tracks and sectors on a blank hard drive. The drives you buy today are low-level formatted at the factory. Low-level formatting these hard drives yourself is not recommended.
But not everyone can or wants to go through the trouble of formatting, so what can we do next?
My standard way to get spyware off a box:
Run CrapCleaner. This will remove a lot of useless files; just make sure you only select the sections you want deleted. Don't use the reg clean unless you know what you're doing.
Next up would be running the standard anti-virus programs. I personally use HitmanPro; the site is Dutch but the program is English. It includes most trusted anti-spyware products, runs them all in a row, automatically removes anything, and makes up an HTML page of what it did.
Still not gone?
- If you know the name of the spyware it might be worth googling; chances are you'll find a special removal tool.
- In my case I can spot bad programs and spyware as a process with the use of HijackThis and Sysinternals Process Explorer. But be sure to google all the processes you don't trust before deleting them. This way of deleting is not recommended for your average computer user (then again, you post on Slashdot so you're probably fine..)
- Sometimes it's required to boot into safe mode to remove some files
Ok, now that you're cleaned, you don't want this sort of thing to happen again. There are a few common practices:
- Don't be a YES man; don't just click YES and NEXT on every box that pops up. Also instruct any family members to do the same.
- Run as a normal user instead of administrator
- Make sure windows is up to date
- Some browsers such as Firefox make it easier to avoid spyware, though this requires some plugins. Recommended are adblock + gblocklist.
Useful links:
google: http://justfuckinggoogleit.com/ ;)
crapcleaner: http://ccleaner.com/
hitmanPro: http://hitmanpro.nl/
HijackThis: http://www.spywareinfo.com/~merijn/
Process explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Firefox browser: http://www.mozilla.com/firefox/
adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=10&application=firefox
gblock list for adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=1136&application=firefox
hope it helps... -
Some tools to add to your belt
Adaware and Spybot Search and destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a Spyware infested machine they didn't completely do the trick on their own.
Install and run Adaware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc) in the custom scan options. This will probably catch most of the easiest and most common exploits. Reboot.
Go through your Add/Remove programs menu and try removing any programs you can identify as spyware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious that simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.
Open up the task manager and go through each and every process, researching if need be. I use groups.google.au to get the older version which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.
Go through all of your startup locations:
- C:\WINDOWS\Start Menu\Programs\StartUp
- C:\WINDOWS\All Users\Start Menu\Programs\StartUp
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Start --> Run --> msconfig --> Startup tab
Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.
Run your Adaware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?
Download and run Hijack This. Pore through your log once more, or alternatively post it to one of the many forums where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running Rootkit Revealer.
Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's Rootkit came complete with a safe mode driver.
If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch. -
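As an added example (my code, not from the comment author or from any of the tools named on this page), here is a Python script that reviews the Run keys listed in the comment above offline: export each key with `reg export` to a `.reg` file, then parse that file and flag entries worth a closer look, using the comment's own criteria of where a program runs from and whether its name looks random. The registry export below is a constructed sample, not from a real machine, and the heuristics (temp or profile-data directories, vowel-less file names outside the Windows and Program Files directories, bare file names resolved via PATH) are my assumptions rather than rules from the comment; a hit is a prompt to research the entry, exactly as the comment advises, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a `reg export` of the two Run keys named in the
# comment above. The value names and paths are made up for this example;
# they are not from any real infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qxzkwrtp"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\qxzkwrtp.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updater"="C:\\Documents and Settings\\Owner\\Application Data\\ud.exe"
"""

REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
STRING_DATA = re.compile(r'^"((?:[^"\\]|\\.)*)"$')      # data that is a quoted string
TRUSTED_DIR = re.compile(r'^[a-z]:\\(windows|winnt|program files)\\')
PROFILE_DIR = re.compile(r'\\temp\\|\\locals~1\\|\\application data\\')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    exe: str
    reasons: list = field(default_factory=list)   # empty list = nothing to note


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def _exe_of(command: str) -> str:
    """Extract the program path from a Run value: quoted path, or up to .exe."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'^(.+?\.exe)(?:\s|$)', command, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def parse_reg_export(text: str) -> list:
    """Parse the string values of a .reg export into AutostartEntry objects."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new [KEY] section
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        data = STRING_DATA.match(m.group(2))
        if not data:
            continue                  # dword:/hex: data is not a command line; skip it
        command = _unescape(data.group(1))
        entries.append(AutostartEntry(key, _unescape(m.group(1)), command, _exe_of(command)))
    return entries


def review(entry: AutostartEntry) -> AutostartEntry:
    """Attach review notes; a note means 'look this up', not 'this is malware'."""
    low = entry.exe.lower()
    base = re.sub(r'\.[^.]*$', '', low.replace('/', '\\').split('\\')[-1])
    if PROFILE_DIR.search(low):
        entry.reasons.append("runs from a temp or profile data directory")
    if not TRUSTED_DIR.match(low) and len(base) >= 6 and not re.search(r'[aeiouy]', base):
        entry.reasons.append("random-looking file name (no vowels)")
    if '\\' not in entry.exe:
        entry.reasons.append("bare file name, resolved via PATH")
    return entry


def review_autostarts(reg_text: str) -> list:
    """Parse and annotate every Run entry in a .reg export."""
    return [review(e) for e in parse_reg_export(reg_text)]


if __name__ == "__main__":
    for e in review_autostarts(SAMPLE_REG_EXPORT):
        mark = "CHECK" if e.reasons else "  ok "
        print(f"{mark} [{e.key}] {e.name} = {e.command}")
        for r in e.reasons:
            print(f"        - {r}")
```

Run it against a real export by replacing `SAMPLE_REG_EXPORT` with the file contents; the script only reads the export, so reviewing it on a clean machine is safe, and the entries it marks still need to be looked up before anything is deleted.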
Re:HijackThis + Google
-
As a rule of thumb...
Below is a link to more info on which phones allow you to turn these features off, etc...
http://www.spywareinfo.com/articles/cell_phones/
As a general rule, I always turn off the location settings on my phone. Sprint has had this feature enabled by default for the past 3 years, and it wasn't until recently that I learned I was broadcasting my whereabouts 24x7.
-
Re:Free solutions
I worked at a computer repair shop at one point, and my SOP is very similar, although I typically run HijackThis earlier in the process (Before removing programs), and I include - if necessary - some passes with other programs.
Worst-case Scenario:
1) Kill all unnecessary processes manually (if able)
2) Run MSCONFIG and disable unnecessary startup processes (if able)
3) Run Spybot S&D (if able)
4) Run HijackThis
5) Install Avast! AV and updates, and schedule a boot-time scan (if able)
6) Uninstall/manually remove unnecessary applications
7) Reboot
8) Repeat all steps 1-6 which did not work the first time
9) Run Spybot S&D (again)
10) Install and configure Firefox with Adblock extension.
11) Install and configure SpywareBlaster
12) Lock Down IE
13) Reboot
14) Manually clean up any remnants with the help of HijackThis
15) Install and configure Kerio PF
It takes longer than is typically necessary of a simple cleanup, but so far I haven't run into anything that couldn't be fixed in such a manner. Most importantly however, it doesn't cost a dime. I keep both a USB flash drive and a CD on hand with all of the programs and updates I need as well as some other fallback programs (some pre-installed directly on the CD/flash drive), so if the infected machine is unable to connect for downloads/updates it won't slow me down. It also helps that IE is not needed when loading everything from the CD or flash drive.
Of all the machines I have used this on, only those of the incredibly stupid have had problems resurface, while most have run clean for a year or more. I use the same preventative measures on my own PC and have never picked up any spyware/malware. -
Re:Services
There are two other ways to check what's starting up. 'msconfig' from start > run is a good one, but I find it a cleaner solution to simply remove the entries from the registry.
Hijack This
Lists everything that is autostarted, and removes the autostart entry with a simple check box and button. If you're comfortable with editing the registry, then by all means feel free to do it manually. But if you're not a hard core geek (or you want something to recommend to your non-geek friends and loved ones), then check out Hijack This. (Not affiliated with the program in any way. It's just a super handy tool to have around - I keep a copy on my pen drive that I carry around with me.) -
Update your webfilter or /etc/hosts
Well, this page lists all the URLs associated with CWS.
Add these hosts to your webfilter/proxy blocking list:
coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws
And/or add 127.0.0.1 before each host, and add those to your /etc/hosts. -
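As an added example (my script, not from either comment or from spywareinfo.com), the following Python turns the list above, together with the doubleclick.net host from the Re:Sessions comment further up, into the `127.0.0.1 host` lines this comment describes. It also separates the two IP literals in the list, because a hosts file maps names to addresses and cannot block an address (those belong in the proxy or firewall deny list instead), rejects anything that is not a syntactically valid hostname so a typo never becomes a garbage line in the hosts file, and includes a check showing that hosts-file matching is exact: the `www.` variant of a blocked name is not covered unless it is listed too. The `with_www` option is my addition, not something the comment proposes.

```python
import ipaddress
import re

# The CWS host list exactly as posted in the comment above, plus the
# doubleclick.net web-bug host from the Re:Sessions comment.
CWS_LIST = """coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com,
66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com,
bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com,
coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com,
ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net,
freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com,
kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com,
ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com,
searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com,
slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com,
the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk,
white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws"""
EXTRA_HOSTS = "doubleclick.net"

# Syntactic hostname check: labels of letters, digits and hyphens, at least
# two labels. Anything else is reported rather than written to hosts(5).
HOSTNAME_RE = re.compile(
    r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$')


def parse_blocklist(*texts):
    """Split comma/whitespace lists into (hostnames, ip_literals, rejected), deduplicated."""
    hosts, ips, rejected, seen = [], [], [], set()
    for text in texts:
        for tok in re.split(r'[,\s]+', text):
            tok = tok.strip().lower().rstrip('.')
            if not tok or tok in seen:
                continue
            seen.add(tok)
            try:
                ips.append(str(ipaddress.ip_address(tok)))   # hosts(5) cannot block these
                continue
            except ValueError:
                pass
            (hosts if HOSTNAME_RE.match(tok) else rejected).append(tok)
    return hosts, ips, rejected


def hosts_entries(hosts, sink="127.0.0.1", with_www=False):
    """Render hosts(5) lines as '127.0.0.1 host', the way the comment suggests.

    hosts(5) matching is exact, so an entry for example.com does not cover
    www.example.com; with_www=True adds that variant (my addition)."""
    lines = []
    for h in hosts:
        lines.append(f"{sink} {h}")
        if with_www and not h.startswith("www."):
            lines.append(f"{sink} www.{h}")
    return "\n".join(lines) + "\n"


def hosts_covers(hosts_text, name):
    """True if hosts_text has an entry for exactly `name` (no subdomain matching)."""
    name = name.lower().rstrip('.')
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and name in (f.lower() for f in fields[1:]):
            return True
    return False


if __name__ == "__main__":
    hosts, ips, rejected = parse_blocklist(CWS_LIST, EXTRA_HOSTS)
    print(hosts_entries(hosts), end="")
    print("# IP literals for the proxy/firewall deny list, not for hosts:", ", ".join(ips))
    if rejected:
        print("# rejected (not valid hostnames):", ", ".join(rejected))
```

Append the printed block to `/etc/hosts` (or `%SystemRoot%\system32\drivers\etc\hosts` on Windows) and put the two IP literals in the proxy or firewall rules; keep the generated block in its own file so it can be regenerated when the list changes.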
hijackthis
No one mentioned hijackthis yet! http://www.spywareinfo.com/~merijn/ It might be harder to use but it is damn effective. Especially when used with the others.
-
Malware - Love it AND hate it
On one hand, spyware is some pretty evil stuff. There are little weasel programs I've spent quite a bit of time trying to get out of systems.
On the other hand, I get paid to do that. I just did one small company with 5 computers that was literally shut down because they couldn't do anything on their systems. Spyware is a problem on just about every single "joe average" computer that I have seen lately. The problem, of course, is going to get worse as long as Windows continues to allow users to run with privileged access by default.
I don't feel like going into a Microsoft rant - I'm sure it would be preaching to the choir anyway. I would like to share effective tools in my warchest for cleaning out spyware -
Ad-Aware - My favorite anti-spyware program right now. Gets about 95% of baddies.
HiJack This! - Cleans up anything that Ad-Aware may have left behind. It scans all startup regkeys, services, and BHO IE extension keys and lets you select which ones to nuke. BE CAREFUL, it lists both the good and the bad. If you don't know what a process is, google for it before you remove its key.
There are many other useful tools on this download page as well, like LSPFix. This program will fix the mess left by programs that mess with your TCP stack, such as New Net, whose manual removal can disable your Internet access completely.
Pocket KillBox - You know those processes that come back from the dead after you kill them? Can't delete the EXE because it's locked in both normal and safe modes? Pocket Killbox is what you need. If it can't delete the file outright, it can temporarily end the Explorer task and try it that way. If that doesn't work, it can use Windows' replace-on-reboot function to swap the EXE with a dummy file on the next reboot. Very handy for getting rid of the most nefarious of processes.
Spyware Blaster - Pre-emptive spyware prevention. The interesting thing about this program is that it doesn't remain resident in memory. Instead, it writes files and regkeys to your system that prevent the spyware from installing. Adding and removing protection can be done in one click. -
frightening
The privacy ramifications of this are frightening. RFID is already widely used in product storage, it makes warehousing far easier and more streamlined. The problem is that the tags aren't always deactivated once the product has been purchased. If this turns into a gigantic linked network, consider the possibilities. Any hacker worth his salt could dial in and figure out what you purchased, where it's being kept... any number of things. It would make tracking your spending habits simplistic. more on RFID: http://www.spywareinfo.com/articles/RFID/Metro_Rheinberg.php -
Cleaning CoolWebSearch Tip
Hopefully you tried CWShredder? Best thing out there, because Merijn got a vendetta
-
Re:Good luck calling around
Don't use just AdAware; Spybot and MS Anti-Spyware (which runs on 2K) have assisted me much in clearing out istbar from the systems of people who're infested by it. If you know Windows enough, HijackThis can help you with manual spyware clearing.
And switch away from IE - IE on Win2K is still unsafe as hell (not all of the XPSP2 updates have been backported). You're almost certainly regularly going to a website with ISTbar exploit installer, hence the reinstallation. Firefox or Opera. -
Hijack This/MS-Config
http://www.spywareinfo.com/~merijn/downloads.html Hijack This will create a log of possible Malware. Google all the entries to figure out which ones aren't legit. Not always easy since some malware will randomly rename themselves. Remove questionable entries, either by googling the specific manual removal instructions or let HT delete the entry for you. Also use msconfig to turn off all startup items. then go to "services", hide the MS services and turn off everything left. Reboot. Turn all services left and reboot. Turn on each item turned off and reboot till Malware shows itself. Once the baddie is located research manual removal instructions. I had a similar problem with my PHB's wife's PC. The above helped though the biggest problem turned out there were 6 worms hiding out and turning Norton off at each reboot. Had to download and burn to CD 20 something worm/virus detect and removal progs.
-
HiJack this
You need to use HiJack This. http://www.spywareinfo.com/~merijn/downloads.html
This program doesn't actually detect spyware/adware/malware, but rather it shows all items that are currently loaded on your system. It does have some helpful hints as to what these items might be, but doesn't specifically tell you if something is malware. You have to be savvy enough to figure it out yourself. I've gotten rid of a few nasty progs with this helpful tool. -
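The triage step several posts above describe (HijackThis lists start pages, BHOs and Run keys, and you then research each entry), as an added example that is not HijackThis code: it parses constructed log lines written in the line format HijackThis prints (R0/R1 for IE start and search pages, O2 for BHOs, O4 for Run keys), flags pages pointing at domains from the thread's hijacker list, unnamed BHOs, and startup items not yet on a constructed "already researched" allowlist.

```python
import re
from urllib.parse import urlparse

# A few hijacker domains from the list posted in this thread.
BLOCKLIST = {"coolwebsearch.com", "cool-web-search.com", "searchv.com"}
# Constructed allowlist of startup items already looked up (assumption).
KNOWN_GOOD = {"nvcpl.dll"}

# Constructed sample log in HijackThis line format; not a real machine's output.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cool-web-search.com/search.php?id=1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\sw.dll
O4 - HKLM\..\Run: [VolumeControl] C:\WINDOWS\System32\volctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

def host_of(url):
    """Host of a URL, lower-cased and without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def on_blocklist(host):
    """True if the host or any parent domain is a known hijacker domain."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def triage(log_text):
    """Return (code, reason, detail) for each log entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if on_blocklist(host_of(url)):
                findings.append((code, "IE page set to hijacker domain", url))
        elif code == "O2" and "(no name)" in body:
            dll = body.rsplit(" - ", 1)[-1]
            findings.append((code, "unnamed BHO; identify the DLL first", dll))
        elif code == "O4":
            # Last exe/dll in the command is the real payload (rundll32 hosts a DLL).
            files = re.findall(r"([\w.-]+\.(?:exe|dll))", body, re.I)
            target = files[-1].lower() if files else body
            if target not in KNOWN_GOOD:
                findings.append((code, "startup item not yet researched", target))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```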
Re:I'm a little too paranoid for this one...
Well, domains yes, specific pages, no. And they even let you turn off the autoupdater if you want. First time I've ever seen that from Google.
What I'd like to know is how this helps a broadband connection but not dial-up. My connection already loads most pages nearly instantly.
-
Re:How to solve these problems.
Use Hijackthis http://www.spywareinfo.com/~merijn/downloads.html instead of reinstalling the OS to find those pesky self-monitoring spyware programs. Oh, and remove them in safe mode or the command prompt.
crappy spyware. -
Browser Bottleneck?
Sorry, but I just don't really see too much value in this kind of comparison. Even viewing an intranet site on a switched 1Gbps ethernet connection at full duplex, the browser isn't the bottleneck.
It's either the network connection itself (especially on dial-up/ISDN/xDSL) or the server. So, fine.. if I use a browser which takes half a second longer to render a page, so what. I've just waited 30 seconds to get half a page from an overloaded server which lives on another continent. Curious that such other limitations should go without mention at the home of the Slashdot Effect.
In any case, with Internet Explorer, you get browser helpers like CoolWebSearch, IGetNet, HomeOldSP and many, many more all for free! (even if you don't want them). -
Did you google before posting this?
I hope I'm not being too rude, but seriously, I googled for referrer spam and bam...first result had some decent advice. This was just the first thing that came up. Add the word "apache" to your query and you will get some very helpful results. Besides, this is Slashdot...not a trove of reliable information/advice. Just start using Apache to start blocking the Mallorys. Also, if you're still posting any kind of statistics or referrers publicly, stop. Spammers wouldn't do this if Bloggers didn't publish that kind of abusable data.
-
Re:Is spam such a huge problem, really?
Does this answer your question?
That trash folder is holding the contents of ONE DAY'S worth of spam, viruses and viruses bounced at me by bonehead email filters. Overall, I'd say this was a light day.
-
Re:Sure there ain't no spyware...
For those who may not recognize the fallacy in your comparison, I'll point it out.
The difference is that there is plenty of "evidence" already for Kazaa not being "clean". If they want to claim they are "clean", they should have to prove it because there already is proof that they are not. In your Ashcroft example, the "secret agents" are just on a phishing trip with no evidence.
-
One of the Good Guys
Ben Edelman is one of the good guys in the fight against cruft that installs on your computer without your knowledge. The work he does is both comprehensive and shocking.. if you haven't checked out his site do so now. Particularly, look at some of the videos and documentary evidence at what actually happens, despite the claims otherwise of the scumware publishers themselves.
There are a handful of other people I can think of who've done a similar amount of work. Merijn Bellekom, Patrick Kolla and Andrew Clover spring to mind, although there are others.
-
Re:Microsoft Antispyware prediction is off the mar
I wonder how many weeks (days?) until we see this happen with Microsoft's antispyware app?
-
Hijack This!
I took a look at your site, and you're missing one of the biggest guns in my adware/spyware arsenal: HijackThis! A little techie to use at first, but I find it a great last resort when spybot and adaware fail...
-
Re:Security/Privacy issues
I had the same problem on my brother's PC, it was a self installed little nasty called CoolWebSearch. It is a pretty common browser hijacker these days. I got around it with a removal tool called CWShredder and a windows update.
-
Re:Work with a windows system?
Ad Aware should remove most of the spyware, but there's a lot of stuff that digs itself so far into the system that it's nearly impossible to clean. I also recommend "Hijack This", although it will not remove anything it will give you a list of all running processes, then with the help of google, you can disable anything that shouldn't be running. Also be sure to use "msconfig" to disable any processes that try to start at boot time that may be malware (again google is your friend).
Of course when this is all done run a complete virus scan, I use the free version of AVG and haven't had any problems. And also be sure to get all the windows updates.
Last thing to be aware of is that some of this malware will corrupt system files and whatnot and a full reinstall may have to be done anyway, but I always recommend that as a last resort when fixing someone else's machine because there is always something that they forgot to backup and it's you they're going to call to try and find it.
Ad Aware: http://www.lavasoftusa.com/software/adaware/
Hijack This: http://www.spywareinfo.com/~merijn/ -
Re:Yeah, right.
No, it gives you the same little info bar up top that Firefox does when you try to install an extension from a non-whitelisted site. Then it pops up the following dialog.
-
Great P2P info
Here is a list of infected file sharing programs.
http://www.spywareinfo.com/articles/p2p/ -
Re:For the uninitiated...
HijackThis is an extremely useful tool if you can tell a "regular" windows component from a non-regular one.
It will catch almost anything, since it scans based on malware vectors, rather than signatures. I routinely remove spyware at a smallish university, and I'm beginning to prefer HijackThis over spybot and AdAware, because HijackThis is faster, simpler, and I know what I'm doing.
It also encourages the less-knowledgeable/newer employees to learn what is normal Windows behavior and what is not.
No Loafing! -
Re:CoolWebSearch
I have run into this hellish demon before, on my wife's computer. After painstakingly researching (So many different variants of CWS make removal instructions hard to find, especially when I had no idea that it was called CoolWebSearch).
However, once I learned what it was, I downloaded CWShredder (here and here), which got rid of the nuisance quickly and painlessly. And it took less time than a reinstall.
-
Re:Spyware removal is huge business for me!
Not really true. Some CWS variants are really really hard to remove (in extreme cases, using the oxymoronically-named HackerDefender rootkit to disguise itself, plus hide and shut down CWShredder, AdAware, Spybot S&D et al when you try to install them), but everything is possible.
Basically, if CWShredder, Spybot and AdAware don't work for you, and you can't see anything on your HijackThis! log, first step is to search on the now slightly outdated CWS Chronicles and then on many of the excellent anti-spyware forums out there, all of which have encountered more variants of CWS than you could ever imagine. If you can't find someone else with the same problem, then post your HJT logs and other stuff and someone should be able to help you.
These parasites (it's not all spyware anymore) are now really, really, really out of hand - the CWS people, especially, but there's even worse people out there - and something needs to be done to stop them. Unfortunately, that's not going to happen anytime soon - since the companies that make most of these are "legitimate businesses", as opposed to idiot teenagers with Visual Basic. Shame.
-
Re:Open source spyware removal utilities?
A fourth reason - free-as-in-beer, closed-source spyware removal utilities are already ripped off by unethical software companies (see here for an example), and this would discourage people from making open-source utilities that would be even easier to rip off.
-
Re:Registry vs. RC/INI
They're supposed to be there, but if they're not, it doesn't make a difference how they're organized. Would you rather search every key in the registry (mine's about 10MB), or search the contents of every file on the disk to find your hidden settings?
As far as malicious apps go, that's why I have AdAware and HijackThis, along with StartupList. I think it's ridiculous that there are something like 50 different places that you can inject a program on Windows startup (run StartupList /complete to list them), but again, it doesn't matter how it's organized, it would be equally as ridiculous - but harder to manage - if it were spread across 50 different files instead of just 45 keys and 5 files.
Do you consider NAV to be malicious? =) And dear god no, I'd never remove it by hand. Why would you do such a thing? If it comes down to it, I'd reinstall over the current incarnation and uninstall the new one, or kill the folder, remove all the startup entries and hope it still boots. I've never had a problem just uninstalling AVs if the system was stable, and if it wasn't I usually had bigger problems that could only be solved by FORMAT and the like.
AV software is inherently tricky, since it usually hooks several APIs and specifically would NOT want to let itself be removed. I'm glad it is that way, otherwise the next virus to come along could just trash the INI file and force a reboot, and then my computer would be wide open to anything else coming down the pike. That'd be pretty darn useful AV, eh? -
Mac Spyware already a reality
Sorry to say but spyware on the Mac has already reared its ugly head.
It's only a matter of time before they infect my iPod too!! AIEEEE