Slashdot Mirror


Which Adware and Spyware are the Most Insidious?

the_dreadnought asks: "I was just asked today which adware and spyware are the most insidious by an acquaintance. He asked me if this stuff was really legal, or was it just not important enough for law enforcement to deal with? I know the porn stuff (not from experience... ok, from experience) that dials out to foreign countries is one of the more extreme examples, and Gator is well known, but if Slashdot readers could describe what adware and spyware they think is the sneakiest I would appreciate it. Also, any thoughts on whether some of this stuff is even legal, as it is almost certainly not ethical."

52 of 840 comments

  1. IMHO the worst one was........ by i_want_you_to_throw_ · · Score: 4, Informative

    Xupiter! Or what used to be Xupiter. In its time it really wreaked havoc. Although going to their home page says they are out of business, this link on their site shows that they may be up to something else soon

    You can share some of the love for the Yomtobians here. These guys are right up there with Spamford Wallace and the Cantor/Siegel in the Internet Hall of Shame.

  2. i'd have to say.... by Anonymous Coward · · Score: 0, Informative

    windows. yes...definitely windoze

  3. Windows Spyware Removal by Davak · · Score: 5, Informative

    Here are the removal programs...
    Spybot
    Adware

    However, this begs the more interesting questions....

    Is there *nix spyware?
    Why not?

    Davak

  4. Weatherbug by grumm3t · · Score: 2, Informative

    That darn weatherbug thing that everyone I know has. You try to uninstall it but it manages to find a way back in :-/

  5. Lop.com by DJ+Rubbie · · Score: 5, Informative

    Lop is by far the worst one ever... recently I convinced my cousin to switch over to Mozilla Firebird, but this article (http://www.spywareinfo.com/articles/lop/) suggested that Mozilla isn't 100% safe, but is much easier to cure than hacking the registry (apparently it's just one line in the user_prefs). One source said that it changes 47 registry keys... I also found that it randomly mutates into new filenames (actually it downloads newer versions), making it much harder for programs like Adaware to hunt it down.

    Also, Lop disguises itself as an mp3 search toolbar. It also comes with newer versions of MSN Plus.

    One more thing, some people are willing to profit from lop uninstaller, such as this one - http://www.onlinepcfix.com/spyware/Lop.htm - it contains some more information related to lop.

    --
    Please direct all bug reports to /dev/null
  6. Re:New.Net by shawnywany · · Score: 5, Informative

    I agree, that HijackThis program did wonders for my parents' messed up computer. Not only did the search page mysteriously get changed after every reboot, we had the misfortune of answering questions from my little sister about the porn popups the BHO caused when she accessed Neopets. However, one or two clicks with HijackThis and all was right again. Adaware and S&D don't catch everything, looks like I had to add ANOTHER program to my arsenal.

  7. Redsheriff is the one I find particularly annoying by kevinatilusa · · Score: 2, Informative

    Not necessarily through the damage it does, but through the sheer number of times I have to get rid of it. Even though I use adaware and block cookies, it still manages to get itself in through a back door (I think it runs as a java applet, which then installs a cookie).

    It doesn't do anything particularly nasty (other than send tracking data out), but I find it hard to block and it's used by quite a few sites that I visit often (BBC, for example).

  8. Re:RealOne by galacticdruid · · Score: 2, Informative

    Ya - no kidding. I hate realplayer. Every time I set my mpgs to load in windows media player, 10 seconds later some kind of dll that always runs sets my file associations back to realplayer. lame!

    --
    we are all one consciousness experiencing itself subjectively - bill hicks
  9. Re:New.Net by caseih · · Score: 5, Informative

    The easiest way to delete New.Net is to do the following:
    1. remove it using "Add/remove" programs
    2. if still not working, remove the WinSock and WinSock2 registry keys from CurrentControlSet
    3. Go to network settings on win98 or on 2000/XP, just go into the properties of your network connection and if possible, remove tcp/ip. On XP this is impossible, so ignore this step
    4. Add new service. If you're not on XP, just reinstall tcp/ip. On XP, select "have disk" and point it at C:\windows\inf. Then select tcp/ip and install it
    5. clean up any newdotnet files lying around.
    6. Join a class-action lawsuit against the company that makes this piece of crapware.

    Be aware that these steps can cause problems with programs like cyber-sitter or firewalling programs that modify the networking stack. Do this at your own risk.

    This is very prolific. I've cleaned it on one laptop twice! I have a suspicion the user is downloading crap all the time, but I do wonder in what form it comes in.

    Michael

  10. SaveNow by pavera · · Score: 4, Informative

    The worst program I've ever seen is savenow..
    It starts like 5 processes on boot (using between 50-75mb of ram and 20-25% cpu), sends all of your browsing habits somewhere else, and pops up porn, and other various ads randomly while using the computer. It is by far the worst spy/ad ware I've ever seen.

  11. Re:New.Net by Anonymous Coward · · Score: 5, Informative

    Or you can just reset Windows XP's TCP/IP stack

    from command prompt:

    netsh [enter]
    int ip [enter]
    reset [enter]

    then reboot

  12. Re:RealOne by questionlp · · Score: 2, Informative

    Depending on which version of Real Player you are using, I'm using 8, you can go into the application's preferences and tell it to disable the Real icon in the systray and not to hijack the associations for other supported media types (in 8's preference dialog and under the Upgrade tab, click on "Auto Restore Settings" and uncheck anything that's checked).

    I did that during the setup and after it was running and haven't had that problem since. I haven't touched RealOne, so I don't know where they would hide that stuff. Else, go to the Registry and remove their systray app from running.

  13. Nastiest is CoolWebSearch by Anonymous Coward · · Score: 1, Informative
    CoolWebSearch is nasty - hard to detect, hard to remove.......and it keeps changing. Check the link below for complete info!

    The CoolWebSearch Chronicles
    The story of a thousand hijacks

    This is an article which details the variants of the browser hijacker known as CoolWebSearch (CWS). In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

    The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.

    The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online. However, even though the evil programmers of CWS have released over half a dozen versions of their hijacker on the advertising market in such a short time, it should be mentioned that it is very hard to catch a live installer...........

  14. how to disable the 'message center' by JAYOYAYOYAYO · · Score: 2, Informative

    search your hdd for 'realsched', don't delete it (else it will automagically be reinstalled), just change the name to realsched.old or something. voilà, no more message center system tray popups!

  15. kazaa by ComputerizedYoga · · Score: 2, Informative

    kazaa and everything it bundles with it are my collective vote.

    I used to work tech support, where half the problems people had using our pages had to do with the numerous spyware programs installed with kazaa. It was a mess.

    I'm glad that in my department now my users don't have admin privileges. If they get themselves spywared, it is easy to fix -- if all else fails, back up their roaming profiles and blow them away, recreate settings on next login! I don't know of anything that can survive a brand new shiny profile ;)

  16. Re:Weird Comparison by sTalking_Goat · · Score: 2, Informative

    cat shit has a weird sharp afterodor that dogshit doesn't. I've found it's relatively easy to get rid of dogshit odor quickly it pretty much localizes. cat shit odor on the other hand travels and adheres to stuff. You have to Febreve the fuck out of everything to get rid of it, and it never truly does completely leave...

    --

    My days of not taking you seriously are certainly coming to a middle...

  17. Re:RealOne by CaptBubba · · Score: 5, Informative
    "unfortunately there is no other player which plays their media"

    There is Real Alternative. I'm not sure how legal it is, but it plays the files and I don't have to install the RealOne crap. Until I found it I simply didn't use any sites that relied upon realplayer files. I was so happy when Amazon.com added WMP samples.

  18. From Gators own .js app detection file :) by caferace · · Score: 2, Informative

    DateManager PrecisionTime Gator eWallet OfferCompanion Dope Wars Go!Zilla MThree_Decoder MThree_Encoder MThree_Ripper DivXNetwork DivXNetwork2 Audiogalaxy Satellite MailCleaner Grokster iMesh Swaptor Shankster MediaSeek Morpheus Screen Scapes Software Supreme Sunsets Supreme Sunsets Setup Weatherscope Blubster Weatherscope SearchScout Toolbar

  19. Novice Computer Repair Man by killmeplease · · Score: 1, Informative

    I have a degree in Computer Science and that makes me the computer repair man for everyone I know. The biggest problem is unsolicited adware programs.

    Gator - Slows the computer and uses insane amounts of hard disk space downloading ads.

    Weatherbug - Slows the computer down and is difficult to install.

    Bonzi Buddy - Similar to Gator.

    New.Net - Does nothing useful but slows the internet connection to unusable levels of slowness.

    These programs are almost always installed by kids using the family computer. Kazaa is the biggest problem because it automatically installs adware. I can't count the number of houses I have gone to where the computer is unusable. I remove the programs I have listed and the computer is usable again. Sometimes the kids have tried uninstalling the programs incorrectly and I have to reinstall windows, all 'cause the kids wanted to check out porn on kazaa. Little bastards.

    --
    - Kill Yourself, spare us all! -
  20. Re:RealOne by desenz · · Score: 2, Informative

    The real difference though, is that quicktime only tells you to 'go pro' when you use it. In windows, realplayer keeps a process going called realsched. It's only 128k so you don't really notice it, but it's there to let you know about all your upgrade options.

  21. Re:CoolWebSearch by Idealius · · Score: 2, Informative

    Actually, you can still remove the latest variants, it just takes much more effort. You have to use a program like Hijack This! which can scan all the registry keys that spyware like CWS normally resides and remove them manually. Just did it last week with a customer.

  22. Re:Most Filesharing software like iMesh and KaZaAa by Anonymous Coward · · Score: 1, Informative

    That's why god created Kazaa-lite and such.

  23. Re:One word...GATOR by bhtooefr · · Score: 4, Informative

    Google Toolbar doesn't count, because it is a VOLUNTARY move to enable the spying features (default is to disable them, they give you a nice short EULA that tells you they'll get some info from you if you enable PageRank). Gator and the more insidious MemoryBlaster (or something like that - it's a taskbar icon that shows you percent free RAM, and takes up about 50% of RAM on a 128MB box with XP itself) count. Taking into account that someone could be blindly clicking links, one could VERY easily get the whole GAIN suite in a few seconds. (BTW, there are MUCH nicer alternatives to those - I've heard RoboForm isn't spyware, and can even import your Gator data if you did once use it, Date Manager? double click on the clock! (oh wait, roblimo can't figure that out) PrecisionTime? ArgoSoft Time Synchronizer is what I use - good ol' fashioned freeware)

  24. Re:RealOne by tarquin_fim_bim · · Score: 3, Informative

    > unfortunately there is no other player which plays their media

    mplayer!

  25. Re:RealOne by DrEldarion · · Score: 3, Informative

    Yeah, but that still doesn't take care of the fact that the software is crap. Back when I had Windows 2000 installed, the only time I got a blue screen was when I was using realplayer.

  26. I do tech support... by skank · · Score: 2, Informative

    and run into this cr*p all the time. New.net is always fun, as are Xupiter, Xzoomy, and the newer variants (like orbitexplorer). There's another one called lop that has been pretty fun to try to get rid of. Here is a quote from doxdesk.com about lop I find amusing "lop/Toolbar installations normally put a round icon in the system tray, try right-clicking this, choosing 'Menu', then on the resulting window, clicking 'Help', then 'Uninstall'. With newer variants you will have to answer an annoying riddle before it will go away."

    I really hate dealing with this stuff over the phone with people who don't know what IE is or where the start button in any version of windows is located. It makes you wonder how they know they have a problem in the first place, did they make it to their 3rd game of solitaire and not get any pr0n pop ups? Either way, if you don't know how to use a computer, why do you automatically click on "I agree/accept" any time it pops up on your screen? This was my short list of spy/ad/cr*pware that gets on my nerves on a daily basis. Have a nice day...

  27. In gator's defense... by stile · · Score: 2, Informative

    Now, let me step up and argue the other side of this one for a moment. Sure, gator sucks if it shows up when you don't expect it to, like if some shareware program you download installs it without telling you. However, I recently wanted to encode a DIVX movie. Just one or two, mind you, not a ton of them. So, I went to the DIVX website and downloaded their encoder. They will let you use the decoder for free (or they used to...) but the encoder part costs money. Alternately you can install and use the encoder for free if you agree to let gator on your system.

    They're very up front and honest about it: they want money for their software, so either you fork it over or donate your eyeballs. Sounded fair, I didn't intend to have it on there for more than a month or so.

    The installer was also very open about the fact that it was installing Gator, and the fact that I'd be seeing ads occasionally. After I installed it, gator came up, and I found a nice little preferences pane. After some digging through "advanced settings" I found out I could make it display ads approximately 1-3 times a week at minimum. I did that, and it never bothered me again. I think I've seen it pop up maybe a few times. I can deinstall it any time.

    So what's the big deal?

  28. Re:New.Net by uncoveror · · Score: 3, Informative

    Have you tried Pest Patrol? It has never failed me when I want to remove spyware crap for my father, or other non-techies who ask me for help. Tweaking the winsock registry keys might work for you or me, but not for them, and they are always asking for help.

    --
    The Uncoveror: It's the real news.
  29. For more info ... by fygment · · Score: 4, Informative

    ... maybe this site would help:

    http://www.spywareinfo.com/downloads.php

    --
    "Consensus" in science is _always_ a political construct.
  30. EarthLink users: think about SpyWare Blocker by valmont · · Score: 2, Informative

    i've been an earthlink user for quite a few years now and i usually tend to stay away from ISP-supplied software, but they have been putting out some pretty cool shit this year thru various 3rd-party software partnerships/cobrandizing, the latest of which being SpyWare Blocker powered by WebRoot. it is actually quite cool: it'll look for advertising companies cookies and disable'em for you, as well as offer you to remove 3rd-party spyware and trojans, i think it can do some other shit but i haven't entirely explored it yet. it maintains a constantly updated database of existing spyware. i wonder if it would catch the New.net shit. hrmzerz. and it's free for all earthlink customers.

  31. Windows by Hes+Nikke · · Score: 2, Informative

    Microsoft Windows and that dastardly Messenger service. (enabled by default) that would be the most insidious adware out there.

    oh and i guess XP qualifies for spyware with that nasty activation "feature" (though not quite)

    --
    Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
  32. Re:Pre-Installed Dell Software by 1010011010 · · Score: 2, Informative

    http://www.macopinion.com/columns/macskeptic/00/11/21/

    MacOS 9 made a call to Gilligan's Island and tried to send some information to its little buddy at littlebuddy.apple.com. This was supposed to be a one time event at the end of the install process - but of course, Apple, forgetting that not everyone on the planet has 24/7 high-speed internet to their homes, created a situation where if it fails (ie: God forbid, you're not connected to the internet while installing MacOS 9), it repeatedly tries to get through. This first surfaced because someone noticed that their Mac was trying to make a net connection when nothing was supposed to be doing that.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  33. Alyon Technologies and the auto-dialer by Anonymous Coward · · Score: 2, Informative
    Say what you want about annoying spyware and adware, but how many of them cost you $100? My computer had an auto-dialer installed on it somehow. We received a bill for $100 from a collections agency. It took us a week to even figure out who was trying to collect money from us. It turns out to be Alyon Technologies. You can read all about their shady dealings here.

    I thought that I had it bad, but some people received bills for $500. They have gone to court, and somehow they have not been shut down (though anyone that disputes their bill gets the FTC as a third party arbiter). I encourage everyone to educate themselves about Alyon Technologies. Go read through that site, you will learn about some of the worst people in the world, and how they will take advantage of you and then tell you YOU are at fault.

    I don't know if there is a Hell, but if there is, these people would be in the center of it.

  34. How to stop it on XP and above by friday2k · · Score: 5, Informative

    In Windows XP there is a feature called Software Restriction Policies (SRP, see here). This feature allows you to deny software to run based on Certificates (and Path, and Hash, and Zone for MSI). Since all the Spyware installers use signed Active-X "drive-by" installers this is an effective way to kill them. This, however, is an arms race. You need to collect the certs you want to invalidate first (upon first encounter of a spyware save their cert into a file and disallow it). You can find the feature in Control Panel->Administrative Tools->Local Security Policy. Have fun!

  35. Re:weird google override by aderusha · · Score: 2, Informative

    it's probably this. likely your hosts file has been hijacked, and quite possibly moved to a different folder (try c:\windows\help\hosts). the link has a removal tool.

  36. Re:I'll never know the name. by Anonymous Coward · · Score: 2, Informative

    I don't know if you checked this or not, but the problem may have been rather benign. The start page for Explorer, or most other web browsers, can be set in two places: in the application directly, or in the System Preferences. If the start page is set in the system preferences, and Explorer tries to use the system start page, changing the Explorer start page may have no effect. Explorer on OS X also had a problem not correctly updating some preference files under some circumstances, and settings changes sometimes didn't take effect. (Entourage also had this problem.)

    Either of these, or a combination, could have caused this problem.

  37. Re:Spybot Search & Destroy by Anonymous Coward · · Score: 1, Informative

    I've never had trouble removing New.net or any other spyware with Spybot Search & Destroy. Sometimes one or two reboots are necessary, but other than that it seems to do the trick.

    It even says, when cleaning with it, something like "Applying networking fix".

  38. Re:One word...GATOR by DeadMeat+(TM) · · Score: 4, Informative
    Roboform is your friend. It can import Gator passwords and then export them to HTML for printing (or parsing with your favorite scripting language).

    It's recommended as Pricelessware by alt.comp.freeware, which means no nasty spyware or adware.

  39. Re:One word...GATOR by jesser · · Score: 3, Informative

    You can extract passwords from Gator (or any browser's password manager) one at a time with the "view passwords" bookmarklet. Be sure to tell your client that vanilla IE (new versions) and Mozilla Firebird have built-in password remembering, so he won't have to type his passwords each time after he gets rid of Gator.

    There are also some password managers that can import from Gator. Roboform is an example. I don't know if I trust any of them, though.

    --
    The shareholder is always right.
  40. Re:RealOne by Raunch · · Score: 3, Informative

    > there is no other player which plays their media

    Whatever you feel of their supposed code nazi attitudes; mplayer plays almost everything.

    Don't hate the player, hate the game.
    I don't have a sig.

    --
    George II -- Spreading Freedom and American values, one bomb at a time.
  41. Spyware/malware infests more than just P2P by Analysis+Paralysis · · Score: 2, Informative
    While most P2P apps are riddled with the stuff (kudos to Shareaza and MLDonkey for steering clear of it), malware can crop up in some surprising places. I once downloaded a Windows Theme from DebbiesThemes. It came packaged in an .exe file - when running this it offered to install TopText, then silently (and without asking) tried to install the following:

    Using an application firewall like System Safety Monitor can help limit these (it intercepts calls between applications and allows you to permit or deny them) but this does require an experienced user.
  42. Re:Microsoft should fix windows by hetta · · Score: 2, Informative

    There's a nice little program called "InCtrl5". It was freeware, from PCMag, but they now want money for their "free downloads" ... should be easy to do, though.

    It takes a snapshot of your system before and after you install something, and shows you the difference. Configurable - "don't include this directory" or "include this directory" - but really, the default settings (check windows directories, registry, autoexec.bat, config.sys) are sufficient.

    'course, haven't used it in quite a while, now that I use SuSE ... but it was useful, way back when.

  43. Re:New.Net by Professor+Bluebird · · Score: 2, Informative
    And new.net even works on *nix! Installation instructions (from http://www.new.net/download/instructions_unix.tp):
    Edit the following file: /etc/resolv.conf.

    In this file, look for the line that starts with "search," and add "new.net" to the end of the line. Thus if the resolv.conf file currently reads like this:

    search example.com
    nameserver 1.2.3.4

    You should change it, so that it now reads:

    search example.com new.net
    nameserver 1.2.3.4

    If there is no "search" line in the file, but there is a "domain" line, then replace "domain" with "search" and then add the new.net as above.

    Your Linux/Unix machine should now resolve and enable your web browser to see the new domains.

    Though I don't think that 1.2.3.4 is really a nameserver though.
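
An added example, not part of the comment above or of New.net's instructions: a Python check of a resolv.conf for search suffixes the administrator did not approve, plus the query order the resolver derives from that list (resolv.conf(5) rules, default ndots of 1). The function names, the allow-list and the host names `printer.lab` and `intranet` are assumptions made for the illustration.

```python
"""Audit resolv.conf search suffixes (added example; sample data is constructed)."""


def effective_search_list(resolv_conf_text):
    """Return the search list the resolver will actually use.

    'domain' and 'search' are mutually exclusive; when several such
    lines are present, the last one wins.
    """
    search = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        fields = line.split()
        keyword, values = fields[0], fields[1:]
        if keyword == "search":
            search = [v.lower().rstrip(".") for v in values]
        elif keyword == "domain" and values:
            search = [values[0].lower().rstrip(".")]
    return search


def unexpected_suffixes(resolv_conf_text, allowed):
    """Search suffixes that are not on the administrator's allow-list."""
    allowed = {a.lower().rstrip(".") for a in allowed}
    return [s for s in effective_search_list(resolv_conf_text) if s not in allowed]


def candidate_queries(name, search, ndots=1):
    """Names the stub resolver tries, in order, for one lookup.

    Every name that fails as typed is retried under each search suffix,
    so an extra suffix means those lookups are also sent for that zone.
    """
    if name.endswith("."):                      # explicitly absolute: no search list
        return [name.rstrip(".")]
    with_suffix = [f"{name}.{s}" for s in search]
    if name.count(".") >= ndots:
        return [name] + with_suffix             # as typed first, then suffixes
    return with_suffix + [name]                 # suffixes first, then as typed


# The two file states quoted in the comment, plus a constructed mixed case.
BEFORE = "search example.com\nnameserver 1.2.3.4\n"
AFTER = "search example.com new.net\nnameserver 1.2.3.4\n"
MIXED = "search example.com new.net\ndomain example.com\nnameserver 1.2.3.4\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, "unexpected:", unexpected_suffixes(text, ["example.com"]))
    print(candidate_queries("printer.lab", effective_search_list(AFTER)))
```
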
  44. Re:New.Net by CrazyDuke · · Score: 3, Informative

    My vote goes to a program that is not quite as popular, but is similarly damaging called OSSproxy. Basically if you have the misfortune of deleting it, your system's DNS resolution is hosed until you reinstall Windows. You can uncheck it in startup, but like New.Net, you can't DNS anything. Oh, did I mention it does not come with any (obvious) uninstall?

    I usually run across this when a customer complains that since they switched off dialup to broadband, they can't access the net. Apparently, there is some screw up within the program that keeps people that switch net connections from DNSing.

    You can bitch at the company and they'll send you a buggy ass uninstall program (which really helps if you already lost your net connectivity :P ...not). But, the only way I've been able to remove it is using the following. Oh, but you have to not have deleted any part of it yet in order for it to work.

    "%WinDir%\System\NScheck.exe" /uninstall

    Then just clean up any garbage left behind.

    P.S. Looking up on it, it looks like some people have found out how to can the sucker if it was already deleted. Still a pain in the ass though.

    --
    Any sufficiently advanced influence is indistinguishable from control.
  45. Re:wow, idealab by rgmoore · · Score: 2, Informative
    > Interesting, new.net is an idealab company, which is sort of the archetypal silicon valley pipe dream.

    That's interesting, but Idealab is not a Silicon Valley company. It's based in Pasadena, which means that it missed Silicon Valley by about 350 miles.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  46. Re:New.Net by TheQuantumShift · · Score: 4, Informative

    or run them all together as MSN tech support is trained to do... "netsh int ip reset resetlog.txt" That along with "regsvr32 softpub.dll" and "regsvr32 wintrust.dll" will fix 99% of MSN problems. That and Referring to OEM...

    --

    Shift happens. Fire it up.
  47. Re:New.Net by Tim+C · · Score: 2, Informative

    > Isn't netsh a resource kit binary?

    Apparently not - I've not installed the resource kit on this machine (which is running XP Pro), but I definitely have netsh available.

  48. Re:RealOne by cicho · · Score: 3, Informative
    Correction. StartupMonitor doesn't look for systray apps. Rather, it intercepts any attempt by an application to add itself to autostart folder or a registry entry, so that the application will run automatically at startup.


    But you can't use it indiscriminately. Most setup programs for example will add a run-once entry to delete temp files or files that were in use and couldn't be replaced - this is something you want to allow. But the same setup program may also be installing fishy stuff, so you need to be able to tell the difference.

    --
    "Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
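
An added example, not part of any comment in this thread and not code from InCtrl5 or StartupMonitor: the before/after comparison hetta describes for InCtrl5, restricted to autostart registry values, with the Run versus RunOnce distinction cicho draws. The two listings are constructed samples in the key-then-indented-values layout that `reg query` prints; the function names and every entry in them are assumptions.

```python
"""Diff two autostart snapshots (added example; listings below are constructed)."""
import re

# A value line is indented: "    name    REG_TYPE    data".
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_snapshot(text):
    """Map (key, value name) -> data for every value in the listing."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented line starts a new key
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries[(key, m["name"])] = m["data"].strip()
    return entries


def diff_autostart(before_text, after_text):
    """List values that were added, removed or changed between the snapshots."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    findings = []
    for key, name in sorted(set(before) | set(after)):
        old, new = before.get((key, name)), after.get((key, name))
        if old == new:
            continue
        change = "added" if old is None else "removed" if new is None else "changed"
        findings.append({
            "key": key, "name": name, "change": change, "old": old, "new": new,
            # RunOnce values are deleted after they run once; Run values persist.
            "one_shot": key.lower().endswith("\\runonce"),
        })
    return findings


def persistent_changes(findings):
    """New or modified entries that will run at every startup."""
    return [f for f in findings
            if f["change"] in ("added", "changed") and not f["one_shot"]]


BEFORE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundTray    REG_SZ    C:\Program Files\Audio\tray.exe
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe /quiet

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""

AFTER = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundTray    REG_SZ    C:\Program Files\Audio\tray.exe
    Updater    REG_SZ    C:\Windows\Temp\upd32.exe /quiet
    Theme Helper    REG_SZ    C:\Program Files\ThemePack\helper.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    SetupCleanup    REG_SZ    cmd /c del "C:\Temp\setup.tmp"
"""

if __name__ == "__main__":
    for f in diff_autostart(BEFORE, AFTER):
        tag = "one-shot" if f["one_shot"] else "PERSISTENT"
        print(f"{tag:10} {f['change']:8} {f['name']}: {f['old']} -> {f['new']}")
```

The RunOnce entry is still reported so it can be read, but only the persistent additions and the changed `Updater` command are returned by `persistent_changes`.
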
  49. Re: hmm.... adaware? by PunWork · · Score: 2, Informative

    If you're running Win98SE - you can always refresh your installation by running

    "setup /p f"

    That goes through the installation procedure, refreshing all the corrupted/replaced files. Gives you options to keep the more recent ones, too. That's solved many a problem for me...

  50. This is Easy -- AOL by blizzardsoup · · Score: 2, Informative

    AOL is by far the worst piece of spyware ever devised by man.

  51. Re:I had to help a user over the phone uninstall t by GlassUser · · Score: 2, Informative

    For IE 5/6, do tools, internet options, security, internet, custom level. Set everything in activex controls to disabled, except automatically run, which you can set to run. This will only allow already-installed controls to run, but won't download new ones or give you that damned annoying message about how it's not running them because of your settings (that's the only reason you tell it to run - if you can deal with it nagging you for every refresh, set that to disabled too). You can block specific things like flash by adding the GUID and a descriptor to a certain part of the registry.

  52. Re:I'll never know the name. by babbage · · Score: 2, Informative
    > Safari on the mac still can't even handle forms right. try tabbing to a drop down box and see what happens.

    Actually, the "can't tab to all form elements" issue is a known one, and, according to David Hyatt, the primary developer of WebCore for Safari, a fix seems to be on the way:

    And in case you're curious, here's what we've already got working post 1.1 in WebCore that you can look forward to:

    (1) Support for the title attribute using tooltips

    (2) The ability to tab to all controls in a Web page and to manipulate them from the keyboard.

    (3) Support for table border collapsing.

    (4) Support for the CSS cursor property.

    ... and a whole lot more ...

    So all we need now seems to be the Safari 1.2 release. The only question is when that will be...