The Average PC is Infested with Spyware

WoodenRobot writes "This article claims that Earthlink have discovered that the average user's PC has 28 spyware programs on it. More details can be found on Earthlink's spyware auditing page." Compare to a university study. The FTC is hosting a Spyware Workshop.

Good effort to fight spam and malware

[mindless4210]

That's a pretty in-depth study, with over 1,000,000 scans, makes the results fairly strong. It's good to see all this combatting of spyware.

It really doesn't surprise me to hear that the average computer has 27.8 instances of spyware on it. Most users have no idea what they're doing; I constantly remove that kind of junk from my family's computers.

Earthlink has been doing a good job of fighting spam and spyware on the internet. I think it's a valiant effort.

slightly misleading...

[David+E.+Smith]

Note that of those 30 pieces of spyware per PC, 24 of them are labeled as "cookies."

There's still a LOT of junkware/spyware/adware/malware/whatever out there, far more than there should be IMO, but it's not quite as bad as they let on. :-)

Re:slightly misleading...

[Valdrax]

Typically, the kinds of cookies that spyware programs identify are cookies used by advertising companies that have multiple sites as customers and which are used to track you as a unique user from site to site, building an demographic profile. There have been efforts before to weld information from your logins at these sites to your browsing habits for a more personal marketing profile.

I've never, for example, seen Ad-Aware tag a Slashdot cookie as a privacy risk, but I have seen it tag Doubleclick and other crap from when I have to use Explorer (which I use for really uncompromising, cookie-laden sites).

I've seen pretty bad ones

[nightsweat]

Went to a party a couple weeks ago and cleaned 550+ bits of spyware off the hosts' machine. Took me a couple more days to find and send them the fixes for two IE parasites AdAware and SpyBot S&D didn't see.

It really should be a violation of the wiretap laws to put this crap on someone's machine. These poor non-technical users' machine was an Athlon 2200 that ran like a 486. Once we took the crap off, it zoomed.

Re:Earthlink? How ironic.

[maxbang]

I used to be on Earthlink, until I became disgusted with their "support." The only spam I ever get now is from my old address with them. I don't know what their spyware removal is based on, but I know it didn't catch gator running on a friend's PC. Between that and the spam, I don't see myself going back to them in the future, or recommending them to anyone I know.

3 programs..

[naelurec]

Spybot S&D
SpywareBlaster
SpywareGuard

I use these three programs (in the above order) on lots of spyware infected machines and so far, haveh a LOT of success removing and keeping spyware off those systems. Infact, earlier today, I ran that combo on a system and reduced RAM usage by 100MB, not to mention a huge speed increase (of course, I did some other housecleaning such as disabling startup items & removing some other non-spyware search bars & annoyances).

Re:So which is it?

I quote from the university study:

"They examined the traffic on the university campus and found that 5.1 per cent of all connected machines had one of these four programs running."

So, to answer your question, they got one in twenty because they only scanned for four spyware programs.

Earthlink's scan (using Spy Audit) went further. But don't trust the editor's writeup (do we ever?), they did not find "28 programs", but "28 items": 4 programs and 24 cookies. Check out the real figures from Earthlink.

I just tell my friends one word ...

[ninewands]

Ad-Aware

It just works ...

On one machine on which I installed it, it found and removed more than 256 spyware components (bad cookies, spyware registry keys, etc.). That friend installed it on her brother's PC (according to her, he's a <sarcasm>"Really Bright Guy"</sarcasm>) and it cleaned out more than 1,000 Bad Things(TM).

Re:I just tell my friends one word ...

[Mesaeus]

You should read the comments of the Spybot S&D developer on his webpage about how many "commercial" spyware scanners simply copy his hard worked on spyware database database which is FREE and then ask money for it. Some of them even include spyware of their own. Spyware is starting to become as worse a problem as email spam. Maybe even worse since email is always restricted to email, the inventivity of spyware developers to find new nooks and crannies for their spyware doesn't seem to have any limits.

I always recommend

[pretzel_logic]

using a web site http://www.doxdesk.com/parasite for spyware detection and removal instructions. Its pretty good!. Post some more links that may be useful

Re:Claims Overhyped?

That was actually lifted from Broadband Reports first, for what that's worth:

http://www.broadbandreports.com/shownews/42314

That's the only outlet I've seen noting that this is areally just an Earthlink PR stunt, and their software doesn't remove spyware because they're both lazy and conflicted....

No need to RTFA...

[retro128]

...because a lot of my work is cleaning up those systems infested with spyware. And that's just my parents, co-workers, and friends' systems. My co-worker has a laptop that she telecommutes with, and her sister got a hold of that thing and loaded just about every cute freeware app she could grab on the 'Net. This thing was so loaded down with spyware that they were wrestling each other for control over Internet Explorer, and it wouldn't even browse. I don't remember exactly how many hits Ad Aware picked up, but it was several hundred.

I also had a bad run in with new.net. My thoughts about those people would land me in jail if put into action. Read about these scumbags along with removal instructions here. I spent an hour trying to extricate it out of my mom's computer before finding this link. This thing has a DLL that literally ties itself into the TCP/IP stack of Windows, so removing it will disable TCP/IP. Just a slight problem, don't you think? Nothing like an untrusted third party app intercepting your TCP/IP calls and doing god knows what with them.

I should mention that a different co-worker picked up CoolWebSearch, a particularly evil spyware app that resurrects itself even after you try to remove it with Ad-Aware. An awesome app called CWSShredder is available at http://www.spywareinfo.com/~merijn/downloads.html.
Also located there is a HiJackThis, which scans regkeys commonly used by spyware and allows you to remove them. Be very careful with this app though, as legit keys are listed too.

In light my experience, I shudder to think what Joe Sixpack must have on his system....

Last thought: What gets my goat is how everyone's going after virus writers, but no one's touching these asshole spyware programmers. These programs DO interfere with system operations, are difficult to remove (some even actively interfere with ad-removal software), and run without the user's knowledge. I'm probably preaching to the choir here, but I simply must vent.

Re:Illegal

[KingRobot]

Usually, you agreed to having it installed on your computer at some point or another; especially Ad-Ware. Often it can be hidden in the fine print of some other programs installation, or a "plug-in" on a website.

Re:Small Issues

[pla]

And even so (I'm ashamed to admit) there's a bit of spyware that I can't seem to track down.

Do a Google search for "sted380.zip" (you don't want the ones after that, they disable themselves after a while). It lets you see exactly what programs your computer loads via the numerous startup methods, and delete them. Short of your particular problem somehow running as an actual device-driver, this would let you kill it.

Also, you might want to make sure you don't have any strange-looking services running - I've seen a number of difficult-to-remove programs that work by letting you kill them easily, but they don't remove an associated service that just reinstalls them at the next reboot.

Do what I do...

I teach a basic computing class (basic & intermediate internet use).

The primary topics are:
* Cutting & pasting (get them out of the habit of typing URLs manually)
* The browser is just a program, the internet is out there *points* all the browser program does is talk to the other computers.
* This is a URL, this is what the bits of it mean. These are TLDs, these have their registration controlled (mil, gov, etc.), these don't (com, org, etc.).
* You CANNOT trust everything you read online! (*uses google to find conspiracy theories, instructions on making tinfoil hats*)
* This is Google. Don't bother with the other search engines. Here is how we use its features...
* You should NEVER use the following programs unless you HAVE to, due to their insecurity:
- Internet Explorer
- Outlook [Express]
* You SHOULD use the following, free programs:
- Mozilla (replaces IE + OL, I don't want to confuse them by telling them to try Firefox, it's name might change before they could get it).
- Adaware
- Spybot Search & Destroy (NB: we use Google to find these; I warn them to beware the impostor programs)
- AVG Antivirus (Out-of-date AV programs are nearly useless. I know that you don't want to pay $$$ for constant updates. This is free for personal use [but not business use!], here is where you go to install it).

As you can see, I have it pretty well down pat by now. If any of you have free time, talk with your local library about setting up free classes like this for the community. We reserve one of our computer labs for this one, and I teach a class every week.

Most computer users aren't as stupid as they are uneducated. We cannot fix stupidity, but we can fix ignorance. Teach them and the messages will spread; hopefully they will also share their knowledge, mitigating the problems caused by poorly educated computer users.

Re:I hate this shit, SO much...

[Dok+Fenderson]

Have you looked into using a product like Deep Freeze? It locks the HDD down in such a manner that you can install whatever you want to but upon rebooting it returns to the state it was in when Deep Freeze was installed. Just have everybody save to removable media, a network share, or make DF ignore a particular directory and the problem is solved. I've used this as a solution in a couple of small private schools and it works like a charm.

Dok

Re:Firefox for HTML, what about for email?

[t_allardyce]

The reason for Outlook vulnerabilities stems mostly from Microsofts Visual-Basic script, which basically has access to things like your address book and the 'send mail' function, add to this that an email can contain a script and it will run just from the user opening the email and you have a great combination. It gets even stranger when you think how many times these 'worms' have got major media coverage and taken down entire mail servers from all the traffic they generate and guess who gets the blame? some script kiddie who although being an idiot, isnt as incompetent as Microsoft for leaving such a gaping hole open in the first place.

Frankly if it was a car and with a security flaw that ment _anyone_ could barehandedly get in and start the locked and alarmed car in less than 5 seconds without setting off any alarms there would be outrage against the manufacture and a recall and upgrade!

Opening executable attachments comes from the windows hack-around approach to programming, so no-one is quite sure of a zip file is an exe file or a screen saver is a virus, Thunderbird and other clients dont have script holes and i think they wont allow you to execute an attachment without saving it to disk first (prooving that you atleast know roughly what you're doing).

Re:Over Hyped

[EtherMonkey]

That's because a fresh, out-of-the-box, consumer-grade machine from Dell (or HP or Compaq) DOES come with Spyware/Adware installed. For example: WildTangent games, RealOne Player, MusicMatch, et cetera. The manufacturers get PAID to put these on customer PC's and get COMMISSIONS for each conversion to the full-featured product. If you think I'm making this up, then go out to Best Buy, Circuit City, Staples or CompUSA and look at any of the systems they sell. Dell's consumer-level stuff is no better or worse in this regard.

Re:Average this, average that

[Sgt+York]

True, but as the sample size increases, the effect of individual outliers and small groups of outliers dwindles. Once you hit a certain point, you have to have a large number of outliers, which would represent a seperate but significant group of users. Which is interesting in itself. Personally, I'd like a scatterplot of the data. Then see if you can type it to demographics...these people all had spyware, so it should be easy to get their demographic info.

Anyway, the Earthlink sample size was over 1 million. A single outlier or small group of outliers will not significantly affect that average, unless they had a couple of hundred thousand instances on his computer, and everyone else had 3.

Re:Small Issues

[Drantin]

while this program is a closed source one, it is a good freeware program that checks many places in the registry(and the normal StartUp menu, etc.) for programs that run on startup, StartUp It comes in a Control Panel applet and as a stand-alone exe.

(Disclaimer: I am not Mike Lin)

Lies, damn lies, and statistics.

[dtfinch]

Their figure of 28 pieces of spyware per computer considers identifying cookies to be spyware. When counting just spyware programs, the number drops to about 5 per computer. That's still quite high. They didn't need to redefine spyware to include things undeserving of the "-ware" suffix to get their point across.

Re:Average this, average that

You are using the wrong statistics terms:

Mean: The sum of the value of every item divided by the number_of_items in the sample.

Mode: The item in a sample that has the highest value.

No, you are.

You defined the arithmetic mean, which is commonly known as the average.

Mode is the item in the sample that occurs the most frequently. The item with the higest value is called the maximum.

The median is the value that occurs midpoint in the list of values when they are sorted in ascending (or descending) order. If the list has an even number of values, the median is the average of the two middle values.

Dork.

Not only the average PC...

[master_p]

And this is the case not only for home users, but for intranets also. I recently did a research in my company, and ALL Windows PCs (I mean all, 100%) were infected with at least one registry hack or spyware.

Most PCs had 100s of registry key compromises (Alexa being the most usual), and lots of spyware...some even had trojans and worms, even if Norton Antivirus is installed to all PCs as a company policy.

I recently changed my boss' internet explorer with Firefox, and replaced all desktop IE links with firefox.

I have made the habit of running Spybot - S&D and Lavasoft's Ad-Ware at least once a week, as well as having Antivirus on at all times.

Has anybody calculated the cost of malware ? it could be thousands of billions of dollars. So much time spend cleaning Windows installations, doing system scans, reboots, registry restores and cleanups...not to mention compromized servers and server downtime.

How much, if Microsoft was charged, would they have to pay society for the damage ?

Re:Earthlink? How ironic.

[Jeremy+Erwin]

Earthlink scanned 1,062,756 times, finding 29,540,618 instances of spyware. 23,826,785 of those were "Adware Cookies, which store personal information (like your surfing habits, usernames and passwords, and areas of interest) and share the information with other Web sites." Earthink SpyAudit

Now, if you eliminate the "adware cookies" as dubious, you're still left with the headline "The average PC contains 5.4 instances of "Adware, System Monitors, and Trojan Horses." Still tabloidish enough to get a rise out of most slashdotters.

Re:Not far from truth

[brandonY]

I recommend Mozilla or Firefox. They block pop-ups, pop-unders, all potentially bad ActiveX controls, and just about every other form of spyware. If you act now, you can even get standards compliance thrown in for free!

The cookies they do nothing...

[Ayanami+Rei]

At it's simplest a cookie is a just a mapping from a string to a value that your computer stores on the behalf of some webserver. It looks like this:

slashdot.org / 31 Apr 2004 user 621112::jrLk8rfhJlszg7DMS6cI83

Your webbrowser will provide that information to the server (slashdot.org) at a later time (before the expiration, 31 Apr in this case). In this way the server can "remember" who you are by storing whatever it would have otherwise forgotten as that cookie which is saved to your hard drive. In this case it's remembering that "user" equals 621112...blah blah blah. When slashdot sees me trying to load the front page, it gets that cookie, which it looks up and figures out maps to "Ayanami Rei" and shows me my Slashdot homepage as opposed to the generic one.

Here's the thing. Your web browser justs sends ALL the cookies that the webserver ever left everytime you fetch a URL from that server since it can't tell which one it might want... the server ignores the ones it's not intereseted in.

So whenever you see an ad banner coming from some site like doubleclick.net, you can be sure that it's setting and checking a doubleclick cookie. The thing that makes it dangerous is that it can also tell (from Referer headers also graciously provided by your browser) what page that ad was referenced from (and hence what page you were browsing!) So doubleclick.net can track you between sites that use their ad banners.

Etc. Some websites concerned about tracking traffic insert invisible images that fetch and set cookies from centralized webservers to get statistics. While cookies only get and set themselves to servers with the same name, that doesn't mean a bunch of websites can't subscribe to one tracking service. (And they often do...)

So while I wouldn't call it spyware, you need to be aware of the potential privacy implications and you need to carefully inspect your cookie files or cookie permissions. Mozilla lets you block access to cookies by originating sites, so you can control who can and can't use your cookie storage.

Re:The cookies they do nothing...

You just posted a one-way hash of your slashdot password, which can now be brute-forced cracked offline quite conveniently.
May I humbly suggest you change your password, here and on every other online service where it is used as well (if you're the password recycling type)?

Re:Stopping this crap

[kyoko21]

I doubt anyone will actually see this besides you so I will post the meat of my squid.conf file. It doesn't block ALL garbage, as for it only blocks the garbage that I have encountered. In a way it is only as good as the person that *trained* it.

What I have done essentially is enabled the real time URL filtering access control list abilities of squid. It isn't clean but instead of plastering it with crazy regular expressions, I have attempted to keep the list in alphabetical order (well I need to sort it yet again...).

I also have a fairly massive host file that cover some sites that I am not blocking. Though I could technically incorporate the host file into the squid file but I haven't done that either... lol!

I also have installed a lame little web counter that gets updated (works >50%) when redirected from the deny info tags.

you can see the configuration snippet here.

Re:whoa!

[FryGuy1013]

http://www.musicsonglyrics.com/T/Thursday/Thursday %20-%20Division%20St%20lyrics.htm

http://forums.mozillazine.org/viewtopic.php?t=68 86 9&highlight=xpi
for more detail + links to other posts.

Bullshit

[burbilog]

Ditch IE for Firefox. I just did 2 clients' computers today (running slow, yadayada) and guess what? One had 18 spyware trojans installed, the other had 64 (as well as a couple of viruses). Firefox (any Gecko-based browser) is not vulnerable to the crap that IE is. I always tell my clients to not use IE anymore. When they listen, they always have a better overall experience.

Firefox is not MUCH more secure than IE. Wanna proof? What's the fucking difference between IE's box asking about installation and Firefox's one? Yes, I'm talking about .xpi files. How long it would take before spyware will distribute itself as .xpi files and users will happily click "yes" in these boxes?.... I love mozilla. It's a very good browser. But don't think that it's a magic cure for all spyware.

Re:whoa!

[ErichTheWebGuy]

OMG! That makes me angry. The plugin that comes from the first URL is from www2.flingstone.com which redirects to the following URL: http://www.blazefind.com/license.html which is a clear slyware eula. I suspect that this would install and run beautifully on my Linux box with Mozilla 1.6... I feel like a child who has just had his innocence stolen.

Analysis of the tool...

[ChrisPaget]

The Register carried this story earlier - I posted this to John Leyden, and might as well repost here....

Being somewhat bored on a Friday afternoon, I decided to take a quick peek at
this software from Earthlink, and found some rather disturbing results. In
fact, it's ill-represented, borderline illegal, and about as intrusive as
RealPlayer (and that's saying a lot).

I ran my machine through their quick'n'dirty scan, which reported
1 Trojan,
5 Adware programs,
65 Adware cookies

Given that the combined might of one internet security expert, Ad-Aware,
HijackThis, Spybot Search-and-destroy, and Network Associates Antivirus (all
with the latest updates - me included!) found nothing, I got somewhat intrigued
and looked a little deeper. My (american) fiancee has an Earthlink account, so
I borrowed, that, downloaded the software, and (several reboots and updates
later), ran their proper spyware detector.

This showed up that it had found 123search, Alexa Toolbar, Bonzi Buddy,
OpenSite, and Netbus(!!) on my system. Every one of those apps would be found
by at least three of the apps which I regularly run, and every one of them would
have been found in the manual checks which I periodically run as well. So I
went a little deeper...

Once the checks had been run, I paused a little before allowing the tool to fix
the items it had found. In the meantime, I fired up regmon and filemon,
allowing me to see *everything* that the tool was doing.

This turned out to be not a whole lot. No files outside of either the Earthlink
install folder or the system registry were modified in any way. The only
registry keys which were deleted we for Netbus settings (OK, I fiddled with it
for a project about a year ago, but a registry key isn't exactly the same as
having it installed!) and a few random CLSID's that could have been anything.
Not exactly convincing evidence - especially considering that I know none of
those other apps have ever been anywhere near this machine...

So, having "fixed" everything, I ran the quick'n'dirty scan again. Surprise!
My machine was clean. So, I uninstalled the proper software (its ONLY saving
grace - it uninstalls cleanly), rebooted, ran the quick scan again, and was not
entirely surprised to find that it now listed no trojans or adware, but 18
tracking cookies. Despite only accessing the Earthlink site (and El Reg) since
it reported that I was clean. And still, Ad-Aware and Spybot report nothing...

Essentially, it looks like this is reporting large numbers of problems in order
to convince you to pay Earthlink for their software, which then magically
"fixes" all the problems (which never existed in the first place). They're
trading off the FUD associated with Spyware, and it's ethically and (probably
legally) wrong. Their product may be of benefit to people who know no better,
but I'd stick with Spybot S&D and Ad-Aware - two very good (and free) apps
which, when combined with a decent AV scanner (and maybe a personal firewall, to
boot) give you all the protection you need from spyware, and a whole lot else.

I have screenshots, logfiles, etc...

MSConfig

[giveuptheghost]

Or, just click Start, click Run, type "msconfig," hit Enter, click the Startup tab, and uncheck anything that you don't want to run at startup. There are numerous guides online that can help you sort the wheat from the chaff, and just doing this once will probably be enough, especially if you have a name-brand PC that you bought from Best Buy (since manufacturers and places like BB tend to pile on a bunch of unnecessary startup modules).

Re:Small Issues

[Mesaeus]

I recommend HijackThis, it will list everything it finds at all the nooks and crannies that spyware programs use to hook themselves into the system. Note that most lines will be for LEGITIMATE programs/system functions, so select carefully what you want to remove. In any case, I find it real easy to determine what's good and what's not, based on program names and directories. There hasn't been any spyware that I couldn't disable this way, though I usually run Spybot S&D first to take care of the easy and older ones.

Re:Not far from truth

[KrisHolland]

You are mistaken, Spybot Search and Destroy *IS NOT* spyware.

Here is a list of *SAFE* Adaware and Spyware removal tools.

*Free*

Spybot Search and Destroy
Adaware

*Not Free but Good*

Pest Patrol

Webroot's SpySweeper is really, really good.

[Ride-My-Rocket]

I had been using both Lavasoft's Ad-Aware and Kolla's SpyBot Search and Destroy to keep my box free of crapware, before my boss turned me onto Webroot's Spy Sweeper.

I've been SpySweeper as my primary spyware scanning tool ever since, with Ad-Aware as a 2nd-scan chaser. On the rare occasion that Spy Sweeper misses something, Ad-Aware always gets it, with a 0% margin of error (when using Spybot S&D as a 3rd-round scanner). Conversely, there were a few occasions that Spy Sweeper missed something in Round #1, but Spybot S&D also missed a few in Round #2, so that it was necessary to run a 3rd scan at all using Ad-Aware.

To summarize: Spy Sweeper rocks. If you want even more security, run periodic Ad-Aware scans, and you should be spyware-free (assuming you keep your product definitions updated).

Re:Worst I've ever seen Part 1

[CTho9305]

I think this guy has got you beat... 23,002 traces of spy/adware!

Re:Small Issues

[Laebshade]

Have you checked to see if it's piggy-backing on any extensions? Check in registry editor under HKEY_CLASSES_ROOT and look under .com and .exe. This link will help you out too. A simple google search brought that up. If you do a search for "shim.exe" on google it finds shim.exe with variable words in front of shim.exe. The program may be duplicating and rewriting itself just like a virus. This this, and this might help too. Of course this site and this site will always help.

Re:Small Issues

[startup.cmd]

Have you checked the service registry for the startup key? Look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es. There's a program called sc.exe from MS that allows you to stop these services and drivers from starting up. If you don't have Windows XP (which includes it by default), get it here. Place the executable in your path. Enter these two command lines to stop the offending program:

C:\>cmd /v:on

C:\>for /f "tokens=1,2" %S in ('"sc query type= service type= driver state= all bufsize= 51200"') do @if /i %S==SERVICE_NAME: sc qc %T 2048 | findstr /i /l "readme shim.exe" && (set SPYWARE=%T & sc config !SPYWARE! start= disabled)

What the above does is turn on delayed environment variable expansion. Then it queries all of the services and drivers that the service control manager (services.exe) manages. The command parses the output until it finds the offending executable and sets it to disabled, thereby preventing its startup. You could also use sc.exe to uninstall readme shim.exe. Just read the manual that comes in the zip file.

Fraud

[IgwanaRob]

This so called "Spyware Detection" program is a fraud. It is nothing more than a marketing ploy to get people to join Earthlink.

First, it claims that I have several spyware programs on my machine that I know for a fact I do not. Alexa and Wild Tangent are no where near this machine. Spybot and AdAware confirm, as well as manual checks. Seems they are possibly scanning registry keys, and finding SpywareBlaster's kill bit - either that or it is flat out lying.

Second, it uses generic names for non existent "trackers" - "Spy #5c5f4 -- Research In Progress" - sorry, if it's real, then it should have a name.

Finally, and this is the most aggravating one - this program identifies a cookie that Earthlink itself places on your machine when you visit this page as a adware cookie. They also list one cookie that I do have that I need - from TV Guide - to keep track of my channel listings on the TV Guide site. This I'll simply ignore, even though it's still wrong.

This means they are intentionally placing files on your machine so they can identify stuff to make you, the supposed ignorant user, paranoid and lead you to believe that joining their service and using their tools (which are freely available anyway) will keep these things off your machine.