Spyware Becoming Worst Tech Support Problem

teknurd writes "Wired has an article about the growing problem of computer users having to call tech support to get help removing all of the spyware on their computers. 'The fast-growing phenomenon is already responsible for more than 12 percent of all technical support calls in Dell's consumer hardware division, the biggest category of complaints this year, company representatives said.' Personally, I have had to remove this plague from the computers of several friends and family members."

Just run Spybot

[baggachipz]

http://www.spybot.info . That's all it takes. Have it run on people's windows startup and they're set.

Re:Just run Spybot

[AndroidonPPC]

\\(machine name)\c$\documents and settings\all users\startmenu\programs\startup\ is good place to start

or just make a registry file to add info into hkey_local_machine\software\microsoft\windows\curr ent version\run key. (hint: this works on any windoze box when done as administrator)

with remote administration and a script, you could have those puppys running mighty quick.

-Andy in Chi

Re:Just run Spybot

[drinkypoo]

Lavasoft Ad-Aware still detects things that spybot doesn't - and vice versa. Entirely (?) removing CoolWWWSearch actually required running both programs.

There's nothing you can do to prevent spyware aside from completely locking down systems so users have nearly no permissions to the registry or anything else. This of course means that no programs not explicitly allowed on your network will operate. If you can deal with this tradeoff, more power to you.

Spybot Search & Destroy is a fabulous piece of software but it doesn't do the whole job.

Re:Just run Spybot

[petecarlson]

Unless you were using an older version of Ad-aware, LSP-FIX would have fixed your tcp/ip stack. I used it on one of my friends computers and it worked perfectly. Of course I installed Mozilla while I was there and he asked me about it. I tried to explain that it was an opensource web browser but he just gave me a blank stare so I explained that it was an improved version of IE with a built in popup blocker and tabbed browsing.

Re:Just run Spybot

I'm going to make the assumption that XPI can be abused in the same way -- but why abuse 5% of the browser population (and the 14 users of Netscape Navigator) when you can abuse 95% of your browsing audience?

It's not very common, but it does happen. Check out this thread if you don't believe me.

Re:Just run Spybot

[GPLDAN]

I don't know if you've seen on the website, but Spybot has been under a concerted DDOS attack, off and on, for awhile. I think the fact the software is so damn effective, and the guy does just a frankly superb job of keeping signatures up, that's it's really put a thorn into the side of spybot creators everywhere.

If you can afford it, consider donating to the guy. That's a helluva bit of software to be giving away. Either that, or nominate him for the Nobel Prize, if your on the committee that is.

Re:Just run Spybot

[mgpeter]

just make a registry file to add info into hkey_local_machine\software\microsoft\windows\curr ent version\run key. (hint: this works on any windoze box when done as administrator)

Instead of messing with the registry, download the Excellent Startup Control Panel from Mike Lin's Home Page. This little Utility is an excellent way to control what does and does not execute on Windows startup. Using this utility you will be amazed at what processes are automatically started, some programs, like roxio's crap, will start 3-5 processes at Windows Startup.

It is also an excellent way to very quickly see if any Adware/Spyware is installed without running Adaware or Spybot.

Re:Just run Spybot

[Just+Some+Guy]

The problem is that if you have family or friends that don't know anything about computers and don't seem to care to learn, doing the above will help you out temporarily... and then cause you a huge amount of problems on Windows.

I have one (1) stock response to all non-business tech support requests. Say this verbatim, and without sounding condescending:

I work on computers all day, but they're the big ones like banks use, and I don't know much about the smaller ones that people have at their desks.

I know that Apple makes a nice little Macintosh computer that doesn't cost much more than a good one like the Windows kind you've been looking at, but they're a lot easier to use by people who aren't one of us computer geeks. My own wife has one and she loves it. If you get one of those, I could probably help you with it, but like I said, I really don't know much about Windows. Sorry I can't be of more help.

It gives them a useful solution to the problem they're having, is honest (I really don't know a whole lot about Windows versions more recent than Win98), and has one of two outcomes:

1. They buy a Mac, love it, and think I'm a hero.
2. They stick with their PC, but finally believe me that "has a degree in computers" doesn't mean "can fix every computer made", and find someone else to pester.

PS: You and I know that "big computer" means "FreeBSD web server over in the machine closet", but who wants to get hung up on details?

Re:Just run Spybot

[scumdamn]

The best fix for Winsock corruption in XP is to delete the Winsock and Winsock2 keys from the registry, reboot, and install TCP/IP over itself (you have to browse to c:\windows\inf to get it to show up in the list) but it works nearly every time. I've been having techs do it for about a month now and it's been very successful.

ad-aware

[frizz]

Is there anything better than ad-aware for solving this problem?

Re:ad-aware

[I+confirm+I'm+not+a]

Is there anything better than ad-aware for solving this problem?

Why, yes, as it happens! ;)

I've read some suggestions to run both Adaware and Spybot - I've found either to be more than capable on their own, but then I tend to practice "safe-browsing": use Firefox, use Linux where possible, etc.

Some solutions to spyware

[mausmalone]

AdAware is a great program, I swear by it. Also, working at a help desk, I often tell people to go into IE advanced settings and disable 3rd party browser extensions. They seem to think that if it's a toolbar for IE, it's automatically a great idea to download it.

Re:What a Crock

[Doesn't_Comment_Code]

Ah, yes. Here it is. It took me a while to find it.

http://yro.slashdot.org/article.pl?sid=03/12/03/02 57238&mode=thread&tid=126&tid=172&tid=187&tid=98&t id=99

STOP RUNNING AS ADMIN!

[dioscaido]

I'd say 75% of spyware issues come from users running as part of the Administrator group. All day-to-day use windows accounts should be a regular user, with the least priviledges as possible. Without being part of the Admin group, the spyware would not be able to write to HKLM registry, C:\ or C:\WINDOWS. Some spyware could still infect the user's directory, but at least a simple re-log on to Administrator could be done to clean up the machine.

CWshredder

[jrwillis]

CWshredder does tend to work REALLY well on that hard to get adware/malware. It's like I was complaining to a co-worker the other day, I don't feel like a Network Tech as much as a bloody computer janitor now.

Re:my experience...

[hattig]

A lot of "Spyware Removal" software is actually Spyware that removes competing spyware.

The only two to trust are AdAware and Spybot.

Unfortunately the Spybot download doesn't work at the moment, I think it's slashdotted.

Spybot on start-up works fine.

[Saeed+al-Sahaf]

But when you administer dozens, hundreds, thousands of Win boxes and you can't automate installing/configuring/running Spybot

Gee, that's strange. We have 300 Win boxes in my building and about 1000 company wide, not a lot really, but more than a few... Spybot runs just fine from the start-up script. Actually, though, since our machines (all of them) stay on 24/7, we run it and other stuff at night too (but those are scheduled tasks, of course). Need my LAN admin's number?

Re:Spybot on start-up works fine.

[Verteiron]

If you'll check the Spybot S&D forums, you'll find that, yes, there is a way to get push SpybotSD out to machines on a domain, and update it, and run it, silently, with no user interaction.

http://forums.net-integration.net/index.php?c=7

You can look under the hood yourself

[zeno_lee]

In addition to using the various anti-spyware software recommended above, like AdAware and SpyBot, I've made it a regular habit to look at these registry keys:

Run regedit:
Start->Run-> "regedit"

Look in:
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows
CurrentVersion
Run
RunOnce
RunOnceEx

The Run is an especially attractive haven for spyware companies. That's how spyware programs run their programs after users reboot their computers. If you suspect there are weird entries in these registry keys, download spyware removal software and run it. If you don't know what you're doing don't mess with the keys.

I also check TaskManager regularly for weird processes. It's a bit technical, but after a while you can see which processes belong and which ones don't.

[X] marks the spot

[mwvdlee]

This is what I told my dad after removing another 20 porn auto-dialers from his system ("Yeah sure dad, you have no idea how those got there"); Whenever you encounter a popup which you don't fully understand, click the [X] button top-right, do not click the "Yes", "No", "Cancel" or any other buttons. If no [X] button exists, hit the Alt+F4 keys. This basically got rid of practically everything problems since he doesn't install software himself (wouldn't know how if he wanted to).

Re:Odd... money to be made isnt being made?

[Have+Blue]

Possibly because encouraging companies to uninstall each other's software is a dangerous precedent. Who's in charge of deciding what's spyware? And it would be easy to slippery-slope one's way into a situation where Windows or BIOSes would only run code signed by a central authority.

Are you on Win2K?

[not_a_product_id]

If you are you can run most things as Administrator WITHOUT having log out. Just hold down shift and right-click on the EXE. The pop-up menu will have a "Run-As" option. Just put in your administrator details and away you go. It's not perfect but it's a damn sight easier than having to log out.

Re:Does Spybot S&D Immunize really work?

[sheddd]

After rolling out ~35 new PC's at work (with user rights to the registry and c:\windows so our most used app will work) I was freaking amazed at how good some of our clueless users are at finding viri/spyware. If I put my mind to it I couldn't screw up a pc worse. Every time IE started (with the new xxx toolbar) around 30 popup windows with all sorts've educational pics came up.

In 24 hours, one machine had over 60 viri quaranteened and several pages of crap that spybot picked up.

After enabling immunize, their infection rate went to almost 0.

It's not perfect, but it is a great help, IMO.

My Two Cents, Korean Spyware... The Horror!

[Chordonblue]

I'd have to agree, with the small provisio that I think that anti-virus firms need to do a better job defining what a virus IS.. As the admin of a small school I've decided that next year I'm locking down the labs - big time. I didn't do it up until now because of program incompatabilities but I have to say that if this remains an issue, it won't matter - we'll get different programs.

It wasn't so bad before this year. Yeah, there was some spyware out there, but it wasn't like f*cking 'n-case' which replicates itself to random filenames all over your drive and then inserts startup stuff in 'startup', the local and machine registry, and even the freakin' win.ini!!!

I called Sophos on this after spending some two hours cleaning it up. I basically said, "You folks need to take some responsibility here."

The time has come to draw the line in the sand. n-case and others like it, are VIRAL. It can't be removed easily by the user - NO agreement of this nature can be legally binding.

Now for what frightened me the most: Ever have spyware that couldn't be cleaned by Spybot and/or Ad-Aware - even with the latest patches? No? Then you probably don't live in Korea. A few of our students do, and this is where this particular piece of crap came from. It defended itself by making a program that runs at startup that runs a program that insures that another program is there and running THAT, reprograms your home page to a site that ActiveX 'drivebys' your computer to load the program!!! :O

That was a bitch to clean up (although nothing compared to n-case!). You probably haven't seen this yet because it's a Korean app - but it managed to get on a few American machines here when the Koreans visited a site that installed some 'happy fun cursor' program.

I'm ranting.. But the truth is: Admins have to do their part, but the anti-virus people have got to do a better job also. They need to stop turning a blind eye to this issue.

wmplayer.exe - me too. Here's how to kill it

[Weaselmancer]

I had no idea I got it until I ran adaware. Then I got some freaking spyware bug that deleted windows media player and replaced it with a spyware app or a virus or something.

I just fought that one off last night. Took forever to nail it down. Here's what finally worked.

Delete the wmplayer.exe in Program Files/Windows Media Player. Run ad-aware 6 with the latest definitions. That'll zap the crap that it installs, which for me was windows/a.exe and windows/system32/bridge.dll, along with a host of other reg keys and crap.

Because it's windows, reboot and run the scanner again. If it finds anything, repeat.

If you're lucky, you'll still have a working copy of wmplayer.exe in windows/system32/dllcache. You'll know it's the good copy if it's larger than around 6k or so.

Hope this helps, because this one was a total pain in the ass to track down. Good thing my machine is dual boot Linux. And my main windows browser is now Firefox, too.

Oh yeah, on a side note... Whoever wrote the scumware that overwrites Windows Media Player needs to be hung by a pair of thumb screws and roasted over a coal fire. It's one thing to sneak your apps onto a system, but another thing entirely to overwrite existing apps.

Here's hoping their crap gets noticed on some FBI computer somewhere.

Weaselmancer

PS: Just in case there's a friendly FBI guy reading this, take the scumware wmplayer.exe into a Linux install and run "strings" on it. You'll see the URL of the fine folks who brought you this plague. They encrypt their strings by inserting 4 garbage characters over 0x80 every so often, so ignore those.