Slashdot Mirror


Spyware Becoming Worst Tech Support Problem

teknurd writes "Wired has an article about the growing problem of computer users having to call tech support to get help removing all of the spyware on their computers. 'The fast-growing phenomenon is already responsible for more than 12 percent of all technical support calls in Dell's consumer hardware division, the biggest category of complaints this year, company representatives said.' Personally, I have had to remove this plague from the computers of several friends and family members."

152 of 814 comments

  1. Just run Spybot by baggachipz · · Score: 5, Informative

    http://www.spybot.info . That's all it takes. Have it run on people's windows startup and they're set.

    1. Re:Just run Spybot by Rosco P. Coltrane · · Score: 4, Insightful

      >http://www.spybot.info . That's all it takes.

      When you're Joe Blow at home, that's fine. But when you administer dozens, hundreds, thousands of Win boxes and you can't automate installing/configuring/running Spybot, things are a bit different.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:Just run Spybot by sulli · · Score: 5, Insightful
      Just run Mozilla, and none of that stoopid-ass ActiveX will try to hijack your PC.

      (Come on, didn't people see this coming when Microsoft came up with ActiveX back in the day?)

      --

      sulli
      RTFJ.
    3. Re:Just run Spybot by hattig · · Score: 5, Interesting

      That, and AdAware.

      So that they catch what the other one missed.

      If I was an OEM, I'd get a license from one of the companies to include AdAware/Spybot on the shipped systems and set it to run once a week. That's gotta be worth it to remove 12% of support calls!

    4. Re:Just run Spybot by radixvir · · Score: 2, Interesting

      I used to think that only computer novices got spyware. But just this past week I got several all at one time. I have no idea how it happened (I don't even use Internet Explorer) but it was bad. After I ran Ad-Aware and McAfee to clean them off, one of them deleted some important files under my system folder, or at least that's what I assume because my TCP/IP wouldn't start. I ended up having to totally reinstall Windows. I've since decided I'm going to try and use Windows as little as possible, only when I need to work in Photoshop or Office (I have the newest versions, i.e. no CrossOver Office). But beware: even advanced Windows users can still get these things.

    5. Re:Just run Spybot by AndroidonPPC · · Score: 5, Informative

      \\(machine name)\c$\documents and settings\all users\start menu\programs\startup\ is a good place to start

      or just make a registry file to add info into the hkey_local_machine\software\microsoft\windows\currentversion\run key. (hint: this works on any windoze box when done as administrator)

      with remote administration and a script, you could have those puppies running mighty quick.

      -Andy in Chi

    6. Re:Just run Spybot by Gunja · · Score: 2, Insightful

      Thanks, Capt. Obvious. Not like the people that read ./ don't know how to clear spyware off their machines. The point is my company is paying me money to clean off advertisements from our computers. It's a waste of time, resources and money. And just like virus software, ad/spyware removers and blockers 1) don't always work 2) have to be constantly updated.

    7. Re:Just run Spybot by drinkypoo · · Score: 4, Informative
      Lavasoft Ad-Aware still detects things that spybot doesn't - and vice versa. Entirely (?) removing CoolWWWSearch actually required running both programs.

      There's nothing you can do to prevent spyware aside from completely locking down systems so users have nearly no permissions to the registry or anything else. This of course means that no programs not explicitly allowed on your network will operate. If you can deal with this tradeoff, more power to you.

      Spybot Search & Destroy is a fabulous piece of software but it doesn't do the whole job.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Just run Spybot by chosen_my_foot · · Score: 5, Insightful

      You forget that the user can still download and install WeatherBug, Precision Date Time Manager, and many other helpful products. Using an alternative browser does not prevent this action.

      For some reason a lot of people seem to believe that using Mozilla/Firefox/Opera makes their box invincible. It's a good start, but should only be one layer of your security.

    9. Re:Just run Spybot by michelg · · Score: 5, Interesting

      I can attest to the fact that some sites that are using those horrible ActiveX install popups are now also including XPI popups as well, at least for firefox in win32.

    10. Re:Just run Spybot by Anonymous Coward · · Score: 5, Insightful

      If you're an educated user, shoring up your home network is extremely simple:

      1) Install a hardware firewall.
      2) Install a software firewall.
      3) Install a quality antivirus program.
      4) Install Ad-Aware - preferably the Pro version with Ad-Watch.
      5) Install Spybot.

      The problem is that if you have family or friends that don't know anything about computers and don't seem to care to learn, doing the above will help you out temporarily... and then cause you a huge amount of problems on Windows.

      For example, every time the software firewall asks them to approve a connection, they'll either always deny them (screwing up their software) or approve them (screwing up their security). They'll be upset when they can't use a program because it needs ports opened on the firewall. If you show them how to open ports up, they'll eventually just open ALL ports, thinking "now I won't have to worry about doing it every time a new program wants new ports available". The other option is not to tell them how to do this and just do it for them. You are now their bitch.

      The other problem is that they'll want to install applications. In Windows, you can set several user levels. You can set a very restricted one that doesn't let users install software or access/modify any documents but their own. Then there's a level that will let them install software and use all documents. Then there's the full power user, backup user and admin user levels.

      For security purposes, you would of course want to set their account to a level that will not allow them to install software. Otherwise they're going to be installing every stupid spyware riddled, adware plagued, malicious, wasteful, resource-eating piece of shit they come across. So, now every time they want to install a program, they're going to come to you. You're their bitch.

      So the only way to achieve true security is to prevent them from doing anything they really want to do and now you're going to be bothered by every person that you've set up every time one of them wants to install a program or open up some ports. Every time they want to install a game, application, office software, utility, etc.

      It's a hassle just dealing with this for one person. Now imagine if your grandmother, an uncle, your mom, two siblings, a neighbor, a girlfriend and two family friends all have you on the hook like this? It never ends. And then people wonder why techies are becoming more and more reluctant to help and more abrasive. Look, it's like being a car mechanic. As a car mechanic, I would not expect my friends to repair their own engine block or diagnose and fix other complex problems - but I certainly expect them to fill their own gas tank, change their own oil, refill their wiper fluid, check and refill their power steering, check and fill their tires, replace signal lights, screw on their license plates, adjust their rear-view mirrors and side mirrors and adjust their seats into position.

      However, for people who aren't willing (or maybe can't in the case of some elderly people who just can't fathom the concepts) to learn the basics, you'll find that if you don't help them they will end up with a myriad of crap on their machines. Dozens of viruses, spyware, programs running in the background to steal resources and processing time, adware programs that pop-up crap all the time, hijacked browsers, three p2p networks starting at launch time and running in the background (eating up memory, cpu, storage, bandwidth), p2p utilities that go with them, "weatherbug" software, msn, yahoo, aim and others, and countless other things. I've seen people with so much fucking shit on their machines like the above mentioned that their machines would start-up and then die, crash or reboot before finishing displaying the desktop. Just too much crap running.

      It isn't my job to baby people, teach them every little thing and care for them. They can buy books, play around and learn on their own just like the rest of us had to. If you can't appr

    11. Re:Just run Spybot by dnoyeb · · Score: 3, Insightful

      Are we computer specialists really any better than the Anti-Virus camp? We make money on both sides of this equation. We're becoming like lawyers.

    12. Re:Just run Spybot by chosen_my_foot · · Score: 5, Insightful

      If you're assuming the user isn't stupid then perhaps you haven't worked very long in IT ;)

      I liken our users to toddlers. If there is any way, no matter how ridiculous, for a toddler to injure himself with a toy, he will do it. After only 6 months in IT, I see the user as a toddler and computers as their toys.

      I tell them time and again that their Windows XP computers synchronize their time with our servers, but they still install Gator's time manager because the banner says "OH NO YOUR COMPUTER CLOCK COULD BE WRONG!!! IF YOU DON'T INSTALL OUR SOFTWARE YOU SUPPORT TERRORISM!!!" As many posters in this thread have stated, you tell them time and again that MyComet cursor and all those goodies are what makes their computer run slow, but by the week's end you will return because they have installed it again and now their box is hosed.

      It's even worse when the computers on the production line turn up with these things. The cost of a stopped line per minute is quite a good bit more than my annual salary. Whoever wrote Sasser owes me a lunch break, because I had to skip it to deal with infected machines on the line. (Yeah yeah, "You should have patched sooner". No one mentions the issues that were reported with early patchers, such as frozen computers, 100% CPU usage, and inability to log in to Windows. We chose to wait until the issues were settled, and it bit us. What good is an uninstall, Mr. Anderson, if you can't boot your box?)

    13. Re:Just run Spybot by petecarlson · · Score: 4, Informative

      Unless you were using an older version of Ad-aware, LSP-FIX would have fixed your tcp/ip stack. I used it on one of my friend's computers and it worked perfectly. Of course I installed Mozilla while I was there and he asked me about it. I tried to explain that it was an open source web browser but he just gave me a blank stare so I explained that it was an improved version of IE with a built in popup blocker and tabbed browsing.

    14. Re:Just run Spybot by Anonymous Coward · · Score: 5, Informative

      I'm going to make the assumption that XPI can be abused in the same way -- but why abuse 5% of the browser population (and the 14 users of Netscape Navigator) when you can abuse 95% of your browsing audience?

      It's not very common, but it does happen. Check out this thread if you don't believe me.

    15. Re:Just run Spybot by GPLDAN · · Score: 4, Informative

      I don't know if you've seen on the website, but Spybot has been under a concerted DDOS attack, off and on, for a while. I think the fact the software is so damn effective, and the guy does just a frankly superb job of keeping signatures up, that it's really put a thorn into the side of spybot creators everywhere.

      If you can afford it, consider donating to the guy. That's a helluva bit of software to be giving away. Either that, or nominate him for the Nobel Prize, if you're on the committee that is.

    16. Re:Just run Spybot by Anonymous Coward · · Score: 3, Insightful

      Why are your users allowed to install software? The evidence supports locking down user machines to doing tasks for work only, because they have abused the previous system.

      And why are critical systems running an insecure OS with a long colourful history of security vulnerabilities? In fact any machine that doesn't need to be connected to a network shouldn't be.

    17. Re:Just run Spybot by throwaway18 · · Score: 2, Interesting

      >After I ran Ad-Aware and McAfee to clean them off, one of them
      >deleted some important files under my system folder, or at
      >least that's what I assume because my TCP/IP wouldn't start.

      There is at least one adware program that replaces one of the Windows internet-related DLLs with its own version. Adaware didn't handle removing it very well when I came across it months ago; I was hoping they had fixed that. It usually isn't necessary to reinstall the machine. Removing TCP/IP from the list of installed network protocols, rebooting and reinstalling it (Windows CD or setup files required) usually works.

    18. Re:Just run Spybot by Anonymous Coward · · Score: 2, Informative

      No, Spybot and AdAware are not enough.

      I was plagued with problems for over a month (more like two). I ran both of these programs continuously and was never able to remove the problem completely. I would remove everything that was found by Spybot and AdAware, and it would seem clean--until I rebooted that is. The damn crap would reinstall itself when I would reboot.

      I was pulling my hair out with this sh!t coming back constantly and thinking that I would have to do a complete reinstall.

      What eventually worked: Bazooka

      It tells you how to remove things manually (not for the layman, but no problem for the /.er) and is in-f*cking-credible. After about 8 weeks of hell, I found this and was able to remove all of the problem software within minutes. Plus, the software is free.
      In case you were wondering, the app killing me the worst was WinPup. Grrrrr.

    19. Re:Just run Spybot by NatasRevol · · Score: 2, Insightful

      Because the CEO/CFO/president of the company said so.

      End of story. Set it up that way or get fired. Job security (lots of it) or none. Your choice.

      --
      There are two types of people in the world: Those who crave closure
    20. Re:Just run Spybot by mgpeter · · Score: 5, Informative
      >just make a registry file to add info into the hkey_local_machine\software\microsoft\windows\currentversion\run key. (hint: this works on any windoze box when done as administrator)

      Instead of messing with the registry, download the Excellent Startup Control Panel from Mike Lin's Home Page. This little Utility is an excellent way to control what does and does not execute on Windows startup. Using this utility you will be amazed at what processes are automatically started, some programs, like roxio's crap, will start 3-5 processes at Windows Startup.

      It is also an excellent way to very quickly see if any Adware/Spyware is installed without running Adaware or Spybot.
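
Added example (not part of any comment in this thread): the startup audit described in the comments above, done offline against a `reg export` of the Run key. It flags values that are missing from a baseline, that launch from user-writable paths, or that start through a DLL host; the sample export, the `BASELINE` contents and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in `reg export` format; none of these entries come from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVScanner"="\"C:\\Program Files\\ExampleAV\\avscan.exe\" /startup"
"TimeSync"="C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\tsync.exe"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,2e,00,65,00,\
  78,00,65,00,00,00
"Toolbar"="rundll32.exe C:\\WINDOWS\\system32\\tbar.dll,Start"
'''

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Assumed baseline: value name -> program the administrator expects it to start.
BASELINE = {"avscanner": r"c:\program files\exampleav\avscan.exe"}
# Locations an unprivileged user can normally write to (heuristic, not exhaustive).
WRITABLE_HINTS = ("%temp%", "%appdata%", "\\temp\\", "\\locals~1\\")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)


def parse_reg(text):
    """Return {key path: {value name: string data}} for string-typed values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with a trailing "\"
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"'):
            # REG_SZ: strip the outer quotes, undo \" and \\ escaping
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("hex(2):"):
            # REG_EXPAND_SZ: comma-separated bytes of a UTF-16LE string
            raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
            value = raw.decode("utf-16-le").rstrip("\x00")
        else:
            continue  # dword/binary values cannot name a program
        current[name] = value
    return keys


def command_target(cmd):
    """Best-effort guess at the program a Run value starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PROGRAM_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def audit_run_keys(reg_text, baseline=BASELINE):
    """Return [(value name, command, [reasons])] for entries worth a second look."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        for name, cmd in values.items():
            target = command_target(cmd).lower()
            reasons = []
            if baseline.get(name.lower()) != target:
                reasons.append("not in baseline")
            if any(hint in target for hint in WRITABLE_HINTS):
                reasons.append("runs from a user-writable path")
            base = re.sub(r"\.exe$", "", target.rsplit("\\", 1)[-1])
            if base in ("rundll32", "regsvr32"):
                reasons.append("started through a DLL host")
            if reasons:
                findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in audit_run_keys(SAMPLE_REG):
        print(f"{name}: {cmd} -> {', '.join(reasons)}")
```
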

    21. Re:Just run Spybot by gstoddart · · Score: 2, Interesting

      I've come to the conclusion that between web vulnerabilities (like ActiveX controls) and the myriad of trivial pieces of software people install (funky cursors, search bars, whatever) a Windows machine is always going to be infected if you're not careful.

      My office machine I only use Mozilla except for sites that absolutely require IE, and I sure as hell don't click on or download anything that I don't explicitly want.

      My home XP box sits behind a hardware firewall, and except for *very* occasionally, I don't install much software on it -- and truthfully most of that is stuff like Mozilla and cygwin anyway.

      In both environments my e-mail gets delivered to a UNIX machine.

      To date, I've had decent luck with both machines -- only once has anything hit and that was the Windows RPC vulnerability. I suspect the usage pattern of most people is to embrace a lot of the new and shiny stuff that comes their way.

      I guess I've been using UNIX long enough that eye candy bugs me so much I don't get exposed to it. Which might be part of why I don't have problems.

      We used to have an office admin that downloaded every screen saver, animated cursor, or cutesy little flash game that was sent her way.

      I must say, Windows has improved a lot over the years. I still don't trust it to not stumble if left on its own.

      --
      Lost at C:>. Found at C.
    22. Re:Just run Spybot by edunbar93 · · Score: 4, Insightful

      >1) Install a hardware firewall.
      >2) Install a software firewall.
      >3) Install a quality antivirus program.
      >4) Install Ad-Aware - preferably the Pro version with Ad-Watch.
      >5) Install Spybot.

      Besides the 4+ hours of work that this entails, the specialized knowledge and cash required, a five item list like this is hardly what I would term "extremely easy."

      In fact, it's more like saying "Any educated person can boost the performance of his car in 5 easy steps! Just install a turbocharger..."

      And it's also worth noting that installing two firewalls like that is paranoid and stupid. Especially if the first one isn't even forwarding ports, something some 90% of computer users don't even need to do. And if you are forwarding ports, then what are you going to do on the client machine? Block those ports? What was the point of forwarding them again?

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    23. Re:Just run Spybot by masoncooper · · Score: 2, Informative

      The easiest way to prevent corporate computers from becoming infected with spyware is to not run your users as local admins. I can't begin to tell you how many times I've seen companies whine and complain because it's too much work, and that it's easier to just let them install what they want.

      We have almost 200 machines and in the past 8 months have had only ONE exploited. Not only that, but a restart fixed it, because all they were able to do was change the startup page in IE.
      I'll admit it, we spent lots of research time adjusting permissions so that certain apps would run (Freakin ADP) but once it's set up, you can rest easier knowing that the users (and transitively any software running as the user) cannot write to system folders.
      Obviously, this isn't our only level of security, we run SAV CE and regularly push a set of kill bits for malicious activex components. Oh, and our last line of protection is a driver-level program called Fortres that denies any writes to certain files (EXE's, executables, others we choose). They can't even copy/rename files to and from EXE.
      We've covered most of our bases and are continually watching for holes but I'd say the most important thing an admin can do to control the desktops is to run users as users!

    24. Re:Just run Spybot by Just Some Guy · · Score: 5, Informative
      >The problem is that if you have family or friends that don't know anything about computers and don't seem to care to learn, doing the above will help you out temporarily... and then cause you a huge amount of problems on Windows.

      I have one (1) stock response to all non-business tech support requests. Say this verbatim, and without sounding condescending:

      I work on computers all day, but they're the big ones like banks use, and I don't know much about the smaller ones that people have at their desks.

      I know that Apple makes a nice little Macintosh computer that doesn't cost much more than a good one like the Windows kind you've been looking at, but they're a lot easier to use by people who aren't one of us computer geeks. My own wife has one and she loves it. If you get one of those, I could probably help you with it, but like I said, I really don't know much about Windows. Sorry I can't be of more help.

      It gives them a useful solution to the problem they're having, is honest (I really don't know a whole lot about Windows versions more recent than Win98), and has one of two outcomes:

      1. They buy a Mac, love it, and think I'm a hero.
      2. They stick with their PC, but finally believe me that "has a degree in computers" doesn't mean "can fix every computer made", and find someone else to pester.

      PS: You and I know that "big computer" means "FreeBSD web server over in the machine closet", but who wants to get hung up on details?

      --
      Dewey, what part of this looks like authorities should be involved?
    25. Re:Just run Spybot by scumdamn · · Score: 3, Informative

      The best fix for Winsock corruption in XP is to delete the Winsock and Winsock2 keys from the registry, reboot, and install TCP/IP over itself (you have to browse to c:\windows\inf to get it to show up in the list) but it works nearly every time. I've been having techs do it for about a month now and it's been very successful.

    26. Re:Just run Spybot by daviddennis · · Score: 2, Insightful

      I really don't think people should have to treat their computers like a fortress by installing millions of lines of complex and potentially unreliable code on their computers, just to guard against outside attacks. It's like being forced to run an armor plated car, and accepting the huge performance and fuel economy hit.

      So I run Macs, which solves all those problems and more.

      Macs are a little more expensive, yes, but the amount of time and aggravation saved is worth every penny.

      I run all Macs at home and I never get virii, never get spyware, and they keep on running at good speeds virtually forever.

      Frankly, I'm not a paranoid enough person to run Windows, and in all honesty I don't want to become one.

      I don't understand why Apple's market share hasn't soared thanks to this and other similar advantages.

      I know that one day there will be a Mac virus or two, but the economic motive just isn't there for spyware, thanks to Apple's low market share. I think it would have to double or triple, which it isn't doing any time soon, to justify spyware development.

      So my answer is: Get a Mac. You'll be happier. It's prettier than Windows. It's slicker, too. And you won't get these pesky problems. Are they slower? In some cases, but armor-plating your PC is going to make it run a lot worse than the Mac, if the complaints in my company about our AV software are any indication.

      D

    27. Re:Just run Spybot by zerocool^ · · Score: 4, Insightful


      I think it needs to be reiterated: It's a good start.

      It's a huge first step. I now run Firefox, it's the default browser on my Windows box. If you've read my comments in the past, I've always been a fan of I.E., and I still am, to be honest with you. I think I.E. is faster, and renders things better than Firefox, Firefox (even though it's nowhere near moz's bloat) still uses more memory, plus there's this annoying javascript transparent thing that Firefox doesn't deal with well, and it just has several little annoying things I don't like.

      BUT.

      After casual surfing the web (with google toolbar installed to block popups) on I.E. a couple of months ago, I proceeded to get spyware left and right that I didn't even know about! The damn javascript buffer overflow that installs cool web search got me. I had no idea I got it until I ran adaware. Then I got some freaking spyware bug that deleted windows media player and replaced it with a spyware app or a virus or something.

      This is just from CASUAL web surfing. I didn't download anything, I didn't run anything, I never clicked "ok" on any of the "you are about to download and install 'CLICK HERE TO ACCEPT OUR AGREEMENT'" things. This was all exploits that hijacked my browser and installed spyware.

      Fuck. That.

      Firefox only has two advantages over IE+google toolbar: Tabbed Browsing (which I'm starting to like), and security. Until recently, they weren't reason enough to switch. Now, they are.

      So, it needs to be pointed out: Yes, there are still ways to get spyware even when running firefox. It's true. BUT, firefox is a HUGE first step. I don't have anything worse than a few tracking cookies now.

      AND it needs to be said: It does not mean you're a n00b l00ser if you run I.E. and you get spyware. It's nothing you did wrong. Even powerusers, whatever that means, still get spyware in I.E. You don't have to click to install anymore. It used to be enough to know that you shouldn't download and run stuff that you didn't know what it did. It's not anymore.

      ~Will

      --
      sig?
    28. Re:Just run Spybot by Seumas · · Score: 3, Insightful

      That really isn't four hours worth of work. If it's your first time, it might be - but I'm not talking about how extremely easy it is for grandma. I'm talking about how easy it is, in the grand scheme of things. Certainly, to do the above you would need to have some rudimentary education about the machine in front of you to perform those five steps - but in my experience, only those who have that education (beyond how to login, surf and manipulate the max/min/close window buttons) are even aware of the problem and the steps needed to handle it.

      It isn't as difficult as you seem to suggest, though. A hardware firewall is common sense and even your ISP will instruct you to install one when you pick up your cable or DSL modem (or when they come out to install it). Not knowing you need a hardware firewall is like not knowing you need to buy a modem to use the internet. And they aren't that expensive. A high quality new one is about $80. A decent one can be had for $50. Basic installation is simple. Plug it in, change the admin password. Done.

      Installing an antivirus program is also simple and has been drilled into every user. Most computers come with one, even if it's only a trial subscription. You can get decent ones for free (Grisoft's AVG, for example). They're easy to configure and usually have adequate walk-throughs.

      Ad-Aware is easy to install and free. Same with Spybot. You might need to read a little before making full use of them, but just having them installed offers more security than not having them at all.

      As for having both a hardware firewall and a software firewall - sure it's paranoid. The thing is that software firewalls are inadequate and ineffective. If you allow what you think is a legitimate program to have access to the net (a windows service or MSIE for example), you may also be unwittingly allowing a sub-component to piggy-back with it.

      I don't expect a software firewall to protect me or the family/friends I install them for. I like having one installed so I can see what applications are trying to get out. If something strange is trying to get out and it hasn't been caught by Ad-Aware, SpyBot or AVG/Kaspersky - I want to know about it. I could watch a netstat all day long - or I could just watch for pop-up notifications in the system tray.

      >In fact, it's more like saying "Any educated person can boost the performance of his car in 5 easy steps! Just install a turbocharger..."

      But it isn't. This isn't about boosting your performance. This is about knowing to lock your car's doors, not locking your keys in the car, not leaving your keys in the ignition or the car running while you stop at 7-11, changing your oil regularly, checking the tire pressure occasionally, keeping your tags up to date and possibly having a car-alarm installed.

      Any educated person should know not to drive their Lexus through the worst part of town, stop in front of a 7-11 with a bunch of crackheads standing outside by the pay-phones and leaving their keys in the car and the engine running while they go into the store and buy a coke and nachos.

    29. Re:Just run Spybot by wackysootroom · · Score: 2, Informative

      We've had the same problem on our network until we banned people from downloading Microsoft executables and certain types of archive files using our network altogether.

      Our company firewall redirects all http traffic through a transparent squid, where we have a bunch of ACLs that allow and disallow certain things. All of the non standard HTTP(s) ports are blocked at the firewall.

      We are a smallish shop of only ~50 users, and this all works out fine. No more spyware/crapware/malware headaches.

    30. Re:Just run Spybot by Allen Zadr · · Score: 3, Insightful
      I fully agree with you here. I make between $70 and $140 every time one of my co-workers' teenagers decides that their 'internet connection is not optimized'.

      I try to teach them how to take care of it themselves, and they have no interest in learning.
      Most lawyer tasks are the same, easy to do yourself, but there's a whole bunch of info to learn before you can get it right. I have no interest in learning law-craft.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    31. Re:Just run Spybot by twoshortplanks · · Score: 2, Informative
      You do get pesky Mac problems though. Like the hardware falling to bits *all* the time. Seriously, I've sent my mac back to apple twice. The person across the desk from me sent his new mac back as soon as he got it (fried mainboard) - and he's sent his old one back several times. The other person opposite me sent his better half's back three times. My flatmate had to send his TiBook back as soon as it arrived. And it seems everyone else I know (and I'm not exaggerating here) has sent theirs back too. It's like one of the things you just have to accept - the hardware *will* fall to bits.

      This isn't to say that your points are invalid. This isn't to say that I don't still keep buying apple hardware. But the build quality sucks! I'm not sure if I recommended one to a friend how I'd feel saying "Oh yeah, that needs to go back to the shop. They all do that".

      --
      -- Sorry, I can't think of anything funny to say here.
    32. Re:Just run Spybot by jhagler · · Score: 2, Informative

      I know that running Outlook is a risk, however it really doesn't take that much to remove 99% of the risks. Like I say, don't keep the preview pane open and I view mail as plain text, that should remove the dangers from anything embedded in the HTML, I know better than to open annakornukova.vbs/exe/pif, and I use AVG's antivirus plug-in to catch anything else I may have missed. At this point I think most of the threat is gone. Like I said, this is my first virus in several years.

      I have the feeling it came in on a P2P file. AVG is supposed to scan them too, but I've never really trusted that completely. But those are the risks you take connecting to the Internet nowadays. And as long as I can catch it and remove it within 24 hours, I am willing to take the risk.

      --
      Never underestimate the power of human stupidity -RAH
    33. Re:Just run Spybot by WoodstockJeff · · Score: 4, Insightful
      >The evidence supports locking down user machines to doing tasks for work only

      Sometimes, that's impossible. Try to synchronize a Palm Pilot or compatible with Outlook when you're not running as a system administrator under XP. It won't work.

      The unfortunate thing is that those people who have PP's are often the ones paying your salary, and they would not be happy with the idea that they might be blocked from updating them.

      Trying to argue security with them is (usually) pointless - they've already made several bad security decisions (Windows servers, Exchange running on those servers, Outlook running on the local machine), so your piddly little concerns with security are unimportant!

    34. Re:Just run Spybot by festers · · Score: 2, Informative

      Firefox has another great advantage that I see frequently overlooked: AdBlock

      That little extension has made my web browsing pure joy. It blocks every ad I've come across, including flash ads, and it supports wildcards so I can right-click and block entire "ad" directories from servers without losing other content. It's beautiful.

      --


      -------
      "Every artist is a cannibal, every poet is a thief."
    35. Re:Just run Spybot by gumbo · · Score: 2, Insightful
      It would be nice if people could comprehend that just because you can write code and support enterprise networks doesn't mean you know every obscure thing in the world.

      The funniest bit is all the people that you do wind up helping. At least with me, they always ask me stuff I have no idea about. "How do I do this in Excel?" or "why does it keep doing that?" So I click around for a bit and fix it for them, and they assume it's something that all geeks learned how to do in geek school. Like, day 41 of geek school is how to change the header options in Word. But really, they're just too scared to go clicking on new and weird menus that they've never clicked on before, so they don't even try.

  2. ad-aware by frizz · · Score: 4, Informative

    Is there anything better than ad-aware for solving this problem?

    1. Re:ad-aware by Anonymous Coward · · Score: 2, Funny

      Linux :-)

    2. Re:ad-aware by I+confirm+I'm+not+a · · Score: 4, Informative

      Is there anything better than ad-aware for solving this problem?

      Why, yes, as it happens! ;)

      I've read some suggestions to run both Adaware and Spybot - I've found either to be more than capable on their own, but then I tend to practice "safe-browsing": use Firefox, use Linux where possible, etc.

      --
      This is where the serious fun begins.
    3. Re:ad-aware by UconnGuy · · Score: 2, Informative

      Spybot is just as good. I find running them both is a better solution, each find things the other doesn't.

    4. Re:ad-aware by NatasRevol · · Score: 2, Funny

      wife...mall-ware...

      Joke in there somewhere!

      --
      There are two types of people in the world: Those who crave closure
  3. No Surprise by two_stripe · · Score: 2, Redundant

    Spyware can be a real prick to remove, people just can't do it themselves, even competent computer users.

  4. my experience... by Ummagumma · · Score: 5, Insightful

    I'm the IT manager for a 100+ person software company (actually, the ONLY IT person...)

    Over the last 6 months, I've had to spend more and more time cleaning this crap off people's machines. I've got it down to a science, though - I keep a disk around with a whole lot of useful tools on it such as:

    Spybot search and destroy
    stinger
    all windows XP / 2000 patches since the latest SP
    spywareblaster
    and others

    Takes me about 15 minutes to clean a machine now. Of course, that is 15 minutes that I could be doing something USEFUL...

    --
    "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    1. Re:my experience... by GypC · · Score: 3, Insightful

      Oh yeah... and why do your users have the security privileges to install software?

    2. Re:my experience... by grub · · Score: 5, Interesting


      I'm [network/unix/Mac/Novell/some windows] support for a ~200 user research place. Every Friday our Director of Research sends out a "what's up" email talking about various projects, etc. A couple of years ago I was asked to do a weekly thing called "Computer Corner". What I do is have a paragraph with a link to an internal webserver I run with more info.

      I did a spyware article a while back and on the server had some tools for installation complete with how-to's, screenshots, etc. Naturally some people aren't geeks and are a bit leery of anything remotely technical so we always offer to come do the work if needed. That happened only a handful of times.

      If you have a lot of users that approach may be helpful.

      --
      Trolling is a art,
    3. Re:my experience... by Rosco+P.+Coltrane · · Score: 4, Insightful

      Yet you still use Windows...

      You probably don't have much of a choice, but I would encourage you to look into a Linux migration.


      You forget Dealing With Your Boss 101: If Windows causes your pains and trouble, bitch and whine about Microsoft to your boss, he'll "understand" but won't even question your IT choices for the company. If you chose Linux, any little problem, however insignificant, will be Linux' fault, i.e. your fault.

      Choosing Windows is a job security choice. Sad but very true...

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    4. Re:my experience... by Pig+Hogger · · Score: 2, Funny
      Takes me about 15 minutes to clean a machine now. Of course, that is 15 minutes that I could be doing something USEFUL...
      Two words, buddy: JOB SECURITY.
    5. Re:my experience... by jamonterrell · · Score: 4, Interesting

      That's interesting. I usually stick with ad-aware, but decided to evaluate some other products for use at work. Within 2 minutes of installation (The first time I ran IE afterwards), I had a popup from gator come straight up. I'm not saying without a doubt that spywareblaster contains gator from the original source, but the copy I got my hands on snuck gator in. Anyone else seen this? Did you download your copy direct or from a download mirror? (Also interesting to note is that spywareblaster, as of the last version I saw, did not detect gator as spyware.)

      --
      I can count to 1023 on my hands. Ask me about #132.
    6. Re:my experience... by SilentChris · · Score: 4, Insightful

      Permissions are your friend. We have a similar situation but we knew long ago that limited permissions was best for most users. They can download all the crap they want -- they just can't install it. Same goes for viruses. We haven't had a single virus or spyware problem since we instituted the policy.

    7. Re:my experience... by RollingThunder · · Score: 4, Insightful

      Probably because so many piss-poor programmers assume they'll have that ability, and the apps your users need won't work if they don't have that privilege?

    8. Re:my experience... by Ummagumma · · Score: 2, Insightful

      I do use windows, and have zero choice in the matter. Our software is written primarily for Windows Server, and .NET development doesn't generally work very well on a Linux box.

      If I had my choice, I'd have Linux deployed a lot more in the backend, but I don't have that luxury. The company is WAY too tied into Exchange and MSCRM to go with a Linux solution.

      I AM however, putting SpamAssassin on a Linux box to do mail filtering. :)

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    9. Re:my experience... by hattig · · Score: 5, Informative

      A lot of "Spyware Removal" software is actually Spyware that removes competing spyware.

      The only two to trust are AdAware and Spybot.

      Unfortunately the Spybot download doesn't work at the moment, I think it's slashdotted.

    10. Re:my experience... by grub · · Score: 2, Funny


      Yeah, do it. You'll have way more time to read slashdot! ;)

      --
      Trolling is a art,
    11. Re:my experience... by TykeClone · · Score: 2, Interesting
      I AM however, putting SpamAssassin on a Linux box to do mail filtering. :)

      We do this. The only other things I would recommend would be to tie them in with MimeDefang and ClamAV. Doing that lets you bounce e-mail-borne viruses before they make it into the internal network.

      One day last month 1/3 of all of our inbound e-mail traffic was e-mail attempting to deliver viruses. They never got to the user's desk, so they never became a security problem.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  5. Good tools. by grub · · Score: 5, Insightful


    Spybot Search & Destroy [Best spyware cleaner IMHO, also immunizes against re-installation]
    Javacool's Spyware Blaster [works well in conjunction with Spybot]

    I used to use Lavasoft's AdAware but after it wasn't updated for a while someone recommended Spybot which I've stuck with.

    --
    Trolling is a art,
    1. Re:Good tools. by WebGangsta · · Score: 2, Informative
      I used to use Lavasoft's AdAware but after it wasn't updated for a while someone recommended Spybot which I've stuck with.

      Ad Aware was updated a few weeks ago to version 6.181 (?) and does a better job of getting rid of stuff (including CWS) than the current version of Spybot. Normally, I would run Ad Aware then Spybot to finish cleaning stuff that Ad Aware left behind, but now I've found that I have to run Spybot first followed by Ad Aware. This may be temporary, but still...

      I think it has to do with some of these spyware/virus programs deactivating these sweeper programs or munging the hosts file so they can't get the updates. At least with a download of Ad Aware (without the latest update), you can get the bulk of things cleaned up enough to be able to access the update sites afterwards for a second pass with your favorite spy-removal tool.
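
The hosts-file tampering described in the comment above can be checked for directly. This is an added example, not part of the original thread or of any tool named in it; the watched domain names and the sample hosts file are constructed placeholders, and `audit_hosts` is a hypothetical helper.

```python
import ipaddress

# Assumption: placeholder update domains for the removal tools you rely on.
# Replace with the real update hosts of your own tools.
WATCHED_SUFFIXES = ("antispyware.example", "av-vendor.example")

# Names that legitimately appear in a stock hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain",
                "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, address, [names]) for each valid mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: ignore the line
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (lineno, name, address, kind) for entries worth a look.

    kind is one of:
      update-blocked     watched domain sent to loopback / 0.0.0.0
      update-redirected  watched domain sent to some other address
      redirected         any other name pinned to a routable address
    Non-watched names mapped to loopback (typical ad-block lists) are skipped.
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in BENIGN_NAMES:
                continue
            is_watched = any(name == s or name.endswith("." + s)
                             for s in watched)
            if is_watched:
                kind = "update-blocked" if sinkhole else "update-redirected"
            elif not sinkhole:
                kind = "redirected"
            else:
                continue
            findings.append((lineno, name, str(addr), kind))
    return findings


# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.antispyware.example   # update server sinkholed
0.0.0.0         www.av-vendor.example download.av-vendor.example
203.0.113.7     search.portal.example
0.0.0.0         ads.tracker.example
not-an-ip       something.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a Windows 2000/XP machine the file to feed in is normally `%SystemRoot%\system32\drivers\etc\hosts`; read it from a clean boot or another machine if the running system is not trusted.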

  6. i heard that... by psychalgia · · Score: 3, Interesting

    with the company i work for i'd love to make suggestions to help people rid themselves of this, but we're not allowed because it's all third party stuff. i don't work for an ISP, but an internet banking group, and time after time people are blaming their bank for redirect hijackers and popups...all i can say is that your computer is messed up and you should try to call your ISP for assistance. not like they'd be in a much better sitch than me. too bad we can't convince people to stop clicking on every bloody thing that pops onto their screen.

    --

    ________________________________________________

  7. Removal Tools by tsheriffk · · Score: 3, Interesting

    between spy-bot and hijack this, i have been able to remove any spyware i have encountered. The trick with spybot, is that people need to know what they are doing, so they don't screw up their computer. Adaware is dummy proof, but only gets a portion of the stuff.

  8. Always a winner... by theirishman · · Score: 5, Funny

    Personally I find format C: the best for getting rid of crap like that!

    1. Re:Always a winner... by happyfrogcow · · Score: 4, Funny

      i prefer

      Fermat C:

      it not only formats the C drive but fills it with results of x^n + y^n = z^n for various values

    2. Re:Always a winner... by Mr.+Bad+Example · · Score: 2, Funny

      > Fermat C:
      >
      > it not only formats the C drive but fills it with results of x^n + y^n = z^n for various values

      I have discovered a truly remarkable spyware removal method which this text entry box is too small to contain.

  9. Bonzi Buddy by AtariAmarok · · Score: 5, Funny

    I always ask Bonzi Buddy to help solve my spyware problems. He is always so helpful!

    --
    Don't blame Durga. I voted for Centauri.
  10. What a Crock by Doesn't_Comment_Code · · Score: 5, Interesting

    If I remember correctly from a previous article (3-6 months ago), Dell prohibits its tech support from helping customers remove certain programs that could be considered spyware. They are unable to do so because Dell, and some other suppliers have partnerships with the makers of the borderline spyware.

    What a crock!

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:What a Crock by Doesn't_Comment_Code · · Score: 5, Informative
      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    2. Re:What a Crock by DR+SoB · · Score: 3, Interesting

      Adaware is great, except I've found they've missed many brutal spyware programs before, especially programs that deeply embed themselves in other programs (such as Windows Media Player, very common). SpyBot seems to miss a few as well, although normally not as many as Adaware. After running Adaware and Spybot on a few heavily affected computers, I then installed the new Norton Antivirus 2004 + Internet Security, and it found 9-15 OTHER missed spyware programs.. Of course, to fix them all I would have to boot on the disk and run it separately..blah!

      I've found installing NetScape also helps greatly, as it blocks many malicious pop-up ads. Normally when I'm asked to configure a computer for someone, the last step is to delete shortcuts to IE and install Netscape as the default, people are weirded out at first (I've never seen this browser before! "It's great!"), but after a while they swear by it too.

      My brother recently brought a computer I gave him just maybe 5 months ago, home from University for me to inspect, because of "poor performance" (P4 @ 2.6 w/ 1 gig ram, GeForce 4, poor performance? What the hell is he running), well I booted it and opened the task manager, running at 100% NON-STOP, Memory almost maxed, and at least 30 Un-identified programs running. Forget spybot or anything, it's FDISK time! But it gave me some insight into the average user, because he told me he noticed it was running slow, so he uninstalled as many valid programs as possible (of course to no effect), the average user has NO IDEA what's wrong, they just know the thing runs slower than the old Apple II's!

      --
      Mod +5 Drunk
    3. Re:What a Crock by Trifthen · · Score: 2, Informative

      Careful just saying adaware. The software is named Ad-aware, a stark contrast to Ada-Ware which is itself a spyware program masquerading as a removal tool. Note that both of these are "adaware" when all punctuation and capitalization are removed. Scary, huh?

      --
      Read: Rabbit Rue - Free serial nove
  11. Some solutions to spyware by mausmalone · · Score: 4, Informative

    AdAware is a great program, I swear by it. Also, working at a help desk, I often tell people to go into IE advanced settings and disable 3rd party browser extensions. They seem to think that if it's a toolbar for IE, it's automatically a great idea to download it.

    --
    -=-=-=-=-=
    I'd rather be flamed than ignored.
  12. Should be integrated into AV software by Goodl · · Score: 4, Insightful

    get on it Symantec etc. this is getting to be as big if not a bigger problem than viruses. All the computers of family and friends are rife with this stuff, and they won't stump for Ad-aware pro as well as AV sw

    --
    I've got some photographs, I'd like to show them to you. Though you don't know the girls You'll recognise the view..
    1. Re:Should be integrated into AV software by abrinton · · Score: 4, Interesting

      Funny, it is integrated into McAfee. I use it in my 100 person company and it works pretty well. The feature is called "Find Unwanted Programs" or something. It's all set up with EPO so I know every desktop has it, and nobody can turn it off. Catches most spyware, and McAfee is good about updating.

      There is one major drawback. McAfee decides what is an "unwanted program" and you can't change it. It stops some tools that I would rather it didn't. However, I've found this trade off to be well worth it as I spend exactly *nil* time cleaning spyware.

      I get calls all the time about the "virus" someone or other just got though.

    2. Re:Should be integrated into AV software by blunte · · Score: 3, Interesting

      I spent an hour with our Symantec account rep last year imploring him to communicate how badly we need spyware protection integrated with virus protection.

      In the US corporate world, Symantec is probably the leader. If they would just buy Spybot or something, build in a spyware signature download system (as they have with virus), my job would be so much easier. I'd even happily pay them another 5k$ for that feature on our machine.

      But this sales guy didn't even know what spyware was.

      Symantec really missed out on a big feature that would have set them apart from McAfee.

      --
      .sigs are for post^Hers.
  13. No Doubt by PhraudulentOne · · Score: 2, Interesting

    I support this kind of thing every day at work with the odd internet customer/staff member. Spybot has really helped out a lot - it's free, small, and works great. I can believe the 12% figure, but here at the ISP I work for, it's more like 60% of calls, only the customer doesn't know they are calling for this particular problem. For them, the internet and their computer has just bogged right down so they think something is wrong with the internet.

    --
    You create your own reality - Leave mine to me.
  14. Reading this article on a Linux box... by Black+Parrot · · Score: 5, Funny


    ...priceless.

    --
    Sheesh, evil *and* a jerk. -- Jade
  15. i wouldn't mind by irokie · · Score: 2, Interesting

    "the developers get paid, in theory, by companies that want to harness the spare computing cycles on thousands of computers to solve some complex computing problem."

    i wouldn't actually mind giving a few of my spare cycles to someone if they needed them for something legitimate.
    everyone i know ran the SETI@home screensaver... not only were you contributing to something, but it looked way cool too!

    --
    and if you see me strut, remind me of what left this outlaw torn...
  16. A few tips i give to friends by insomaniac · · Score: 2, Informative

    1. Run a good anti spy ware tool like spybot or ad aware.

    2. Don't use IE or Outlook

    3. Don't use Kazaa or most other p2p clients

    4. Don't run any and every program you come across

    This helped my friends a lot, my father was really offended by spyware and who can blame him, he's a firefox fan till the end now... :)

    --
    The way to corrupt a youth is to teach him to hold in higher value them who think alike than those who think differently
  17. People by Schezar · · Score: 4, Funny

    Every time I remove this crud, I explain exactly why they had it to begin with. I tell them Comet Cursor, Gator, Bonzai Buddy, and the like are VIRUSES. Absolute VIRUSES. I tell them not to download them, and the problems will never come back. I set their IE security settings to not allow Active X as well.

    Within days, they're all back. "But I LIKE my Comet Cursor! I didn't think it would happen this time."

    The problem here is that many people today lack basic problem solving skills. They see a problem with their VCR, they fix it. (Clock's off, let's say). They see a similar problem with their computer, and they freeze up and assume they can't fix it even though, in the case of the clock for example, it's the SAME PROBLEM with nearly the SAME SOLUTION.

    People don't seem to apply their own basic intelligence to computers. Nor do they seem to learn from their mistakes. "Why did you install Spambar again?"

    "I wanted the -feature-. How was I supposed to know it was bad?"

    "Because it caused this SAME PROBLEM THE LAST THREE TIMES YOU INSTALLED IT! I HATE YOU! DIEDIEDIE!" /works for tech support

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:People by JaffaKREE · · Score: 2, Interesting

      Sometimes it's just about hopeless. I threw together a computer for my girlfriend, who has a Comcast Cable connection. Fully patched, with AVG, Zonealarm, and ad-aware. There are 6 other people who use the computer.

      If I don't maintain it to the point of once-a-week troubleshooting, the next time I stop by, there is more garbage/spyware/viruses/popup junk than I can possibly understand. Comet Cursor, Weatherbug, Bonzi, that "set your clock" thing, backdoors, and a deluge of popups that will make your head spin when IE is loaded ( I installed Opera. They don't like it. ). You're probably thinking, if I had correctly installed all the stuff I said I did, this wouldn't happen, right ?

      If only it were that easy.

      Zonealarm ? Well, they were having problems with their internet one day, and decided it might be that firewall thing, so off it went. Despite my insistence, this happens fairly often - because they don't actually see the negative effects of it.
      Viruses ? AVG just disappears. Someone must be uninstalling it, because it's usually gone when I go looking for it.
      The spyware ? I don't really know where it actually comes from. There's usually a bunch of other junk apps and game demos, I assume that's how they find their way on to the computer.

      So yeah. PEBKAC. at least one of the problems.

    2. Re:People by eth1 · · Score: 5, Funny

      "People don't seem to apply their own basic intelligence to computers"

      That's because computers all have a Common Sense Exclusion Field generator. Anyone coming into that field turns into a dribbling idiot. However technical type people's brainwave patterns generate an electromagnetic field around them that nullifies this field. It also knocks quirky hardware and software back into order, which is why it mysteriously starts working once you show up to fix the problem.

  18. Switch? by thesolo · · Score: 4, Insightful

    Personally, I have had to remove this plague from the computers of several friends and family members.

    Not to sound snide, but this is exactly why all my family & close friends run Macs now. It's easier on them, and it's a hell of a lot easier on me, since now I don't have to stop over, run Adaware, and clean their systems for them.

  19. Re:i know.... by Anonymous Coward · · Score: 2, Insightful

    Except for the fact that the average user leaves their IE at default settings. Even savvy users can be fooled - for example - my wife's computer was recently infected with the sysupd.exe/TSCash dialer spyware - it installed itself, without my wife's knowledge or consent, even though I set her IE settings as secure as possible. In order to remove this - I had to boot into safe mode, delete the sysupd.exe file, and then remove two registry settings. Of course - the question remains - the bits of info telling the OS to write those registry entries and run that exe are *still* floating around the hard drive somewhere, even though inactive.

    You can't blame every dumb user for spyware that installs itself via malicious Java or VB code - most of the time, the user will be completely unaware and unable to do anything about it until after the fact.

  20. Joe Sixpack and TCO by mrneutron · · Score: 5, Interesting

    Last night I spent 3 hours at a neighbor's house on spyware patrol. He's a fireman who plows my driveway for free (he is Joe Sixpack personified), and I'm his volunteer tech monkey. I cleaned them all out 2 months ago, and now they were in worse shape.

    All 3 computers were unable to surf the web. Teenage daughters had downloaded Kazaa, weatherbug, morpheus and others. I explained the dangers of spyware (and getting sued by the RIAA, hoping to scare them into ending the spyware party) to them last time, with predictable results. I also advised Dad to lay down the law (I'm not holding my breath).

    The 98SE box (yeah, I know) was completely hosed. Booted up, auto-launched about 8 different programs, auto popups, and would actually blue screen before I could launch a single app. I blew that one away, reinstalled from scratch, and ran Windows update (requiring 5 reboots) for close to 2 hours (ever run windows update after a clean install of 4-year old media? Not fun).

    And he has a hardware firewall and fast cable modem connection: this would have been impossible on dialup (and the clean install would have been compromised within 10 minutes without the firewall).

    After all of this, I had all 3 computers working fine, with up-to-date patches, virus protection, and an Ad Aware icon on the desktop. Also a lecture on the evils of spyware to the assembled daughters.

    I'll be back there in a month or 2, guaranteed. Let's hope for lots of snow next winter.

    1. Re:Joe Sixpack and TCO by hattig · · Score: 2, Interesting

      It seems that people install these things again and again because there is a slight feature in it that they like.

      So maybe a good solution is to find something legitimate that does that same task and install it for them.

      For example, there must be a legitimate application out there that does what Comet Cursor does without the spyware. Install Bittorrent and add shortcuts to various bittorrent sites - if they are going to download music, at least make it download music safely and usefully for other users. And so on.

      And as for corporate users ... anyone who manages a network that gets these problems should be sacked. Those machines are the company's, they should only be able to run approved applications. Yeah, give some leeway, allow IM, web and e-mail of course, allow reasonable customisation and personalisation, but don't allow local installation of software or plug-ins. If someone needs some software, let them ask IT with a valid reason for it.

    2. Re:Joe Sixpack and TCO by flying_monkies · · Score: 2, Funny

      If you know you're going to be back, and you know how much it sucks to have to re-patch the box, maybe investing in an extra drive and something like Ghost for the machine would be worthwhile? You get the call, go over, throw your drive in, load the OS on the proper drive, patch it then ghost the sucker to the second drive, power down and pull the drive. Next time they call, you throw your drive back in, boot off a recovery disk and bring the system up to the point of the last clean install... Be sure to kick them out before you do it, stay locked in the room for 3 hours and scream profanities profusely so they think you're really doing something.

      --
      I disagree with what you say, but I'll defend your right to say it to the death - Voltaire
    3. Re:Joe Sixpack and TCO by blahlemon · · Score: 2, Insightful
      What you need to do is add a hidden partition and ghost their computers to it. At least your re-builds would be less laborious.

      Unless you like hanging out with Joe Sixpack's teenage daughter.

      --
      It take more faith to believe in evolution than it takes to believe in God
  21. Is there a real solution? by manavendra · · Score: 5, Interesting

    Spybot removal software is one thing, but is there a real solution to this problem?

    Users will continue installing software they think is cool, or hear about from their friends/colleagues - be it bonzi buddy, kazaa or anything else. Pretty soon they'll start facing problems - the computer would begin to be unresponsive since kazaa is eating all the cpu, searches in google fail because IE is redirected to SearchScout, or whatever else you have.

    Cure is one thing, what's the prevention for all this? And I ask this, not for informed, knowledgeable users, but naive home users who don't know any better?

    No M$ bashing please. I have heard of several tools that keep track of what's installed and the changes to registry, but haven't come across anything with a simple interface and a "knowledge" of most common spyware (possibly updated frequently from a public server). Such a tool would at least make the customer support job easier!

    --
    http://efil.blogspot.com/
    1. Re:Is there a real solution? by david.given · · Score: 5, Interesting
      Cure is one thing, what's the prevention for all this? And I ask this, not for informed, knowledgeable users, but naive home users who don't know any better?

      There isn't one. I'm afraid it's that simple.

      The real villain is the computing model used. Windows (and Unix, and OS X) has a pretty simple security model: programs are either trusted, where they can run and use local resources, or they're not, in which case they can't.

      This means that in order for the user to execute ThisMayBeAGame that it's downloaded from some random web site, the user has to tell the OS to trust ThisMayBeAGame. At which point the user is screwed, because it's got no way of determining what ThisMayBeAGame is actually doing.

      ...and before you jump on me: yes, I know that all the operating systems I'm talking about support fine-grained access control. Unfortunately, it's only in some areas. Linux only supports it in the filesystem. You can restrict a process to be able to touch some files only, but you can't restrict it to being able to open sockets to certain addresses only or to use no more than X mips of CPU time. Windows is even worse because most people (myself included) disable file system access control entirely because it's just too inconvenient; the default user can do anything. I don't know about OS X but since it's based on BSD I assume it's like Linux.

      ...and yes, I know that you can get high-security patches for some operating systems that do provide this sort of control, but they're not used.

      What's needed is a radically different computing model. Instead of a brittle system where all running software is trusted and you have prophylactic systems in place to distinguish between trusted software and untrusted software, you need a failsafe system where it simply doesn't matter if you run malicious code because it can't do any harm.

      Managed systems like .NET and Java are a step in the right direction but things need to go much further. Imagine a computing system where your desktop computer simply provides computing resources to a whole ecosystem of interacting software agents. Some of these you put there; some of them arrived as part of other people's documents; some just wandered in off the local network. Some of them may be helpful, some may be malicious. They're all managed by a high-level system that doles out system resources depending on what the user's doing. An agent that's attached to the screen gets more CPU time and real memory than one that's not. An agent that's resident on the machine's local storage gets storage space, an agent that's arrived from the network doesn't. A transient agent can only make network connections to a host if it can present proof that it actually has something to do with that host... and so on.

      Such a system would be far more resilient than the current ones. It would also work rather differently, but that's no bad thing. A lot of security issues would simply go away. Of course, there would be other problems that you wouldn't get with one of today's system --- notably, your software ecosystem would waste lots of resources --- but I think that's eminently affordable.

      Now, I suppose, all I have to do is to go away and write it...

  22. Windows Live CD + favorite spyware prog by Anonymous Coward · · Score: 3, Interesting

    Dell should just provide users with a Windows Live CD that contains an anti-virus program and a spyware removal program.
    Pop it in, computer boots up, runs the anti-virus and spyware removal, shuts down.

    Then there is no hassle for the customer about them going to an internet site and installing a program, and then figuring out how to run it.

    1. Re:Windows Live CD + favorite spyware prog by Stevyn · · Score: 2, Interesting

      Or make it run off of linux. "The Live Linux to fix Windows CD"

  23. Spyware Overwhelms the Average User by SirChive · · Score: 5, Insightful

    In the last couple of months I've seen four or five computers that were rendered completely useless by spyware. The owners literally could not open their browser and get on the web.

    Many of the newer programs should not really be called "spyware". They are really a form of hijack-ware. They seize control of a user's browser and send up an endless stream of ads.

    And no, the average user will never be able to cope with this. Most people just want to buy a computer and use it. They are no more interested in learning how to maintain a computer than they are in learning auto maintenance. It's up to the computer industry to deliver usable products to the end user.

    1. Re:Spyware Overwhelms the Average User by Fearless+Freep · · Score: 3, Insightful

      > They are no more interested in learning how to maintain a computer than they are in learning auto maintenance.

      Most drivers also have driver training, a driver's license, insurance, and know at least that the car needs gas and occasional maintenance

    2. Re:Spyware Overwhelms the Average User by R2.0 · · Score: 2, Insightful

      "And no, the average user will never be able to cope with this. Most people just want to buy a computer and use it. They are no more interested in learning how to maintain a computer than they are in learning auto maintenance. It's up to the computer industry to deliver usable products to the end user."

      Your analogy is close, but not quite. Regarding auto maintenance, you are right in that people don't want to learn how to do auto maintenance, but most of them know that their cars NEED maintenance. So do computers, but the average computer users haven't realized this yet.

      A better way to use the analogy between cars and computers would be to ask users the following question: "Would you open the hood of your car and add or replace parts that you found out on the street for free? And if you did, and your car started running crappy, would you get pissed off at the dealer or the mechanic?"

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  24. Don't run anything by nuggz · · Score: 4, Insightful

    I don't understand the problem.

    My wife is relatively computer literate. But it comes down to a simple rule.

    Don't download anything, don't install anything. Ignore all those taskbars and toolbars and toys.

    we've had no trouble.

  25. Look who's talking... by aixguru1 · · Score: 2, Interesting

    "A separate study by Internet service provider EarthLink found more than 29 million spyware-related files on the 1 million computers the company tested."

    Earthlink uses those types of data mining files in their total access software. When I run spybot and Ad-ware, it constantly finds the files tied in with earthlink for advertising.

    Not to mention AIM now has pop up advertising and things. I am glad that I don't have to use my windows machine for anything more than audio processing for the most part. I couldn't imagine what it would be like if I used it to browse the web regularly...

    --
    root 10956 5164 0 Oct 22 - 0:23 sendmail: rejecting connections: load average: 70 (isn't sendmail just too kind)
  26. MS Subtle shot at the Free Software Movement? by jonasmit · · Score: 3, Interesting

    Finally, Friedberg [from Microsoft] cautions Internet users to pay extra attention to offers of free software. "Be suspicious," he said. "When something's free, there's likely a catch."

    I worry that ordinary users will associate the free software work done in the Linux/BSD community with spyware - or more likely that MS will turn up the rhetoric against the Linux/BSD community when the competition gets hot in the desktop space.

  27. Odd... money to be made isnt being made? by Serapth · · Score: 5, Interesting

    There is one thing I can't figure out here. Spyware is the next big thing after virii... why haven't the big anti virus companies gotten in on the action? I mean, how much more work would it take a McAfee or Symantec to add spyware detection tools and removal software to their current products? If you think about it, the only big thing that distinguishes one AV company from another is their response times to a new virus. Wouldn't this be a very sellable feature?

    On the bright side, the big kids staying out of it allows little guys like LavaSoft ( ad-aware ) to carve a niche for themselves. However, if a LavaSoft-type company gets smart and offers virus removal in their tool as well... why would you not get the do-it-all tool, instead of two pieces of software?

    It's always funny watching big commercial companies miss the boat on stuff like this though :)

    Also, I may be wrong, there may be an AntiVirus product out there that deals with SpyWare. If there is, please let me know!

    1. Re:Odd... money to be made isnt being made? by Have+Blue · · Score: 4, Informative

      Possibly because encouraging companies to uninstall each other's software is a dangerous precedent. Who's in charge of deciding what's spyware? And it would be easy to slippery-slope one's way into a situation where Windows or BIOSes would only run code signed by a central authority.

  28. STOP RUNNING AS ADMIN! by dioscaido · · Score: 4, Informative

    I'd say 75% of spyware issues come from users running as part of the Administrator group. All day-to-day use windows accounts should be a regular user, with the least privileges as possible. Without being part of the Admin group, the spyware would not be able to write to HKLM registry, C:\ or C:\WINDOWS. Some spyware could still infect the user's directory, but at least a simple re-log on to Administrator could be done to clean up the machine.

    1. Re:STOP RUNNING AS ADMIN! by dioscaido · · Score: 5, Insightful

      Windows has the "Run As..." capability (right click any app, select Run As... and enter the administrator account), so that somewhat simulates doing a 'su' in linux.

      But I totally agree that many application developers don't understand the concept of running at the least privilege necessary. So many apps write their config to C:\Program File\APP\ and HKLM, which requires elevated access, instead of writing to C:\Documents and Settings\user\Local Settings and HKLU. Hopefully more people will read 'Writing Secure Code' (from MS, ironically), and windows apps will improve.

    2. Re:STOP RUNNING AS ADMIN! by moexu · · Score: 2, Insightful

      I tried that when I upgraded from 98 to 2000 at home. I set up a regular account that had as few privileges as possible for day to day work and an administrator account for everything else. I lasted about a day and a half before I changed my account to have administrative access.

      Nothing worked properly. I would get all sorts of weird access denied errors for things that shouldn't have required administrative access to begin with (like changing default settings in Word). I had to log off the machine and log back on as administrator to install games. When I tried to play them under my user account it would prompt for the administrator password.

      I don't think that users running as administrators is the fundamental problem. The fault lies with software developers who don't write software under the theory of least privilege and with Microsoft for designing their OS so that gaining superuser access for administrative tasks is so awkward.

      --
      "Seek first to understand." - Socrates
    3. Re:STOP RUNNING AS ADMIN! by Tin+Foil+Hat · · Score: 2, Interesting

      While that is a good suggestion, it's also very annoying. If I run as a regular user and want to install something, I have to actually log out, log back in as Administrator, install the software, log out, and then log back in under the normal account.

      Why can't Windows just prompt for the Administrator password when I want to install something? Not offering that practically ensures that almost nobody will use the normal user settings. It simply makes it too difficult to install software.

      Talk about stupidity....

      YARTHMS.
      (Yet Another Reason to Hate Microsoft)

      --
      No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  29. Re:i know.... by JavaLord · · Score: 2, Insightful

    how about NOT installing shit on your systems duh?

    The new trend I've noticed is if you end up on a website with one of those stupid pop ups that gives you "Do you want to install junkWebBar" you click no, and it still tries to install (my firewall catches this). It still manages to install itself though, my firewall ends up catching it when it tries to get out for the first time.

    You can try running mozilla but then you run into websites that just break in it because they aren't coded for web standards.

    Now this stuff happens to me, I have a degree in computer science, work as a programmer, and run 2 firewalls at home. How are everyday users going to protect themselves? Just not "installing shit" doesn't save someone from getting browser jacked which used to be limited to porn sites, but I see it everywhere nowadays.

    This is going to be an issue, that if it gets worse might drive people to linux or some other OS/internet browser.

  30. Re:Omission by gordonb · · Score: 2, Interesting
    If you define spyware as programs from third party sources, you may be right. I'm not sure that there is a total lack of spyware out there. I haven't seen any yet, though.

    However, OS X appears to phone home on boot. Check out some of the ip traffic (you can't use kismet or such as the OS X box is still booting, but you can look at the log from your router/firewall). This may not be spyware, technically, but Apple does see which systems are connected, if you let them. If you block this traffic or boot without an internet connection, the system still works fine, of course. I don't have an XP box to play with, but my buddy Amit says the same thing occurs. Any comments?

  31. Re:Good examples of source of problem by wishlish · · Score: 3, Insightful

    My wife's a librarian, and she's one of the few people I know who I'd let use the computer without my supervision.

    Just tell your wife that she could get fired by installing that crap. It's like letting someone into the building to spraypaint the walls. Company computers aren't yours, and installing crap is akin to damaging company property.

    I mean, you wouldn't take a sledgehammer to a company printer or fax machine, would you? (insert obligatory Office Space joke here)

  32. There is a rather simple fix by SilentChris · · Score: 4, Interesting
    Permissions are your friend. We had a spyware/virus situation in our office until we instituted a new policy: no one has install permissions. You want to install stuff, come to us. You can download all the crap you want, you just can't install it. Complaints will get filed in the circular bin.

    We coupled XP permissions, SUS (godsend, that thing) and NAV Corporate. NAV updates everyone's definitions as soon as they come out. SUS sends out updates nightly (usually a few days pass after they're issued by MS so we can test and approve them). Firewall keeps dump RPC requests out.

    Since then: no viruses, no spyware. Time taken to set up all of the pieces: a few days. Money spent: XP licenses came with new machines, NAV cost a couple grand, SUS was free. Time and frustration saved: priceless.

    1. Re:There is a rather simple fix by sesaetaen · · Score: 2, Informative

      Time spent installing each and every application for your lusers: ???

      Constricting your average user's permissions that way is what makes people try to circumvent security, which in the end can be even more troublesome than cleaning out spyware.
      (I know I would)

  33. We should be promoting real-time spyware blocking by will0957 · · Score: 2, Interesting

    I work at an ISP and we get a fair amount of calls pertaining to spyware/adware. "As soon as I connect to your service I have all these ads coming up on my screen!" "I keep changing my home page but then it goes back to this porn site!" All that we are supposed to support is getting people connected to the internet and setting up their e-mail.. so they always get upset. I personally prefer SpyBot, but management tells us to recommend Ad-Aware. The best is when they call up because Ad-Aware didn't fix the problem. "Now what?!". CWShredder can be pretty useful in these situations.. For your own personal machine I recommend SpyBlocker. It isn't free anymore, but it's worth the money to buy it. It's a real-time ad/spyware/bug/cookie filter. It works quite well.

  34. Spamware removal sites by Krafty+Koder · · Score: 2, Funny


    i happened to come across these fantastic spyware removal sites. if you download their software you are guaranteed 100 per cent no more spyware
    Debian
    Mandrake
    Linspire
    Fedora
    Mepis
    Xandros
    Suse
    Slackware
    Gentoo

  35. Simple Answer for the Wife's computer by Displaced+Cajun · · Score: 2, Interesting

    She's running windows 2000, and logs in as a USER.

    I've got Admin rights to her computer. When she needs a game installed, I install it. But limiting her to user rights, she doesn't have the proper access to install ANYTHING.

    This works for me.

    --
    Executive ability is deciding quickly and getting someone else to do the work. --John G. Pollard
  36. CWshredder by jrwillis · · Score: 3, Informative

    CWshredder does tend to work REALLY well on that hard to get adware/malware. It's like I was complaining to a co-worker the other day, I don't feel like a Network Tech as much as a bloody computer janitor now.

    --
    Keep Austin Weird!
  37. Biggest problem is IE plugin structure by StandardCell · · Score: 2, Insightful

    The default settings in Internet Explorer are one of the biggest causes of spyware insertion. The problem is that spyware on a page causes IE to come up with a message window that says "Would you like to install FREE toolbar from foo.bar?" and then at the bottom it says something about a security certificate.

    Well, as you all know, anyone can go to Verisign and buy a certificate for authentication purposes, but most people take certificates to mean that it's certified safe software. For the uninformed user, there's little difference between this and the latest Macromedia Flash plug-in.

    Even worse, there are a lot of sites that cause Internet Explorer to go into a loop with the plug-in. By that I mean:

    1. Plugin for "FREE SphyWhere Inc. ToolBar Search!" presents itself to user.
    2. User presses "No" button or the close window button to avoid installation.
    3. IE comes back with a dialog that says "You MUST install free toolbar to gain access!" and then has to click the "Ok" button or the close window button on THAT dialog.
    4. Process repeats itself at Step 1 and continues in perpetuity unless the user is fast enough to be able to close the actual browser window before the plugin pops up, or until the user consents, or unless the user shuts down Internet Explorer.

    This occurs primarily on porn sites, but it will occur many times on legitimate sites (e.g. VG-Network, formerly Dave's Video Game Classics for classic games and one of the music lyric sites (can't remember which off the top of my head)).

    The root of the problem here is that - surprise - Microsoft has continued to let websites exploit this peculiarity in its browser. The end result is that users get frustrated and either inadvertently or out of frustration simply allow the spyware to be installed. Even worse, if the user is dumb enough to have "Low" set on their security settings due to their own inability or unwillingness to learn about basic browser functionality, all this spyware will get installed automatically. Some users I believe continually complain about their computer being slow to the point where they're prompted to upgrade unnecessarily because of spyware they don't know that they have.

    So...on every fresh Windows install I do, I do it behind a NAT router to begin with, install all service packs and security updates and drivers, then put a software firewall on the computer, then an antivirus app with Trojan detection, and finally a spyware removal app. Then I instruct people to go to Windows Update every day, their virus update every day, and Spyware check every week.

    Isn't spyware fun?

  38. Nip it in the bud by WebGangsta · · Score: 3, Insightful
    As others have said, the biggest issue that we have to deal with isn't the spyware itself, but the end-users who "just have to have" whatever the associated programs are. And these programs don't just slow their computers down, it also affects the network by adding unnecessary traffic to the pipe.

    What are the worst offenders? Those programs offering either "cute" or "informative". Desktop wallpaper, custom cursors, so many toolbars and geegaws to make your browser look like CNN's Headline News. A time updater. A date updater. A weather notifier. Hate to tell you, but I have a watch, a calendar, a radio, and a window. Between these four things, I think I'll know what the day/time is and what weather is coming.

    What would these same users do if they drove up to a street corner and there was somebody waiting to plaster their car with a flashy bumper sticker in exchange for their friends' email addresses? I would hope that these folks would just drive away. So why does it work on a computer screen?

    Hell, half the problems businesses have could be solved if companies just banned access to all the websites that produce these programs. Can't download Weatherbug or Webshots if you can't get to the websites in the first place. No need to visit each individual computer if you can use the firewall to do your job for you. Anyone have a list of those evil IP addresses they'd like to share? (and by "evil" I mean, well, "evil")

    1. Re:Nip it in the bud by DChristensen · · Score: 2, Funny

      Be sure to include:

      66.35.250.150

      That kills more of my time than I know what to do with.

      --
      Mac OS X--Unix without the assholes^Whassles.

  39. its not lazy so much as training by holy_smoke · · Score: 5, Insightful

    Folks have been trained since the DOS days that they just turn on their computer and use it. Programs have been written for that environment with this assumption in mind (no user-admin privilege distinction).

    So the "Problem" is more Microsoft's failure than it is the users' failure. Users use, and are taught how to use. Microsoft perpetrated the "run as admin always" problem, and they directly trained (through the use of their software) vast armies of average users and software developers to embrace this road as the norm and the expected software "reality". Unfortunately it was a disastrous mistake in many regards (virii, worms, spyware, blah blah).

    They need to fix this basic architecture problem, and this will hurt users (learning curve, potential invalidation of older software) and the software industry (re-tooling their software code).

    Garbage in, Garbage out?

    --
    Is the juice worth the squeeze?
  40. Spybot on start-up works fine. by Saeed+al-Sahaf · · Score: 4, Informative
    But when you administer dozens, hundreds, thousands of Win boxes and you can't automate installing/configuring/running Spybot

    Gee, that's strange. We have 300 Win boxes in my building and about 1000 company wide, not a lot really, but more than a few... Spybot runs just fine from the start-up script. Actually, though, since our machines (all of them) stay on 24/7, we run it and other stuff at night too (but those are scheduled tasks, of course). Need my LAN admin's number?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Spybot on start-up works fine. by pbranes · · Score: 2, Insightful
      Yeah, but are you going around manually installing spybot on every single machine? The time to manage that kind of setup is exponential to the number of machines you have. If you have a way to deploy spybot, push updates, & schedule scans remotely, I would love for you to post that method.

      I don't understand why antivirus companies don't include spyware removal in the virus tables. It wouldn't require any additional programs - they just have to get a signature for each type of spyware and put it in the table. It seems like such a logical, easy step, that you have to wonder what would motivate the antivirus companies to not clean off spyware. Are they just big, slow, stupid corporations who can't see **THE NEXT BIG THING**? Are they afraid of a lawsuit from spyware companies like Claria (Gator)? Do they have an unwritten agreement with spyware companies to stay out of their territory?

    2. Re:Spybot on start-up works fine. by Verteiron · · Score: 5, Informative

      If you'll check the Spybot S&D forums, you'll find that, yes, there is a way to push SpybotSD out to machines on a domain, and update it, and run it, silently, with no user interaction.

      http://forums.net-integration.net/index.php?c=7

      --
      End of lesson. You may press the button.
    3. Re:Spybot on start-up works fine. by Anonymous Coward · · Score: 2, Funny

      I know you're trying to be sarcastic, but I also manage about 120 computers in an office where this isn't possible. Each of the computers are on the same network, and use the same bandwidth, and share some of the same files, but each computer owner is an independent contractor and we can't put anything on their computers without permission first. They don't leave their computers on all the time, we have no startup script options, it's a mess.

      I remove spyware from 5 to 10 computers a week in my city. They drop them off with me, I remove spyware, I go to their office and remove spyware, I see spyware in my dreams, I eat spyware for breakfast, and as they said in the movie Stripes...

      I eat sleep walk talk shoot sh*! spyware!

  41. How to stop Spyware long term by parp · · Score: 2, Insightful

    I manage an office of about 70 Windows PCs. When I first started many of the PCs had spyware on them. Every other day someone would complain and I would clean it off. When the same people kept asking for spyware removal it became clear that to solve the problem you have to prevent the average user from installing software on their PC.

    Want to stop spyware? Do not log in with Administrative rights! 99% of spyware requires administrative rights to install. In the corporate environment this is simple: don't give out the local administrator password to anyone Ever! And don't put regular users in the Administrators group. For home users, create two accounts - one for installing software with admin rights, and one for everyday use without admin rights.

    UNIX admins figured this out years ago. You only use root when you must, why don't most Windows users do the same thing? My suspicion is most home users don't like the concept of Windows logins and passwords. To solve this I wish XP home had a simple switch for a user to enable or disable software installation.

  42. "legal" viruses by esoterus · · Score: 2, Informative

    This is absolutely the biggest problem tech support-wise that I have to deal with these days with my clients. It surprises me that they aren't yet seen in the same light as viruses are. They can be just as crippling, just as tricky to remove (even with ad-aware and spybot), and just as sneaky getting in to your system...

    I've told people when they've asked me how their infestation happened that they're basically viruses they actively allowed to be installed, though in some cases I'm not even sure you as user have to "ok" to let in there. I advise users to click "x" on the installer windows now - I don't even trust "no" anymore.

    --
    Not only does God definitely play dice, but He sometimes confuses us by throwing them where they can't be seen. -Hawking
  43. You can look under the hood yourself by zeno_lee · · Score: 5, Informative

    In addition to using the various anti-spyware software recommended above, like AdAware and SpyBot, I've made it a regular habit to look at these registry keys:

    Run regedit:
    Start->Run-> "regedit"

    Look in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run
      RunOnce
      RunOnceEx

    The Run is an especially attractive haven for spyware companies. That's how spyware programs run their programs after users reboot their computers. If you suspect there are weird entries in these registry keys, download spyware removal software and run it. If you don't know what you're doing don't mess with the keys.

    I also check TaskManager regularly for weird processes. It's a bit technical, but after a while you can see which processes belong and which ones don't.

    1. Re:You can look under the hood yourself by og_sh0x · · Score: 2, Insightful

      Also look under the HKEY_CURRENT_USER branch, under the same registry keys. Some programs will hide some startups in there, knowing most people who know about HKEY_LOCAL_MACHINE still don't know to look in HKEY_CURRENT_USER. Also take a look at your BHOs (Browser Helper Objects). This program should help you sort them out without having to dissect your registry: BHODemon

    2. Re:You can look under the hood yourself by rsadelle · · Score: 2, Informative

      Actually, figuring out what the things in Task Manager are isn't as technical as it looks. I happen to like Answers That Work's list. It's a little heavy on "use our tool to turn this off," but if you know enough to be looking at your Task Manager, you probably also know enough to be able to turn off the services yourself. (Control Panel > Administrative > Services)
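
An added example, not part of the thread above: the manual check of the Run, RunOnce and RunOnceEx keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, done as a comparison of two `reg export` files so that new or altered autostart entries stand out against a known-clean baseline. The key paths come from the comments; the sample exports, value names and program paths are constructed, and real exports are usually UTF-16, so read them with `encoding="utf-16"`.

```python
import re

# Autostart keys named in the thread, checked under both hives.
_BASE = r"\SOFTWARE\Microsoft\Windows\CurrentVersion" + "\\"
AUTOSTART_KEYS = {
    (hive + _BASE + sub).lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunOnce", "RunOnceEx")
}
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _is_autostart(key):
    k = key.lower()
    return any(k == a or k.startswith(a + "\\") for a in AUTOSTART_KEYS)


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Return the command for REG_SZ or REG_EXPAND_SZ data, None for other types."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ is exported as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None


def parse_autostart(reg_text):
    """Map (key, value name) -> command for each autostart entry in a .reg export."""
    reg_text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # join hex continuation lines
    entries, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if not (m and key and _is_autostart(key)):
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        command = _decode(m.group(2))
        if command is not None:
            entries[(key.lower(), name.lower())] = command
    return entries


def diff_against_baseline(baseline_text, current_text):
    """List autostart entries that are new or changed since the baseline export."""
    base, cur = parse_autostart(baseline_text), parse_autostart(current_text)
    findings = []
    for (key, name), command in sorted(cur.items()):
        if (key, name) not in base:
            findings.append(("NEW", key, name, command))
        elif base[(key, name)].lower() != command.lower():
            findings.append(("CHANGED", key, name, command))
    return findings


# Constructed sample exports (not taken from any real machine).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvAgent"="\"C:\\Program Files\\ExampleAV\\agent.exe\" /tray"
"Updater"="C:\\Program Files\\ExampleApp\\update.exe"
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvAgent"="\"C:\\Program Files\\ExampleAV\\agent.exe\" /tray"
"Updater"="C:\\WINDOWS\\Temp\\update.exe"
"WeatherHelper"="C:\\Program Files\\ExampleWeather\\wh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"DisplayName"="Example App"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleToolbar"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  74,00,62,00,2e,00,65,00,78,00,65,00,00,00
'''

if __name__ == "__main__":
    for status, key, name, command in diff_against_baseline(BASELINE_REG, CURRENT_REG):
        print(f"{status:8} {key}\\{name} -> {command}")
```

A finding only means the entry differs from the baseline; a legitimately installed program shows up as NEW until the baseline is refreshed.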

  44. Old Hat by doodleboy · · Score: 2, Insightful

    Like a lot of the /. crowd, I do tech support for an extended group of family and friends. Most of these folks have no idea that leaving an unfirewalled unpatched win98 machine sitting on a broadband connection is a bad thing. All they know is it doesn't work anymore and can I fix it?

    If they're on a broadband connection I get them a hardware firewall. I don't even ask, I just buy it and hand them the bill. I also enable automatic updates. I generally use free tools like ad-aware and spybot, tiny firewall, a free av scanner if they're too cheap, etc.

    In what has to be the most painful bit for them, I give the Inevitable Security Lecture. Their attention span being what it is, I only hit the high points. I point to the Windows Update icon, explain what critical updates are, explain what spyware is (and how to use ad-aware & spybot), etc. It's probably a waste of time, but you never know.

    There you have it. I've been through it over and over. Like I said, old hat.

  45. Does Mike's Ad blocking hosts file cover this? by British · · Score: 4, Interesting

    If a bunch of spyware sites are set to a certain # of hosts, can we just make them resolve to 127.0.0.1 with a nice custom hosts file?

    I know mike's ad blocking hosts file does it for pop-ups, but what about stuff like bonzi buddy?

    If so I'd like to put it on my dad's computer. Problem is, a lot of little rinky-dink apps he downloads have spyware just piggybacking on it. Then again there's a few utilities that take care of that.

    Ahh i can see in a few years we'll have a nice internet that will blindfold themselves to such malicious sites.
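
An added example, not part of the thread: one way to maintain the kind of hosts file asked about above, pointing a list of unwanted hostnames at 127.0.0.1 inside a marked block that can be regenerated without touching existing entries. The marker comments, function names and `.example` hostnames are assumptions made for the illustration; the sample input is constructed.

```python
import re

BEGIN = "# BEGIN spyware blocklist (managed, do not edit)"
END = "# END spyware blocklist"
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(host):
    """Return a lower-cased hostname, or None if it cannot be a hosts-file name."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None  # too long, single label such as localhost, or an IP address
    if not all(_LABEL.match(label) for label in labels):
        return None  # wildcards, URLs and other non-hostname input
    return host


def _unmanaged_lines(hosts_text):
    """Yield the lines that sit outside the managed block."""
    managed = False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            managed = True
        elif line.strip() == END:
            managed = False
        elif not managed:
            yield line


def _names(line):
    # Hostnames on one hosts-file line, ignoring the address and any comment.
    fields = line.split("#", 1)[0].split()
    return [f.lower() for f in fields[1:]]


def merge_blocklist(hosts_text, blocked):
    """Rebuild the managed block so each blocked host resolves to 127.0.0.1."""
    kept = list(_unmanaged_lines(hosts_text))
    already = {n for line in kept for n in _names(line)}
    wanted = sorted({h for h in map(normalize, blocked) if h and h not in already})
    while kept and not kept[-1].strip():
        kept.pop()
    block = [BEGIN] + ["127.0.0.1 " + h for h in wanted] + [END]
    return "\n".join(kept + [""] + block) + "\n"


def lookup(hosts_text, name):
    """Address a hosts file gives for name: exact match only, first line wins."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in _names(line):
            return fields[0]
    return None


# Constructed sample input; .example names are reserved and stand in for real hosts.
SAMPLE_HOSTS = """127.0.0.1 localhost
10.0.0.5 intranet.corp.example   # existing entry, must survive
"""
SAMPLE_BLOCKLIST = [
    "ads.tracker.example", "Toolbar.Example", "toolbar.example.",
    "*.popups.example", "http://dialer.example/setup", "localhost",
    "intranet.corp.example",
]

if __name__ == "__main__":
    print(merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST), end="")
```

A hosts file matches exact names only, so blocking `ads.tracker.example` does nothing for `cdn.ads.tracker.example`, and the wildcard entry in the sample list is dropped rather than written out as a line that would never match.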

  46. [X] marks the spot by mwvdlee · · Score: 4, Informative

    This is what I told my dad after removing another 20 porn auto-dialers from his system ("Yeah sure dad, you have no idea how those got there"); Whenever you encounter a popup which you don't fully understand, click the [X] button top-right, do not click the "Yes", "No", "Cancel" or any other buttons. If no [X] button exists, hit the Alt+F4 keys. This basically got rid of practically every problem since he doesn't install software himself (wouldn't know how if he wanted to).

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  47. Re:Just run Spybot: A Word From The Trenches by devphaeton · · Score: 5, Insightful

    Or adaware or hijack this, yadda yadda...

    Problem is, we're talking about computers owned by the unwashed masses (at least in my tech support job). These are people that call up with a chip on their shoulder demanding that their ISP fix what has happened to their computer. Wonderful ads like "Earthlink with a free Pop-Up blocker" etc. have now in the perception shifted the responsibility of parasite problems onto the ISP.

    A lot of these people don't understand the basic directory structure or how to find something that's been downloaded onto their computer, and walking them through a download of a parasite removal tool, updating it, running it, and then guiding them through what to do with what it has found can EASILY turn into a 2-hour procedure. Most of us have more important shit to do than that. Double that amount of time if they don't have two phone lines and/or cannot be connected to the internet. Any coincidental problems are blamed on your removal tool.

    Also, the latest trend i'm seeing, is people calling up to complain about all these popup ads and homepage hijackings/search pages thrown in. You start pointing to all the free games they've downloaded, bonzai buddy, Desktop Calendar, Weatherbug, etc, and you are met with "but i LIKE having my weather updates, i LIKE having my Calendar there" etc.

    THEY WILL REFUSE TO LET YOU HELP THEM

    Doesn't stop them from still calling you up "i'm still having a problem with all these popups..."

    Most machines i've cleaned up (like HUNDREDS of parasites), i'll hand it back to them and tell them what not to do again, and they are in the exact same state in a week's time. They simply go and install all the same crap they had before.

    I was warned by many that doing Tech Support for a living was a burnout job, and borderline emotional abuse. But the last couple years of parasites have made it pure insanity. Tech Support is at a whole new low...

    "i need to find a new job" is an understatement.

    --


    do() || do_not(); // try();
  48. Someone should offer a reward by Doooh_head · · Score: 2, Interesting
    Someone should offer a reward to anyone who can come up with a completely successful way of:
    1 - Blocking spyware from being downloaded and installed EVER (aside from simply saying "Use Linux"), and
    2 - Completely cleaning already infected machines/browsers/etc, and
    3 - Hunting down the developers of all of this crap and them.

    It pisses me off knowing there are many hard-core intelligent software developers out there creating this crap!

    They all should suffer!
    The community should find them, like they do for child-molesters, and berate them and publicly thrash them.

    --

    doooh
  49. bazooka, not just a hilarous chewing gum. by cabazorro · · Score: 2, Informative

    try bazooka spyware removing tool.
    Unlike some other tools that jack with your
    register, bazooka just detects and advises you
    on how to remove it.
    slashdotter remark:
    #of spyware on my linux box...el zippo.

    --
    - these are not the droids you are looking for -
  50. point of interest by RMH101 · · Score: 2, Informative

    you can't remove/readd TCP/IP in XP. you have to fix the stack. annoying, but there you go.

  51. Re:i know.... by wheany · · Score: 2, Informative

    Use Mozilla until you run into a page that doesn't work. Then copy the address, open IE and use it while on that page. That's what I do with Opera. And really, there aren't that many pages that simply refuse to work with anything but IE.

  52. Disk Images Rock! by Mockura · · Score: 3, Insightful

    If you have disk imaging software (Drive Image, etc.), after updating everything make an image and burn to CD. The next time you have to redo his system (and it sounds inevitable) just blast back to the base image.

    --
    Drink blood - 50 trillion mosquitoes can't be wrong.
  53. Are you on Win2K? by not_a_product_id · · Score: 5, Informative

    If you are you can run most things as Administrator WITHOUT having to log out. Just hold down shift and right-click on the EXE. The pop-up menu will have a "Run-As" option. Just put in your administrator details and away you go. It's not perfect but it's a damn sight easier than having to log out.

    --

    ---
    We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience

  54. Not entirely. by zonix · · Score: 2

    Entirely (?) removing CoolWWWSearch actually required running both programs.

    I believe some of the CWS spyware variants actually replace some of your executables (like Windows Media Player) with a trojan that downloads new versions of these wonderful pets. This is bad because no anti-spyware can help you when this kind of damage is done. You're gonna have to reinstall applications.

    I've always tried to explain to people that anti-spyware tools should be your last line of defense. You have to be aware of the dangers to avoid them, and adjust your behaviour on the internet accordingly (look up info on known spyware, inspect browser cookies before storing, etc.). Letting spyware in and having, say, Ad-aware deal with it after the damage is done just won't cut it (at least not anymore)! It's not like you do this with a virus?

    z
    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
  55. Re:Not an issue for OS X users by SomeGuyFromCA · · Score: 4, Insightful

    > On MacOS X, user processes pop up a dialog box asking for an administration password when installing new software.

    And users react in one of two ways, if not both:

    a) they routinely put in the password for everything
    b) they bitch about "this is stupid, why can't it be like windows where I never have to enter a password" and if they're really troublesome, they'll find a program that will enter their password FOR them

    This is the same reason I roll my eyes at "Linux has user accounts and only one root so it is perfectly secure" posts. Most people would then run, day-to-day, as root. People would still install every trojan horsed piece of shit that comes along.

    It doesn't matter how many locks you have if you hate unlocking them, so you leave them open.

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  56. On top of that by andih8u · · Score: 2, Interesting

    Most companies that provide tech support will not let you remove / delete anything from a user's computer...liability issues if removing spyware ends up borking the whole thing. Then it was tech support that killed the computer and the company is responsible for fixing it.

    --


    slashdot, news for crazed liberal socialist zealots
  57. Online experience by nuggz · · Score: 2, Insightful

    I visit lots of sites. I get lots of email

    The problem is that people install random crap that they don't need, and it causes trouble.

    You only need a few plugins or helper apps.
    Flash is nice, Acrobat is a must, I grab mozilla too.

    I don't find my online experience lacking, I get my emails, I find phone numbers, and get information on other stuff I need. Ebay and online banking work just fine.

  58. Re:Does Spybot S&D Immunize really work? by sheddd · · Score: 3, Informative

    After rolling out ~35 new PC's at work (with user rights to the registry and c:\windows so our most used app will work) I was freaking amazed at how good some of our clueless users are at finding viri/spyware. If I put my mind to it I couldn't screw up a pc worse. Every time IE started (with the new xxx toolbar) around 30 popup windows with all sorts've educational pics came up.

    In 24 hours, one machine had over 60 viri quarantined and several pages of crap that spybot picked up.

    After enabling immunize, their infection rate went to almost 0.

    It's not perfect, but it is a great help, IMO.

  59. Maybe by llywrch · · Score: 2, Insightful

    My primary workstation at home runs Linux. However, to keep peace in the family, I got my wife a laptop running Windows (98SE to be precise; don't laugh, it does everything she needs, & I installed Eudora so to avoid Outlook & all of its problems, a step that prevented her from virus infections countless times).

    So last week while playing one of the online games at Yahoo, she is bombarded by countless pop-up ads. While she is a competent user, she knows this is beyond her & asked for my help. So I sat down & started digging thru the guts of Windows.

    Now keep in mind that for the last several years, I have dealt almost exclusively with Linux, Solaris & other flavors of UNIX; I was drawing from my memory of Windows 3.1 (& a hazy idea of the Windows Registry) for what to look for. And after 2 hours of hunting, I killed a couple of the easier bits of malware, but it wasn't until a colleague told me about Ad aware & Spybot that we truly started to make a difference.

    The moral of my story? Unless you're willing to live in a Windows-free world, its defects will still make your life miserable; & ignorance of Windows is not strength.

    Geoff

    --
    I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
  60. New.net by Tantrum420 · · Score: 2, Informative

    I too had this problem. Let AdAware take out New.net and Blammo! No network connectivity. Did the research and found the fix just like you did.

    "And Class.... What did we learn?"

    I learned to cruise through add/remove programs and remove any of the obvious spyware first. Sure, they don't usually "completely" remove themselves but then spybot/adaware get the remnants and I haven't had any problems with partial uninstalls on anything since.

    Just a tip.
    T

  61. How to remove Spyware by slonkak · · Score: 2, Informative

    1. Kill all suspicious processes
    2. Clear Internet history, cookies, and cache.
    3. Delete any crap from the Startup group
    4. Install Ad-Aware (this might have to be done from cd or removable media since some spyware causes internet breakage)
    5. Update Ad-Aware
    6. Run Ad-Aware
    7. Delete anything Ad-Aware quarantined
    8. Run msconfig and remove from the Startup group anything you don't know what it is
    9. Reboot
    10. Repeat steps 6 and 7
    11. Reboot

    You should be good to go. I've had to do this on just about everyone's computer in the dorm at school and many family and friend's computers... It's never failed once.

    Some people might not like this suggestion, but trust me, it works. Install Firefox and remove any shortcuts to IE (just make it unusable by the average person, since you still need it for Windows Updates). Teach whoever how to use Firefox. I've done this with my parents (who are NOT computer literate). I set all the settings correctly, installed all the plugins, etc. They don't miss IE at all. Plus, Firefox blocks popups and doesn't run ANYTHING without asking you first, thus, no more unwanted spyware from bad websites...

  62. My Two Cents, Korean Spyware... The Horror! by Chordonblue · · Score: 3, Informative

    I'd have to agree, with the small proviso that I think that anti-virus firms need to do a better job defining what a virus IS.. As the admin of a small school I've decided that next year I'm locking down the labs - big time. I didn't do it up until now because of program incompatibilities but I have to say that if this remains an issue, it won't matter - we'll get different programs.

    It wasn't so bad before this year. Yeah, there was some spyware out there, but it wasn't like f*cking 'n-case' which replicates itself to random filenames all over your drive and then inserts startup stuff in 'startup', the local and machine registry, and even the freakin' win.ini!!!

    I called Sophos on this after spending some two hours cleaning it up. I basically said, "You folks need to take some responsibility here."

    The time has come to draw the line in the sand. n-case and others like it, are VIRAL. It can't be removed easily by the user - NO agreement of this nature can be legally binding.

    Now for what frightened me the most: Ever have spyware that couldn't be cleaned by Spybot and/or Ad-Aware - even with the latest patches? No? Then you probably don't live in Korea. A few of our students do, and this is where this particular piece of crap came from. It defended itself by making a program that runs at startup that runs a program that ensures that another program is there and running THAT, reprograms your home page to a site that ActiveX 'drivebys' your computer to load the program!!! :O

    That was a bitch to clean up (although nothing compared to n-case!). You probably haven't seen this yet because it's a Korean app - but it managed to get on a few American machines here when the Koreans visited a site that installed some 'happy fun cursor' program.

    I'm ranting.. But the truth is: Admins have to do their part, but the anti-virus people have got to do a better job also. They need to stop turning a blind eye to this issue.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
  63. Why dont they lock down Run and Runonce? by Matey-O · · Score: 2, Interesting

    It seems like MOST of these beasties throw themselves into the Run and/or Runonce registry keys. Why can't those keys be locked down?

    --
    "Draco dormiens nunquam titillandus."
    1. Re:Why dont they lock down Run and Runonce? by The+Ape+With+No+Name · · Score: 2, Insightful

      Because Winders has a fundamentally flawed security implementation. No, I won't defend that statement. Res loquitur ipsa.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  64. Please don't tell them to call their ISP.... by Kazimira · · Score: 5, Insightful

    I saw in a couple of comments that folks referred users off to their ISP for help removing these items.
    DON'T! Please!
    A comparison I had to use yesterday with a customer because they were getting angry that we(ISP) would not help them was:
    If you have a car, don't maintain it, ignore the recall notices, drive without your seatbelt and slam it into park while still moving, you're going to have an accident or break the damn thing.
    Do not call the DOT/highway department because of it. We can't and are not going to help you.

    An ISP's job is to provide a customer an internet connection. Not to be their free tech bitches for any and every issue that comes along. We view virii and spyware as OS issues and not the ISP's connectivity issue.
    Our qualifying test is.....if your computer was in perfect working order, can you get on the internet. If it's not.....call us back when it is and we'll help you with the internet.
    That may sound a little customer unfriendly but when queue hold times are over 30 minutes and every customer is pissed off, you have to draw the line somewhere.

    If we fail to hold computer users responsible for their own actions, we are enablers of the behaviors we are complaining about.

  65. Re:Have daughter - SSDD by AetherBurner · · Score: 2, Interesting

    I warned my daughter about the Same Stuff on Different Days. Even had to reinstall Windoze on her system because it was so trashed. I read her the riot act about adding "the goodies" and tied in the third degree with it on top. The next week all of the garbage was back. So, I cleaned the drive again and pulled the network drivers. She has no email, internet, NOTHING. Yes I get the occasional whine and sob about not talking to her friends but I told her, you mess up - you pay. Best fix possible - pull the plug. It also works at the office. Install spyware after a cleaning and warning, your computer loses internet access. It is just ToughNetworkLove.

  66. Spyware and tech support by Orion+Blastar · · Score: 2, Informative
    Most OEM Helpdesks refuse to help the customer uninstall Spyware and Adware. They do not want to get sued by Spyware and Adware makers.

    I found that Spysweeper works better than SpyBot or others. It scans memory and can prevent Spyware and Adware from installing and schedules a regular scan in case they do install.

    If you run an X86 PC system with Windows, There is a solution to the malware problem if you are not too chicken to use it. Buy Crossover Office if you really want to run MS-Office and other MS-Junk. Yes you heard me right, leave that POS called Windows for an OS that does not suffer from such bad malware and security problems.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  67. Pay Up by Greyfox · · Score: 3, Interesting
    Require an internet license to connect to the Internet, similar to the ham radio license. That would involve users actually having to know a thing or two about their systems.

    The problem here isn't spyware developers. The problem here isn't the Nigerian spammers. The problem here isn't DDOSing skript kiddies taking over thousands of machines on the Internet. The problem here is users who expect to be able to be allowed to be completely ignorant of their extremely complex system while at the same time being protected against the hazards that they will encounter on the Internet.

    The solution is quite simple; force those users to learn the fundamental basics they'll need to protect themselves from all the above hazards, and require them to take a test to determine that they're at least minimally able to protect themselves. Additionally make it easy for a person working in a technical capacity to revoke that license ("I'm revoking your license. If you want it back you'll have to take the class and the test again.")

    Elitist? Is requiring a driver's license so that idiots won't go out and kill people on the road elitist? Is requiring a ham radio license so that people won't go out and interfere with legitimate services elitist? The potential exists to do as much or more damage with the Internet. We can no longer allow users to be blissfully clueless. A license is a public affirmation that they are aware of the responsibility they take when connecting their computers to the Internet.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  68. Do people actually follow the Advertisements? by Hippocrates · · Score: 2, Insightful

    Spyware has always baffled me. I don't see why anyone would ever follow any link that pops up on their desktop. It's annoying, and I just want to close it instead of buying anything from a pop-up company. Is it even a good marketing scheme? ...

  69. Pick Your Poison: Ad-Aware or Spybot by crashnbur · · Score: 2, Informative

    Repost of this comment, with fixed links. (Mod the other one down!)

    * * *

    Ad-Aware with Ad-Watch is my personal choice, which requires either the "Plus" ($26.95) or "Professional" ($39.95) edition. You'll have to go through the "Tweak" options to set Ad-Watch to run when Windows starts and start in blocking mode, but once it's up -- you don't have to worry about ad/spy-ware much anymore. Just run a comprehensive Ad-Aware scan every week or two, and check the results list to make sure nothing useful is being flagged as spyware! Oh, and Ad-Aware's free version (that does not come with Ad-Watch) is a very effective scanner/cleaner, but it will not stop ad/spy-ware from infiltrating your system -- it can only remove it after the fact, which often requires several minutes (or even hours?) of tweaking after their removal.

    Spybot Search & Destroy is my second choice, and except for its tendency to treat files quarantined by Ad-Aware as spyware (well, they are, but they're quarantined!) and to miss a few items that Ad-Aware finds, Spybot is very capable of keeping your PC (mostly) clean. But here's the catch: Spybot is freeware, so it is much more cost-effective than Ad-Aware, but remember the old adage: "You get what you pay for."

    I've used both Ad-Aware (more extensively) and Spybot (somewhat extensively) for several months, and here's my suggestion: use Spybot or Ad-Aware's free version at home if your files aren't "top secret" or otherwise crucial to anyone's survival; use Ad-Aware Plus or Professional on business computers (where the company will pay for the license) or if you want to protect your computer from gathering ad/spy-ware in the first place.

    There are other options out there, and remember that nothing is perfect... Some legitimate things will be deleted if you're not careful, and some illegitimate things will sneak through no matter how careful you are. The ad/spy-ware-war only marks our attempts to stay ahead of the game.

  70. Here's a tip for your ISP. by Gldm · · Score: 2, Interesting

    When I was working in phone support for a major ISP one of the biggest problems we had was people wouldn't call in about spyware problems until their machines were SO hosed they couldn't even GET to the sites to download removal tools. So eventually I started bugging my supervisor and various higher ups until we put spybot in a small public ftp that we all memorized the IP address of. That way when the users called in, what we'd do is have them open a command prompt, and walk them through an ftp on the command line to get the file. Sure it'd take 5 minutes to explain all the crap to type in, but it's way better than the usual "Wait I can't see the link anymore, there's a popup. Let me close it. Ok there's 3 popups, I'll close them. Ok wait I'll just reboot" etc that'd take half an hour. Command line ftp doesn't trigger all the resident hijack crap because it doesn't use the browser.

    --

    Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!

  71. wmplayer.exe - me too. Here's how to kill it by Weaselmancer · · Score: 4, Informative

    I had no idea I got it until I ran adaware. Then I got some freaking spyware bug that deleted windows media player and replaced it with a spyware app or a virus or something.

    I just fought that one off last night. Took forever to nail it down. Here's what finally worked.

    Delete the wmplayer.exe in Program Files/Windows Media Player. Run ad-aware 6 with the latest definitions. That'll zap the crap that it installs, which for me was windows/a.exe and windows/system32/bridge.dll, along with a host of other reg keys and crap.

    Because it's windows, reboot and run the scanner again. If it finds anything, repeat.

    If you're lucky, you'll still have a working copy of wmplayer.exe in windows/system32/dllcache. You'll know it's the good copy if it's larger than around 6k or so.

    Hope this helps, because this one was a total pain in the ass to track down. Good thing my machine is dual boot Linux. And my main windows browser is now Firefox, too.

    Oh yeah, on a side note... Whoever wrote the scumware that overwrites Windows Media Player needs to be hung by a pair of thumb screws and roasted over a coal fire. It's one thing to sneak your apps onto a system, but another thing entirely to overwrite existing apps.

    Here's hoping their crap gets noticed on some FBI computer somewhere.

    Weaselmancer

    PS: Just in case there's a friendly FBI guy reading this, take the scumware wmplayer.exe into a Linux install and run "strings" on it. You'll see the URL of the fine folks who brought you this plague. They encrypt their strings by inserting 4 garbage characters over 0x80 every so often, so ignore those.

    --
    Weaselmancer
    rediculous.
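
The string-padding trick described in comment 71 (a few bytes above 0x80 dropped into an ASCII string so that `strings` prints only fragments), handled from the analyst's side. This is an added example, not part of the post or of any tool named in this thread; the function names, the 4-byte gap limit as a parameter, and the sample bytes and URL are constructed for illustration.

```python
"""strings-style extraction that tolerates short high-byte padding in ASCII text."""
import re
import sys

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample, not taken from any real binary: a fake header, two
# ordinary strings, and a URL with 4 bytes >= 0x80 inserted every 8 characters.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00\x00"
    + b"http://t\x81\x9c\xe3\xf0racker.e\x8a\xb2\xc4\xd5xample.i"
    + b"\x91\xa7\xee\x80nvalid/u\x85\x99\xab\xcdpdate.php\x00"
    + b"\xff\xfe\xfd\xfc\xfb\xfa" + b"kernel32.dll\x00"
)


def plain_strings(data, min_len=6):
    """What `strings -n min_len` would show: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strip_high_gaps(data, max_gap=4):
    """Drop runs of 1..max_gap bytes >= 0x80 that sit between printable ASCII.

    Longer high-byte runs are left alone, so unrelated strings separated by
    binary data are not glued together.
    """
    pattern = rb"(?<=[\x20-\x7e])[\x80-\xff]{1,%d}(?=[\x20-\x7e])" % max_gap
    return re.sub(pattern, b"", data)


def recovered_strings(data, min_len=6, max_gap=4):
    """Strings that only become visible once the padding is removed."""
    before = set(plain_strings(data, min_len))
    after = plain_strings(strip_high_gaps(data, max_gap), min_len)
    return [s for s in after if s not in before]


def find_urls(data, max_gap=4):
    """URLs found in the de-padded strings."""
    urls = []
    for s in plain_strings(strip_high_gaps(data, max_gap)):
        urls.extend(URL_RE.findall(s))
    return urls


if __name__ == "__main__":
    # Pass a file path to scan a real sample; with no argument, scan SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in recovered_strings(blob):
        print("recovered:", s)
    for u in find_urls(blob):
        print("url:", u)
```

Stripping high bytes also joins legitimate Latin-1 or UTF-8 text, and UTF-16 strings are not covered, so treat the output as leads to confirm rather than as findings.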
  72. Spywareinfo.com by Tuxedo+Jack · · Score: 2, Interesting

    You think spyware's bad? Take a look at the "cool web search and other malware removal" forum on SWI.

    http://www.spywareinfo.com/forums

    Hell, just because of that crap that people push out, I keep a USB pindrive (yes, it's the "devil duck" one from ThinkGeek) filled with utilities:

    - Spybot (can be run without installing!)
    - Ad-Aware 6 installer and new reference file
    - Stinger
    - CWShredder
    - AVG installer and license code
    - ZoneAlarm installer
    - TheKillBox (can delete _ANY_ file - even ones in use)
    - PV (used to detect new versions of CWS that tie themselves to winlogon.exe as well as explorer.exe and can't be removed without DOS or the Recovery Console)
    - Firefox and K-Meleon installers

    Suffice it to say, my life is rather busy thanks to those bastards who make this.

    If I had my way, I'd take them out into the street, then let each and every person who was inconvenienced by their software throw one ball at them.

    I.E. shotputs.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  73. Bart's PE is a great Windows Boot CD by WoTG · · Score: 2, Informative

    Too bad my mod points expired...

    I'll vouch for Bart's PE as a great tool. It does take a while to assemble and build your boot CD - for licensing issues, you can't just "download an ISO". But, if you're looking for a way to easily get your friends and family off your back... this is a good way to go.

    There are extra benefits to using a boot CD versus a regular software install of anti-spyware. Since you're not booting from the hard drive, there's no chance for spyware launch "watcher" processes to prevent anti-spyware programs from installing or launching. While you're at it, you might as well pop a virus scanner on the CD, for similar reasons.

    As an aside, even though Bart's PE should have perfect NTFS abilities, when it comes to recovering data from damaged filesystems, Knoppix often works better - probably because it mounts read-only or something.