Slashdot Mirror


New Tricks from Browser Hijackers?

Fortunato_NC asks: "I'm the IT manager for a small business that delivers its service via a browser-based application, and we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible, which is odd, since we don't have any advertising on our website. Of course, it's spyware causing the pop-ups, and we recommend using a product like Ad-aware to take care of the issue. However, not everyone gets the message. Today I was on a client's computer using WebEx helping them remove yet another 'browser helper'. The uninstaller for this program consisted of running no fewer than four separate programs, each of which forced closed the Internet Explorer windows, killing the WebEx session, and making it very difficult to service an already upset client ('What do you mean I have to join the meeting AGAIN?'). It seems as if this product anticipated the need to have someone remotely help the user remove it and went out of its way to make that task nearly impossible. Has anyone else on Slashdot encountered spyware or malware specifically designed to make life miserable for *remote* support techs? What other nasty tactics are spyware authors using that you've noticed?"

10 of 104 comments

  1. a few steps to clear yourself of all problems by xutopia · · Score: 1, Informative

    1. Make your browser application fully standards-compliant.
    2. Tell users with problems that the problem they are experiencing is beyond your control and has to do with IE and Windows sucking so bad.
    3. Let them know that CERT recommends they use something other than IE, like Firefox.
    4. Tell your clients that with Firefox their unwanted popups will never appear.

  2. Safe mode by QuantumRiff · · Score: 3, Informative
    Reboot the PC into safe mode (with networking), load Ad-aware (or whatever), get its updated def files, and scan.

    Doesn't work remotely, but seems to get pretty much all of them. However, I have seen in the last month one or two running even in safe mode on Win2k. As soon as you reboot back, they re-install about 10 more. Thank god for Norton Ghost for those nasty ones.

    On a side note, is there a huge list of IPs that these spamware come from, or report back to, or whatever? Sure would be handy to ban those IPs at the router.

    --

    What are we going to do tonight Brain?
    1. Re:Safe mode by lounger540 · · Score: 2, Informative

      I do tech support for an ISP. We don't officially support removing spyware, but this is a surefire way to get the net running again. The dreaded 98/ME, that's another story, requiring a full TCP/IP & Winsock reinstall. We charge for that great service. BTW: Winsockxpfix.exe works very well on XP systems too; that's the first thing I d/l from inside safe mode, or sometimes if email works but not IE, well, you see the picture.

      --
      LOOP1: MOV CX,2 LOOP LOOP1
  3. Re:nasty stuff by Anonymous Coward · · Score: 1, Informative

    Mozilla's looking pretty good about now.

    I would suggest Opera. I've been using it almost exclusively since I found version 3 back in the late 90s, and I've never EVER had a piece of spyware on my machine that didn't come with it. It's fast, small, customizable (especially for the intelligent user), and resilient when it fails. It has features for the serious browser user that Mozilla STILL doesn't have - in fact, all of Mozilla's best ideas (barring XUL perhaps) were in Opera first, and it's still ahead.

    If you give Opera a chance for just two weeks, I can almost guarantee you'll wonder what the hell you thought was so great about Mozilla. Mozilla is okay, especially if you're a casual browser, but if you spend a huge portion of your time in the browser, Opera is still the best.

  4. Re:Stop using IE by hdparm · · Score: 2, Informative

    Webex actually has a Mozilla client - no problems doing Red Hat webcasts.

  5. Spyware by Chop · · Score: 2, Informative

    I just got finished fixing an employee's home computer because Windows ME (ugh..) would show the splash screen and then reboot. Start the computer in safe mode? Nope, it would get to loading the desktop and then blue screen (windows protection error, please blah blah blah).
    Anyways, once I got the PC running I ran Ad-aware and it found ~70 or so items and removed them; however, I had to remove one file that Norton Anti-Virus detected, that Ad-aware missed, in the Windows folder, and I noticed an explorer.001 file. I renamed .001 to .exe and rebooted, I re-ran Ad-aware and it found an additional ~200 spyware items that it could not find the first time!

    NOTE: Ad-aware does not check the c:\recycled folder for spyware, however Norton Anti-Virus does...

    Chop

  6. Re:nasty stuff by magefile · · Score: 2, Informative

    Knoppix can already read NTFS, so it could (in theory) use AdAware, CWShredder, etc, it just can't write (so it can detect, but not fix).

    Depending on whether housecall.trendmicro.com is ActiveX or Java or whatever, it might work. Just wouldn't be able to fix anything.

    There is no stable NTFS writing driver yet. So ... no, there is no such tool.

  7. Listen Mode of VNC by WoTG · · Score: 2, Informative

    Most (all?) of the VNC derivatives inherited the VNC Client "Listen" mode and VNC Server side "Add Client" command. I've used these a couple times when the other person has (or I suspect has!) a NAT to get through.

    Assuming that you can configure the forwarding on your personal network correctly (I think listen mode is port 5400, but look it up), you can set your workstation to "Listen" for new VNC connections from your client's computer. Your client initiates the connection from their VNC Server program - right click, yada, enter remote support IP address, yada, yada. This nicely solves most of the common networking/port forwarding issues. It's also a heck of a lot easier than stepping someone through logging into a router and setting up port forwarding. It's a good design choice that VNC uses a single port, or else this wouldn't work very well!

  8. Re:Stop using IE by br0ck · · Score: 2, Informative

    put the firefox path into all the shortcuts and registry keys that currently point to IE

    And then the user won't be able to use Windows Update and they'll be worse off than they already are. Also, switching from IE wouldn't stop 99% of the crapware which mostly comes from people installing screensavers, P2P apps or those oh-so-cute little doggies that show up in the toolbars.

  9. Look2Me Installed as event processor? by Webmoth · · Score: 2, Informative

    One of the nastier ones I've dealt with lodged itself as a subkey in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Of course you couldn't delete the file because it was in use. You couldn't kill it because it was a DLL loaded by the winlogon process, which you can't kill. Attempting to remove it from the registry just triggered it to put it right back.

    Ended up booting to recovery console and deleting the file there so it wouldn't load, then was able to remove the entry from the registry.

    A quick Google search reveals it as "Look2Me". More info here.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
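
The Winlogon\Notify persistence point described in comment 9 can be audited offline by exporting that key with regedit and comparing each subkey's DllName against an export from a known-clean machine of the same build. The Python below is an added example, not part of the thread; the sample exports, the ExampleHelper subkey and ab12.dll are constructed.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(1)/hex(2) UTF-16LE bytes."""
    if raw.startswith(("hex(1):", "hex(2):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")  # .reg files double backslashes

def notify_packages(reg_text):
    """Map each Winlogon Notify subkey name to the DllName it registers."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    found, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            path = line.strip("[]")
            inside = path.upper().startswith(NOTIFY.upper() + "\\")
            key = path[len(NOTIFY) + 1:] if inside else None
        elif key and line.lower().startswith('"dllname"='):
            found[key] = decode_value(line.split("=", 1)[1])
    return found

def unexpected_packages(suspect_text, clean_text):
    """Entries on the suspect machine that are missing from, or differ from, the baseline."""
    clean = {k.lower(): v.lower() for k, v in notify_packages(clean_text).items()}
    return {k: v for k, v in notify_packages(suspect_text).items()
            if clean.get(k.lower()) != v.lower()}

# Constructed sample exports (not taken from a real machine).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

SUSPECT_EXPORT = CLEAN_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleHelper]
"Asynchronous"=dword:00000000
"DllName"=hex(2):61,00,62,00,31,00,32,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    for name, dll in unexpected_packages(SUSPECT_EXPORT, CLEAN_EXPORT).items():
        print(f"not in baseline: Notify\\{name} -> {dll}")
```

regedit writes version 5.00 exports as UTF-16, so read real files with `open(path, encoding="utf-16")` before passing the text in.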