Slashdot Mirror


Analysis of Spyware

scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"

6 of 246 comments

  1. Re:firefox testimonial by scubacuda · · Score: 3, Informative
    Check out this host file also.

  2. Just not IE! by yoshi_mon · · Score: 4, Informative

    I realize that Firefox and Mozilla get all the glory here on /. due to them being OSS but the bottom line in all of this is just that IE is the one to blame.

    I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.

    For whatever reason Opera only seems to get a nod here when it should be getting a lot more but c'est la vie. I personally will continue to support Opera until they sell out or whatever but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many different browsers will only help everyone in the long run.

    Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.

    --

    Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
  3. Re:Spyware is just another form of a virus by sploo22 · · Score: 3, Informative

    Wrong. Here are some definitions of a computer virus:

    A program that can infect other programs by modifying them to include a possibly evolved copy of itself.

    "A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system." -- Symantec


    Get your terminology straight. If it doesn't infect other software, it is not a virus. Your argument is like saying malnutrition is a virus because it makes you sick.

    --
    Karma: Segmentation fault (tried to dereference a null post)
  4. Startup Cop by blackmonday · · Score: 3, Informative

    There's a really nice tool on the net called startupcop that was made by the ZDNet people, released, then dropped. You can still find it on google as "startcop.zip". It's a nice program that shows you what starts in Windows when you boot. My friend had about 60 different adware/spyware programs on his machine. I was able to remove most of them except for this pesky TV something adware which would not uninstall. And something else, there's some other kind of app that won't let adaware or spybot run. It's a giant pain in the ass, my friend's PC is unusable, even with Mozilla, and he has a $50 a month broadband bill. The sons of bitches who make these programs need to be put in jail. There, now I feel better.

    1. Re:Startup Cop by Jade+E.+2 · · Score: 4, Informative
      this pesky TV something adware which would not uninstall
      OK, here you go, JD's quick guide to removing hardened spyware, such as TV-Media (tvm.exe). (This is mainly for stuff that the spyware removers can't delete, or that won't let AdAware and its friends run.) This is even maybe a bit semi-on-topic, wow.

      First, get HijackThis. If you're not very familiar with windows internals, run it on a couple clean systems to get a feel for what should be there.

      If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.

      Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4 iirc) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more dlls in the system32 directory. (I haven't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably being the tvm.exe startup item. Killing tvm.exe won't help with this, either.

      Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.

      First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.

      Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)

      Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Run in TVM's case), open regedit and go to that key. (NOTE: If you're using Windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar.) Click on the key (the entire folder, not the individual entry) and choose permissions from the file menu (or right-click menu in XP). Now you need to deny access to everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will any of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.

      Hope that helps, and good luck.
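      As an added example (not from the thread or any of its posters), the script below does the read-only part of the procedure above in a modern PowerShell session on the affected machine: it lists the Run entries, URLSearchHooks and Browser Helper Objects that HijackThis shows as O4/O3/O2 items, resolves each CLSID to its DLL, and flags entries whose file is missing or not validly signed. The verdict is a triage heuristic, not proof of infection, and the registry paths are the standard ones for those autostart locations.

```powershell
# Added example, not part of the Slashdot thread: enumerate the autostart
# locations the comment walks through (Run entries, URLSearchHooks, BHOs)
# and flag any whose on-disk file is missing or not validly signed.
# Read-only triage; it changes nothing. Run from an elevated PowerShell.

$HKLM = 'HKLM:\Software\Microsoft'
$HKCU = 'HKCU:\Software\Microsoft'

function Get-RegValues([string]$Key) {
    # Value names/data under $Key, minus PowerShell's own PS* note properties.
    if (-not (Test-Path -Path $Key)) { return }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Data = $_.Value } }
}

function Resolve-Clsid([string]$Clsid) {
    # Map a COM CLSID (BHO or URLSearchHook) to the DLL registered as its in-proc server.
    $k = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -Path $k) { (Get-ItemProperty -Path $k).'(default)' }
}

function Get-AutostartEntries {
    foreach ($hive in $HKLM, $HKCU) {
        foreach ($v in Get-RegValues "$hive\Windows\CurrentVersion\Run") {
            # Strip quotes and arguments to isolate the executable path (O4 items).
            $exe = if ("$($v.Data)" -match '^\s*"?(.+?\.(?:exe|dll|com))') { $Matches[1] } else { "$($v.Data)" }
            [pscustomobject]@{ Type = 'Run'; Name = $v.Name; Path = $exe }
        }
        foreach ($v in Get-RegValues "$hive\Internet Explorer\URLSearchHooks") {
            [pscustomobject]@{ Type = 'URLSearchHook'; Name = $v.Name; Path = Resolve-Clsid $v.Name }
        }
    }
    $bho = "$HKLM\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (Test-Path -Path $bho) {
        foreach ($sub in Get-ChildItem -Path $bho) {
            [pscustomobject]@{ Type = 'BHO'; Name = $sub.PSChildName; Path = Resolve-Clsid $sub.PSChildName }
        }
    }
}

function Test-AutostartEntry($Entry) {
    # Heuristic only: a missing file or an unsigned binary deserves a closer look.
    $p = [Environment]::ExpandEnvironmentVariables("$($Entry.Path)")
    if (-not $p -or -not (Test-Path -LiteralPath $p)) { return 'MISSING-FILE' }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    if ($sig.Status -ne 'Valid') { return "UNSIGNED($($sig.Status))" }
    'ok'
}

Get-AutostartEntries |
    Select-Object Type, Name, Path, @{ n = 'Verdict'; e = { Test-AutostartEntry $_ } } |
    Format-Table -AutoSize
```

      Entries marked MISSING-FILE or UNSIGNED are the ones to compare against a clean system, as the comment suggests, before deleting anything.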

  5. I avoid spyware by... by vudufixit · · Score: 3, Informative

    1. Not visiting porn sites
    2. Not going to the default homepage network
    3. Not downloading and installing Kazaa or PTP apps of that ilk.
    4. Not clicking on any popup or banner ads
    5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft.

    I still run IE, and I have a bare minimum number of XP fixes.