Analysis of Spyware

scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"

Even Sevens

[mfh]

> And that's were I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on it's merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.

Personally, I think you should examine ways to get even. Even-Stevens.

Up until this point, I've seen lots of anti-spyware put out that blocks spyware and protects your system from unjustified Reg entries etc., but it generally stops there. It's a shield when what we need is a shield and a sword.

Covenants, without the sword, are but words, and of no strength to secure a man at all -Hobbes

What I would like to see is anti-malware that bites back, hard.

We had this site going a while back that was going to test anti-trolling methods, like by taking a troll user and stuffing them in their own world. All their posts would be modded up and their view of the site was totally different than the users who were not trolls. Of course in tests it was easy enough for them to spoof their IP to get past this, but many of them didn't realize how to do it.

But for malware sites, what if we came up with a solution that would detect it and let it believe it was working, but generated the data needed to put these goofs in jail. I think the SETI distributed computing model could be slightly altered to work to this end.

Then we could get Even-Stevens.

Re:Even Sevens

[FooAtWFU]

What I would like to see is anti-malware that bites back, hard.

Well, you could feed the spyware's controllers some fudged data, but how do you think you're going to get a SETI@Home-like model to "generate the data needed to put these goofs in jail"? Please, explain how repeated computation of fast Fourier transforms will do anything to uncover the spyware's owner. :)

Suppose we managed to get your nice antispyware software to collect data on the spyware's owners. What form do you think that data will take? I'm guessing it would be little more than IP addresses. Perhaps you can convince the authorities to subpeona the ISP for the owners of those addresses, but I doubt it. Good luck.

Re:Even Sevens

[LostCluster]

You're missing a key point. Spyware operators can't be put in jail because they're not breaking any laws simply by publishing spyware. Being scum is not a crime.

A virus gets onto a user's computer through security holes, but malware simply walks through the front door stating their evil intents in a clickwrap TOS that the user usually doesn't read. There's no crime in getting people to agree to something stupid in exchange for a silly little app that runs in the corner of their screen.

Re:Even Sevens

[MindStalker]

Your implying that spy and malware exist because people want attention. That may be true concerning many viruses, but spy ware is simply about money.

Re:Even Sevens

[nkh]

I don't have Windows, but I've seen stories on /. about users infected by spywares, instead of the usual TOS clicking.

Re:Even Sevens

Perhaps you can convince the authorities to subpeona the ISP for the owners of those addresses, but I doubt it.

Why is it that "the authorities" are interested in subpoenaing the addresses of filesharers, but not illegal malware scammers?

Re:Even Sevens

[WgT2]

Hmmm. Interesting opening comment:

Society will always generate malcontents and folks with antisocial personality features.

Surely you don't mean to discredit these malcontents' freewill do you? And the suggestion that the have "need" to hurt other people also seems to disown them of their personal responsibility to behave properly dispite if they are malcontent and have antisocial personality "features". I'd rather call the later "choices."

Shheesh! What kind system would any lawful country have if they were to punish their criminals because someone else, i.e. "society," made them choose to be evil, malicious, self-serving, or greedy? Sure, society and it's micro-cosmos might promote these things, but everyone is ultimately responsible for their own decisions. Please, let us not even hint at the contrary.

Thanks,

William

Re:Even Sevens

[Crizp]

I got a cousin whose Windows XP would display 31 (he counted them) popups (a new, different one after the previous had been closed), when he logged on his user profile.

After I reinstalled XP for him, I installed Firefox and ordered him to use that and forget about IE unless he wanted to be hit upside the head with my cluestick. He doesn't know much about the underlying technology of computers and recent software but everyone in the family understands when I say "use that and evil stuff might be installed on the PC even if you're only surfing around". They take my word for it as I'm the resident geek.

I did the same with his family's computer. Now I just have to explain stuff to the youngest son who insists on using BearShare, Kazaa (even if I've said NOOOO!) and such stuff. He downloads and installs small programs. Once, the family computer was infected with over 150 viruses.

My cousin is extremely happy with Firefox, once I've shown him the concenpt of tabbed browsing, he's never looked back. And the computer don't get as much spyware installed now. The younger brother screws that up a bit 'cause he won't listen. Damn nu-metal ignoramus :)

Re:Even Sevens

[ScrewMaster]

Actually, no. The vast majority of mal-ware is installed via drive-by downloads using Internet Exploited^H^H^H^Hrer. The only reason people see a click-through is because they're lucky enough to install an application that happens to ask for permission ... and I've seen a number of these things that go ahead and install themselves even if you click No. Once you've run the setup program you're probably screwed.

I did something similar to the article's author some time ago, although I wasn't particularly detailed in my "analysis." I set up a dummy XP Pro machine (unpatched, since that's how Joe Average's machine will likely be even if he does have broadband and knows how to use WindowsUpdate) and started browsing around for a couple of days as I normally would. I installed no applications other than those that came with XP. At the end of my test period, I had a couple of dozen different unauthorized apps running that entered the system solely through the browser. No warnings, no click-throughs ... just stealth downloads. The test machine was a reasonably fast 1.4GHz Athlon but it was decidedly sluggish at the end. I did have to get rid of a couple of browser hijackers along the way just so I could continue the test. I used Spybot and Ad-Aware to get some idea of the actual programs that were installed: the list was pretty extensive but I have no idea if I found them all. The network it was attached to is otherwise pretty thoroughly firewalled and anyway these weren't worms.

And I wouldn't be so sure these jerks aren't breaking any laws. Regardless of the privacy implications, spyware causes damage. Trashed systems, lost data, personnel time spent cleaning infestations and so forth. I've seen corporate workstations with thirty or forty spyware applications running simultaneously, causing major performance loss and instabilities. It wouldn't be hard for a corporation with a few hundred workstations to get the FBI interested with a legitimate damage claim of a few hundred grand in losses.

Spyware, malware, adware, spam ... all of these are parasitical activities on the part of a diseased few. And they have been greatly aided and abetted in their behavior by the likes of Microsoft, who either by design or by incompetence made such things trivial to implement on a vast scale. My feeling is that, given the relative importance of the Internet to all of the world's largest economies (and to the developing nations that would like to use it to improve their own lot) some kind of immune system will have to be developed to deal with these parasites. That may involve gunshot wounds to the head, I don't know.

Re:Even Sevens

[bhtooefr]

You could say that your Internet browsing patterns, or things you entered into forms, were copyrighted (say that you were attempting to create a geographic art form by traveling the Internet, and use that as the thing that they broke copyright on), and get them with 512(h) of the DMCA (all you need is a "good faith belief that someone violated your copyright", after all)...

Re:HAH!!!

[Nogami_Saeko]

So... Security through obscurity then? :P

(runs away)

N.

In other news

Ive heard that MyDoom 3 has just been released too... a much darker scarier variant which seems to have originated on mars

What happens?

[Rosco+P.+Coltrane]

What actually happens when you install adware/spyware/malware?

I'm not sure. Let me ask BonziBUDDY...

Re:What happens?

[accidental_1]

What did it say?
It told me i need viagra.

Re:HAH!!!

[Eudial]

Nah, i feel more like

Mua ha ha ha ha ha ha ha! Inferior beings! I run an antiquated version of SPARC solaris, and NOTHING is compatible with SPARC solaris! Not even spyware!

firefox testimonial

I have been an IE devotee since v4.x came out. I have recently moved over to Firefox in order to stop me having to keep up with all the security problems I started to experience only inthe last couple of months.

Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox.

I downloaded Service pack 2 release candidate and noted a lot of security improvements and features, but in agreeance with with MS whom today released the full Service pack 2, it seems to mainly add 'bars and locks' to your 'doors and windows'. Whereas Firefox seems to be a better neighborhood to live in from the start.

Re:firefox testimonial

[TheHawke]

Oh Mod this parent up!
You hit the nail on the head several times with firefox's security. It does seem to have marked improvements over IE in security, blocking 'wares from going off in your system, to barring banners from starting up, ever!

Of course I maintain a hosts file that pretty much keeps them at bay.

http://www.pelicancoast.net/~nighthawke/hosts.zi p

Re:firefox testimonial

[Rosco+P.+Coltrane]

Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox.

Perhaps lots of people, including Microsoft itself, have an interest in perpetuating the myth that software is inherently insecure.

Re:firefox testimonial

[scubacuda]

Check out this host file also.

Re:firefox testimonial

[TheHawke]

Eeek! This guy just upstaged me! Now i'll go sulk for a week then get EVEN!

Re:firefox testimonial

[Donny+Smith]

Oh, I get it now - Microsoft makes shitty OS and then secretly invests in anti-virus companies to make money!

Shiiit, maybe I should have put this in the slashdot-user-friendly format with little numbers as in:
1. Write shitty OS
2. Invest in A/V vendors
3. Profit

What a bunch of bullshit.

Re:firefox testimonial

[len_harms]

you may find this usefull as well.
pac file
I use it in addition to a decent hosts file. I even combined the two. That way the freeking browser doesnt even ASK to be nuked. Before popup blocker was put into Mozilla and IE this is what I used. I rarely saw a popup, and my spyware count went to 0. Sometimes it pukes on itself but someone was kind enough to put a 'turn it off for now' thing. Which is kind of cool as with a hosts file you have to move it out of the way then back when done. There is also a plugin for mozilla I belive that does something similar. But for someone who has to use both its pretty easy to keep running.

The reason I like the pac thing a little better as it snags whole domains. Where as a hosts file only gets 1 site. Also sometimes you want to goto one site but not part of that site. Its pretty powerfull...

Re:firefox testimonial

[TheHawke]

Heheh, nice one Len!
Actually, i've put a IPblock in my hosts file by entering the IP address into it and referring it to loopback. (I know, it goes agianst the RFC for DNS, but it works!)
I've dogfarted on gator/claria with this action and they are pretty much torqued off at me for that. Of course, i've made it rather difficult for them to get in touch with me without sending a message thru a lawyer by blocklisting their domain in our POP3, hee hee hee hee.

This way it keeps'em honest and let's them know that they are not welcome in any way, shape or form

malware honeypot?

[TheHawke]

I wonder if someone can whip up a honeypot that'll reverse-engineer some of the malware out there, munge all the URLS down and give proof that someone is doing this on purpose.

Then maybe the state DA's will jump in and make a lesson of a malware producer or two. That is, if they are local. IF not, LART until their router is unplugged.

This 'ware business is seriously getting out of hand and MUST be dealt with, one way or another. IF we have to force these jokers to go overseas, fine, then we'll do so and isolate their domains at root DNS.

Re:malware honeypot?

Let's give credit where credit is due!

Did you RTFA? The spyware he mentioned all loaded automatically using exploits that are only available in IE and Windows! This is all courtesy of Microsoft!

Face it: these people would not be able to do these things without Microsoft's brain-dead approach to secure design. If you wanna sic DA's on somebody, point them at Microsoft!

Re:malware honeypot?

[selderrr]

You mean like we want to do with spammers ?
We all now how well that worked


Face it : malware is the new spam, and it is a lot harder to detect & isolate. OSX & linux users may be safe for now since the problem is moved from mailserver to client machine, but it is only a matter of time until java malware shows up.

The ONLY solution is keeping the OS secure, the firewall tight and the user aware not to click bogus utilities. That and a network wide hosts file that redirects a lot of crap.

Re:malware honeypot?

[TheHawke]

I do not disagree, and let me reinforce the point. the 'wares take a direct path to customers systems from known sources, unlike virii.
If someone goofs and winds up on a site like the article mentioned, guess what, the customer just hit a malware mine.

It's not like the lovebug bit where it spread like wildfire, at random, the 'wares are more focused and actually show a purpose behind their creation: to retrieve personal information on the user behind the keyboard.

Under Federal and State regulations, this shows Willing Intent to Commit Malice, possible violations of Wiretapping Laws,and is grounds for prosecution to the fullest extent of the Law.

Re:HAH!!!

[tekiegreg]

ok I can one up that....my Netscape for abacus's owns your puny spyware infested site!!!!

Mozilla Firefox - it solves most problems....

[Gigantic1]

Those poor soles running Internet Explorer (like ME until recently) don't know what they are missing by not switching to Firefox, Opera, and some of the other fine browsers out there.

Usually, I skeptical about "Freeware", but Mozilla's Firefox has been a glorious exception. Not only is it faster, more intuitive, and easier to use than IE, it is also MORE SECURE. Unlike IE, Firefox does not allow ActiveX and VBScripts to run - and this is a blessing.

Please consider giving it a try.

Happy surfing.

Re:Mozilla Firefox - it solves most problems....

[Rosco+P.+Coltrane]

Those poor soles running Internet Explorer (like ME until recently)

Jesus, it's about time you upgraded from ME, I'd say...

Re:Mozilla Firefox - it solves most problems....

[Gigantic1]

Nooooooo. Sorry about the confusion. "ME" referes to myself, not "Windows Millineum Edition" (Yuck)

Currently, I'm running Mozilla Firefox on Windows 2000, and I have no complaints. In fact, I'm happier about surfing the web than I've been in years!

For reference, Firefox may be downloaded at http://texturizer.net/firefox/index.html.

Happy Surfing.

Spyware Prevention

[Tiberius_Fel]

I've found that all the spyware can be kept down to basically zero if you do what I do (even for Windows users). I use Firefox and not IE (it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)... And speaking of ad-aware, I run it regularly. Honestly, spyware statistics would go way way down if people ran an anti-spyware program now and then. I find in my experience, when you run it for the first time and get 500 - 1500 "objects" found, it wakes the user up as to what sort of crap is on there, and after that they seem to be pretty good about running it themselves.

Re:Spyware Prevention

[MyHair]

(it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)

I don't think Ad-Aware (or other spyware scanners) checks Firefox cookies. I just ran and older version and it only found an Alexa registry entry, but I opened my Firefox cookies.txt and found a doubleclick.net cookie in there.

I'm a Firefox user/fan and IE hater, but Firefox doesn't inherently block tracking cookies, so I had to pick at your example. (Yes, Firefox does allow forcing per-session cookies, but it's not on by default, and it causes problems with remember-my-login cookies.)

Changing subject:

I noticed McAfee and others now have Anti-Spyware products alongside the AntiVirus products in stores. I'm wondering why the distinction between viruses and spyware? Shouldn't scanning for them and removing them involve the exact same process? Why not just include spyware/adware in the definition files?

Yeah, the obvious answer is "to make more money", but that really pisses me off.

And let's not forget...

[Tuxedo+Jack]

How about the bastards who make browser hijackers? Removing CoolWebSearch's affiliates wastes so much goddamn time at my office, it's literally taking nearly three hours a week.

And don't deny it - their affiliates DDoSed SpywareInfo because it told people how to remove their bastardly malware and provided CWShredder.

I say we go after them, drain their coffers dry, and donate the funds to the Mozilla Foundation or something.

No spyware here

[SteveXE]

I managed to keep my pc pretty much spyware free when running IE aside from the day to day tracking cookies.

I switched to Mozilla about 2 months ago and not only do i never get spyware cookies due to its easy to use cookie blocking and plugins, but its so much better in many respects. I still have to use IE on some pages that contain video files, and i do have a few gripes but overall its much better and lets me control my internet experience on many more levels.

Re:I guess you missed the memo...

You know, you are absolutely right! I am going right back to IE.

After all, just this one vulnerability makes it just as insecure as IE's 1035.

New one just in: now 1036...

another: 1037...

another: 1038...

Shit! I'm not gonna keep this up all day!

Spyware is just another form of a virus

[onyxruby]

How long will it take people to realize that spyware is just another form of a virus? I remember when people used to argue trojans weren't viruses and now people have finally come to accept them as just another form of a virus.

Look, I have worked on systems that have had hundreds of infections, from viruses and spyware. I routinely subject a drive from a machine with spyware to the same checks and controls I do with viruses. I start by removing the victim drive and putting it in a secondary control system. Only then can I properly remove the hooks installed to prevent you from really removing things.

I've seen everything from DLL hooks to putting itself into the system restore file or hidden OEM restore partitions. This way windows itself will *fix* your removal. I've seen where they try to emulate legitimate hotpacks and patches. It's pretty simple really, if a program installs surreptitiously, disguises itself, and takes steps to prevent it's removal - than it is a virus.

Re:Spyware is just another form of a virus

[drinkypoo]

Spyware/Adware is only as much a virus as a worm is. Guess that makes it a worm. Viruses infect other programs, worms propagate themselves as a program. There is a grey area when they hook themselves into assorted libraries, though.

Re:Spyware is just another form of a virus

[sploo22]

Wrong. Here are some definitions of a computer virus:

A program that can infect other programs by modifying them to include a possibly evolved copy of itself.

"A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system." -- Symantec

Get your terminology straight. If it doesn't infect other software, it is not a virus. Your argument is like saying malnutrition is a virus because it makes you sick.

Re:Spyware is just another form of a virus

User: Wow! SuperKaazaMidgetCursor! (I agree.) (I agree.) (I agree.)

Peter Norton: SpyVirus removal complete!

User: Norton broke my SuperKaazaMidgetCursor. No more free MP3s and naked strippers on my desktop WAH! I want my money back!

[The big difference between Anti-Virus and Spyware-Removal programs, is that the former is based on program behavior, and the latter makes value judgements about what is 'good' software or 'bad' software. I don't think any developers want a situation where they have to get their programs certified as "good" by some 3rd party.]

Re:Spyware is just another form of a virus

[WhatAmIDoingHere]

Did you read the post you replied to?

He said: "I've seen everything from DLL hooks to putting itself into the system restore file or hidden OEM restore partitions."

That sounds like it's infecting software. Last I checked, Windows wasn't hardware.

Re:Spyware is just another form of a virus

[Gigantic1]

Wrong. Here are some definitions of a computer virus....

So...you preface your diatribe as shown, and then proceed to tear into the guy's thread for the sake of Semantics.

Please...lighten up. We can all be friends here.

Thanks.

A lot of people don't care

[.+visplek+.]

Funny thing is that a lot of people just don't care. I remember that visual plugin for Winamp: Wild Tangent Valentine Dancer. It turned out to be spyware (and so did the rest of Wild Tangent's plugins and apps) but a lot of people just wanted to see a girl dancing on their screen. They just don't care. Not aware of the results of a spyware infested computer and blinded by some digital hottie. The result is over 3,707,559 downloads.

Re:A lot of people don't care

You wouldn't happen to know the URL for that dancing girl, would you?

Re:A lot of people don't care

[danila]

We need an open source project to provide this functionality in a spyware-free format. The reality is that people need dancing girls, they need strippers on their desktop, they need other bells and wistles. And they will install them, so I'd rather see them install GNUGirl and GNUBuddy.

pollution

[wobblie]

the only effective way to combat this is to pollute/crapflood their databases, in a massive sustained effort. A DDos they they are just begging for.

Just how that's done is another matter; but how long will it be before some enterprising young soul comes up with a daemon that generates false information and does nothing but pollute spyware databases? If it can be done with SETI, it can be done here ... the caveat is that the machine would have to be "infected" to do this ...

Working version

[fuctape]

Working version of the article (for now): http://isc.sans.org/diary.php?date=2004-07-23

make it fun

[zogger]

it's weird but it's hard to get people to download and run antimalware stuff. But they WILL download and run other things, so, I got an idea, code one of those anti virus anti malware things so it works like a video game, you hunt and destroy the individual malware doodads graphically.

Just not IE!

[yoshi_mon]

I realize that Firefox and Mozilla get all the glory here on /. due to them being OSS but the bottom line in all of this is just that IE is the one to blame.

I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.

For whatever reason Opera only seems to get a nod here when it should be getting a lot more but cest la vie. I personally will continue to support Opera until they sell out or whatever but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many diffrent browsers will only help everyone in the long run.

Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.

I want an integrated tool!

[gone.fishing]

I hate spyware. It is much worse than most of the viruses I've dealt with. As a support technician in a large corporation I deal with it every single day. Some days, all day.

I'd love to see a tool that would deal with all security threats to the desktop. A single tool that would protect against viruses, malware and would act as a smart desktop firewall. We already use an anti-span service but I think the tool should do that too. In the workplace it should be centrally controlled and updated automatically. It should report on attemts and allow the networking folks to use this data to stop stuff at the corporate firewall.

While I am dreaming, I think I'd even like to tool to provide a transparent, managable method of deploying service packs and patches to the desktop (although that is I admit probably better seperately with software deployment tools).

I suppose the server boys would probably need a tool to keep those back-room boxes squeeky clean too. Maybe a special server version of the same software could be slapped on those bad-boys.

I understand why companies are reluctant to share data but in the case of "common security threats" I think that an exception should be made and an automated but monitorable system of threat identification and reporting should be built into the software so as soon as a new threat is identified it can be made available to everyone using the software.

Then we can all cooperativly figure out who is doing this and we can publish that information somewere (like slashdot?) and we can provide them with a little justice!

Re:I want an integrated tool!

[blowdart]

You support a large corporate network that allows their users installation rights (face it, most spyware doesn't install unless you have rights to install BHOs, ActiveX controls or other rights)? You work in a large corporation who runs a windows network and doesn't know how to push patches out over AD, or the nicer 3rd party products out there that do it?

What's your ticker symbol, because I don't ever want to buy stock in a company that can't run a network properly.

Re:I want an integrated tool!

[localhost00]

I think the integrated tool you're looking for is called "properly configured Linux".

I am not trying to be anti-Linux here, since I am booted into it anyway, but I tend to believe that there is a "properly configured Windows XP" too.

It includes:

All users use a Limited account
The is ONE admin account, to be configured with a red desktop and boring scheme as to place zero doubt that no one is supposed to be there to do anything except to install software.
Except for Windows Update, no user under any circumstance whatsoever should use Internet Explorer in the Admin account.
Zone Alarm
Ad-Aware
XP installed on 4-8GB partition
Documents and Settings redirected to another partition (yes, it is possible with a single reg hack)
Norton Ghost (on a FAT32 partition)
Good copy of System partition image on the FAT32 partition
Any suggestions?

I have a theory that the scumware threat in Internet Explorer becomes extremely inert when someone browses the Internet while logged into a limited account. Can't write to HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE. Heck, can't write anywhere on the system partition. Can anyone confirm this theory?

Startup Cop

[blackmonday]

There's a really nice tool on the net called startupcop that was made by the ZDNet people, released, then dropped. You can still find it on google as "startcop.zip". It's a nice program that shows you what starts in Windows when you boot. My friend had about 60 different adware/spyware programs on his machine. I was able to remove most of them except for this pesky TV something adware which would not uninstall. And something else, there's some other kind of app that won't let adaware or spybot run. Its a giant pain in the ass, my friends PC is unusable, eve with Mozilla, and he ahs a $50 a month broadband bill. The sons of bitches who make these programs need to be put in jail. There, now i feel better.

Re:Startup Cop

[Jade+E.+2]

this pesky TV something adware which would not uninstall

OK, here you go, JD's quick guide to removing hardened spyware, such as TV-Media (tvm.exe). (This is mainly for stuff that the spyware removers can't delete, or that won't let AdAware and it's friends run.) This is even maybe a bit semi-on-topic, wow.

First, get HijackThis. If you're not very familiar with windows internals, run it on a couple clean systems to get a feel for what should be there.

If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.

Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4 iirc) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more dlls in the system32 directory. (I havn't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably being the tvm.exe startup item. Killing tvm.exe won't help with this, either.

Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.

First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.

Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)

Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n in TVM's case), open regedit and go to that key. (NOTE: If you're using windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar) Click on the key (The entire folder, not the individual entry) and choose permissions from the file menu (or right-click menu in XP). Now you need to deny access to everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will and of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.

Hope that helps, and good luck.

How about fixing the user...

[Phil+John]

...since it's always the same one beat it into him with a clue-by-four.

Re:There's a simple solution to this..

[nyseal]

"Just don't use Windows or IE"......now THERE'S something new for slashdot. Sheesh

I avoid spyware by...

[vudufixit]

1. Not visiting porn sites 2. Not going to the default homepage network 3. Not downloading and installing Kazaa or PTP apps of that ilk. 4. Not clicking on any popup or banner ads 5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft. I still run IE, and I have a bare minimum number of XP fixes.

Re:I avoid spyware by...

Then you are gonna get it eventually!

You really need to take a look at some of the vulnerabilties in IE. You don't have to click any popup or banner ads; they can install whatever they want just because the ad popped up in the first place. Did you RTFA? This particular spyware infection started by opening a popup frame that was 1 pixel by 1 pixel; you wouldn't even know that something had popped up, let alone have to click on it. Then it used a .chm exploit that looks like it opens whatever page the spyware writer wants! You don't have to browse to porn sites; they will do it for you! Then it gets around to resetting your home page to whatever the author wants; this could certainly be a porn site, too. And it goes on and on...

Look, the most telling quote in the whole article is: ...you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it.

and it is strictly because you are running IE and Windows!

Re:HAH!!!

[anynameleft]

"run an antiquated version of SPARC solaris, and NOTHING is compatible with SPARC solaris! Not even spyware!"

You know that your C compiler might well be infected to compile some spyware and backdoors into itself and applications it compiles?

As an IT Consultant, this is a huge problem.....

[djhankb]

For my clients, many of them have spent 1000's in my time repairing these issues. I can't say that it's bad for *my* business, but for them... Many are tired of paying for me to be the network Janitor. And I am with them.... Being the Network Janitor isnt much fun.

On the flipside, a simple solution that I've been implementing, is a simple linux box, setup as a transparent proxy, using Squid, with DansGuardian (a pay-for product) doing content filtration, as well as stopping Active-X controls dead in their tracks.

This has proved to be very cost effective, around $300-400 in my time to setup, and stops the junk dead.

Perhaps some other IT managers can put this software to use.

-H

REGMON and FILEMON

[Wolfier]

If you're a Windows user, I suggest you go to:

SysInternal

To get utilities like REGMON and FILEMON.

While people has used them for other purposes (for example, figuring out where sharewares store dates), they can useful tools against spywares too.

Run them before doing anything you think MAY be dangerous, and you'll be able to see spyware activities right in front of your eyes.

About Opera--Switched 3 days ago

[jmenon]

I moved to Opera three days ago after finally getting cheesed off with having IE launch spyware apps and then crash virtually every time I opened it.

I have the free version right now, in which I can even choose whether I prefer Google ads or big, noisy banners. I went with Google, since I am a Gmail fan anyway. One of my friends thinks I am a wuss for thinking this, but I actually like the text ads by Google. They are becoming familiar, and they virtually disappear on the Opera interface unless I need them, and then they are actually relevant!

What I like best about Opera is, well, many things:

1. Never had a popup since I have used it.

2. Easy to read RSS feeds, including a customized Opera newsfeed that brings Slashdot, Salon and some other feeds together as one.

3. Easy password fill-in (I know IE has something like this too, but I just never trusted it, given all the security holes.)

4. Easy, comprehensive toolbar customization. You can also customize your menus and toolbars with single-click "Setups". The toolbars are also far more intelligent than IE. You can set them to appear only when you need them, like the download status bar, which disappears as soon as your page is completed.

5. I imagine the mail and newsgroup features of Opera are also excellent, although I am married to Outlook and don't intend to switch.

6. Not the least important thing is that the design of the interface shows some visual design sensibility; a trained graphic designer of two must have actually designed it!

Basically, it feels like a much more sophisticated, softer Internet experience. I have Firefox installed as well, but mainly for testing my Web pages. It seems too simplified for me. I like complex but well-designed interfaces.

Are there rumours about Opera selling out? If so, I hope Google buys them (and then makes Gmail Opera-compatible.)