Slashdot Mirror


The Spyware Inferno

An anonymous reader writes "Ever thought there should be a scale for quantifying the evil Spyware does? In an editorial article at news.com.com, a Silicon Valley Venture Capitalist uses the levels of hell in Dante's Inferno to do just that. The article also goes into depth on how vendors, and Claria in particular, make money - of particular interest, 31% of Claria's revenue came through Overture. This may explain why Yahoo took so long to list Claria as Adware in its anti-spyware toolbar."

46 of 437 comments

  1. Remember Kids... by romper · · Score: 5, Informative

    Claria is Gator is Spyware.

    --
    Right is wrong when left is right.
    1. Re:Remember Kids... by TheSpoom · · Score: 3, Informative

      I had a caller recently who I was doing technical support for, and I believe the issue was that they were getting some sort of error message when they booted up. I was going through MSCONFIG and unchecking startup items as she read them to me, and the conversation went something like this:

      Her: "CMESYS."
      Me: "Uncheck that, it's spyware."
      Her: "Isn't that Gator?"
      Me: "Umm... yes."
      Her: "Oh, I pay for that, I don't want that removed. It fills in my passwords for me!"

      Apparently she paid $30 / yr. for the "service" that the Gator eWallet was providing. She had called them (and in hindsight I should have asked for the number) before and they assured her that the paid version doesn't come with their normal great advertising code. I was considering banning her from the internet, but I would have been fired. :^(

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Remember Kids... by Toresica · · Score: 1, Informative

      I think people should be forced to take classes or seminars before using the Internet.

      Most people do, now, in Grade 6 Computer class or something.

      Although not quite that elaborate, usually.

  2. IDS's by kc0re · · Score: 5, Informative

    I run IDS's for about 9 different Class C's and a handful of Class B subnets out there. I would say Gator (to include all of its baddies, stuff like PrecisionTime and PrecisionDate) are about 60% of the signatures that alert on those IDS's. Not much I can do about it except report to the SA's, which in turn choose to ignore me or run with it, but malware in general is becoming more of a prevalent problem. And frankly it's annoying.

  3. Helpful tools by zokum · · Score: 5, Informative

    We all know spyware is a fucking waste of both resources and internet bandwidth, please do everyone a favour and install either Ad Aware from http://www.lavasoft.de/ or Spybot Search & Destroy from http://www.spybot.info/.

    If you happen to run an OS where these aren't supported (everything but win*) just ignore this post :-).

    --
    Rest in peace Malin "looxn" Kristiansen. We miss you...
    1. Re:Helpful tools by Anonymous Coward · · Score: 1, Informative
  4. Re:It's not just the shady companies by Cowclops · · Score: 2, Informative

    Are you removing them using msconfig? That seems to always do the trick for me. Just erasing them from the startup section in the start menu won't necessarily do it.

  5. Re:It's not just the shady companies by VAXGeek · · Score: 5, Informative

    Removing the Quicktime task is really pretty simple.

    1) Find qttask.exe
    2) Rename or delete.

    Disable Real's SmartCenter by right-clicking on the real icon in your system tray (bottom right hand corner of the Windows screen) and select Disable Smartcenter.

    Hardly "digging".

    --
    this sig limit is too small to put anything good h
  6. Re:dante by Anonymous Coward · · Score: 2, Informative

    and btw, if you'd like to read the actual Divina Commedia for free online (with footnotes in Italian) you can see it at:

    http://www.mediasoft.it/dante/

  7. Re:It's not just the shady companies by The+Bungi · · Score: 2, Informative
    That piece of unadulterated excrement QTask was bad in version 5 because it could not be turned off. If you removed it from the "Run" key in the registry the player would set it every time it loaded. So, the solution was to go into the directory where the exe resided and rename it to something like "-qttask.exe" or whatever. Presto.

    In version 6 you can right-click on the icon and set a preference to not have it load every time the machine starts up.

    I just wish the stupid Outlook 2003 icon could be killed as well.

  8. Re:It's not just the shady companies by throughthewire · · Score: 5, Informative
    I had to grin when you referred to the tray programs as TSRs. You've been doing this awhile, eh?

    One little utility I find helpful is Mike Lin's StartupMonitor. It hollers at you whenever something (AIM, Real, Quicktime, etc.) attempts to register an executable to run at startup, and allows you to approve (or more to the point, deny) the attempt. Useful and educational!

  9. My Spyware Experience by BlueOtto · · Score: 5, Informative

    As the Intern/PC Support Help Desk guy at my work, I'd estimate that about half of the problems here are a result of spyware. However, I have a process that works MOST of the time to totally eliminate it from a computer. It takes time (usually around 30 minutes), but being totally thorough makes sure that one piece doesn't get left behind and bring everything else back. This is what I do:

    -Run AdAware and Spybot Search and Destroy (get latest updates!)
    -Run CWS Shredder
    -Run HiJackThis and locate all curious entries and remove them
    -Run msconfig.exe and clear all suspicious or even borderline suspicious entries from startup
    -Check running processes for suspicious entries (doing this a lot makes you familiar with what is good and not good. Stuff like WhatsUp.exe -- usually bad. Or WJLHOWPDMNW.exe)
    -Try to kill the processes, and then locate and delete those files. If you cannot delete them or end the processes, write them down and boot into safe mode to delete those files
    -Finally, check Program Files for suspicious folders. That's where much of spyware hides. Apoint2K and search bars and anything else are BAD!

    1. Re:My Spyware Experience by Johnno74 · · Score: 3, Informative

      Download process explorer from www.sysinternals.com. It will tell you the full path, command line and TONS of stuff about each process.

      It will even tell you what files/registry entries the process has open, and what DLLs it has loaded.

      I've often seen spyware in a DLL that is open so can't be deleted. Sometimes they load themselves into explorer.exe.

      Open process explorer, search for the DLL and it will tell you the processes that have it open.
      Either kill the process, or force close the file handle (often nukes the process, but whatever...)
      then delete the dll.

  10. Re:It's not just the shady companies by drinkypoo · · Score: 2, Informative

    Been doing it wrong for a while, I'm guessing, since they are not nor do they resemble TSRs. As you probably know (but this is for the audience) TSRs only leave a piece of themselves in memory and the programs which put the icons in the system tray are full-fledged processes.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Re:dante by pilgrim23 · · Score: 2, Informative

    Dorothy Sayers, the author of the Lord Peter Wimsey series of murder mysteries, is also a noted translator of the Divine Comedy. Highly recommended. The mystery novels are also a ripping good read!

    --
    - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
  12. Re:Makes Open Source More Attractive by Anonymous Coward · · Score: 1, Informative

    OK I'm a bit confused. How does just compiling yourself protect against spyware? It seems to me that, to be 100% sure, you must audit the source code line by line.

    Perhaps you're thinking of the argument that since it's open source then others will spot any anomalies in the code. But you could still be compiling and running the app with the spyware before anyone finds it.

  13. Re:It's not just the shady companies by Octos · · Score: 5, Informative

    Uhhhh. Did anybody in this thread bother to check the program preferences?

    In Quicktime preferences: uncheck "Quick Time system tray icon" and it will never come back.

    I haven't messed with Real player in a long time, but I recall a similar option being available if you right-click the tray icon, possibly in a preference panel.

    I'm sorry it's so easy.

    --

    "I am not a number! I am a free man!"-- The Prisoner

  14. Re:It's not just the shady companies by cortana · · Score: 2, Informative

    I have the idea that it keeps all the various settings Windows has for file association in sync with what the user has specified in the QT control panel.

    But qttask is easy to get rid of! The Quicktime control panel has a checkbox for it, and once unchecked it is gone forever, including a reinstall or upgrade of QT as far as I remember.

  15. Re:It's not just the shady companies by YU+Nicks+NE+Way · · Score: 1, Informative
    I just wish the stupid Outlook 2003 icon could be killed as well.
    Your wish is our command, master. Look here.
  16. Re:Cliche by DeepHurtn! · · Score: 2, Informative

    During goldrushes, it was very seldom the prospectors that actually made any money -- the people who really got rich were the shopowners who sold supplies to the people who actually looked for gold. I think that spam, at least, is like that -- the real business is probably selling the tools of the trade to idiots who will go out of business in half a year.

  17. Re:9 circles???? by vrTeach · · Score: 2, Informative

    Nope, 9 is correct. The Divine Comedy

    --
    -- My system administrator has a big black moustache.
  18. Re:Really? by vrTeach · · Score: 2, Informative

    Claria prefer to call it Online Behavioral Marketing, according to their web site.

    --
    -- My system administrator has a big black moustache.
  19. Re:as long as spyware actually does something by Wescotte · · Score: 4, Informative

    Just toss up a link that opens www.weather.com and puts in their zip code for them.

  20. Re:Where do you draw the line? by ewhac · · Score: 2, Informative

    Addendum: Mentioning spyware in the "license" does not constitute meaningful disclosure.

    Schwab

  21. Re:It's not just the shady companies by Schmucky+The+Cat · · Score: 4, Informative
    There are several good suggestions here on how to disable recurring apps. Here are mine.

    Set NTFS rights to the file to DENY for yourself or some subgroup. Deny rights take precedence.

    For executables, set up a software restriction policy (start, run, secpol.msc) that disables based on the path. Just enter the exe name or it has a nice handy browse button, but the path also accepts wildcards and environment variables. (Don't tell your network administrator this, but putting %logonserver% in here prevents those annoying domain logon scripts.)

  22. Re:Cliche by dmayle · · Score: 3, Informative

    The URI in my .sig is not a pyramid scam, but it is a marketing thing. If you're not interested, don't go there. This is very offtopic, but for anyone who wants to know what it is without clicking in my sig, it's a marketing company who gives rewards for getting other people to try out the services of their clients. It's not a scam, as it doesn't require you to put any money into it, and you're not getting paid off by other people. Marketing companies pay money for customer acquisition, and this marketing company has decided on a rather novel approach to getting you to try something. Giving part of the money to you. No software required, nothing installed, and if you're intelligent, you will use a one-off email address, because, even though they promise not to share your info with anyone else, their clients probably haven't (companies like AOL, columbia house, etc.)

    For the record, I joined because of someone else's slashdot link, and the company has done nothing but act respectfully. No popups, no spam (so far), no attempts to misrepresent themselves, etc.

    Marketing is not going to stop. People want to try to sell you stuff. What's abhorred here is companies who try to take over your computer to make money, even when you haven't given consent, or don't realize what's happening. Also, those companies who try to contact you without your permission, or prior inquiry.

  23. Re:Where do you draw the line? by afidel · · Score: 4, Informative

    You don't have to bury it in the EULA and install spyware through the back door to do ad supported software. ICQ, Opera, and many shareware products incorporate ad sponsorship into the product in a manner that most users do not find offensive and which does not completely destroy the usefulness of the computer on which it is installed.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  24. Re:It's not just the shady companies by malthusan · · Score: 2, Informative

    Disabling the systray icon doesn't disable qttask.exe.

  25. Re:as long as spyware actually does something by Anonymous Coward · · Score: 1, Informative

    I hate to break it to you, but weather.com has become corrupt as well. weatherunderground.com is about as good as it gets right now, and then you get people complaining to you for political reasons when you have them go there. Weather on the internet is lose-lose.

  26. Re:It's not just the shady companies by Anonymous Coward · · Score: 1, Informative

    As far as real goes it just depends on what version you are using.

  27. Spyware is getting nastier by Anonymous Coward · · Score: 1, Informative

    Most of my work as a PC tech these days is removing spyware and trojans from users' machines. Some of the stuff out there is really, really nasty. Spyware creators have now started employing trojan tactics such as wrapping the spyware files in rootkits to hide files and registry entries. I suspect this is mostly due to the money involved. The more bucks that are in the game the nastier these critters will become.

    I just wish everyone ran a tool like Trojan Hunter or Ad-aware, as it would make my job much easier. After cleaning the same stuff from the 10th machine the same day you get kind of fed up...

  28. Re:What defines the circles? by knarfling · · Score: 4, Informative

    There is a .pdf file listed in the article. Downloading it shows Claria belongs in circle 6, The Heretics. Browser hijackers are circle 7, The Violent. Software that charges you without your knowledge is circle 8, the Liars, and software that tracks your keystrokes or transmits personal information belongs in the lowest of the low, The Betrayers.

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  29. Re:It's not just the shady companies by E-Rock · · Score: 2, Informative

    You've turned off the icon, not the task. Also, if you delete it from the registry the little bastard puts itself back any time a quicktime is played.

    I'm tempted to just remove all the permissions on the run key so nothing can put itself there.

  30. Re:It's not just the shady companies by sootman · · Score: 2, Informative

    Quicktime is even easier than another poster described--(right-?)click on the tray icon, properties (or whatever), and uncheck 'quicktime system tray icon' in the 'browser plug-ins' settings page (which, IIRC, is the first to come up.) Or go start menu - control panels - quicktime. It's in the options. No need to delete files, etc. Of course, I'm sure it comes back after each update, but it's not too horrid. I agree that any intrusion is too much, but still, compared to others', it's not too bad.

    I hate real's with a passion, not only because it's hidden, but because once you find it, you still have to wade through a couple confusing "aren't you not sure you don't want to not have this not launch at startup?" confirmation screens.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  31. Recovering from Spyware. by Alien54 · · Score: 5, Informative
    Spyware removal can be a pain. Here is a repost of something I posted earlier, along with some added details
    He went down the merry path of trying to rescue the system in order to keep customer data intact. The story is typical of someone who is entering the fray without having their tools prepared in advance. The solution always looks easier than it really is.

    In his case, he needed

    • a CD with all of the relevant tools and updates
    • a windows boot disk with CD support
    • an understanding of the windows command line in order to copy a subset of these tools to a convenient folder on the hard drive from the CD
    • The knowledge to run these tools from Safe mode, and how to get there in the first place
    • Include in the subset of tools one that can fix the broken LSP setup.

      [LSP or Layered Service Provider is a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet. Spyware is good at this, and some cleaners leave a broken LSP behind.

      With the correct tool, the fix takes seconds. Without the tool, you need to uninstall and re-install the winsocket, or else the same with the entire network support. Otherwise you fall into the trap this poor bloke got into.]

    tips - I deal with this stuff all of the time. The best data on this stuff can be found in articles at spywareinfo.net - the forums are not bad either, although spywarewarrior.com also has good forums. also good to have is this list of known rogue spyware cleaners [spywarewarrior.com], along with this list of Anti-Spyware Orphans & Outcasts [spywarewarrior.com]

    My current recommended free antivirus is Avast! Home Edition [avast.com], which is very low maintenance for the home user, and requires registration for the free license. It also protects a number of common Instant Messenger clients, as well as several common P2P clients. It is better than AVG in my opinion, and detects many trojans as well as spyware.

    You can get a system that is so hosed that it will not boot, not even into safe mode, even under XP. The solution there is to remove the hard drive, drop it into an external drive enclosure, and hook it up to another system where you can use scanning software to do a basic clean so you can boot in the original configuration. Once it boots you can install cleaners from safe mode, and then run cleaners from inside every user account. Note that you still need to run the clean from inside each user account because otherwise things will hide in the separate user folders.

    Re: the LSP chain break -- HijackThis can sometimes fix it. Otherwise, Spybot can fix it. Xblock will also fix it. [Xblock is an excellent first-pass cleaner, with a freeware version available. (Spybot second, AdAware third.) I always use more than one scanner, and scan multiple times.] Immunisers such as SpywareBlaster are also nice. All of these packages are mentioned at spywareinfo.com, which sometimes goes under due to DDOS problems from people who do not like the services they provide. (insert obligatory plug for someone to help them out, one way or another.)

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Recovering from Spyware. by Alien54 · · Score: 4, Informative

      Unless your Windows backup is infected, which often happens. Often the buggers will be in there for several months, which means that your backup is infected, even if ghosted.

      --
      "It is a greater offense to steal men's labor, than their clothes"
    2. Re:Recovering from Spyware. by gblues · · Score: 3, Informative

      XP SP2 also includes an automatic LSP chain fix tool.

      Nathan

  32. Re:It's not just the shady companies by Anonymous Coward · · Score: 3, Informative

    The RealPlayer agent keeps running even when the option is disabled. You need to remove it from the register, by hand.

    QT agent runs when Windows boots, but shuts down quickly if the option is disabled.

    Only WinAmp actually disables the agent from starting at all -- well done Winamp!

  33. Re:It's not just the shady companies by jcr · · Score: 2, Informative

    Uninstalling Quicktime on an MS-Windows machine is pretty straightforward.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  34. Re:Adbar by Alien54 · · Score: 2, Informative
    --
    "It is a greater offense to steal men's labor, than their clothes"
  35. Personally by odaen · · Score: 3, Informative

    I don't consider Claria all that bad. It's easiesh to remove, and can be done by practically any anti-malware program (except maybe Yahoo's earlier attempts), and actually tells you *what* is installed. (At least it did when I had it on my PC)

    Possibly the most annoying ones are the anonymous ones such as 'CoolWebSearch' which you don't know what to search for to get rid of it and the ones which you have no clue how to remove 'MySearch'.

    Or the worst ones of all, the ones that break the address bar so you can't access any sites via Internet Explorer. Thankfully PC Gamer has started including Mozilla Firefox on its CDs and I reckon a few other major magazines will follow suit.

    Quite possibly the worst one is that piece of paid adware, the one which you have to format your entire P.C to get rid of all traces of it. 'AOL'.

  36. Re:It's not just the shady companies by rnelsonee · · Score: 2, Informative

    Hehe. Startup Monitor is a TSR that loads up on startup itself! It does look pretty darn useful though. At the moment, I'm using Startup Mechanic. Same deal, but it doesn't run as a process, it's a standalone program that you run once in a while when you suspect something weird going on. Good for those who want to run as few processes as possible.

  37. Re:It's not just the shady companies by EtherMonkey · · Score: 2, Informative
    Besides spyware, what annoys me is "user agents". Quicktime, RealPlayer, and Winamp all have little TSR's that load at start-up and eat megabytes of memory for "quality assurance" and "ease of use" purposes. I don't know how many times I've tried to disable qttask.exe or realsched.exe in my start up only to have it come back unexpectedly.
    Then why not use Quicktime Alternative and Real Alternative instead? They work fine for me, and don't include any spyware or other negative features that I can detect.
    --
    --- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
  38. Re:It's not just the shady companies by Motherfucking+Shit · · Score: 2, Informative
    Set NTFS rights to the file to DENY for yourself or some subgroup. Deny rights take precedence.
    Here's a complementary tip which will work on FAT32, all versions of Windows, and most other operating systems. If an application keeps creating a file or directory you don't want it to, delete the offending file or directory, create a new one with the same name, and set its read-only attribute. On most unices, chmod 000 will do just fine; on Windows just right-click and get the properties; on a Mac (including OS X) do Get Info and tick the "Locked" checkbox.

    Bonus points to anyone who reads this and thinks "thaumaturgy.log" ... :)

    My favorite use for this is AOL Instant Messenger. While I love the app, it has an insatiable desire to create a directory named "filelib" within the HKCU's "My Documents," even if you never use the program's file transfer capabilities. "filelib" gets further populated with subdirectories named after each screen name you use. To fix this: exit AIM, delete the "filelib" directory, create a file named "filelib" inside of "My Documents," and set it to read-only. AIM will no longer create its unneeded tree there.

    The same trick works to permanently prevent Windows ME from writing its subdirectories into C:\_RESTORE. Those who are familiar with this lovely feature, and who share the frustration that disabling it doesn't really disable it, may find this advice useful. I don't recall the subdirectory names, fortunately it's been awhile since I've had to deal with WinME.

    My Documents\Application Data is another location where this comes in handy. Some versions of Windows Media Player write out a datafile on exit which contains MRU file lists among other things. I believe that some Adobe products used to write their MRUs to data files in AppData also, none installed so I can't double check.

    Of course there are times when this trick won't work, several spyware apps tend to infest a system so deeply such that a) if you delete a component, another running component notices and immediately writes out a new copy; or b) some or all components run in a manner where attempting to delete them gives an error that the file is in use by the system. Safe mode, Ad-Aware, Spybot, and HijackThis - sometimes a combination of all of the above - will take care of these cretins.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  39. Re:Cliche by Mycroft_VIII · · Score: 2, Informative

    Well just looked at the link, sure looks borderline to me. Send us $$ get 20 others to do so and get I-pod. This with non-functional links to their terms and privacy policy. I didn't bother to try to find out which country they're operating out of to avoid the lawsuits and such when they happen.

    Mycroft

    --
    https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  40. Recovering from Spyware - The easy method by Oddly_Drac · · Score: 2, Informative

    "You can get a system that is so hosed that it will not boot, not even into safe mode, even under XP."

    For crying out loud; Boot from the CD, go through the motions of installing Windows XP, choose 'repair this installation'.

    You can now recycle the extra verbiage for other things.

    --
    Oddly Draconis
    Too cynical to live, too stubborn to die.