The Spyware Inferno

An anonymous reader writes "Ever thought there should be a scale for quantifying the evil Spyware does? In an editorial article at news.com.com, a Silicon Valley Venture Capitalist uses the levels of hell in Dante's Inferno to do just that. The article also goes into depth on how vendors, and Claria in particular, make money - of particular interest, 31% of Claria's revenue came through Overture. This may explain why Yahoo took so long to list Claria as Adware in its anti-spyware toolbar."

Remember Kids...

[romper]

Claria is Gator is Spyware.

Re:Remember Kids...

[TheSpoom]

I had a caller recently who I was doing technical support for, and I believe the issue was that they were getting some sort of error message when they booted up. I was going through MSCONFIG and unchecking startup items as she read them to me, and the conversation went something like this:

Her: "CMESYS."
Me: "Uncheck that, it's spyware."
Her: "Isn't that Gator?"
Me: "Umm... yes."
Her: "Oh, I pay for that, I don't want that removed. It fills in my passwords for me!"

Apparently she paid $30 / yr. for the "service" that the Gator eWallet was providing. She had called them (and in hindsight I should have asked for the number) before and they assured her that the paid version doesn't come with their normal great advertising code. I was considering banning her from the internet, but I would have been fired. :^(

IDS's

[kc0re]

I run IDS's for about 9 different Class C's and a handful of Class B subnets out there. I would say Gator, (to include all of it's baddies, stuff like, PrecisionTime and PrecisionDate), are about 60% of the signatures that alert on those IDS's. Not much I can do about it except report to the SA's which in turn choose to ignore me or run with it, but malware in general is becoming more of a prevalent problem. And frankly it's annoying.

Helpful tools

[zokum]

We all know spyware is a fucking waste of both resources and internet bandwidth, please do everyone a favour and install either Ad Aware from http://www.lavasoft.de/ or Spybot Search & Destroy from http://www.spybot.info/.

If you happen to run an OS where these aren't supported (everything but win*) just ignore this post :-).

Re:It's not just the shady companies

[VAXGeek]

Removing the Quicktime task is really pretty simple.

1) Find qttask.exe
2) Rename or delete.

Disable Real's SmartCenter by right-clicking on the real icon in your system tray (bottom right hand corner of the Windows screen) and select Disable Smartcenter.

Hardly "digging".

Re:It's not just the shady companies

[throughthewire]

I had to grin when you referred to the tray programs as TSRs. You've been doing this awhile, eh?

One little utility I find helpful is Mike Lin's StartupMonitor. It hollers at you whenever something (AIM, Real, Quicktime, etc.) attempts to register an executable to run at startup, and allows you to approve (or more to the point, deny) the attempt. Useful and educational!

My Spyware Experience

[BlueOtto]

As the Intern/Pc Support Help Desk guy at my work, I'd estimate that about half of the problems here are a result of spyware. However, I have a process that works MOST of the time to totally eliminate it it from a computer. It takes time (usually around 30 minutes), but being totally thorough makes sure that one piece doesn't get left behind and bring everything else back. This is what I do:

-Run AdAware and Spybot Search and Destroy (get latest updates!)
-Run CWS Shredder
-Run HiJackThis and locate all curious entries and remove them
-Run msconfig.exe and clear all suspicious or even borderline suspicious entries from startup
-Check running processes for suspicious entries (doing this a lot makes you familiar with what is good and not good. Stuff like WhatsUp.exe -- usually bad. Or WJLHOWPDMNW.exe)
-Try to kill the processes, and then locate and delete those files. If you cannot delete them or end the processes, write them down and boot into safe mode to delete those files
-Finally, check Program Files for suspicious folders. That's where much of spyware hides. Apoint2K and and search bars and anything else are BAD!

Re:My Spyware Experience

[Johnno74]

Download process explorer from www.sysinternals.com. It will tell you the full path, command line and TONS of stuff about each process.

It will even tell you what files/registry entries the process has open, and what DLLs it has loaded.

I've often seen spyware in a DLL that is open so can't be deleted. Sometimes they load themselves into explorer.exe.

Open process explorer, search for the DLL and it will tell you the processes that have it open.
Either kill the process, or force close the file handle (often nukes the process, but whatever...)
then delete the dll.

Re:It's not just the shady companies

[Octos]

Uhhhh. Did anybody in this thread bother to check the program preferences?

In Quicktime preferences: uncheck "Quick Time system tray icon" and it will never come back.

I haven't messed with Real player in a long time, but I recall a similar option being available if you right-click the tray icon, possibly in a preference panel.

I'm sorry it's so easy.

Re:as long as spyware actually does something

[Wescotte]

Just toss up a link that opens www.weather.com and puts in their zip code for them.

Re:It's not just the shady companies

[Schmucky+The+Cat]

There are several good suggestions here on how to disable recurring apps. Here are mine.

Set NTFS rights to the file to DENY for yourself or some subgroup. Deny rights take precedence.

For executables, setup a software restriction policy, (start, run, secpol.msc) that disables based on the path. Just enter the exe name or it has a nice handy browse button, but the path also accepts wildcards and environment variables. (Don't tell your netword administrator this, but putting %logonserver% in here prevents those annoying domain logon scripts.)

Re:Cliche

[dmayle]

The URI in my .sig is not a pyramid scam, but it is a marketing thing. If you're not interested, don't go there. This is very offtopic, but for anyone who wants to know what it is without clicking in my sig, it's a marketing company who gives rewards for getting other people to try out the services of their clients. It's not a scam, as it doesn't require you to put any money into it, and you're not getting paid off by other people. Marketing companies pay money for customer acquisition, and this marketing company has decided on a rather novel approach to getting you to try something. Giving part of the money to you. No software required, nothing installed, and if you're intelligent, you will use a one-off email address, because, even though they promise not to share your info with anyone else, their clients probably haven't (companies like AOL, columbia house, etc.)

For the record, I joined because of someone else's slashdot link, and the company has done nothing but act respectfully. No popups, no spam (so far), no attempts to misrepresent themselves, etc.

Marketing is not going to stop. People want to try to sell you stuff. What's abhorred here is companies who try to take over your computer to make money, even when you haven't given consent, or don't realize what's happening. Also, those companies who try to contact you without your permission, or prior inquiry.

Re:Where do you draw the line?

[afidel]

You don't have to bury it in the EULA and install spyware through the back door to do ad supported software. ICQ, Opera, and many shareware products incorperate ad sponsorship into the product in a manner that most users do not find offensive and which does not completely destroy the usefullness of the computer on which it is installed.

Re:What defines the circles?

[knarfling]

There is a .pdf file listed in the article. Downloading it shows Claria belongs in circle 6, The Heretics. Browser hijackers are circle 7, The Violent. Software that charges you without your knowledge is circle 8, the Liars, and software that tracks you keystrokes or transmits personal information belongs in the lowest of the low, The Betrayers.

Recovering from Spyware.

[Alien54]

Spyware removal can be a pain. Here is a repost of something I posted earlier, along with some added details

He went down the merry path of trying to rescue the system in order to keep customer data intact. The story is typical of someone who is entering the fray without have their tools prepared in advance. The solution always looks easier than it really is.

In his case, he needed

• a CD with all of the relevent tools and updates
• a windows boot disk with CD support
• an understanding of the windows command line in order to copy a subset of these tools to a convenient folder on the hard drive from the CD
• The knowledge to run these tools from Safe mode, and how to get there in the first place
• Include in the subset of tools one that can fix the broken LSP setup.

  [LSP or Layered Service Provider is a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet. Spyware is good at this, and some cleaners leave a broken LSP behind.

  With the correct tool, the fix takes seconds. Without the tool, you need to uninstall and re-install the winsocket, or else the same with the entire network support. Otherwise you fall into the trap this poor bloke got into.]

tips - I deal with this stuff all of the time. The best data on this stuff can be found in articles at spywareinfo.net - the forums are not bad either, although spywarewarrior.com also has good forums. also good to have is this list of known rogue spyware cleaners [spywarewarrior.com], along with this list of Anti-Spyware Orphans & Outcasts [spywarewarrior.com]

My current recommended free antivirus is Avast! Home Edition [avast.com], which is very low maintenance for the home user, and requires registration for the free license. It also protect a number of common Instant Messenger clients, as well as several common P2P clients. It is better than AVG in my opinion, and detects many trojans as well as spyware.

You can get a system that is so hosed that it will not boot, not even into safe mode, even under XP. The solution there to remove the hard drive, drop it into an external drive enclosure, and hook it up to another system where you can use scanning software to do a basic clean so you can boot in the original configuration. Once it boots you can install cleaners from safe mode, and then run cleaners from inside every user account. Note that you still need to run the clean from inside each user account because otherwise things will hide in the seperate user folders.

Re: the LSP chain break -- HijackThis can sometimes fix it. Otherwise, Spybot can fix it. Xblock will also fix it. [xblock is an excellent first pass cleaner, with a freeware version available). (Spybot second, AdAware third)I always use more than one scanner, and scan multiple times.] Immunisers such as SpywareBlaster are also nice. All of these packages are mentioned at spywareinfo.com, which sometimes goes under due to DDOS problems from people who do not like the services they provide. (insert obligatory plug for someone to help them out, one way or another.)

Re:Recovering from Spyware.

[Alien54]

Unless your windows back is infected, which often happens. Often the buggers will be in there for several months, which means that your backup is infected, even if ghosted.

Re:Recovering from Spyware.

[gblues]

XP SP2 also includes an automatic LSP chain fix tool.

Nathan

Re:It's not just the shady companies

The RealPlayer agent keeps running even when the option is disabled. You need to remove it from the register, by hand.

QT agent runs when Windows boots, but shuts down quickly if the option is disabled.

Only WinAmp actually disables the agent from starting at all -- well done Winamp!

Personally

[odaen]

I don't consider Claria all that bad. It's easiesh to remove, and can be done by practically any anti-malware program (except maybe Yahoo's earlier attempts), and actually tells you *what* is installed. (At least it did when I had it on my PC)

Possibly the most annoying ones are the anomymous ones such as 'CoolWebSearch' which you don't know what to search for to get rid of it and the ones which you have no clue how to remove 'MySearch'.

Or the worse ones at all, the ones that break the address bar so you can't access any sites via. internet Explorer. Thankfully PC Gamer has started including Mozilla Firefox on its Cd's and I reckon a few other major magaizes will follow suite.

Quite possibly the worse one is that piece of paid adware, the one which you have to format your entire P.C to get rid of all traces of it. 'AOL'.