Defeat Spyware

Why you should consider it: If you do not keep spyware off your computer and keep it clean, you become part of a global problem.

Defeat Spyware
Supplied by: Short-Media
Author Brian “Primesuspect” Ambrozy
Article Date: Feb. 06/04

What is spyware and how do I get rid of it?

Spyware is variously referred to as “malware,” “adware,” and “scumware,” among other things. Basically, spyware can be defined as a class of software designed to take over various aspects of your computer, either to generate profit for unscrupulous people or businesses or to use your computer for various illegal or immoral purposes. Spyware is generally installed by you, the user, either wittingly or unwittingly. Trojans and viruses are either installed by you or installed by taking advantage of security exploits in Microsoft Windows. This article will focus on Windows, since spyware is not a phenomenon that has hit the Mac or Linux world yet.

ActiveX tricks

In order to truly understand spyware, and thus why it is so insidious, we must understand a little bit about how Windows works and how the internet works. A few years back, Internet Explorer gained the ability to run little programs called “ActiveX Controls” over the web. This was a boon to usability and created all kinds of neat ways to use the internet to interact with your machine - take WindowsUpdate, for example. You can connect to Microsoft’s WindowsUpdate site and it installs an ActiveX control that allows the website to scan your computer and tell you if you need any security or stability updates. This is an extremely helpful site that would not be possible without ActiveX. Sometimes computer manufacturers use ActiveX controls for a similar reason: They can tell you if your machine needs any updates that can help it run better.

However, somebody realized that they could use ActiveX to get you, the user, to install whatever software they wanted onto your computer. With home broadband use exploding, millions of computer novices now have high speed, always on connections to the internet, and no knowledge of how to keep them safe. Malicious and unethical software developers realized how easy it would be to tap into this huge pool of smiling consumers with relatively large disposable incomes. Spyware was born.

As I just mentioned, they had to get you to install it yourself. The easiest way to do that is to trick you into clicking the ActiveX installer.

You’ll notice that there is always the sentence ‘Do you want to install and run “……”?’ Spyware installers will often trick you into thinking that what you’re about to install is some magical piece of software that will make your life better. They may say things like “Do you want to install and run MegaCute Robot, a free and fun character for your desktop that will help make your web surfing more fun and productive by helping you find the things you need instead of things that just waste your time?” or “Do you want to install and run SuperClock, a free application that will always make sure your computer’s time is correct and also do neat things like show you the weather and help you find millions of free songs and games for your computer?”

So the average uninformed computer user thinks, “Wow.. That sounds neat!” and clicks it. Now, you have a free and fun character for your desktop that helps make lots of money for some company with a name like AffiliateNetwork GiantCorp. How do they make money? They take over your computer. They take it over so that if you go on the web and look for things, they prevent you from going where you intend to go and instead direct traffic to their search sites. Their search sites are usually affiliated with “clickthrough” advertising networks or CPC advertising (cost per click) and they will make a penny or two if you click on a link on their site. They try to keep you within their network by spawning popups that also contain clickthrough links. Some are so clever (and scummy) that it may look as if you are trying to close the windows by clicking the red “X” but even the “X” will lead to a clickthrough link. Now, pennies may seem frivolous, but if you have your spyware installed on hundreds of thousands or even millions of computers, you can see how it becomes profitable.

The other thing they can (and often will) do is open the floodgates for the manufacturers of OTHER malicious and unscrupulous software. Many spyware programs will take control of certain aspects of your computer and actually start installing other software, all of which is bad. Spyware can do many terrible things to your computer, including running tracking and logging software constantly in the background, thus reducing your computer and internet performance; tracking every single website you go to and reporting it to a central server somewhere; breaking critical parts of the Windows system so that it can’t be uninstalled through normal means; and even redirecting every single thing you type through their servers so that they know every single thing that you use your computer for.

Many spyware companies operate “offshore” - that means they operate from servers in places like Russia or China that cannot be governed by US law, and thus they have free rein to do whatever they want to your computer. The worst part? Many of the people who are actually profiting from this nefarious scheme ARE in the United States, but since the server itself is offshore, they are protected.

Get the tools to protect yourself

Now that you know what spyware IS, the most important thing to do is find out how to remove it from your system, and then how to protect yourself from ever getting it again.

Since I remove spyware so often as part of my day job, I have a toolkit of sorts. Removing spyware almost always requires a “cocktail” of spyware removal applications. The four that I use most often are:

HijackThis
CWShredder
Spybot Search & Destroy
AdAware

As you may know, Windows has the ability to launch applications upon startup. However, there are many “hooks” into the Windows startup system, meaning there are several ways to get things to run on bootup. Spyware installers make sure their software is put right into those hooks, often in multiple places, so that even if you delete it from the startup sequence in one place, the other will just keep it running and copy it back into the startup sequence for the next time around. The first program on my list, HijackThis, will show you exactly what runs on Windows startup, as well as showing you all the programs that are “hooked” into Windows and into Internet Explorer.

Now, HijackThis is sometimes dangerous for the novice to use because it does not make any distinction between legitimate software, such as your instant messaging program or your scanner’s control panel, and spyware. Its job is to show you exactly what runs when your computer starts, that’s it. You have to rely on the help of experienced computer users to know what belongs and what doesn’t. You can easily break your system by deleting the wrong item from your startup sequence. However, nothing works better to show you everything that is hooked into your system.

There is one particularly bad piece of spyware that has been grouped into a family known as “CoolWebSearch”. CWS is an extremely well written, extremely hard to kill piece of spyware. It is so “hooked” into the system that until CWShredder came around, some people wrote it off as impossible to remove without breaking Windows. CWShredder is a fantastic program that identifies (at the time of this writing) 30+ variants of the CWS engine and is able to remove them without destroying Windows. CWShredder is updated almost weekly because of the different variants of the spyware that come out. It is essential software if you have any of the pieces of spyware that use the CWS engine to hook into your system.

Spybot S&D is one of the best all-around spyware removal applications. It is also updated quite often and has a pretty big library of known spyware programs and other privacy-invading bits. It acts quite like an anti-virus program in that you can update your “spyware definitions” from a server over the internet and then scan your system for spyware and kill any that you find. It finds and removes MOST spyware out there.

Anything that Spybot S&D misses can usually be found with AdAware. AdAware operates in much the same fashion as Spybot S&D, but sometimes catches things that S&D doesn’t, and vice-versa. If you have a seriously bad infestation, I recommend running both. Some people prefer one to the other, but I don’t get into those arguments.

Removing the spyware

We’ll get into the specifics of each application in a moment, but first let me explain my usual method of spyware diagnosis and removal.

First, I close all running programs and then I bring up the task list by clicking start –> run –> and typing in taskmgr (you can also hit ctrl-alt-delete and click “Task Manager”). Click the “Processes” tab, and you will see something like this:

Here you can see a list of things that are running on your computer. As you can tell, most of them run in the background, without putting anything on the screen, so this is the only way you can see them. A clean Windows system should only be running between 10 and 20 processes when it’s doing “nothing”. If you see something like “52 running processes” then you know right away that there’s a problem.

Two of the most immediate places I look for spyware startups are in the following locations:

C:\Documents and Settings\username\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Replace “username” with whatever name you use to log in (sometimes Default, for example).

Anything in those folders will run immediately. Many OEM computers (computers from Dell, Gateway, etc. - store bought as opposed to home-built) have many things in these folders right from the factory. Dell, for example, usually has the MusicMatch Jukebox application, the Dell Support connector, and, if you have a Dell printer, the Dell Printer control panel start up. You have to use your judgment on what is legitimate here. You can always temporarily move things to a folder that you make on your desktop (or wherever) called “temp” or something, and reboot to see if anything important has been affected. If suddenly your scanner stops working, you know you moved the wrong item.

Usually the first thing I do is run CWShredder. Here’s why: if a CoolWebSearch variant is indeed running on your system, it will actually stop you from running spyware scans. It is smart enough to detect attempts to detect it, and to stop them. After you run CWShredder to find and kill a CWS infection, you should reboot and then run Spybot S&D.

Upon opening Spybot S&D for the first time, you should immediately check for updates. Download any of the updates it offers and then click “Check for Problems” under the “Search & Destroy” heading. It will run and if you have any spyware infections, it will list them in red. You might be surprised at just how many things you actually had running on there.

Check off the red items and click “Fix selected problems”. This will take care of the majority of your spyware problems.

I say “majority” because lately there are especially difficult removal problems with certain well written and prolific spyware installations. I have encountered some programs that actually break Windows’ ability to get on the internet without them, so that when you remove the spyware, you break Windows. Not to fear.

Here’s where HijackThis comes into play. Even after a Spybot S&D and AdAware scan, you may still have Browser Helper Objects and other creepy things installed. Browser Helper Objects (also referred to as BHOs) are basically little applications that run from within Internet Explorer and Windows Explorer (despite several lawsuits, Internet Explorer is still inextricably tied in with Windows) and have carte blanche as far as what they are able to do. BHOs can be installed in so many ways that I won’t even bother listing them right now. When you run HijackThis, you will get a list of all kinds of things - as I said before, many are legitimate. One thing to look out for is the entries that have “BHO” in them - I would venture to say that you don’t need ANY of the BHOs. Some of the few legitimate BHOs are the Yahoo Companion and the Google Toolbar, but some people even find those questionable. At any rate, you should delete any suspicious-looking BHOs from within HijackThis. One of the other key things to look for in HijackThis is the word “Search” - basically, if the word “search” appears in a startup item, it’s generally a piece of spyware: “SearchHelper,” “CoolSearch,” “SearchCompanion,” “WebSearch,” etc. Get rid of them.
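As an added example (not from the article and not HijackThis itself), the PowerShell script below enumerates the same startup hooks the article describes (the Run keys, the two Startup folders, and the Browser Helper Objects key) and applies the “search” heuristic from the paragraph above. It only reads; it deletes nothing, and a match is a lead to investigate, not a verdict.

```powershell
# Added example, not part of the original article. Read-only inventory of the
# common Windows startup "hooks" and Internet Explorer BHOs, flagging entries
# whose name or command contains "search". Run in an elevated PowerShell.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Registry Run/RunOnce values: each value name is an entry, each value is a command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
}

# 2. The per-user and All Users Startup folders named in the article.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File | ForEach-Object {
        $findings += [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID; the DLL IE loads for it is the
#    default value of HKLM\Software\Classes\CLSID\{clsid}\InprocServer32.
#    (On 64-bit Windows, 32-bit controls also live under a Wow6432Node copy of these keys.)
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
        $findings += [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Command = $dll }
    }
}

# Apply the article's heuristic. Legitimate software can match too (e.g. a vendor's
# own "search" helper), so review each flagged entry before removing anything.
$findings | ForEach-Object {
    $suspicious = ($_.Name + ' ' + $_.Command) -match 'search'
    $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
} | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```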

After you clean up BHOs with HijackThis, run Spybot S&D again, just for good measure.

Removing the trojans and viruses

At this point, your system should be fairly clean. At least, clean of spyware. You may still have trojans or viruses. For most people, these things go hand-in-hand with spyware. What I mean to say is, people who have spyware on their computers generally have a trojan or two as well.

What’s a trojan? It’s essentially the same as spyware, but it can differ in a few key ways. It doesn’t necessarily have to be installed by the user - trojans can install themselves on your computer utilizing security exploits and “backdoors” in an unpatched or unprotected Windows installation. While some trojans ARE installed by you (like the ones that come in email attachments), there are others that are installed by hackers or by trojans on other computers (they propagate themselves with no human intervention). Another way they differ is that they can serve no purpose other than to propagate themselves and give somebody else (the virus author or their friends) unrestricted access to your computer. They may not be for profit either. Take the MyDoom virus that came out in January of 2004, for example. It served two purposes: to log keystrokes and send them to the virus author, and to attack the website of the SCO company at www.sco.com on February 1st, 2004 so that the SCO website would go down.

Generally you need a commercial product such as Norton Antivirus to get rid of trojans and viruses, although there are free alternatives such as AVG AntiVirus. Symantec, who makes Norton, also provides free virus removal tools for specific, individual viruses. However, you have to know that you are infected in order to run them, and they only kill that one particular virus. Antivirus software is a must-have on any computer system, so if you don’t have any installed, not only do you have no excuse, you are actually part of the problem.

At any rate, after your spyware removal, you should definitely update your virus definitions and then run a full system scan.

After you run the virus scan, if you had any trojans or viruses, I would highly recommend running another Spybot S&D scan, just in case the virus reinstalled a spyware component before you killed it.

An ounce of prevention

Okay, now you should have a clean system. If you’ve got no spyware and no viruses, you are almost golden. The next order of business is to prevent infections from happening again.

1) Go to Internet Explorer and go to tools–>internet options. Under “temporary internet files”, click Delete Cookies, then Delete Files.

2) Choose the Security Tab. Click “Default Level” under “Security level for this zone”

3) Select the “Programs” Tab. Click “Reset Web Settings” to restore IE defaults.

4) Select the “Advanced” Tab. Click “Restore Defaults” and then under the “Browsing” header, UNCHECK the “Enable Install On Demand (Internet Explorer)” box.

While you are still in Internet Explorer, go to windowsupdate.microsoft.com - you may be prompted with an ActiveX control from Microsoft called the WindowsUpdate control. You do need this, so go ahead and install it.

Once the screen says “Welcome to Windows Update” click on the button that says “Scan for updates”. It will go through the scanning process and then on the left hand panel you will see Critical Updates, Windows XP (or Windows 2000) and then Driver Updates. If there are ANY critical updates for your system, you should install them right now.

Make a habit of coming to this page on a weekly basis and installing the critical updates. This will close backdoor vulnerabilities and security exploits. Again, if you don’t do this on a regular basis, you are part of the problem because your computer will be used to propagate trojans and viruses to even more computers.

Other prevention measures

Here are some other things you can do to really make your computer safer:

1) Don’t use any file sharing (P2P) applications. This includes KaZaA, Morpheus, iMesh, or Grokster. Come on, admit it, you are not doing anything legal with it, and you are contributing to the spyware and trojan problem because many trojans propagate through the P2P networks. Plus, you might get sued by the RIAA or MPAA. It’s not worth it, just buy the CD. In fact, use iTunes, it’s pretty cool.

2) Don’t use Internet Explorer as your browser. There are many alternatives, and in some cases the alternatives are better browsers. Of course, it’s a matter of opinion, but it is fact that IE is the most easily exploitable and vulnerable browser. If you don’t use IE, you will not experience ActiveX exploits or BHO infections any longer. I highly recommend Mozilla Firefox since it has integrated popup blocking and tabbed browsing, which is an amazingly helpful feature. Many people also recommend the Opera browser. It’s your call, but I would recommend against IE just because it is a common source of spyware infections.

3) Do not open any email attachments. I can’t stress this enough. If you would stop opening email attachments that had “funny jokes” or “cute screensavers” or “hot babes”, then the virus problem would be seriously reduced. Just don’t bother. And never, ever believe the sender of the email. If your Aunt Sally’s computer is infected with a virus, it will send you email, and it will look as if it is coming from her. “Oh, Aunt Sally would never send me a virus” you think, and so you open the cute screensaver that she sent you. Now you are infected, and you are a part of the problem. DON’T DO IT. I truly believe that the ability to attach files should be eliminated from email. There are better ways to transfer files. If you MUST open attachments, make SURE they don’t have the following file extensions: .EXE, .SCR, .BAT, .PIF, .ZIP, .COM. Also, watch out for “fake” file extensions, such as .JPG.EXE or .GIF.PIF. The first three letters are designed to trick you. It’s only the last three letters that count. If they are executable, you’ve just infected yourself.

4) Do not install any ActiveX controls. With the exception of a notable few such as the WindowsUpdate control, Macromedia Flash, Macromedia Shockwave, products from McAfee or Symantec, or from your computer’s manufacturer (Dell, Compaq, etc.), there are no safe ActiveX controls. If you don’t use Internet Explorer, of course this won’t be a problem. But if you are married to Internet Explorer as your browser, please observe diligence and safe browsing habits so that you aren’t (say it with me now) part of the problem.

5) Don’t visit questionable websites. There is nothing free on the internet, don’t be fooled. Nefarious sites use porn, casino gambling, free games, free screensavers, free desktop backgrounds, free tools, free organizers, you name it. There is nothing free. Don’t believe it. If it’s free, then that means they want you to agree to giving up your privacy in order to partake. And generally, that means installing spyware. If you install a “free” game, you are generally installing spyware on your computer. If you visit porn sites, don’t be surprised when your computer starts getting porn pop-ups all the time. I can’t tell you how many people I’ve had INSIST that they didn’t go to porn sites, but “magically” porn pop-ups started appearing everywhere, along with porn sites in their favorites and porn site links on their desktops. If you visit porn sites, you should not be a computer novice, since your computer will get infected with spyware at some point. If you MUST visit porn sites, at the very least don’t use Internet Explorer, and make sure you run Spybot and anti-virus scans when you’re done.

6) Don’t be a cheapskate. Go out right now and buy a commercial anti-virus product. You need it. I personally recommend Kaspersky AntiVirus.

7) Check for updates daily. If you have a bad spyware infestation, you probably have a high-speed network connection such as cable or DSL. If you do, there is no excuse. You must update your anti-virus definitions daily. It takes seconds. Just do it. Also, check for windows updates at windowsupdate.microsoft.com while you’re at it. Come on, you’re not that busy. If you’re stuck with dial-up, you have my condolences, but you still need to do it. Update virus definitions daily at the very least. Please.

8) Educate yourself. If you plan on spending a lot of time on the computer, you owe it to yourself and to the rest of the community to learn a bit more about the tools you are using, since computers can become a liability. You wouldn’t want to get into a car and start driving around if you’ve never done it before and are unlicensed. A computer can cause a lot of damage in today’s networked economy. You have the responsibility to keep yours from becoming “part of the problem”.
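Point 3 above says only the last extension counts. As an added example (not from the article), the PowerShell below classifies attachment names by the extension Windows would actually execute, using the article’s own list of dangerous extensions, and checks the Explorer setting that hides known extensions, which is what lets “photo.jpg.exe” display as “photo.jpg”. The sample file names are constructed; the HideFileExt registry value is the standard Explorer setting, not something the article names.

```powershell
# Added example, not part of the original article. Classify attachment names by
# their true (final) extension and check whether Explorer is hiding extensions.

# The extensions the article tells readers to refuse.
$DangerousExtensions = @('.exe', '.scr', '.bat', '.pif', '.zip', '.com')

function Test-AttachmentName {
    param([Parameter(Mandatory)][string]$FileName)
    # Windows decides how to open a file by its final extension only; anything
    # before it ("jpg" in "photo.jpg.exe") is just part of the base name.
    $trueExt  = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $decoyExt = [System.IO.Path]::GetExtension($baseName).ToLowerInvariant()  # '' if single extension
    [pscustomobject]@{
        FileName        = $FileName
        TrueExtension   = $trueExt
        DecoyExtension  = $decoyExt
        Dangerous       = ($DangerousExtensions -contains $trueExt)
        DoubleExtension = ($decoyExt -ne '')   # heuristic: "v1.2.exe" also matches
    }
}

function Test-HiddenExtensions {
    # Returns $true when Explorer hides known extensions (HideFileExt = 1).
    # With -Fix, sets it to 0 so every extension is shown in new Explorer windows.
    param([switch]$Fix)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($hidden -eq 1 -and $Fix) {
        Set-ItemProperty -Path $key -Name HideFileExt -Type DWord -Value 0
        $hidden = 0
    }
    return ($hidden -eq 1)
}

# Constructed sample names, not real attachments.
@('party.jpg', 'photo.jpg.exe', 'cute.gif.pif', 'report.pdf', 'archive.zip', 'clock.SCR') |
    ForEach-Object { Test-AttachmentName $_ } | Format-Table -AutoSize

if (Test-HiddenExtensions) {
    Write-Warning 'Explorer is hiding known file extensions; run Test-HiddenExtensions -Fix to show them.'
}
```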

There you have it. If you follow this guide, and practice the eightfold path that I’ve laid out before you, you should become a safe citizen of the internet and prevent any insidious software from ever plaguing you again. Enjoy!

Last updated 03/12/2006


43 Replies

  1. I feel so special.. It's been a couple of years since I've been published

  2. Excellent article, but you forgot SpywareBlaster!

  3. If you can't solve your problems with hijackthis, CWShredder, Spybot S&D, and AdAware, then I hate to say it, but SpywareBlaster isn't gonna change anything.

  4. GREAT article!

    I can think of quite a few people who should give this a read themselves.

    P.S.

    I think it's about time I gave Firebird a shot...

  5. w00t! Look on the [H] !!!

  6. Quote:
    Originally Posted by primesuspect

    If you can't solve your problems with hijackthis, CWShredder, Spybot S&D, and AdAware, then I hate to say it, but SpywareBlaster isn't gonna change anything.

    I see you're not familiar with SpywareBlaster. Its purpose is not to remove spyware, but to prevent further "infestations". It's used after all spyware is removed.

    From their site:

    Quote:

    SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.

    By setting a "kill bit" for spyware ActiveX controls, SpywareBlaster can prevent the installation of any spyware ActiveX controls from a webpage. It does this while not interfering with "friendly" ActiveX controls - so your browser can work correctly and you can have peace of mind!

    You won't get any more annoying "Yes/No" boxes popped up, asking you to install a spyware ActiveX control (which can increasingly be found in pop-up ads!). In fact, Internet Explorer will never even download or run the spyware ActiveX control!

    In addition, SpywareBlaster can prevent many of these spyware ActiveX controls from running, even if they are already installed on your system.*

    The newest SpywareBlaster version can even block spyware/tracking cookies!
    And SpywareBlaster does not need to be running in the background to provide this protection!

  7. Hi Prime!

    Your Spyware article is top dog @ Overclockers.com too!

    Selling yourself out all over the net Huh, you cheap www floozy!

    Great article, nice job!

  8. Quote:
    Originally Posted by primesuspect

    w00t! Look on the [H] !!!

    You did it, man! Nice work!

  9. When I click the links to the programs, I am sent to the short-media homepage. Shouldn't the links point to where the programs can be downloaded?

  10. They are supposed to go to the download section. It seems they got fuxored in the posting process.

  11. Adaware and Spywareblaster go GREAT together It's all I use...

    It's a shame spyware even exists though :\

  12. I visited the download section, and only Ad-Aware is there (added way back in October)

  13. MJO

    Great job Prime.
    We have a celebrity in da house, the worldfamous primesuspect.

  14. Thanks guys..

    I fixed the download links in the article, so they should all work now

  15. That's a great article prime(suspect). It was very concise and well written. It's obvious you took your time and you produced an excellent article. You should do it more often, I'm certain you'd get published.

    Spybot S&D has an "immunize" feature that will add an extra measure of protection for combating future possible downloads of spyware. On my version it even recommends SpywareBlaster. I've never run it but I would take an educated guess that it would run a memory resident program. The downside of this is the additional resources needed to run yet another background program. A good firewall, either hardware or software, can't be spoken for enough to help block some of the filth in the first place. ZoneAlarm and Norton Internet Security often come to mind as solid software firewalls. Most spyware, though, is by the unintentional installing of the spyware by the end user. One method that GiantInternetCorp uses to get its messages across is by using the Windows Messenger Service, which is not to be confused with the Windows Internet Messenger. This allows spyware companies to broadcast messages to people even when their computer is not even connected to the internet. This is the same process that network administrators would use to broadcast a message to users across the local network. Usually these messages consist of the "Shut down your computer while the server is restarted" or something similar. Although not used today as much as in the past, it still resides on your computer. If you desire to turn off the process, in WinXP, go to START -> RUN -> type "services.msc" and hit ENTER. You will have a window pop up listing services available. Double click on the line that says "messenger". Set to "disable". Needless to say, you will most likely need admin access to change this. Most all the current anti-spyware apps will catch the spyware that uses this method but it's an added layer of protection if one felt the need to take that step.

    Again, excellent article primesuspect. Be sure to wear your sunglasses around here now.

    KingFish

  16. MJO

    Speaking of security.
    Gibson Research Corporation has some excellent small utilities.

    UnPnP, DCOMbobulator, Shoot The Messenger, XPdite.

    There's also a couple of firewall tests, Shields Up! and Leaktest.

    Here's the link:
    http://www.grc.com/default.htm

    I always go there after a reinstall, to secure my installation.

  17. Quote:
    Originally Posted by KingFish

    Spybot S&D has an "immunize" feature that will add an extra measure of protection for combating future possible downloads of spyware. On my version it even recommends SpywareBlaster. I've never run it but I would take an educated guess that it would run a memory resident program.

    Similar to SpywareBlaster, the immunize feature in Spybot is not memory resident. It also works by setting a kill bit in the registry that prevents the component from being installed.
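As an added example (not SpywareBlaster's or Spybot's code), the PowerShell below shows the kill-bit mechanism the two replies above describe: Internet Explorer will not instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" DWORD under the ActiveX Compatibility key. It lists what an immunizer has already blocked and can set or clear the bit for one CLSID; it needs an elevated PowerShell.

```powershell
# Added example, not part of the original thread or of any immunizer tool.
# Inspect, set and clear the Internet Explorer ActiveX "kill bit" per CLSID.

$KillBitFlag = 0x400   # the kill bit within "Compatibility Flags"
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    # $true if the control with this CLSID (braces included) is kill-bitted.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBitFlag)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the bit in so any other compatibility flags already set on the control survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($existing -bor $KillBitFlag)
}

function Remove-KillBit {
    # Undo for Set-KillBit: clears only the kill bit, leaving other flags intact.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { return }
    $existing = (Get-ItemProperty -Path $key).'Compatibility Flags'
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($existing -band (-bnot $KillBitFlag))
}

function Get-KillBittedControls {
    # Every CLSID with the kill bit set, with its registered name where the control
    # is still installed, so you can see what an immunizer has blocked.
    Get-ChildItem -Path $CompatKey | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit $clsid) {
            $nameKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $name = if (Test-Path $nameKey) { (Get-ItemProperty -Path $nameKey).'(default)' } else { '<not registered>' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name }
        }
    }
}

Get-KillBittedControls | Format-Table -AutoSize
```

Review the list before adding entries: a kill-bitted control is refused outright, with no install prompt, which is also why a benign control caught by an immunizer stops working.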

  18. ah, thanks. I appreciate the insight. I won't have to take guesses on that anymore.

    KingFish

  19. Quote:
    Originally Posted by Mr. Kwitko

    Similar to SpywareBlaster, the immunize feature in Spybot is not memory resident. It also works by setting a kill bit in the registry that prevents the component from being installed.

    One thing-- I have seen things that prevent Active-X from loading or downloading break things, even when the Active_X offered is actually benign. So, be aware of what your system is doing, have a trojan and worm aware app that reacts fast to trojan and worm intrusion(some AVs are weak in this regard, one that is very active in this regard is N-Prot in the paid version-- they provide program updates for automatic update when needed and defs for macro viruses, trojans, worms, hybrids, known bad active-x, and even some word viruses which have reappeared recently and have done same day updates for many majors and my paid version grabs any available defs and program updates daily from one of three servers it knows of in the US or tells me there are none if none), and since any one app can be imperfect or fixes delayed if there is no money coming in, most folks end up donating to the dev of their favorite app or if none do then it withers and dies in the long run or updates are slow in coming when the devs have to take time out to make money to earn a living. If I like an app I support it regularly, and to my mind I am paying to keep it alive. With a paid app, you are hiring them to do the dev, same principle applies to regular donations-- then they can and do spend more time at it and hopefully you get faster updated apps and more debugging work.

    This might seem to be a thread sidetrack, but what lots of the Active-X folks do to get Active-X that is not good installed is to use trojans. Kill the trojan, no download of Active-X occurs-- the download of the DOWNLOADER never happened.

    I will always use an immunizer that tells me what it wants to do and lets me revoke its ideas beforehand-- here's why, just from today's run: SpyBot S&D wanted to kill parts of N-Prot (including what runs the def pickup) and something I want and use occasionally which is the launch bar icon for WinZip's wizard. It also found that Opera had an Alexa module to search using Alexa installed, that I let it kill, and had pulled the access itself to that feature at Opera Install time. Use apps also that let you undo and then choose at worst to rekill all but what you undid-- some apps force you to undo what you killed in a batch, the best let you recover just one change.

    System knowledge and knowing how things get on your computer are key, and the ways (plural) that they can mean that you need a complete security solution suite and knowledge of how it can happen and what you should NOT kill also for best results. Spyware killers that let you undo what you want left before the fact are best, together with the other tools that let you prevent junk from getting on the box and detecting it is there.

    Prime's article is excellent (GOOD WORK, Brian), but keep the whole system security idea active in your mind. Learn who to trust more(but not any one source exclusively, each security pro knows some things and has his or her own preferences as to how to prevent and detect and then kill things right-- none of them know everything) and who is making claims that are exaggerated. But use software that lets you undo what misuse can do. And address the areas including AV for your box-- none of them can be exclusively done by one program. Use all the tools you can trust including those suggested here(spyware and adware killers, PLUS AV that includes robust trojan and worm (internet and other) and macro viral\malware killing capacities, firewalls, and system intrusion detection software(A good firewall can provide warning of intrusion that HAS occurred and when it happened if you learn how to read the logs the best of those keep)), and your box is likely to be up and effective without major repairs much longer so long as hardware does not fail.

    John D.

  20. I believe what Ageek is saying is: Be aware. Think before you click. I suggest everyone read up on ACTIVEX so we aren't misinformed about what ACTIVEX is and what it does. There's no need for us to start running around yelling "The activex sky is falling."

    First line of defence is to use a good virus protection program and keep it updated. Second is to use a good spyware search and destroy program, keep it updated and run it from time to time. Third...be cautious when poking your cursor in places you normally wouldn't go.

  21. That and:

    Since no one dev team can be all knowledgeable, it is usually best to use more than one program and use what you can undo. Know the program, know how to use it, but use other good programs also that do not break each other. Here is an example-- Ad-Aware can trigger on SpyBot S&D's backup it gens when it immunizes. Blast the backup, and if you were not careful your undo for SpyBotS&D just got vaporized by Ad-Aware. If you do not know and only suspect, keep the undo option open. Know how not to vaporize your undo.

    Prime and I have done a lot of junk removal; you could ask us if in doubt before committing to a change that might do things you do not want done, or ask and find out where to ask the program authors and those who use the program how to use it.
    I've been doing junk removal with as little damage as possible for a long time (over a decade); one of my major interests has been keeping junk off boxes. I make 90% of my money consulting, and lots of what I charge very minor amounts for or give free is how to safely take junk off boxes without destroying major apps and core O\S parts or parts of programs you want. I am not perfect either; get security info from more than one source. But I will say do not do that yet, and later say do it when I know that this one thing can be done, if I am honestly not sure. I tend to say don't until you understand the major consequences, and do not trust global promises in security (Gibson Research has lots of good fine tools, but I do not agree with all his opinions). Each software dev team has specialties they learned, and out of specialty they are not so good as they are within their specialty, and that goes for all coders.

    There is no one specific IT security Bible (or any one Security Oracle that is not constantly learning) that lasts; what is being done is in flux. You need software that can flux as needed also, so look for software that has been around a long time, or test the new stuff and make it prove itself while also using what you know works and is being actively updated. If new fights old and old is still proven good, use old for now until new is mature.

    The best fix is to kill on entry, but that is not always possible, so you need some scanning tools also-- actively working if running all at once does not slow your box too much. Prevention is good, but coding rules morph so if you use something that runs mostly on rules or heuristics to pick out what is bad, it might kill future software that is good if you put some of that on the box.

    The obverse is true also-- let's say you have a favorite program that was written way back when and you cannot find anything that does exactly that in a way that is intuitive for what you know. Let's say when it was written, the rule that what is considered wrong because folks are taking advantage of holes did not exist, and it used things that did the things that would be considered wrong in ways that would not harm your box, and you knew that. ActiveX itself has morphed over the years. Impose new rules on old code, and you are likely sooner or later to break the old code accidentally. There is a balance here between getting rid of what you know is bad and what LOOKS LIKE IT MIGHT BE BAD or that ONE person has told you is bad.

    John D-- who recommends trusting those who have proven skill and knowledge and make a career of security MORE than those who do not, but give no one person exclusive and total trust for the unique box that is yours, and that includes what the security software does. I run AV software through ICSA and EICAR tests, at random, for instance.

  22. Great article prime. I've been using mostly spybot but downloaded the other progs too. And I urge everyone to visit www.grc.com. There's a lot of useful stuff there. Letting Shields Up try to penetrate your firewall is a, if not the only, good way to know it's working. Also try leaktest. It tries to connect to the grc.com server, and obviously a working firewall will prevent this. The program will tell you if it got through or if it failed. If it says that it got through and your firewall didn't say anything about it, then you're in trouble.

    BTW, has anyone ever heard of the makecall virus? According to startup mechanic (www.startupmechanic.com) I've got it, but I don't know how to remove it and norton hasn't said a word. I'll try the apps in the article and see what happens.

  23. Quote:
    Originally Posted by EyesOnly

    ...BTW, has anyone ever heard of the makecall virus? According to startup mechanic (www.startupmechanic.com) I've got it, but I don't know how to remove it and norton hasn't said a word. I'll try the apps in the article and see what happens.

    I think Startup Mechanic may have a problem with false alarms. It tells me that GrabClipSave is added as part of the CUYDOC virus. I emailed the guy who wrote GCS and he is trying to sort it out with the author(s) of Startup Mechanic. My email even made his front page news section! (I am "Steve")

    Like you, I run NAV with latest defs and it hasn't made a peep. Since CUYDOC has been in Norton's defs since last October I'm sure it's just a glitch.

  24. Yeah, but something has been trying to start the dialer in windows. Check out this thread for more info. After I used startup mechanic the popup disappeared, but the c:/programs window opens every time instead. Here's a screenshot of what I disabled. Is that a valid app or something else?

  25. I gave the solution I found in your other thread. Hope it gets it!

    And now, back to our regularly scheduled program: the primesuspect hour

  26. eep!

    I googled my name tonight, and i found this:

    "What is spyware and how to remove it 8 February 2004

    We are not really fond of spyware. It is often a sneaky way to put all kinds of junk on our computer, and we do not really get anything good out of it. But what actually is spyware, and more importantly: how do we get rid of it and prevent it? Brian Ambrozy wrote an extensive item on the subject.
    More info at Short-Media"

    Okay, I know it's in Dutch, but wtf does this say!?!

  27. Unregistered

    1. Please warn people that if their View File Name Extensions are not enabled they will see something like babes.jpg instead of babes.jpg.exe - this applies to email attachments in particular.

    2. Tell people that if they want porn DO NOT patronize web sites - learn how to use USENET. alt.binaries is a good place to start. Free Agent by www.forte.com is the most popular. If you do not know about the newsgroups you are missing out on the best secret on the Internet. There are many wonderful things out on the newsgroups besides naked women. You will be amazed if you haven't been there yet. If you are on AOL enable newsgroups in your preferences and then go to keyword Newsgroups. feester at aol

  28. I get a 404 when I click the link...

  29. Link is fixed.

  30. Preface: I know very little about PCs... I do medical transcription for a national company who provides my PC and I have almost no problems with security, spyware, viruses, etc. (in trying to protect patient privacy, I am assuming there is hypervigilance on the part of my company).

    Anyway, I just sit here and transcribe from voice files all day long, oblivious to current problems like spyware and identity theft. Then I get on my husband's home PC, and boy, it's like working on a piece of crap. He uses a few online gambling sites and I suspect that's where the problem is. He finally started running Ad Aware, but just last night, his default home page was reset to some bogus search page covered with ads.

    Anyhow, I started searching on my work computer for a solution and found this great article. Unfortunately, I don't feel I have the expertise to start in on this. I couldn't even access the Task Manager so I could see the processes running from the run menu or by ctl-alt-del. I can do this on my work computer, no problem. My husband's computer is running Windows ME and I couldn't find anything resembling the task manager.

    Any ideas would be welcome. Poke fun at me, if you must, but at this point it seems like his PC has the equivalent of Ebola, and I would like to do something about it.

  31. Depending on the Operating system (Windows XP, W2K, Windows 98) boot into safe mode (start system and wait a few seconds, the lights above the number pad should light up, repeatedly press F8... that should give you a selection of Safe Mode). Booting into safe mode should keep most of the bad things from starting. Then run the newest version of Adaware, Spybot S&D. Delete anything they find. Reboot and hope that clears enough to allow you to run "Hijack this" and post the results and we can trim the rest of the garbage off...

    -qch

  32. Unregistered

    Fantastic site, very helpful.

  33. Unregistered

    Very well written article. I use Spyware Doctor and it works great!

    Gigawatt6

  34. Thanks I think it may be time for an update soon. This article is several months old now, and we know a lot more now than we did when I wrote that

  35. Mate this article is awesome!!

    Bit spewin' 'bout a number of things though. I always thought Internet Explorer was the only internet thing lol, currently downloading mozilla! And I knew that p2p networks were risky, but never knew they would be that risky. And the other thing is porn!! Damn!

  36. Among all the bad thing produced to be on the internet, there is a shining star, bit like a Knight in shining armour.

    It's called.....Short-Media......saved our butts many a time, hehehe.

  37. Unregistered

    This was a very good article. I'm noticing a terrible slowdown and crashes of Firefox. So I wondered if somehow I'd picked up some malware that was using resources.

    Also sometimes won't finish load after typing in the password to log on to Windows, just sits there until I get tired of waiting and push the button. I got here because did the Windows Troubleshooter for startup problems and it said to restart in Safe Mode. I have a USB keyboard and can't get into Safe Mode (which was a thread on Software/Windows forum). But then I found this neat article on spyware and how to avoid it.

    I have a LOT of software (trying things out) but I also have a lot of free space; and ran defrag and cleanup (norton's and XP's), registry checkers, SpyBot, Ad-aware. Nobody found anything. I really want/need to do a backup, but don't want to backup bad guys and poor function.

    I'm kinda afraid of HijackThis because they say you have to be so careful editing the Registry...

    I belong to a bunch of other forums, but haven't been here before.

    Callie

  38. Unregistered

    I am a computer novice and just caught "about blank". I wish I would have come across your article earlier.
    Thanks.

  39. Unregistered

    I've only been using a computer a couple of years. Very interested in it all. Like trying to learn about our problems. Shall add your appreciated information to my favourites, for future reference. Thank you... Johnbo.

  40. Congrats prime, I remember when one of my case articles made it on [H] over at IC, I was tickled to death.

  41. Quote:
    Originally Posted by primesuspect

    eep!

    I googled my name tonight, and i found this:

    "What is spyware and how to remove it 8 February 2004

    We are not really fond of spyware. It is often a sneaky way to put all kinds of junk on our computer, and we do not really get anything good out of it. But what actually is spyware, and more importantly: how do we get rid of it and prevent it? Brian Ambrozy wrote an extensive item on the subject.
    More info at Short-Media"

    Okay, I know it's in Dutch, but wtf does this say!?!

    Essentially, that he liked the info, and that there is more info here!!! Right on both counts!!!

    For more help, Google DICT, please. Yes, AFAIK, there is a Windows version, and IIRC recent versions know Dutch also. This is logical, given Linus Torvalds' home country....

  42. Just sent your art. to my father-in-law. Saved me a bunch of typing!!!! Thanks again!! shortly

  43. Unregistered

    Prime...

    Excellent article. I've spent the past two weeks dealing with CSW & HSA spyware and it's been driving me nuts. Slowing down my entire system to a stall. After reading your article and downloading a few things, I'm running great!! I'm going to employ the same tactics at home and with friends. Thanx again.

    Fuz
