Adware - The New Scourge

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Adware, spyware and advertising trojans are becoming worse than viruses.

Like I imagine everyone else here, I have run minor-malware detectors over people's PCs, smug in the knowledge that all sorts of pests will be quickly revealed and quietly removed. Usually, the PC then appears to have a new lease of life.

Yesterday, I took pity on a guy whose DSL connection finally became terminal after maybe three months of occasional flakiness. Previously, I'd figured it was down to his cheapo PC. He'd spent the day wrestling with the oiled eel that masquerades as ISP support.

The internet connection came and went (subject to rebooting, yanking the USB cable, etc). I was startled to note that one of the tasks was an FTP server going at it hammer and tongs.

Windows had a memory commit charge of >200MB just displaying the desktop. I went through the registry and stopped twenty or so tasks from loading, most of which looked iffy.

The user had noticed that since a few days earlier, SpyBot (a leading anti-spyware product) was now giving him a clean bill of health. He was astute enough to find this alarming.

The connection stayed up long enough to download Ad-Aware, so I cut it loose and it found the expected 190 or so suspect objects.

But now there was no internet connection. I could ping the ISP's router, but neither http or email wanted to play. It's remarkably difficult to troubleshoot these days without a working web browser, and he didn't have any other computers.

Ad-aware found another object, said it would need to reboot to clean it, then happily claimed it was expunged from the disk.

After the reboot, it was back. I deleted it myself, but noticed a second file with a similar name. Sure enough, I couldn't delete this one. "No worries," said I. I'll just bring this baby up in Safe Mode and zap it. Everyone knows that malware doesn't get to start in Safe Mode, so it's like shooting fish in a barrel. Yet I still couldn't delete it!

I tried booting from CD into the Recovery Console, but attempting to connect to Windows caused the PC to reboot - consistently. In the end, I ran SFC (System File Checker) over it, but it made no difference to either internet access or the invulnerability of those files, so I went home.

A google search for the filename, awmparse.dll, yielded exactly zero results. Fortunately, I managed to find references to a similar phenomenon that involved a completely different filename. Otherwise known as Look2Me or Better Internet, this is the VX2 transponder family of little beasties.

I discovered that although Lavasoft don't appear to be openly admitting so, Ad-Aware cannot remove this bug. In fact, I can find only a single solution, and that's a combination of manual steps and a dedicated cleaner program.

Once I'd performed this operation, rebuilt Winsock with a handy utility I found, then uninstalled and reinstalled the USB DSL modem a couple of times, all was well. Many reboots, naturally. :(

To finish off, I installed NOD32 and cleaned off five more trojans and viruses. For all of you who use PC-Cillin, you probably don't want to know that the PC was already running it ...

To sum up, here we have mostly legal software, that collectively, rendered internet access flaky or unusable, slowed down the entire PC, stealthily disabled at least one security product, and was harder to remove than any virus I can think of. That's without even talking about the privacy and security issues, or the ramifications of unwittingly hosting an FTP server undoubtedly used for nefarious purposes.

The user's main app is absolutely dependent on reliable internet connectivity - without it, he has nothing. This little exercise ultimately cost his business three and a half days downtime, not to mention my time of five to six hours (including research, plus the parasites were also slowing down reboots so they took 5 to 10 minutes!). Never mind spam and mildly annoying worms - this stuff is going to run right over the top of all of us at this rate.
 

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,709
Location
Left Coast
Another reason why I tend to clean-install Windows every once in a while. Even with the best tools, you can't catch everything -- and it's oh so easy to get something new.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
I'd sneer at the almost hysterical tone of your post, Time, except for one thing. I feel exactly the same way. Your view is entirely justifed by the facts at hand.

I haven't met that particular nasty (yet) but a pretty fair swag of other beasts. Spyware is now the single most common reason for a PC to turn up in our workshop. Yep: #1.

We have more machines fall over and come in for us to fix because of spyware than we have machine come in with viruses. We have more machines fall over and come in for us to fix because of spyware than we have machine come in with mothrboard problems. We quite possibly have more machines fall over and come in for us to fix because of spyware than we have machine come in with all hardware problems put together!

It's a major, major issue. For us, it is OK in the sense that, these days, instead of spending a lot of time bolting hardware into peoples' machines, we spend a lot of time editing the registry and running Ad-Aware. Either way we get paid for it - but the poor buggers on the other side of the counter are getting it in the neck. They have downtime and they are shelling out money to people like me, and they aren't getting a bigger, faster system at the end of the day - just the system they originally paid for back again in working order obce more, only it's cost them another $65.

The big question, I gues, is what do you do about prevention?

I spend 5 to 15 minutes with the punters, giving them the Basic Security Lecture #3, and try to get them to have a bit of a feel for what places and what downloads are likely to to be spyware vectors. I also tell them to abandon Internet Explorer in favour of Mozilla, on the theory that Moz is less vulnerable to spyware. (Which it probably is, but I don't know for sure.)

On Win98 machines, we remove the Windows Scripting Host as a matter of routine. But I don't think you can do that with W2K or WXP.

What else can we do?
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Couldn't agree with you more, Time.

I previously was running MacAfee AV, then in April of 2003 installed Norton Systemworks 2003 Pro (free after rebates) which comes with AV. I've always prided myself on having a clean system, and in being careful with my online habits. Some days ago, the AV subscription ran out, and I purchased Norton Systemworks 2004 (free after rebates). Since the new AV kept screaming at me repeatedly that I had not done a full system scan (didn't seem to know I had done it with its predecessor), I let it do it.

On a system that was previously considered "clean", it found 6 adware thingies, none of them installed but embedded in programs I had dowloaded but never installed. The AV window showing these hot linked to Symantec's web site, which listed them as low in danger, but also said that these could only be detected with Norton SW that had advanced detecting features. This I found very weird; a non-pro (albeit newer) version detecting stuff that the pro version didn't? Anyway, the AV could delete only 3 of them; the other three I had to delete by hand. Since none of them was actually installed/running, getiing rid of them was easy, though I checked the registry thoroughly to make sure they had not left their footprints there.


These days, more than ever, I remember Andy Grove with fondness for saying "Only the paranoid survive".
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
This same thing could have happened to a Linux box too. Maybe easier to clean up though....fewer reboots.


Bozo :mrgrn:
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
I can't over-emphisize enough that you are entirely correct Time. It is unacceptable what is happening with Spyware/Adware to innocent peoples machines. At one time you could blame the people themselves because they allowed stuff to be installed that shouldn't have been (Gator as an example). That situation is no longer.

These programs install themselves with little to no warning and they often negatively affect the stability of the machine. They do their best to hide themselves and make themselves unremovable. they can be a real bear to fix.

Where's the class-action lawsuit that I can join?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
A fairly recent trend in Adware crap is to snag your DNS server entries for their own nefarious purposes. I've even run into programs that write entries in the hosts file, where almost no one would think to look for such things. I'm sure that's what happened to your customer.

The thing I can't believe is that any self-respecting programmer would write code like that; it seriously limits the function of a PC, and yes, I'm getting a good chunk of my income right now just from being smarter than the Parasites. All my regular customers have adaware pro on at least most of their desktops, but lately it seems to be the majority of the problems I deal with.

I think a big fish needs to buy Lavasoft. I don't care who: Microsoft, AOL, Symantec, CA, but Adaware needs to be in a bright red box on retail shelves next to the AV products so people can't claim ignorance on the subject

It took us a long time, but we finally got to the point where most people understand that not backing up is their fault, and that not having up-to-date AV software is their fault. Anti-parasite software needs to be in the same boat, but unfortunately, it isn't visible enough yet that I can actually say that.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
I think the demand will eventually get there. Broadband IMHO brought on a huge wave of firewall awareness, at least more-so than it was in the past. It's only a matter of time before some CEO has a big problem with spyware and they encourage their company to mass-produce awareness of the matter...at a profit of course.

Now I think in the same respect the over-use of wireless has left people clueless in the security of their system. Firewall or not, one door was closed, and another opened...

The way I look at it is; stop complaining. Seriously, I read some of you folks talking about income...is that so bad? Sure, maybe I'm wrong for encouraging profit at another's expense, but so is life...there is much worse that one could make profit on at another's expense. This doesn't mean I want spyware to stick around...but at least for the time being, some of you guys should be able to cash in on it, while educating people about spyware. You guys know your stuff, and should be paid for sharing a valuable knowledge.

FWIW, time...I understand your point and concern, and I do hope we can find a way to combat this plague.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Mercutio said:
I think a big fish needs to buy Lavasoft. I don't care who: Microsoft, AOL, Symantec, CA, but Adaware needs to be in a bright red box on retail shelves next to the AV products so people can't claim ignorance on the subjet.

No no no no NO!

What on earth are you saying, Merc? Good grief, that's exactly the worst thing that could happen!

Ad-Aware is free.

Ad-Aware is honest.

Ad-Aware is a product you can trust.

Please, don't even think about it.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
You think Ad-Aware would still dfetect and remove Alexa or the Media Player unique ID after Microsoft bought it?

Hell, the only reason we are in this pickle in the first place is because Microsoft think security is something to do with a Peanuts character and a blanket.

I can't believe you said that.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
Word of mouth isn't working. I talked to someone today whose job included maintaining ~40 PCs who had NO IDEA there was such a thing as adaware. Was the guy incompetent? Yes, probably. But the fact remains that NO ONE HAS HEARD OF THESE PRODUCTS.

There is no retail distribution here and there's nobody telling anyone they need to get this software ('cept us geeks). Can you imagine what the world would be like if no one bought virus scanners? 'Cause that's just about exactly how it is with parasite crap now.

Lavasoft isn't going to grow a marketing department, but in this one isolated case, there's a deep and commanding need for one, and I don't think anyone will provide it out of the goodness of its corporate heart.

By the way: No way in hell could something as pervasive and obnoxious as, say, FlashTrack, be installed on a Linux box if the user wasn't logged in as root-equivalent (granted, a lot of idiots do that).

Can someone please show me an example of an "innocent user" hitting a page and getting parasite crap installed? I suppose it's possible but I tend to believe that most of that stuff gets installed because users have been bribed with 1.) Porn, 2.) Gambling software or 3.) A bunch of cutesy icons and wallpapers.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Thankfully, we're planning on incorporating AdAware in our corporate PC software image. Deployed & updated through SMS or SUS. Forced onto the machine via policies; same as we do for AV software. Not only will it be good for my company, it'll pump a few grand into Lavasoft's pockets (we're talking somewhere between 2000 and 6000 licenses) so they can keep providing the free version. :)

While a Symantec or a Microsoft would be bad for AdAware, I believe Merc's overall point is to get it on the store shelves and advertised in the Sunday Best Buy & CompUSA ads so average consumers start to think about it. Right now it's not on their radar; something has to happen to get it there.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
i have an interesting bit of spyware causing someone I know torubles...

1) any page that links to ie6setup.exe gets a page cannot be displayed error... even if the page starts to load, as soon as IE sees ie6setup it gives a page cannot be displayed error..

2) computer does not want to accept cookies, we've tried IE and also installed moz. Both have the same behavior, both are set to allow all cookies.

3)some pictures on websites do not display, the non-flash www.rr.com page for example.




They had spybot, it says the machine is clean.. I installed ad-aware.. it cleaned a bunch of things.. both programs are up to date.

checked the host files.. clean... reinstalled IE.. ran system file checker and I think I also ran the netsh command to reset the NIC to defaults.

System has ez armor firewall and AV, both are up to date and give the machine a clean bill of health.

I havent checked msconfig/registry for nasties on startup... I will do that along with trying a program called "hyjack this" to see if I can find any more buggers, anything else to try?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
ie6setup.exe = the setup downloader for IE, right? Why not download the IE6 admin kit and get a full IE6 installer?

Anyway, you've got the basic list. It's a good idea to poke around in places like Program Files and the Common Files folders, and in the registry under the SOFTWARE keys for both USER and COMPUTER.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
ie6setup.exe can be the stubby installer or it can be the full installer, depends on where you get it.

I'm thinking at this point it may just be easier to reinstall winXP ontop of itself after backing up the favorites and my documents folders...
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Fushigi said:
Thankfully, we're planning on incorporating AdAware in our corporate PC software image. Deployed & updated through SMS or SUS. Forced onto the machine via policies; same as we do for AV software. Not only will it be good for my company, it'll pump a few grand into Lavasoft's pockets (we're talking somewhere between 2000 and 6000 licenses) so they can keep providing the free version. :)

While a Symantec or a Microsoft would be bad for AdAware, I believe Merc's overall point is to get it on the store shelves and advertised in the Sunday Best Buy & CompUSA ads so average consumers start to think about it. Right now it's not on their radar; something has to happen to get it there.

While its admirable to support a company you like there is absolutely no need for Adaware in a corporate envronment. There are so many social tools at your disposal never mind technical tools that this should not be a problem.

We have over 1500 non-servers in this city and neither I nor any of my team-mates have ever seen any adware on them. This includes laptops that are used from home and the fact that because we are still on NT every one is an local admin on their own machine.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
We don't restrict people's browsing habits by computer policy - just by HR policy. The HR policy simply states to keep internet access related to work. From a legal standpoint, that's a much better position to take since as soon as you explicitly block some specific content, you are, by implication, saying everything else is OK. The legal precident was set a number of years ago when Prodigy selectively disallowed certain things.

So there's no telling where someone will browse -- accidentally or on purpose. We have to be able to clean up behind them (regardless of whether what they were doing was legit or not). We also have about half of our user base not located at any corporate office so they generally will not be behind hardware firewalls. They may not even authenticate at all against the corp. network; software & policy delivery to them is problematic.

BTW, there have been terminations based on internet abuse so it's not like we ignore it.

Another factor: our global WANs are interconencted so we have to protect ourselves from traffic from Asia-Pacific & Europe. We can't count on their education, HR policies, technical policies, governmental regulations, etc. to protect our network.

Fun stat: At our main office we have a 48Mb Internet pipe (growing all the time) and over half of it is consumed by garbage -- spam, virus attacks, DoS, etc.

We use a spam filter on the corporate email servers and we use at least 2 AV packages on the servers in addition to what's on the workstations. Zip files, for instance, are scanned up to 10 levels deep. Viruses still get through once in a while. So we need protection from spyware that may be delivered that way.

Finally, we don't lock down the corporate desktop. We reserve the right to remove anything that doesn't meet standards, but a locked desktop is counter-productive in our industry where there are so many vertical market apps, client-required apps, and users who run disconnected from corporate resources. We even have users on client networks.

The end result: There are limits to our ability to restrict what people do with their PCs so we have to be able to react to whatever comes up. If spending a few grand on an AdAware helps at all, then it's money well spent.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
I'd like to see a round-table here on what lets spyware through in the first place.

Prevention is a lot better than cure, and I'd like to know more about how spyware gets onto machines.

OK, I tell people not to use Kazaa and to prefer Mozilla or Opera over Internet Explorer, not to click "yes, install this add-in" without making sure they know what they are doing ... but there has to be a liot more I can do. Ideas?
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
I recently visited my mom as she was reporting windows booting into safe mode. Her resolution just needed to be set right. But I decided to check it with an AV and Adaware while I was there. All clean, well except for a couple of cookies. This is in a 2-3 months timeframe since the last computer checkup. I was surprised.
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
My son was complaining about his computer being slow and he couldn't load some programs. When I started checking things out, I found over 1GB of programs and junk had been install. Opening IE resulted in a window that was about 6"x6" in the middle of the screen (17" monitor) surrounded by a multitude of menu bars and trash. I updated and ran AdAware. After about 30 minutes of grinding away, I stopped it. It had found 84 spy files and was only half done. I went into add/remove programs and found 12(?) programs that he had no idea were installed. Some of them could not be removed.
I formatted and reinstalled the OS and programs.
Seems he signed up for Yahoo mail and instant messaging and thats when the computer went to shit. I imagine that AOL is the same way. These companies are poison to a computer.

Bozo :mrgrn:
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Will Rickards WT said:
All clean, well except for a couple of cookies.

I should note that she uses Netscape, albeit like 6.2 or something like that.


In my mind the probable sources of adware/spyware are:
1) IE - specifically activex behaviour
2) File sharing networks (P2P) - I'm not familiar with the players here so I lump them all together. Is there a legit use for any of these?
3) Other infected machines.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I see most things come in through IE because it makes it easy for web programmers to try and install stuff onto your computer (and fool the user), another obvious place is kazaa, weather bug, and the like which come bundled with trash.

I recomend people use mozilla or myIE2

I think simply telling them what to do and informing them about spyware is the best way to prevent it. Just like viruses.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Bozo said:
When I started checking things out, I found over 1GB of programs and junk had been install.
Yeah, lots of us have MS Office. What's your point? :lol:
Seems he signed up for Yahoo mail and instant messaging and thats when the computer went to shit. I imagine that AOL is the same way. These companies are poison to a computer.
Yahoo mail, if read via a browser, is fine. My wife's been using it for years. YIM & AOL, OTOH, I couldn't say.

BTW, to add to my above post, we do specify IE at the office. Beyond my beloved AS/400s, we only really run MS stuff. And our Intranet only works right on IE (built with MS tools so what do you expect?). I have and occasionally use alternate browsers, but pretty much every one uses the blue evil e.

And if we detect any P2P apps like Kazaa, we educate the user & get the app removed.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Fushigi said:
Yeah, lots of us have MS Office. What's your point?
Sheesh, Fushigi, you're hitting below the belt! :wink:

I've been using Yahoo mail via browser for the last 4 years without any problems. As my saved mail grows, I'll run Yahoo Pops from time to time to suck it down to my mail client.

By their very nature, I think IMs lend themselves to abuse. Without exception, every PC I've looked at that had an IM installed had oodles of adware/spyware on it.

I continue to be amazed at what users will accept in exchange for some eye candy or dumb functionality they can very well live without.
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
I have IM software installed and don't have any problems with adware/spyware.

I also have several p2p applications installed and don't have any problems with them either.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Fushigi said:
We don't restrict people's browsing habits by computer policy - just by HR policy. The HR policy simply states to keep internet access related to work. From a legal standpoint, that's a much better position to take since as soon as you explicitly block some specific content, you are, by implication, saying everything else is OK. The legal precident was set a number of years ago when Prodigy selectively disallowed certain things.

So, you don't have a web filter running at all. If so, this is asking for a sexual harassment lawsuit. If it is the suit I'm thinking of, the Prodigy suit was a libel suit. This is not the same thing.

The HR policy should be written such that the user does not get internet access until they sign an agreement. Within that agreement it is stated that an attempt will be made but nothing is 100%.

Regarding the original topic, the only little bits of trash software I've seen in the corporate enviroment in the three different places I've worked has been weatherbug, precision time and the calendar that goes with precision time. The installation of these programs are a user training issue, but no adware software needed to remove them.

Unfortunately, the users are so clueless as to how the software ended up on the computer it is difficult to combat the problem.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Howell said:
So, you don't have a web filter running at all. If so, this is asking for a sexual harassment lawsuit. If it is the suit I'm thinking of, the Prodigy suit was a libel suit. This is not the same thing.

The HR policy should be written such that the user does not get internet access until they sign an agreement. Within that agreement it is stated that an attempt will be made but nothing is 100%.

Regarding the original topic, the only little bits of trash software I've seen in the corporate enviroment in the three different places I've worked has been weatherbug, precision time and the calendar that goes with precision time. The installation of these programs are a user training issue, but no adware software needed to remove them.

Unfortunately, the users are so clueless as to how the software ended up on the computer it is difficult to combat the problem.
While the Prodigy suit wasn't identical, it does establish a precedent for filtering electronic communications. Namely that if only A, B, and C are blocked then D, E, F and everything else can be considered approved.

Anyway, agreeing to the HR policy is a condition of employment and is renewed every year as part of every employee's performance objectives. We have our own legal firm (we're their sole client); this, as with all major policies, has been scrutinized by them prior to implementation.


Did you ever run into PointCast? That real-time weather/news/stock thing would just chew bandwidth as if everyone had GbE to the desktop. Not spyware but malware nonetheless considering it's impact to the corporate network.


Well, we can certainly agree that the users can be clueless. Despite constant reminders, refresher training, etc. people just don't learn about the technology at their disposal. To a certain degree I can't blame them. Computers are just another tool/appliance like a car or microwave oven and, as several have already said, we in IT act as the repairmen when necessary. Most people don't want to know how they work. The problem with this is that computers are rather delicate things and are easily affected by outside influences and usage patterns.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Will Rickards WT said:
In my mind the probable sources of adware/spyware are:
1) IE - specifically activex behaviour
2) File sharing networks (P2P) - I'm not familiar with the players here so I lump them all together. Is there a legit use for any of these?
3) Other infected machines.

That makes sense to me. One thing that I can't miss seeing is Kazaa - any machine with Kazaa on it can be just about 100% guaranteed to be loaded up to the eyeballs with spyware.

Instant messengers? Not so sure about that. I think the connection is not technical but psychological - i.e., users that install instant messenger software are the same sort of user that is a natural-born spyware victim. (Except for our Tim, of course.) But maybe there is a more direct connection.

On the topic of his mother's clean machine, Will also wrote I should note that she uses Netscape, albeit like 6.2 or something like that. Figures. Netscape 6.X is a rebadged Mozilla.

A legit use for P2P? Not that I ever heard of.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
By the way, a handy metric for spyware removal.

Safe mode is your friend.

Boot in safe mode, install Ad-Aware in safe mode, add the latest update patch, and run it without rebooting.

While you are doing that, use MSCONFIG to nuke everything that you are not 100% sure of. Your motto is If in doubt, take it out. And fire up REGEDIT too. Clean out everything in HKLM/Software/Microsoft/Windows/CurrentVersion - run, run once, run services, anything else that seems like a good idea at the time. Be brutal.

For machines that don't have CD-ROM access in safe mode (Win9X for example), you need to copy the installation files over to the hard drive first. You can boot off floppy to do this, or you can try it in normal mode (if it's still functional in normal mode). Don't install Ad-Aware in normal mode when you suspect a bad infection.

PS. There is a particularly nasty one called W32.Spybot (not to be confused with the anti-spy-ware program of the same name, which is well regarded.) W32.spybot disables Ad-Aware, disables MSCONFIG, and disables REGEDIT. Not to mention all the popular anti-virus products.

To kill it, you need to use safe mode and instal Ad-Aware from there. Plus tinker in the registry. Very nasty.

By the way, it's a Kazaa special. That's how it spreads.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
blakerwry said:
Howell said:
Have you SFCed?

Do you get the same results under a different profile?

sorry, didnt see the post. yes and yes.

Ah, I missed it in your first post.
If you have ot already nuked it, you might try "restore previous configuration" to back-level IE. Sometimes reinstalling an OS service pack will fix odd problems.

I had to track down a problem here recently where Outlook had stopped working and even the control panel applet for mail would not open. Additionally, IE would open but not work; displaying only a grey background. It turned out that the update to one ofthe custom programs we have here had been packaged with older versions of file integral to a functioning OS. In this case, neither reinstalling IE nor applying a service pack worked.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Fushigi said:
Did you ever run into PointCast? That real-time weather/news/stock thing would just chew bandwidth as if everyone had GbE to the desktop. Not spyware but malware nonetheless considering it's impact to the corporate network.

Yeah, in maybe 95,96. I was always a bigger fan of Marimba/Castanet. I'm convinced these two programs made technologists consider QoS. I've not seen either in a corporate environment though.

Well, we can certainly agree that the users can be clueless. Despite constant reminders, refresher training, etc. people just don't learn about the technology at their disposal. To a certain degree I can't blame them. Computers are just another tool/appliance like a car or microwave oven and, as several have already said, we in IT act as the repairmen when necessary. Most people don't want to know how they work. The problem with this is that computers are rather delicate things and are easily affected by outside influences and usage patterns.

Exactly, I agree 100%. And I advocate locking the computers down to protect the users from themselves. Even with all of the apps you guys need to run, they only need be installed once. If the app won't run without being an administrator the apps needs to be fixed AND you can mitigate most or all of the requirement with creative regkey rights granting. If I had to make a guess, I'd say you work for an engineering company and this issue is political. I only wonder if you guys "work with" data computation or data transmission. :)

For savvy users I think we should continue to push for not logging in all the time as admin. They should come to understand that in today's wired world you need one login for daily driving and one for maintenance.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
The biggest problems IMO are people who use IE and click "yes" every time they're prompted to do something. That is absolutely the way that people have been conditioned in using a PC. Microsoft's Wizards almost always create a pattern of click "yes" or "next" and, let's be honest, most people using computers can't comprehend what they're being asked to do 95% of the time, if they even take the time to read what's in front of them.

Users also don't know about IE's different security zones. Now, in Windows 2003 Server, almost everything is turned off for Internet Zone browsing. Admins are expected to move sites where they use ActiveX and the like to the trusted zone, and to have essentially crippled browsing otherwise; everyone I've ever seen use 2003 Server has done the opposite, though, and just turned on all the insecure crap that leads to spyware infestation for the internet zone.

Now, if skilled professionals with appropriate training can't be bothered to use/understand IE's security models, what hope does Joe Sixpack have?

The BEST ANSWER to the spyware problem is to migrate people from IE.

As for things like P2P programs: I actually teach a short session about how to use those programs (at least, Kazaa Lite - still obtainable if you're willing to look, Emule and WinMX). What I've found is that users will FREQUENTLY grab exactly the wrong sorts of files - Oh look, here's a copy of "the theme from Shaft" that I can download in only 3 seconds! - because they're looking at only the ID3 name of the file (not the actual file name, which ends in, say, .VBS) and the download time (and not the size of the file).
Without understanding things like relative file sizes, the meanings of the various icons in Windows explorer (since the Windows default is to not show extensions), or the file extensions themselves, A LOT of people inadvertantly download and execute trojans from Kazaa. This is something that won't change without a great deal of user education.

Worms that spread through P2P are also a problem (W32.Spybot is one of them), and one that I don't know how to solve, except to suggest that maybe one might be better off using another network.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
[Nods head] Yep.
I'm helping my brother install drivers last night (drivers...integral to the system) and while I'm letting him drive I can't get him to stop clicking thought the ERROR boxes too fast for me to read them. sigh.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Howell said:
They should come to understand that in today's wired world you need one login for daily driving and one for maintenance.

I don't agree on this. Maybe ideally but it is such a pain to have to logout and log back in as administrator to do something. Sure you can use run as to do most things but I made myself a local admin a long time ago and never looked back.

If windows XP pro supported the fast-user switching, maybe it would be a good idea since I don't have to logout. And for people who I help with their computer, I don't want to have to remember the administrator password or get it lost. And I don't want them calling me everytime they need to install some software.

I think having a separate maintenance/administrator account is a huge waste of time.
 
Top