Official Anti-Spyware info thread

F

Fark_Maniac

2[H]4U
Joined
Feb 21, 2002
Messages
2,438
Okay, only rule to the thread is no questions for getting help. The idea of this is to provide information and links to everyone so we all can make educated decisions on how to remove spyware that is getting more and more prevelant.

Spybot Search and Destroy 1.3 Final
With the release of 1.3, there are two new features that will start to help you cut of Spyware before it starts...though some do slip through. TeaTimer is a new feature that will prompt the user to allow or disallow any registry changes. A bit on the annoying side, but worth the effort. ResidentIE is a feature that will block some tracking cookies. Double Click and Avenue A are some of the most prevelent on the net.
Information | Download

Adaware SE
Adaware has been around for a while and has done a good job. This should be one that is always installed on a machine. Update it often for best results.
Update - There has been a new release of Adaware. The Second Edition (SE) is now supposed to scan better and faster. If you still have version 6, uninstall and re-install SE.
Information | Download

HiJackThis!
HiJackThis is a new software that shows you exactly what is running currently. This program will not scan all files and registries... It creates a log file that one can analyze later and can post online for others to review.
Information | Download

CWShredder
This is another small application written by merijn, however it does one thing that Spybot and Adaware does not. It will kill off CoolWebSearch. However...
merijn said:
There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well Spybot S&D, Ad-aware and several anti-spyware forums).
Click to expand...
Information | Downloads

Sent via PM
Hi there, I do computer tech work, and recently I found a variant of CWS that (most likely) uses a variant of the sony root kit tech and is impossible to remove with Adaware, Spybot and CWSshredder

The only program I could find that would find and identify the files and hidden dll, for clening and delete was this:
http://www.f-secure.com/blacklight/
Tyler
Click to expand...

NAI/McAffee Virus Scan 7.0/7.1
I doubt that many have this, however I get this through my university for free...other versions or brands may work similarly. However, VScan 7.0/7.1 will find trojans, dialers, spyware, etc...and again, will find some that Spybot and Adaware do not find. Just another program to utilize. Do not count virus scanners out of the picture of spyware hunting.
NAI Information | NAI Virus Scan Updates


Okay, so now that we've covered some programs that *should* get the job done...here are some websites that if you are still stumped...you can go to for advanced help.
Google Search
Yeah, yeah...everyone says to google to get an answer. Problem is, people don't always know what to search for. Recently I saw a thread where they were asking about something like ' res://krappy.dll/index.html#9667 ' or something to that effect. On a google search of the whole thing, you'll get nothing. On a search for ' krappy.dll ' you'll also get nothing. However, if you search for the ' index.html#9667 ' (or whatever the number is)...bingo! You'll get multiple hits with links with different .dll files in there. Put 2 and 2 together and I'm willing to bet that it is the same piece of spyware/malware. The tip here is: Don't just search for the whole thing...search for parts of it that may yield more results!
For the lazy

ComputerCops.biz
This is a recent site I found that generally comes up in google searches aobut spyware. Upon further looking into this site, I've found it to be chocked full of good reading. Mainly the good hard information comes from the forums. While they deal with all sorts of computer security, since I'm talking about spyware...they have a whole sub-forum dedicated just for such things. The only thing I wish not to see is a bunch of us [H]'ers is going over there and just posting HiJackThis logs wishing to be spoon fed resolutions. The best way to educate yourself is to go through the removal process on your own and realize what you are doing when you do it.
ComputerCops Homepage | ComputerCops General Forums | ComputerCops Spyware Forum
 
Things you can do to avoid spyware.

Opera, Mozilla, Firefox & Thunderbird
Alternatives to Internet Explorer. Since they don't natively support Microsoft's ActiveX, you are less likely to get spyware from viewing a webpage. Nasty spyware usually targets Internet Explorer, so it may be safer to use a different browser. It is not recommended to use Internet Explorer unless it is fully patched with critical updates from WindowsUpdate . Also, Internet Explorer currently does not have a popup blocker. The Google Toolbar for Internet Explorer has a built-in popup blocker. If you install the advanced features of the toolbar, be sure to turn of "Page Rank" if you don't want it fetching info on page you view. You must have "3rd party extensions" enabled in internet options>advanced tab to use the toolbar.

Thunderbird is an alternative to Outlook Express. Again, since its vulnerabilities are more often exploited, avoiding Outlook Express AND Outlook may be a wise decision.

Opera Firefox, Mozilla & Thunderbird

Internet Explorer - Strict Internet Options
To make IE safer for browsing, you can adjust your internet options. The idea is to have security on high and cookies off for all sites that are not trusted. This can be annoying for sites that you don't have as trusted or set to allow cookies because you don't frequent those sites, but it's worth the trouble if you use IE.

In Internet Explorer: (always click apply after making a change)

tools>internet options>advanced tab
uncheck "install on demand(internet explorer)"
uncheck "install on demand(other)"
select "do not search from the address bar" //limits the effects of some browser highjackers

privacy tab:
click the "advanced" button
check "override automatic cookie handling"
select "block" for both first and 3rd party cookies
make sure "always allow session cookies" is unchecked.

Then, no sites will be able to set cookies unless you click the "edit" button under the privacy tab, type the site/domain and click "allow".

security tab:
Set the internet and restricted zones to "high"
Set the trusted and local zones to "default level" (click apply) and then change them to medium (make sure to click "apply" again).
Click the "custom level" button for the trusted zone and disable "user data persistence".
Click the "custom level" button for the trusted zone and disable "user data persistence".

Now javascript, java and activeX will be disabled for all non-trusted sites.

select the trusted zone and click the "sites" button.
uncheck "require server verification"
Add your trusted sites. e.g.. *.microsoft.com *.hardforum.com


Sygate Personal Firewall
Recommended FREE firewall. Unlike many other firewalls, this one is non intrusive and DOESN'T *do more harm than good* like so many other well known firewalls.

WinXP users will want to right-click on the "start" button, left-click on "properties", switch to "taskbar" tab and uncheck "hide inactive icons" before installing sygate. Once you see the sygate icon in the systray, you can change the setting back if you want.

Info Download


Grisoft AVG
Free Antiviral Software. It is very non-intrusive and non-system hogging. It's even better if you disable the email scanner, resident shield, auto updater, task scheduler and set AVG to not load up when windows starts. This way, avg is only loaded when you right-click on a file/directory and "scan with AVG".

Note: on Win2K,WinXP and Win2K3, you'll want to set the AVG service to manual instead of automatic.

Info Download Updates

Shields UP & GRC Security fixes
Test your ports and make sure your firewall is doing its job. Disable unneeded, vulnerable windows services.

Info

Win2K & WinXP services guide
Fine out what services you really need to have enabled. If you have fewer services running, you COULD GENERALLY be less vulnerable.

Info Win2K WinXP
 
To kill a persistent VX2/x spyware variant called "ABetterInternet", d/l and use this:

VX2Finder

AdAware and SpyBot S&D can't seen to clean this one, although they do find it. VX2Finder is the silver bullet / wooden stake / +15 Sword of Justice for this particular zombie... :D
 
Some new updates have come out for Spybot.

They add 500+ spywares to the list. Immunize ASAP. :cool:
 
Found (yet another) spyware program that seems to work well, better than ad-aware, in the couple of cases I have used it. WAY better in the last spyware infested PC I worked on.

Spy Sweeper
It also has 'active protection' but I'm not sure how good it is.
 
Schadenfroh said:
Made this little website today, hope it helps

Spyware prevention
Spyware FAQ
SpyWare removal
Click to expand...

Change this "1. Always Click No. Many times you see a little box pop up in Internet explorer that asks if you wish to install something or set your home page to something new. Always click no, unless this is on a trusted site where you requested the application."

to this: Always right click the applications window in the start menu and click close.
Sometimes the popups are not the actual 'is it ok to install' and is instead a popup window that looks like it where yes=yes and no=yes. They will also remove the X at the top right corner of the screen. Result, the only way to handle 100% of these windows is to close it from the start menu/task bar.

Also look at Spy sweeper, it has host file blocks built in, you can of course edit and add your own list. It also has memory and install shields, which will detect currently running spyware so you know to scan, and will prompt you when stuff is installed to the startup group. I would add it to the list of software to prevent/remove spyware.
 
AdAware SE seems to work very well. I've been trying it out on a few computers that were in less than healthy condition.

As for security settings definately make sure an anti virus is installed. For internet options in IE set both the sliders to the highest setting except for the one that blocks all cookies regardless, leave that at the second highest level. Any sites you have problems with just add to the trusted websites list. Typically these will be sites that you don't have to worry about. IE email, banking, big name online retailers etc if you even need to add them to get the site to work correctly.

Also if you're running XP install SP2 since it seems to do a good job cutting down on crap.
 
I run a few internet cafe's in London. Before I found a wonderful app called Deepfeeze I had to battle weekly the pain of spyware mixed with the generally dumb public and my workstations. I tried every app under the sun. THE only one that works 100% for all spyware removal is http://www.pestpatrol.com/

All the others miss stuff.. :( this is the best. You have to buy the corporate edition. :eek:

Cheers.
 
the new free host intrusion prevention product from prevx.com

• Stop ‘Buffer Overflow’ attacks used by Internet worms (such as Sasser) and hackers
• Stop the installation of malicious files
• Stop malicious modification of critical files and directories
• Stop frequently used attacks on Internet Explorer
• Stop unauthorized changes to critical areas of the registry
• Stop covert modification of start-up scripts.

this can stop them before they even get installed. so less nightmares later on. it doesnt seem to slow down my pc noticeable (still first to join bf1942 maps :) )
 
DESmack said:
I run a few internet cafe's in London. Before I found a wonderful app called Deepfeeze I had to battle weekly the pain of spyware mixed with the generally dumb public and my workstations. I tried every app under the sun. THE only one that works 100% for all spyware removal is http://www.pestpatrol.com/

All the others miss stuff.. :( this is the best. You have to buy the corporate edition. :eek:

Cheers.
Click to expand...
I've see Deep Freeze I LIKE it mainly because of the added bonus of nixing ALL spyware.

Mind you the 100% solution is format/reload :D
 
I am a network admin and spyware has/had become a pretty large problem on our network. The two programs that I use to stop it are:

Spyware Blaster
and Spybot

These two have virtually elminated the problem. We still get some. But, our infection rate is down by 90+%. Machines that would get new spyware everyday haven't seen spyware in over a month. Check it out.
 
I've tried to use spybot, but its not overly friendly in a locked down Novell environment. If anyone has any tips to hide the tray icon for instance so it can't be turned off by the user that'd be helpful. As for my contribution, i have found this site to be extremely helpful in diagnosing things:

http://www.sysinfo.org/startuplist.php

also would be interested in experiences with other corporate solutions...
 
Avast! - http://www.avast.com/

Free virus killer. Looks like one of the best free ones in terms of detection reliability (along with AVG), and the auto-update is seamless. Unfortunately, you need to pay for it to get IE script blocking.
 
Ok how is it possible that spyware & adware can be so easily installed without little to no knowledge to the end user? I used to use Windows, then got a Mac for the lack of complexity when setting up a video system and trouble, like viruses . I guess I have gotten lazy because of lack of trouble I've had to deal with, but when I just got my PC to be able to enjoy video games, because Mac sucks in that Dept. I'm getting all kinds of weird things happening to my system.

I know I'm preaching to the choir but isn't there anyting legally that can be done? This is from what I understand a kin to "hacked" into.
 
[v]@bans said:
Ok how is it possible that spyware & adware can be so easily installed without little to no knowledge to the end user? I used to use Windows, then got a Mac for the lack of complexity when setting up a video system and trouble, like viruses . I guess I have gotten lazy because of lack of trouble I've had to deal with, but when I just got my PC to be able to enjoy video games, because Mac sucks in that Dept. I'm getting all kinds of weird things happening to my system.

I know I'm preaching to the choir but isn't there anyting legally that can be done? This is from what I understand a kin to "hacked" into.
Click to expand...


Sometimes users ACCEPT to download spyware because they see the yellow bar at the top and they click Yes cause they figure they need it to view a website. The house is trying to pass a bill that will make spyware illegal as we speak. But Spyware is "downloaded" into your PC by visiting websites. It's not placed there by other users hacking into your system. Thats why we have all these programs to block those downloads and they work really well.
 
A nice loop hole but hacking all the same. I sometimes see those "download this" dialogs, but I still get stuff installed. I just installed a fresh copy of win2k & I had to deal with spy being installed and just becuase I'm using an old version of software I should not have to worry about having spy ware installed into my system.

As we speak I just had a "messenger Service" saying that I have spyware installed on my system, but I just installed win2k a little of 12 hours ago, I'm using firefox for my web browser. And this is the same message I got before I installed a fresh copy of win2k and I reformatted everything to get rid of it.. Whenever I reboot I get a program no responding msg for a program called "Your not supposed to see me". How? I just got online just last night? This stuff is real concerning, and I don't feel comfrontable with the government being the middle man.
 
One technique I haven't seen mentioned yet (and all these tips are really great, don't get me wrong) is the use of Group Policy to restrict certain pieces of IE (and, consequently, Windows) that you didn't need in the first place, as well as to tighten down Windows itself.

If you have Windows 2000, or XP (though I've very little experience with XP. This may only be applicable to the Pro edition, not Home), then go to Run, fire up mmc, go to Add/Remove Snap In from the Action menu (maybe it's File, whatever's in the top left, there, you got it), find Group Policy, add it, close, return to the main screen.

Now, just work your way through the tree of options. You'll run across all kinds of nifty things. Be aware that several options are repeated in both the Computer and User sections, so be sure to address both if that's your intention.

Of particular importance: Disable Legacy Run List and Disable Run Once List. These options, when enabled, kill that ridiculous registry loophole that allows programs to start up with your system very often without you knowing (who checks the registry before every reboot, anyway? Why bother?) Enable these restrictions to stop a slew of malicious software from loading with your intended startup items.

For things that you actually do want to start up with the system, you can use the "Run these programs at logon" option to add them manually to a list that, to my knowledge, is not programmatically editable. This is a good place to put touchpad drivers, printer helpers, MBM, etc.

Anyway, this is far from the only thing I set on all my machines. Also visit the Internet Explorer section. Disable 3rd Party Branding of IE. Disable customizing the toolbar/adding toolbars. Disable 3rd Party Extensions. Disable Install-On-Demand. In the Users section (if you have multiple users on your system) make sure that the Security settings are imported from your master set (also defineable while you're in mmc) regardless of what the user picks.

The level of control is great. Turn on Event Auditing... see not only what went wrong, but when it went wrong, too.

Why stop with Group Policy? Go back and add another snap-in. Try the one for .Net, if you've installed the framework. You can further restrict programs by code class. Did you really want programs with Unlimited access to the machine running in the first place? I didn't think so. Here's where you can limit that access.

Have fun with it!
 
I wanted to mention another program which got rid of a nasty bout of about:blank which Spybot, Adaware, Hijack This and about:buster would not remove.
It's called Adaware Away. That link has specific instructions for removing the pest with their program. Check the site for the program download.
The program is not freeware, but you can use it for a number of days before required to purchase.
 
What is everyones opinon on Spy sweeper? Some ppl at work are nagging me to use it and say that the adaware+spybot se solution is bad. I don't seem to think so, but I'd like to hear from the [h] to see whats what. Thanks in advance!

-Rikus
 
I like Spy Sweeper, but the new MS AntiSpy tool is pretty nice. I'd rate them in this order.

MS Antispy>SpySweeper>AdAware>Spybot.

The biggest problem I have with most spyware removers is the manufacturer. Who is webroot? Lavasoft? Some guy who makes spybot? All little fish. MS isn't. They are the first big guns to setup into the arena, and I don't like straddling up to an unknown company. At least not for corporate stuff...
 
A rather well-updated hosts file.

http://someonewhocares.org/hosts/

A Hosts file may at times act as a pop-up blocker too.

Also, a download manager is nice to have. Especially if it can increase your DL speed somewhat like DAP, since someof the spyware stuff like trojans can download other stuff onto your computer and this will let you take note of it if it's the default dl manager.

My openion on SpySweeper is not good. I've had more success with Ad-Aware for free than SpySweeper when bought.
 
A few FYIs:

For Spybot and AdAware, make sure you set them to scan everyhing and not just do a smart scan. Otherwise, they'll miss a lot of things.

Do the same type of thing for a virus scan.

Keep in mind that a lot of Spyware gets installed by trojans, so it is usually wise to get rid of all viruses etc first and then get rid of the spyware. (There are exceptions though of course).

Also, for windows, I've found that system restore can be infected where virus scan programs won't detect it, but after restart it'l respawn viruses in c:\system volume information. So sometimes you need to disable system restore tell you get rid of all infections and clean/heal system restore (which can be a pain).

As for Microsoft AntiSpyware, it's a pretty good program and worth having.

For adaware, I think it sometimes falsely detects the presence of vx2 narrator spyware. Adware has a tool to detect and remove it. I've encounted a situation were the tool does not detect it and all other anti-spyware tools will clean it and then show no infections, but AdAware itself shows that there's still an infection. AdAware will report that a different, random dll is infected each time you restart the computer and trying to clean the file will cause explorer to restart. AdAware very well may be right, but consider that it might be a false positive.
 
You must log in or register to reply here.
Back
Top