Official Anti-Spyware info thread

Ice Czar said:
between phishing search results and DNS poisoning
there is no "safe computing" any more

of course that's just the absolutes, not the day to day habits
You know, one of my security thoughts waaaay back in the day, when I was doing cabling work was: if there is a connection between two computers, one can compromise the other. This is why wireless internet scares me so much.

That said, this post was generated on a wireless connection. :D
 
Here's my chosen arsenal of weapons:

Spybot 1.4

Counter-Spy (it's flaky and can be a resource hog, but it's inexpensive as a rider to Spybot, $30 for 2 licenses)

Sygate Personal Firewall

ProcessGuard.

AVG 7 when I'm bored and want to scan some downloaded zip files that I think may be questionable.

Hostsman for hosts file monitoring and redirection of spam sites to 127.0.0.1

This 6-pronged approach is as safe as I think one could get w/o pulling the plug.

Spybot and Counter-Spy work in tandem, finding things the other can't. Between the 2 I've had a 100% success rate so far (I scan with Pestpatrol as a 3rd step to verify cleanliness). Counter-Spy generally updates 2-3 times a week, and as such, they are pretty much on top of the new things that pop up here and there.

Other than that, my feelings are still that the problem with anti-spyware and these types of products is they are reactive, not proactive in most cases. Without a definition for a certain malware, it won't know it exists in most cases. Heuristics can help, but the fact remains that as long as you're on the Internet you can't stay completely safe. There's always something waiting to hit you in the face tomorrow. Your best bet is to just avoid questionable sites, and use the hosts file to your advantage.
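Since the post above leans on the hosts file as a blocking tool, here is an added example (not code from the thread, from HostsMan, or from any product named here) of auditing one: it separates the deliberate 127.0.0.1 / 0.0.0.0 blocklist redirects from the hijack that spyware pulls with the very same file, namely pointing Windows Update or an anti-spyware vendor's domain somewhere else so definitions never arrive. SAMPLE_HOSTS and WATCHLIST are constructed for the illustration; 192.0.2.44 is a TEST-NET-1 address standing in for an attacker host.

```python
r"""Audit a hosts file: blocklist redirects vs. hijacked vendor domains.

Added example, not code from the thread or from HostsMan. Entries that
point a name at 127.0.0.1/0.0.0.0 are the intended blocking use; any
entry at all for a watchlisted update/security domain is a hijack, and
any other name sent to a non-sinkhole address is an unexplained redirect.
SAMPLE_HOSTS and WATCHLIST are constructed for illustration.
"""
import ipaddress

WATCHLIST = {  # constructed; extend with the vendors you actually rely on
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.safer-networking.org",   # Spybot S&D
    "www.lavasoft.com",           # Ad-Aware
    "liveupdate.symantec.com",
}

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- blocklist section, as a HostsMan-style tool would write it (constructed)
127.0.0.1       ads.example-adnetwork.com
0.0.0.0         tracker.example-counter.net
# --- lines a spyware dropper might append (constructed, TEST-NET-1 address)
192.0.2.44      windowsupdate.microsoft.com
192.0.2.44      www.safer-networking.org
192.0.2.44      www.example-bank.com
127.0.0.1       localhost.localdomain localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # the resolver ignores junk lines too
        for name in names:
            yield ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify every entry.

    blocked    - sinkholed names (expected for an ad/tracker blocklist)
    hijacked   - a watchlist domain mapped anywhere, sinkhole or not
    redirected - any other name sent to a non-sinkhole address
    local      - the loopback names Windows ships with
    """
    result = {"blocked": [], "hijacked": [], "redirected": [], "local": []}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            result["local"].append(name)
        elif name in watchlist:
            result["hijacked"].append((name, ip))
        elif ip in SINKHOLE_ADDRS:
            result["blocked"].append(name)
        else:
            result["redirected"].append((name, ip))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key in ("hijacked", "redirected"):
        for entry in report[key]:
            print("%-10s %s -> %s" % (key.upper(), *entry))
    print("%d blocklist entries look intentional" % len(report["blocked"]))
```

On a real machine, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; a watchlist hit for a domain you never added yourself is the thing to chase, whatever address it points at.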
 
Spyware Eliminator is the best one out of all the spyware detectors out there, currently. Don't take my word for it, google up some reviews or try it out yourself.
 
All I use anymore is Spyware Blaster. It prevents spyware from being installed in the first place. I also use Firefox.

Lyquist
 
MS Antispyware and Spyware Blaster are really the only spyware programs I use anymore. I always keep Hitman Pro handy though. It's basically a shell for different programs. Last time I checked it had CWShredder, Spybot S&D, AdAware SE, SpySweeper, and SpywareBlaster included. The only downside I know of is it needs an internet connection; once you start it, it downloads all the updates for the programs, then runs each program. It is fully automated. I recommended it to someone here and he was like "holy shit it took over my pc!" lol. But it does a really nice job IMO.
 
I've been fixing a buddy's laptop. Mind you, he is computer illiterate, ran with no AV, no firewall and no anti-spyware. Damn if it didn't take me almost 4 days (5+ hours) to clean the damn thing. McAfee showed over 2000 hits, ad-aware and spybot almost 1000 each, plus I had to LSPFix because his internet connection would not work (this actually took me the longest to figure out). I also had to reset a few other files because Windows Update wouldn't work. Jeez! To top it off his laptop only has 128 megs of ram so you know it just flies. Anyway, I ordered an extra 256 meg for good measure. It's running almost perfect except..... I cannot for the life of me get rid of ad w-a-r-e. I've tried everything. I even tried the new ad-aware vx2.0 plugin; all it says is that it has detected a new variant and to report it, which I did. It doesn't give the option to clean it. Can someone help me out here? I'd hate to slick and reinstall everything when I'm so close. TIA.
 
Jeez, I think it's better to back up all his stuff, run Everest to determine the drivers for his laptop sound card, video, etc., find them, burn them to CD and reformat his computer.

and reinstall...... 4 days isn't worth it IMHO, I could do it in 1 using the steps above.
 
Yeah I ended up formatting his drive and doing a fresh install. It's good as new. But on the bright side, I did learn some interesting stuff.
 
Best I have found in the last couple years...

FREE
Spybot

NOT FREE, THE BEST!
Pest Patrol Corporate edition and Norton System Works 2006 (new included spyware application). Been using PP for a long time, and the Norton works well too. Both have frequent updates.
 
Spyware Blaster is great for blocking spyware websites from installing in the 1st place. (free)

And AdAware is great for scanning & catching spyware (& many viruses too) (free)

McAfee is my preferred A-V program. Norton uses up WAY too much resources (over 100 MB of active page file increase with full suite installed & running). McAfee is effective & efficient.

ZoneAlarm is my preferred firewall. (free)
 
good stuff here. an addition i've found useful:

for the polymorphic child-process spawning malware that puts umpteen randomly named processes into memory (check task manager, if you see jkdfkjfg.exe and six other variants, this is for you.) try right clicking on the weird processes and selecting "End Process Tree". In many cases, if you do this to several or all of them, you will hit the "mother process" and it along with its children will be killed. This can sometimes allow you to delete files which you wouldn't otherwise be able to because of them being in use and automatically re-spawned when killed.

For anti-spyware software, I've had good luck with spybot, adaware, MS antispy and either avast! or NOD32 to get rid of the real nasties. a2 (a-squared) was also very useful on one particularly badly infected machine recently.
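The "End Process Tree until you hit the mother process" trick above can be done deliberately instead of by trial and error. The following is an added example, not code from the thread: given a process snapshot as (pid, ppid, name) tuples, the sort of data you get from `wmic process get ProcessId,ParentProcessId,Name` or Process Explorer, it scores names that look random, walks each one up the parent chain while the parent is also suspicious, and reports the top of that chain, which is the process whose tree you want to end. SNAPSHOT, the random names and the KNOWN_GOOD list are constructed, and the name heuristic is an assumption that needs tuning on a real box.

```python
"""Locate the "mother process" behind a swarm of randomly named processes.

Added example, not code from the thread. Works on a constructed snapshot
of (pid, ppid, name) tuples. The name heuristic (alphanumeric stem of 6+
characters with under 20% vowels, not on a known-good list) is an
assumption; tune it for the host you are cleaning.
"""
import re
from collections import defaultdict

KNOWN_GOOD = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "explorer.exe", "taskmgr.exe"}

SNAPSHOT = [  # constructed
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (520, 400, "winlogon.exe"),
    (560, 520, "services.exe"),
    (700, 560, "svchost.exe"),
    (1200, 520, "explorer.exe"),
    (1500, 1200, "taskmgr.exe"),
    (1800, 1200, "qzxmtvbp.exe"),   # the spawner, launched from explorer
    (1810, 1800, "jkdfkjfg.exe"),
    (1820, 1800, "pqwrtxzk.exe"),
    (1830, 1810, "mnbvcxzl.exe"),   # grandchildren
    (1840, 1820, "lkjhgfds.exe"),
]


def looks_random(name):
    """Heuristic: long alphanumeric stem with almost no vowels, not known-good."""
    lower = name.lower()
    stem = lower.rsplit(".", 1)[0]
    if lower in KNOWN_GOOD or len(stem) < 6 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.2


def process_trees(snapshot):
    """Return (parent_of, children_of) lookup tables."""
    parent_of = {pid: ppid for pid, ppid, _ in snapshot}
    children_of = defaultdict(list)
    for pid, ppid, _ in snapshot:
        children_of[ppid].append(pid)
    return parent_of, children_of


def find_mothers(snapshot):
    """Highest suspicious ancestor of each suspicious process.

    The walk up stops at the first parent that is NOT suspicious (here
    explorer.exe), so a legitimate parent is never targeted. Ending the
    tree of each returned pid takes its respawning children down with it.
    """
    names = {pid: name for pid, _, name in snapshot}
    parent_of, _ = process_trees(snapshot)
    suspicious = {pid for pid, name in names.items() if looks_random(name)}
    roots = set()
    for pid in suspicious:
        while parent_of.get(pid) in suspicious:
            pid = parent_of[pid]
        roots.add(pid)
    return sorted(roots)


def descendants(snapshot, root):
    """All pids in root's tree, root included (what End Process Tree kills)."""
    _, children_of = process_trees(snapshot)
    seen, stack = [], [root]
    while stack:
        pid = stack.pop()
        seen.append(pid)
        stack.extend(children_of.get(pid, []))
    return sorted(seen)


def kill_commands(snapshot):
    """Command-line equivalent of End Process Tree, one line per mother process."""
    return ["taskkill /F /T /PID %d" % pid for pid in find_mothers(snapshot)]


if __name__ == "__main__":
    for root in find_mothers(SNAPSHOT):
        print("mother pid %d, tree %s" % (root, descendants(SNAPSHOT, root)))
    print("\n".join(kill_commands(SNAPSHOT)))
```

`taskkill /F /T /PID n` is the built-in equivalent of the Task Manager menu item: /T ends the whole tree, /F forces it. Kill the mother first; otherwise each child you end is simply respawned.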
 
I do a lot of spyware removal for people at a certain retail chain. I usually try Spybot and ad-aware first, but on really badly infected systems the only thing that does the trick is webroot's spysweeper. I have used this to remove some pretty bad spyware that no other program would detect and people in forums were giving a 5 step process to remove. I have yet to have spysweeper fail me. I highly recommend it to everyone.
 
I'd concur in the paidware category

Webroot State of Spyware Report
(coverage) http://www.technewsworld.com/story/42844.html
(access) http://www.webroot.com/land/sosreport-2005-q3.php

however any app seeking to "fix" spyware has a vested interest in continuing to do so
so I again stress that an ounce of prevention is worth a pound of cure ;)
it's just simpler if you're at a certain level of competence to write rules about what is allowed to run on your box and exclude everything else

but I've outlined those steps previously
entirely different story if you're sanitizing someone else's problem ;)
Webroot from what I hear is a damn fine automated tool
as opposed to potentially more powerful but also higher learning curve freeware apps
 
In my experience, Spysweeper does the job. It's a bit of a resource hog, quarantines rather than deleting infections, and has a long scan time, but it works.

The fact that it works easily outweighs the disadvantages in my mind since you are probably only going to run it once in a great while if the user is not being repetitively stupid.
 
just got a new PM about a new variant of CWS and sony rootkit...woohoo

Hi there, I do computer tech work, and recently I found a variant of CWS that (most likely) uses a variant of the sony root kit tech and is impossible to remove with Adaware, Spybot and CWShredder

The only program I could find that would find and identify the files and hidden dll, for cleaning and deletion, was this:
http://www.f-secure.com/blacklight/
 
I know it's only a matter of time before all the vendors update their AV/Malware detection rules, but in the meantime, for those of you that are brave :), how does your current system protection arsenal stand up to this? FWIW, this particular exploit is pretty easy to clean *after* you've been infected, but I'm curious which combination of pre-exploit patched tools actually stop this 0-day exploit in the first place.

http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html
 
Ranma_Sao said:

Now I'm really curious what could "our man in Redmond" have deleted? :p



PS off \ on topic addendum at large
I ran into Steve Thomas, the founder of Webroot last week and he seemed interested in doing an interview ;)
Now I have to convince Kyle we do interviews :p
 
I do a fair bit of Spyware removal now, and I usually start with disconnecting the computer to reduce the number of popups and keep the spyware from redownloading itself or its friends. First turn OFF system restore and clean out the crap (CCleaner), run HijackThis! and kill obvious malware processes. Clean the registry (both with CCleaner and RegSupremePro), and install Spyware Removal Tools from CD or Flash Drive. (That HitmanPro is very intriguing, I need to try it.) These are: Ad-Aware, Spybot (these are fairly quick), then CounterSpy, ewido, and AVG. Sometimes we throw in SpySweeper, MS AntiSW, Blacklight, and Rootkit Revealer.

Before running the scans you might check to see if the hard drive is badly fragmented; spyware can really frag a drive and can more than triple the scan times. Sometimes I even throw in extra RAM. In msconfig, disable everything for the initial scans, in both the startup and services tabs, except for the Microsoft ones. It isn't worth the time to analyze a system until after the initial scans get rid of the first few thousand, and disabling nonessential apps makes things much easier, especially for broken Norton, McAfee, AOL, Yahoo or NetZero apps. This also applies to MS Office, printer software, buddy lists, calendars, and anything else that is just "in the way."

Run all of the scans from safe mode, first with the definitions installed manually, then with those that need to download. CounterSpy and ewido usually need to download their definitions and reboot to recognize them; just reboot back into safe mode. Try and keep your reboots to a minimum as the "run" section in the registry is a trigger event. You don't want some virus to notice that you removed something, and morph into something else. You want to get it all at once, if possible. Also, make certain all the updates are installed, especially SP2. After running everything at least twice to get a clean scan, the second time in normal mode, follow up with at least two online scans:
http://www.pandasoftware.com/products/ActiveScan.htm and .com/spyxposer or http://www.pandasoftware.com/spyxposer/pavspy1.asp
http://www.kaspersky.com/virusscanner
http://housecall.trendmicro.com/ - even works with Firefox using Java, though sometimes it doesn't seem to work at all; they have recently added this functionality.

Note the files they find; you may need to delete their entire directories and search the registry for those entries to see what calls them, but registry cleaners should get most of the entries for those that were just removed. Files in question can be googled, or scanned at http://virusscan.jotti.org/, which scans with several AV programs at once. It is a fairly safe bet that any file that has no google results is randomly named malware.

Some things like Smitfraud need specific tools. And some registry changes and file deletions are near impossible. Killbox for the files, and Registrar Lite for the registry. You can sometimes take ownership and then delete. Some registry entries have a "?" in them and cannot be deleted directly. For example, "n?lookup.exe" is usually pointing to nslookup.exe (which was likely deleted by the scanners and is now flagged as not pointing to anything), and although that sounds legit, it is usually malware posing as legit. Just delete the nslookup.exe registry key in that case. I have also seen d?dplayer.exe, in place of dvdplayer.exe. Some files are reported by the scanners, but you can't find them; Killbox those. Sometimes even if you boot to Linux you can see the file but can't delete it.

You may find it easier to remove the drive and slave it onto a good system to run the scanners. Since the registry is not processed the malware will not be active and is easier to remove, but the scanners cannot properly "uninstall" them either. This has the potential to break your system. Proceed with caution.

Basically, I have never found a single app that finds everything, so I run several. If they all find something, I run more, there are many more to try. Just check http://www.spywarewarrior.com/rogue_anti-spyware.htm to make certain your scanner of choice isn't on the rogue list. Also, malware takes time to be identified, reverse engineered, and updated for, you may have something that hasn't yet been found, so most, if not all, scanners will miss it. A clean scan does not mean a clean system, Fdisk/format/reinstall is the only sure way.

What? You're still here? Eh, I'll stop talking now. I need to get a life. ;)
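The n?lookup.exe / d?dplayer.exe pattern in the guide above is worth automating, since eyeballing a long Run key for a single odd character is error prone. Here is an added example, not code from the thread or from any tool it names, that takes the text of a .reg export (e.g. `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; that file is UTF-16, so decode it first) and flags autorun values whose executable name contains a character Windows does not allow in filenames, is one edit or transposition away from a well-known system binary, or launches from a Temp directory. SAMPLE_REG, SYSTEM_BINARIES and the benign ctfmon/SoundMan entries are all constructed; the benign ones are included to show that they produce no hit.

```python
r"""Flag mangled and lookalike autorun entries in an exported Run key.

Added example, not code from the thread. Parses .reg text, extracts the
values under any key ending in \Run, and reports names that could not be
a real file (illegal characters), near-misses of known system binaries
(one substitution, insertion, deletion or adjacent swap away), and
entries that start from a Temp directory. All sample data is constructed.
"""
import re

SYSTEM_BINARIES = {"nslookup.exe", "svchost.exe", "explorer.exe", "rundll32.exe",
                   "lsass.exe", "csrss.exe", "ctfmon.exe", "winlogon.exe"}
ILLEGAL_CHARS = set('<>:"/\\|?*')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMan"="SOUNDMAN.EXE"
"n?lookup"="C:\\WINDOWS\\system32\\n?lookup.exe"
"dvdplayer"="C:\\WINDOWS\\d?dplayer.exe"
"svch0st"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe"
"scvhost"="C:\\WINDOWS\\scvhost.exe -s"
'''

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_values(text):
    """Yield (value_name, command) from every key whose path ends in \\Run."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.lower().endswith("\\run"):
            m = _VALUE_RE.match(line)
            if m:
                # .reg escapes backslashes and quotes with a backslash; undo that
                yield m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def osa_distance(a, b):
    """Levenshtein distance that also counts one adjacent swap as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def exe_name(command):
    """Lowercased basename of the first .exe token in a Run command line."""
    m = re.search(r'([^\\/"\s]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_suspicious(reg_text, known=SYSTEM_BINARIES):
    """Return {value_name: [reasons]} for autorun entries that deserve a look."""
    findings = {}
    for name, command in parse_run_values(reg_text):
        base = exe_name(command)
        reasons = []
        if ILLEGAL_CHARS & set(base):
            reasons.append("illegal character in filename")
        for legit in sorted(known):
            if base != legit and osa_distance(base, legit) == 1:
                reasons.append("lookalike of " + legit)
        if "\\temp\\" in command.lower():
            reasons.append("runs from a temp directory")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_REG).items():
        print("%-10s %s" % (name, "; ".join(reasons)))
```

Run it against exports of both the HKLM and HKCU Run and RunOnce keys; a value that is exactly a system binary name but lives outside System32 is the next thing to check by hand, since the name check alone will not catch it.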
 
While this may seem unorthodox to many of you, actually changing your browsing and internet usage habits is the most effective method of keeping spyware off your system. Once you're infected, of course you need some software to help you remove that malware, but you should not stop there. LEARN from the incident, and next time you encounter a situation where you think that it might trigger another infection you will know to stay away, or how to prevent infection. I used to get spyware, but after learning what internet usage habits cause infection, my system stopped getting infected. My system has been clean for over a year now without the help of any software. Trust me, you will get along fine on the Internet after you make some changes to your habits, and educate yourself. You won't even miss your old habits. The software I use to test for infections is SpyBot S&D and Ad-Aware. The case where both of these won't find something is so rare that dealing with those on a case by case basis is fine with me.
 
KoolDrew said:
Very nice guide, but I have a few suggestions.
First of all if you have other people in the house hold especially if you have kids who use the PC it may be best to make limited accounts. Many people may not like this idea, but it should be mentioned as an option.

Definitely a good idea. I had to set my dad up on a limited account due to all the virus and spyware issues. Given that all he does is browse porn and the occasional document in Word, he doesn't need access to the whole system. Putting him on Firefox also helped.

On my own system I have a separate limited account for just browsing the web. Since the limited accounts have no access to the more important directories on the system, some spyware can't do the damage it would like.
 
What about the new Ad-Aware 2007 free edition? How does it stack up against Ad-Aware SE?


Personally I dislike the new Adaware's GUI.
 
MalwareBytes should be added to the list on this sticky as it is now one of the best anti-spyware programs out there.
 
This sticky is really old, lol. Is there any way we can get an update?

Got most of my bases covered; stickies like this are really good to know about if you have to reformat and forget to back up your protection installs (done it more than a few times, orz).


edit: oops, it's not a sticky, I could have sworn it was when I started to check it out o_O
 