September 18, 2004

Curious George: Spyware prevention I am wondering if you monkeys know of a good Win2K app that will aggressively prevent backdoor registry changes, startup changes, and software installs. Even though I have the latest AdAware + defs, don't use IE, and scrutinize my task manager and startup files, I'm still getting stuff sneaking in. I can't seem to pin anything down on Google... too much noise and untrustworthy content.
  • Spyware Blaster is a good tool that prevents certain KNOWN things from being downloaded. Like anti-virus and anti-spyware, it needs to be updated regularly and can't do anything against things it doesn't know about. I like it because it doesn't actually run at startup, it just changes the registry to prevent the programs from installing.
  • Spybot is another good one which often catches stuff that AdAware and the AV programs miss. Netwatchman has lots of good advice and online vulnerability tests. If you're on broadband, you gotta have a firewall and/or a router.
  • (Ditch Windows if you can.)
  • fuyugare was a bit terse, but the "ditch Windows" sentiment rings true. RolyyPoly, are you running any apps that absolutely require Windows? You've already mentioned that you don't browse the web with IE (certainly a good idea). I support Windows applications for a living. (Unix and VMS too). Corporate America has dealt with the Windows Worm Thang (tm) by walling off their networks with multiple layers of firewalls, port scanners, odious user policies, and dog-breath legal threats. Home users don't have such options - not that they're very attractive to begin with. I retired my Windows PC some time ago. I have a far-from-current Mac - a ca. 1999 G4 running OS X. My home computer does everything I want. I really couldn't justify buying anything fancier. If you're going to run Windows, do any or all of the following: 1. Put a firewall appliance between your PC and the internet if you're using cable or DSL broadband. 2. Uninstall any components of Windows that you don't use. Microsoft likes to pretend that some components are "part of the operating system", but third party apps like LitePC will help you remove them. 3. Run "Windows Update", and install any updates that are rated "critical". 4. Run multiple spyware scanners. The aforementioned AdAware and Spybot are both good. No scanner catches everything. 5. Build a bootable rescue CD. Check out the Bart's PEBuilder site for a good one. Hey look! I didn't say "Buy a Mac!" :)
  • Also don't use Outlook/Outlook Express if at all possible. If you must use them, turn off accepting HTML formatted e-mail (that's just like running IE). Running XP Pro, FireFox, and Thunderbird just about all I ever see in Ad-Aware and Spybot are cookies (maybe you're confusing ad cookies with spyware in the ad-aware results?) Another possibility is you have a spyware virus installed that comes back after being deleted every time you start up. I had one like that once, Spybot and Ad-Aware would delete it every time and it would always come back. I actually had to kill it with a virus scanner and a registry edit.
  • Stop using IE and OE. Use Firefox and Thunderbird. It's that simple.
  • I induced a colony of fire ants to live in my computer - they knock some serious shit out of nasty malware.
  • Yeah, colonies work in the beginning, but soon they will start demanding autonymity and resist taxation. Revolution, then independence, is inevitable; it is a matter only of time.
  • Err, I meant 'autonomy'. What the fuck kind of word is 'autonymity'?
  • Check out Mike Lin's page for Startup Monitor and Startup Control Panel, also Javacool's SpywareGuard. Another good FAQ on spyware etc. is at Christian Wagner's page. If you're going to get AdAware make sure to install the "tea timer" as well; also in the AdAware settings there are a couple of IE tweaks you should turn on.
  • Spybot also has an immunization tool that prevents some 1000 objects from installing themselves on your system I believe. Although I'm not sure on the details of it I know Spybot is a trusted program and this feature should not be overlooked to get the best prevention. Be advised that many programs doing what you want it to do (ie. prevent stuff from installing itself) will be geared towards Internet Explorer (Tea Timer, Spybot Immunization, etc.) so you'd want to check into programs that do more in a universal sense to help secure the computer. Also, always check the security settings on any browser you use. Make sure that AT LEAST the defaults are set for that. Spyware can be tricky in getting through holes like that.
  • What the fuck kind of word is 'autonymity'? One's right to decide to remain unnamed? A perfectly cromulent word.
  • What a great thread! And, moneyjane wins.
  • Doesn't Spybot suggest Spyware Blaster as superior to their own tool? Or am I misremembering what it says on install?
  • yed, fuyugare - yeah, I gotta have Windows; I've written some Windows apps that help pay our bills. Thanks for the suggestions. drivingmenuts, pivo - let it be known that I ditched IE and OE many moons ago and even put IEradicator on one of them. I successfully squashed the punk-ass startup malware by force-editing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. jccalhoun, islander, beeza, genial - thanks for the leads. moneyjane - I live in Austin so I'll look for a fire ant mound tomorrow. fuyugare - autonymity is self-rule incognito --- Also a tip that I've never seen discussed anywhere yet is, when your system is clean and rebooted, make a list of all the Processes (not Applications, but Processes) in the Task Manager. That makes it easier to detect something that shouldn't be in there and is how I found "webrebate0.exe" which the latest AdAware & defs missed. Will keep monitoring the thread. Thanks everyone.
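The "baseline your process list" tip above can be automated: take a snapshot of the process list while the machine is known-clean, take another later, and report what appeared, what disappeared, and which known processes now have more instances than before. The script below is an added example, not code from the thread; it assumes both snapshots are in the CSV layout that `tasklist /FO CSV` produces (the poster built the list by hand from Task Manager), and both snapshots here are constructed sample data in which `webrebate0.exe` plays the unexpected newcomer.

```python
import csv
import io

# Constructed sample: process list captured on a known-clean boot.
BASELINE_SNAPSHOT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","212 K"
"smss.exe","140","Console","0","344 K"
"csrss.exe","164","Console","0","1,812 K"
"winlogon.exe","184","Console","0","2,944 K"
"services.exe","212","Console","0","4,120 K"
"lsass.exe","224","Console","0","1,368 K"
"explorer.exe","684","Console","0","6,572 K"
"firefox.exe","912","Console","0","24,108 K"
'''

# Constructed sample: process list captured later, with one extra binary and a
# second explorer instance (a classic hiding place for injected code).
CURRENT_SNAPSHOT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","212 K"
"smss.exe","140","Console","0","344 K"
"csrss.exe","164","Console","0","1,812 K"
"winlogon.exe","184","Console","0","2,944 K"
"services.exe","212","Console","0","4,120 K"
"lsass.exe","224","Console","0","1,368 K"
"explorer.exe","684","Console","0","6,572 K"
"webrebate0.exe","1044","Console","0","3,220 K"
"Explorer.EXE","1100","Console","0","5,004 K"
'''


def parse_snapshot(text):
    """Map lower-cased image name -> list of PIDs from tasklist-style CSV.

    csv.reader handles the quoted "1,812 K" memory column correctly; names are
    lower-cased because Windows file names are case-insensitive.
    """
    procs = {}
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the header row
    for row in reader:
        if not row:
            continue
        name = row[0].strip().lower()
        procs.setdefault(name, []).append(row[1])
    return procs


def diff_snapshots(baseline_text, current_text):
    """Return names that are new, missing, or multiplied relative to the baseline."""
    base = parse_snapshot(baseline_text)
    cur = parse_snapshot(current_text)
    new = sorted(set(cur) - set(base))
    missing = sorted(set(base) - set(cur))
    # Same name as a baseline process but more instances than before.
    multiplied = sorted(n for n in cur if n in base and len(cur[n]) > len(base[n]))
    return {"new": new, "missing": missing, "multiplied": multiplied}


def report(baseline_text, current_text):
    """Human-readable summary for the console; the dict is what callers should use."""
    result = diff_snapshots(baseline_text, current_text)
    for kind, names in result.items():
        print(f"{kind:10}: {', '.join(names) if names else '-'}")
    return result


if __name__ == "__main__":
    report(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
```

In practice the baseline should be stored somewhere the logged-in user cannot modify, otherwise malware that can write the Run key can also edit the baseline; "missing" entries are usually just programs you closed, but a vanished security tool is worth a second look.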
  • HijackThis is a program which has features to get rid of spyware etc and also allows you to post vital data about your computer on computer help pages so that others who are more knowledgeable can help you. * HijackThis v1.97 * Written by Merijn - merijn@spywareinfo.com http://www.spywareinfo.com/~merijn/files/hijackthis.zip http://www.spywareinfo.com/~merijn/index.html Also come to PressF1 in New Zealand for online help, you will have to register (free) and that is no problem and then you will be able to get expert help. http://pressf1.pcworld.co.nz/forum.jsp?forum=1 Robert.
  • "What the fuck kind of word is 'autonymity'?" Technically, a very handsome example of what Lewis Carroll labelled 'portmanteau words', fuyugare. Great fun -- do it again!
  • Ooooooops sorry for the double post. I am trying out, experimenting with, a program called "Proxomitron" which is very interesting and cuts out all the adverts, flash etc on web pages viewed, and I am unfamiliar with some quirks. Robert.
  • In case you are interested the link is: http://www.proxomitron.info/
  • Spycop was recommended to me a little while ago by a trusted source, but I haven't tried it personally.
  • zqwerty--you don't have to sign each comment off with your name.....that's kinda what 'zqwerty' is for. Just sayin'. Also, I have Proxomitron. I like it although it tries to stop you from getting to certain sites, just keep trying. /Off Topic; If you have to live in Texas, can I just say that Austin is by far, the COOLEST place to live. Thank you.
  • Take a look at Shields Up. It reviews some firewalls and has a "leaktester." I second the mention of Mike Lin's app. I also use F-prot to search for viruses, and an ancient version of Tiny Personal Firewall that I find superior to every firewall I've ever used (including the cruddy "new" version). Also, if you're using W2K go to services and disable messaging, NetMeeting sharing, and routing and remote access.
  • There's four things you can do on Win2k (and XP, WS2k3, NT4, etc.) that will make your life infinitely easier. Do not run as admin. Set your user account to be a member of the "Users" group only. Consult your favorite win2k info site (or the online help) for details. Doing this prevents spyware from writing junk into the registry where you (as a user) don't have write access - like under HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE. Do convert your disks (all of them) to NTFS. FAT32 doesn't support access control, while NTFS does. If you didn't set up Win2k with NTFS from the get-go, try Microsoft's security tool to get these set right. Do set a strong password on the Administrator account - don't leave it blank. Use runas.exe to elevate to the Administrator if you must, or log out and log back in as admin to do any software installations. Change the ACLs on "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" to deny your account write access. If you're super-paranoid, find where your start menu's Startup folder lives, and deny yourself write access there as well. Use ACLs - they're your last best line of defense on an NT-based system. Sure, spyware might still be able to install itself into your profile directory, but it won't run more than the one-time; after you logout and login again, it'll be dormant and something like Spycop, AdAware, etc. will be able to detect it. Check out Microsoft's How-To and/or their Microsoft Security Baseline Analyzer to make sure your system is secure. (Disclaimer: I used to be an admin, I work for Microsoft, I don't run as a local administrator, and while they're in line with them these are not necessarily the views of said employer.)
  • I use IE (I know, Boo!), and even Outlook Express. I guess it could be said that it's only a matter of time before the hordes of Spyware and Malware overrun my machine, but I've been 100% spyware and virus free for the 5 years I've been using this computer. My last job was as a Producer at a web design company, so I'm quite familiar with all of the things that can and do go wrong... but here's how I go about keeping my computer safe: Mail tips: 1. NEVER NEVER NEVER NEVER open an attachment that you are not expecting to receive, and know is from a specific person who let you know something was coming. No exceptions. My family doesn't send me cute little heart-warming pictures of cats or sunsets anymore, but I also don't have any viruses for 5 years running. 2: Never use the preview pane. If you get an email that appears to be from a friend and has an attachment, in Outlook Express, you can right-click the email, view properties, click the details tab and view the original source text of the email to see if it's safe. Web surfing tips: 1. Nothing will save you more headaches than your friend and mine, the HOSTS file. I get my skeleton hosts file updated regularly from sites such as Everythingisnt.com. I also keep a shortcut on my desktop to the file, so I can add servers which try to send me "Browser Helper Objects" like the Gator Wallet or Comet Cursor. Even the (few) popups which get past my Google toolbar (advanced tracking disabled, btw) pop up with lovely little "Server Not Found or DNS Error" inside rather than an ad. 2. If you are visiting any sites that you do not know much about and may or may not be trustworthy, disable java and javascript. Most especially, I look for MAME ROMs (old arcade game files which my computer can emulate), and sites like that are lousy with spyware and malware, dialers and javascript redirects to porn sites (which are 100% untrustworthy anyway and will try to send you into recursive popup hell), so disabling all scripting is very very wise. 3. Aside from using Adaware, Spybot, and ZoneAlarm (and having a firewall installed on my router, talk about multi-layered web-prophylaxis), I also highly recommend a little freeware program I found called BHO Demon. It identifies ALL "Browser Helper Objects" for IE and you can disable any and each independently. 4. As with e-mail NEVER NEVER NEVER NEVER NEVER say "yes" to any popup which asks you to "install" ANYTHING unless you are actually on the Microsoft Website or ABSOLUTELY trust the site, such as Trend Micro's Housecall web-based anti-virus. Luckily, with SP2 for XP (which I'll update to in a few months after more bugs are worked out), you can set that popup to "never trust content" from someone and not have to say "no" every time. 5. Virtually every special "toolbar" that espouses to help you out is evil. Google Toolbar is the ONLY one I trust. I don't even trust the Yahoo toolbar, as I've seen in the past (it may not be still true, but it once was) that some "partner" programs which the Yahoo toolbar installs without you knowing are themselves not quite trustworthy, and it starts looking like the STD-tree: by having unprotected surfing with a company's toolbar, you are surfing with every company they've ever partnered with, every company THEY'VE ever partnered with, and so on, until you realize that you got a nasty virus passed through 5 companies' hands to your machine. General Tips: Most File-sharing Utilities (things like BearShare, KaZaA, and the like) are just as bad as any porn site. I don't download or share music or videos, not because it's unethical but because it's unsafe. ----- So, to sum up, it IS possible to use IE and Outlook Express and remain spyware, virus, and malware free if you are vigilant and aware of the dangers that exist. Also, all of the Firefox people should be careful: malware/spyware/viruses don't target it much because its market penetration is low. If Macs ran on as many desktops as Windows does, the virus writers would target them. Doesn't mean it's safer, it just means that crackers wouldn't bother writing a virus for 3% of the PC market.
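The HOSTS-file technique in the post above works because Windows consults the hosts file before DNS, so mapping an ad or BHO server's name to 127.0.0.1 makes every request to it fail locally (the "Server Not Found" the poster sees). Merging a downloaded blocklist into the file by hand is error-prone: duplicates pile up, entries differ only in case, and a careless paste can redirect `localhost` itself. The script below is an added example, not code from the thread or from any hosts-list site; the hosts file and the blocklist it merges are constructed samples using reserved `.test` names, and the file layout assumed is the standard `IP whitespace hostname [# comment]` format.

```python
import re

# Constructed sample: a minimal Windows hosts file before any blocklist is merged.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # added earlier by hand
"""

# Constructed sample blocklist, as one might paste from a hosts-file site.
SAMPLE_BLOCKLIST = [
    "ads.example-tracker.test",   # already present, must not be duplicated
    "ADS.Example-Tracker.test",   # same name in different case
    "cdn.example-bho.test",
    "popup.example-spyware.test",
    "localhost",                  # must never be redirected
    "not a hostname!",            # malformed, must be rejected
]

# One or more DNS labels (letters, digits, hyphens, no leading/trailing hyphen)
# followed by a top-level label; 253 characters total at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_hosts(text):
    """Return {hostname_lowercase: ip} for every active (non-comment) mapping."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def valid_blockable(name):
    """True if the name is a well-formed hostname that is safe to sinkhole."""
    name = name.strip().lower()
    if name == "localhost":
        return False
    return bool(HOSTNAME_RE.match(name))


def merge_blocklist(hosts_text, blocklist, sink="127.0.0.1"):
    """Append blocklist names not already mapped; returns (new_text, added_names).

    Names are normalised to lower case, validated, and de-duplicated against
    both the existing file and earlier entries of the same blocklist.
    """
    existing = parse_hosts(hosts_text)
    added, seen = [], set()
    for raw in blocklist:
        name = raw.strip().lower()
        if name in seen or not valid_blockable(name):
            continue
        seen.add(name)
        if name not in existing:
            added.append(name)
    lines = [hosts_text.rstrip("\n")]
    if added:
        lines.append("")
        lines.append("# --- merged blocklist entries ---")
        lines.extend(f"{sink}\t{name}" for name in added)
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    new_text, added = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)
    print(new_text)
    print("added:", added)
```

Writing the result back to `%SystemRoot%\system32\drivers\etc\hosts` needs administrator rights, which fits the advice elsewhere in this thread: a non-admin account cannot rewrite the file, so neither can malware running as that account. Pointing entries at 0.0.0.0 instead of 127.0.0.1 avoids connection attempts to a local web server if you run one; the function's `sink` parameter exists for that choice.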
  • No pr0n chimaera? Why have an internet then? :) Also, "all of the Firefox people should be careful: malware/spyware/viruses don't target it much because its market penetration is low" Actually I would lean toward it doesn't run ActiveX components and is not an actual part of the OS as a big reason as well. Mozilla group has had a few security scares along the way...I think average turnaround on a patch being out was like 8 hours. Not Tuesday next month...maybe.
  • No Mozilla isn't perfect, however, the biggest Mozilla holes that I have heard of are only on Windows. Why? Because they take advantage of capabilities of Windows to do their evil! Yes you can use IE, but why bother? Honestly, every time I have to use IE, I just get frustrated within 5 minutes. I have even installed Portable Firefox on a networked storage space so that I don't have to put up with IE's crap when I use computers in a computer lab on campus.
  • "So, to sum up, it IS possible to use IE and Outlook Express and remain spyware, virus, and malware free if you are vigilant and aware of the dangers that exist." That's the greatest point is keeping up-to-date with potential security threats. Knowing how it's done. The prevention becomes second nature once you know the how and why. I've remained trojan, spyware, virii free by following some basic rules as well. Most of which has already been posted. Some sound advice from the commenters. Though I disagree somewhat that once you've battened down everything you're still not at risk if you use IE. The temp folder and IE being "hardwired" into the shell of the OS is a major problem. For me running IE is like playing Russian roulette. Frankly no one (well ...Windows users at least) is safe anymore. Recent discovery by Microsoft showed that even JPEGs can carry a virus. As mentioned before, Mozilla isn't as popular so goes under the radar of programs to attack but it has two things going for it; - they offer a bounty to people who report bugs found within the browser (and people have taken advantage of this offer) - the turnover rate from bug discovery to patch release is insanely fast. One recent bug was reported (on a non-Mozilla site) and the patch was already available. Compare that to IE where some security flaws haven't been fixed in over a year.
  • McDonalds MP3 Player Prizes Infected With Spyware Ten thousand winners received the McDonalds-branded MP3 player preloaded with 10 songs and the QQPass spyware trojan. The trojan reportedly began to transfer username and passwords once it was connected to a Windows PC. Heh.