[wplug] Windows - Is this happening to you too?

techmike mikeslists at access995.com
Sat May 29 12:37:54 EDT 2004


As an ISP helpdesk tech I see hundreds of these a day.  I set up a site to
refer the users to.  Drastically cut the number of 'spyware' related tech
calls.

from fixmy (dot) net, download AD-Aware, Spybot (new version), and Spyware
blaster.

What AD-Aware misses, Spybot will catch and vice versa.  Spyware Blaster
is a legit program to block around 1300 variants of spyware.  The new
Spybot can block some stuff too, homepage hijackers, various ActiveX
controls, and has its own lmhosts manager to keep your users from getting
to pages known to provide spyware.

-mike


-----Original Message-----
From: Bill Moran <wmoran at potentialtech.com>
To: General user list <wplug at wplug.org>
Date: Sat, 29 May 2004 10:29:51 -0400
Subject: Re: [wplug] Windows - Is this happening to you too?

> Robert E. Coutch wrote:
> > Hi all,
> > 
> > I'm sooooooo glad I'm running Linux.
> > 
> > I have been inundated with Windows 98 PCs lately with pretty much the
> > same problem.
> > 
> > They all have ads, toolbars and other unsolicited software installed.
> 
> Yup.  Saw an article somewhere where Earthlink took a survey and found
> 28 adware programs on each PC on _average_.  Keep in mind, that's _average_,
> so some must have had many, many more to offset the some that had few or
> none!
> 
> > After spending DAYS working on the problem here's what I have found.
> > 
> > Spy-bot, Adaware, and virus checkers do not cure the problem.
> > 
> > Adaware finds most of the problems and removes them but then they reappear
> > after reboot.  Even after cleaning up the registry and other startup files.
> 
> The various ad removers can fix some of them, but not all.
> 
> > The folks who write this crapware to infect Windows PCs are getting better at
> > their craft.  It's no longer enough to clean out a few registry keys and
> > remove a few program files off the hard drive.
> 
> They're not really getting any better:
> http://www.comedia.com/hot/jargon-4.2.3/html/The-Meaning-of-Hack.html
> See the last example; it's probably where these copycats got most of their
> ideas.
> 
> > It seems they have started using DLL files that look like normal system files
> > to load the unwanted software.  Some of these DLLs look like part of the
> > printing subsystem but are actually downloading and installing toolbars,
> > search links and so on.
> 
> I've seen this one.  The only way to tell them apart is that the .dlls are in
> the wrong directory.
> I've also seen where they use random filenames, and change the name on every
> reboot, which means you can't look the problem up on the 'net, because the
> symptoms aren't consistent.
> And I've even seen dual-processes that restart each other when killed, and
> rewrite the registry on shutdown.  Very hard to fix.
> 
> To make it worse, I have yet to see any antivirus product that protects
> against adware.  I guess the AV folks are afraid that some adware maker will
> find a way to sue them if they label their adware a "virus".
> 
> If you ask me, the adware is _just_ as bad as any virus, only worse.
> 
> > So far I've only seen this on PCs running Windows 98.
> > I want to know if anyone has seen this sort of nonsense going on with other
> > versions of Windows.
> 
> Yes.  On Windows XP professional.
> 
> > None of the tools I've found have the ability to fully remove and block this
> > stuff.  Does anyone have any suggestions that I should try?
> 
> Nope.  We're looking at a whole new field of expertise if you ask me.  One that
> I'm qualified to do, but have no desire to do.  And one that's not appreciated
> either.  I just had a client leave me for another provider because I charged
> him for two hours to clean one of these things off.  I seriously doubt if
> anyone else would have been able to do it any faster.
> 
> > I've been cleaning out the registry by hand one suspicious class id at a time.
> > This is a very looooong and tricky process.
> 
> Yup.
> 
> > The wife is actually considering switching to Linux because while her machine
> > was down, she used mine.  She's also considering a Mac.
> 
> Mac is very nice.  If you're looking around, try FreeBSD as well ;)
> 
> > I don't think my paying clients will even consider going Linux or Mac but I
> > don't want to recommend they "upgrade" to XP unless I can be sure this is not
> > happening (yet) with that version of Windows.
> 
> Doesn't help much.  XP is vulnerable to most of these as well (but not all).
> Plus, just to reduce the infection rate you have to set up proper security,
> which means your clients won't be able to install software without logging out
> and logging back in ... in my experience, most clients won't tolerate this.
> 
> > Can any of you help me or point me in the right direction?
> 
> Unfortunately, no.
> 
> This is a case where people expect you and I to fix this for free.  What you
> can do to reduce the incidence:
> 1) Use XP or 2000 Pro
> 2) Set up properly restricted user accounts.  This is a problem, because most
>    crappy software will crash or fail to start when run under a properly
>    restricted user account (welcome to hell, pick one: "I get adware" or
>    "my important programs won't work")
> 3) Set up IE and OE to be very paranoid
> even better ...
> 4) Remove IE/OE and replace it with Mozilla, which has fewer attack routes
> 5) In a business environment, put in a packet filtering system that blocks all
>    internet traffic except what is absolutely required for business.
> 6) Replace Windows with Linux, BSD, or Mac
> 7) Educate users to not install every damn thing that a popup asks you to
>    install!
> 
> -- 
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
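Bill's observation above that the impostor DLLs can only be told apart by sitting in the wrong directory can be turned into a simple audit. The following is an added example, not code from anyone in the thread; the system directory list, the set of "borrowable" system DLL names and the sample module listing are all constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed: directories where genuine Windows system DLLs are expected.
SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS\SYSTEM32"}

# Constructed: names of printing/system DLLs an impostor might borrow.
# In practice, build this from a clean reference install of the same version.
KNOWN_SYSTEM_DLLS = {"winspool.drv", "spoolss.dll", "ole32.dll", "wininet.dll"}

def _norm(path):
    """Case-fold a Windows path so comparisons ignore case and slash style."""
    return str(PureWindowsPath(path)).lower()

def is_in_system_dir(path):
    """True when the module's immediate directory is a trusted system dir."""
    parent = _norm(PureWindowsPath(path).parent)
    return parent in {_norm(d) for d in SYSTEM_DIRS}

def find_masquerading_modules(loaded_modules):
    """Flag modules that (a) carry a known system DLL name but were loaded from
    outside the system directories, or (b) share a file name with another loaded
    module in a different directory (the genuine DLL and its impostor side by
    side) while themselves living outside the system directories."""
    by_name = defaultdict(set)
    for mod in loaded_modules:
        by_name[PureWindowsPath(mod).name.lower()].add(_norm(mod))
    flagged = []
    for mod in loaded_modules:
        name = PureWindowsPath(mod).name.lower()
        outside = not is_in_system_dir(mod)
        wrong_dir = name in KNOWN_SYSTEM_DLLS and outside
        duplicated = len(by_name[name]) > 1 and outside
        if wrong_dir or duplicated:
            flagged.append(mod)
    return flagged

# Constructed sample of what a process module listing might show; not real data.
SAMPLE_MODULES = [
    r"C:\WINDOWS\SYSTEM\spoolss.dll",
    r"C:\WINDOWS\TEMP\spoolss.dll",           # same name, wrong directory
    r"C:\WINDOWS\SYSTEM\ole32.dll",
    r"C:\Program Files\Common\winspool.drv",  # printing name outside system dirs
    r"C:\Program Files\Common\helper.dll",    # unknown name alone is not flagged
]

if __name__ == "__main__":
    for m in find_masquerading_modules(SAMPLE_MODULES):
        print("suspicious:", m)
```

Feed it the module list from whatever process viewer you have at hand; an unknown name on its own is deliberately not flagged, since the heuristic is about borrowed names, not unfamiliar ones.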