[wplug] Windows - Is this happening to you too?

A. McCullough amccullg at hotpop.com
Sat May 29 14:13:32 EDT 2004


Have both Ad-Aware and Spybot running and have HAD them both running. Neither
caught this particular pain in the a$$. Don't have SpywareBlaster yet though -
I'm always leery of installing yet another program to the mix (and frankly, a
lot of so-called adware removers are nothing but adware themselves).

Cheers,
Anna
----- Original Message ----- 
From: "techmike" <mikeslists at access995.com>
To: "General user list" <wplug at wplug.org>
Sent: Saturday, May 29, 2004 11:37 AM
Subject: Re: [wplug] Windows - Is this happening to you too?


> As an ISP helpdesk tech I see hundreds of these a day.  I set up a site to
> refer the users to.  Drastically cut the number of 'spyware' related tech
> calls.
>
> From fixmy (dot) net, download Ad-Aware, Spybot (new version), and
> SpywareBlaster.
>
> What Ad-Aware misses, Spybot will catch and vice versa.  SpywareBlaster
> is a legit program to block around 1300 variants of spyware.  The new
> Spybot can block some stuff too, homepage hijackers, various ActiveX
> controls and has its own lmhosts manager to keep your users from getting
> to pages known to provide spyware.
>
> -mike
>
>
> -----Original Message-----
> From: Bill Moran <wmoran at potentialtech.com>
> To: General user list <wplug at wplug.org>
> Date: Sat, 29 May 2004 10:29:51 -0400
> Subject: Re: [wplug] Windows - Is this happening to you too?
>
> > Robert E. Coutch wrote:
> > > Hi all,
> > >
> > > I'm sooooooo glad I'm running Linux.
> > >
> > > I have been inundated with Windows 98 PCs lately with pretty much the
> > > same problem.
> > >
> > > They all have ads, toolbars and other unsolicited software installed.
> >
> > Yup.  Saw an article somewhere where Earthlink took a survey and found
> > 28 adware programs on each PC on _average_.  Keep in mind, that's _average_,
> > so some must have had many, many more to offset the some that had few or
> > none!
> >
> > > After spending DAYS working on the problem here's what I have found.
> > >
> > > Spybot, Ad-Aware, and virus checkers do not cure the problem.
> > >
> > > Ad-Aware finds most of the problems and removes them but then they reappear
> > > after reboot.  Even after cleaning up the registry and other startup files.
> >
> > The various ad removers can fix some of them, but not all.
> >
> > > The folks who write this crapware to infect Windows PCs are getting better at
> > > their craft.  It's no longer enough to clean out a few registry keys and
> > > remove a few program files off the hard drive.
> >
> > They're not really getting any better:
> > http://www.comedia.com/hot/jargon-4.2.3/html/The-Meaning-of-Hack.html
> > See the last example, it's probably where these copycats got most of their
> > ideas.
> >
> > > It seems they have started using dll files that look like normal system files
> > > to load the unwanted software.  Some of these dll's look like part of the
> > > printing subsystem but are actually downloading and installing toolbars,
> > > search links and so on.
> >
> > I've seen this one.  The only way to tell them apart is that the .dlls are in
> > the wrong directory.
> > I've also seen where they use random filenames, and change the name on every
> > reboot, which means you can't look the problem up on the 'net, because the
> > symptoms aren't consistent.
> > And I've even seen dual processes that restart each other when killed, and
> > rewrite the registry on shutdown.  Very hard to fix.
> >
> > To make it worse, I have yet to see any antivirus product that protects
> > against adware.  I guess the AV folks are afraid that some adware maker will
> > find a way to sue them if they label their adware a "virus".
> >
> > If you ask me, the adware is _just_ as bad as any virus, only worse.
> >
> > > So far I've only seen this on PCs running Windows 98.
> > > I want to know if anyone has seen this sort of nonsense going on with other
> > > versions of Windows.
> >
> > Yes.  On Windows XP Professional.
> >
> > > None of the tools I've found have the ability to fully remove and block this
> > > stuff.  Does anyone have any suggestions that I should try?
> >
> > Nope.  We're looking at a whole new field of expertise if you ask me.  One that
> > I'm qualified to do, but have no desire to do.  And one that's not appreciated
> > either.  I just had a client leave me for another provider because I charged
> > him for two hours to clean one of these things off.  I seriously doubt if
> > anyone else would have been able to do it any faster.
> >
> > > I've been cleaning out the registry by hand one suspicious class id at a time.
> > > This is a very looooong and tricky process.
> >
> > Yup.
> >
> > > The wife is actually considering switching to Linux because while her machine
> > > was down, she used mine.  She's also considering a Mac.
> >
> > Mac is very nice.  If you're looking around, try FreeBSD as well ;)
> >
> > > I don't think my paying clients will even consider going Linux or Mac but I
> > > don't want to recommend they "upgrade" to XP unless I can be sure this is not
> > > happening (yet) with that version of Windows.
> >
> > Doesn't help much.  XP is vulnerable to most of these as well (but not all).
> > Plus, just to reduce the infection rate you have to set up proper security,
> > which means your clients won't be able to install software without logging out
> > and logging back in ... in my experience, most clients won't tolerate this.
> >
> > > Can any of you help me or point me in the right direction?
> >
> > Unfortunately, no.
> >
> > This is a case where people expect you and I to fix this for free.  What you
> > can do to reduce the incidence:
> > 1) Use XP or 2000 Pro
> > 2) Set up properly restricted user accounts.  This is a problem, because most
> >    crappy software will crash or fail to start when run under a properly
> >    restricted user account (welcome to hell, pick one: "I get adware" or
> >    "my important programs won't work")
> > 3) Set up IE and OE to be very paranoid
> > even better ...
> > 4) Remove IE/OE and replace it with Mozilla, which has fewer attack routes
> > 5) In a business environment, put in a packet filtering system that blocks all
> >    internet traffic except what is absolutely required for business.
> > 6) Replace Windows with Linux, BSD, or Mac
> > 7) Educate users to not install every damn thing that a popup asks you to
> >    install!
> >
> > -- 
> > Bill Moran
> > Potential Technologies
> > http://www.potentialtech.com
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
>
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
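Bill's tell for the lookalike DLLs quoted above (a module with a system-file name sitting in the wrong directory) is easy to turn into a mechanical check. The script below is an added example written for this list archive; it is not code from the thread or from Ad-Aware, Spybot or SpywareBlaster. It runs over a constructed module listing of the kind `tasklist /m` or Sysinternals ListDLLs would give you; the trusted directories and the short list of "known" system DLL names are assumptions you would replace with the real contents of the system directories on the box being cleaned.

```python
"""Flag loaded DLLs that borrow a Windows system-file name but live
outside the system directories, plus any DLL name that is loaded from
more than one directory at once.

Added example for the wplug archive; not code from the thread or from
any of the tools it mentions.  Input is a constructed listing.
"""
import ntpath

# Where genuine system DLLs live.  Win9x "SYSTEM" and NT-family "system32"
# are both listed because the thread covers both.  (Assumed layout.)
TRUSTED_DIRS = (
    r"C:\WINDOWS\SYSTEM",
    r"C:\WINDOWS\SYSTEM32",
    r"C:\WINDOWS",
)

# Illustrative set of real Windows module names.  A field version would
# be built from a directory listing of TRUSTED_DIRS on a known-clean box.
KNOWN_SYSTEM_DLLS = {
    "kernel32.dll", "user32.dll", "shell32.dll", "wininet.dll",
    "winspool.drv", "spoolss.dll",   # print-subsystem names the thread mentions
}

def _norm(path):
    # Windows paths are case-insensitive; compare normalised and lower-cased.
    return ntpath.normpath(path).lower()

def in_trusted_dir(path):
    """True if the module's directory is exactly one of TRUSTED_DIRS."""
    d = _norm(ntpath.dirname(path))
    return any(d == _norm(t) for t in TRUSTED_DIRS)

def find_suspicious(modules):
    """modules: iterable of (process_name, module_path).
    Returns a list of (reason, subject, detail) tuples."""
    findings = []
    dirs_by_name = {}          # basename -> set of directories it was loaded from
    for proc, path in modules:
        base = ntpath.basename(path).lower()
        dirs_by_name.setdefault(base, set()).add(_norm(ntpath.dirname(path)))
        if base in KNOWN_SYSTEM_DLLS and not in_trusted_dir(path):
            findings.append(("system DLL name outside system directory", proc, path))
    # A second copy of a system DLL loaded from elsewhere is worth a look even
    # when the name is not in the short list above.
    for base, dirs in sorted(dirs_by_name.items()):
        if len(dirs) > 1:
            findings.append(("same DLL name loaded from %d directories" % len(dirs),
                             base, ";".join(sorted(dirs))))
    return findings

# Constructed sample listing; the TEMP and Common Files entries are the planted
# lookalikes, the rest are ordinary loads.
SAMPLE_MODULES = [
    ("EXPLORER.EXE", r"C:\WINDOWS\SYSTEM32\kernel32.dll"),
    ("EXPLORER.EXE", r"C:\WINDOWS\SYSTEM32\shell32.dll"),
    ("IEXPLORE.EXE", r"C:\WINDOWS\SYSTEM32\wininet.dll"),
    ("IEXPLORE.EXE", r"C:\WINDOWS\TEMP\winspool.drv"),
    ("EXPLORER.EXE", r"C:\Program Files\Common Files\wininet.dll"),
]

if __name__ == "__main__":
    for reason, subject, detail in find_suspicious(SAMPLE_MODULES):
        print("%-45s %-14s %s" % (reason, subject, detail))
```

The path comparison is the whole check: it does not inspect the file itself, so a lookalike dropped into the real system directory under a fresh name (the random-filename trick Bill also describes) will not be caught by it. Treat the "loaded from more than one directory" finding as a lead rather than a verdict, since plenty of legitimate applications ship their own copies of common runtime DLLs.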




