
Defeating Spyware

Viewing posts 1 to 50 of 144 messages posted.

This isn't a backpacking issue, but since we're all using computers to access TT, I thought I'd post this heads-up:

My computer's ability to surf the net has been getting progressively slower. Even to the point where my typing on a TT thread would take a few seconds to appear - I would type a sentence, then wait a few seconds for my cursor to catch up. I've been running Ad-aware for some time and it finds stuff every now and then, especially if I've been surfing the net a lot. But my system has remained slow. I thought maybe it was just my old machine, need more RAM, whatever.

Yesterday, though, I installed Hijack This, Spybot Search & Destroy, and CWS Shredder. Wowie! I ran them all and every one found something. This is particularly interesting as I ran them sequentially (one after a previous one had cleaned my comp to the best of its ability). Now my comp is back to speed, at least I can see what I type on TT, and it doesn't take the page 5 seconds to load (I have broadband).

Here's what I used:

Ad-aware
Spybot Search & Destroy
Hijack This
CWS Shredder
and, of course, regular virus scanning

All of these spyware eliminator programs are excellent. If you've never done a spyware cleaning you'd probably be surprised what's on your machine. It's time to check into it. Moreover, my experience indicates that one might want to run a combination of them to get all of the spyware off your system. Just my opinion.
MileMonster
8:30:12 AM
12/11/03

BTW, I should have called the thread "BATTLING" spyware. I'm not sure there is a way to completely "defeat" it.
MileMonster
8:32:34 AM
12/11/03

Well, you could switch to Linux. There's probably not much spyware out there for it.

Of course, you might not be able to do much with your computer, but that's beside the point, lol...
bitpusher
8:34:28 AM
12/11/03

Gosh, I only use Spybot! Maybe I'll have to download a few more. Thanks.
Tango
8:35:17 AM
12/11/03

What kind of stuff are the spy programs doing?
StoveStomper
8:41:47 AM
12/11/03

Most of them simply log your web activity, and tailor spam or pop-up ads to what they think you will be most interested in. There are malicious spyware programs that log your keystrokes and do things like steal your passwords and credit card numbers. Those are mostly trojan horses though, and most virus programs search for them. But the benign spyware they don't look for, which is why you need a different tool to find them.
bitpusher
8:44:59 AM
12/11/03

I use Spybot S&D along with Pest Patrol. Amazing how much crap can end up on your computer.
skiracer
8:47:33 AM
12/11/03

Veddy interestink. Da dirty bastids!
Geobeet
8:48:15 AM
12/11/03

The funny thing is that, now that it's not a pain in the @$$, I've been posting like mad this AM! It's like I've fallen off the wagon.
MileMonster
9:12:38 AM
12/11/03

Lol, I just ran a spyware program on my mac and it deleted my password for here! Almost didn't remember it.

I have Ad-Aware on my PC and it works nice. There are some other programs on that website for spam and pop ups. Microsoft recommended Ad-Aware. So unlike them it didn't cost anything.
LtHiker
9:13:52 AM
12/11/03

I've had similar problems with spyware. I ran spy hunter every few days and it seems to help, but not completely fix things.

Pop ups suck
Roam Around
12:00:45 PM
12/11/03

Where to get the programs?
My computer is doing exactly what you described. ASAP!
danababy
12:27:32 PM
12/11/03

Try doing a search on any of the names MM mentioned. I downloaded SpyBot and it found about 170 problems the first time through.
dayhiker
12:34:53 PM
12/11/03

Ad-aware
Spybot Search & Destroy.

Are the ones we use and they work great.
Ms Crazy Mike Backpacks
12:42:02 PM
12/11/03

Ok Now I need help
I found the download sites. Saved them to favorites. I tried to do CWS first. When I get the download do I save to disk or open from this location? What program do I open the file with?
danababy
12:44:15 PM
12/11/03

Danababy -

Download the files to your desktop (or My Documents, or where ever you want) and then double click them to install. After that you should have a desktop icon for running the program.

Of the programs I mentioned, I'd suggest running Ad-aware first. If you want to run more, like I needed to, then run Spybot Search & Destroy. After that CWS Shredder if you want and finally Hijack This. The reason I say this is that the first three are fairly idiot proof. They basically run themselves and clean what they know are problem files. Hijack This just gives you a list of stuff and you check what you want removed. It requires that you know more about the files that are on your machine so you don't delete stuff you need.

Find links to all here:

http://www.spywareinfo.com/downloads.php?cat=sp#det
MileMonster
1:24:06 PM
12/11/03

Oh, and as time passes by make sure you use the update functions in these programs to keep their lists of spyware, hijackers, etc. current.
MileMonster
1:26:30 PM
12/11/03

I find that if I update adaware before I run it, spybot doesn't find anything more. Either one used to pick up a few that the other missed, but not lately.
VioLiN
1:48:12 PM
12/11/03

Thank You Very Much.
Once again TT has proved to be a valuable resource. I will let you know what comes of it.
danababy
2:53:52 PM
12/11/03

Here is where I stand now
I have run Ad aware and spybot
I have downloaded CWS shredder and hijack this. I cannot get the files to open or run. The other two saved as applications. These two others saved as zip files to desktop. I cannot get them to open or run. And I am still having problems with lag in my typing and being able to view it.
danababy
6:09:58 PM
12/11/03

Dana, all I had to do is double click the files and then run it. One of them I think was a zip file, I needed winzip to unzip it.

I could do it, but I have a hard time to explain, so I hope someone else will be able to explain this to you.

sorry :(
Gemini
6:20:58 PM
12/11/03

Ad-aware is definitely a well known program, but many things are "ad-aware aware", making it necessary to run other programs to pick up what it misses.

Ran ad-aware and spybot on my home computer last week, and found 300+ items! really should have been watching those things more carefully in the past.

Bitpusher, you said:
"Well, you could switch to Linux. There's probably not much spyware out there for it.

Of course, you might not be able to do much with your computer, but that's beside the point, lol..."

What exactly would you not be able to do? I find I have not lost any functionality between my Windows PC and my Linux PC (well, except for the call tracker at work that is not available for Linux). Many of the programs are different, but the functionality is all there.
marmot
6:22:30 PM
12/11/03

I noticed more and more products available for linux.
Gemini
6:46:16 PM
12/11/03

Looks like somebody was visiting the porn sites. You'll get hijacked every time.
Rockman
6:54:57 PM
12/11/03

The online dating sites will worm into your machine too. A lot of online shopping sites too.
Roam Around
7:01:29 PM
12/11/03

Kewl MM - I just used spybot and adaware on the computer the teenagers in my house use... un farging believable - many hundreds of buggies gone!

And things are running much faster on the net.
pedxing
3:42:58 PM
12/12/03

My father's machine had about 500 items and was running slower than thick, dark syrup produced by refining raw sugar during January.
VioLiN
4:08:00 PM
12/12/03

We refer to that as molasses in the south, violin.
chili36
4:11:08 PM
12/12/03

Isn't that an awful long word for a southerner to say without making it into a contraction?
VioLiN
4:14:08 PM
12/12/03

I ran a few. Now I keep getting backweb errors.
ductape
7:33:50 PM
12/12/03

okay, so I run a couple of those spywares, and I did find some dialers and other crazy stuff...

then I checked my "filemanager" and under "my network places" I found 2 schools with direct access to my computer. At least I think they did have direct access.

I asked my kids...none of them did it. I know they didn't because they knew they would not get in trouble.

one school was a web design/ art school in PA and the other was a middle school in CA.

What do you think? Kids trying to hack this computer? How did they get access?
Gemini
8:18:45 PM
12/12/03

Spyware cleaners can clean up the problem, but you're better off avoiding it in the first place.

Run Zone Alarm Pro or some other firewall with a privacy manager, especially defeating ActiveX, Java and Javascript, along with an ad blocker and none of that crap will get into your machine in the first place.

I use ZAP, with Mobile Code and Ads blocked, and use Netscape as my primary browser, because it's easier to turn off mobile code than it is with IE.

I keep a default install of IE around though, for those few occasions when I need to access a site that requires mobile code or ads to be enabled. That way, when I need to access a site that is blocked, I close Netscape, (after cutting and pasting the URL if necessary), disable privacy protection in the firewall, and open IE, and do not have to reconfigure the browser before and after.
jeffers
8:58:10 PM
12/12/03

Dammit. I cannot get by with ONE single thing
without getting busted by Machinehead. arrgh!
I HAD to surf those porn sites to see how the reviews on my new skin flick were doing. That will be volume number IV of The Book.

I'm givin' you a long look. Every day, every day, every day, every day I write the book.
http://hjem.get2net.dk/petermad2/books/guestan.gif
danababy
10:41:33 PM
12/12/03

Power to the people!
MileMonster
11:23:43 PM
12/12/03

Don't search google for "Britney" and then go to the sites (seriously). I have a {ahem} close personal friend who did that to his work computer and spent the next 2 hours with the tech guy installing and running spyware (which works well).

Hey - she was in Esquire! That's literature!
Coop
11:29:12 PM
12/12/03

What did Elvis Costello do to get dragged into this?
Tilt
11:33:27 PM
12/12/03

bad hair?
stratdewd
11:55:47 PM
12/12/03

My computer is on a router and on a firewall. I don't understand how this network connection could've happened.

what is it? part of spyware or what?
Gemini
8:25:50 AM
12/13/03

bump
Gemini
3:07:59 PM
12/13/03

A dialer is a program instructing your computer to dial either the internet or another number at a time of someone else's choosing. Your computer's security has been breached and you have trojan horse programs inside.

If the guy is any good, your computer is now much safer than it was before he got in, because he doesn't want any other hackers taking away his prize.

There is no way to clean the machine well enough to be sure you have erased all of his presence. He may have compromised both the firewall and your AV software, in such a way that they appear to work perfectly now.

Your best bet is to remove the compromised drive, install a new one, build the OS from the original CDs, bring up the AV and firewall software, patch the OS to current, reinstall your applications, and restore the data from backups.

If you do not have good backups, once the machine is known to be clean, you can re-install the drive as a slave, run an AV scan and every bit of spy check software you can find on it, and then copy data over selectively. You need to be careful copying mail, word documents, mpegs, executable files, anything other than raw text or image files, even after extensive checks. Remove the drive after copying safe files and destroy it.

If you have to reuse it after you have copied the data over, start with "fdisk /mbr" from a dos prompt, then run at least 7 zero fills before using it again. I recommend against using it again, no matter what you do to it.

Odds are the bad guys got in via an unpatched OS or application like IE. Many firewalls prevent outside computers from establishing connections with your computer, but allow applications inside the firewall to establish outgoing connections.

If you visit a malicious website, or are attacked via allowed normal communications, OS or application vulnerabilities are able to bypass the firewall.
jeffers
6:30:22 AM
12/15/03

woah, that's pretty deep stuff. I still don't understand why they even want on this computer?? Nothing on it....it's the family computer, I don't have anything interesting on it. It's actually used for browsing the web, especially hiking sites. My kids visit game sites. my husband visits the army page and a hunting site.

Can he get my credit card info this way?? If so, he wasn't lucky so far. I really don't know what he/she wants.

I did notice that the direct access was from a design school, which makes me wonder if some fellow designer just was out to get my work. BUT again, this is not my business computer.... nothing on this computer that's really great.

Anyway, I know what a dialer is, but I wasn't sure what dialer is belonging to what...

Thanks jeffers, it did help me a lot. A totally new hard drive huh? dang!!! this computer has a brand new drive! :( another one? Oh boy!!
Gemini
6:39:43 AM
12/15/03

I have dialup and thought I didn't need spyware, wrong!

I installed the first couple of spy programs and was shocked at what they found. 315 data mining hits!
What exactly are these?
StoveStomper
9:25:46 AM
12/15/03

I installed AdAware and it came up with 263 hits. The vast majority were ad cookies. Most of the rest were bogus registry entries. I'm glad the bogus registry entries were found and removed, but the cookies, well, that's just part of surfing the web. Almost every time you go to a site, an ad leaves a cookie on your drive. Is there a way to globally disallow that, like an IE setting?
bitpusher
9:29:50 AM
12/15/03

Bit, yes you can disallow cookies. Go into Internet preferences through your control panel. You should be able to find it there. You can also reduce the amount of memory that your computer will allow cookies and temp internet files to use up.
LtHiker
10:06:06 AM
12/15/03

The problem is that non-malicious sites (like this one) use cookies too, so if you completely disallow them, it won't remember things like, who are you, lol...
bitpusher
10:19:49 AM
12/15/03

Found the source of my problem
At least part of it. My website got spammed by some weird Italian dude using Yahoo IT (Italy). I got it cleaned up and reported the first time. Today it happened again. I cleaned it up and reported it again to Yahoo. The first time I followed the identity back to its source. It meant that in order to gather info on the individual I was logging on to porn sites. Well, unknown to me at the time, you never click on one of those sites without coming away tagged so to speak. Today I was sure not to. I have been digging in the registry to see if I can find out what is resetting the homepage. Looks like that came from About.com. I didn't have that many trojans on the machine after all. Perhaps 90 total. Still a lot but not by comparison to what some are finding. I've still got the lag between what I type and what I see. Maybe someday I'll either find the problem or KILL the computer by deleting the wrong thing from the registry. At this point, I'm not caring too much one way or the other.
danababy
1:08:13 PM
12/15/03

Yay!! Problem solved
Got it! I think I've finally rooted out all the bugs. I got to reading back over the post of what Mile Monster ran as a fix. I used a different version of spyware removal the first go round. After using Spybot search and destroy (the correct one this time) it is fixed. Now..... I gotta go out and get the firewall Jeffers told me to get. LIKE A GOOD GIRL. :-)
And get that going. Goodness knows I don't need any spankings or anymore trouble like this. phew!
danababy
2:25:00 PM
12/15/03

Gemini, they want your computer for a variety of reasons. One, it is always connected to the net if you are using a cable modem. Two, it probably has your personal information on it, including credit card numbers. Most hackers do not want your credit card number to steal your money, they need it for the legitimacy it gives to their alternate online identities. Many hackers use the number to open additional AOL accounts, which they then use to secure more credit card numbers, building up an army of online identities from which to operate anonymously. Three, they want your computer as a place to store and possibly test malicious code. Four, they want your computer as a place from which to launch malicious code anonymously. Five, they want as many other computers as possible under their control so as to enable them to conduct distributed denial of service attacks, either on legitimate organizations, other hackers, or held in reserve. Six, most hackers admit some degree of voyeurism. Just being in your machine, watching you when you don't know they are there gives them a rush, even if you are shopping for plumbing valves or reading CNN.

I seriously doubt these were true professionals. Leaving not one, but two connections visible in your dial up networking folder is hardly the mark of an elite, more like a script kiddie. Pros cover their tracks, to the extent of underutilizing your machine so as not to alert you to their presence and securing your machine against other hackers.

The attacks are automated. The would-be hacker starts a script, say, "probe every IP address from 107.0.0.1 through 107.255.255.255, testing response from TCP ports 135, 136, 137, 138, and 139" and then goes off to school or work.

When he returns to that machine, not his, somebody else's, just like yours, he retrieves a text or encrypted report outlining all the vulnerabilities his port scan produced, and most likely initiates yet another script to exploit the various security holes he has discovered. You are not even on his radar. You are simply a machine under his control, a CC number to gain additional access elsewhere, a member of his standing army, and one of hundreds of otherwise meaningless statistics he brags to his friends about.

A firewall renders you invisible to his probes if set properly, and a patched OS and applications deny him the ability to use your connections with normal appearing websites to get his foot in the door. Understand that a properly set firewall will not allow any use of IRC chat, and only the barest minimum functionality in chat programs such as Instant Messenger or ICQ.

When you rebuild the box, make sure you let everyone who has access to it know that proper names, addresses, phone numbers, ISP e-mail addresses, and other personal information is forbidden during any application installation, including Windows itself, and that the same information should only be given to blue chip websites for a specific and limited purpose.

This computer has no idea who I am, other than the few times I have shopped online, and running Spybot S & D erases all of those transactions immediately after they take place and either are printed out or an edited version of the receipt is written to a file.

It all sounds complicated, but it isn't. Build the OS, add AV and FW software, patch the OS, add the applications, patch the applications, keep the OS, applications, AV and FW patched current, say once every two weeks or so, only type personal info in for considered reasons and clean house afterward. It's like home security. If the bad guys wanted to work, they wouldn't be stealing. Make them work and they'll go elsewhere. Better yet, "disappear" through the use of a firewall, and make them work only if they somehow get lucky and discover you exist. That keeps out all but the most capable pros, and those few of them who might want your box will treat it nicer than you do.

Be aware that the port scans I described above take place against your machine hundreds of times a day, whether you have a firewall or not, and simply seeing them happen after installing a firewall is no cause for alarm. The only reason to worry after you do what I outlined above is when you see a very slow box, even after a reboot, unexpected code or connections to your machine, activity across the hard drives, internet or home network when there shouldn't be any, alerts from your AV software, unexpected files or programs running in your task manager, in short signs of an actual penetration. Don't sweat attacks, they happen all the time you are online. Worry only about signs of actual penetration.

Dana, get busy girl. That firewall isn't going to install itself. Just make sure and leave UDP port 67,535 open so the webcam I programmed into that little green light on your monitor still works so I can keep an eye on you.
jeffers
8:37:36 PM
12/15/03
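Jeffers' distinction between routine blocked port sweeps and actual signs of penetration can be turned into a small log triage script. This is an added example, not code from the thread or from any firewall product; the log line syntax, the home address prefix 107.0.0.x (the range jeffers' scan example uses), the sweep threshold and the sample entries are all constructed assumptions.

```python
"""Triage firewall log lines: blocked sweeps of TCP 135-139 are routine,
an ACCEPTED inbound connection on one of those ports is worth investigating."""
import re
from collections import defaultdict

SWEEP_PORTS = {135, 136, 137, 138, 139}   # the ports named in jeffers' post
HOME_PREFIX = "107.0.0."                   # constructed: "our side" of the firewall
SWEEP_THRESHOLD = 3                        # assumption: distinct targets before calling it a sweep

# Constructed log line syntax (an assumption, not any real firewall's format):
#   <time> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>BLOCK|ALLOW)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one automated sweep (blocked), normal outbound browsing,
# a lone probe, a garbage line, and one accepted inbound hit on port 139.
SAMPLE_LOG = """\
12:01:03 BLOCK TCP 203.0.113.7:4021 -> 107.0.0.1:135
12:01:03 BLOCK TCP 203.0.113.7:4022 -> 107.0.0.1:139
12:01:04 BLOCK TCP 203.0.113.7:4023 -> 107.0.0.2:135
12:01:04 BLOCK TCP 203.0.113.7:4024 -> 107.0.0.2:139
12:01:05 BLOCK TCP 203.0.113.7:4025 -> 107.0.0.3:135
12:01:05 BLOCK TCP 203.0.113.7:4026 -> 107.0.0.3:139
12:02:10 ALLOW TCP 107.0.0.2:1187 -> 198.51.100.20:80
12:03:41 BLOCK TCP 192.0.2.55:60001 -> 107.0.0.2:137
this line is garbage and must not crash the parser
12:05:17 ALLOW TCP 198.51.100.9:3390 -> 107.0.0.2:139
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_inbound(rec):
    """Inbound means an outside source talking to one of our home addresses."""
    return rec["dst"].startswith(HOME_PREFIX) and not rec["src"].startswith(HOME_PREFIX)


def classify(log_text):
    """Group blocked probes on 135-139 per source and collect any accepted inbound hits."""
    targets = defaultdict(set)   # src -> {(dst, dport)} seen in blocked probes
    accepted = []                # (src, dst, dport) for ALLOWed inbound connections
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        if not is_inbound(rec) or rec["dport"] not in SWEEP_PORTS:
            continue
        if rec["action"] == "BLOCK":
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
        else:
            accepted.append((rec["src"], rec["dst"], rec["dport"]))
    sweeps = {src: len(t) for src, t in targets.items() if len(t) >= SWEEP_THRESHOLD}
    return {"sweeps": sweeps, "accepted_inbound": accepted, "unparsed": unparsed}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for src, n in result["sweeps"].items():
        print(f"routine: {src} swept {n} host/port targets, all blocked, no alarm")
    for src, dst, port in result["accepted_inbound"]:
        print(f"INVESTIGATE: inbound {src} -> {dst}:{port} was allowed through")
```

The single blocked probe from 192.0.2.55 falls below the threshold and is ignored, which matches the post's advice that isolated attacks are background noise.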

WOW! I've noticed all the dang ad programs. My homepage keeps getting reset to "zestyfind" . Then I run the Search and Destroy program and I'm fixed for a few days. But every few days, it happens again.

I don't visit porn sites. I don't visit game sites. I do tax research at a reputable place and use this site, a few others, CNN and such. I do a little shopping but nothing major.

Guess I need the firewall stuff.
Roam Around
8:47:02 PM
12/15/03

Ok port # wha-wha-wha-what???
puts hand over the green light.

I'm going to look back thru there one-a these times and see if I'm able to check on YOU. Never know what I might see!

You're too good to take time to explain how all that hacker mumbo jumbo works.
danababy
9:55:58 PM
12/15/03
