Getting and keeping spyware off your computer
Posted on 01/18/2003 8:49:27 AM PST by Sir Gawain
Just thought I'd give this little PSA since I'm such a nice guy.
Many of you are already familiar with Lavasoft's AdAware, but you may not be familiar with SpyBot Search & Destroy, which is actually more powerful and more up-to-date. Lavasoft hasn't updated their definition file since September because they're working on a new release, so it won't clean newer spyware creations like CommonName. I would keep AdAware however. It's still very useful.
SpyBot also has a lot of other cool functionality built into it, like a clean on startup in case you are unable to remove the spyware's .exe or .dll because they have processes running. Yes I realize you can just unregister the .dll then reboot and delete it, but not everyone knows how to do that.
Here are a few other cool (and free) tools to help keep the stuff off your PC:
(From website) "SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
How? By setting a "kill bit" for the CLSIDs of spyware ActiveX controls, it prevents the installation of any of them from a webpage. You can run Internet Explorer with Active-X enabled, but you will never even get a "Yes/No" box popped up, asking you to install a spyware Active-X control (Internet Explorer will never download or run it!). All other Active-X controls or plug-ins will work fine.
The SpywareBlaster database contains information on these known spyware Active-X controls. Make sure you run the Check For Updates feature frequently to get the latest database! (And make sure you check the new items to protect your system against them!)
As a side benefit, setting this "kill bit" will also prevent the spyware Active-X from running, in many cases, if it is already installed on your system.*"
(From website) "SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.
Features Listing:
Fast scanning engine
Scans exe and cab files - the two most popular file types for distributing spyware
Signature-based scanning - for known spyware (list)
Heuristic/generic detection capabilities - some spyware programs can be detected even if the code undergoes significant changes
Small size - with a small size and small definition sizes, download and updates are quick
SG Control Panel - provides easy access to help and integration options
SG LiveUpdate - provides an easy updating solution
Spyware files are blocked before being opened or run - they are not simply shut down after they are loaded in memory (and after they have performed their tasks)
The full path to the spyware executable is provided on the alert screen
Once a spyware file is detected and blocked from running, the options are provided to either continue or to delete the spyware file
It's a free download
Most of this info and much more can be found at http://www.spywareinfo.com/
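As an added illustration (not part of the original post or of SpywareBlaster itself), this PowerShell snippet reads and sets the Internet Explorer "kill bit" that the quoted description relies on. It assumes the standard ActiveX Compatibility registry key, an elevated session, and a constructed placeholder CLSID rather than any real control.

```powershell
# Added example: audit and set the IE ActiveX "kill bit" for one CLSID.
# The kill bit is bit 0x400 (COMPAT_EVIL_DONT_LOAD) in the DWORD value
# "Compatibility Flags" under the control's ActiveX Compatibility key.
# On 64-bit Windows, 32-bit IE reads the same path under SOFTWARE\Wow6432Node.
# Writing under HKLM requires an administrator PowerShell session.

$KillBitFlag = 0x400

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise the caller's input to the {GUID} form used for the key name
    $guid = [guid]$Clsid
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$guid}"
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any other compatibility flags already present; only OR in the kill bit
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBitFlag) -Type DWord
}

# Constructed placeholder CLSID for demonstration; substitute a real one from a
# vendor advisory or SpywareBlaster's database when auditing a machine.
$demoClsid = '{12345678-1234-1234-1234-123456789abc}'

Set-ActiveXKillBit -Clsid $demoClsid
Test-ActiveXKillBit -Clsid $demoClsid
```

Test-ActiveXKillBit can be run on its own across a list of CLSIDs to verify that a tool such as SpywareBlaster actually wrote the bits it reports as protected.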
Plain English tutorial?
More info can probably be found here: www.windowsbbs.com
"Read this on another site--thought it might be of interest to some folks.
XP Phone Home
I've mentioned my recent play with ZoneAlarm Pro, and while I don't use it heavily, I have left it to start automatically on one workstation where I do a lot of software testing. It's a fairly clean installation of Windows XP Pro, Office XP and a few other commonly used tools. Part of my routine with XP is to put a halt to the various automated procedures that it attempts to shove down my throat. This would include Automatic Updates most notably, but I also make sure to disable Windows Messenger, IE automatic updates and Error Reporting. Nothing should be contacting Microsoft without my knowledge as things are configured.
Imagine my horror when ZoneAlarm informs me that rundll32.exe wishes to contact 184.108.40.206:HTTP. I realize that spyware and viruses have posed as the legitimate rundll32.exe, but there are two things to consider. First of all, 220.127.116.11 is Microsoft's Windows Update site. Second, the version and date are identical to those of the rundll32.exe file on a different Windows XP Pro installation.
Nothing is launching from any of the startup registry entries or Startup Program Group using rundll32.exe explicitly, and there certainly isn't anything specific to Microsoft that is launching in those areas.
A service perhaps? Well, the process associated with rundll32.exe is executing under the context of my username, versus SYSTEM, which most services utilize unless configured to use different credentials. Speaking of services, both the Cryptographic Services and (gasp) Automatic Updates have been started by the operating system behind my back!
I have denied the access for now, but I have not forgotten. Next, I dig out a hub so I can sniff the packets as they wander by for clues regarding the suspicious activity. Not that I'm going to let it contact Microsoft, mind you. I also plan to fire up a full-blown hardware router to further isolate the machine from Microsoft, add a static route for the offending IP address, pointing it at a Windows 2000 server running IIS so there will at least be a session establishment attempt instead of the request being immediately stomped by the router and/or ZoneAlarm.
My suspicions at this point are not that Microsoft is being deceptive, collecting my hat size or preference in pain relievers for subversive use, but this lends weight to my very sincere belief that Microsoft is overstepping the bounds of reasonable respect to paying customers. Whatever XP is trying to do is likely trivial, but how it's being done is far from it. I'm plenty steamed, believe me."