All the standard IP laws are applied to this, but it's 'reprinted' here with my permission (duh).

Good comments are welcome.

:::Start of report:::
So.. how many of you out there have spent hours working on spyware-related problems? How many have lost internet surfing ability because of them? I don't suspect many have here, but I can personally guarantee that I've been stuck on the phone with thousands that have. I've helped thousands of people with this.. and now, I'll teach some of my 'secrets' to you good folks, to toss into your bag-o-computer-tricks.
The infection » Why?!
The first question to ask usually, is why.
'Why would anyone want to put buggy or defective software on my computer? I've not got anything useful to anyone!'
Quite the contrary really.. in fact, you have everything they want. I'll explain:
Spyware was meant to infect computers any way possible, regardless of the negative side effects that come with it, including broken layered service providers, and damaged Winsock files that are CRITICAL to getting an internet connection. The reason why, is it's all for money. Here's how it works:
1. Spyware gets in, and begins monitoring your internet cache², and cookies³
2. The spyware can harvest information from cookies and cache. The sorts of things that can be collected are names, addresses, email addresses, phone numbers, usernames, passwords, and in the right circumstances, even credit card information.
3. After collection, the spyware 'phones home' to the maker of the software saying something along the lines of "Here's what I've learned about this person..."
4. The person receiving all this info then in turn collects it, and compiles it. They can then go to advertising companies and say something like "I have 10,000 names and their addresses. You can have them if you pay me $0.10 per name and address. And 10,000 names and phone numbers that I can let go for $0.05 per name & number. I've got 15,000 valid email addresses for $0.02 per address; Additionally, for another $0.03 per advertisement, I can send this advertisement via a popup ad to 100,000+ people's computers... saving your company thousands in advertisement costs."
As you can see.. that's a lot of money. $500 for that CD full of addresses, $300 for that phone number addresses, $450 for emails and easily over $3,000 (likely to be much more as they can send the ad to -all- of the people infected... whether their info was being successfully harvested or not.)
The end result? Not a bad deal... if you're the guy making the software. If you aren't, you get popup ads for crap you would never have any interest in, you get junk mail crammed into your mailbox, bucket loads of email spam, and you get more of those #%*&ing telemarketer calls, and when you try to remove that software, it breaks your internet connection!




And here's the worst part... most of these instances, are legal. At some point or another, you or someone using your computer has unwittingly agreed to a terms of service agreement that states something along the lines of this:
We may transmit our Subscribers' search queries to search partners, who use this information to provide us with search results and other information, which we then display to our Subscribers.
We may share information we collect with our Third Party Advertising Partners. If we do so, we will require by contract that they treat this information in accordance with our privacy promises.
We use data regarding Subscribers' online behavior to better understand how consumers use the Web. To that end, we may use aggregated, online traffic behavior to report emerging Web usage trends to the press or to the public. For example, we might issue a press release stating that Subscribers tend to visit certain websites more often than others. We may also use this information to develop reports for our corporate clients so that they can better understand trends in online consumer behavior and how those trends relate to their businesses.
Other Limited Circumstances. We may also share information with third parties who help us perform a business function (their use of such information is limited by our internal policies and/or confidentiality agreements, as applicable); to protect our rights, or if under a legal obligation.
"I don't remember EVER seeing anything like that on the 'agree' screen when installing free software"
And you probably never will. Some retard in a high-ranking office made a law that states something along the lines of 'If the company puts a LINK to the terms of service, it is the equivalent of actually having the terms of service right in front of the user.'
So.. all they have to do is provide a link, even if it looks like just normal text with no apparent or obvious way to tell it's a link.
Combat » Choosing the right weapons and tools
Now that we've covered the 'why', we move on to how to fight it. First thing when fighting this stuff is to know your enemy. These programs are coming from roughly the same 200 companies all the time. Give or take a few. They just keep coming up with new innovations to infect their victims. Additionally, these people are typically in places like France, Sweden, Korea, China and other places where America and the UK have no authority. Additionally, there's the fact that someone agreed to the terms given with some free game or that flashy new animated screensaver.
So much for the legal system. Let's take a look at a few options:
Antivirus Software & Firewalls
I cannot count the number of times I've been told by a n00b that they have Norton/McAfee/Panda antivirus to keep that junk off. Let's break this down just a little bit: Antivirus is not total protection for your computer, though the makers of the software would all like you to think it is. All an antivirus does, is watch for commonly known virus activity. All viruses try to procreate and spread. Spyware doesn't breed to spread and infect... it just infects. As far as the antivirus or firewall is concerned, it's no different than a program you would run on your computer, such as MS Paint.
((this is not true for all firewalls... Tiny Firewall is an exception to this; but it's a bit too advanced to suggest to n00bies.))

Popup Blocker
"So why don't we just block their popup ads?"
Because, that's a farce. You're still being victimized by the malware, as it can still harvest information and you can still get hit with spam emails, telemarketers and junk mail.
Hosts File
You can use a HOSTS file to block ads, banners, cookies, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems. Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by that DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements. For full instructions and details about it, please visit http://www.mvps.org/winhelp2002/hosts.htm
Pros: This is a simple, and quick fix with no download or software needed.
Cons: This does not solve the problem. It still doesn't clean off the software that has been installed, and doesn't stop things from popping up, even though the popup pages will be blank, or 'page cannot be displayed.'
So, as you can tell... the really only good option would be to clean the garbage up so it's no longer a problem.
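To see which names a HOSTS file actually covers, the following added example (not part of the original report) parses one and checks hostnames against it. Matching is per exact hostname, so a name without its own entry is not covered. The sample file, the `example.test` names and the function names are constructed for illustration; only the `ad.doubleclick.net` entry comes from the text above.

```python
import ipaddress

# Constructed sample HOSTS file; only the ad.doubleclick.net line is from the report.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   ad.doubleclick.net      # entry quoted in the report
0.0.0.0     ads.example.test tracker.example.test
192.0.2.10  redirect.example.test   # points at a real address, not a sinkhole
not-an-ip   broken.example.test
"""

def parse_hosts(text):
    """Return {hostname: address} for every well-formed line of a HOSTS file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                             # skip lines with a malformed address
        for name in names:                       # one address may carry several names
            # keep the first entry seen for a name (assumption about resolver order)
            table.setdefault(name.lower(), addr)
    return table

def is_blocked(table, hostname):
    """True only if this exact name maps to a loopback or null address."""
    addr = table.get(hostname.lower())
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def uncovered(table, hostnames):
    """Names from a list (e.g. ad servers seen in a log) that the file does not block."""
    return [h for h in hostnames if not is_blocked(table, h)]

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ["ad.doubleclick.net", "doubleclick.net",
                 "www.ads.example.test", "redirect.example.test"]:
        print(f"{name:28} blocked={is_blocked(table, name)}")
```

An entry that maps a name to anything other than a loopback or null address, like the constructed `redirect.example.test` line, redirects traffic instead of blocking it and is worth reviewing when auditing the file.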
Spyware Removal Tools
"Wolf in sheep's clothing." This statement could not be any more true than when it comes to spyware removal tools. Nowadays there's a ton of them coming out with their own 'free' version of spyware removal tools (McAfee, Norton, Earthlink, AOL, Yahoo, Webroot, etc.)
These cheap, sloppy, wasteful and destructive programs are as much, or even more of a mistake to use than just leaving the spyware alone! There are more that you can pay for, but they are just as bad, if not worse. So, save your money.
Lavasoft's AdAware personal is their free version, they have another pay-for version that is supposedly better, but to pay for spyware removal is like paying to breathe free air.
Another program called Spybot Search & Destroy is a good little tool. They ask for a donation, but don't demand payment like Lavasoft does, and the program is actually worth supporting with a donation, no matter how small the donation is.
These two programs are okay to clean the system up, but the problem is they don't offer a long-term solution. You have to scan the computer to check for spyware, they don't scan it for you... they don't get updated automatically, and they don't detect the latest threats very well, and they both have problems when repairing hijacked browsers. Between these two programs you could get rid of the majority of the problems, but they have their weak points.
Microsoft has also just released an antispyware tool... and this time someone did their research. This program is still in its Beta stage testing. It's not perfect, but it's more efficient and effective at removing spyware than both adaware and spybot. It can be downloaded free here.
Today, I'll be using my nice involuntary volunteer, ForestRain. She had amassed some spyware awhile back, but I never got around to fixing it all the way until just today. I'll be using Microsoft's antispyware software for these lab tests.
Step 1: Prepare for the worst. Remember, removing spyware can break your Winsock and Layered Service Providers which are needed to get online. So, to start, I download a tool for fixing LSPs. The tool I picked up was located at http://www.cexx.org/lspfix.htm -- For your convenience, I have linked the file HERE from crystalrecipes.com.
Here is the description of the program, quoted from cexx.org:
LSP-Fix
Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access
LSP-Fix is a free utility to repair a specific type of problem associated with certain Internet software. This type of software is known as a Layered Service Provider or LSP, a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet.
Unfortunately, this type of software is sometimes quietly installed by unrelated software such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Common offenders include New.net* (NEWDOTNET) and WebHancer*, which are often bundled with file-sharing utilities, DVD player software, and other free downloads. LSP-Fix repairs the Winsock LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.
LSP-Fix is not a malware removal utility and does not target specific products. LSP-Fix does not delete any files.
I downloaded and installed the software from Microsoft, then ran the scan.
For configuration I ran the following settings:
Automatic Updater = Enabled
Real-time Security Agent = Enabled
Join SpyNet Community = Yes
Auto-scan computer daily at 2 AM = Enabled
I began the scan, and right off checked the CPU usage. It remained at less than 10% for the majority of the scan. Though the memory usage was a little high at just under 24 megabytes, it scanned the computer noticeably quicker than Adaware and Spybot ever could!
The end result: 22 detected problems that Spybot and AdAware missed.
I had it remove the problem files, then rescanned the system. On the second scan, it showed a file that I recalled being in the first one. Here's a screenshot:

Ok.. I know how to deal with files that won't disappear.. but I'll give Microsoft's tool the benefit of the doubt. I let it try to remove the problem again.
Run the scan after removal, and there it is again..
I looked at the detailed results, and found that actually, the spyware removal tool did remove the first file that was named vx.nls... but now there is a new one: C:\windows\system32\vx1.nls
Occasionally, you'll find viruses like this too, where no matter how much you delete it, somehow it puts the file back on. Now, I could go into explaining how to find and remove what is causing the files to be re-created, but it's so complex, that it's easier for me just to show you how to fix the file.

One of the most powerful tools you can ever use in windows, is a tiny little program called notepad.exe. So, I open up notepad, go to File > Open, then in the filename section I type out the entire location of the file (C:\windows\system32\vx1.nls) and click open.
I examine the file to see if I can find details to its origins.. and sure enough, I see "Bullseye Network" in the list, as well as its file install location (C:\Program Files\Bullseye network) and the website locations where the ads come from. Take a look:
Interesting, isn't it? Well.. now that we know where it's from and what it's doing, we fix the problem. First, I select all the code in the file by holding the 'Ctrl' button, and pressing 'A'. Now all the text is selected. Next, I press the 'Delete' key on my keyboard.. *POOF* .. there goes all that precious code that was needed for the spyware to get installed. To finish up, I go to File > Save. Now the file is saved as a totally blank document.
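The Notepad procedure above, scripted so that the original bytes are hashed and kept before the file is blanked (an added example, not part of the original report). The quarantine folder, the function names and the sample bytes are assumptions made for illustration; the sample reuses only the "Bullseye Network" strings mentioned in the text.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the file contents; the URL is a placeholder.
SAMPLE = (b"\x00\x01Bullseye Network\x00C:\\Program Files\\Bullseye network"
          b"\x00\x02http://ads.example.test/popup\x00")

def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes: the readable text Notepad would show."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def neutralize(path, quarantine_dir):
    """Keep a hashed copy of the file, then truncate the original to 0 bytes."""
    path, quarantine_dir = Path(path), Path(quarantine_dir)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    # The copy is named by hash and given an inert extension.
    copy = quarantine_dir / f"{digest}_{path.name}.quarantine"
    copy.write_bytes(data)
    if copy.read_bytes() != data:            # verify the copy before destroying anything
        raise IOError("quarantine copy does not match original")
    path.write_bytes(b"")                    # same end state as Ctrl+A, Delete, Save
    return {"sha256": digest, "copy": copy, "size": len(data),
            "strings": printable_strings(data)}

if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())          # scratch folder, not system32
    try:
        target = work / "vx1.nls"
        target.write_bytes(SAMPLE)
        report = neutralize(target, work / "quarantine")
        print("sha256 :", report["sha256"])
        print("strings:", report["strings"])
        print("size now:", target.stat().st_size)
    finally:
        shutil.rmtree(work)
```

The hash and the preserved copy make it possible to tell later whether a file that reappears under a new name is the same one that was removed.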


Run the scan again, and here's the final results:
Score:
QuakeDragon 1
Spyware 0

The final Verdict » Labmunkie Wins!
For once, Microsoft has released something that would be almost universally useful to all windows users. I decree this file as a good, recommended download. The downside is that the program will not work after July 31st 2005. By that time, I'm sure the final version of this program will have been released.
« Footnotes »
² - Internet Cache -
When you get online, any website you view or picture you open is actually physically downloaded to your computer, into a special folder that's called the internet cache. It is saved there for a period of time, and depending on the file, can even be there forever, until you go and erase it. To clean cache for IE use the following steps:
{Windows XP Home/Pro} go to start > Control Panel > Classic view > Internet Options, then click the Delete files button, then check the 'delete all offline content' box.
{Windows 95/98/ME/2000} go to start > Settings > Control Panel > Internet Options, then click the Delete files button, then check the 'delete all offline content' box.
This should be done about once a week for clean optimized surfing.
³ - Cookies -
A 'cookie' is a file that's created on your computer whenever you log into a website. Any website, even these forums, creates a cookie file on your computer. It's just a natural part of being online, and it cannot be avoided. To clean cookies in IE, do the following:
{Windows XP Home/Pro} go to start > Control Panel > Classic view > Internet Options, Delete Cookies.
{Windows 95/98/ME/2000} go to start > Settings > Control Panel > Internet Options, Delete Cookies.
This should be done about once a week for clean optimized surfing.