
How to prevent spyware from hi-jacking your PC

10th Dec 2005

Recent Any Answers postings suggest that AccountingWEB members are being pestered and disrupted by spyware and related internet irritations. This Expert Guide presents a summary of useful counter-measures suggested by community members.

In August, 'Knuckles' complained he was being harassed by an unwanted browser toolbar, while in November Jane Cable had trouble installing BT Broadband on a laptop running Windows XP (Service Pack 2), because the BT installer insisted there was spyware on her machine. The suggested treatments are documented below.

In its introduction to the topic, Spyware, Adware - Be aware!, RAN ONE describes several sub-species within the overall category of spyware. One of the most common sources of the affliction is peer-to-peer software such as KaZaA, used to swap music and movie tracks.

'Spyware' is a broad category of commercially driven software that is usually bundled with other programs and downloaded innocently. A good way to attract a piece of spyware is to download the software for peer-to-peer services like KaZaA, eMule, WinMX and Morpheus that are used to swap free music tracks between PCs on the Net.

Another variant is adware, which displays pop-up messages on your screen, or in more sophisticated examples can even throw up a pop-up if you visit a competitor's website. And "drive-by downloading" occurs when spyware loads itself on to your machine when you visit a particular website.

Spyware and adware are typically low impact infections. But they can be irritating in the extreme, and as RAN ONE warns, more malicious variants can act as a backdoor on your computer to capture keystrokes and other information that might give the attacker access to bank accounts and other secure information.

Anti-Spyware applications
Most spyware varieties can be prevented by firewall programs and a range of antidotes suggested by AccountingWEB members:

  • Lavasoft's Ad-Aware was the most popular suggestion, and a free version is available from the company's website.
  • Spybot was another common suggestion.
  • Aladin Systems' Internet Cleanup
  • Pestpatrol
  • MRU Blaster
  • Panda ActiveScan
  • Housecall from Trend Micro
  • CWSShredder from the Castlecops website, which targets spyware from the insidious CoolWebSearch site.
  • Prevx
  • Norton Internet Security was suggested for corporate users; and
  • HijackThis was also recommended, but not for novice users.

    The different tools use different methods of identifying and removing offending files, registry values and the like. Using a combination is recommended for more complete protection. And regardless of what software you use, keep the reference files up to date or the anti-spyware will be effectively useless.

    Sometimes the preventive software can cause more worry than is necessary. Many websites, including AccountingWEB, store information about you in tracking cookies and often these cookies will be identified as a possible problem by programs such as Ad-Aware.

    Spyware masquerading as anti-spyware
    In a November posting, David Thorne commented that popular programs such as Spybot and Ad-aware clean up the mess, but he also put in a word for tools that prevent infections in the first place, including:

  • SpywareBlaster; and
  • SpywareGuard.

    Just to fuel your paranoia, Thorne added that there are many so-called anti-spyware programs which either do not work or contain spyware of their own. He suggested a visit to Spywarewarrior.com to check whether you're being offered a bogus program. Nigel Harris also found Spychecker.com, which provides a database to check downloads before you install them, and provides links to anti-spyware resources.

    Rogue homepage attacks
    Knuckles wanted to keep AccountingWEB as his homepage, but some spyware had other intentions. Many of the anti-spyware tools above were mentioned in reply. But there are other countermeasures you can take.

    Using a browser other than Internet Explorer and an operating system other than Windows makes you much less vulnerable, as spyware, like viruses and other malware, targets Microsoft software over anything else. However, that does not mean that Mozilla, Netscape and other non-Microsoft browsers are 100% secure.

    I Robinson experienced the same problem and grew frustrated that whenever he tried to reset the browser's default homepage, the spyware greyed out the relevant Internet Options in Microsoft Internet Explorer. If this happens to you, select the Programs tab at the top of the Internet Options dialogue box and click the Reset Web Settings button. This will overwrite the site imposed by the spy program.
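    The greyed-out Internet Options that I Robinson describes are usually a policy value set in the registry, and the home page itself is another registry value. The following PowerShell script is an added example, not from the AccountingWEB article or any tool it mentions: it audits both values for the current user and, with -Remediate, restores them. The AccountingWEB URL is only a placeholder for whatever home page you expect; the registry paths are the standard Internet Explorer locations for a user and for machine-wide policy (reading the HKLM policy key is fine as a normal user; removing a value there needs an elevated prompt).

```powershell
# Added example, not from the AccountingWEB article: audit the Internet Explorer
# home page and the policy value that greys out the "Home page" controls in
# Internet Options, optionally restoring both.
# Assumptions: $ExpectedHomePage is whatever the user actually wants (the
# AccountingWEB URL is a placeholder); the registry paths are the standard IE ones.
param(
    [string]$ExpectedHomePage = 'https://www.accountingweb.co.uk/',
    [switch]$Remediate
)

$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
# Either hive can carry the "Disable changing home page settings" policy.
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
)

function Get-HomePageStatus {
    $main = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
    $locked = @()
    foreach ($key in $policyKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A non-zero HomePage value disables the Home page fields in Internet Options.
        if ($p -and $p.PSObject.Properties['HomePage'] -and $p.HomePage -ne 0) { $locked += $key }
    }
    [pscustomobject]@{
        StartPage   = $main.'Start Page'        # page IE opens on start
        DefaultPage = $main.'Default_Page_URL'  # page "Reset Web Settings" reverts to
        Locked      = $locked                   # policy keys carrying the lock
    }
}

$status = Get-HomePageStatus
if ($status.StartPage -ne $ExpectedHomePage) {
    Write-Warning "Start page is '$($status.StartPage)', expected '$ExpectedHomePage'"
}
if ($status.DefaultPage -and $status.DefaultPage -ne $ExpectedHomePage) {
    Write-Warning "Reset Web Settings would restore '$($status.DefaultPage)', not the expected page"
}
foreach ($key in $status.Locked) {
    Write-Warning "Home page controls are locked by the HomePage policy under $key"
}
if (-not $status.Locked -and $status.StartPage -eq $ExpectedHomePage) {
    Write-Output "Home page OK: $($status.StartPage)"
}

if ($Remediate) {
    foreach ($key in $status.Locked) {
        Remove-ItemProperty -Path $key -Name 'HomePage'   # HKLM needs an elevated prompt
        Write-Output "Removed HomePage lock under $key"
    }
    Set-ItemProperty -Path $mainKey -Name 'Start Page' -Value $ExpectedHomePage
    Write-Output "Start page set to $ExpectedHomePage"
}
```

    Run it without -Remediate first: on a managed office PC a lock under the HKLM policy key is usually your IT department's doing rather than spyware, and the Default_Page_URL warning tells you in advance whether the Reset Web Settings button would itself hand you a page you did not choose. If the lock comes back after a reboot, something is re-setting it and the scanners in this guide are the next step.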

    Rogue diallers
    In October, Andy Shady reported his ongoing problems with BT, after he was stung by a £300 bill for accessing premium rate phone lines he knew nothing about. This was a result of an internet dialler scam.

    Rather than taking your credit card details, some websites (usually containing dubious content) will get you to hang up your normal internet connection and redial on a premium rate. Less scrupulous operators will lure you to websites that download auto-dialler programs, or will send out autodialler viruses via email. Strange dialogue boxes that pop up and ask if you wish to continue accessing a particular site may alert you to the problem, but use of any current, reputable anti-virus application should keep them at bay.

    Regulators and telecoms operators are beginning to crack down on dialling scammers, but that was too late for Shady, who is still trying to reclaim his money. Chris Davis was advised by BT that if he used a dedicated line for (non-broadband) access, the line could be barred from accepting premium rate numbers. IT Consultant Marc Wilson recommended taking advantage of this facility for any business line used for accessing the internet.

    Broadband problems
    Spybot on its own was not enough to enable Jane Cable to convince the BT Broadband installer that her Windows XP (Service Pack 2) laptop was clean. "I have run the most up to date version of Spybot and it had cleared everything that was there - yet the problem persists," she noted.

    Mark Snowdon replied that there are some well documented problems between BT (and other) broadband suppliers and Windows XP SP2, which enforces a lot of security controls that can cause conflicts.

    And "If you have one of BT's USB modems, put it back in the box and buy a firewall/router/ADSL modem." Belkin, US Robotics, Netgear, D-Link and other suppliers offer these for around £80, often with wireless capabilities. "Make sure they have 'SPI firewall' not just NAT," he advised.

    If you have broadband you will catch infections if you are not using a decent firewall, Snowdon added. If you are not satisfied with the built-in Microsoft firewall, there are alternatives such as:

  • ZoneAlarm and
  • Kerio.
    These are discussed at some length in another Any Answers thread on firewall software.

    The ultimate solution to Jane Cable's problem was provided by Gareth Jones, who recommended using some of the anti-spyware programs mentioned in a certain order and in conjunction with further programs, because different checkers find different things.

    The following procedure, he said, "May seem like overkill, and does take time, but will be worth the effort":
    1. Load and run Panda ActiveScan, then Housecall.
    2. Visit the Windows Update site, scan for updates in the main frame, and download and install all critical updates recommended.
    3. Download, extract and run CWSShredder.
    4. Install, then run Spybot Search and Destroy and Ad-Aware SE Personal.
    5. Reboot.

    Cable followed the instructions and reported back that CWSShredder had done the trick.

    Related articles

  • Spyware, Adware - Be aware!
  • Information Security Expert Guides - 10-part series by Stewart Twynham
  • Any Answers firewall debate
  • Virus clinic: practical advice from community members

    Our thanks to all the AccountingWEB members who provided the comments and advice contained in this guide: David Thorne, Nigel Harris, Nasar Ramzan, Jim Mercy, Des Farry, Dave Brown, Gavin Collins, Robert May, David Honeyman, Jenni Frost, Neville Ford, Paul Wakefield, Marc Wilson, Andy Shady, Chris Davis, David Wordley, C Prescott, Drew Edgar, Paul Taylor, Jane Rees, Steven Payton, Charles Verrier, Gill Walker, Daniel Clark, Clint Westwood, John Savage, Jane Cable, Tom Cadogan, Alastair Harris, Nicholas Myles, Gareth Jones, I Robinson, Christopher Lee, Mark Snowdon, John Terrill, Lester Perera, Mike Howard and John Kemp. If you are experiencing internet or other technology problems, you can often find the answer by searching the Any Answers archive or posting a question.

    by Joseph Vallender and John Stokdyk, AccountingWEB.co.uk


    Replies (18)


    By keith.donovan
    13th Dec 2004 12:38

    WinMX OK so far as I know
    Unfair to tar WinMX with the Kazaa brush. WinMX has been consistently found free of any piggyback nasties, and a quick Google search just now failed to turn up anything new (other than on one of the fake remover sites, which for some reason I don't trust).

    NB the Kazaa site says its software "contains no spyware". However this article is dated November 26, 2004. Maybe Kazaa classes its nasties as adware and not spyware and is playing a semantic game. (I note that the article also mentions WinMX, but it seems to be a misreading - if you visit the CA site itself and search for WinMX, the sole reference returned is to a trojan called WinMX, not to the P2P program itself).

    Thanks (0)
    By chris.lee99
    07th Jan 2005 16:52

    Spywareguard
    Thanks for your comment. I look forward to hearing if they have a solution.

    What I don't know is whether or not liveupdate tries to run itself on windows start, and because at that time I am not connected to the internet it causes the pc to think that drwtsn32 had crashed. As I said it is only when I end task on drwtsn32 that my pc comes back.

    CHRIS

    Thanks (0)
    By AnonymousUser
    13th Jan 2005 13:40

    Easier and safer to change IE settings
    I posted this to the MS anti-Spyware thread before I saw this one which is maybe even more relevant...

    Rather than increase the complexity of your PC software it's a lot easier simply to change the relevant MS Internet Explorer setting for the Internet Zone (i.e. default) to stop things such as Active-X, Desktop installs etc. This also stops 95%+ of Worms and other nasties.

    When you need full access to a site that you trust commercially and their IT competence then 'promote' that site (only) to the LAN or Trusted Zone depending upon your LAN setup - ask your IT support if available. BTW This also helps stop 'phishing' because you can then look to the 'Zone' to see if the address is valid.

    I haven't had a single Worm, Trojan or Spyware in the past three years despite being on-line 8+ hours every working day and regularly visiting 10+ new sites per day.

    BTW The comments about downloading software - even 'plug-ins' are far too 'soft' - the rules for a business PC are simple - violate them and be instantly dismissed - no compromise for anyone. This is VITAL in a LAN environment in particular.

    Thanks (0)
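    The zone change described in the comment above is a set of per-zone registry values. The PowerShell script below is an added example, not code from the commenter or from any product named on this page: it lists the Internet zone's ActiveX settings so the "Enabled" ones stand out, hardens them with -Harden, and promotes one site to the Trusted sites zone with -TrustedDomain rather than loosening the Internet zone for everyone. The setting IDs, state codes and zone numbers are the standard Internet Explorer ones; the hardened target values and the domain you pass in are the script's own choices.

```powershell
# Added example, not from the forum post: audit the Internet zone's ActiveX
# settings, optionally harden them, and optionally promote a single site to
# the Trusted sites zone. Assumptions: the setting IDs and state codes are the
# standard IE zone values; $TrustedDomain is a caller-supplied placeholder.
param(
    [switch]$Harden,
    [string]$TrustedDomain   # e.g. 'example.com' (placeholder); omit to skip
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$internetZone = "$inetSettings\Zones\3"   # zone 3 = Internet; zone 2 = Trusted sites

# ActiveX settings that drive-by installers rely on, with the value each
# should hold after hardening (0 = Enabled, 1 = Prompt, 3 = Disabled).
$activeX = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                         Want = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$stateName = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveXAudit {
    $zone = Get-ItemProperty -Path $internetZone -ErrorAction SilentlyContinue
    foreach ($s in $activeX) {
        $current = $zone.($s.Id)
        $label = if ($null -eq $current) { 'not set' }
                 elseif ($stateName.ContainsKey([int]$current)) { $stateName[[int]$current] }
                 else { "unknown ($current)" }
        [pscustomobject]@{
            Id      = $s.Id
            Setting = $s.Name
            Current = $label
            Weak    = ($current -eq 0)   # Enabled with no prompt at all
        }
    }
}

Get-ActiveXAudit | Format-Table -AutoSize

if ($Harden) {
    foreach ($s in $activeX) {
        Set-ItemProperty -Path $internetZone -Name $s.Id -Value $s.Want -Type DWord
    }
    Write-Output 'Internet zone ActiveX settings hardened; re-run without -Harden to confirm'
}

# A site you trust both commercially and technically goes into the Trusted
# sites zone via the ZoneMap, on https only, leaving the Internet zone locked down.
if ($TrustedDomain) {
    $domainKey = "$inetSettings\ZoneMap\Domains\$TrustedDomain"
    New-Item -Path $domainKey -Force | Out-Null
    New-ItemProperty -Path $domainKey -Name 'https' -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Output "https://$TrustedDomain added to the Trusted sites zone"
}
```

    The audit reads the per-user zone settings, which is what a home PC uses; on a domain-managed machine Group Policy can force the machine-wide copy under HKLM instead, so compare with what the Internet Options dialog actually shows. Prompt rather than Disabled is chosen for signed controls and for running controls so that a legitimate site still works after a click, which is the trade-off the commenter describes with the Trusted zone.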
    By taxinfo
    14th Dec 2004 11:10

    couple of comments
    Firstly, I don't believe kazaalite is the problem. It's what users download that causes difficulties.

    Secondly, a program new to me is Webroot Spysweeper. It costs a little but seems to be working very well. It appears to catch some things other programs miss. Here's the link:

    http://www.webroot.com/products/spysweeper?rc=266&ac=627

    Another shield in the anti-malware armoury.

    Thanks (0)
    By DavidT
    07th Jan 2005 12:02

    Same here on one PC!
    Christopher I don't know the answer. However I do have exactly the same problem on one of my two home PCs! They both have XP Service Pack 2 etc and the same other security software. However on one Spywareguard is completely fine and works perfectly; on the other I have the identical problem you have. The only thing I have determined so far is that it is the Spywareguard Liveupdate bit which seems to cause the problem, as I can install the program fine but the updater causes the freeze as soon as it is run.

    As I say, operating systems, service packs and patches etc and security software etc are the same on both machines.

    It is the oldest of my two PCs that has a problem. That one was upgraded to Windows XP from ME whereas the newer machine came with XP pre-installed, but I wouldn't have thought it would make any difference.

    I think I will ask on www.Spywarewarrior.com when I get home later and see if they have any ideas.

    Thanks (0)
    By chris.lee99
    06th Jan 2005 16:46

    Spywareguard
    I installed Spywareguard onto my home PC (XP SP2).
    When I rebooted the Dr Watson program hung the PC and I couldn't access the desktop until I end tasked drwtsn32.exe.

    I know it was something to do with this as when I uninstalled it and rebooted, it went straight into the desktop no problems.

    Does anybody have any suggestions as to how I can get this to work for me WITHOUT hanging my PC?
    I understand that drwtsn32.exe is an information catcher for when a program crashes.

    I look forward to any comments on this.

    Thanks (0)
    By DavidT
    14th Jan 2005 11:18

    Agree and disagree
    Certainly agree with prevention which is why I use Spywareguard and Spyware Blaster and things like IESpyads. I assume it was the new versions of Spybot and Adaware and up to date definitions you used. Interestingly I helped someone the other day where both these showed a "clean" machine. I then used MS anti-spyware which found two more Spyware items with over 400 registry entries which I checked out and were genuine Spyware. Probably A-Squared or Spysweeper etc. may have found something else. I have four anti-spyware programs I rotate.

    Surely the safest thing is not to use IE anyway? Firefox isn't foolproof but it is much safer.

    IE tweaks are a good start but I'd still argue you need a decent layered protection policy. Personally I wouldn't be happy otherwise.

    Thanks (0)
    By AnonymousUser
    13th Jan 2005 21:22

    Spyware scans and what is reasonable as a dismissable offence
    I work in NW England in the area of 'PC Protection' and strongly believe in 'prevention is better than cure'. The reason I claim not to have had a single intrusion in 3 years is that I have run AdAware, SpyBot, MSBasec etc. on a regular but infrequent basis - as they never find anything there seems little point. Just to confirm - I just ran SpyBot - 1st time in 1-2 months - it said zero problems. AdAware reported 3 cookies that were Low (TAC 3) and they were for a site I 'trust'.

    Regarding what I tried to say about sacking people... Once you have your 'rules' laid out for (all!) staff AND well communicated! and also the PCs (esp. LapTops!) setup correctly then it is simple - any change to PC settings or downloading / installing of any program or unanticipated e-Mail attachment needs to be approved by the line manager and an IT literate support person who logs the request/response.

    If a problem occurs that results from an 'authorised' action then 'OK' - get the IT person to be more competent without being excessively risk-averse, otherwise P45.

    If you were 'starting from scratch' in an organisation that had no policy/procedures etc. then you would obviously have to offer a 'three strikes and you're out' palliative for the first six months.

    Obviously no readers could provide names or even reveal statistics about intrusion effects in this forum but maybe someone who is willing & able to 'talk' could give other business owners a feeling for the scale of disaster that could hit them? Or maybe that should be a request in a 'liquidators' forum?!

    Thanks (0)
    By AnonymousUser
    13th Jan 2005 20:22

    How do you know?
    I couldn't let AWB Ross's posting pass without comment. While I'm quite sure you have prevented viruses, worms and trojans I'd like to know how you are sure you haven't experienced a spyware attack. Some spyware is obvious, eg where it enforces an IE toolbar. But most is much more insidious, collecting information about you without you being aware. Hence the term spyware.

    The thought of the legal arguments if you sacked an employee who unknowingly downloaded spyware brings out the barrack room lawyer in me!

    Thanks (0)
    By DavidT
    11th Jan 2005 08:12

    Response
    Christopher

    The people at spywarewarrior have pointed me to this thread on the Wilders Security Forums. They are not sure if this is the answer and I'm not too. I'm at work now so can't try it until later.

    Here's a link if you want to have a look:

    http://www.wilderssecurity.com/showthread.php?t=25749


    Thanks (0)
    By DavidT
    12th Jan 2005 08:50

    Worked for me
    Chris if you are still following this I tried the suggestion and it has worked for me. The four files it suggests are manually saved to the Spywareguard folder are the updates. Seems to be running fine now.

    Still have no idea why one PC worked and one didn't though.

    Thanks (0)
    By chris.lee99
    12th Jan 2005 10:07

    I'll give it a try.
    Thanks David for this update.
    I will give it a go when I get home later.

    It just goes to show how good these forums are.

    If you ask, then there is someone who knows the answer. It is almost like a think-tank.

    Thanks again.

    CHRIS

    Thanks (0)
    By eoinriggs
    13th Dec 2004 12:06

    Best Software
    I have been tackling this problem for some time and used Adaware and Spybot. But recently I have come across a much better product - Giant Antispyware. This costs a few pounds but picks up items most products miss and includes realtime protection which identifies all attempts and allows you to block.

    You can check your level of infection by monitoring running programs and internet bandwidth, right down to individual packets. Giant is the only product I have found to do a 100% job.

    Thanks (0)
    By DavidT
    14th Dec 2004 17:37

    Prevention
    Really recommend Spywareblaster and Spywareguard specifically as preventative measures. These block the stuff in the first place rather than clean them up afterwards. I know Spybot has an immunize feature but these are excellent additions and just run in the background with no noticeable performance issues.

    Also the spywarewarrior forums are a brilliant place to learn all about it and get professional help for specific problems.

    I've used Giant Spyware too and it's pretty good, however early versions were somewhat prone to false positives so be careful.

    I didn't want to reignite the Firefox debate but I use it all the time too.

    Thanks (0)
    By DavidT
    14th Dec 2004 15:10

    My list
    Okay here is my list! All free for home use.

    Preventative and Clean Up Tools

    Spywareguard http://www.javacoolsoftware.com/sgdownload.html
    Spywareblaster http://www.javacoolsoftware.com/sbdownload.html
    MRU Blaster http://www.javacoolsoftware.com/mrudownload.html
    Prevx https://www.prevx.com/homeoffice/prevxhome/prevxhome.htm (got a good write up in the new Computeractive)
    Adaware http://www.lavasoftusa.com/support/download/
    Spybot Search and Destroy http://www.safer-networking.org/en/download/index.html
    A Squared http://www.emsisoft.com/en/software/free/
    BHODemon http://www.definitivesolutions.com/bhodemon.htm
    WinPatrol http://www.winpatrol.com/

    Free Anti-Virus

    AVG Version 7 http://free.grisoft.com/freeweb.php/doc/1/
    AVAST Antivirus http://www.avast.com/

    Specialist Spyware Remover Tools

    Hi-JackThis http://www.spychecker.com/program/hijackthis.html (use with extreme caution!!!!!)
    CWS Shredder http://computercops.biz/downloads-cat-14.html
    McAfee Stinger http://vil.nai.com/vil/averttools.asp

    Free Firewalls

    Zonealarm http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=nav_za
    Sygate http://www.tucows.com/preview/213160.html

    Anti-Phishing Software

    PhishGuard http://www.phishguard.com/ (alerts you to fake sites that are requesting your bank or personal details etc)

    Specialist Forums to help you

    Spybot help forum http://forums.net-integration.net/index.php?
    Adaware help forum http://www.lavasoftsupport.com/

    The reason different programs find different things is because no one agrees on all the products to target. What one person considers spyware someone else doesn't which is why you should always run more than one anti-spyware program. In addition beware of false positives, items that are flagged but that are not spyware.

    Please everyone before using any anti-spyware product you haven't heard of check here:

    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    It's a list of known dodgy anti-spyware programs and there are loads, that generate false positives or actually install spyware.

    Thanks (0)
    By AnonymousUser
    14th Dec 2004 17:14

    It's worth keeping a regular check
    I'd agree there is no one answer, but, following a rather nasty spyware attack, I've used Spybot and X-Cleaner on a regular basis to check out what is going on.
    Hi-Jack This is very good if you are using Internet Explorer but after the spyware problem I switched to Mozilla as my default web browser and it has proved very effective (Firefox, made by the same company, should be equally good but I haven't tried it).
    To get hold of anti-spyware (and other shareware/freeware packages) try the MajorGeeks site:
    http://www.majorgeeks.com/

    Thanks (0)
    By keith.donovan
    14th Dec 2004 13:49

    Kazaalite
    The article is about spyware. Spyware most often piggy-backs on downloaded applications. Nasties that come with downloads from the Kazaa P2P network are far more likely to be trojans/viruses/etc than spyware. Different topic, different problems, different solutions.

    Kazaalite is an unofficially reverse-engineered version of Kazaa with the adware/spyware taken out. The people who reverse-engineered it broke their agreement with Kazaa in doing so. It is supposedly (was last week, anyway) free of nasties. Unlike Kazaa.

    Thanks (0)
    By AnonymousUser
    10th Dec 2004 12:17

    Comment from personal experience
    In various posts in this forum, commentators have expressed satisfaction with the products that they personally use. I find it difficult to understand how they can be confident in that conclusion. The best that you can be sure of is that the software doesn't crash your system - that at least is an observable result. But if you have malware on your system that is not detected by your chosen product, the product will report a clean system and unjustified confidence may result.

    I make this criticism having personally tried out most of the products mentioned above (and some not mentioned), only to find that EACH product has identified threats that are missed by the others.

    Normally I would say that cost is not a significant factor: Sure, some of the products are free, but even those that charge do not charge more than about £30 for a one-user licence, which is insignificant in the decision process. Where it gets expensive is if you are sufficiently paranoid to run several malware-tracking systems each at £30 or so, which I am tempted to do given the experience above. A secondary problem is possible conflicts between several memory resident malware trackers (which might slow the system down as much as the malware).

    Thanks (0)