WinXP and spyware/popups

Walter Cohen

A bit off-topic but it does pertain to a WinXP machine (if anyone cares to
mention the correct newsgroup to ask this question I'd appreciate it - even
a non-MS group).

My friend has a home wireless network and one of his wireless XP desktop
machines (his kids) is being overrun by popups and probably ad-ware. He
said when he turns it on it just keeps coming up with various popups. I am
going over to see it one day this week and was planning on taking with me
and installing an antivirus program (for trojans, etc.) as well as an
ad-ware program. I'll unplug it first from the network and run through and
try to clean it up/out.

Any other suggestions?

Thanks,
Walter
 
Tony Talmage

Sounds like a good idea; also, it may be a good idea to put a firewall in
place to protect the machines on the LAN, and you may also want to check
(most likely once you've done the malware/virus scans) to make sure the
machine is current with all Windows Updates.

However, I'm not sure where you stand on software issues, but it might not
be a good idea to install a purchased copy of virus software on his machine,
as he technically would still most likely be violating the EULA and using a
free copy. You might try AVG antivirus software, as it is free:
http://www.grisoft.com. Anyhow, good luck, hope things clean up nicely.
--
Tony Talmage
Web Developer
Graphic Education Corporation
http://www.graphiced.com
(888) 354-6600
 
Bob Dietz

Walter said:
A bit off-topic but it does pertain to a WinXP machine (if anyone cares to
mention the correct newsgroup to ask this question I'd appreciate it - even
a non-MS group).

My friend has a home wireless network and one of his wireless XP desktop
machines (his kids) is being overrun by popups and probably ad-ware. He
said when he turns it on it just keeps coming up with various popups. I am
going over to see it one day this week and was planning on taking with me
and installing an antivirus program (for trojans, etc.) as well as an
ad-ware program. I'll unplug it first from the network and run through and
try to clean it up/out.

Any other suggestions?

Thanks,
Walter

Kids and overrun by popups - that probably means file sharing software
(free music downloads) is installed on the machine. If that's the case,
you're likely to save time by chasing the ad-ware/spy-ware first.

With any spy-ware / ad-ware removal tool, always download the latest set
of definitions before bothering to scan. (After you've got the latest
definitions, unplugging from the network is a good idea.)

After the first scan and attempted repair, your spyware removal tool may
prompt you to reboot so it can run an automated scan at start-up. If so,
allow it to. Afterward run another manual scan to make sure. If spy-ware
/ ad-ware is still found, try a manual scan in safe mode. Still no joy,
start googling on executable names in the Applications and Processes
list in Task Manager. Kill any non-essential BHOs. (See BHOs in SpyBot
SD tools or in WinPatrol).

The spy-ware/ad-ware tools I like/use are:

Javacool's SpywareBlaster. (Free but the author asks for donations.)
http://www.javacoolsoftware.com/spywareblaster.html
... no more annoying "Yes/No" boxes, asking you to install a
spyware ActiveX control ... Internet Explorer will never even
download or run the spyware ActiveX control. ... can prevent
many spyware ActiveX controls from running, even if they are
already installed ... By setting a "kill bit" for ActiveX controls.
I think the current list of items blocked is up to about 1500.
Having these kill bits set probably consumes something like 0.000001%
of system resources and even fewer CPU cycles. By no means does it
stop everything. But it does stop some real nasties with no drag on
my system.

BillP Studio's WinPatrol (Standard is Free. Plus version is $20)
Warns you when new items are added to areas most typically targeted by
ad-ware and spy-ware and allows you to prevent their addition. Startup
programs can be Enabled, Disabled or Removed. When you Disable
a Startup program, WinPatrol remembers. If the program is reinserted in
the list, WinPatrol automatically removes it. An upgrade to the Plus
version, gives you one-click access to a web page in an on-line database
describing what any particular executable does. Example: what is the
purpose of the MSECLK.DLL BHO? The on-line database says, "... a new
variant of the ClientMan Spyware program. This variant of ClientMan
redirects ..." In a large, bold typeface at the bottom of the entry you
see. * Spyware. * Remove.


LavaSoft's Ad-Aware http://www.lavasoftusa.com/
and
PepiMK's Spybot SD http://www.safer-networking.org/
Good for cleaning up machines that have already been compromised.

Bob
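
How the "kill bit" mentioned in the post above looks in the registry, as an added example that is not part of the original thread: Internet Explorer will not load an ActiveX control whose CLSID has the 0x400 bit set in `Compatibility Flags` under the `ActiveX Compatibility` key. The script reads a regedit export of that key and lists which controls are blocked; the CLSIDs in the sample are constructed placeholders.

```python
import re

# Key where Internet Explorer keeps per-control flags (one subkey per CLSID).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control

# Constructed sample in regedit export format; the CLSIDs are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
'''

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)
PREFIX = KEY.lower() + "\\"

def parse_kill_bits(reg_text):
    """Map each CLSID under ActiveX Compatibility to True if its kill bit is set."""
    result, clsid = {}, None
    for line in reg_text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            path = m.group(1)
            inside = path.lower().startswith(PREFIX)
            clsid = path[len(PREFIX):].upper() if inside else None
            if clsid:
                result[clsid] = False  # stays False unless the kill bit is seen
            continue
        m = FLAGS.match(line.strip())
        if m and clsid:
            result[clsid] = bool(int(m.group(1), 16) & KILL_BIT)
    return result

def blocked(reg_text):
    """Sorted CLSIDs that Internet Explorer will refuse to load."""
    return sorted(c for c, killed in parse_kill_bits(reg_text).items() if killed)

if __name__ == "__main__":
    for clsid, killed in sorted(parse_kill_bits(SAMPLE_EXPORT).items()):
        print(clsid, "blocked" if killed else "NOT blocked")
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text in.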
 
Yves Leclerc

Wireless routers have a NAT firewall.


Tony Talmage said:
Sounds like a good idea; also, it may be a good idea to put a firewall in
place to protect the machines on the LAN, and you may also want to check
(most likely once you've done the malware/virus scans) to make sure the
machine is current with all Windows Updates.

However, I'm not sure where you stand on software issues, but it might not
be a good idea to install a purchased copy of virus software on his machine,
as he technically would still most likely be violating the EULA and using a
free copy. You might try AVG antivirus software, as it is free:
http://www.grisoft.com. Anyhow, good luck, hope things clean up nicely.
--
Tony Talmage
Web Developer
Graphic Education Corporation
http://www.graphiced.com
(888) 354-6600
 
Dominic Vautier

I don't think you should worry too much about a virus.
The guys who sell antivirus programs are not addressing
the many spyware attacks that go on all the time. The
important thing is that spyware can easily and quickly
cripple an xp system, especially if you have kids who like
to download music.

One of my kids said his computer was broken so he started
using mine. The next day I noticed that my cursor was
very slow and so I started checking things out. I ran
spybot (a free download) and it detected thousands (I'm
serious) of spies. I purchased spysweeper, and had to run
it several times to get my systems clean. Spyware attacks
are a frequent and insidious intrusion and everybody
should have spyware protection tools installed. I have a
hardware firewall but it is not designed to protect
against spies. They get in anyway, believe me.

You may also want to change the browser security level,
and especially keep out third party cookies.

I figure that $20 a year for a spyware license is a cheap
price to pay because those guys are paid to keep up the
definitions.
 
Bruce Chambers

Greetings --

There are at least three varieties of pop-ups, and the solutions
vary accordingly. Which specific type(s) is troubling you?

1) Does the title bar of these pop-ups read "Messenger Service?"

This type of spam has become quite common over the past several
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats, such as the Blaster Worm that
recently swept across the Internet. Install and use a decent,
properly configured firewall. (Merely disabling the messenger
service, as some people recommend, only hides the symptom, and does
little or nothing to truly secure your machine.) And ignoring or just
"putting up with" the security gap represented by these messages is
particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure
UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445 are _all_
blocked. You may also disable Inbound NetBIOS (NetBIOS over TCP/IP).
You'll have to follow the instructions from the firewall's manufacturer
for the specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?

2) For regular Internet pop-ups, you might try the free 12Ghosts
Popup-killer from http://12ghosts.com/ghosts/popup.htm, Pop-Up Stopper
from http://www.panicware.com/, or the Google Toolbar from
http://toolbar.google.com/, which is what I use.

3) To deal with pop-ups caused by any sort of "adware" and/or
"spyware," such as Gator, Comet Cursors, Xupiter, Bonzi Buddy, or
KaZaA, and their remnants, that you've deliberately (but without
understanding the consequences) installed, two products that are
quite effective (at finding and removing this type of scumware) are
Ad-Aware from www.lavasoft.de and SpyBot Search & Destroy from
www.safer-networking.org/. Both have free versions. It's even
possible to use SpyBot Search & Destroy to "immunize" your system
against most future intrusions. I use both and generally perform
manual scans every week or so to clean out cookies, etc.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
