Spam, spyware, virus and malware help and information
A new resource to help clear your system of spyware, malware, viruses and spam
13th June 2007.

New site, brought to you by Ackadia. (Malachim on Yahoo! Answers)
(Started 5th June)
I've started this to answer the many questions asked daily at Yahoo Answers. I will be breaking it up into sections within the next few days as it's expanding rapidly.
In the short term you should find these existing pages on my main site useful:
Ackadia on: Computer security
Ackadia on: AntiVirus company links
and Ackadia on: Stopping Spam
Help me help you!
I'd appreciate any and all feedback to help develop this site. Though I'm sure support technicians and the like will find this site useful, it isn't aimed at them, it's aimed at YOU. It's aimed at the real world, everyday people who neither know nor care about the issues, who just want their computer back, fixed, preferably without spending any money, thank you very much.
They say 80% of computers are "infected" with Spyware. Pttt. A lot of this is just tracking software from big name companies. If you don't like the Big Brother mentality, disable cookies, or at least flush them often (I'll cover this shortly).
It's when these parasites start messing with your registry, running programs, slowing down your computer, launching undesirable windows or phoning premium rate numbers, when they start keylogging and hacking into your files to steal your credit card, even your entire identity, that it stops being fun, or something that only happens to other people. "Other people" isn't 80%, but I would guess it's around 60% of all home users. I'll get true figures another day, but believe me when I say these other people it only ever happens to run into the hundreds of millions!
Anyway, I'm rambling. The point is that while I can and will try to help a few people a day if they ask, it's just not possible to hold hands with the millions that will eventually visit this site. So, please let me know how you find this. Is it too technical? Did it help? What are your experiences? Are you in support and want more detailed sections? Do you need a particular Worm/Trojan/Virus looking at? Maybe something infecting your mobile phone? There are forums dedicated to security, but would you like one here, one dedicated to helping YOU rather than geeks and hackers?
You can ask for help over on Ackadia's forums or via ( ackadia2006 at yahoo .co .uk )
Laying the blame
Sometimes the problem is so bad that you are up the creek without a paddle. On more than a few occasions recently I've sat dumbfounded at the mayhem unfolding on the screen before me, computers so badly infected you just can't do anything, literally, even in safe mode. Given that I am an expert with over 25 years' experience and that, despite being retired, I still have half the neighbourhood knocking on my door for help, that should give you a grasp of the scope of the problem.
I blame the greedy ISPs and telephone companies jumping on the bandwagon, scrabbling over and fighting each other for customers. More, more, give me more customers - and not giving a thought or care for the fact most of you are new to the Internet and don't have a clue. Some are now making the effort, at least.
Because they realise the error of their ways and love you?
Dream on. When too many computers - like yours - get infected and start spewing out millions, billions of Spam and other unpleasantries, what happens is the other Internet companies block them. Generally for up to three months. All of a sudden YOU can't send email, so these negligent companies start losing customers in droves. Why do you think companies like TalkTalk, which incidentally is/was one of the worst offenders in the UK, tie you into a year's contract?
*Mutter*
The points below and screen grabs later are from just one neighbour's computer - and it was riddled. I'm retired now so only really sort out family and the odd friend that calls in dire straits, but whenever I do have to fix them it's always a similar story. Below is a typical example and gives an insight into the matter.
A typically bad infection:
- The security package they used (McAfee's) was too hard for them to update - so they didn't bother.
- They had already wrecked the system once before and a friend of their daughter fixed their computer - using a pirated version of Windows XP Pro. The fact they had a legitimate license for Home and a copy of the OS with all the drivers in a partition available apparently didn't register with the friend who was doing computers at college.
- Not knowing any better, they couldn't access their own wireless connection and were actually freeloading from all the other unsecured wireless networks in the neighbourhood. The worst affected PC, hard wired to a 16Mb/s router, was naturally a breeding ground for hackers.
- Oh yes, as recommended by a friend who knew about computers, they were surfing peer-to-peer networks, downloading all sorts without a care in the world … that is until it slowed down, stopped and then fell over, dead
- Did I mention they hadn't done a backup in years and were rather panicky about losing all those digital memories?
What gets me is I hear this all the time, see it more often than I'd like - and it's always for the same avoidable reasons: lack of education and a friend that knows about computers.
How to avoid getting infected:
- If your security solution isn't patched at least daily, it's hardly worth a ha'penny. New threats appear literally every few minutes and if you aren't keeping up to date you will get infected. It's not a case of if, but when and how bad. So please, keep your firewall, anti-virus, spyware blocks, spam solutions and operating system up to date (be it Windows, Linux or Mac)
- Dodgy copies of Windows, invariably installed by either a shady dealer or a well meaning but clueless friend, are another liability, though the same applies if you don't update daily too. Incidentally, by default (in Europe), Windows gets its automated updates at 3am.*
*(Note to self: take the frog pill. Don't get started on Microsoft again)
Basically if you don't or, more likely, can't get security updates for your copy of Windows (and Office etc.) something will eventually get in. Apparently 20% of Windows XP installations use the same (banned) corporate licenses.
- For wireless connections it's a bit murkier. The likelihood of most people really getting compromised is relatively low. Not low enough to ignore, but still. The biggest issue you are likely to have is neighbours stealing your bandwidth, on purpose or not. Then, especially in larger towns and cities, you have roaming individuals looking for free access. Then, of course, you have an ever growing army of lowlife intent on hacking in for identity fraud.
When I say relative, it is relative to a broadband Internet connection. If what the experts running these tests say is true, for broadband you have as little as two or three minutes before you are at risk of something finding open ports and getting into your system and network. For wireless you have until your luck runs out. As Clint Eastwood said in "Dirty Harry": "You've got to ask yourself one question: Do I feel lucky? Well, do ya?"
Best to get the wireless security turned on, eh. If you don't know how, your supplier or ISP should be able to tell you. If not, tell me and I'll help.
- Peer-to-peer networks are a breeding ground for viruses, Trojans, worms etc. Just don't use them, really. Not worth the hassle. Same goes for key-generators and pirate software in general. Does no-one else see the irony that hackers are adding their payloads to security products and sharing them about?
- And never, ever, EVER accept attachments from strangers. Not in emails and especially not in Instant Messages and the like, as this salient post in Yahoo Answers reiterates: "Got sent a message on MSN messenger saying 'omg is this you?', I stupidly opened the link now have a virus!!!"
Personally I have multiple filters on my email to delete messages with attachments on arrival. You can never be too paranoid, because the minute you feel safe a new, unknown virus will appear and bite you in the O.o
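The attachment filtering mentioned above, as an added example that is not the page's own setup: a small Python script using only the standard library that parses a raw message, lists its attachments and drops anything with an executable extension, including the "photo.jpg.exe" double-extension trick behind lures like the MSN "omg is this you?" message. The extension list and the sample messages are constructed for the example (the addresses in them are invented).

```python
import email
from email import policy

# Extensions Windows runs on double-click; a representative list, not exhaustive (assumption).
EXECUTABLE_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}


def attachment_names(raw_message):
    """File names of every attachment (any non-container part carrying a filename)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def is_executable_name(filename):
    """True for 'setup.exe' and for disguises such as 'photo.jpg.exe' or 'invoice.pdf .scr'.

    Only the final extension counts: that is the one Windows acts on, however many
    decoy extensions or padding spaces sit in front of it.
    """
    pieces = [p.strip() for p in filename.lower().split(".")]
    pieces = [p for p in pieces if p]
    return len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXT


def filter_message(raw_message, reject_all_attachments=False):
    """Decide what to do with one message: ('drop', reason) or ('deliver', '')."""
    names = attachment_names(raw_message)
    if reject_all_attachments and names:
        return "drop", "attachment(s) present: " + ", ".join(names)
    bad = [n for n in names if is_executable_name(n)]
    if bad:
        return "drop", "executable attachment: " + ", ".join(bad)
    return "deliver", ""


# Constructed sample messages (not real mail); the base64 body is just text.
SAMPLE_DISGUISED = """\
From: stranger@example.net
To: you@example.org
Subject: omg is this you?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

omg is this you?? look at the photo
--b1
Content-Type: application/octet-stream; name="photo.jpg.exe"
Content-Disposition: attachment; filename="photo.jpg.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHBob3Rv
--b1--
"""

SAMPLE_CLEAN = """\
From: friend@example.org
To: you@example.org
Subject: hello

Just text, nothing attached.
"""

# Same layout as the disguised message but carrying a document instead.
SAMPLE_DOCUMENT = SAMPLE_DISGUISED.replace("photo.jpg.exe", "report.pdf").replace(
    "application/octet-stream", "application/pdf")

if __name__ == "__main__":
    for label, raw in (("disguised", SAMPLE_DISGUISED), ("clean", SAMPLE_CLEAN),
                       ("document", SAMPLE_DOCUMENT)):
        print(label, filter_message(raw))
```

Set `reject_all_attachments=True` to get the author's own blunt policy of binning anything with an attachment; the default only drops what Windows would execute.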
To clear out Trojans and Spyware I recommend:
McAfee's Site Advisor to help avoid the problem in the first place!
As highlighted in this screengrab of McAfee's SiteAdvisor, it will sit on your toolbar flagging good and bad web sites. It even works for search engines, warning in advance about rogue sites and offering a link to advise you of all the known risks. Also works in Firefox and with MSN, Google and Yahoo searches, amongst others. HIGHLY recommended!
Finjan SecureBrowsing
I came across this site via one of the security newsletters I received and wandered over for a look. Bearing in mind this company looks after seriously large enterprise companies and large ISPs, I think it's remarkable that they took the time to release their (free) open source based SecureBrowsing plug-in.
It does need separate installs for Firefox and Explorer, but so does the Google toolbar and many others, so it's hardly a big issue. Personally, based on what I've seen so far, I'm going to recommend this to people as a backup to SiteAdvisor. I think the two complement each other and do seem to work together without conflict. They might not agree with each other all the time, but that's down to how each works.
SiteAdvisor, amongst other rules and tests, relies on user input. This just looks at the code. As such it is slower to change its traffic light, but ultimately faster with security checks. SiteAdvisor will advise us this 'is a known good site' while SecureBrowsing will catch that 5 minutes earlier a Trojan /may/ have been added. Overzealous at times, but I'd rather be paranoid and safe myself. Of course, if both agree and red-light a link or website, stay the heck away!
Importantly, it will also check Google AdSense links. Just because Google are taking money for an advert doesn't mean it is safe or trustworthy. Of course, a green tick doesn't mean a site isn't a rogue, just that, initially, it seems safe. Just thought I'd clarify that!
Gives you the highest rate of malicious code detection:
- Scans the current form of a page as it is available on the Web now, in real time.
- Detects malicious content based on code analysis, rather than using signatures like anti-virus products.
- Provides the most accurate page safety rating based on the actual page content, rather than database lookup of web address like URL filtering products.
Lavasoft's Ad-Aware Version 2007 now out!
I believe some Trojans are actively blocking Ad-Aware, disconnecting computers that try to reach the site. If this seems to be the case, try to get Ad-Aware SE Personal Edition from Download.com. Failing that, either get a friend to download it and copy it onto a CD or USB stick and run it from there. At a push, on request, I'll download it and make it available here. Not an ideal solution, but sometimes needs must when the devil drives, eh!
Spybot Search & Destroy is OK, and free. Donations welcome.
Sunbelt Software's CounterSpy
After trying it yesterday (June 7th 2007) to clean out a particularly infested system, I can thoroughly recommend CounterSpy. It is only a 15 day trial, but there's no nagging, no crippling, it just works. OK, maybe it's a tad slow, but it's thorough. It even found a Trojan that Symantec missed. If you want to keep using the program it's only about £15, or £35 for a three user license, which compares well with the registered versions of Ad-Aware. It also has a blocker with a top level of "paranoid", which tickled me, because really, I am.
Here's a screen grab of Sunbelt Software's CounterSpy.
Microsoft Windows Defender
Not greatly enamoured with it, but it is free and does sit on your toolbar monitoring for malicious activity. If you don't employ the monitoring guards of CounterSpy or the Pro version of Ad-Aware then absolutely, give it a run. It does need a legitimate copy of Windows to download and run, but really, you need to have a kosher copy anyway or you are just setting yourself up for a fall.
After these three above you are on a slippery slope down! I'm not even giving them a link!
A number of people also recommend SuperAntiSpyware [ superantispyware.com ] - not me! From the reviews I've glanced at it fares well, but not outstandingly, so I really, really wouldn't rush to buy the registered version the site promotes. In fact, after trying it I really wouldn't bother at all. Embarrassingly, I've, ummm, forgotten why I don't like it. I seem to recall issues with crippling, nagware and that when you uninstall it sends you to their web site demanding to know why. I don't like it, the three at the top are more than enough, take it on trust, I wouldn't bother. Screen grab of SUPERAntiSpyware. Not so "super" in my opinion.
You can also try CA's eTrust PestPatrol [ pestpatrol.com ]. Personally, after trying the latest version this week, I wouldn't bother! It will clean out some threats (like cookies) and then list all the high level threats, which it can clean when you register. Idiots!
This screen grab of CA's eTrust PestPatrol - NOT recommended
Also dumped in the "as much use as a chocolate teapot" class is PC Tools' Spyware Doctor [ pctools.com ]. I intensely hate crippleware, but when it also tries scare tactics to get money out of the innocent and gullible, then I really take offence!
Most if not all the people that come here will be relatively new users with problems. What they don't want is to find a solution that claims untold problems - pay up and we'll sort you. I am utterly disgusted with them. Also complete BS: half the "infections" it reports are really just tracking cookies that can be flushed anytime by anyone via the browser options.
OK, It says I have a key logger on my computer. I know, I'll enter my credit card details to get the registered copy of this and then (after the horse has not only bolted it's been run over by a truck) I'll be safe.
IDIOTS! One to miss, really. I have no tolerance for fools. Guys, either release a 15 day trial, or nothing. NOBODY likes crippleware! See what I mean with this screen grab of PC Tools' Spyware Doctor - NOT recommended. Pay particular attention to the bottom right corner: "Removal of detected threats requires a registered version of Spyware Doctor".
You may have seen these advertised as part of the 'Google Pack'. Note that this does not give them credence in my opinion, rather it lowers my opinion of Google who obviously haven't real world tested the product enough!
UNTRIED, as yet:
SpywareBlaster. Recommended by someone reliable over at Yahoo 360. The web site is OK at any rate. I'll give it a try on my next clean-up job; there's nothing like a real world test, eh.
If you are on a tight budget a free firewall can be had from Comodo, amongst others. Looks OK at any rate.
In the anti-virus stakes, AOL offer a free version of Active Virus Shield. It's powered by Kaspersky Lab, so it should be OK.
[ spywarebot.com ]
I saw this advertised on a Google Ad and wandered over for a look. My first assessment is that I simply don't trust its reliability. I found several obvious faults on the web site, without even looking at the source code (FAQs that try to download a setup file, corrupt scripts and missing images, mismatched designs; all too rushed). If they are that sloppy with the face they present to the world, I don't want to know, thank you! In fairness though, it is free to try, so I'll not entirely rule it out.
Killing Malware, Trojans and Viruses one at a time
Toolbars and Peer-to-Peer programs
You can use the programme's own uninstaller, if they even have one, or use Control Panel:
Start » Control Panel » Add or Remove Programs
If the likes of Ad-aware haven't ousted the buggers, try this:
With Internet Explorer 7 you can flush the lot! You lose any and all toolbars etc., but those you want can be re-installed. Note that this doesn't uninstall them from your computer at all, it just disables them in Explorer, so you can get on with finding something else to extract the things.
IE: Tools » Internet Options » Advanced (tab) » click Reset
Works if Explorer (7) acts up due to corrupt add-ons and caches too.
Firefox: Tools » Clear Private Data
Note that un-installing these things (and most genuine programs for that matter!) tends to leave bits of them behind in the registry, which is why you need to use the likes of Ad-Aware to root them out. You can get registry cleaners, and some of them do work well, but the problem is they can be over-zealous or even flaky, and if you don't know what you are doing it's all too easy to break Windows.
Safeboot
Generally you can get away without doing a safe boot, but there's no harm or hassle involved, it's probably the best way to do it, and there are times when it is the only solution. If you are wondering, safe mode just loads the absolute bare minimum to get things going. Good for fixing things!
To do this, restart your computer and tap the F8 key repeatedly on boot up. You will then be presented with various boot options; use your arrow keys to highlight the 'Safe Mode' option at the top of the list, then hit Enter. While in safe mode run your anti-virus, spyware scans etc. and you should see better results for removal of the more tenacious or seemingly 'blocked' infections.
Tenacious programs loading on bootup
Try the above solutions first, but if, as happens, the virus or Trojan is stopping you by either eating all the resources and/or actively blocking and disabling your security products, then the following should help. If you don't know what you are doing I suggest you get professional advice - and preferably not from a friend that knows a bit about computers.
I'm assuming Windows XP here as that is what the vast majority of you will be using.
Start » Run » msconfig
Go to the Startup tab and disable everything. Do the same on the Services tab; tick 'Hide All Microsoft Services' first so those stay running, which saves instability issues. Then restart to apply the changes (you can restart in safe mode too, even better!). This basically gives you a clean environment to start working from, to get patches, updates, run scans etc. When you are finished and your system is secure you can re-enable all the startup items and services. Works a treat!
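The Startup tab of msconfig is largely a view of the Run keys in the registry. As an added example, not from the original page, here is a Python script that parses what `reg query` prints for one of those keys on Windows XP, works out which program each entry launches, and flags the ones a legitimate installer rarely creates: programs sitting in the user's profile or a Temp directory, and scripts rather than executables. The sample `reg query` output, the value names in it and the heuristics are all constructed for the example.

```python
import re

# One value per line: "    <name>    REG_SZ    <data>" (REG_EXPAND_SZ also appears).
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_(?:EXPAND_)?SZ)\s+(?P<data>.*?)\s*$")
# The program a command launches: optional quote, a path ending in a runnable
# extension, optional closing quote, then whitespace or end of string.
PROGRAM = re.compile(
    r'\s*"?(?P<path>.*?\.(?P<ext>exe|com|scr|pif|bat|cmd|vbs|js))"?(?:\s|$)',
    re.IGNORECASE)

# Directories an ordinary user can write to; startup entries pointing there
# deserve a second look (assumption: constructed list of path fragments).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")
SCRIPT_EXT = {"bat", "cmd", "vbs", "js"}


def parse_run_key(reg_query_output):
    """Return [(value_name, command)] from the text reg query prints."""
    entries = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries


def extract_program(command):
    """(path, extension) of the program a Run value launches, or None if unclear."""
    m = PROGRAM.match(command)
    return (m.group("path"), m.group("ext").lower()) if m else None


def triage_run_entries(entries):
    """Return [(value_name, program_or_command, reason)] for entries worth checking."""
    findings = []
    for name, command in entries:
        program = extract_program(command)
        if program is None:
            findings.append((name, command, "cannot tell what this launches"))
            continue
        path, ext = program
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append((name, path, "runs from a user-writable directory"))
        if ext in SCRIPT_EXT:
            findings.append((name, path, "a script, not a program"))
    return findings


# Constructed reg query output for HKLM\...\CurrentVersion\Run (invented entries).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe /tray
    msnmsgr    REG_SZ    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    AntiVirusTray    REG_SZ    "C:\Program Files\AV Vendor\avtray.exe" /startup
    winupdate    REG_SZ    C:\Documents and Settings\Owner\Local Settings\Temp\winupdate.exe
    SysDriver    REG_EXPAND_SZ    C:\WINDOWS\system32\sysdrv.vbs
"""

if __name__ == "__main__":
    for name, what, why in triage_run_entries(parse_run_key(SAMPLE_REG_OUTPUT)):
        print(f"{name}: {why} ({what})")
```

Run the same parser over the HKCU Run key and the RunOnce keys as well; the per-user key is where a drive-by install that never got administrator rights ends up.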
This doesn't always work, as some infestations have a nasty habit of opening two more copies of themselves if you try closing one down. If nothing else it is a good way of getting a list of suspects:
Load Task Manager ( Start » Run » taskmgr ) (or just press Ctrl-Alt-Del once) and get a list of processes:
OK, this is second nature to me but it is easy to get the hang of. Look for anything running multiple instances of itself; viruses etc. will do this. Note though that other applications, particularly Microsoft ones like 'svchost.exe', legitimately do this too. Also look for any with strange names. Note however that the hackers writing these have a tendency to give them similar names to genuine programs, thus:
"csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated."
Whereas "the similarly named crss.exe is a process which is registered as W32.AGOBOT.GH Worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process is a security risk and should be removed from your system."
Source: ProcessLibrary
Devious b******s, eh!
Anyway, write down a list and head over to:
Process Library and do a search.
My computer is clean, obviously, but for argument's sake we shall assume we found these candidates and wanted to check them:
[ isamntr.exe ] [ isamini.exe ] and [ msiexec.exe ]
The first one is flagged as under review. I know I made a note of it on the last computer I cleaned though; might have been an obscure driver.
The last one is actually another Windows program, so that's fine.
Aha, red flag goes up on this nasty Trojan:
"isamini.exe is a process which is registered as a Trojan. This process is a security risk and should be removed from your system. isamini.exe is a dangerous program. It is suggested that you update your antivirus program and scan your system."
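The Task Manager checks above (multiple copies of one name, and names one letter away from a real Windows process such as crss.exe against csrss.exe) can be done mechanically. The following is an added example, not from the original page: a Python script that takes a process list as Task Manager or `tasklist` would show it and flags look-alike names, known binaries running from the wrong directory, and names running more than one copy when they shouldn't. The reference table of Windows binaries and the sample process list are constructed for the example.

```python
from collections import Counter

# Core Windows XP binaries and the directory each normally runs from
# (assumption: a small constructed reference table, not a complete list).
KNOWN = {
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "msiexec.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Names that legitimately run several copies at once.
MULTI_INSTANCE_OK = {"svchost.exe"}


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """The known Windows name this one imitates (within two edits), or None."""
    name = name.lower()
    if name in KNOWN:
        return None
    for good in KNOWN:
        if edit_distance(name, good) <= 2:
            return good
    return None


def triage(processes):
    """processes: iterable of (name, pid, directory). Returns {name: [reasons]}."""
    processes = list(processes)
    reasons = {}

    def note(name, why):
        reasons.setdefault(name, []).append(why)

    counts = Counter(name.lower() for name, _, _ in processes)
    for name, pid, directory in processes:
        lname = name.lower()
        mimic = lookalike(lname)
        if mimic:
            note(lname, f"pid {pid}: name resembles {mimic}")
        elif lname in KNOWN and directory.lower().rstrip("\\") != KNOWN[lname]:
            note(lname, f"pid {pid}: runs from {directory}, expected {KNOWN[lname]}")
    for lname, n in counts.items():
        if n > 1 and lname not in MULTI_INSTANCE_OK:
            note(lname, f"{n} instances running")
    return reasons


# Constructed process list, as Task Manager might show it on an infected XP box.
SAMPLE_PROCESSES = [
    ("csrss.exe", 600, r"C:\WINDOWS\system32"),
    ("svchost.exe", 840, r"C:\WINDOWS\system32"),
    ("svchost.exe", 912, r"C:\WINDOWS\system32"),
    ("svchost.exe", 1004, r"C:\WINDOWS\system32"),
    ("explorer.exe", 1344, r"C:\WINDOWS"),
    ("crss.exe", 1788, r"C:\WINDOWS"),
    ("scvhost.exe", 1820, r"C:\Documents and Settings\Owner\Local Settings\Temp"),
    ("msiexec.exe", 2032, r"C:\WINDOWS\system32"),
    ("isamini.exe", 2100, r"C:\Program Files\ISM"),
    ("isamini.exe", 2108, r"C:\Program Files\ISM"),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_PROCESSES).items():
        print(name, "->", "; ".join(why))
```

The output is a list of candidates to look up, not a verdict: a two-edit threshold will occasionally flag an innocent name, and a genuine Windows binary running from the right directory under a one-letter variant of its name is exactly the thing you then check on Process Library.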
ProcessLibrary does (now) tend to push you towards getting a copy of WinTasks. Note: I do NOT personally recommend this program. Yes, it has good reviews; no, I've never tried it myself. However, in my opinion, it currently (June 2007) uses sensationalist tactics to scare you into buying the software. This is social manipulation and I would never trust a company, any company, that stoops to such underhand tricks to sell its products. The fact it is animated just compounds it, implying, "OMG, you are infested". Shady gits!
The site used to point to multiple third party sources for solutions. I can only assume it was taken over by this shady lot!
Untrustworthy and Rogue (anti)spyware programs
Incidentally, the Trojans crawling all over my friend's computers seem to have come from one or more of the following places he was tricked into trusting:
Do NOT visit these sites or products and NEVER, ever use or trust anything from them, ever!
- Errorprotector.com
- Errorsafe.com
- Drive cleaner
- malwarewiped.com
- asafetyproject.com
All the above are known to use social engineering to scam people into using their products to ostensibly clean your computer, when what they really do is infect it. These can be a beggar to get rid of once they infect you!
And I believe they all represent just one company!
According to a recent report by VNU: Rogue security software on the rise (04 June 2007). Trend Micro has reported a fivefold year-on-year increase in the use of such programs, which claim to clean a computer system but end up infecting users.
Typically a user will visit a web page that includes a pop up (usually falsely) warning that their computer is infected and offering a free trial of software to clean up the computer.
They go on to list suspects as:
- Winfixer
- SpywareQuake
- ErrorSafe
- ErrorGuard
- SpyShield
- SpyAxe
- SpywareNuker
- Spyhealer
- DriverCleaner
- and SystemDoctor
You can definitely add SpyCrush to that list too - and AdwareRemoverGold. Haven't tried it, nor will I! Also add:
- WhenU
- Direct Revenue
Elsewhere vendors such as Snapfiles and Tucows claim malware writers are flooding the market with rogue anti-spyware applications in an attempt to steer consumers away from genuine security software and make money from selling bogus applications, and that 4 out of 5 (80%) of all such applications are dodgy.
As I said at the start, they use social engineering to pass themselves off as legitimate security solutions, but have no intention of ridding a user's system of malware. The applications invariably try to scare the user with false and misleading test results (something supposedly legitimate companies are also guilty of!), fail to get rid of existing spyware infections, and in many cases even infect the system with additional pieces of spyware and adware.
Another article points out that the problem is exacerbated by networks of affiliate websites and advertising networks pushing them - and I do mean the implied (moral) link with drug pushers. By and large I've found that the 'affiliate community' are a dirty lot and couldn't give a monkey's what they push, nor how they push it, as long as they make a few quid. Naturally this is a gross generalisation and unfair to the genuine marketing firms, but it is nevertheless true.
Here's a few tests:
First search for it in Google, MSN, Yahoo etc. If it's dirty it will show in the first page for most search engines.
Look at its Google PageRank (if you have the toolbar installed). You can buy rank, but it's neither cheap nor easy, and anything below 6 is to be treated with caution: they either haven't been around long enough, or don't have a loyal base of subscribers. Similarly so with Alexa, though that is very easy to cheat in the short term, less so in the long term.
For instance:
Spybot S&D is Google PR 8, Alexa traffic rank 16,317
Ad-Aware is PR 7, Alexa 5,226
Counterspy is PR 6, Alexa 24,868
Conversely, the insidious SpyCrush (apparently a variant of VirusBurst) is PR 1 and Alexa 2,806,673 - but if you look at the graph, it has shot up from nothing, absolutely unrated (less than 10 million) in just a few days. It's listed on Symantec and other sites as a threat and this thread from Yahoo says it all. Note that this is typical of nearly all spyware programmes. *Twitch*
Yahoo Answers thread: Trojan SpyCrush?
Answer by Classic:
SpyCrush, a variant of VirusBurst, is a rogue anti-spyware program that uses deceptive tactics to trick you into purchasing their software. Once you're infected with SpyCrush, a security message similar to a Windows notification pops up saying your PC is infected with malware. This fake message is used to lure you into purchasing, downloading & installing their program to remove the imaginary spyware. SpyCrush program can be extremely difficult to remove manually, and will continue to try to recreate itself. SpyCrush may also download and install other software without your permission.
Answer by Mark:
SpyCrush is a dangerous fake antispyware software and it is an updated version of SpyLocked. SpyCrush may be a variant of Trojan.Zlob. SpyCrush displays a fake warning message to purchase the paid version of SpyCrush.
SpyCrush also displays a fake warning alert with a flashing icon in your system tray, and pop-up balloon warning messages claiming that your PC is infected. For example: "Critical System Error", "Your computer is infected", "System Alert", "Security Alert", "Trojan-Spy.win32@mx", "Virus Alert", "Security Alert" or "Spyware.Cyberlog-X".
Similarly, Spyshield, mentioned a few times by Yahoo Answers members with problems, is un-rated by Alexa and only PR 2 by Google.
Looking at 'AdwareRemoverGold', despite a steady flow of traffic registered by Alexa and supposedly copyright 1996, it is only PR 3 by Google, uses pop-ups (which I blocked) and laughably claims "Just after using ad-aware, i tried this product and found 768 components which were missed by ad-aware." I have never seen a system with that many infections, let alone that many after Ad-Aware had scanned it. Never trust a liar!
On firmer ground than my paranoia, VNU reported that Rogue anti-spyware vendor Secure Computer LLC was fined $1m (Dec 2006)
The suit names that Popup Padlock, another Secure Computer LLC product
The article adds: Rogue security software is a popular revenue stream for online criminals. It is often put into a category with fake codecs, where malware is presented as codecs that promise to allow users to play video or audio formats.
This however will shock, scare and upset many of you
In February (2007) VNU reported that MS Live Messenger was running ads for a rogue spyware company!
This one - ErrorSafe (WinFixer) - as I've mentioned is a particularly nasty beggar and I'm really surprised Microsoft didn't come down heavy on them for the egg-on-face factor. I just hope those that let it through get sacked!
The story points out that:
the software is notorious because it often gets installed without the user's permission, and presents false security warnings intended to persuade the user to purchase a licensed copy of the software.
How can you run ads like that without checking the background of the company? The mind boggles!
Mentioned here on McAfee's SiteAdvisor blog and in the video linked below, they are believed to scam around $35 million a year - and that is just based on the evidence found to date!
Zango (previously known as 180solutions)
In an earlier settlement, malware vendors Zango were fined $3 million for their practices. They claim to have cleaned up their act since, but a number of researchers have found evidence to the contrary. Reading between the lines, they are following the letter of the FTC settlement, which, in my opinion, is a shady way of saying "we have found loopholes and are exploiting them".
~ Paul
Links to other good Spyware and related security sites
Get Safe Online
Get Safe Online will help you protect yourself against internet threats. The site is sponsored by government and leading businesses working together to provide a free, public service.
McAfee's SiteAdvisor service also contains information that blacklists websites containing spyware, spam, viruses and online scams - including comments on newly found threats that haven't yet made the rounds of the AV companies.
CastleCops A lot of good information can be found on this security orientated Wiki.
Spyware Sucks blog, run by Microsoft MVP Sandi Hardmeier. Her February 2007 entry on WinFixer and ErrorSafe being distributed via MSN Messenger banner advertisements makes for a good read. Someone should have been strung up for that. That said, Google are continually running adverts for scams, fraudsters, copyright fiends and con artists. They seriously need to clean up their act too. All very well them playing the righteous, heavy-handed father with (AdSense) publishers when they can't keep their own house clean, eh!
Precise Security has some good advice and seems to keep current with warnings
Forums…