Under Siege - Spyware and God Knows What Else

Oh, and stop using IE. Use Firefox.

And don’t use Outlook. Use Thunderbird.

You had a little gem called “Smitfraud”

I’ve seen 2 or 3 cases of it myself. There’s a smitremove tool that gets rid of it.

I have a few friends who run into this same problem, and it has nothing to do with inherent insecurity in Windows or firewalls or whatever. They download fucking warez and no-CDs and cracks and stuff, get a trojan/virus, and then the floodgates are open.

Using a Mac will protect you from this stuff, but for social reasons more than technological ones - the hackers/crackers/etc aren’t releasing tons of infected noCD patches and executable cracks and infected keygens and stuff for the Mac. They could, it wouldn’t be that hard. I have two friends that work as consultants for a big-shot computer security firm (they come in to audit places like eBay and the Universal Studios lot and stuff). They have coders that know how a Mac could be compromised quite easily if you were to download and run whatever the hell malicious code. But there are lots of folks who do that on their PCs, and then wonder why their firewall didn’t save them.

The vast majority of my clients don’t use “noCD patches and executable cracks and infected keygens.” They browse the net using IE and click on things. That’s all it takes. If someone wants to put out a Mac virus, then they better know they’re going up against 30 yrs of Unix security.

Here’s another link that could be helpful if anyone else has this problem.


The most elaborate viral marketing scheme ever?


SpyAxe is the nastiest thing I’ve ever seen in person. I fixed a colleague’s computer and it took me a while to figure out how to remove it properly.

If they are your clients, would it not be better to get them off IE, or at least configure it in such a way as not having them infected on every site they visited?

I remove most of the spyware and virii I come across by hand. Find out what is running using Norton Process viewer, as many pieces of spyware can hide from Taskman. Then write down all the processes and reboot into safe mode. Or even better reboot using Bart PE. Then search the registry for the processes you found. Make note of any other files they mention in the registry. Remove the reg entries, and then search for and delete the files.

For the most part this works very well. Although if you find they KEEP coming back after you reboot even after this, you should do a registry search for Nail.exe, if it is there remove it. Also you might want to make sure in the registry that your Shell has not been replaced. There are a few bugs out there that replace your explorer.exe with another explorer file that loads more spyware into your system at boot.

I usually send my clients home with a copy of Ad-aware. Even though it is only mildly useful against the worst bugs out there. Which piece of spyware removal software to recommend seems to change monthly. This month the best one for removing the most common nasties is Spyware Doctor. Next month it may be Ad-aware, or someone else. Who knows.

Oh yeah, MSInfo32 is your friend here also. Look for services that just don’t seem right. Look for random letters, misspelled names and stuff that just does not seem to fit (assuming you already know what SHOULD be there). Also search for those services in the registry.
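The manual routine described above (note the running processes, then search the registry for them, and check that the Winlogon Shell is still explorer.exe) can be scripted as a report-only triage pass. This is an added example, not code from anyone in the thread; it only reads the standard Run/RunOnce and Winlogon keys and prints a review list, deleting nothing.

```powershell
# Added example (not from the thread): report-only version of the hand
# procedure above. Snapshots running processes, checks the Winlogon Shell
# value, and lists autorun entries, flagging ones whose executable is
# currently running or is missing from disk. Nothing is modified.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Snapshot of running processes with a readable image path.
$running = Get-Process | Where-Object { $_.Path } |
    Select-Object -Unique Name, Path

# 2. The Shell value should be exactly explorer.exe; anything else gets flagged.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    Write-Output "SUSPECT Winlogon Shell value: $shell"
}

# 3. Walk the autorun keys and cross-reference each entry's executable.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell's own metadata
        $cmd = [string]$p.Value
        # Pull the executable out of a quoted path or the first token ending in .exe.
        if ($cmd -match '^"([^"]+)"')        { $exe = $Matches[1] }
        elseif ($cmd -match '^(.*?\.exe)')   { $exe = $Matches[1] }
        else                                 { $exe = $cmd }
        $exe  = [Environment]::ExpandEnvironmentVariables($exe)
        $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'file-missing' }
        if ($running.Name -contains $leaf)       { $flags += 'running-now' }
        Write-Output ("{0}\{1} -> {2} [{3}]" -f $key, $p.Name, $exe, ($flags -join ','))
    }
}
```

Run it from an elevated prompt before rebooting into safe mode so the list reflects the live system; entries marked running-now or file-missing are the ones to compare against what you already know should be there.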

Which piece of anti-spyware software to recommend? Three of them.
Any three that don’t cost money.