Dr. Dobb's Journal, June 2005
The Spyware menace has gone beyond all reason. Spyware costs time and money. It costs you directly, and it destroys Aunt Minnie's confidence in the Internet. Something must be done; indeed something will be done because if things go on as they are, the Internet itself is doomed.
And yet, despite the increasing Spyware/Adware/Malware assaults, there are spyware companies out there with lawyers sending warning messages to anyone who calls their malware by its right name. See, for example, the story at http://www.ahbl.org/notices/iSearch.php.
We have tools that can partially protect us against this plague, but they don't entirely work, and they take time and effort to use. Meanwhile the lawyers are having a field day defending the rights of their clients to invade and take over your computer. They claim that you have agreed to let them do it, and they have every right.
Here is a typical "license agreement" that supposedly sane users have in theory "accepted":
2. Functionality: Software delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages. iSearch is able to provide you with Software free of charge as a result of your agreement to download and use Software, and accept the advertising and promotional messages it delivers.
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it's [sic] partners, in the form of pop-up ads, pop-under ads, interstitial ads and various other ad formats, display links to and advertisements of related web sites based on the information you view and the web sites you visit; store nonpersonally identifiable statistics of the web sites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party web sites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.
In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.
I submit that no one in his right mind has ever agreed to this; that the only way it was "agreed" to was by stealth, not through anything like informed consent. There may be, out among the Aunt Minnies of this world, one or two who actually saw something like this and "agreed"; but how many DDJ readers would accept such a thing?
My own case is illustrative. I had a report from Associate Editor Dan Spisak on his not very successful attempts to remove the iSearch Toolbar and a number of other infections from a friend's machine. He tried everything, and in the course of his efforts discovered that, while it goes without saying that Internet Explorer was hijacked, even the Firefox browser was affected.
I collected notes on this and other spyware subjects in OneNote on my TabletPC, then started another column section on Bill Gates's recent speech at the Governor's Conference. When I did a Google search for a particular quote to use, I found one likely source at a place called "Study World." Fair warning: If you want to go look there, set your browser security level to HIGH and don't agree to anything.
When I went to that location, up popped a warning from Microsoft that I didn't read closely, and in a moment of sheer madness I clicked OK. Microsoft Anti-Spyware instantly popped up to warn me that something was trying to infect my system. Other warnings came thick and fast. Meanwhile, though, my Internet Explorer browser changed home pages. Popup advertisements of every kind began to appear. My system was in real trouble.
Microsoft Anti-Spyware said it was blocking this and that (about six messages, all stacked). I told it in each case to block the stuff, and I closed the browser. Eventually that flurry of messages stopped, but when I ran Microsoft Anti-Spyware, it found I was infected with WinTools, Toolbar Websearch, Network Essentials Browser Modifier, and CYDOOR adware. Microsoft Anti-Spyware offered to remove them, trundled, and then said it had removed them. Then Microsoft Anti-Spyware wanted me to reset the machine.
I wasn't sure I wanted to do that just yet. Suspiciously, I ran Microsoft Anti-Spyware again. It produced precisely the same result, finding the same infections. I ran AdAware and Spybot Search and Destroy. They didn't find anything wrong at all. Clearly, the infection had managed to bypass or compromise all my antispyware tools.
Now I was sure I was in trouble. I quickly opened a command window and used XCOPY to copy off to a thumb drive all the files in the places I keep documents, using the /e/s/d/y switches to get only those I hadn't backed up recently. (I keep batch files for just that purpose.) With that done, I was ready to battle for possession of my machine.
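The kind of batch file the column mentions for that quick copy-off, written here as an added example (it is not Pournelle's own file). It uses the XCOPY switches the text names, plus /I and /H; the thumb-drive letter E:, the DocBackup folder name and the three source folders are assumptions, so adjust them to the places you keep documents.

```batch
@echo off
rem Added example, not the column's own batch file: an incremental backup
rem of document folders to a thumb drive with XCOPY, using the switches
rem the text names. Assumed values: the thumb drive is E:, the backup
rem folder is E:\DocBackup, and the three source folders listed below.
setlocal
set "DEST=E:\DocBackup"

rem /E  copy subdirectories, including empty ones (/S alone skips empty ones)
rem /D  copy only files newer than the copy already on the destination,
rem     which is what makes repeated runs incremental
rem /Y  overwrite without prompting
rem /I  treat the destination as a directory, so XCOPY never stops to ask
rem /H  include hidden and system files (desktop.ini, hidden notes)
set "SW=/E /S /D /Y /I /H"

if not exist "%DEST%" mkdir "%DEST%"
if not exist "%DEST%" (
    echo Cannot create %DEST% - is the thumb drive plugged in?
    exit /b 1
)

call :copyone "%USERPROFILE%\My Documents" "%DEST%\My Documents"
call :copyone "%USERPROFILE%\Favorites"    "%DEST%\Favorites"
call :copyone "%USERPROFILE%\Desktop"      "%DEST%\Desktop"
echo Backup finished %DATE% %TIME% >> "%DEST%\backup.log"
endlocal
goto :eof

:copyone
rem %1 = source folder, %2 = destination folder (both quoted by the caller).
if not exist %1 (
    echo Skipping %1: folder not found
    goto :eof
)
xcopy %1 %2 %SW%
rem XCOPY exit codes: 0 ok, 1 nothing new to copy, 4 bad path or disk full,
rem 5 write error. "if errorlevel 4" is true for 4 and above.
if errorlevel 4 echo WARNING: XCOPY reported an error copying %1 >> "%DEST%\backup.log"
goto :eof
```

Because /D only copies files newer than what is already on the stick, the first run is slow and every later run takes seconds, which is exactly the property you want when you are trying to get documents off a machine you no longer trust. The space before each `>>` is deliberate: `%TIME%` ends in a digit, and `8>>` would be read by cmd as a handle redirection.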
The first move was to use Microsoft Anti-Spyware one more time and this time reboot. As I suspected, that did nothing at all: Although Anti-Spyware was very unhappy, WinTools was still in there, complete with the directory Program Files\Common Files\Wintools that WinTools creates and Microsoft Anti-Spyware thought it had deleted. Deleting that directory does nothing until you get the actual program that regenerates it; this is considerably harder because it hides deep in your file system in another directory entirely (in my case it was hiding in the System32\DRIVERS subdirectory, but infections use different hiding places). In fact, eliminating the source generator for the infection files is beyond the capabilities of any automatic program I can find.
Time to go to hell; that is, the web site PCHell (http://www.pchell.com), particularly to http://www.pchell.com/support/wintools.shtml where there are complete instructions for getting rid of the Wintools infection. Well, practically almost: I would never have got rid of this thing without the PCHell folks, and they have my gratitude, but even their instructions didn't do it all. They also led me to the wonderful HijackThis program (http://www.spychecker.com/program/hijackthis.html) which, despite the ominous name, is one great program. While you are thinking about it, go download that program so that it is on your computer. You may never need it, but if you do need it you will want it badly.
The solution to exorcising Wintools involves rebooting in Safe Mode. Once in Safe Mode, open a command window (or Norton Commander) and eliminate any directory called Wintools. Then edit the registry to remove every reference to Wintools. That done, use HijackThis several times. HijackThis will find things you don't want removed, such as the Google toolbar, and offer to do other things you don't want done because its goal is to get your system as close to the default registry configuration as possible, meaning that you want to employ some intelligence when using the program. On the other hand, better safe than sorry. You can always reinstall things you want to keep if you have accidentally eliminated them.
When you run HijackThis, you get a list of registry entries the program doesn't care for. There is an option to check items on that list one at a time and ask for more information. One item might be "This is a change from the default home page for your browser." Another might be a reference to the Yahoo Toolbar. In each case, HijackThis has an option for "fixing" the problem. The fix in general will be to eliminate the registry key, or to restore it to the Windows XP default value.
I let HijackThis fix everything I didn't understand. Once I had used Regedit and HijackThis but before I left Safe Mode, I ran AdAware and Spybot Search and Destroy. Neither found anything but cookies, which Spybot wanted badly to remove for me. Then I ran Microsoft Anti-Spyware, and lo! it found references to CYDOOR, an advertising robot. (CYDOOR has a web site; you can go there and see what they claim to be doing. It won't say anything about stealth infections. Before I went over there I made sure my browser security setting was "HIGH" and I wished there was a level above that; I'd call it "PARANOID.")
I let Microsoft Anti-Spyware remove the CYDOOR references, then I went through the registry searching for Wintool, and found several more references. I think they were pretty well harmless by then, but I deleted them all, and then did a search for CYDOOR, but found nothing. Then I ran HijackThis one more time.
This time, HijackThis found nothing I didn't understand. Neither did Microsoft Anti-Spyware.
All was well. I shut down the system, turned it off, counted to 60, and brought it up again. All is still well according to freshly reinstalled copies of AdAware, Spybot Search and Destroy, and Microsoft Anti-Spyware. If any spyware lurks in here, it's not doing anything. HijackThis lists all running services, and there are none I don't expect.
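The Safe Mode procedure above (find the Wintools directories, search the registry for references, then check the autostart and browser keys HijackThis reports on) can be turned into a single audit run whose output you read before deleting anything. The script below is an added example, not from the column, PCHell or HijackThis; the report path is an assumption, and "wintools" and "cydoor" are the names from this particular infection, so substitute whatever your scanner reported.

```batch
@echo off
rem Added example, not from the column, PCHell or HijackThis: an audit run
rem for the Safe Mode cleanup described above. It only LISTS leftover
rem Wintools/CYDOOR directories, files and registry references, plus the
rem autostart and browser keys HijackThis reports on; removal stays a manual
rem step after reading the report. Assumed: the report path, and "wintools"
rem and "cydoor" as the names to look for (taken from the column's infection).
setlocal
set "REPORT=%SystemDrive%\spyware-audit.txt"
echo Spyware audit %DATE% %TIME% > "%REPORT%"

rem 1. Directories and files anywhere on the system drive named after the
rem    infection. The column found a directory under Program Files\Common Files
rem    and the program that regenerates it under System32\DRIVERS, so the
rem    search covers the whole drive rather than only the obvious places.
for %%N in (wintools cydoor) do (
    echo.>> "%REPORT%"
    echo == Directories matching %%N* ==>> "%REPORT%"
    dir /s /b /ad "%SystemDrive%\%%N*" >> "%REPORT%" 2>nul
    echo == Files matching %%N* ==>> "%REPORT%"
    dir /s /b /a-d "%SystemDrive%\%%N*" >> "%REPORT%" 2>nul
)

rem 2. Registry references in both hives (the Regedit search the column
rem    describes). The reg.exe that ships with XP has no text-search switch,
rem    so the recursive dump is filtered with findstr: a matching key path is
rem    printed whole, a matching value shows only its value line, so re-find
rem    that one in Regedit to see which key it lives under.
for %%N in (wintools cydoor) do (
    for %%H in (HKLM HKCU) do (
        echo.>> "%REPORT%"
        echo == %%H entries mentioning %%N ==>> "%REPORT%"
        reg query %%H /s 2>nul | findstr /i /c:"%%N" >> "%REPORT%"
    )
)

rem 3. Autostart and browser-extension keys, the core of what HijackThis lists.
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    "HKLM\Software\Microsoft\Internet Explorer\Toolbar"
    "HKCU\Software\Microsoft\Internet Explorer\Main"
) do (
    echo.>> "%REPORT%"
    echo == %%~K ==>> "%REPORT%"
    reg query %%K /s >> "%REPORT%" 2>nul
)

echo Report written to %REPORT%
endlocal
```

Run it from the Safe Mode command window before and after each cleanup pass; the two reports side by side tell you whether the generator is still regenerating the Wintools directory, which is the thing the column found no automatic tool could settle. The whole-drive `dir /s` and the full hive dumps take a few minutes on a 2005-era disk, and the script deliberately changes nothing, so there is no harm in running it as often as you like.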
Many Adware/Spyware/Malware programs will direct you to a "removal site," where you can download a program that, they promise, will remove their Adware and restore your system to its pristine condition.
To do that you will have to run an executable program provided by a company that snuck up on you and installed its ware by stealth.
If you think this is a good idea, please contact me. I have a bridge I want to sell you.
First and foremost: When your system tells you something, listen. In this case, I was actually warned that something wanted to install, and I let it, thinking that Norton Anti-Virus and Microsoft Anti-Spyware would prevent any real problems. They didn't. By the time Anti-Spyware got on the job, the damage had been done, and Norton didn't do a thing.
Second: Least done, soonest mended. If you think you've been infected, stop what you are doing and deal with it. Don't give it a chance to do any more damage. Pull your Ethernet connection plug and start disinfecting.
Third: Seriously consider using Firefox rather than Internet Explorer. I say this although there is evidence that some malware understands Firefox. I don't make this an absolute because this malware didn't exploit a hole in Internet Explorer at all. It talked me into letting it install. I am not sure what I thought I was allowing it to do, but I did okay something. I have no reason to believe Firefox can protect me against stupidity. If you let an executable program download and run, browser theft is likely to be the least of your problems.
Fourth: If you are considering participating in various software and music swapping schemes that give any kind of control over your system to the scheme, don't do it. Malware and viruses and worms (oh my!) ride in with those file-swapping schemes. There ain't no such thing as a free lunch. I got bit by a drive-by browser infector. Bringing in file-swapping schemes practically invites infection.
Fifth: Nothing finds it all. The Microsoft Anti-Spyware program is pretty good, but you'll also want to keep AdAware and Spybot Search and Destroy. Don't run them at the same time.
Finally: Well, when you come down to it, it cost me an hour. In my case, it gave me something to write about. But it wouldn't have happened if I'd been doing all this on a Mac or a Linux box.
Earlier this month, Microsoft released Release Candidate 2 of Windows XP 64-bit Edition for AMD and Intel processors along with a confirmation that the product would be released to retail stores by the end of April. If you happen to have an AMD 64-bit processor, such as the Opteron or Athlon 64, then this is the release you will want to experiment with before the retail version appears. We installed it on our NForce3 250-based motherboard without incident. More drivers were included in this release of the OS as it managed to install drivers for the Marvell gigabit Ethernet chipset onboard this time along with chipset drivers. (64-bit XP Release Candidate 1 didn't recognize this chip.)
We can also successfully report that going to the Start Menu and selecting Windows Update now works as it should without giving cryptic error messages. ATI and NVIDIA both have recent builds of drivers available for their video cards and motherboard chipsets for XP 64. Give the current release candidate a try if you have been waiting for a working version of the OS to test. This time it works pretty well.
I had expected the Game of the Month to be the new release of Sid Meier's Pirates!. I very much enjoyed the game on my early Macintosh, and was disappointed when I couldn't get any of the PC or Windows versions to run well. Consequently, when the new one came out, I leaped at it.
Alas, it has been a disappointment to me, largely because there is no game speed control. Now I realize I can jigger one up. I can run it on a slow machine and employ one of those programs that waste cycles, but I don't really want to do that; perhaps it's mere funk. For me, though, the game plays too fast, so that it's more like a shooter than the delightful combination humor/role playing game that the original Pirates! was.
Clearly, my view isn't shared by all. The game has many excellent reviews, and indeed, except for the unchangeable too fast game speed, I found little to dislike. It retains much of the flavor of the old game, but with better graphics. There's a lot to like about it, but I find that it tires me to play it for long. Ah well, back to Everquest II, except that I find I am putting too much time into that.
The first computer book of the month is Kathy Jacobs and Bill Jelen's Life on OneNote (Holy Macro Press, 2004). If you are a TabletPC user, or thinking of becoming one, you'll want Michael Linenberger's Seize the Work Day: Using the TabletPC to Take Total Control of Your Work and Meeting Day (New Academy, 2004). It has a wealth of examples of TabletPC applications and how to use them. If you are building your own equipment, you already know you need Bob and Barbara Thompson's Building the Perfect PC (O'Reilly & Associates, 2004). You'll also want their PC Hardware Buyer's Guide (O'Reilly & Associates, 2005) to help you choose components.
DDJ