Want to know where Microsoft’s virtual server tech is going, or are you
just a VMware bigot? If the former, here’s the skinny: Virtual Server
2005 will ship by the end of the year and will be
, which supports some Longhorn server technologies.
After that, Virtual Server will support new hardware virtualization tricks from
AMD and Intel. More details here.
I applaud this effort, but price and availability is only one concern; keeping
third-world PCs actually running is another. What good is a $100 machine if
it’s brought to its knees by viruses and spyware?
“I had a home network of four to five computers for development
work on Windows and Linux, plus my kids’ computers. It got to the point
where I spent 30 or more hours a week on home tech support (viruses, spyware,
Trojans, hijackers, Windows versions not playing well together, rebuilds and
reinstallations) and couldn’t put 40 hours into my paid telecommuting
work. Then I found a fix. Everything that used to run on five computers now
run on two, I don’t get malware, everything works, I spend zero hours
on tech support, I never reboot, and life is good.
I bought Macs, specifically a PowerBook for me and an eMac for the kids.
I run Mac OS X, Linux, and three kinds of Windows (98, 2000, XP) on the laptop.
The only things that ever crash on the Mac are MS Word and MS Virtual PC.”
-- Bayard
"I’m a reader of Redmond Report and read your story about spyware
and the attempted removal thereof.
I have some suggestions that may or may not help you:
The first being Norton and McAfee are not worth their weight in salt for
spyware and malware detection and/or removal. I had used over 30 different
products (trial versions) to remove an ActiveX script my wife had contracted
during a Web site visit. She knew immediately as soon as she clicked on the
link that she was in trouble. Within seconds there were numerous Trojans,
spyware and malware tools installed on her machine.
Keep in mind, installed on this machine and running were Lavasoft’s
Ad-Aware, Norton Internet Security (with updated definitions for viruses and
spyware), and the new [firewall] beta that Microsoft bought from the spyware
detection company Giant. I thought I was fully protected against electronic
diseases and realized that virus tools are great for virus detection but not
spyware. I’m still pondering on the reason Giant allowed this type of
activity when it’s supposed to prevent it. All of the files found were
listed as files that would be removed by all of the majors previously listed.
The second is the fact that it takes multiple pieces of software to removal
all traces of different spyware and malware software. These are my recommendations
after six days of research and trial-and-error of trying to remove these 'utilities.'
Ewido Security
is great at finding Trojans but nothing else.
Spybot finds most spyware
and most trojans but not all.
Spy Sweeper
found all of the remaining spyware and Trojans. I assume it would have
found the same as Spybot, but I’m not willing to attempt a reinfection
to test this theory.
This is a useless link in my opinion
but thought you might want to experience what software shouldn’t do!
The last suggestion I have for you is to put something in place that will
prevent this type of malicious software from being installed in the first
place.
The last
link will provide some great utilities for prevention and detection as
well. This is the best of the best freeware and shareware, and there are a
couple of really decent utilities that will help you prevent a reoccurrence
of your scenario. I hope you find these utilities as effective and useful
as I’ve found them."
-- Phillip
"I, too, have spyware sponges. I use Virtual PC with undo on. This
way, all changes to the virtual hard drive are dumped each time I reboot the
machine and all the sponge's clicks on 'OK' in the insidious 'You've just
won' popups or blanket DIVs that so many sites now employ are expunged."
-- Dave
" I would make a VMware (or Virtual PC) image before handing the
PC to spyware an attractive target. Turn on snapshots, and if there’s
a problem, roll back to a previous snapshot. Makes it easier to move the user
to a different PC, too."
-- John
"I read your Redmond Report item 'Spyware Never Sleeps' on Aurora
spyware. Aurora is part of a group [of spyware] from Direct Revenue that includes:
ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and
Search Assistant. One can prune the registry and delete keys manually, but
… I’ve discovered that Aurora changes the file names of the files
it uses to reinfect the host. In this respect, I think, therefore, that it’s
similar somewhat to a 'polymorphic' or 'mutation engine' virus that can modify
itself with each new infection. Aurora also apparently hijacks some legitimate
running processes.
I have a user [whose computer is] perpetually infested with this Direct
Revenue group of spyware and am going to reformat. I’ve wasted way too
many man hours (cumulative days) using software (Spybot) and manually pruning
registry keys and files, only to see the spyware regenerate within one minute
of reboot. Have you found software that deletes Aurora permanently?"
-- Robert
"The answer is very simple. Here in Belfast we have a shop called
B&Q, which is a hardware/home/garden improvement type of place. Now, in
there they sell nice handy lengths of timber. Sand one end until it’s
rounded and provides a nice tight grip, allowing both hands to hold roughly
4 feet of 6x4.
Find out from the local authorities who the onion is that wrote the spyware
code. Go around to his/her (you never know) workplace or home using transport
of your choice, preferably a low-budget airline or bus as we are already out
the price of the lumber. Apply the said piece of timber several times to the
body of the numpty who is responsible for causing this irritation. Before
he/her loses consciousness try to find out anything about his/her contacts
and pass this info on to like-minded people you know. Hopefully, this will
mitigate the cost of the timber and transport by spreading it about and eventually
these people will give up their activities since it’s hard to type with
broken fingers.
Incidentally, in order to comply with health and safety regulations, it
may be prudent to wear some form of protective gloves and a visor just in
case some loose splinters fly about."
-- Kevin
"I recently assisted a customer in removing 20 Trojans and numerous
spywares on her system. The application that I found most useful, besides
HijackThis, Spybot-S&D, Ad-Aware, Microsoft AntiSpyware and Bullet Proof
Soft was Ewido. This
was a slow process (taking three-plus hours to complete in Safe mode), but
it worked wonders. As there were two separate accounts on the Windows XP Pro
system, I made sure to run the apps under both profiles to catch any lurking
bugs."
-- John
"I suspect most readers of your magazine have a few spyware horror
stories to tell, but I've found a fun and effective technique that has worked
on a number of stubborn magically reappearing processes.
While trying to scrub a machine of one of those processes which reappear
shortly after they're killed, I found that a bit of clever dialog box arrangement
and quick clicking can hose a feisty file and process quickly enough to break
the cycle. Once I've identified the executable file that needs to be deleted,
I open the task manager and find it in the process list. In another adjacent
Explorer window, I navigate to the file in question, highlight it then press
the delete key. With the delete confirmation dialog box up, I move over to
the task manager, and end the process. I move the end process confirmation
dialog box next to the file delete confirmation dialog, and in quick succession,
ok the file dialog then the process dialog, usually with a combination of
mouse click in one and the space bar in the other. With the timing just right,
the file is deleted before the process can kick off again, and the cycle is
broken.
This won't work in every case, but it can jump-start a cleaning session
when the frustration level has reached a fever pitch."
-- Greg
"Run 'ntbackup' and backup system state (known good system). Restore
when needed. Free!"
-- Robin
"You never mention which three anti-spyware tools you used. I general
use three or more spyware removal tools: Spybot Search & Destroy, Lavasoft's
Ad-Aware Plus, and Trend Micro's Anti-Spyware. I also use Avast
anti-virus software that also finds malicious spyware. They also have what
they call their BART CD (Bootable Antivirus & Recovery Tools CD). Give
those a try and if you've used any of those, well best of luck to you!
Oh, and by the way, may I suggest you install Firefox on your son's computer
and remove any links or shortcuts to IE."
-- Charles
"So your 9-year-old manages to find lotsa spyware, eh? Yeah, my sister-in-law
still thinks that replying to spam messages to ask to be taken off the list
will decrease the amount of junk in her inbox, no matter what I say and history
reveals. Ugh ...
Nonetheless, I gotta tell ya that it’s so much easier to keep spyware
from ever entering the box then cleaning it up afterwards. Two of the best
ways to do this are: Javacool's
SpywareBlaster, which uses the magic ActiveX 'kill bit' to lock out billions
of known spyware programs from ever installing themselves and is updated all
the time; and never logon as Administrator unless you're installing software.
No, it's not a panacea, but just these two steps will probably make a
huge difference in avoiding spyware. Prevention is the key!
Of course, if you want to be all hardcore about it, there are lots of
other things you can do. For example, I only browse with Firefox with the
AdBlock extension and Filterset.G, which prevents ads and spyware-type content
from loading. Then, I run a couple of other anti-spyware programs, including
Lavasoft Ad-Aware and Spybot-S&D, both of which have some preventative
measures as well. And I'm looking into downgrading my IE and Firefox process
privileges, since I'm usually logged in as an administrator, and domain privileges,
when at work."
-- Eric
"I had the same problems except that it was my wife who caused the
trouble. (Lots of tension followed, of course!) The solution that I found
took a couple of days and involved using HiJackThis and posting the results
on TomCoyote Forums.
There are some VERY generous souls who patrol these forums and look to
help the novice spyware-infected unfortunates. I’m extremely grateful
for the help that I received and was lucky to have stumbled into this Web
forum."
-- Bill H.
"I've got a much better way than manually scrubbing or reloading
a machine in the wake of your 9-year-old.
Schools, libraries and other computer labs often use a program called
Deep
Freeze. This allows users to make whatever mischief they think they can
get away with, after which the admin can restore the computer to its original
system state. Some labs have the systems automatically rolled-back every night
to make sure everything will be working in the morning."
-- Steven
"Just an idea that nobody seems to be doing anything about: How about
booting a live CD of Windows and using that as your boot volume. All data
could be stored on the local hard drive, but the OS and necessary apps would
reside on the CD, where they couldn't be harmed.
I'm not sure what's available in the way of full-function live Windows
CD creation tools, but if the penguinistas can do it with their OS, why can't
it be done with Microsoft's? I've thought for some time that the only sensible
way to run a computer, in these days of rampant spyware, adware, viruses,
worms and what-not, is to have all your apps and operating system files on
a read-only medium. Maybe it should be a live DVD -- whatever, I don't care.
But you're not going to be altering my programs by installing something bad
if you can't write to the program folders.
If someone had half a clue, this would allow data to be stored where data
should be, separate from code, and outbreaks of malware could be contained.
Come on, rocket scientists, the current model of computer security is BROKEN.
I'm tired of the same old excuses. Give us something better!"
-- Dennis
"I use several techniques to address the problem of spyware, aside
from two spyware scanners. One is to use a removable disk tray like those
from Addonics
-- this way, I keep a separate drive for the kids, which I can reformat as
needed and keep a drive for myself that I keep locked way from the kids. Another
is once I get the machine set up the way I like, I create an image using Acronis
True Image that I write onto several CDs or DVDs. That way I can easily re-create
a drive as required.
Of course, I also disable every service I can as well as keeping my computers
behind a NAT router and enabling software firewalls on all of them.
This doesn’t stop everything, but it helps."
-- Charles
"Regarding your 'Spyware Never Sleeps' column, I frequently have
people come up to me at work and tell me about their problems at home and
how their kids have wrecked their PCs. Even the latest and greatest systems
only a couple months old are being brought to their knees with spyware and
viruii in no time. Even when they have seemingly prevented it by reducing
Windows permissions for their kids, it comes back.
Though Ad-Aware is in my opinion the best spyware removal tool around
for its thoroughness and ease of use, there still remains the problem of virii
and grayware that’s not detected. It comes as no surprise, then, when
Ad-Aware keeps finding spyware scan after scan until I remove the virii with
a virus scanner. As this is in itself often a difficult step due to the virii
crippling the installed and online scanners and there being no command-line
scanners for NTFS drives, this adds a whole new dimension to the problem.
(Do you know of a bootable command-line scanner for Windows NX/2000/XP?)
| Subscribe
to Redmond Report |
This column
was originally published in our weekly Redmond Report newsletter.
To subscribe, click here. |
|
|
Two solutions immediately come to mind. The first is what I’ve been
using: Instead of trying desperately to weed out individual components, which
could take hours or even days, I simply pop the case of the PC, plug in a
hard drive at least 4GB, make it the first bootable drive in the BIOS, and
install a fresh copy of XP. After it comes up, I just need the network drivers
and then I can use Trend Micro’s HouseCall and download a fresh copy
of Ad-Aware. I can get 99 percent of the junk off the system this way. After
that I just remove the hard drive and viola, clean PC.
The second solution isn’t ready yet, though. I’m preparing
a BartPE (http://www.nu2.nu/pebuilder/) disk with Ad-Aware and AVG on it so
I can just boot from CD to clean the hard drive. The only caveat with this
is that I have to keep updating the patterns. I could pull it off the network,
a floppy or flash drive. It’ll still be faster than cleaning the PC
manually or popping off the cover, and I’ll probably be able to update
the pattern even from an infected PC."
-- Stephen
"Wow, you admit to having had an AOL account? I thought that was
career suicide in the IT field. My bad."
-- John
"Sorry, but I don't have any better solutions because I’ve
done the exact same things that you’ve done! The main thing I’m
doing is educating my 9- and 12-year-olds about spyware and adware. They’re
amazingly savvy about this sort of thing -- much more than the adults at work!
One helpful thing would be a list of Web sites that they go to that put
spyware on the computer. My kids go to these online game sites that use Java
stuff to play games online. My paranoid, conspiracy-theory mind leads me to
think that these people who create spyware are using these sites made for
kids to spread their malfeasance. I’ve warned my kids that if it continues,
I will be forced to take Internet privileges off of their computer. That definitely
got their attention!
Anyway, nice blurb in the newsletter about this! Any further info you
gather would be great to hear!"
-- Juan