Anti-Spyware Tips And Tricks

Have a network riddled with spyware? Get the straight dope from IT managers and security consultants about the best anti-spyware products, links to favorite anti-spyware information and software, and how

May 12, 2005


Anti-spyware technology isn't keeping up with the spyware threat, according to Security Pipeline readers.

When I put out a call for spyware information a couple of weeks ago, IT managers and consultants came back with highly useful advice on the best anti-spyware products, how they tell if your system is infected, and what to do about it if it is.

Readers said that anti-spyware products aren't accurate; they need to use two, three or even four products in combination to detect all the spyware on a system, and even then they're not sure if they got everything. Many systems managers are forced to go into the Windows Registry and Task Manager by hand and edit out rogue processes and settings.

Five products recurred in the recommended-use list: Microsoft AntiSpyware, Spybot Search & Destroy, Lavasoft Ad-Aware, Webroot Spy Sweeper and HijackThis. But readers praised other products as well.

"Technology has a long way to go to keep this trash off business computers," said reader Bob Hunter. "I run ZeroSpyware 2005 on my desktop at work - but I still get spyware. I have to go into safe mode and run Ad-Aware, then Spybot Search & Destroy, and finally HijackThis. Even then, I am sometimes forced to search my registry. And this is all with Windows XP SP2 Professional, fully updated."

Brian J. Bartlett, systems engineering/security, PearTree Associates: "On the machines that I disinfect I use a combination of at least two tools to detect spyware. I use various other tools to find hidden processes and registry keys. The Sysinternals site is great for these. Given the current state of the art in terms of tools this is about the best that can be done, although that is cold comfort for the average home user out there, who has no clue what a normal task list looks like, let alone what parts of the registry to go spelunking in to find the culprits."

Chip Burkitt said his pet peeve about anti-spyware is that it identifies too much software that isn't running. He explains: "When it comes to trojans, keyloggers, and the like, I don't care if it's running or not; I want it out of there. But who cares about a little adware app that got left behind when you uninstalled some supposed freeware utility that turned out not to be very useful? The uninstall didn't clean everything up, and now you've got a bit of junk lying around taking up space but not doing any other harm. Should it really be called spyware?"

He said Spybot catches all running spyware, in his experience.

Burkitt continued: "I've had nastyware that ran in pairs; if you killed one, the second piece would reload the killed process before you had a chance to kill the second one. I've also seen 'em mutate so each time they load they have a different process name. I also had one that would install itself in a randomly selected system folder (e.g., %SYSTEMROOT%\system32) with an innocuous-sounding name, then if you deleted it, it would re-install itself under another system folder with a different innocuous-sounding name. I've tried other anti-spyware after running Spybot S&D and gotten hits, but when I check on whether the spyware is actually RUNNING, it turns out not to be.

"I use Spybot S&D and HijackThis to keep my systems clean. I also browse my process list every now and then just to make sure I know what's supposed to be there. I know some spyware can hide from the process list, but most don't, so I think it pays to know my process list. I also periodically scan my system's ports to see if any are open that shouldn't be. And I'm not even paranoid.

"I also use Spybot S&D and HijackThis on clients' systems to check for nastyware that their antivirus software doesn't catch. Used together, I find them to be very effective. If the spyware won't let me kill it, I boot in safe mode or from CD and kill it that way."

Cletus Piper said he coordinates 10 offices and about 150 users for a large non-profit organization. He said he started using Microsoft AntiSpyware, and was at first gratified to see how little spyware it found. Then he tried Sunbelt Software Counter Spy and found that Counter Spy discovered several spyware programs that Microsoft missed. He later added Spy Sweeper to his toolbox, and said that Counter Spy and Spy Sweeper together are the best products he's found.

Buz Allen said: "I own my little computer company and work out of a dedicated workshop behind my house in South Mississippi." He said he makes a respectable income "debugging computers that are stopped up and constipated with spyware, cookie programs, and other junk."

He added: "The price for debugging and Windows Updates and other things runs less than $150 in most cases. Some may think this steep. On the other hand, most of these units were completely unusable when they came here. They returned in a nearly new state with the speed greatly increased, making the owners very happy.

"I use a mixture of four to five programs in my efforts to relieve most PCs from their sorrow. On several occasions, I have dumped over 2,300 cookies, malware, trojans, browser hijackers and the like from hard drives. Sometimes it's just a challenge just to get the computer to boot in a normal manner. Of course, safe mode only allows a basic number of drivers to load so many system functions aren't available in safe mode.

"Window Washer is one of the best cookie malware removers I have used, in conjunction with Ad-Aware and Spybot. It's a sure thing you're on the right path to success. But another program that I stumbled upon that's a wonder to me is PestPatrol. That one found over 2,000 programs on one PC alone! Last but not least is Advanced Registry Optimizer. It's user-friendly, and it's great for re-organizing your registry files with backup, optimization and registry defragmentation."

Some additional advice from Allen:

- "Ad-Aware and Spybot work well, but you have to be savvy using these programs. Many Quicken files appear to be malware files to Ad-Aware and Spybot.

- "You learn as you go here. If you're good enough, download HijackThis. But be warned, this is death if you don't know what you're doing.

- "Buy a jump drive or other external data storage backup and use it before you dump anything. Some programs have back-up and restore and some don't. Read everything you can about the programs you use. Utilize and take on-line courses. Educate yourself."

Jason McFall said: "I have this habit every day or so going through the services on my Windows 2000 machine. If I can't remember what the service is for, I look it up on the Internet. I have found more malicious crap this way than any other way. I regularly export the entire registry to a new file and compare it to an older version. If I find something I don't like, like 'Search Optimizer' or '180Search,' I start deleting off the hard drive and out of the registry, even though that can be dangerous."

Misti Balcom, systems administrator for William A. Smith & Son, said: "I am the system administrator of an insurance agency. I walked in the door Monday morning bright-eyed and ready to take on the world. Ten minutes later, I was battling seven trojans and a mass of spy/ad/malware on one PC."

She added, "It is now Thursday. Yesterday, I stopped fighting the little buggers, and reformatted the drive, reinstalled XP Pro and just finished reinstalling all the programs needed for the user's job.

"The point? I run not one, but three anti-spyware programs and Symantec AntiVirus Corporate Edition. They all found these digital monsters and they said they were deleting or quarantining them, but the malware kept coming back (even after running the PC through safe mode gauntlet)."

She said she uses Spybot, Ad-Aware, and Microsoft AntiSpyware, and is evaluating Webroot Spy Sweeper.
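McFall's habit of exporting the registry and comparing it to an older export can be scripted. The following is an added example, not code from the article or its readers: it parses two regedit export texts and reports what was added, removed or changed under autostart and service keys. The watched-key list, function names and sample exports are assumptions constructed for illustration.

```python
import re

# Autostart locations to review first (assumption: a small, well-known subset).
WATCHED = ("\\CurrentVersion\\Run", "\\Services\\")

def parse_reg(text):
    """Parse regedit export text into {(key, value_name): raw_data}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex(...) continuation lines
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, None)] = ""  # record the key itself
        elif key and not line.startswith(";"):
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                name = m.group(1)
                entries[(key, name if name == "@" else name[1:-1])] = m.group(2)
    return entries

def diff_exports(old_text, new_text, watched=WATCHED):
    """Return (status, key, value_name, data) for changes under watched keys."""
    old, new = parse_reg(old_text), parse_reg(new_text)
    report = []
    for k in sorted(set(old) | set(new), key=str):
        in_scope = any(w.lower() in (k[0] + "\\").lower() for w in watched)
        if not in_scope or old.get(k) == new.get(k):
            continue
        status = "ADDED" if k not in old else "REMOVED" if k not in new else "CHANGED"
        report.append((status, k[0], k[1], new.get(k, old.get(k))))
    return report

# Constructed sample exports (not from the article).
OLD = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="C:\\Program Files\\ExampleAV\\av.exe"
"""
NEW = OLD + r'''"ExampleToolbar"="C:\\WINNT\\system32\\extb.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"=hex(2):63,00,3a,00,5c,00,\
  78,00,00,00
'''

if __name__ == "__main__":
    for row in diff_exports(OLD, NEW):
        print(row)
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16, so read them with `encoding="utf-16"` before passing the text in.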
