Computer security has become a major issue in cyberspace, with spyware running rampant and security holes everywhere you look.
As a service to readers — and as a reminder to myself — I’ve pulled together some preventative steps that can be taken to enhance the security and privacy of your online forays.
I hope readers will add comments to the bottom of this posting in the months ahead to alert other users to additional steps we can take to detect, avert and eliminate spyware.
(1) Computer security
The journey toward computing peace of mind begins with these 14 steps recommended today by my friend Robert Scoble of Microsoft: The layers of security I use to keep criminals at bay. See Robert’s blog for details, but the 14 steps are:
• Install Windows XP Service Pack 2.
• Get a good anti-virus program.
• Get a good two-way firewall on every machine.
• Get a hardware-based firewall or NAT at point of network entry.
• Turn on automatic updating.
• Run the latest email and Web clients.
• Visit www.microsoft.com/security regularly.
• Run at least one good anti-spyware program like Adaware or Webroot’s Spy Sweeper or Spyware Blaster.
• If you visit high-risk Websites, turn off ActiveX and scripting in your browser.
• Don’t run in administrator mode.
• Keep an install partition on each of your machines.
• Don’t allow anonymous users on your wireless network.
• Use better passwords.
• Back up your data regularly.
(2) Fighting spyware, Trojans, hijackers, malware, spamware, and adware
Spyware is basically software that outsiders plant on your computer to capture keystrokes or monitor e-mail, instant messages or Web pages that you’ve visited. The tiny, automated programs then send that data back to the invader’s home base without your knowledge. Spamware and adware place unbidden ads on your computer, especially on startup. Malware is the term for all of these pernicious practices.
Windows XP Service Pack 2 fixes many of Internet Explorer’s security holes but doesn’t prevent spyware from infiltrating your system.
File-sharing sites like Kazaa, shareware sites, adult sites and certain gambling sites are the biggest purveyors of spyware, but even some major U.S. newspapers plant tiny transmitters that track some aspects of user behavior to deliver targeted ads, often without the user’s express permission. Trojans and browser hijackers are even more noxious, overriding the user’s choice of home page and hijacking your browser to visit the perpetrator’s Web site. No reputable company does that.
Some chief culprits
Some of the major spyware/malware offenders include:
• Portalsearching. I wrote about Portalsearching last fall, and have gotten scores of thank-you emails from readers who had lost control of their computers due to this highly offensive program.
• Intelligent Explorer is spyware designed to trigger a large number of search engines whenever you look for something by keyword search. The software then lies in wait and broadcasts information about every site you visit. Clients who receive the info then send you pop-up advertising based on what you’re doing online at that moment. (To eliminate Intelligent Explorer from your machine, IE PlugIn offers uninstall instructions that are somewhat difficult but supposedly work.)
• Xupiter’s auto-installer is malware.
• Spybot Worm is a virus that spreads through AIM and Kazaa.
• Trojan programs like SubSeven, Back Orifice and Netbus allow a black-hat hacker to remotely take control of your computer while you are online in order to view, copy or delete files, steal passwords, or commit other pernicious acts. Some of these can bypass some personal firewalls.
Scanning your system for spyware
Experts estimate that as many as 90 percent of all computers connected to the Internet have some form of spyware on them without the owners’ knowledge. You should run a spyware check of your hard drives at least once a month.
I either use, or have heard positive reports about, the following tools for removing spyware and malware from your system:
• Ad-Aware. Rid your system of adware and spyware with the latest version of this free utility from Germany’s Lavasoft. Over 8.8 million downloads. Here’s a brief PC World review. The Ad-Aware Plus and Professional editions (cost: about $27 to $40) offer additional functions.
• PepiMK Software’s Spybot Search and Destroy. Protect your privacy by removing spybots and replacing them with empty dummies. More than 3 million downloads. Here’s a brief PC World review, and more info on the Siena College site.
• Intermute makes the reliable products SpySubtract, AdSubtract and SpamSubtract, all designed to block the booby traps outsiders attempt to get installed on your machine.
• Hijackthis! is a versatile tool created by Norwegian code writer Merijn Bellekom that can track down problems with your computer. It creates a log of running processes and other information that can be used to track down and remove offending spyware. It sometimes solves problems AdAware and Spybot Search & Destroy can’t.
• PestPatrol is another anti-spyware app recommended by the Chicago Trib’s Jim Coates.
• Spy Sweeper is another reputable anti-spyware application.
• Trojan Remover removes Trojan horses from your hard drive.
• Browser Hijack Blaster lets you prevent Web sites from changing your home page without your permission.
• X-Cleaner. Blogger-reporter Jeremy Wagstaff of the Wall Street Journal writes: “X-Cleaner, from what I can see, is a bona fide anti-spyware program produced in Belgium by a company called Xblock. It has been reviewed in PCWorld and elsewhere, so is probably kosher.”
• Aluria Spyware Eliminator from Aluria Software of Lake Mary, Florida: Download the program, scan your drives for free, but like most of these products you have to buy it to remove the offending spyware (at last word, you get a discount if you enter the word “savings” into the coupon code). Standard price is $30 a year.
• Spyware Doctor offers a free scan and can remove spyware and adware.
• Panda ActiveScan is a free antivirus utility that works within your browser to scan your hard drive.
• PC-cillin Internet Security helps you protect yourself from black-hat hackers, privacy threats, viruses and spam.
• Registry Mechanic for Windows is a “registry cleaner” that lets you safely fix PC registry errors. Free trial.
• WebWasher Classic. Eliminate banner ads and protect your personal information with this freeware.
• More anti-malware programs listed at PC World.
• Spyware-Guide is a legitimate guide to spy and anti-spy software.
Disreputable ‘anti-spyware’ companies
• SpyBan, an “antispyware” program, has been accused of installing spyware, CNET News.com reports.
Browser hijacking or browser trapping
If your browser has been hijacked, it means that your default home page has been changed without your permission. Or, the backspace button has been temporarily disabled by a rogue site. Or, you visit a site and multiple pages suddenly pop up all over the screen.
First, let’s tackle a remedy for the hijacked home page.
The first step is to fire up Internet Explorer, click Tools > Internet Options. In the Home Page Address field, type in your preferred home page, or click Use Blank for an empty field.
Often, this won’t be enough. In some cases, when you reboot, you’re back at the page the hijacker has sent you to. That means they’ve used the Javascript or ActiveX controls on your machine to tamper with your registry settings.
To prevent this from happening again, disable JavaScript. In Internet Explorer, go to Tools > Internet Options. Then click the “Security” tab. Make sure the Internet icon is highlighted. Then set the security level to High. (You can always move the sliding bar lower if you need scripting enabled later on.) See “Additional steps,” below, for other actions you may want to take.
Now, on to the disabled backspace key or multiple pages popping up. James Coates of the Chicago Tribune had this advice in March 2004:
With slight variations, this trick can also cause those nightmares when you click on an address and multiple pages suddenly pop up all over the screen, something just about every Web user has endured.
The ultimate solution is to hold down the Alt key and tap the F4 key to shut the page or pages down and start over.
Sometimes it is possible to use the History tool built into the Web browser to go back a few pages and find the place that sent you to be trapped. This doesn’t always work satisfactorily, however.
Another, even less satisfactory way to move back to before you got trapped is to click on the browser’s address bar, where there will be a list of the major jumping-off points for that session. It’s usually more effort than it’s worth to try to get back on track, however, and the best fix is to just close the browser and fire it up to start over.
The ultimate fix is segregation.
If you want to keep one of these trap sites from tricking you again, just highlight the address at the top of the browser and tap Control plus C to copy it. Now click on Tools and Internet Options, then select the tab called Content.
Select Enable in the first box on the Content menu and you will get a command called Approved Sites. Now use Control plus V to paste the address in the supplied box. This lets you click a box to never allow that page to display again.
It’s a lot of trouble, but it does solve your problem.
You can find details about the rogue Web page programming commands called “onLoad” and “replay” that let creeps trap browsers at this delightful site.
Misleading alert messages
Many users have seen a dialogue box that pops up on screen alerting you of hidden spyware on your PC and offering a free download to eliminate it. Don’t do it. This is nothing but a trick by the spyware scam artists themselves.
Coates had this advice in January 2004:
Whenever a box pops on the screen, keep your fingers off the mouse and tap Alt + F4 on the keyboard (or Apple-W on an Apple computer). This command closes the most recently opened window and so eliminates these kinds of trick-bag message boxes. To get a solid view of the big picture, check out www.spywareinfo.com.
A filtering solution
A friend, journalist-blogger Bob Dunn, writes to say:
Another fairly painless way to deal with crap such as parasites and spyware is to filter them out automatically with your host file.
This is a plain-text file that your browser references. You can trick it into essentially returning nothing instead of allowing content from bad sites to make it onto your screen.
There are several pre-fabricated host files out there, whose owners have already gone to the trouble of researching offenders such as portalsearching and doubleclick.
Here’s a link to a good one, with easy instructions on how to use it.
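To make the host-file approach concrete, here is an added example (not part of the original post or of Bob Dunn's note) that parses a hosts file and reports which names are blocked, which are pointed at some other address, and which lines are malformed. The sample file is constructed; names ending in .example are placeholders, and ad.doubleclick.net stands in for the ad servers mentioned above.

```python
import ipaddress

# Constructed sample hosts file (not from the original post). Names under
# .example are placeholders; ad.doubleclick.net stands for the ad servers
# the post mentions.
SAMPLE_HOSTS = """\
# hand-maintained block list
127.0.0.1    localhost
127.0.0.1    ad.doubleclick.net  ads.tracker.example   # two names, one line
0.0.0.0      www.portalsearching.example
203.0.113.7  www.bank.example    # not a loopback address
not-an-ip    broken.example
"""


def parse_hosts(text):
    """Return (entries, bad_lines); entries maps lowercase hostname -> IP."""
    entries, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(lineno)             # first field is not an address
            continue
        if len(fields) < 2:
            bad_lines.append(lineno)             # address with no hostname
            continue
        for name in fields[1:]:
            # Keep the first mapping seen for a name; later duplicates are ignored here.
            entries.setdefault(name.lower().rstrip("."), str(ip))
    return entries, bad_lines


def classify(ip_text):
    """'blocked' if the name maps to this machine or to 0.0.0.0, else 'redirected'."""
    ip = ipaddress.ip_address(ip_text)
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"


def audit(text):
    """Sort every non-localhost name into 'blocked' or 'redirected'."""
    entries, bad_lines = parse_hosts(text)
    report = {"blocked": [], "redirected": [], "bad_lines": bad_lines}
    for name, ip in entries.items():
        if name != "localhost":
            report[classify(ip)].append(name)
    return report


def lookup(text, hostname):
    """Hosts entries match whole names only: no wildcards, no parent domains."""
    entries, _ = parse_hosts(text)
    ip = entries.get(hostname.lower().rstrip("."))
    return classify(ip) if ip else None


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_HOSTS).items():
        print(kind, names)
    print(lookup(SAMPLE_HOSTS, "doubleclick.net"))   # parent domain is not covered
```

An entry in the "redirected" list sends a name to an address other than your own machine, so it deserves a second look before you trust a downloaded hosts file.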
The exe file and dialer scam
Related to browser hijacking is the scam involving dialers that kidnap your browser and reconfigure it so that your default dial-up ISP is changed to an overseas or 1-900 number. The charges are considerable — up to $7 per minute.
Never download or open an “exe” file from the Internet unless you are completely certain of the source’s legitimacy. Commodon Communications has additional details here.
For user horror stories involving dialers, see Iggy’s Consumer Alert page.
Some dialers and so-called adult “browser enhancements” that have downloaded and installed themselves in Internet Explorer as ActiveX controls may be viewed using this method:
1. Select Tools > Internet Options > Settings > View Objects
2. Select View > Details
3. Double click each item in the Program File column. Be suspicious if you see the word “dialer” in one of the fields of the General tab, or if there are very few or no details in the fields of the Version tab.
For details on deleting an ActiveX control, Microsoft offers removal instructions here.
Oversize browser windows and exitless consoles
Here’s some good advice from Angelfire:
Another favorite trick of desperate spammers is to open oversize windows or exitless windows. An oversize window by virtue of its size hides its close icon off-screen, as well as covering the Windows taskbar and system tray. The exitless console may or may not be oversize, but its main ‘feature’ is that there are no buttons, menus or even a close icon to allow you to close the window with your mouse.
The main aim of both of these types of windows is to allow more time for the graphics and other junk to completely download and to increase exposure time to any ads or links on these pages.
Incredible as it may seem, the spamdick webmasters who employ these methods seem to think that a surfer is going to be more likely to join a paysite or click trash links after being assaulted by these methods, which border on hijacking.
A tip to remember should you come across an exitless or oversize window is that even if the close icon is hidden or absent, it can still be closed by pressing Alt + F4 together (as you normally can with any window).
Another tip worth remembering is that even if the console/window has no ‘Stop’ icon you can usually still halt the loading of images and HTML by pressing the Esc key on your keyboard.
Disabling Javascripting will prevent both oversize and exitless consoles. Yet another reason NOT to have Javascript enabled while surfing adult sites!
Other malware tricks
Here are other malware tricks — and how to foil them — as outlined by Angelfire.
Time-delay Redirect Hijack
Ever been at a particular site, gone to another window, then on return found yourself at a completely different site? It is simple for a spammer to redirect you to another site (usually one that pays him a penny for the redirect) after a time delay or after a period of user inactivity (i.e., no mouse clicks detected in the window). Disabling Java scripting will prevent ‘no-activity’ redirects but it WON’T prevent ALL timed redirects – it pays to watch your address bar.
MouseOver and Right-Click Tricks
Again, these are methods used by the truly desperate of penny-collecting spammers. The MouseOver involves redirecting you or opening a new window when you bring the mouse cursor above a link or picture, without even needing a click! The Right-click trick involves the spammer using Java script to reprogram your mouse so that instead of bringing up the normal gray menu you are hit with a redirect or pop-up.
Back Key Hijacking
Otherwise known as mouse-trapping and sometimes (probably incorrectly) called circle-jerking, this involves altering the browser window’s use of the Back function so that clicking the Back icon or pressing the backspace key simply reloads the same page. The idea is to trap you at the spammer’s page while increasing his hit count, which the extra-sleazy of the spammer brigade use to move up in popularity lists (toplists).
Hit-and-Run Pop-ups
This type of pop-up once opened immediately minimizes itself, so that if you’re not paying attention (or have a super-fast computer) you don’t notice it until later, by which time it’s had enough time to completely load its graphics and other junk.
Circle Jerking
This sleazy technique involves promising the surfer free movies or pictures by clicking on links. However this does nothing more than open another window full of links (usually in the form of so-called ‘toplists’) which again promise the same. The end result is that the surfer simply goes around in circles, gaining nothing with each click except helping the spammer(s) to pennies and nickels via all the instant and exit pop-ups and redirects that these trash links load with each new window.
Disabling Java scripting will prevent most of the tricks described on this page.
More ways to protect yourself
In addition to the steps outlined above, you may also want to disable Javascript and ActiveX. If your home page or search page preferences are hijacked every time you reboot, you can undo the rogue site’s actions by following these steps (caution: a single misstep can create problems for your PC):
1. Click Start > Run
2. Type in C:\windows\regedit (assuming your Windows is installed in C: drive) and click OK
3. Click Edit > Find
4. Type in the name of the website that has hijacked your settings e.g. bessybug.com or globesearch.com and click OK. A “Searching Registry” dialog box should appear.
5. Double-click an entry that contains the website name you entered if it appears at the right-hand side of one of these names:
Start Page
Search Page
Search Bar
Search URL
SearchAssistant
6. In the Value Data field of the Edit String dialog box, type the name of the website you prefer for search or home pages (or simply leave blank and change later through Explorer)
7. Repeat steps 5 to 6 as necessary.
8. Click OK and exit Regedit. Go back to Explorer and check that the new settings have been accepted and are correct.
I haven’t done this, so don’t email me if this solution doesn’t work (but feel free to post below).
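A read-only way to do the search in steps 4 and 5 before touching anything, as an added example that is not part of the original post: it scans text in the layout printed by the Windows `reg query <key> /s` command and lists the values whose data mentions the hijacking site. The sample output and its key paths are constructed for illustration, and the function name is hypothetical.

```python
import re

# Value names from step 5 of the procedure above, compared case-insensitively.
WATCHED = {"start page", "search page", "search bar", "search url", "searchassistant"}

# Constructed sample in the layout printed by `reg query <key> /s`
# (key path on its own line, then indented "name  type  data" rows).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://www.globesearch.com/start
    Search Page    REG_SZ    http://www.globesearch.com/search
    Local Page    REG_SZ    C:\WINDOWS\System32\blank.htm
    Window Title    REG_SZ    Visit globesearch.com today

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
    SearchAssistant    REG_SZ    http://search.example/assist
"""

# One value row: leading whitespace, name (may contain spaces), type, optional data.
VALUE_ROW = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def find_hijacked(reg_query_text, site):
    """Return {'listed': [...], 'other': [...]} of (key, value name, data) rows
    whose data mentions `site`. 'listed' rows carry one of the WATCHED names;
    'other' rows mention the site under a name the procedure does not cover."""
    hits = {"listed": [], "other": []}
    key = None
    needle = site.lower()
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()                  # remember which key the rows belong to
            continue
        row = VALUE_ROW.match(line)
        if not row or key is None:
            continue
        data = row.group("data") or ""
        if needle not in data.lower():          # same substring match as Edit > Find
            continue
        bucket = "listed" if row.group("name").lower() in WATCHED else "other"
        hits[bucket].append((key, row.group("name"), data))
    return hits


if __name__ == "__main__":
    result = find_hijacked(SAMPLE_REG_QUERY, "globesearch.com")
    for bucket, rows in result.items():
        for key, name, data in rows:
            print(f"{bucket}: {key} -> {name} = {data}")
```

Rows in the "listed" bucket are the ones step 5 tells you to edit; rows in "other" mention the site under a different value name and are shown so you can judge them yourself.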
Additional resources
The Consumer Software Working Group maintains a list of “Examples of Unfair, Deceptive or Devious Practices Involving Software” here (PDF).
The Center for Democracy & Technology offers more information on spyware here.
The Federal Trade Commission maintains a Spyware Workshop Page.
The Center for Democracy & Technology’s Campaign Against Spyware calls on users to send in their spyware stories. If you want to do something about spyware, snoopware, or “trespassware,” this is the place.
JD Lasica, founder of Inside Social Media, is also a fiction author and the co-founder of the cruise discovery engine Cruiseable. See his About page, contact JD or follow him on Twitter.
New Media Musings: Foiling spyware, browser hijackers, dialers
Almost all of these programs are PC only. Are there any spyware foilers specifically for the Mac?
Most malware targets PC users running Windows with ActiveX controls. And so, as the spyware problem isn’t as big in Macland as it is for PC users, software vendors haven’t made it a priority.
However, Mac Security & Spyware Info has a pretty strong list of anti-spyware resources for the Mac. I’ll ask around, and if you hear of other resources for Mac users, please add them below.
Thanks.
Just In Case
For those family and friends running Windows machines I include this link on “Foiling Spyware” by JD Lasica. It's amazing…
My first recommendation: Download Firefox or Mozilla from http://www.mozilla.org and use that as your main browser.
That eliminates ActiveX installation and a host of other problems.
I think you’re missing one thing, if you must stick with IE then remove the Microsoft Java Virtual Machine. A lot of scumware installs use buffer overflows in it, and as Sun stopped MS from doing anything useful to it, updates for the JVM are slow to arrive.
This page has details on how to remove the MS JVM, once you’ve done that, you can, if you still need Java support, install the Sun JVM from http://java.com/
I asked Adam Engst, editor of TidBITS, about spyware solutions for the Mac (since Macs don’t suffer nearly the problem that PCs do with spyware). Here’s what he said:
Honestly, I’ve not heard of any particular spyware for the Mac, so there hasn’t been anything that’s crossed my radar to document what to do. That said, there is this app, which claims to identify spyware on a Mac.
A nice treatise on removing spyware/malware and dealing with other such problems
Freeing ourselves from spyware, hijackers and dialers
Un interesante art
Spy Sweeper Review
Spy Sweeper – Download Spy Sweeper Review Spy Sweeper. Webroot’s Spy Sweeper 2.6 is the most effective standalone tool for detecting, removing, and blocking spyware of all the products we tested.
A really good review of Spy Sweeper can be found at http://www.adwarereport.com/mt/archives/000006.html
Protecting Windows
If you use MS Windows, are a home user, and you have broadband then you almost certainly have a problem with popups, trojans, spyware, viruses and other crap. My sister got a nasty trojan recently, and I haven’t written on this topic for over a
It’s impossible to add additional info. I wanted to provide more good sources to fight against spyware and it treats the message as comment spam. What a shame.
My computer became infected with RBot.p2p networking and although it appears that I have eliminated it(by using Norton System Works, Ad-aware, Spybot, Xoftspy, etc.), my browser window and taskbar appear as if they are from Windows 98 as opposed to Windows XP which is what is running on my computer. I’ve been to the Microsoft website several times as well as Trend Micro’s housecall and nothing is able to restore my XP taskbar and browser window. Any help would be greatly appreciated.
Feel free to add additional suggestions, as long as it’s not spam.
I can’t get rid of this virus/spyware.
Every three to four times a day I get a long horizontal window with no windows (shrink, full or exit button) bars, nothing or out of nowhere audio advertisements would come out of nowhere from rap music, beef jerky commercial, to Jimmy Chow anime?
It would go on for about 3-5 minutes then stop. I would be listening to music or doing something different.
I don’t know what this is or how to get rid of it, do you have any suggestions?
How can I get rid of hijacked without paying anything?
Countries like Canada, Sweden, and South Korea have better, faster Internet connections. People in Japan can download an entire movie in just two minutes, but it can take two hours or more in the United States. Yet, people in Japan pay the same as we do in the U. S. for their Internet connection. Not only do they have the technology for higher speeds, but a larger percentage of people in those countries have access to high speed connections. The United States has fallen to 16th place behind other…