Windows Secrets


Windows Secrets Newsletter • Issue 92 • 2007-01-18 • Circulation: over 400,000


Table of contents 
  • LangaList Plus: More cases of adware running amok
  • LangaList Plus: Tips for a safer, smoother New Year
  • Over the Horizon: Last year’s flaws still plague users
  • Patch Watch: Does your CPU get 100% bogged down?

 
LangaList Plus

More cases of adware running amok

By Fred Langa

Don’t you hate it when software refuses to uninstall?

I sure do. So, today’s issue begins with help in rooting out recalcitrant software. I then cover a free utility, an IE 7 speed-up, and lots more!

Did you catch ‘AntiVermins’? How to uninstall it

There’s nothing more frustrating than software that keeps coming back after you uninstall it. Even worse is software you never wanted in the first place that keeps coming back. Reader Gene Axtell discovered a virulent case:
  • “I recently committed an error in browsing and was hit by a Trojan virus. The virus was Trojan-spy.win32@mx. It took over some of my browser (IE 6) and started showing a virus-removal tool called ‘AntiVermins.’ The software was loaded and launched without my knowledge.

    “I tried to uninstall the software via Control Panel. The uninstall appeared to have worked, upon initial results [but AntiVermins returned]. I use Norton Antivirus, but I was quite surprised and disappointed to hear that Norton has no fix for the issue!

    “I did a search on the Web and found much information about the Trojan. I was very careful not to use just any suggested fix. I finally decided on SpyBot, ran it, and it found a great deal of ‘infections’ on my desktop, including the AntiVermins program that I thought was removed earlier.

    “Since I am a fairly cautious administrator, I also purchased [PC Tools'] SpyWare Doctor. I know that any single program will not see all infections. This was proven yet again. SpyWare Doctor found an additional 250 infections on its first thorough scan and 6 more on its follow up… including the AntiVermins… again!

    “So, Fred, how does one permanently eliminate the AntiVermins program and whatever the Trojan-spy.win32@mx does to a desktop? I’m certain your readers have experienced this and are at least as frustrated as I am!”
There are probably several different things going on here. First, one very common way that Windows PCs can get reinfected immediately after a malware cleaning is via System Restore, GoBack, or similar automatic-rollback tools.

For example, if System Restore previously backed up a virus or other malware (by itself or as part of a corrupted system file), the malware or infected file may get restored when System Restore detects that the original copy has been cleaned or deleted from the system. This is why many antimalware tools recommend at least temporarily disabling System Restore and similar tools prior to cleaning a system. (Need help disabling or otherwise managing System Restore? See Microsoft Knowledge Base article 310405, or this article I wrote for InformationWeek on optimizing System Restore.)

Second, you may have run afoul of a semantic issue with Symantec. AntiVermins is not a virus, so an antivirus tool, per se, won’t be able to help you. AntiVermins is also not a Trojan horse, because it doesn’t enter your system by pretending to be something other than what it is. That means that narrowly-focused anti-Trojan tools also may not help.

So what is AntiVermins? It’s adware. For example, McAfee defines AntiVermins this way:
  • “This is not a virus or a trojan. It is detected as a ‘potentially unwanted program.’ This is an anti-spyware application claiming to remove unwanted malicious spyware programs in an attempt to get you to purchase the full version of the product…”
Webroot SpySweeper (a recommended tool in Windows Secrets’ Security Baseline) is more succinct:
  • “AntiVermins is an adware program that may display advertisements on your system… It may also cause slowing of your Web browser and system performance issues.”
A number of tools can automatically handle AntiVermins, including Webroot’s free-trial versions. (Download a free scanning tool by clicking the Scan your PC for spyware link in the lower-left corner of Webroot’s home page.)

Finally, as for the “hundreds of infections” you found, please note that some antimalware tools try to impress you with how hard they’re working. They do this by playing up even the most minor potential threats (such as routine and harmless cookies) as if they were imminent catastrophes.

Spyware Doctor probably didn’t really find “an additional 250 infections,” but rather a large number of minor or potential threats. It’s fine to remove these minor threats. But just remember that not all threats are equally dangerous, even though an antimalware tool may report them that way.

So, what’s the takeaway from all this?

1. System Restore. Make sure that System Restore (or any similar automatic rollback tool) doesn’t simply restore any malware you’re trying to remove.

2. Flavors of malware. Be aware of the differences between viruses, adware, Trojans, and other forms of malware. Tools that specialize in one form of malware may miss others. Often, running two or more different antimalware tools will catch and cure far more ills than any one tool alone can do.

3. Don’t panic. When you do use anti-malware tools, take the threat counts reported by such tools with a grain of salt: Things are rarely as dire as these tools can make it seem!

Trogladite Software simplifies ‘Send To’

Raphael Altman took the time to remind us of a very handy, free utility:
  • “Re: Restore a missing ‘Send To’ shortcut in Explorer in the paid section of the Jan. 4, 2006, issue: The freeware “SendTo 1.6” allows you to send more or less anything from anywhere to anywhere on your computer. I love it!”
Thanks, Raphael. I agree — it’s a handy little gem!

Is IE 7 too slow opening new sites?

Reader John McLaughlin is frustrated with the performance of the new Internet Explorer:
  • “Do you know of any problems that may cause IE 7 to respond slowly when opening and closing tabs, windows, or download pages?”
Oh, yes, indeed, John. In fact, my first hour or so with IE 7 was very frustrating because of its slowness. But the major speed-sapper turned out to be the built-in Phishing Filter. Once I turned it off, pages loaded at the normal speed again.

Microsoft has recognized the slowdowns that the Phishing Filter is causing. The company released on Dec. 12 a fix for Windows XP SP2, Windows XP x64 Edition, and Windows Server 2003. You can download the patch for free by visiting Knowledge Base article 928089.

Figure 1. IE 7’s Advanced settings let you rein in or disable the speed-robbing Phishing Filter’s settings.

If that fix doesn’t work for you, you can disable the Phishing Filter by clicking IE 7’s Tools button, clicking Phishing Filter, and then clicking Phishing Filter Settings. Scroll down to the Phishing Filter section under Security in the list of options, as shown in Figure 1. To completely turn off the Phishing Filter, click Disable Phishing Filter. To leave the filter available but inactive, click Turn off automatic Web site checking. (That’s the setting I use.) When you’re done, click OK. That’s all it takes!

Alternatively, if the filter is currently active in IE 7, you can right-click on the filter’s icon to disable it. The icon looks like a little window with an exclamation point and is displayed in the browser’s status bar only when you’re loading a new page. When you right-click, a context menu will appear. Select Phishing Filter Settings, then follow the steps in the above paragraph.

Disabling IE 7’s Phishing Filter causes you to lose real-time protection against sites that look legitimate but are actually hacker tricks. If you suspect that a Web page you’re visiting might not be what it seems, click IE 7’s Tools button, then click Phishing Filter, Check This Website. You’ll receive instant feedback on whether or not the site has been reported as a phishing scam.

You can re-enable IE 7’s filter using the same dialog box as described above. There’s lots more info at Microsoft’s antiphishing home page.

When hardware subverts your software…

Reader Chuck Deich found a hardware solution to what appeared to be a software problem:
  • “In reference to ‘What to do when missing NTLDR and Hal.dll‘ in the Dec. 7, 2006, newsletter: I recently experienced the ‘missing NTLDR’ error message. After a number of failed attempts to correct the problem using most of the methods discussed in the article, I finally found the solution. Somehow the CMOS setup setting that specifies which hard drive is the boot drive changed. All I had to do was change the setting back to the C: or boot drive. Problem solved!”
A PC’s BIOS (sometimes called “CMOS” because of the semiconductor material it’s made from) stores the low-level instructions and information that a PC uses when it first starts up, before the operating system loads. That stored information includes the number and type of boot devices, and the order in which the PC should activate them.

It’s somewhat rare for the BIOS data to go bad spontaneously, but as Chuck found, it happens: Power spikes, errant software, and (believe it or not) even cosmic rays can corrupt the data stored in the BIOS or in any other solid-state memory, for that matter.

For example, NASA says: “If a cosmic ray passes through a sensitive part of a semiconductor chip, the logical state of the bit (‘on’ or ‘off’) can be flipped…”

So, while this isn’t the first thing you’d suspect when your PC misbehaves, it’s worth remembering to check the BIOS when more traditional problem-solving approaches have failed.

You usually can access the BIOS by pressing a key during system power-up, just after the first wake-up beep. The key varies from brand to brand, but it’s usually the F1, F2, Esc or Del key. (Many sites, including Computer Hope, provide more detailed instructions on various startup sequences.)

How do you know the correct BIOS settings for your PC? Many vendors include a way to return the BIOS to its factory settings, and that can be a good place to start. I use another way: When I get a new PC and I’m sure everything is working the way I want, I access the BIOS and take a photo of each setup screen with a digital camera. That way, I have a permanent record of the known-good settings for that PC. Simple!

Fred Langa is editor of the Windows Secrets Newsletter. He was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others. Subsequently, he edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.

 
LangaList Plus

Tips for a safer, smoother New Year

By Mark Joseph Edwards

Passwords are a constant problem, whether it’s defining a strong one, finding a way to store them securely, or recovering a lost one.

This week, we give advice on how to protect against password theft, disable annoying password requirements, recover lost passwords, and more.


Can on-screen keyboards protect your password?

Keyloggers can be very dangerous if your system happens to become infected with one. They can record every keystroke made on your system, and sometimes they can record other information, such as mouse activity and communication between your applications. Mike Bartlett writes to tell us how he tries to get around these nuisances:
  • “When using sensitive sites such as online banking, I do not use my keyboard, as I am concerned about keyloggers — even though I hopefully have all security bases covered. To add another layer of protection, I use the XP ‘On-Screen Keyboard,’ thereby using my mouse to log in.

    "To find this handy feature, go to Start, Programs, Accessories, Accessibility, On-Screen Keyboard. It’s not quite as convenient as using your normal keyboard, but the extra time spent should give you more peace of mind. I don’t think you can ever have enough security these days, I’m sorry to say.”
Not so fast, Mike! First, you need to remember that there are two kinds of keyloggers: software-based and hardware-based. While using an on-screen keyboard might foil hardware-based keyloggers, it won’t foil software-based keyloggers. This is because some software-based keyloggers are capable of intercepting character keys, even when entered through the Windows on-screen keyboard.

One kind of on-screen keyboard that might offer added protection against software-based keyloggers is the kind driven by HTML or JavaScript. Some banks and merchants offer this sort of authentication mechanism, but it’s not widely used. Even these types of on-screen keyboards aren’t effective against spyware that can record screen activity.

Your best defense against keyloggers is to keep your antivirus and antispyware programs constantly updated. That’ll protect you against keyloggers grabbing your online banking passwords. It won’t protect you, unfortunately, if you use Internet cafés, which you can’t scan for viruses — those PCs are never safe for online banking access.

Disable the standby password

Standby mode is really handy. With standby, you can put your computer to sleep and then wake it up exactly as it was before the system went to sleep. But, as you know, Windows requires you to re-enter your login password when a system comes out of standby mode. Jack Bartlett wrote to ask us about this:

  • “I have computers running WinXP Pro and Home. In Pro, it is possible to edit the Registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    and enter a DefaultUserName and a DefaultPassword. This way, you can avoid entering a password each time you log in. This works fine in Pro when you use standby. In Home, it will always ask for a password to log back in (after standby), even though the only user is ‘Administrator.’”

Jack, there’s a way around that problem for any version of Windows XP. Follow these steps to let your system come out of standby mode without having to enter your password:

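A caution on the reader’s Registry trick: a DefaultPassword placed under the Winlogon key is stored in clear text and is readable by any local account. The following PowerShell audit is an added example, not part of the column or its paid steps; it assumes PowerShell is installed on the XP machine and reports whether a stored password exists without ever printing it.

```powershell
# Added example (not from the column): audit the Winlogon auto-logon values
# the reader describes. A DefaultPassword stored here is plain text and is
# readable by any local account, so the script reports whether one exists
# but never prints it. Run as Administrator if you want to change anything.
param([switch]$Remediate)   # -Remediate clears DefaultPassword and AutoAdminLogon

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $key

$autoLogon   = $props.AutoAdminLogon                      # "1" enables auto-logon
$userName    = $props.DefaultUserName
$hasPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)

"AutoAdminLogon : $(if ($autoLogon -eq '1') { 'ENABLED' } else { 'disabled' })"
"DefaultUserName: $(if ($userName) { $userName } else { '(not set)' })"
"DefaultPassword: $(if ($hasPassword) { 'PRESENT (clear text in the Registry)' } else { 'not set' })"

if ($hasPassword -and $Remediate) {
    # Remove the clear-text password and turn auto-logon off; Windows will
    # prompt for the password at the next logon and on resume from standby.
    Remove-ItemProperty -Path $key -Name 'DefaultPassword' -ErrorAction Stop
    Set-ItemProperty -Path $key -Name 'AutoAdminLogon' -Value '0'
    'Removed DefaultPassword and disabled AutoAdminLogon.'
}
elseif ($hasPassword) {
    'Re-run with -Remediate (as Administrator) to remove the stored password.'
}
```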


 
Over the Horizon

Last year’s flaws still plague users

By Chris Mosby

As the first Microsoft Patch Tuesday of 2007 came and went, the IT community is left to deal with the unpatched flaws that Microsoft left behind.

Once again, we do the dance of patching what we can and protecting what we can’t. We hope no one’s toes get stepped on in the process.


Print Spooler service can cause DoS

The Print Spooler service in Windows (spoolsv.exe) is vulnerable to a remote denial-of-service (DoS) attack. The flaw could allow a hacker to consume almost all available memory on a computer by sending a specially crafted RPC (Remote Procedure Call) request. No admin rights are needed to use this exploit, and exploit code for this flaw is already publicly available.

This hole has been confirmed on a fully patched Windows 2000 system. Other operating systems may be vulnerable as well, but this is still being researched.

What to do: Exploiting this flaw requires a hacker to have access to your computer over a network or the Internet. If you’re using Brian’s Security Baseline, then your hardware and software firewalls should automatically isolate you from this threat.

More information: CVE-2006-6296, US-CERT, ISS, SecurityFocus, FrSIRT, SecurityTracker, Secunia, eEye

Windows hole can leak sensitive information

A flaw in the Windows Client/Server Runtime Subsystem (CSRSS) component, csrss.exe, could allow a local user to read memory in the CSRSS process and/or crash the exploited system.



 
Patch Watch

Does your CPU get 100% bogged down?

By Susan Bradley

Patching should protect our systems first and foremost, but lately I’ve been tracking issues that affect the patching process.

First, some folks were turning off auto-update to ensure they wouldn’t get Windows Genuine Advantage (WGA) or Internet Explorer 7. Now, Microsoft’s very patch mechanism itself needs some help.


When svchost.exe consumes all CPU time

I started tracking the first patch for this issue back in July. Users were reporting that the svchost.exe process was taking 100% of the CPU resources.

The more tech-savvy among us used Sysinternals’ Process Explorer tool and discovered that the culprit was wuauclt.exe, the Automatic Updates client.

KB 914810 was the first patch offered up to fix this issue. Then, a few months later, came KB 916089. This announced itself as a “fix” for the issue. Even then, the patch wasn’t publicly released and could only be obtained by calling Microsoft Product Support.

Now, there’s yet another patch for this same issue, which is discussed on Nick Whittome’s blog. When a Knowledge Base article about this fix is released, the number will be 927891. (An article with that number was not yet live while I was writing this column).
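Process Explorer is the tool the column mentions, but the same question (which services live inside the svchost.exe instance that is eating the CPU?) can be answered from PowerShell. This is an added example, not from the column; it assumes PowerShell is installed and uses wuauserv as the Automatic Updates service name, which the column does not state.

```powershell
# Added example (not from the column): map each svchost.exe instance to the
# services it hosts and rank instances by CPU time consumed so far.
# Win32_Service exposes the ProcessId each running service currently lives in.

# Index running services by the process that hosts them.
$byPid = @{}
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' }) {
    $id = [int]$svc.ProcessId
    if (-not $byPid.ContainsKey($id)) { $byPid[$id] = @() }
    $byPid[$id] += $svc.Name
}

# One row per svchost instance: PID, CPU seconds, working set, hosted services.
$rows = Get-Process -Name svchost | ForEach-Object {
    $cpu    = if ($_.CPU) { $_.CPU } else { 0 }    # CPU can be null if access is denied
    $hosted = $byPid[[int]$_.Id]
    New-Object PSObject -Property @{
        PID          = $_.Id
        CpuSeconds   = [math]::Round($cpu, 1)
        WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
        Services     = if ($hosted) { $hosted -join ', ' } else { '(none found)' }
    }
} | Sort-Object CpuSeconds -Descending

$rows | Format-Table PID, CpuSeconds, WorkingSetMB, Services -AutoSize

# Call out the heaviest instance; if it hosts wuauserv (Automatic Updates),
# the Automatic Updates fixes discussed above are the place to look.
$top = $rows | Select-Object -First 1
if ($top -and $top.Services -match '\bwuauserv\b') {
    "Top CPU consumer (PID $($top.PID)) hosts wuauserv (Automatic Updates)."
}
```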


