Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Non-Scanner Generic AntiSpyware Tools

News See also Recommended Links Recommended Books

Recommended Papers

Softpanorama Spyware Defense Strategy

HijackThis
DDS by sUBs Integrity checkers BHO listers Winsock LSP tools Toolbars Removing Tracking Cookies Blocking spyware sites via the hosts file
Registry
tools
Registry snapshots Registry Monitoring Registry Backup Windows DLL Download Archive - DLL Archive Spyware Removal Using Spybot S&D
Registry Cleaning Windows Process viewers Ghost SDFix SFU 3.5 Humor

Businesses want an inexpensive software tool that can be used to clean up a Spyware infection on a one-time custom basis. Larger companies usually have staff that can do quite some analysis of a particular sample of Spyware, but this now become less and less common due to commodization of IT. So both home users and enterprise users are now dependent of so called "anti-spyware" vendors which by and large are the same companies that used to provide AV solutions. If you know a little bit about those vendors, to be 100% dependent on those guys is somewhat humiliating. They can lie and cheat customers like there is no tomorrow.

That means that developing some skills in this area is important, unless you want to be royally ripped off. Fortunately there are tools that can help to analyze unknown strains of spyware and there is a method to eliminate them. That's what this page is trying to provide. It was done in my free time and is not updated often, so don't expect much. But despite my AV researcher background I am not in any way connected to AV/Antispyware business. That makes this page (and generally all /Malware tree of Softpanorama) a pretty rare breed for the Web.

If you see some suspicious entries you can run them via VirusTotal or if you can't delete some files in "C:\Documents and Settings\user\Local Settings\Temp\" with all applications closed. VirusTotal allows to submit sample and run it over more then two dozens of AV tools. It produce some useful results and is best of the breed as of 2012.

Generally anti-spyware tools can be classified tools into two broad ranges:

Non-scanner tools are useful for detection unknown to scanner strain of spyware and can be used to delete them. For example Windows Steady State mechanism will wipe all the changes no matter what type of malware you encounter.

Cygwin and SFU 3.5 are probably the most powerful generic antispyware tools available for Windows. but they require Unix knowledge be used effectively. Also any tool that can search and delete entries in Registry is useful. There are several such tools in Microsoft Resource Kits and they are probably the safest to use.

The non-scanner based strategies of fighting spyware includes several lines of defense:

  1. Restoring an image of your C partition ("Softpanorama strategy"). Splitting your harddrive into two (or more) partitions (using for example Partition Magic), formatting the second partition as FAT32 and writing a clean snapshot of a C: partition (for example via Ghost) to this partition, so that you can restore it anytime your system stops functioning properly (whether because of spyware or other problems).
  2. Systematically updating your OS and IE and using p[roper setting. For example one common path opf spyware now is via Google seraches. That means that it makes sense to pur google.com into "Restricted sites" category in IE brower. It is also really important to keep your computer up-to-date. Spyware often rely of IE vulnerabilities so the latest and greatest version of IE from Microsoft helps to protect your computer. IE proved to be the most vulnerable of browsers and for this reason it is better to avoid using it when browsing Internet unless you use it in High mode (only signed executable can be executed in this mode). Firefox is not a bad browser which provides approximately the same capabilities of IE and additional tools that can make infection of your PC less likely. I would recommend Adblock Plus add on as a no-nonsence measure.
  3. Using virtual machine with separate blower to brows Interment. The beauty of Virtual machine is that it is disposable. If you have network drive then using virtual machine is the most secure way of browsing internet. You just save the file you want to preserve, you save it to network drive. Internet folder can also be used by most users.
  4. Running selected free tools via scheduler to detect Spyware. There are very useful and effective tools outside a typical troika of anti-Spyware troika (Hijackthis, Adaware and Spybot S&D). For example writing certain registry entries and the process list (see command line process listers) after startup and diffing it with the baseline is a pretty effective tool, especially for small companies. Home users can try registry watching tool like RegistryProt.

    There are several command line process listing utilities that can be configured to run during your startup and writing files to keep record of changes The Integrity checker would be most useful here but there is no clearly suitable candidate, see Fighting Rootkit and Similar Trojans: Integrity Checkers and Trojan detectors

    In the most primitive way, Hijackthis can provide a useful baseline for registry entries that need to be watched. It does not work in batch mode but better and more modern program Autorunsc can. Please create at least a process baseline. It will be extremely helpful in the case of infection. You cannot overestimate the value of the baseline in fighting complex Spyware beasts.
  5. Blocking (via proxy or redirection in the host file) Internet sites that download such pests. Using proxy is a pretty effective way for fight spyware for those guys who understand linux. This is a useful method of defense in a corporate environment when each detected "backchannel" can be instantly detected on proxy and in many cases the site that is responsible for the infection can be detected and blocked. This is not that effective in a home environment as it requires work in analyzing logs. Still host file can be used to block obnoxious advertisers on one by one basis. See Blocking spyware sites via the hosts file
  6. And the last but not least. Read the license of products that you are installing on your computer. Never ever install anything that is advertised via junk email or, worse, pop-ups. Most apps that install spyware usually have something in their license that says "we have the right to install whatever we want on your system".

Softpanorama Strategy of Defense

A simple generic and very effective strategy of defense against spyware involves cutting the size of your C-partition by moving user data to additional partition or harddrive. See Dual Partition Windows configuration. This strategy is discussed in more details on Softpanorama Strategy of Fighting Spyware page.

I would like to stress that the main tool in fighting spyware is your backups and your understanding of Windows OS.

On windows side of the house, first of all one needs to understand that a full scan of harddrive for malware is as almost as I/O intensive as full backup and much less useful :-)

In view of proliferation of Spyware keystroke loggers and sites/downloads trackers I strongly recommend to to use a separate PC for all you financial records and tax reports.

Especially vulnerable are home desktops that are shared with other family members (children) and those need to be restored to "pristine" image more often. Please note that unlike worms/viruses, Spyware represents professionally written programs that specifically designed to work in stealth mode and collect various types of information about the user including, but not limited to, confidential financial information. It is usually protected from partial removal from the PC which often happens if signatures that Spyware removal program is using are old: in case one or several components are deleted by the AV program, but remaining components are able to download and reinstall missing components. This fact alone makes using backup as a spyware fighting tool an attractive strategy.

Situation became more dangerous if the PC in question used to browse porno sites or other "grey" sites. Spyware installed from those sites often contains full keylogging capabilities and thus reveals all passwords that you are typing on your PC. Some dangerous Spyware specifically targets this category of users. For example Transponder Spyware (variant of VX2 mentioned above) is deceptively labeled as an "free movie viewer" to see "hard-core adult content".

Disclaimer: the author of these pages has no financial relationship with any of the companies whose products are discussed on these pages. I am not an employee, affiliate, representative, or other agent of any of these companies.


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Nov 25, 2012] 15 Essential Open Source Tools for Windows Admins CIO.com

Wireshark can be used for analyzing traffic from an infected PC.

[Nov 25, 2012] Handle

Client: Windows XP and higher.
Server: Windows Server 2003 and higher.

Ever wondered which program has a particular file or directory open? Now you can find out. Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.

You can also get a GUI-based version of this program, Process Explorer, here at Sysinternals.

Installation

You run Handle by typing "handle". You must have administrative privilege to run Handle.

Usage

Handle is targetted at searching for open file references, so if you do not specify any command-line parameters it will list the values of all the handles in the system that refer to open files and the names of the files. It also takes several parameters that modify this behavior.

usage: handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>> [name]

-a Dump information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes.
-c Closes the specified handle (interpreted as a hexadecimal number). You must specify the process by its PID.
WARNING: Closing handles can cause application or system instability.
-l Dump the sizes of pagefile-backed sections.
-y Don't prompt for close handle confirmation.
-s Print count of each type of handle open.
-u Show the owning user name when searching for handles.
-p Instead of examining all the handles in the system, this parameter narrows Handle's scan to those processes that begin with the name process. Thus:

handle -p exp

would dump the open files for all processes that start with "exp", which would include Explorer.

name This parameter is present so that you can direct Handle to search for references to an object with a particular name.
For example, if you wanted to know which process (if any) has "c:\windows\system32" open you could type:

handle windows\system

The name match is case-insensitive and the fragment specified can be anywhere in the paths you are interested in.

Handle Output

When not in search mode (enabled by specifying a name fragment as a parameter), Handle divides its output into sections for each process it is printing handle information for. Dashed lines are used as a separator, immediately below which you will see the process name and its process id (PID). Beneath the process name are listed handle values (in hexadecimal), the type of object the handle is associated with, and the name of the object if it has one.

When in search mode, Handle prints the process names and id's are listed on the left side and the names of the objects that had a match are on the right.

More Information

You can find more information on the Object Manager in Windows Internals, 4th Edition or by browsing the Object Manager name-space with WinObj.

Microsoft Handle KB Articles

The following Microsoft KB articles reference Handle for diagnosing or troubleshooting various problems:

[Nov 25, 2012] Runalyzer, a free, interesting autostart manager - 4sysops

Sysinternals Autoruns authorun is a very useful tool if you do have too much zeal ;-). With too much zeal you just hose your system more effectively then any Trojan. Download link is autoruns.exe. It is certainly the most comprehensive startup manager for Windows 7, Vista, and Windows XP.

There are many good autostart managers available for Windows XP/2003. The most comprehensive one is, probably, Sysinternals Autoruns (now Microsoft). Runalyzer from Spybot Search & Destroy, however, offers an interesting feature that is quite useful if you’re afraid of having spyware on your PC that make use of rootkit technology: You can autostart programs on Windows installations using attached hard disks.

So, if there is spyware installed on your machine hiding from the OS during runtime, you can boot from another device and use Runalyzer to search for malware. It automatically detects Windows installations on all connected devices. Since it also supports Windows PE, you could boot from a CD and use Runalyzer to analyze your hard disk.

It is also possible to disable autostart programs this way. Runalyzer lists Windows services, but you can’t disable them. If you don’t want a service starting whenever the system boots up, you have to delete it.

Runalyzer marks suspicious autostart programs as red. You can compare your system with their online database. This way, you’ll get the latest information about autostart malware.

Another nice feature of Runalyzer is that you can export your system setting as text file. This is useful when you want to consult an expert.

[Nov 25, 2012] Browser Guard 2011

We really need something for IT that blocks sites which has DNS just registered.

Trend Micro USA

Proactively protect your browser against new web threats. Browser Guard 2011 has zero-day vulnerability prevention and protects against malicious JavaScript using advanced heuristics and emulation technologies.

Browser Guard is quickly and continuously updated to deliver the most secure and up-to-date technology. The latest version includes detection enhancement for Web Trojans, and for tracing infection chains

[Nov 25, 2012] Trend Micro Browser Guard v2.0

Trend Micro Browser Guard 2010 is an Internet Explorer plug-in that monitors the pages you visit to protect you from malicious JavaScript.

The program works entirely automatically, so there are no complex settings to consider, no configuration worries at all. Just install it and Browser Guard will analyse any JavaScript on the pages you visit, detecting buffer overflow and heap spray attacks, blocking attempts to execute shell code, and generally keeping you just a little safer online.

While you might expect this extra layer of protection would slow down your browsing a little, there was no noticeable change on our test PC (and IE told us the add-on took a mere 0.03 seconds to launch). If you're running an old underpowered laptop then maybe you'll see a performance impact, but otherwise there are unlikely to be any problems.

Otherwise the program seems very compatible, running on 32 or 64-bit Windows XP, Vista or 7, and all versions of Internet Explorer from 6 to 9.0, and is most unlikely to conflict with any other security software. So if you use IE, even only occasionally, then Browser Guard 2010 offers an easy way to gain a little extra protection from malicious websites.

[Jul 18, 2011] Autoruns for Windows v10.07 By Mark Russinovich and Bryce Cogswell

Published: April 13, 2011

Download Autoruns and Autorunsc
(606 KB)

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!


Screenshot

UsageSee the November 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of Autoruns . If you have questions or problems, visit the Sysinternals Autoruns Forum.

Simply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.

To view the properties of an executable configured to run automatically, select it and use the Properties menu item or toolbar button. If Process Explorer is running and there is an active process executing the selected executable then the Process Explorer menu item in the Entry menu will open the process properties dialog box for the process executing the selected image.

Navigate to the Registry or file system location displayed or the configuration of an auto-start item by selecting the item and using the Jump menu item or toolbar button.

To disable an auto-start entry uncheck its check box. To delete an auto-start configuration entry use the Delete menu item or toolbar button.

Select entries in the User menu to view auto-starting images for different user accounts.

More information on display options and additional information is available in the on-line help.

Autorunsc UsageAutorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc [-x] [[-a] | [-b] [-c] [-d] [-e] [-g] [-h] [-i] [-k] [-l] [-m] [-o] [-p] [-r] [-s] [-v] [-w] [[-z <systemroot> <userprofile>] | [user]]]

-a Show all entries.
-b Boot execute.
-c Print output as CSV.
-d Appinit DLLs.
-e Explorer addons.
-g Sidebar gadgets (Vista and higher).
-h Image hijacks.
-i Internet Explorer addons.
-l Logon startups (this is the default).
-m Hide signed Microsoft entries.
-n Winsock protocol and network providers.
-p Printer monitor drivers.
-r LSA providers.
-s Autostart services and non-disabled drivers.
-t Scheduled tasks.
-v Verify digital signatures.
-w Winlogon entries.
-x Print output as XML.
-z Specifies the offline Windows system to scan.
user Specifies the name of the user account for which autorun items will be shown.

[Jun 19, 2010] DDS by sUBs - Alternative to HiJackThis with better quality of reports

DDS is a tool disguised as a screen saver (thanks you Microsoft ;-) that can used to troubleshoot malware issues. The log files it produces are useful in identifying malware components.

Download DDS by sUBs here. After downloading, disable your virus protection/script blocking protection, and also disconnect from the internet.

Run DDS. If it won't run, rename the file and try again. A window will open, with info about the utility. You don't need to do anything, the scan is already running.

The results will open in notepad. Click No for the Optional_Scan.

When finished, DDS will open 2 log files: DDS.txt and Attach.txt (save these with your other log files).

Close the DDS window. Delete the program from your where you saved it.

Enable your virus protection and re-connect to the internet.

Universal Spyware and virus tracker

So I build an application that when it is running it simply monitors system folders for any new exe's or dll's being added or renamed: For example Windows and System32 folder is the main harbour for these bugs, but also Program Files or Documents and Settings.

Simple idea but the result surprised me big time. By going to some sites that I expected they add spyware through ActiveX I was shocked what was happening on my multistage-firewall and antivirus protected computer (ZoneAlarm, Norton AV, D-link Router with on-board Firewall and AlphaShield HW firewall - all running at once and none even beep). I could clearly see how a data from IE download folder has been renamed to exe and dll, obviously run, then copied to many places over my computer - to System32, Windows even DllCache folders. Then the exe was copied under different names few times.

System File Check
Additionally a button for SFC was added. This will run Windows Protection that checks all system files for changes and it will copy them from Windows CD if they are different.

Warning: On clear situation, like the one above where basically 3 spyware exe files were added by ActiveX, the Quarantine is a simple choice. But in case where system or IE Helper dll's are involved, forcing these files to Quarantine may make IE partially unoperational. Remember, Spyware use many methods to penetrate your system so if you are unsure then don't experiment. Just acknowledge some files were added and run anti-spyware! In any case run anti-spyware to clean up registry from the bugs.

Legit Files
Spy-The-Spy is a file monitor. It doesn't differentiate between real spyware and a legit file that has been added to watched folders. There are cases when such legit files are created:

WinPatrol - Free software downloads and software reviews - CNET Download.com

Similar to Hijackthis Startup manager, BHO manager, cookie file manager, service manager, and more....

This program uses a simple yet effective method of fighting all kinds of malicious programs. It inspects several Windows system spots that malware is most likely to alter, including programs launched at start-up, browser helper objects, scheduled tasks, services, and cookies.

The latest version includes two new logs: one emulates the popular HijackThis log style, while the other is a CSV-exportable format. There are also more tweaks for Vista users, as well as the usual bug fixing. The app consumes few resources, doesn't slow your PC, and is highly customizable. You can set the interval between checkups; the default is every three minutes. If something new installs on your PC, the program notifies you and asks whether you want the newcomer. This won't cure serious infections, but it will save you from annoying adware and malicious sites that hijack your browser's home page. You can view full reports in HTML format, and the app even lets you manage which programs launch on system start-up, including a "delayed" start-up.

Improved cookie handling is taken care of by Pinky the Squirrel, who eats "cookies with nuts"--that is, cookies that contain user-defined nuggets of text, such as ads. Users who install a lot of new software will find the program invaluable.

Ole registry Cleaner - Vers 1.5

The purpose of this program is to remove the Ole garbage left in the registry after installing and deinstalling several Ole (Com) dlls. This program can be especially useful to those who build dlls in Visual Basic. They know what I mean.

[Dec 1, 2009] rkill.com Tool to kill known spyware process

[Nov 14, 2009] A guide and tutorial on using ComboFix

For some reason, Combox changed the default code page in Windwos which destroys pseudo-graphic symbols in program like Far

ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Please note that this guide is the only authorized guide for the use of ComboFix and cannot be copied without permission from BleepingComputer.com and sUBs. It is also understood that the use of ComboFix is done at your own risk.

[Nov 14, 2009] Resplendence Software - Advanced System Tools and Developer Components

New: SanityCheck 2.00 released

SanityCheck is an advanced rootkit and malware detection tool for Windows. By making use of special deep inventory techniques, it goes to great lengths to detect hidden and spoofed processes, misbehaving kernel modules and finds a number of different hooks and hacks which are typically the work of rootkits and malware. It creates a comprehensible report on any regularities found.

[Mar 21, 2007] TrendSecure Trend Micro Hijack This™

It is already available from the Web site. Looks like there are sharp executives in Trend Micro

[Mar 14, 2007] Trend Micro buys HijackThis, launches SiteAdvisor competitor Zero Day ZDNet.com

Trend Micro has acquired HijackThis, the freeware spyware-removal program created by Merijn Bellekom.

Financial terms of the deal, believed to be all-cash, were not released. This is the second transaction between Trend Micro and Bellekmom, following the company's purchase of CWShredder, a standalone utility used to remove the virulent Cool Web Search spyware program.

HijackThis is the de-facto standard for spyware removal from Windows systems. The tool generates a plaintext logfile detailing all entries — registry and file settings — it finds and offers tech-savvy users the ability to remove or disable files associated with malware.

[Mar 9, 2007] Description of the Port Reporter Parser (PR-Parser) tool

When a Microsoft Windows-based computer becomes vulnerable, an attacker typically uses the resources of the Windows-based computer to inflict more damage or to attack other computers. This kind of attack typically involves activities such as starting one or more processes, or using TCP and UDP ports, or both. Unless an attacker hides this activity from the Windows-based computer itself, you can capture and identify this activity. Therefore, looking for indications of this kind of activity can help you determine whether a system is vulnerable.

The Port Reporter tool is a program that can run as a service on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server 2003-based and Windows XP-based computers, the Port Reporter service can log the following information:

The data that is captured by the Port Reporter service may help you determine whether a computer is vulnerable. The same data is also useful for troubleshooting, for gaining an understanding of a computer's port usage, and for auditing the behavior of a computer.

PR-Parser is a tool that parses the logs that the Port Reporter service generates. For additional information about the Port Reporter service, click the following article number to view the article in the Microsoft Knowledge Base: 837243 (http://support.microsoft.com/kb/837243/) Availability and description of the Port Reporter tool The PR-Parser tool provides the following three basic functions:

The PR-Parser tool has a Windows Graphical User Interface (GUI) that makes it easier to review the logs. By using the GUI, you can sort and filter the data in a number of ways. The PR-Parser tool helps you identify and filter the data that you are interested in. The tool provides the following functionalities:

The PR-Parser tool provides some log analysis data also. This data can help you understand the usage of a computer. This data includes the following:

[Feb 24, 2007] SDFix

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

[Aug 24, 2005] What a great app!

(Feedback for the page Spyware Removal Using Spybot S&D; slightly edited for clarity):

Thanks for recommending this freeware - I recently cleaned my pc from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti malware software. I knew this was a hack from the start and set about cleaning the registry , resetting dodgy files in SYSTEM32 to a .doc extension, etc but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran recommended program in safe mode booting of XP and I cleaned everything it found and the machine seems much happier now!

What I would like to know is how you remove an item from the registry when you know its bad . I tried messing about with the permissions on the item but nothing worked.

... ... ...

Keep up the great work!

Regards

Peter

Peter,

There are several good free registry editors, watchers. See Free Registry Tools for more information. But the first step is easy to do with regular Windows registry editor (regex.exe):

Often spyware is pretty primitive and removal of the component that is installed in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

registry key disinfects the PC.

To do this follow the step outlines below. Be very careful working with the registry and do not delete entries just because they look suspicious. check each of them as outlined below:

  1. Open your registry in regedit
    • Click "start" (bottom left of your screen)
    • Select "Run"
    • Type "regedit" in the command line displayed
    • Click OK.
  2. In a tree that is shown select HKEY_LOCAL_MACHINE
    • then click on + sign for the key SOFTWARE
    • then click on + sign for the key Microsoft
    • then click on + sign for the key Windows
    • then click on + sign for the key CurrentVersion
    • then click on + sign for the key Run
  3. Put a bookmark for the Run entry (Click Favorites, Add to Favorites and preserve the name Run that Microsoft Registry Editor suggests, so that you can gat tot he same place quickly if you need to.
  4. Print all entries (File, Print). Look for suspicious entries, that have strange names, load programs from strange locations, etc but don't take any actions on them.
  5. Open Windows Explorer Click on Tools, Folder options , View and and Details View and
    • uncheck:
      • Hide extensions for know file types
      • Hide protected operating system files
    • check
      • Show hidden files and folders
      • Remember each folder view setting

    click apply to all folders and OK.

  6. Find each suspicious file from the printed list of Run section and check the creation date. After that go to the listed directory find the file, left click and click on properties. Check Version section. If Description is missing, Version is missing or this is an unknown company, then the file is suspicious.
  7. For each suspicious file search Goggle. If Google search proves that this entry belongs to spyware simply delete the key.
  8. For each other file try to search Google. But be critical as for results. do not rush to delete it without additional consultation in one of the recommended in Fighting Adware/Spyware Paranoia page forums.

[Jan 12, 2005] Microsoft Windows AntiSpyware (Beta) Overview -- free tool from Microsoft

Related Links
System requirements

Frequently asked questions

Download the beta

Microsoft Windows AntiSpyware (Beta) is a security technology that helps protect Windows users from spyware and other potentially unwanted software. Known spyware on your PC can be detected and removed. This helps reduce negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. Continuous protection improves Internet browsing safety by guarding more than 50 ways spyware can enter your PC. Participants in the worldwide SpyNet™ community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, and updates are automatically downloaded to your PC so you stay up to date.

[Nov 30, 2004] PCWorld.com - Poor Defenders

Some anti-spyware companies use confusing ads, and our tests show their $20-$60 products are less effective than free competitors.

You've almost certainly encountered the ads: A dialog box pops up on your system, bearing the message "Warning! Your computer may be infected with spyware" and suggesting that you scan your computer immediately. Click it, and you often reach a Web site providing a "free spyware scanner" that finds all sorts of malware on your PC--and then offers to sell you software that will clean it all up.

Should you buy these products? Based on our tests, our opinion is no. Following complaints from several PC World readers, we tested seven heavily advertised spyware-removal tools-- MyNetProtector, NoAdware, PAL Spyware Remover, SpyAssault, SpyBlocs, Spyware Stormer, and XoftSpy--and found that none were as effective as reputable free products such as Spybot Search & Destroy. A couple even installed new spyware.

PC Magazine Opinion Corruption at the Jersey Shore

I also came across a freeware application that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of your registry and then repairs any Registry entries that may have been affected by adware removal. Unlike the Microsoft solution, it doesn't remove the stack and force you to reload TCP/IP. You can find WinSock XP Fix at a number of shareware sites, including www.spychecker.com/program/winsockxpfix.html.

I did a little poking around in the Microsoft Knowledge Base and found that this was not an unusual problem and that it was caused by corruption of the Winsock. I hadn't thought about the Winsock—the Windows TCP/IP socket API and IP stack—in years, at least not since the advent of Windows XP. But it used to be a veritable Achilles' heel for Windows systems.

The Knowledge Base gave command line NetShell instructions that would reset the Winsock to its default configuration, and also listed Registry entries that I could remove to force a reload of the Winsock and TCP/IP stack. The two essential articles are 811259 and 299257. But before I did that, I decided to look further to figure out how the Winsock had become corrupted.

A little more investigation pointed to adware and spyware. Evidently some ad/spyware modifies the Winsock or installs itself into the IP stack to give ads access to your system—or to give a hacker free rein. When you run the removal programs (you do, don't you?), the shims inserted by the adware are not removed, but they no longer link to anything. The stack becomes unstable, and it begins reporting errors and behaving erratically.

I also came across a freeware application that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of your registry and then repairs any Registry entries that may have been affected by adware removal. Unlike the Microsoft solution, it doesn't remove the stack and force you to reload TCP/IP.

I decided to try it (I had a recent, full backup of my system on one of Iomega's great new REV 35GB removable hard drives, so I didn't mind living dangerously), and it worked perfectly. No more dropped wireless connections and no more "cable unplugged" error messages. You can find WinSock XP Fix at a number of shareware sites, including www.spychecker.com/program/winsockxpfix.html.

PCWorld.com - Internet Tips Tweak Windows XP SP2 Security to Your Advantage

Trying to make Windows more secure, Microsoft released Windows XP Service Pack 1 in 2003, and Service Pack 2 recently. Whereas SP1 focused on remedying antitrust violations with bundled Windows utilities, almost all of SP2 is devoted to beefing up Internet security. SP2 doesn't thoroughly shield you from attacks, but it's definitely worth installing for its firewall improvements, Internet Explorer pop-up blocking, and security-configuration changes. Once you've installed it, you'll probably want to tweak some of SP2's new settings, and to know where--tweaked or not--the reinforced OS remains vulnerable.

SP2's most noticeable change to Windows XP is its introduction of a new Security Center Control Panel applet (see FIGURE 1). Security Center itself doesn't do much, but it provides a single location where you can view the status of the Windows Firewall (formerly known as Internet Connection Firewall) and of Windows' Automatic Updates service. The utility also tracks if you have an antivirus program installed, running, and updated.

If any of these three key security tools has been disabled or is less than fully functional, Security Center changes their corresponding status lights from green to either red or amber. The program also displays a warning icon in the system tray. A red light means that you should probably take steps to beef up security in the indicated area. An amber light signifies a service that is only partly enabled, or that a third-party product handles.

But even if all your dashboard security lights are green, you aren't necessarily safe. Conversely, certain red or amber conditions--triggered when Windows doesn't recognize your third-party firewall or antivirus program, for example--may be acceptable to you. So how do you disable that pesky tray icon?

Start by opening the Security Center: Choose Start, Control Panel and click Security Center. Many people will see a bank of green lights, thanks to SP2's more secure default settings. The firewall is now enabled by default for all Internet connections, which is a good thing if you don't have a third-party firewall program. The Automatic Updates feature downloads and installs often-crucial security updates from Microsoft while you're online. Unless you went out of your way to disable it during installation of Service Pack 2, this option will be fully enabled as well. And if you've installed an antivirus program that Microsoft recognizes, you'll get a green light in the virus-protection area.

Spyware Warrior » Beware of Spyware Removal Software Review Sites

On the Rogues page, there is a section for Trustworthy Anti-Spyware Products . There are spyware removal help forums, such as my own, where people discuss and compare products, often from having used and tested them. Other spyware removal help forums are also good sources of information. Download.com lists products and has reviews from consumers as well. I would take some of the reviews there with a grain of salt however, since they can be spammed by people who want to promote a particular product. Download.com does indicate the sponsored products in the listings.

Spyware Reviews, Anti Spyware Review, and Spyware Comparisons

It's not clear if this site is independent or objective. But still it contain a comparison that you might benefit from. Adaware rated as no.5. S&D as No. 6. Test score are are very questionable as there is no information about spyware mix used:
Spyware Test Score
91%
90%
88%
84%
64%
63%
50%
45%
37%
31%
Here are reviews of top free products. Both are grossly unfair:

Lavasoft Ad-Aware 6.0 Pro (read spyware review)

Ad Aware came in fourth. While it offers comparable protection to Spy Sweeper and Spyware Eliminator, it lacks some basic features (such as scheduling) and the user interface is very difficult to use. It is also priced higher than the other products. Some users report that the program doesn’t install correctly and there are reports that it has even corrupted hard drives, making some PCs unbootable (we did not experience these problems on our test computers). Despite lavasoft's claim that Ad-Aware protects against over 24,000 spyware programs, we found its coverage to be lacking.

My comments: What an idiotic requirement to have an independent scheduler. The reviewers seems to be openly hostile to the product and it is fair to assume that they just peddling a different product no matter what...

Spybot S&D (read spyware review)

Spybot S&D is the most well-known freeware removal tool on the market. The best part about Spybot S&D is that it’s free! The worst part is that you get what you pay for. Because Spybot S&D gives away their product, they can’t afford to give good customer support, nor is their product particularly stable on Windows XP. On our test platform, Spybot S&D brought our browser (Internet Explorer 6) to its knees. After installation, we were unable to download anything in under two minutes, and web pages took an excruciatingly long time to load. Alas, we fixed the problem by running Spy Sweeper! At last count, Spybot S&D only effectively protected against about 200 spyware products. If you can afford a modest fee, we highly recommend you choose a commercial product.

My comments: The claim that Spybot S&D is not stable on Windows XP is a deliberate attempt to downgrade a fine product. It is reasonable to expect that a free product requires slightly more knowledge to run then a commercial one, but the reviewer does not understand that Spybot provides some tools for fighting arbitrary spyware not just scanning for known pests.

Yahoo! Toolbar has anti-Spy feature.

Obsolete with the introduction by Microsoft free Windows Defender

Freeware downloads System Utilities - Command Line Tools - SnapFiles, we download it before you do!

A primitive integrity checker. Compare with Integrity Checkers and Trojan detectors

Berkes Notify allows you to monitor a specified directory and be notified if files are changed, added or deleted. The program runs from the command line and pops up a small dialog if changes are detected. Small simple and useful.

Mike Lin's Home Page

StartupMonitor watches the Start Menu's Startup folders and the Run entries in the registry.

StartupMonitor does not require Startup Control Panel, but it complements it nicely. When you choose not to allow a program to register itself, the program's entry becomes disabled in Startup Control Panel, so you can go back and enable it later if necessary. StartupMonitor watches the Start Menu's Startup folders and the Run entries in the registry.

StartupMonitor has been tested on Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP; unfortunately, it does not function correctly under Windows 95 because of some unimplemented routines in the operating system

Download StartupMonitor 1.02 (60kb)

Resources Enough is Enough! Outdated. Last Updated: Apr 14 '02

Have you just about had it with sneaky spyware installations, pesky third-party cookies from pushy advertisers and marketers, and the unending blizzard of popups and popunders from web sites? Haven't you really had just about enough of these obnoxious, invasive practices that trash your computer and violate your privacy?

Then it's time you said, "Enough is Enough!"

Overview

Enough is Enough! is a lockdown utility for Internet Explorer 5 and 6. When you install Enough is Enough!, it will:

  • Lock down your Internet and Restricted sites zones with restrictive settings for dangerous options like ActiveX, Java, scripting, and a few others.
  • Severely restrict the use of cookies (but not completely disable them for trusted web sites or for single session use).
  • Disable several Advanced settings, including Install on Demand and Third-party Browser Extensions.
  • Install Microsoft's IE PowerTweaks WebZone Accessory, putting two new options on your IE Tools menu, with corresponding buttons on your Toolbar: "Add to Trusted Zone" and "Add to Restricted Zone."

With these new Internet Explorer settings you will be protected from the more dangerous elements of the web without having to worry about putting known nasties into your Restricted sites zone:

  • You'll be protected from rogue crapware installations (e.g., Gator, BonziBuddy, WebHancer, Lop.com, and the like).
  • You won't be accepting cookies from direct marketing outfits who seek to monitor and track your travels around the Net.
  • You'll put an end to annoying, useless popups at most web sites by default.
  • You'll put all web sites on a "short leash" until you trust them enough to add them to your Trusted sites zone.

In short, Internet Explorer will start behaving as YOU want it to behave, not as direct marketers and spyware pushers want it to behave. What you do with Enough is Enough! is enforce your very own "opt-in" policy: no web sites get to use permanent cookies, ActiveX, Java, JavaScript and other dangerous Internet Explorer options until you explicitly give them the go-ahead by putting those sites into your Trusted zone.

Caution!

A word of warning: the severely restrictive IE settings that Enough is Enough! uses will break many web sites until you add them to your Trusted sites zone. These settings will also disable third-party browser add-ons (commonly known as "plugins").

Keep in mind that you can always tweak IE's settings through the Internet Options box after installing Enough is Enough!

And of course, Enough is Enough! installs Microsoft's Power Tweaks WebZone Accessory so that you can quickly and conveniently add sites you visit frequently (and which require permanent cookies or certain types of active content) to the Trusted sites zones. Once you add a site that you trust to the Trusted sites zone, it should start working again.

See the section in the ReadMe titled "Coping with Problem Web Sites & Browser Add-ons" below for more advice on dealing with problem web sites and third-party browser add-ons.

More than Enough?

Enough is Enough! isn't for everyone. If you find broken web sites extremely frustrating, and taking the time to add web sites to your Trusted sites zone is too annoying for you to deal with, then Enough is Enough! might be "more than enough" for you -- it might be much too much.

There are several uninstallation options, so you're not stuck with Enough is Enough! by any means, should you decide that it's not for you (see the "Uninstallation" section in the ReadMe for more details).

If Enough is Enough! isn't for you, you might consider downloading and installing IE-SPYAD. IE-SPYAD will add a long list of known advertisers, marketers, and crapware pushers to your Restricted sites zone, giving you a large measure of protection from the nastier elements of the web while still allowing you to keep your Internet zone settings fairly loose. You can download IE-SPYAD HERE.

Compatibility

Enough is Enough! is compatible with Internet Explorer 5.0 and above. The installer (INSTALL.BAT) will detect if you're using Internet Explorer 6.0 and adjust the settings it installs accordingly. Enough is Enough! also works with Windows XP Service Pack 2.

Enough is Enough! should not be used on Internet Explorer 3.0 or 4.0 (though the installer will let you do it). If you mistakenly install Enough is Enough! on Internet Explorer 3.0 or 4.0, you can uninstall it and restore your previous IE settings by re-running INSTALL.BAT.

Installation & Use:

Download one of the following files from the Download section below:

  • ENOUGH.EXE
is a self-extracting .ZIP file, which you can double-click on to extract the files inside (default dir is C:\ENOUGH).
  • ENOUGH.ZIP
requires that you have an "zip/unzip" program like WinZip, 7-Zip, or PowerArchiver to extract the files.

After you explode the files from the archive you downloaded, run INSTALL.BAT, or consult README.TXT for more information about this utility. You can view an online version of README.TXT HERE.

Download:

ENOUGH.EXE 115 KB PGP signature
ENOUGH.ZIP 77 KB PGP signature

These files have been signed with with my 4096/1024 DH/DSS PGP key. You can get it and my other PGP keys HERE.

The PGP signature files are digital signatures that PGP users can use to verify the integrity and origin of the download packages. If you're not a PGP user, you don't have to download the PGP signature files (or my PGP public keys) in order to use the utilities that I make available. If you're interested in learning more about PGP, check some of the links on THIS page.

This program is Please read this License & Disclaimer.

Last Updated: Apr 14 '02

How to temporarily remove string values from registry run keys when troubleshooting software conflicts

You are troubleshooting a suspected conflict between programs, and need to temporarily prevent programs from loading when Windows starts. The programs in question are loading from one of the Run keys in the Windows registry.

Solution:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified.

Please request the document, How to back up the Windows registry, before proceeding.

NOTE: If you are using Windows 98/Me/XP, as an alternative you can use the System Configuration Utility that is included with these operating systems. For these operating systems, this is the recommended method, as it does not require you to edit the registry. Please see your Windows 98/Me/XP documentation or the section "4. Disable unnecessary startup items" in the document, Basic guide to optimizing system resources for instructions on how to do this.

To temporarily remove values from the RUN keys in the Windows registry:

  1. Click the Start button and then click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key, and open it:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. The right pane will display one or more string values.
    • If you only see (Default) or SystemTray, go on to step 10.
    • If there are additional values, for each value other than (Default) or SystemTray , follow the instructions in steps 5 through 9.
  5. Double-click a String Value in the right pane. The Edit String dialog box will appear with the value selected.
  6. Press the Home key on the keyboard. The cursor should be to the left of the string value, and the value should no longer be selected.
  7. Type rem and press the Spacebar once. This remarks out the string value, and prevents the program from loading when Windows starts.
  8. Click OK.
  9. Repeat these steps for each string value you want to remark (REM) out.
  10. Navigate to the following key, if it exists, and open it:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  11. Repeat steps 4 through 9.
  12. Some computers may also have Run or RunServices keys in the following location:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or \RunServices)
  13. If it exists, repeat steps 4 through 9 for this location as well.
  14. Exit the Registry Editor when you finish changing these values, and restart the computer.
  15. Check to see whether or not this resolves the problem.
  16. If it does, and you want these programs to load with Windows, add back one string value at a time by removing the REM and the following space.
  17. Restart Windows, and then test the system after each addition. When you find the key causing the problem, you can either REM it out in the registry or delete the value.


NOTE: If you do this in Windows NT 4.0, for each REM line that exists you will see the following message when Windows NT boots:

"Cannot find the file REM (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

You will need to click OK for each REM line that generates the message. To avoid this each time you start Windows, once you have determined the program that is causing the problem, delete the string value for that program.

Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Free version of Spybot Search and Destroy scanner Spybot Search and Destroy and/or Adaware provide better results (in case you are using the most latest signatures) and are recommended for checking. Please note that before the scan you do need to download the latest signature file separately (older signature files miss the most recent mutations of engines like SAHAgent).

Recently written

Spyware Removal Guidelines use Spybot S&D as example, as it provides some additional useful tools, but old good Adaware is also an extremely useful tool and can find and disinfect some Spyware variants that are missed by

Spybot S&D (see, for example its VX2 cleaner plugin that I mentioned before) . You probably are better off using both.

Recommended Papers

PC Review - Spyware and Adware Removal

HijackThis

HijackThis is a heuristic spyware detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against homepage hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.

HijackThis quickly scans a user's computer, and create a list of running processes and some settings. Comparison of this list with a known spyware-free environment greatly helps to decide what from the list needs to be removed. In addition to this scan and remove capability HijackThis comes with several tools useful in manually removing malware from a computer.

Please note that blind use of its removal facilities can cause significant software damage to a computer. If you do not have a map of your spyware free environment you should carefully check the name of program that you view as suspicious via Goggle.

Tutorials

BHO Listers

BHOs are similar to programs that run from autoexec.bat but they run during the start of IE not DOS. MS article Browser Helper Objects: The Browser the Way You Want It explains the concept. Spyware BHOs can conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance. BHOList contain the list of know BHOs with classification into several categories. To view the list of the BHOs that are installed on your machine you can use HijackThis or more pecialized program BHODemon (freeware).

Example 1: The LOP spyware creates random BHO identifiers (as well as corrsponding files):

Registry entries look something like this:

{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll

Be aware of this possibility if you discover an unknown BHOs with random names. Several other spyware products random of semi-random BHO names.

Example 2: Vx2 and its derivatives (Data Transponder, etc). Vx2 is a browser helper object (BHO) that was included in the AudioGalaxy Satellite file-sharing system, but a user outcry got it removed in November 2001. Today, vx2 and its variants can be found in a "free" viewer for adult video content and the "free" products from Mindset Interactive. According to PestPatrol, "it is hard to tell where this piece of spyware originated. It was first seen as Blackstone Data's Transponder, but repackaged versions of the same product are popping up under several different companies." PestPatrol lists the aliases of the code and sources of each as Transponder from Blackstone Data; vx2, RespondMiter and Sputnik from vx2, Corp.; Aadcom Extreme Targeting from Aadcom; NetPal from NetPalNow and also Mindset Interactive.

Recommended Links:

Winsock 2 Layered Service Provider (LSP) Tools

LSP-Fix - a free program to repair damaged Winsock 2 stacks

Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access

LSP-Fix is a free utility to repair a specific type of problem associated with certain Internet software. This type of software is known as a Layered Service Provider or LSP, a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet.

Unfortunately, this type of software is sometimes quietly installed by unrelated software such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existance until something goes wrong, and he/she can no longer access Web sites. Common offenders include New.net* (NEWDOTNET) and WebHancer*, which are often bundled with file-sharing utilities, DVD player software, and other free downloads. LSP-Fix repairs the Winsock LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.

LSP-Fix is not a malware removal utility and does not target specific products. LSP-Fix does not delete any files. Downloads: (All downloads will fit easily on a floppy disk.)

Using LSP-Fix to remove O10 Entries in HijackThis

This self-help guide will walk you through using LSP-Fix to remove unwanted LSPs

Warnings:

Removing LSPs can cause your computers Internet connection to no longer work. If you follow these instructions carefully, you should not have a problem. If you feel that you are not comfortable doing this on your own, then please ask for help in our forums.

What are LSPs:

LSPs are programs that are attached to the networking protocols on Windows XP and 2000 computers. When a unwanted LSP connects to this chain, it has the ability to manipulate any data that passes through it manipulating it to their own desires. It is important to note that not all LSPs are bad, so it is important to do research as to whether or not the LSP you are going to remove is indeed unwanted. We will provide all the tools necessary, though, so that you can determine this.

Tools Needed for this fix:

Related Tutorials:

Symptoms in a HijackThis Log:

O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

PC Magazine Opinion Corruption at the Jersey Shore I also came across a freeware application that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of your registry and then repairs any Registry entries that may have been affected by adware removal. Unlike the Microsoft solution, it doesn't remove the stack and force you to reload TCP/IP. You can find WinSock XP Fix at a number of shareware sites, including www.spychecker.com/program/winsockxpfix.html.

I did a little poking around in the Microsoft Knowledge Base and found that this was not an unusual problem and that it was caused by corruption of the Winsock. I hadn't thought about the Winsock—the Windows TCP/IP socket API and IP stack—in years, at least not since the advent of Windows XP. But it used to be a veritable Achilles' heel for Windows systems.

The Knowledge Base gave command line NetShell instructions that would reset the Winsock to its default configuration, and also listed Registry entries that I could remove to force a reload of the Winsock and TCP/IP stack. The two essential articles are 811259 and 299257. But before I did that, I decided to look further to figure out how the Winsock had become corrupted.

A little more investigation pointed to adware and spyware. Evidently some ad/spyware modifies the Winsock or installs itself into the IP stack to give ads access to your system—or to give a hacker free rein. When you run the removal programs (you do, don't you?), the shims inserted by the adware are not removed, but they no longer link to anything. The stack becomes unstable, and it begins reporting errors and behaving erratically.

I also came across a freeware application that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of your registry and then repairs any Registry entries that may have been affected by adware removal. Unlike the Microsoft solution, it doesn't remove the stack and force you to reload TCP/IP.

I decided to try it (I had a recent, full backup of my system on one of Iomega's great new REV 35GB removable hard drives, so I didn't mind living dangerously), and it worked perfectly. No more dropped wireless connections and no more "cable unplugged" error messages. You can find WinSock XP Fix at a number of shareware sites, including www.spychecker.com/program/winsockxpfix.html.

Toolbars

Yahoo! Toolbar has anti-Spyware feature based on CA antivirus. CNET rates Y! Toolbar 5 out of 5! "Yahoo has definitely become the toolbar to beat."

Intro Yahoo Toolbar - ZDNet Reviews

Yahoo offers a bewildering number of services and options on its site, and the company's toolbar is no exception. With a generous portion of specific types of searches, more customization options than you can shake a stick at, a pop-up blocker that goes above and beyond, and even a spyware killer, Yahoo Toolbar gets our seal of approval.

Installing Yahoo Toolbar was easy in our tests; it took us less than a minute to download and run the install program (0.4MB for the toolbar only or 3MB for the toolbar and Yahoo's Anti-Spy utility). Once the toolbar is installed, you'll need to either sign in to your Yahoo account or register for one--a minor inconvenience. Once inside, you're then taken to a Web page where you can choose from literally dozens of buttons and services. You can reorder the buttons in any way you want (most toolbars don't give you that flexibility) and view icons and text or icons only--impressive. Our sole complaint is that you can't resize the smallish search box.

Yahoo Toolbar serves up a generous variety of search types, including the Web, current site, images, local services, news, products, maps, Yellow Pages, directory, stock quotes, and movie showtimes, each using specific Yahoo search services rather than tacking "news on" or "maps of" onto a search. All that's missing from the list is the weather, and while an optional weather toolbar button is available, you will have to enter a city or a zip code in the Web page. You also get a garden-variety highlighter that calls out where your search results appear on a given page.

Yahoo Toolbar with Anti-Spy - User opinions and free download at Download.com

Good overall" 30-Nov-2004 10:50:00 PM Phil from Massachusetts
First, I'll say that if any other adware detectors report adware or spyware within the Yahoo toolbar, it's a false positive, because there isn't any. Adware detectors often interfere with each other and detect each other as adware, so this isn't surprising.

Now, to rate the product itself. On the upside, it has more features than the Google toolbar, and the spyware detector is pretty decent, although not as good as commercial products. The pop-up blocker is effective at blocking most common types of popups, but is quite powerless against certain obscure popup types, including those caused by Java error handlers and a few other kinds. These popups are rare in the real world though, and I would estimate that it blocks 90 to 95 percent of all popups, and doesn't interfere with routine surfing. The one significant downside is that it is a bit unstable.

The Y! Toolbar module has crashed Internet Explorer about 7 times during the 200 hours that I've used it during routine surfing, which isn't too awful, but hardly sterling, either.

Overall, I'd recommend it over competing free toolbars like Google. Obviously, you can't compare free products with paid products, but this is probably the best of the freeware toolbars. It's also the most comprehensive, being the only one with pop-up blocking, adware detecting, searching and navigating tools all-in-one.

"Helpful" 12-Nov-2004 03:10:02 AM Ai Tui
The spyware detector picked up on some dialers and adware that Spybot missed. Also, I've been a big fan of the Yahoo toolbar for quite awhile. I'm on the move a lot, in my office and in the field. The toolbar allows me to take the bookmarks to the sites I use frequently with me and helps keep me connected.

Tracking Cookies

If you are constantly prompted to remove 3rd party "Tracking Cookies" after scanning your machine with Ad-Aware or SpyBot then your IE is not set up properly!

Many web pages write a cookie to your computer's hard disk to record when you visited their page and which pages you visited. The tracking cookie goes further and records details such as how long you stayed on a page, what you ordered, other pages you visited, and builds up a picture of your browsing. This information is reported back to the company that paid for this service. Read Privacy pages of the companies you if you don't believe me. Or read an article by Keith Newman about it.

Mad about it? Don't get mad, get even. Put in Ad-Aware (it's free - click on 'Ad-Aware') and delete all tracking cookies regularly.

The HOSTS file and Restricted Zone (domains.reg) file both contain most of the "Tracking Cookies" listed in their database. The object is to prevent these (3rd party) Cookies from loading, not removing them "after the fact".

Netscape Navigator and Internet Explorer will still send out existing cookies even after disabling cookies in the browser settings. You must manually delete any/all cookie files on your system to eliminate being tracked by third-party ad networks or spyware or adware providers.

You can solve most of the tracking cookies problem with these two things: A malware-blocking hosts file and IE->Tools->Internet Options->Privacy tab->Advanced->Check "Override Automatic Cookie Handling", set Third-party Cookies (the ones used to track you across different web sites) to Block, and First-party to Enable or Prompt.

There are many arguments why cookies are not a bad thing at all. Among their more benign uses are:

And, contrary to rumor, it is impossible for a cookie to transmit a worm or a virus. However, the opportunity to "personalize your web experience" by means of cookies recording your preferences and interests is a double-edged sword, because few consumers realize just how much information about themselves they are giving away as they surf the internet, and fewer still realize how easy it is for this "online profile" to be linked to their real identity.

ITCookieView [freeware] allows you to view information stored in a Cookie, delete unwanted Cookies on your hard drive.

Karen's Power Tools Set of VB tools



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017