StephenC
Guest IP: 24.61.*.*
|
Posted: Fri Apr 09, 2004 6:10 pm Post subject: What am I missing? (Spyware-fighting tools) |
|
|
Yesterday I got hammered with my first spyware - some variant of a doozy called BookedSpace which both Spybot AND AdAware could not stop. They would say that they fixed it, but the program would come back (and as you probably know, BookedSpace installs other spyware -- and if you try to uninstall these things with Add/Remove Programs, it gives some warning about having to go to their site, and if you hit cancel, it installs even MORE junk!). One of the scariest moments was that a new password-protected Administrator account had been created, and the Guest account was disabled and had its user icon changed.
I finally got rid of all the crap, including the phantom XP accounts (I'm up to date, so something tells me we'll be seeing another security patch soon!!), after a few hours of intense manual effort (playing in the registry, deleting the BookedSpace .EXE files in safe mode, playing in everything but the kitchen sink!). Thankfully I caught it on the same day and could simply search all files created yesterday and delete them. (Except for C:\Program Files\Xerox\Nwwia, which, as far as I can tell, is harmless... it's empty, but says it is in use by another user and I can't delete it).
I am wondering if my NEW precautions provide me with enough protection, or if there is anything else that I should be doing. Currently I use the following tools on a 2GHz P4 running Windows XP Professional and connect using Comcast High-Speed Internet (broadband):
* Most recent updates from windowsupdate.microsoft.com, including all "critical" updates
* Norton SystemWorks 2003
HitWare Popup Killer Lite
AdAware 6.0
* Spybot Search and Destroy 1.2
the ActiveX Registry Blocklist from SpywareGuide.com
IE Spyad (adds domains to restricted sites)
* in Settings, Control Panel, Network Connections, Local Area Connection, Properties, Advanced, I have the firewall turned "ON."
*A star (*) indicates that I had this item installed or configured _before_ I encountered the problem yesterday.
In addition, I have set all my IE zones to HIGH security (previously the Internet zone was on "medium") except for a handful of trusted sites. Trusted sites have "medium" security. I also created a non-administrative account to do most of my surfing in (although I am not there now as I just got through installing all the new stuff), and password-protected my Administrator account.
So, bottom line, did I miss anything?
And, also, while not a spyware question -- when I know I am on a safe site, I just toggle an Internet Zone's security settings (from medium to high and back)... but I keep on getting those dialog boxes about "You are about to transmit information over the internet..." and even though I check "do not show this warning again," as soon as I change a security setting, it comes back.
Any help appreciated. Thanks!
lublin
Guest IP: 65.93.*.*
|
Posted: Sat Apr 10, 2004 12:15 am Post subject: |
|
|
Attached site may be useful for you.
http://forums.techguy.org/t208517.html
Am not sure but it seems you may be relying on the firewall that comes with XP. It's my understanding that the XP firewall protects against stuff coming into your computer but not stuff outgoing from your computer. I stand to be corrected but if that is the case you may want to consider a better firewall if your firewall protection is limited to the one that comes with XP.
A free firewall a lot of people use is Zonealarm.
http://www.majorgeeks.com/download.php?det=388
Don't know if I've been lucky but haven't had a virus, trojan, spyware infection in over 6 months. Am running XP Pro with internet security set to medium-high. Am on broadband high speed, with the following programs installed:
1) Spybot and AdAware
2) SpywareBlaster and SpywareGuard
http://www.majorgeeks.com/download.php?det=2859
http://www.majorgeeks.com/download.php?det=3045
3) Startup Monitor and Regprot to prevent unwanted downloads, entries to startup etc.
http://www.mlin.net/StartupMonitor.shtml
http://www.snapfiles.com/get/regprot.html
Understand that IE-Spyad and Restricted sites function within SpywareBlaster do not create conflicts for each other.
4) Zonealarm Pro 4.0 (paid version that has cookie blocking as well as a script, mime, embedded objects blocking functions)
It is also my understanding that some protection programs do not scan all user accounts within XP and must be individually run on each user account e.g. Ad-aware.
Hope this is helpful
lublin
Guest IP: 67.70.*.*
|
Posted: Sat Apr 10, 2004 1:16 am Post subject: |
|
|
Another thing you may want to consider is shutting down some of the unnecessary services that by default are set to run when Windows starts up. Some of those unnecessary services are a source of vulnerability to having a computer compromised. A good reference guide is attached. Using the column "safe" is the least intrusive.
http://www.blackviper.com/WinXP/servicecfg.htm
Shutting down only 2-3 services at a time with reboots in between is safest. Any service running should be stopped before it is disabled.
StephenC
Guest IP: 24.61.*.*
|
Posted: Sat Apr 10, 2004 1:34 am Post subject: |
|
|
lublin -- one of my troubles with AdAware is that my secondary XP account cannot run it at all. It only runs on an Administrator account.
I will be looking into these other items, though. Thank you!
lublin
Guest IP: 67.70.*.*
|
Posted: Sat Apr 10, 2004 2:01 am Post subject: |
|
|
StephenC,
If you have set up the second user account so that you could increase your security while surfing, you shouldn't have to do that, and besides by so doing it sometimes creates problems such as software installed in the administrator account not running on the other accounts like it has for you on AdAware.
If you can sort your way through setting up a good layered defense for viruses, trojans and spyware you should be able to keep running off the administrator account alone with the internet security settings at medium and not high. With the settings at high other than the Restricted sites, you will probably have difficulty getting into some sites you may want to view.
StephenC
Guest IP: 24.61.*.*
|
Posted: Sat Apr 10, 2004 4:14 am Post subject: |
|
|
lublin:
Actually the high-security setting isn't really a problem unless I want to download a file (usually one of the ones you're recommending). I use "trusted sites" for the places I go all the time and trust; everything else I do is running fine on its own.
I believe not connecting through an administrator account is actually recommended for XP? I created my second user account AFTER cleaning up everything originally (when there was only the one Administrator account plus the guest account). So I would think that this would be more secure -- to only use the administrator account for installations, but the user account(s) to surf.
Thanks again.
lublin
Guest IP: 67.70.*.*
|
Posted: Sat Apr 10, 2004 6:44 am Post subject: |
|
|
StephenC,
Hope you get it all sorted out. Nothing more annoying than having to clean up garbage picked up from the internet.