Sites against parasites

LAST WEEK, I wrote that millions of Windows users unwittingly installed "parasites" when setting up music-sharing programs or other free marketing gimmicks. Some parasite programs harvest fake sales commissions from e-commerce sites. They can also make your PC unreliable and crash-prone. (See "Parasites in Windows" .)

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Many companies have banned employees from using music-sharing programs, not just due to copyright concerns. According to John Thornton, editor of Hacker's Digest, 6 percent of one peer-to-peer network's files are actually viruses. Downloads such as Pink.mp3.vbs are displayed by the music-sharing program without the .vbs extension, which indicates a Visual Basic Script virus ( www.theregister.co.uk/content/55/22119.html ).

Merely having a policy against peer-to-peer, however, doesn't clear up the mess that these programs quietly added to users' hard drives. A clean sweep requires new tools.

One of the most intriguing approaches to the problem has been initiated by a Web site developer named Andrew Clover. A British programmer who's fluent in Python, PHP, and Java, Clover divides his time between work in Germany and the United Kingdom.

Without installing anything, you can automatically test your PC for dozens of different parasite programs at his personal site ( http://and.doxdesk.com/parasite ). The test requires JavaScript, which is currently enabled in about 88 percent of browsers, according to www.thecounter.com/stats . Clover encourages visitors to copy and use the script on their own sites, perhaps modifying it to blend with their own styles.

The script works by querying your PC for character strings that various parasite programs insert into the Windows Registry. Each string, known as a Class ID or CLSID, is a globally unique hex number identifying a single program. These numbers are generated by GUIDgen.exe, a utility included with Microsoft Visual C++ 4.0 and later.

Many parasites use these strings to register themselves with Internet Explorer as a so-called Browser Helper Object. Microsoft designed IE to allow programs such as these to manipulate the keystrokes and activities of the browser. This is one way parasites transmit false e-commerce codes.

Unfortunately, Clover's test doesn't identify all worrisome parasites. Interviewed by telephone while he was visiting Bristol, England, Clover said, "There are lots of parasites that don't use a Class ID at all, and my script can't detect them."

It's my hope that a Web service can be developed that's truly comprehensive. Users could learn valuable info -- such as the symptoms and diagnoses Clover's site provides on 49 parasites -- even if their machines test clean.

Meanwhile, run the free Ad-Aware program, which searches for and allows you to remove almost all parasites. A helpful download page is at www.pcworld.com/downloads/file_description/0,fid,7423,00.asp . I'll have more on this next week.