
Temporary fix for IE vulnerability

eEye has released a temporary third-party patch for the actively exploited IE vulnerability (the createTextRange() flaw described below), with this warning:

Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation [my emphasis].

Read more and download here

A small comment: don't bother with this third-party patch. Disabling Active Scripting in IE is a valid mitigation, and eEye itself says the patch is only for those who cannot do that.

March 29, 2006 on 9:33 am | In Critical patch, Exploits & Vulnerabilities | No Comments |


SpywareQuake Automatic removal

Good news: Spyware Quake can now be removed from your system automatically with CounterSpy.

If you have problems with SpywareQuake you can follow the manual removal instructions (How to remove SpywareQuake) or try the free trial version of CounterSpy.

March 28, 2006 on 8:13 am | In Spyware protection and removal, Tips | No Comments |


How to disable Active Scripting support

A few days ago a new IE vulnerability was found (the createTextRange() flaw). No patch is available yet; the only mitigation is to disable Active Scripting support. Here is how.

Open Internet Explorer, open the “Tools” menu and click “Internet Options”. Go to the “Security” tab, select the “Internet” zone and click the “Custom Level” button.

In the settings list, scroll down to “Active scripting”, set it to “Disable” and click “OK”.

If there are sites you trust that need scripting, add them to the Trusted sites zone; scripting stays enabled there. Note that the Trusted sites zone runs at a lower security level than the Internet zone overall, not just with scripting enabled, so keep that list short.

To add a trusted site, select “Trusted sites” and click the “Sites” button.

Type the domain name and click “Add”. For plain http sites, untick “Require server verification (https:) for all sites in this zone” first.

Click “Close” and then “OK” to leave Internet Options.
IE will now refuse to run script on pages in the Internet zone, which blocks the current exploits for this vulnerability. The bug itself remains until Microsoft ships a patch.
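The same change can be scripted instead of clicked through. The following Python example is added here and is not part of the original post: it writes a .reg file that sets the Internet zone's “Active scripting” action (registry value 1400 under Zones\3: 0 = Enable, 1 = Prompt, 3 = Disable) and maps named hosts into the Trusted sites zone (zone 2) through ZoneMap\Domains, splitting each host into a two-label domain key plus a subdomain subkey the way IE writes it. The output file name and the sample host list are assumptions.

```python
"""Write a .reg file that disables Active Scripting in IE's Internet zone and
puts chosen hosts into the Trusted sites zone.  Added example, not from the
original post.  Apply it (with IE closed) as the affected user:
    reg import disable_active_scripting.reg
"""
import re
import sys

# Per-user zone settings.  HKLM holds a parallel tree that only takes
# precedence when the Security_HKLM_only policy is set.
INTERNET_SETTINGS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings")
ZONE_TRUSTED, ZONE_INTERNET = 2, 3        # IE security zone numbers
ACTION_ACTIVE_SCRIPTING = "1400"          # URL action id for "Active scripting"
ENABLE, PROMPT, DISABLE = 0, 1, 3         # the three values that action takes

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def zone_map_key(host):
    """Subkey under ZoneMap\\Domains for a host, in the shape IE writes itself:
    'example.com' -> 'example.com', 'www.example.com' -> 'example.com\\www',
    'a.b.example.com' -> 'example.com\\a.b'."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):             # treat a wildcard as the bare domain
        host = host[2:]
    if not HOST_RE.match(host):
        raise ValueError(f"not a host name: {host!r}")
    labels = host.split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return f"{domain}\\{sub}" if sub else domain


def build_reg(trusted_hosts=(), scripting=DISABLE):
    """Return the text of a .reg file that applies the settings."""
    if scripting not in (ENABLE, PROMPT, DISABLE):
        raise ValueError("scripting must be ENABLE, PROMPT or DISABLE")
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[{INTERNET_SETTINGS}\\Zones\\{ZONE_INTERNET}]",
              f'"{ACTION_ACTIVE_SCRIPTING}"=dword:{scripting:08x}', ""]
    # De-duplicate after normalisation so Example.com and example.com merge.
    for key in dict.fromkeys(zone_map_key(h) for h in trusted_hosts):
        lines += [f"[{INTERNET_SETTINGS}\\ZoneMap\\Domains\\{key}]",
                  f'"*"=dword:{ZONE_TRUSTED:08x}', ""]   # "*" covers every scheme
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Assumed host list; replace it with the sites you actually trust.
    hosts = sys.argv[1:] or ["www.microsoft.com", "windowsupdate.microsoft.com"]
    with open("disable_active_scripting.reg", "w", newline="") as out:
        out.write(build_reg(hosts))
```

The file only changes the profile of the user who imports it; every account on the machine needs the same import. Re-importing with scripting=ENABLE (value 0) undoes the change once a patch is installed.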

March 26, 2006 on 11:44 am | In Tutorials - HowTo | No Comments |


BHO malware used IE vulnerability for install

BHO malware is using the IE vulnerability to install itself. SANS reported:

There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.

This malware installs a DLL that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process. The malware creates the following on install:

C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636

It also creates a file called sub.txt when you surf the internet and records everything it can about where you surf and what you do.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!

Don't forget: until a patch ships, the only way to block this vulnerability is to disable Active Scripting support.

March 26, 2006 on 10:57 am | In Exploits & Vulnerabilities | No Comments |


How to remove SpywareQuake

SpywareQuake is a rogue anti-spyware program that issues fake warnings on your computer to manipulate you into buying its full commercial version. The program is generally installed by a Trojan that downloads and installs it automatically. More info here.
If you are infected with this program you will see warnings in your task bar stating that you are infected with spyware and that you should run its special anti-spyware tool. That tool turns out to be the commercial version of SpywareQuake. The warnings are fake and exist only to push you into buying the software.

SpywareQuake fake alert text:

Your computer is infected!
Critical System Error!
System detected virus
activities. They may cause
critical system failure. Please,
use antimalware software to
clean and protect your system
from parasite programs.
Click here to get all available
sofware.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: SpywareQuake

Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

NOTE:

Currently smitRem alone will not remove this infection. We are including it in this fix because SpywareQuake has been seen to install with other portions of the Smitfraud infection.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, download, install, and update the free version of Ewido security suite:

1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.

If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.

Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):


O2 - BHO … C:\Windows\SYSTEM32\hp*.tmp (the name changes)
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Using Windows Explorer, locate and delete the following files and folder:
C:\Windows\System32\stickrep.dll
C:\Windows\System32\mssearchnet.exe
C:\Program Files\SpywareQuake\

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again; this is normal.
Wait for the tool to complete and Disk Cleanup to finish. This may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.

Reboot your computer back to normal mode.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck “Security Info” if present.
Download and run CCleaner.

CCleaner (Crap Cleaner) is a freeware system optimization and privacy tool. It removes unused and temporary files from your system, which frees disk space and helps Windows run faster.

Reboot your computer.

Perform an online scan with Panda ActiveScan. Do a full system scan and make sure the autoclean box is checked.

Your computer should now be free of the SpywareQuake infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below

Spyware removal – Read Before Posting

March 26, 2006 on 9:17 am | In Tutorials - HowTo | 1 Comment |


New rogue anti spyware Spyware Quake

The Sunbelt blog reported a new rogue anti-spyware application, Spyware Quake, a replacement for SpyFalcon and SpyAxe.


Spyware Quake is installed through the infamous VCodec trojan as well as various exploits.

WHOIS Information:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad (Whois Privacy and Spam Prevention by Whois Source)
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

In addition to just a stealth install of Spyware Quake, an infected machine will exhibit other unwanted symptoms such as Internet Explorer browser hijacks, a stealth installed “Security Toolbar”, and pop-up advertising that is often adult in nature. Also commonly seen is pop-up advertising for WinFixer.

Now available: How to remove SpywareQuake

If you can't uninstall or remove it, tell us about your problem.

March 25, 2006 on 9:19 am | In Rogue Anti Spyware | No Comments |


100 confirmed sites now using the IE vulnerability

100 confirmed sites are now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at Websense and Joe Stewart at LURHQ.

These can be very nasty. Sunbelt analysed one site, www(dot)textrum(dot)se (since shut down):
The exploit fetches a file, updater.exe, which is W32/Spybot (also detected as W32/Backdoor and Adware.NaviPromo.M).
Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0″=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

There is no patch available for this vulnerability. The only ways to avoid it are:
- turn off Active Scripting
- use a non-IE browser (the latest IE 7 build, the March 20 Beta 2 Preview, is not affected).
Your standard protections should also be in place: antivirus, firewall, antispyware.
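A sandbox report like the one above is only useful if its indicators end up in blocklists and host checks. The following Python example is added here and is not part of the post or of Norman's tooling: it pulls file paths, registry values, network connections and mutex names out of the report's bullet lines, normalises the curly quotes that pasted reports carry, and picks out the Run/RunOnce values as the persistence mechanism. The sample input is the report from this post, trimmed to the lines the parser understands.

```python
"""Extract indicators from a Norman SandBox report.  Added example, not from
the post; SAMPLE_REPORT is the report quoted in the post, trimmed."""
import re

# Pasted reports carry typographic quotes; fold them to plain ones first.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

FILE_RE = re.compile(r"^Creates (?:file|directory) (?P<path>[A-Za-z]:\\.*?)\.?$")
REG_RE = re.compile(r'^(?:Creates|Modifies) value "(?P<name>[^"]*)"="(?P<data>[^"]*)" '
                    r'in key "(?P<key>[^"]+)"\.?$')
CONNECT_RE = re.compile(r'^Connects to "(?P<host>[^"]+)" on port (?P<port>\d+)')
MUTEX_RE = re.compile(r"^Creates a mutex (?P<name>\S+?)\.?$")


def parse_norman_report(text):
    """Return {'files': [...], 'registry': [(key, name, data)],
    'network': [(host, port)], 'mutexes': [...]} from the '*' lines."""
    found = {"files": [], "registry": [], "network": [], "mutexes": []}
    for raw in text.translate(QUOTES).splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue                      # section headers and prose
        item = line.lstrip("* ").strip()
        if (m := FILE_RE.match(item)):
            found["files"].append(m["path"])
        elif (m := REG_RE.match(item)):
            found["registry"].append((m["key"], m["name"], m["data"]))
        elif (m := CONNECT_RE.match(item)):
            found["network"].append((m["host"], int(m["port"])))
        elif (m := MUTEX_RE.match(item)):
            found["mutexes"].append(m["name"])
    return found


def persistence_entries(found):
    """Registry values written under a Run or RunOnce key: the autorun the
    report summarises as 'Will automatically restart after boot'."""
    return [(key, name, data) for key, name, data in found["registry"]
            if key.lower().rsplit("\\", 1)[-1] in ("run", "runonce")]


SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0″=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.

[ Process/window information ]
* Will automatically restart after boot (I’ll be back…).
* Creates a mutex coolbot1.c4.
"""

if __name__ == "__main__":
    import json
    found = parse_norman_report(SAMPLE_REPORT)
    print(json.dumps(found, indent=2))
    print("persistence:", persistence_entries(found))
```

The network tuple is what goes into a firewall or proxy blocklist (IRC on 6667 to a dynamic-DNS host is the bot's control channel); the file paths, Run values and mutex name are what a host check looks for on a machine that visited one of the exploiting sites.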

March 24, 2006 on 9:44 pm | In Exploits & Vulnerabilities | No Comments |


RealNetworks Products Multiple Buffer Overflow Vulnerabilities

Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.

2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user’s system.

3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.

A weakness when executing other programs is caused by incorrect use of the “CreateProcess()” API. This may allow execution of an arbitrary program on the system if it can be placed in the program path.

The following products are affected by one or more of the vulnerabilities:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Rhapsody 3 (build 0.815 - 1.0.269)
* Mac RealPlayer 10 (10.0.0.305 – 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.6)
* Helix Player (10.0.6)
* Linux RealPlayer 10 (10.0.0 – 5)
* Helix Player (10.0.0 – 5)

Patch your RealPlayer now.

March 23, 2006 on 9:36 am | In Critical patch, Exploits & Vulnerabilities | No Comments |


New Internet Explorer vulnerability

Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the processing of the “createTextRange()” method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

To block the vulnerability, disable Active Scripting support.

March 23, 2006 on 9:25 am | In Exploits & Vulnerabilities | No Comments |


Top 10 spyware threats discovered for last 24 hours

Here are the top 10 spyware threats of the last 24 hours, as tracked by Sunbelt Software:

01. DesktopScam
02. Hotbar – How to remove Hotbar
03. WhenU.SaveNow
04. Looking-For.Home Search Assistant
05. CmdService
06. BraveSentry - How to remove BraveSentry
07. 180search Assistant
08. iSearch.DesktopSearch
09. Vcodec - How to remove Vcodec
10. SpyFalcon - How to remove SpyFalcon

If you can't uninstall or remove this spyware, tell us about your problem.

March 22, 2006 on 7:16 am | In Spyware protection and removal | 2 Comments |


Coolwebsearch.info – new site from the Coolwebsearch family

Sunbelt reported a new CWS site, Coolwebsearch.info.
The site is an affiliate of Coolwebsearch.com and installs a toolbar that hijacks the home page, without any EULA.


Run by our Best Friend Ever, Vadim Praha.
Whois Data:

Fedorov Vadim Praha CZ hali @ volny.cz
Fedorov Vadim Praha CZ sp @ prague-sex.com
Fedorov Vadim Prtaha 5 CZ sovsem @ nevest.net
Fedorov Vadim Praha CZ radmin @ radmin.kirov.ru

And he has lots more sites on the IP 194.187.96.195, which you are welcome to add to your blocklists (duplicates in the original list removed):

100pantyhose.com
adult-friends-finder.net
adultdvdlist.com
analmaids.com
beesearch.info
best-porn.biz
boyknights.com
coolsearcher.info
coolwebsearch.info
coolwebsearch.org
domainname4you.com
fukingmachines.info
girls-porn-life.com
hogtied.info
jonnylinks.com
machinesboys.com
meninpain.biz
mirotino.com
nevest.net
onlyfuck.com
pansion.cz
pantyhose-bangs.com
pavlovbooks.com
peniscontent.com
pereulok.net
planet-high-heels.com
porn-sex-free.biz
pornfree.info
pornosaity.com
pornpic.org
prague-porn.biz
prague-sex.com
rape-cool-video.com
salabon.com
sebastacz.com
sex-prague.com
shopknights.com
spviphost.com
ultimatesurrender.biz
waterbondage.biz
zaseyan.com

If you don't know how to block these sites, try this howto: How to use the HOSTS file to block sites
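Lists like the one above tend to be pasted into the HOSTS file by hand, with duplicates and missing www. variants. The following Python example is added here and is not part of the post or of the linked howto: it normalises a domain list, emits one sinkhole line per host (with and without www., since a HOSTS entry matches an exact name only), and merges the result into an existing HOSTS file between marker comments so that running it again replaces the block instead of appending a second copy. The marker text is an assumption; the sample domains are a few from the post's list, including the duplicates it contains.

```python
"""Turn a domain blocklist into HOSTS-file entries and merge them into an
existing HOSTS file idempotently.  Added example, not from the post."""
import re

SINKHOLE = "127.0.0.1"        # 0.0.0.0 avoids hitting a local web server, if you run one
BEGIN = "# BEGIN blocklist (myantispyware)"     # assumed marker comments
END = "# END blocklist (myantispyware)"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize_domain(name):
    """Lower-case, strip a leading 'www.' and a trailing dot, reject junk."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    if not DOMAIN_RE.match(name):
        raise ValueError(f"not a domain name: {name!r}")
    return name


def hosts_entries(domains, sinkhole=SINKHOLE, with_www=True):
    """One 'sinkhole host' line per host, de-duplicated, order preserved.
    A HOSTS entry matches an exact name, not its subdomains, so each domain
    is emitted with and without the www. prefix."""
    seen, out = set(), []
    for domain in domains:
        base = normalize_domain(domain)
        for host in ((base, "www." + base) if with_www else (base,)):
            if host not in seen:
                seen.add(host)
                out.append(f"{sinkhole} {host}")
    return out


def merge_into_hosts(existing_text, domains, sinkhole=SINKHOLE):
    """Replace (or append) the marked block in a HOSTS file's text; the rest
    of the file, including the localhost line, is left untouched.  Running it
    twice with the same list yields the same text."""
    kept, inside = [], False
    for line in existing_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    while kept and not kept[-1].strip():      # drop trailing blank lines
        kept.pop()
    block = [BEGIN, *hosts_entries(domains, sinkhole), END]
    return "\n".join(kept + [""] + block) + "\n"


# A few domains from the post's list, with the duplicates the list contains.
SAMPLE_BLOCKLIST = ["Coolwebsearch.info", "coolwebsearch.info", "coolwebsearch.org",
                    "coolsearcher.info", "beesearch.info", "Mirotino.com", "Mirotino.com"]

if __name__ == "__main__":
    import os
    import sys
    # Windows location; needs an elevated prompt.  Pass another path to test.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(
        r"%SystemRoot%\System32\drivers\etc\hosts")
    with open(path, encoding="utf-8", errors="replace") as f:
        current = f.read()
    with open(path, "w", encoding="utf-8") as f:   # text mode writes CRLF on Windows
        f.write(merge_into_hosts(current, SAMPLE_BLOCKLIST))
```

The HOSTS file only intercepts name lookups. It does nothing against the IP 194.187.96.195 itself, or against any new name the operator points at it; blocking the address needs a firewall rule.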

Also, if you can't remove the CWS hijacker or toolbar, try this: How to remove CWS Hijacker

March 21, 2006 on 10:33 am | In Browser Hijacking | No Comments |


New unpatched vulnerability in the Internet Explorer (mshtml.dll) found

There is a new and unpatched vulnerability, with exploit code in the wild, that affects the latest version of IE. The exploit works by including an abnormally large number (a couple of thousand) of script event handlers inside a single HTML tag.

This vulnerability can be triggered by specifying more than a couple thousand script action handlers (such as onLoad, onMouseMove, etc) for any single HTML tag. Due to a programming error, MSIE will then attempt to write memory array out of bounds, at an offset corresponding to the ID of the script action handler multiplied by 4 (due to 32-bit address clipping, the result is a small positive integer).

The list of IDs can be found on the Web, and is as follows (values in parentheses = resulting offsets):

onhelp = 0x8001177d (+0x45df4)
onclick = 0x80011778 (+0x45de0)
ondblclick = 0x80011779 (+0x45de4)
onkeyup = 0x80011776 (+0x45dd8)
onkeydown = 0x80011775 (+0x45dd4)
onkeypress = 0x80011777 (+0x45ddc)
onmouseup = 0x80011773 (+0x45dcc)
onmousedown = 0x80011772 (+0x45dc8)
onmousemove = 0x80011774 (+0x45dd0)
onmouseout = 0x80011771 (+0x45dc4)
onmouseover = 0x80011770 (+0x45dc0)
onreadystatechange = 0x80011789 (+0x45e24)
onafterupdate = 0x80011786 (+0x45e18)
onrowexit = 0x80011782 (+0x45e08)
onrowenter = 0x80011783 (+0x45e0c)
ondragstart = 0x80011793 (+0x45e4c)
onselectstart = 0x80011795 (+0x45e54)

This causes an out-of-bounds write to a memory array in mshtml.dll and, as a result, an immediate or eventual browser crash. Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there are ongoing attempts to use it as a vector for remote code execution.

Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far as I can tell, other browser makes (Firefox, Opera) are not susceptible to this attack.

Thanks to SecurityFocus
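The offsets in the advisory's table follow from its one-line rule: the handler ID is used as an index into an array of 4-byte slots, and the product is truncated to 32 bits, which drops the high bit of the ID and leaves a small positive offset. The following Python example is added here and is not part of the advisory or of the post: it reproduces the table from that rule and, on the defensive side, flags HTML that stuffs an abnormal number of on* attributes into one tag, which is the shape the signatures mentioned above are looking for. The detection threshold and the two sample documents are constructed for the example.

```python
"""Reproduce the advisory's offset table and flag HTML that piles an abnormal
number of event handlers onto one tag.  Added example, not from the advisory
or the post; the sample documents are constructed."""
from html.parser import HTMLParser

# Handler IDs exactly as listed in the advisory.
HANDLER_IDS = {
    "onhelp": 0x8001177d, "onclick": 0x80011778, "ondblclick": 0x80011779,
    "onkeyup": 0x80011776, "onkeydown": 0x80011775, "onkeypress": 0x80011777,
    "onmouseup": 0x80011773, "onmousedown": 0x80011772, "onmousemove": 0x80011774,
    "onmouseout": 0x80011771, "onmouseover": 0x80011770,
    "onreadystatechange": 0x80011789, "onafterupdate": 0x80011786,
    "onrowexit": 0x80011782, "onrowenter": 0x80011783,
    "ondragstart": 0x80011793, "onselectstart": 0x80011795,
}


def handler_offset(handler_id, pointer_bits=32):
    """The advisory's rule: offset = ID * 4, truncated to the pointer width.
    0x8001177d * 4 = 0x2_0004_5df4; keeping 32 bits leaves 0x45df4."""
    return (handler_id * 4) & ((1 << pointer_bits) - 1)


def offset_table():
    """{handler name: resulting offset} for every ID in HANDLER_IDS."""
    return {name: handler_offset(hid) for name, hid in HANDLER_IDS.items()}


class HandlerFloodDetector(HTMLParser):
    """Count on* attributes per start tag.  HTMLParser keeps duplicate
    attributes, which is exactly what the trigger relies on."""

    def __init__(self, threshold):
        super().__init__()
        self.threshold = threshold
        self.flagged = []             # (tag, number of handler attributes)

    def handle_starttag(self, tag, attrs):
        handlers = sum(1 for name, _ in attrs if name.startswith("on"))
        if handlers > self.threshold:
            self.flagged.append((tag, handlers))


def scan_html(document, threshold=64):
    """Return [(tag, count)] for tags carrying more than `threshold` handlers.
    64 is an assumed ceiling; real pages use a handful per tag, the trigger
    needs thousands."""
    detector = HandlerFloodDetector(threshold)
    detector.feed(document)
    detector.close()
    return detector.flagged


# Constructed samples: an ordinary page and one shaped as the advisory describes.
BENIGN_HTML = '<html><body><a href="#" onclick="go()" onmouseover="hi()">x</a></body></html>'
FLOOD_HTML = ("<html><body><div " + " ".join(["onmousemove=x"] * 3000)
              + "></div></body></html>")

if __name__ == "__main__":
    for name, off in offset_table().items():
        print(f"{name:<20} id=0x{HANDLER_IDS[name]:08x} offset=+0x{off:x}")
    print("benign:", scan_html(BENIGN_HTML))
    print("flood: ", scan_html(FLOOD_HTML))
```

Every offset the table gives is in the range 0x45dc0 to 0x45e54, i.e. the write lands a fixed, small distance past the array rather than at an attacker-chosen address, which is why the bug was a crash and not yet code execution.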

March 17, 2006 on 11:57 pm | In Exploits & Vulnerabilities | No Comments |


Multiple vulnerabilities have been identified in various Macromedia products

Multiple vulnerabilities have been identified in various Macromedia products, which could be exploited by remote attackers to execute arbitrary commands. These flaws are due to unspecified errors when processing specially crafted SWF files.

Affected Products

Flash Player versions 8.0.22.0 and prior
Breeze Meeting Add-In Version 5.1 and prior
Shockwave Player version 10.1.0.11 and prior
Flash Debug Player version 7.0.14.0 and prior

Update your Macromedia programs now

March 15, 2006 on 9:51 am | In Exploits & Vulnerabilities | No Comments |


How to remove BraveSentry

BraveSentry is a rogue anti spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following program, if found: BraveSentry.

Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, download, install, and update the free version of Ewido security suite:

1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.

If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of the drive where your operating system is installed (e.g. Local Disk C:, the drive that holds your WINDOWS folder).

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again; this is normal.
Wait for the tool to complete and Disk Cleanup to finish. This may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Using Windows Explorer, locate and delete the following folder:
C:\Program Files\Bravesentry

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck “Security Info” if present (the name may differ).

Finally, restart your computer.

Post to the Spyware Removal Forum, if any problems persist
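The HijackThis step in this procedure and in the SpywareQuake removal above comes down to spotting a handful of O2 and O4 lines in a log. The following Python example is added here and is not part of either post or of HijackThis: it parses the O4 (autorun) and O2 (BHO) line formats, matches them against the entries the two posts name, and reports the line numbers to fix. The sample log is constructed; the BHO file name uses a glob because the posts say it changes (hp*.tmp). The KernelFaultCheck/dumprep entry is Windows' own error-reporting helper: the BraveSentry post lists it and removing it is harmless, but it is not the rogue itself.

```python
"""Scan a HijackThis log for the autorun and BHO entries named in the
SpywareQuake and BraveSentry removal posts.  Added example, not from the
posts; the sample log is constructed."""
import fnmatch
import re

# O4 - HKLM\..\Run: [Name] C:\path\to\program.exe /args
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: description - {CLSID} - C:\path\to\file.dll
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$")

# (autorun value name, glob over the command line) -> what the post calls it.
KNOWN_BAD_O4 = {
    ("SpywareQuake", r"*\SpywareQuake\SpywareQuake.exe*"): "SpywareQuake autorun",
    ("System", r"*\System32\kernels8.exe"): "kernels8.exe (BraveSentry post)",
    ("Windows update loader", r"*\xpupdate.exe"): "xpupdate.exe (BraveSentry post)",
    # dumprep is Windows' own error-reporting helper; listed in the post,
    # harmless to remove, but not the rogue itself.
    ("KernelFaultCheck", r"*dumprep 0 -k"): "KernelFaultCheck (BraveSentry post)",
}
# Glob over the BHO's DLL path; the hp*.tmp name is random per install.
KNOWN_BAD_O2 = {r"*\system32\hp*.tmp": "SpywareQuake BHO (random hp*.tmp)"}


def _glob(text, pattern):
    """Case-insensitive glob match; backslashes in the pattern are literal."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def find_known_bad(log_text):
    """Return [(line number, label, line)] for every matching log entry."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip().replace("\u2013", "-")   # pasted logs often carry an en dash
        m = O4_RE.match(line)
        if m:
            for (name, cmd_glob), label in KNOWN_BAD_O4.items():
                if m["name"].lower() == name.lower() and _glob(m["cmd"], cmd_glob):
                    hits.append((lineno, label, line))
            continue
        m = O2_RE.match(line)
        if m:
            for path_glob, label in KNOWN_BAD_O2.items():
                if _glob(m["path"], path_glob):
                    hits.append((lineno, label, line))
    return hits


# Constructed sample: two legitimate entries mixed with the ones from the posts.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\hp2F1A.tmp
O2 - BHO: Some Legit Helper - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Vendor\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    for lineno, label, line in find_known_bad(text):
        print(f"line {lineno}: {label}\n    {line}")
```

Run it over a saved log (python scan_hjt.py hijackthis.log) before ticking boxes in HijackThis; anything it does not flag still deserves a look, since the list only knows the names the two posts give.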

March 14, 2006 on 7:05 am | In Tutorials - HowTo | No Comments |


Fake Windows Sites + WMF Exploit + Keylogger = New Botnet

Adam Piggott of Proactive Computing received an email purporting to come from Microsoft. The email had a link to a supposed Windows Update site, but the link actually went to a site running the WMF exploit. On an unpatched Windows computer the exploit hits immediately. Social engineering is also at work: the site urges users to click a link to get Windows updates. Either way, unpatched, or patched and clicking the link, the user gets a trojan downloader; in this case the trojan's file name is wusetup.exe.

The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. The keylogger writes the information stolen from infected machines to a log on a remote server.

For more details on this exploit and botnet, see the Sunbelt blog, which includes screenshots of the fake Windows Update site and of the live botnet on the Russian server. Note: the trojan downloader wusetup.exe is currently detected by fewer than half of the antivirus scanners at VirusTotal.

March 13, 2006 on 9:46 am | In Exploits & Vulnerabilities, Identity Theft, Worms | No Comments |


Trojan horse keylogger steals end-user information for popular online games

Websense® Security Labs™ has received reports of a malicious website hosting a Trojan horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code's filename is main_n80.scr and it was discovered on a site which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply shows an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.

The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it uses download.exe to copy the extracted files to the system32 directory and executes its own version of rundll32.exe. This rundll32.exe shows error.jpg. Once the user closes the .jpg file, rundll32.exe executes the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure that they start on reboot, and check for the existence of the application Lineage.
* Modifies or creates files and stores them in the system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created

March 13, 2006 on 9:19 am | In Identity Theft, Trojan | 3 Comments |


LdPinch again spammed via ICQ

Over the weekend, Kaspersky Lab intercepted Trojan-PSW.Win32.LdPinch.ahe, the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim's ICQ contact list, with a Russian message which says:

[translation] How to trick WebMoney!
To find out how, read the Help instructions!

The message includes a link to the malicious program file, which is called Help.chm.

March 13, 2006 on 9:13 am | In Identity Theft, Virus | No Comments |


BraveSentry – new rogue anti spyware

In the last few months we have reported on SpyAxe, SpywareStrike, PestTrap, AlfaCleaner and SpyFalcon.
Now Sunbelt has found a new one: BraveSentry.

Below is a screenshot of an infestation from Game4all(dot)biz that installed both BraveSentry and AlfaCleaner:

For more screenshots go here.

If your desktop has been hijacked by BraveSentry you will see this message:

Your computer is danger!
Windows Security Center has detected spyware/adware infection!
It is strongly recomended to use special antispyware tools to prevent data loss

Whois info for your blocklist (see How to use the HOSTS file to block rogue sites):

bravesentry.com
Ocean Industries Daniel Ocean
Amsterdam NL
Email: ceo @ bravesentry.com

Other site on the same IP:

anosurfer.com
Pietro Miezani Privaweria Ltd
Gua EC
anosurfer @ anosurfer.com

Thanks to Sunbelt researchers Patrick Jordan and Adam Thomas.

If you can't uninstall or remove it, tell us about your problem.

See also: How to remove BraveSentry

March 9, 2006 on 10:05 am | In Rogue Anti Spyware | No Comments |


Exchange rate conversion tool loads Trojan.Downloader and Trojan.Muldrop

If you search for a “currency” or “exchange rate” conversion tool with one of the more popular search engines, you can find a link or site like this one:

The site presents the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to, all for free. The only catch: the user gets the “result” of his calculation as ... an EXE download.

The download contains what some AV vendors detect as Dropped:Trojan.Downloader and Trojan.Muldrop. If you use any sort of URL filter, web-url.de and wechselkursrechner.de should perhaps be added to your filter list, in case EXE downloads otherwise make it past your perimeter.

Thanks to the SANS diary.

March 8, 2006 on 8:00 am | In Trojan | No Comments |


Running as Limited User – The Easy Way to keep a system free from malware

Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.

One of the most effective ways to keep a system free from malware, and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone, require administrator rights. Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or to registry keys under HKLM\Software.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Read more here.

March 6, 2006 on 9:08 pm | In Spyware protection and removal | 1 Comment |




My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.