* SpyWare Removal
How To Prevent Spyware - ZdNet June 7, 2004 from here
Spyware is even worse than spam in my view
We block most of our spam at a mail gateway and I'd say 95% of it gets flushed unread. Spyware, on the other hand, is in your face and crippling your PC, at least if you're one of those types of users who enthusiastically clicks yes to any prompt a web site might give you and who enjoys downloading moronic programs to put smiley emoticons in your Outlook mail, for instance. It's the leading cause of performance-related support calls at my organization and I've wasted dozens if not hundred of hours out of my busy days getting rid of this worthless garbage.
I'm not sure which bugs me more about spyware, the fact the programs that represent it are so utterly and completely pointless (shopping companions, stupid toolbars, special cursors, grinning purple monkeys, etc.) or the fact they're so poorly coded as to bring a system to its knees (it's ironic, because the poor programming skills on the part of the shameless cretins who write this drool thereby guarantee their products aren't going to last long, since IT will be alerted by complaining users to get rid of whatever is infesting the PC). I have seen public web browsing terminals that literally took 10 minutes to boot, and on which it was impossible to launch Internet Explorer due to the plethora of trash on them. Hotbar, MyWebsearch, BargainBuddy, Gator, Clearsearch, Clocksync, Precision Time, Date Manager, NewDotNet, CoolWebSearch, the horrendous Weatherbug program (which sucks down 18 Mb of RAM and adds at least 30 seconds to any PC's startup time), and my personal "favorite" - AdDestroyer, which pretends to be blocking ads but in reality makes sure it blasts you with nothing but junk - all of these need to be nuked on sight. And in my view the people who code this crud ought to be thrown in the slammer for trespassing and vandalism, given that this is pretty much all their miserable, misery-producing programs do. This is why people are utterly sick and tired of the constant, slobbering advertising that is out there, because the jerks pushing it are now invading their PCs to frantically shove ads in our faces.
I don't think end users should have to pay for anti-spyware solutions. I use four free tools: Ad-Aware and Spybot to scan for and delete this filth, Spywareblaster to prevent it from ever being installed, and HiJackThis as a general tool to see what's being loaded on startup and to remove some of the nastier elements of spyware which take over your start page in Internet Explorer, for instance. (Check Google for the download locations) Using these four programs plus making a careful analysis of what's under the Program Files folder and what is set in the registry to start up, I've always been able to tidy up the machines I support.
Lest there be any doubt as to what kind of vermin is behind spyware, some of these companies (Newdotnet, for one) are actually suing the makers of Ad-Aware for listing their product as spyware. Newdotnet is one of the nastiest components of spyware I've seen, if it is not carefully removed it will trash your network connection. That's by design. Easy rule of thumb: if any product forces you to go to their website to uninstall it or gives you some angry/pleading litany that "our product is NOT spyware!" that means it IS spyware and needs to be deleted immediately.
Follow these steps to remain spyware-free:
1. Set IE to disable downloads (for IE 6 go to Tools, Internet Options, Security, Internet, Custom Level) If you need to turn this off temporarily later on you can always reverse this.
2. Set IE to disable the installation of desktop items (for IE 6 go to Tools, Internet Options, Security, Internet, Custom Level)
3. Install Spywareblaster and update it periodically.
4. Never click yes if a website wants you to install some program in order to "view it properly."
5. Stay away from warez, porn, gambling, and other sleazy sites.
6. Never, ever buy anything advertised through popup ads thrown at you thanks to spyware. And the same goes for spam. If you really want to get industrious, contact the makers of said products and inform them you have declined to purchase their products thanks to their support of spyware and its infantile, bullying tactics.
Eventually we'll take control of our own computers back from those who would commandeer them for their own grubby intentions.
Product Download locations:
A Reader's response about Trojan Horses
From this response -- that mentions one should also run software to deal with Trojan Horses
You need one more critical, semi-free tool in my opinion: TDS-3 (http://tds.diamondcs.com.au). Just like adware/spyware/malware is a different class of software than viruses and worms, trojan horses (especially RATs, or Remote Access Trojans) are in a class by themselves, and they are far more dangerous. Trojan horses are typically concealed better, and are used primarily to steal data (your tax returns? your medical records? your online banking logins and records? proprietary company information? -- all are vulnerable) and passwords as well as to take over control of machines. Most spyware scanning tools like Spybot-Search & Destroy, Lavasoft's Ad-Aware, and Webroot's Spy Sweeper do a good job of adware/spyware/malware detection and removal but are unable to detect trojan horses. TDS-3 can detect spyware too, but it specializes in trojan horse detection and removal, and it works very well in my opinion.
I use Spybot-S&D, Ad-Aware, and Spy Sweeper when cleaning PCs at work, and between the three of them they do a good job of removing the vast majority of adware/spyware/malware, and each tends to catch a few things the others don't.
But I then follow up by installing TDS-3, manually updating its database (simple instructions on their web site; the auto update feature is available to those who pay and register), and running a full scan. TDS-3 is a pro level tool with tons of capabilities, hence the overwhelming interface, but the Help files are good and can step you through simple scanning operations. It takes a little longer than the other tools, but it is more thorough. It's a bummer there is no "nuke everything you found" option when it's done -- you have to right-click on each item in the list one at a time and select "Delete," but it's still an invaluable tool. (Maybe there is a way to set up automatic removal and I just haven't discovered it yet.)
After cleaning up with TDS-3, follow mreilly19's suggestion to carefully scrutinize the Program Files folder and the registry startup keys (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the same key under HKEY_CURRENT_USER). If an exploit is running at startup you'll see a REG_SZ value pointing to the executable, so Google any suspicious entries to see if it is known spyware, etc. Track down the file being loaded and delete it, then delete the corresponding reg key.
If you can't delete the file it is because it is running in memory. Go into Task Manager -> Processes tab and End Process. Watch the list and the number of running processes in the lower lefthand corner. The number should decrease by one and stay that way. If after a few seconds another weird process name pops up in the list, you've got a particularly nasty exploit to deal with. Reboot your machine into Safe Mode (not available in NT4). Safe Mode loads Windows 2000/XP with only the core services/processes needed to boot the OS. This means the Startup folder and the registry's Run keys are ignored, and rouge processes are prevented from loading into memory. You can then delete the offending files followed by the reg keys that load them at a normal startup. Reboot normally.
After all of this, it still doesn't hurt to check running processes in Task Manager (Windows NT/2000/XP) one last time and Google any suspicious looking process names. It is still possible for an exploit to evade detection no matter how many tools you throw at it, and the authors are getting better at picking process names that look like they are part of the OS.
I spent most of last week at work cleaning machines. In each case, Spybot-S&D, Ad-Aware, and Spy Sweeper removed tons of garbage and the PC looked clean and performed much better. But a quick check of the registry and Task Manager showed unknown processes still being loaded. A full scan with TDS-3 revealed as many as 17 RATs still infesting the system. In one case an exploit remained even after scanning with TDS-3. That's why a careful inspection in necessary afterwards.
I don't consider my job done until I've covered all the known bases, and that includes trojan horses. Trojan horses are sure living up to their name. Not only are they evading detection and removal on millions of PCs, they are flying under the radar of the mainstream press as well.
Chris, waiting patiently for Symantec's newer corporate client tools that can remove and prevent this stuff...
SpyBot Search & Destroy - Free - PepiMK Software - PC Mag Editor's Choice
The Spyware that loved me April 8, 04 LINK
Spyware cures may cause more harm than good Feb 4, 04 LINK
Robs Useful List - what he did in 2004 Jan
I downloaded Spybot (http://www.safer-networking.org) which PC Magazine rated tops for finding and removing spyware. It worked like a charm – found 3 things and cleaned them out.
I also have installed a PC Magazine utility called Startupcop Pro. You get this by going to pcmag.com and subscribing to their utilities area for $15/year and then you can download it. It checks what all the programs are that have set themselves up to run everytime your computer is booted. It didn’t find anything bad after Spybot had cleaned things out but now startupcop lets me know whenever a new program is trying to install in the startup folder.
Lastly, I’ve found a more informative and powerful alternative tool than the Alt-Ctrl-Del “Taskmanager” for seeing what tasks and applications are running and what they are doing. It is at http://www.sysinternals.com and it’s called ProcessExplorer.
Creation date: Jan 31, 2004 4:00 pm Last modified date: Nov 8, 2005 5:01 am Last visit date: Jul 13, 2019 8:56 am