Spyware removal and general tuneup...



JIMINATOR
07-06-2004, 10:23 PM
As you may or may not know, the secondary scum of the earth, next
to virus writers, are spyware programs. These can do various things:
reset your homepage, pop up unwanted pages, make multiple spam
popups, redirect you to other websites, make it impossible for
you to browse. One thing though, they will make your computer slower
and your overall internet experience suck.

Someone should really declare these things viruses, and then Microsoft can
get off their ass and release a patch whereby browsers cannot be hijacked
simply by the act of going to a site.

JIMINATOR
07-06-2004, 10:25 PM
Please be aware that by following these instructions, you can possibly damage
your system. Not in any major way really, but if you have additional hardware
you may lose the drivers for that hardware, which is probably an easy fix,
but something you should be aware of.

JIMINATOR
07-06-2004, 10:27 PM
For the first step, you want to open Control Panel, go into Add and Remove
Programs, and remove anything that you are pretty confident you did not
install. You want to keep things like codecs, device drivers, etc.
Some software, like Kazaa, comes with loads of spyware. Delete it all,
including Kazaa. There is a Kazaa Lite version which you can get that is clean.

JIMINATOR
07-06-2004, 10:31 PM
For the next step, kill all unnecessary processes. Press Ctrl-Alt-Del and click on
Processes. Below is a sample screenshot of a fairly stripped system. You want
to nuke as much as possible, because any spyware that is running cannot
be deleted without restarting.

JIMINATOR
07-06-2004, 10:32 PM
Probably a better program to use instead of Task Manager is Process Explorer
from http://www.sysinternals.com/. It gives more details about the processes
running and you can get a better idea of what is good or not.

JIMINATOR
07-06-2004, 10:34 PM
Get Spybot Search & Destroy.

Spybot is at http://www.safer-networking.org/index.php

Update the definitions first and then run each. I think Spybot is becoming obsolete,
since it no longer appears to be getting updated.

For running Spybot, you want the advanced mode. Right click on your shortcut,
view Properties, and delete the /easymode text.

Once you update, run the program. You may need to reboot if there is a process
running that you did not delete.

JIMINATOR
07-06-2004, 10:35 PM
Under the advanced Spybot mode, there is a Tools menu on the left. It includes the
internet plugins, ActiveX controls, startup entries, web pages etc.

Review each item. Delete anything you are pretty sure does not belong there.

Your sound card and video card will probably have installed utilities that are
running and are listed in the startup menu. Things like nwiz.exe, cthelper.exe...

You can type the name in Google and search there, or try http://www.windowsstartup.com to see what they show.

Processes or startup programs with random-seeming names are likely to be bogus crap that you want to delete if possible.

JIMINATOR
07-06-2004, 10:39 PM
Then it is time to get and run Ad-Aware.

Ad-Aware is available at http://lavasoft.element5.com/software/adaware/

Download, update, and run.

JIMINATOR
07-06-2004, 10:43 PM
At this point, you should be fairly clean. For startup items that you
have deleted from the registry, you may want to go and delete
the corresponding programs on your drive. If you are worried about
doing that, make a folder, and drag them all there. Reboot, and if
your system works fine, delete them a week later.

JIMINATOR
07-06-2004, 10:47 PM
Another note about things like RealPlayer, QuickTime, RealScheduler,
Messenger. I don't need any of that crap running at startup, and you
probably do not either. You may want to nuke them from the startup
menu or disable the loading in the program settings. You can also
view startup items by clicking Start - Run and then typing msconfig.
This is a Microsoft utility that allows you to make changes to your
startup programs. Useful if you don't have Spybot; it shows other info also.

JIMINATOR
07-06-2004, 10:52 PM
Once you have come this far, you will want to reboot, and repeat,
looking at your processes to see what is running, or if you have missed
anything. Some of the virulent programs will manage to redo everything
you have undone, so just be aware of those.

If you are still having issues browsing, and want to give up, then you
can try an alternative to Internet Explorer, Firefox. In general it does
much more than Internet Explorer, but is a little bit slower. It does not
however suffer from the ActiveX control crap that plagues IE. (And those
pages will not work, but really, who uses the feature for legitimate
purposes?)

http://www.mozilla.org/products/firefox/

JIMINATOR
07-06-2004, 10:52 PM
That's it. Please post your experiences, good or bad...

merkwannabe
07-06-2004, 11:52 PM
Originally posted by JIMINATOR@Jul 6 2004, 03:32 PM
Probably a better program to use instead of Task Manager is Process Explorer
from http://www.sysinternals.com/. It gives more details about the processes
running and you can get a better idea of what is good or not.
I have over 30 processes running all the time.

Wish me luck, I already downloaded the file. ;)

Awesome thread. :thumbs: :thumbs:

dude
07-07-2004, 12:08 AM
Hi Jim,

Very nice and very helpful series of posts...
I would like to add my similar experience with spyware pukes. I got something, somewhere, from someone, I don't know, and Spybot and Ad-Aware could not detect or remove it. But with a lotta luck I found this page that removed my crap. This guy works at home and develops software specifically for a number of spyware types.
If anyone has problems with removing spyware after trying Spybot and Ad-Aware, try this site out. It may just work... :thumbs:

:wave:


http://www.kephyr.com/spywarescanner/index.html

dude
07-07-2004, 12:12 AM
Oh, by the way, you don't have to purchase the Bazooka software. Search the database for your file; each file has removal instructions.

Worked for me... :thumbs:

FUS1ON
07-07-2004, 02:38 AM
This deserves to be pinned, Nice work Jim :thumbs:

Die Hard
07-07-2004, 03:18 PM
Great post Jim, thanks.

These are all my running processes. I'm not sure about all the svchost stuff plus some others. Any suggestions?

JIMINATOR
07-07-2004, 03:25 PM
I think you are fine. The svchost stuff is Windows; the rest of your
stuff looks like it is DSL, virus and firewall related, although if you
are using ZoneAlarm, you will want to turn off the Windows firewall.
(alg.exe I think)

Die Hard
07-07-2004, 04:28 PM
Thanks Jim ;)

DiTomasso
07-07-2004, 05:03 PM
I use this website to check the programs that are running in taskmon.

tasklist (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm)

I use:

SpyHunter
Spybot Search and Destroy
Ad-Aware

and after all these programs cleaned everything,

Spy Sweeper found some more.

Check it out :wave:

JIMINATOR
07-08-2004, 04:38 PM
As a further note, sometimes in Control Panel, Add/Remove Programs,
you will have programs that cannot be uninstalled.
To see these:

Run the Registry Editor (REGEDIT.EXE).
Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

These are the entries that show up under Add/Remove Programs.

Click on each key under Uninstall to see what it contains.
On the right hand side, there will be a "DisplayName" that shows up in the Control Panel,
and an "UninstallString" - this is the program that is run to do the uninstalling.

Many times the program will not run, or an uninstall may have halfway completed.

You can go and look for the program/directory shown in the UninstallString;
if it is obviously where the program installed, you can delete the entire folder.

To delete an entry from the registry, just click the key on the left and press the
Delete button. It will then no longer appear in Add/Remove Programs.

Note that this is not a good way of uninstalling programs, and should only be used
to delete crap from your system that you want gone and cannot otherwise get rid
of. With the registry, if you delete the wrong key, bad things can happen. Always
look to the left to see which folder is open before deleting.

FlameRush
07-29-2004, 01:23 AM
A real nasty spyware to look out for is Ezula, hard to remove. I only found that making the directory read-only and hiding it works so far, no pop-ups, because if you delete it, it comes back. It's a nasty bug that buries itself deep into your comp. Jim is right, may they be claimed as viruses, then Microsoft maybe will make something like that, but there's a program from a company who has helped Microsoft and Netscape from what I heard, it's Mozilla. I don't think that browser can be hijacked, and Netscape hasn't been hijacked for me once...

Dangerous Dan
11-09-2004, 07:32 AM
i say the best way to get out of spyware is just a good clean reformat, it's pretty simple and only takes a few hours :thumbs:

Caged Anger
11-10-2004, 12:11 AM
yes, and then you surf for 5 minutes and one can prepare themselves for another couple hours of merriment

Slice
11-10-2004, 12:58 AM
i say the best way to get out of spyware is just a good clean reformat, it's pretty simple and only takes a few hours :thumbs:
No way, just run Spybot and Ad-Aware. If you are on dial-up, you definitely want a software firewall (such as Norton's) as well, since dial-up modems do not offer any hardware firewall protection like high speed does.

JIMINATOR
11-10-2004, 01:27 AM
Dial-up is probably safer than DSL/cable, reason being that the latter are probably 24/7 connections, often with static IP, whereas dial-up depends more on the actual usage patterns, and dynamic IP is the norm... Cable will act as a DHCP server; I don't know how it handles forwarding, but people that connect to DSL using PPPoE have no hardware protection...

Slice
11-10-2004, 02:48 AM
Dial-up is probably safer than DSL/cable, reason being that the latter are probably 24/7 connections, often with static IP, whereas dial-up depends more on the actual usage patterns, and dynamic IP is the norm... Cable will act as a DHCP server; I don't know how it handles forwarding, but people that connect to DSL using PPPoE have no hardware protection...
I disagree. When I was on dial-up I got the most attacks (as many as 200 per day) and my Norton's software firewall was always alerting me of port scans taking place. Reason being, all your ports are wide open on dial-up. In fact, crackers are able to find out the dedicated range of IPs that internet providers use for their dial-up accounts and scan those the most because they know that most people don't run software firewalls.

Caged Anger
11-10-2004, 08:02 PM
I have had ZoneAlarm for just over a week now.

Current Blocked Accesses: 4,327

That number just increased by 2 in the time I wrote this.

Fantum309
11-11-2004, 01:33 AM
I am in total agreement with using ZoneAlarm, Spybot S&D and Ad-Aware, but, user be warned. If you should remove something called a BHO (Browser Helper Object) and you lose your internet connection, that means the BHO took your socket. In which case you will need to run WinSockFix to be able to get back online.

My suggestion is, find and download WinSockFix into your program folder and just sit on it. If you lose your internet connection just after running Ad-Aware, Spybot or any other spyware-type program, just jump into your program files and run WinSockFix to replace the socket and get you back online.

Caged Anger
11-11-2004, 02:12 AM
Care to provide a link?

Fantum309
11-11-2004, 10:29 AM
You can do a search on Google! I found several versions for each individual operating system, but this one, http://www.tacktech.com/display.cfm?ttid=257 will work on most versions of Windows. I've had to use it on four separate/different operating systems. It can be a life saver.

Slice
12-22-2004, 03:28 AM
Ad-Aware SE ver 1.05 is out; make sure you download it. It found 80 files on my hard drive that the first edition missed.

SoulReaver
12-25-2004, 12:11 AM
You guys should try out Spy Sweeper as well. I have always used Ad-Aware SE edition and I decided to try out Spy Sweeper. It found tons of spyware that Ad-Aware didn't, and even a Trojan horse.

Caged Anger
12-25-2004, 01:06 AM
I use that one frequently, but it's a major resource hog to keep it up all the time...

SHOTGUNmaniac
02-23-2005, 11:20 PM
Jim, what do you think about these????

FUS1ON
04-15-2005, 02:02 PM
More excellent information:
http://www.dslreports.com/faq/8428

Link submitted by DiTomasso

Slay
12-21-2008, 03:27 AM
Another note about things like RealPlayer, QuickTime, RealScheduler,
Messenger. I don't need any of that crap running at startup, and you
probably do not either. You may want to nuke them from the startup
menu or disable the loading in the program settings. You can also
view startup items by clicking Start - Run and then typing msconfig.
This is a Microsoft utility that allows you to make changes to your
startup programs. Useful if you don't have Spybot; it shows other info also.
I didn't have any of those problems until I tried the programs you talked about. I think they are the ones doing the harm.

Caged Anger
01-02-2009, 01:28 PM
I drew up this guide for Goober when he was asking me where I got my USB boot utilities. Thought it might be worthwhile to post this here as others might be able to benefit from it.

The USB trick was obtained from:
http://www.ultimatebootcd.com/
Their quote:
"Run Ultimate Boot CD from your USB memory stick. A script on the CD prepares your USB memory stick so that it can be used on newer machines that supports booting from USB devices. You can access the same tools as you would from the CD version."
It was a bit tricky to get working, but you should be able to get it.

Frankly I don't use it anymore as I found more effective tools at my disposal, and all free. The best program in my arsenal right now is MalwareBytes:
http://www.malwarebytes.org/
This program packs quite a punch, capable of getting rid of even the nastiest of nasties. There are a few particularly persistent types that I then call in Dr Web CureIt for:
http://www.freedrweb.com/cureit/

My basic bug removal procedure goes along these lines:
1: Disconnect machine from net physically
2: Boot to safe mode with networking and disable System Restore
3: Run Autoruns from a flash drive and look for weird entries such as random filenames or blank publisher entries. Most notably in the Logon, IE, Winsock, Winlogon, and Known DLLs tabs.
http://technet.microsoft.com/en-us/s.../bb963902.aspx
4: If bugs are suspected, take note of the file location and find it through My Computer to delete the file before deleting the startup entry (otherwise it will just come back). Repeat as necessary.
5: Install CCleaner and remove all temp files
www.ccleaner.com
6: Connect to the net and install MalwareBytes, do a complete update, then disconnect again and run a full scan
7: Open CCleaner again and clean the registry of invalid entries (there will be plenty when bugs are removed)
8: Through the Control Panel open Internet Options and reset security to defaults, cookies to medium high, check that proxy options are disabled, and then restore advanced options to defaults. Also check that your homepage has not been changed.
9: Reboot the system after removing any infections to normal mode and proceed with any additional cleanup deemed necessary
10: Once satisfied the virus has been removed, reactivate System Restore and create a fresh restore point.

That's the simplified version pal, but I can't lie. There are a handful of things I do consistently every time, like Autoruns, System Restore, and a virus program. But it seems like the bugs are changing faster than the programs can keep up with them. Another trick I have is to buy a $20 USB IDE/SATA HDD adapter from Newegg, then attach the infected drive to a functioning system (with autoplay disabled on the expected drive letter) and run the scans externally. This has the highest kill ratio because nothing will be running on the drive to confuse the scanner or hide the files. Easiest thing to do pal, if you know you have a bug and nothing is finding it, turn the computer off for a few days, then come back and update your antivirus; the dat files should have adapted to the new bug and be capable of removing the bug.

Free antivirus programs, in order of rank by PCWorld.com:
Avira Free
Avast Free
AVG Free
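Added example, not code from the thread or from any tool named in it: a read-only PowerShell pass that does by script what JIMINATOR's walk through the Uninstall key (entries whose UninstallString points at a program that no longer exists) and the Autoruns step in the procedure above (startup entries with a blank publisher or a random-looking filename) do by hand. It assumes a Windows host with PowerShell 3 or later; the Run keys and the WOW6432Node path are standard locations that may be absent, the signature and random-name tests are crude heuristics, and nothing is deleted.

```powershell
# Added example, not from the thread: read-only triage of the two registry areas
# discussed above. Run in an elevated PowerShell on Windows; nothing is deleted.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Heuristic: pull the program path out of a command line such as
#   "C:\Program Files\Foo\unins000.exe" /SILENT   or   C:\tools\bar.exe -x
# Bare names (msiexec.exe /X{...}) yield $null; they cannot be existence-checked.
function Get-ExecutableFromCommand([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $c = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } elseif ($c -match '^(.+?\.exe)(\s|$)') { $c = $Matches[1] }
    else { $c = ($c -split '\s+')[0] }
    if ($c -match '[\\/]') { return $c } else { return $null }
}

# Add/Remove Programs entries whose uninstaller is gone (half-finished uninstalls
# and leftovers, as JIMINATOR describes): candidates to review, not to auto-delete.
function Get-OrphanedUninstallEntries {
    foreach ($sub in ($UninstallKeys | Where-Object { Test-Path $_ } | Get-ChildItem)) {
        $p = Get-ItemProperty $sub.PSPath
        $exe = Get-ExecutableFromCommand $p.UninstallString
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Key = $sub.PSChildName; DisplayName = $p.DisplayName; Uninstaller = $exe }
        }
    }
}
# Run-key entries with no valid Authenticode signature (Autoruns' blank Publisher
# column) or a random-looking name (8+ letters/digits with no vowel, a crude test).
function Get-SuspiciousRunEntries {
    foreach ($k in ($RunKeys | Where-Object { Test-Path $_ } | Get-Item)) {
        foreach ($name in $k.GetValueNames()) {
            $exe = Get-ExecutableFromCommand $k.GetValue($name)
            if (-not $exe) { continue }
            $status = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            $random = ($base -match '^[a-z0-9]{8,}$') -and ($base -notmatch '[aeiou]')
            if ($status -ne 'Valid' -or $random) {
                [pscustomobject]@{ Key = $k.Name; Name = $name; Path = $exe; Signature = $status; RandomName = $random }
            }
        }
    }
}
Get-OrphanedUninstallEntries | Format-Table -AutoSize; Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Anything it lists is a lead to check against Process Explorer or a startup-program database as the thread suggests, not a verdict; unsigned entries are common for older legitimate utilities like the sound and video card helpers JIMINATOR mentions.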