Anti-Spyware Strategies, Part 1: Clean Out Your System

Do you suspect that your system is infected with adware, spyware, or other malware? Here's how to get rid of it.

January 7, 2006


Spyware is one of the most challenging — and frustrating — problems faced by today's computer users and administrators. Even the savviest Internet surfers have discovered that their systems are riddled with unwanted software that displays popup ads, modifies their search engines or home pages, slows down performance, or even makes the system unstable.

One major problem is in defining just what spyware is. Because there is no official definition of spyware, it's not unusual to see a company claiming its download is "spyware-free," even though its setup program installs additional unwanted software. Depending on the specific actions that the software takes, it could be classified as a hijacker, worm, Trojan, adware, or a viral marketing program.

Whatever the intruder is called, it doesn't benefit the user or the computer. It's just there for the benefit — and profit — of the company that made it. And the longer that software stays installed, the more money that company makes. How?

  • Popup ads: After tracking your activities on the Internet, the software displays ads for similar sites or forces the browser to go to related Web sites.

  • Commission theft: The software rewrites cookies or links to steal ad commissions from sites that you visit and send them to the spyware company instead.

  • Search engine hijacking: Instead of showing search results from a site such as Google, the software redirects you to search results that are controlled by advertisers.

  • Blackmail: After installation, the software displays warnings that the computer is infected by spyware and offers ads or links to their own spyware cleaners.

  • Spamming: The software sends emails in your name, or appends messages to your outgoing emails, promoting their products.

Several common tactics are used by spyware to sneak onto systems and stay there:

  • Bundling: Spyware or adware is included with another program, but not clearly disclosed.

  • Drive-By Downloads: Spyware tries to load every time you visit a Web site.

  • Fake Utilities: The spyware is disguised as a viewer or other utility that you "need" to, say, read a greeting card or view a video.

  • Stealth: The spyware doesn't have a user interface to let you control how it works while it is running.

  • Aliases: Different names are used for the software when it's downloaded, when it displays pop-up windows, and in uninstall entries.

The first step in fixing the problem is to get rid of all of your unwanted software. Once that's done, I'll show you some steps to make sure that it won't come back in the second part of this series.

Step One: Back Up Your Data
Before trying to clean up a spyware infestation, you should always back up important data. Some spyware makes extremely invasive changes to system settings, and performing a cleanup may cause problems. The best course is to get a full backup of all the data on the drive, using a program like Norton Ghost or Acronis True Image. At a minimum, make copies of the files in your My Documents folder. Some programs like Spybot Search & Destroy will do some limited backups before starting, but making your own backup is a step you shouldn't skip.

Don't depend on Windows XP's System Restore feature, which allows system recovery — it can be a double-edged sword. System Restore may allow you to jump back to a point before the spyware was installed. However, if you perform a spyware cleanup and then use System Restore, you could end up putting the spyware back onto the system.

If you believe that spyware has been on your system for several weeks, it is probably better to clear out any restore points, because they will also be infected. Some virus and spyware scanners may detect these infected restore points, but most will be unable to clean them. It's a simple process to clear all your restore points:

  • Right-click My Computer.

  • Click Properties, and select the System Restore tab.

  • Check the box that says "Turn off System Restore on all drives" and click Apply. It may take several seconds for Windows to remove all the restore points, so expect a delay and some disk activity.

  • Once you have finished cleaning up the system, go back to this dialog and clear the "Turn off System Restore" check box. That will enable System Restore but start with an empty slate of restore points.

  • To be sure that you have a good starting point should anything happen in the future, you should create a new restore point. Click Start, Help, and Support, and "Undo changes to your computer with System Restore." The System Restore utility will start and give you the option to create a new restore point.

(For a visual step-by-step explanation of how to clear your restore points, visit our Image Gallery.)
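The same disable, clear, re-enable and create-a-fresh-point sequence on a current Windows release, where the XP-era System Restore tab has been replaced by cmdlets. This is an added example, not part of the original article: it assumes Windows PowerShell 5.1 (the *-ComputerRestore and Checkpoint-Computer cmdlets are not available in PowerShell 7), an elevated prompt, and that the system drive is C:. The function names are the example's own.

```powershell
# Added example, not from the article. Requires Windows PowerShell 5.1 run as Administrator.
# Mirrors the article's procedure: inspect and discard infected restore points before the
# cleanup, then re-enable System Restore and take a clean baseline afterwards.

function Show-RestorePoints {
    # List existing restore points so you know what you are about to discard or have just created.
    Get-ComputerRestorePoint |
        Format-Table SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
}

function Clear-RestorePoints {
    # Equivalent of "Turn off System Restore on all drives" for one volume ('C:' by default).
    param([string]$Volume = 'C:')

    "Restore points before clearing:"
    Show-RestorePoints

    # Turning System Restore off stops new points being made; the stored points live in
    # Volume Shadow Copy storage, so vssadmin (built into Windows) is used to delete them explicitly.
    Disable-ComputerRestore -Drive "$Volume\"
    & vssadmin delete shadows "/for=$Volume" /all /quiet | Out-Null
    "System Restore disabled on $Volume and stored restore points removed."
}

function New-CleanBaseline {
    # Equivalent of clearing the check box again and creating a new restore point by hand.
    param(
        [string]$Volume = 'C:',
        [string]$Description = 'Clean baseline after spyware cleanup'
    )

    Enable-ComputerRestore -Drive "$Volume\"

    # Caveat: from Windows 8 onward, Checkpoint-Computer refuses to create more than one
    # restore point per 24 hours by default, so a baseline taken earlier the same day will block this call.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    "Restore points after creating the baseline:"
    Show-RestorePoints
}

# Usage: run Clear-RestorePoints before the cleanup in Steps Two to Four,
# then New-CleanBaseline once the system is in good working order.
# Clear-RestorePoints -Volume 'C:'
# New-CleanBaseline   -Volume 'C:'
```

Run the two functions at the two points the article names, not back to back: the value of the baseline is that it is taken only after the scanners report the system clean.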

Step Two: Look Around

The first and easiest cleanup step is to go into Add/Remove Programs and take a look around. There are several reasons for doing this. First, it is especially important when diagnosing problems on an unfamiliar computer: the list of Add/Remove entries will tell you how the computer is being used and identify important programs that may require backup.

It can also identify common spyware and virus vectors like LimeWire or Kazaa — file-sharing applications that you may want to keep off your clients' machines, since they could be used for downloading dangerous software. There is no use in spending time to clean up a computer if the user is going to continue the behavior that got them into trouble in the first place. Finally, by examining the Add/Remove Programs list, you can find programs that were installed surreptitiously, either during the install of another application or when your client clicked on a Web link and/or ad.

The following is a list of items you may find on the Add/Remove list that you can safely remove. These represent programs that are unwanted visitors on 99 percent of the systems where they are installed. Most of them display ads and/or change browser behavior in undesirable ways.

  • GAIN

  • Media Access

  • Media Gateway

  • My Web Search

  • MySearch

  • Search Assistant - My Search

  • Secure Delivery

  • Select CashBack

  • Surf Accuracy

  • The Best Offers

  • WebRebates

  • Web Savings from eBates

  • WhenU Save

  • YourSiteBar

  • Zango

When some of these programs are removed, they may require a reboot to clear them fully. If the uninstaller asks whether you want to reboot, answer "No" and finish removing any other programs you find on the Add/Remove list. Then reboot as the final step.

Google can be a useful tool for determining whether something on the Add/Remove list should be removed. A search for the name of the entry will usually turn up some good information. If you know the name of a running program that is part of the software, for example from Task Manager, you can look it up on PC Pitstop's known software database. If you have any doubts about whether something should be removed, leave it alone for now. You'll have several chances to clean it up in later steps.
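Reading the Add/Remove list by hand works for one machine; when you look after several, it helps to pull the same inventory from the registry keys that populate the dialog and flag entries matching the list above. The following is an added example, not code from the article or from PC Pitstop: it assumes Windows PowerShell 5.1 or later with read access to HKLM, and the function names are its own. It only reports; nothing is uninstalled.

```powershell
# Added example, not from the article. Inventories Add/Remove Programs entries from the
# registry and flags display names that match the article's list of commonly unwanted programs.
# Read-only: review each match (as the article advises) before running its uninstall command.

# Names taken from the article's list; matched as case-insensitive substrings.
$UnwantedNames = @(
    'GAIN', 'Media Access', 'Media Gateway', 'My Web Search', 'MySearch',
    'Search Assistant - My Search', 'Secure Delivery', 'Select CashBack',
    'Surf Accuracy', 'The Best Offers', 'WebRebates', 'Web Savings from eBates',
    'WhenU Save', 'YourSiteBar', 'Zango'
)

# The Uninstall keys that feed Add/Remove Programs: 64-bit view, 32-bit view, and per-user installs.
# Keys that do not exist on a given machine (e.g. WOW6432Node on 32-bit Windows) are skipped.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # One object per entry that has a display name, with the key it came from for later reference.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, UninstallString,
            @{ Name = 'RegistryKey'; Expression = { $_.PSPath -replace '^.*::' } }
}

function Test-UnwantedName {
    # True when the display name contains any entry of the unwanted list.
    param([string]$DisplayName)
    foreach ($name in $UnwantedNames) {
        if ($DisplayName -like "*$name*") { return $true }
    }
    return $false
}

$programs = Get-InstalledProgram | Sort-Object DisplayName

# Full inventory: on an unfamiliar machine this shows how it is used and what may need backing up.
"Installed programs ($($programs.Count) entries):"
$programs | Format-Table DisplayName, Publisher, InstallDate -AutoSize

# Entries matching the article's list, with the uninstall command each registered.
$suspects = $programs | Where-Object { Test-UnwantedName $_.DisplayName }
if ($suspects) {
    "`nEntries matching the unwanted-program list:"
    $suspects | Format-List DisplayName, Publisher, UninstallString, RegistryKey
} else {
    "`nNo entries matched the unwanted-program list."
}
```

Substring matching is deliberately loose so that renamed variants ("Aliases" above) are not missed, which means a short name like GAIN can also hit an unrelated product; treat each match as something to look up, as the article suggests, rather than as a verdict. Entries that hide from Add/Remove Programs by not writing a DisplayName will not appear here either, which is one reason the scanners in the next steps are still needed.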

Step Three: Choose An Anti-Spyware App
If the system has only a mild case of adware, it often can be cured through Add/Remove Programs. For more serious infections, it's best to turn to anti-spyware programs. These programs can completely clean and remove most infections, and many can help to prevent reinfection.

Before even thinking about buying an anti-spyware app, you should try one or more of the free solutions that are available. Three very good options are Lavasoft's Ad-Aware SE Personal, Patrick Kolla's Spybot Search & Destroy, and Microsoft Windows AntiSpyware. Since they're all free, you might as well try them all. The Microsoft product is a beta — it's been in beta for more than a year — but it's stable and works well.

Many antivirus and firewall vendors have belatedly gotten into the anti-spyware act as well, including McAfee, Symantec, and Computer Associates. However, it is often not part of their basic product offering; you may need to upgrade to their product suite or other bundle. If you already have products from one of these vendors and want to purchase more anti-spyware protection, the company's matching anti-spyware product will probably offer the best compatibility with your existing security software.

Note: Choosing anti-spyware applications can be dangerous in itself — especially for those of your clients who are unwary or easily panicked. Many programs sold over the Internet are ineffective, but are marketed aggressively through popup advertising and Google Adwords. Some programs are even sold using extortion tactics; they infect a system and then send you to the Web site where you can purchase their spyware cleaning solution.

It's a good idea to educate your clients to prevent them from falling for such tactics. Eric Howes' list of Rogue/Suspect Anti-Spyware Products & Web Sites is a good place to go for a reality check when faced with a possibly bogus anti-spyware product.

Step Four: Run Your Anti-Spyware
Anti-spyware products all operate in the same basic way. When you run them, they scan the running processes, files, and registry looking for undesirable programs and settings. Once the scan is complete, they provide a report of what they found and give you the opportunity to perform a cleanup. You could also have a chance to modify the recommendations before making the cleanup, or be able to select whether to permanently delete or simply quarantine the files in case you want them later.

Be conservative when using these tools — when in doubt about a file or process that has been identified as spyware, don't remove it. Remember that you can always do a second scan-and-remove later. In fact, each anti-spyware tool has slightly different abilities and criteria for determining whether a program is unwanted, which is another reason to use multiple scanners when you suspect trouble. For example, when I ran several anti-spyware apps on my system, neither Spybot nor Ad-Aware detected some remnants of 180Solutions' Zango, but Microsoft AntiSpyware did. Yet Spybot was the only one of the three to notice that the antivirus notification had been turned off in Windows Security Center.

Once your system is in good working order, be sure to go back and re-enable System Restore if you turned it off. Create a fresh restore point as well. That will give you some insurance in case spyware re-infests the system.

A Word on Cookies

Most spyware scanners and cleaners report tracking cookies, sometimes called third-party cookies. Usually these types of cookies are associated with advertising that is displayed on a site, where the actual advertisements are delivered by a different site. Most large ad networks such as DoubleClick and TribalFusion use cookies, primarily so they can determine what ads have been displayed and so that they won't show the same ad to one user too many times. The privacy concern with tracking cookies is that they could be used to follow your computer across multiple sites if those sites all used the same advertising networks.

While cookies from networks such as DoubleClick aren't spyware per se, you might as well delete them.

The bottom line on third-party cookies is that they don't do you any good, so you might as well delete them. They are not really spyware — they are not even software — but they don't benefit you, so there is no reason to leave them around. Almost any time you go online, unless you have your browser set to reject all cookies (which could severely limit your browsing ability), you will accumulate a half-dozen tracking cookies after visiting a few sites. When a spyware scan detects them, just delete them.

Step Five: If All Else Fails
If several anti-spyware tools can't clean out the problem, the system may have problems that require an experienced spyware hunter to remedy. Or perhaps the spyware scanner is reporting results that are confusing. If you're using a commercial anti-spyware product, the best thing to do is contact the vendor through their technical support line. It's possible this is a new type of spyware that is not yet detected, and they may want you to send them a sample of the affected files.

The major anti-spyware vendors such as Symantec, McAfee, and Computer Associates also offer detailed information about specific threats on their Web sites. If you have a favorite vendor, you can simply research the malware using the site's database. You can also use Google to search within a site (for example, gmt.exe site:symantec.com). Finally, if you want to find the most information quickly, simply enter the name of a suspect executable file into Google. Generally, the major sites will show up in the first page or two of results.

Spyware cleanup help is also available for free through several forums on the Internet. Two good places to look for help are the forums at Spyware Warrior and PC Pitstop. If you don't find your problem already posted, then post yours, making sure that you explain the solutions you've tried and the problems you're still seeing.

Dave Methvin is Chief Technical Officer at PC Pitstop, a security Web site.
