Spyware/AdWare/Malware FAQ and Removal Guide
v2.0 - last updated 10/21/04 - changelog
copyright © 2004 Christian Wagner - cwagner@io.com
Site News
10/21/04: Welcome to the newly redesigned v2.0 of the site. There's a new URL that will make future updates a little easier (which the old URL automatically forwards to), there's a table of contents, and great piles of new and rewritten content.
Christian Wagner
cwagner@io.com
Table of Contents
- Introduction
- Section 1: How did this crap get on my computer in the first place?
- Section 2: The automated malware removal tools
- Section 3: When the automated tools haven't removed everything
- Section 4: Problems related to removing malware
- Section 5: How can I not get this crap again?
- Section 6: What can I do to help?
- Further reading
- Redistribution of this document
- Appendix: An extended explanation on why Internet Explorer is insecure
Introduction
When people talk about "spyware", most of the time they're talking about a whole range of malicious software, and not just software that actually spies on you. They usually mean anything that's installed on your PC without your knowledge or permission, and which has unwanted effects. The technical term for most of these things is usually "browser parasites", since most of them interact with Internet Explorer in some way, but in this document I'm going to call them by the catch-all term malware.
I'm going to steal a description of browser parasites from the excellent Doxdesk.com parasites page, which is one of the best references currently available on the topic. It's recommended reading, after this document.
"Parasite" is a shorthand term for unsolicited commercial software -- that is, a program that gets installed on your computer which you never asked for, and which does something you probably don't want it to, for someone else's profit.
The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:
- plague you with unwanted advertising ("adware");
- watch everything you do on-line and send information back to marketing companies ("spyware");
- add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called "scumware");
- set browser home page and search settings to point to the makers' sites (generally loaded with advertising), and prevent you changing it back ("homepage hijackers");
- make your modem (analogue or ISDN) call premium-rate phone numbers ("dialers");
- leave security holes allowing the makers of the software (or, in particularly bad cases, anyone at all) to download and run software on your machine;
- degrade system performance and cause errors thanks to being badly-written;
- provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove
I'm not going to be talking about actual viruses here, or traditional "trojan horse" backdoor packages. That sort of thing is adequately handled by existing anti-virus software. However, some of the automated anti-malware tools will also find and remove certain viruses and trojan horses, if present, and modern anti-virus software is just beginning to track adware and the like. If you're not currently running any antivirus software, you should run some sort of scan prior to attempting a spyware cleanup, and I'll suggest some free possibilities when we get to that section.
Also note that we're only talking about Windows here. Malware is not currently a problem for either the Mac or Linux/FreeBSD users, mainly because nobody bothers to write any of this crap for those platforms. If you're not on a Windows PC, none of this applies to you.
Section 1: How did this crap get on my computer in the first place?
There are basically two "vectors", or methods, for malware to get onto your PC: piggybacking on other applications, and "drive-by" installs through Internet Explorer.
Piggybacking and Bundling
There are two kinds of "ad-supported" applications. The benign kind has an advertising system built into itself, that shows you ads while the application is running, and which has no effect on the system when the application is not. The banner ads in the free versions of Eudora and Opera fall into this category.
The other kind of ad-supported application installs a separate advertising system onto your computer, that runs all the time whether the ad-supported application is running or not. These advertising systems have names like CyDoor, Gator (who have renamed themselves "Claria" to hide their tracks), TopText, etc. Sometimes the application will warn you about the bundled advertising system, sometimes they will not. Sometimes uninstalling the application will get rid of the bundled advertising system, usually it will not.
These advertising systems will show pop-up ads, sometimes when you're not even browsing the web. Some of them will change the banner ads or links on web pages. Often, they are self-updating, and will sometimes install other advertising systems, or alter your system's security settings to allow for easier drive-by installs. (See below.) They are classic browser parasites.
Common piggyback sources of advertising malware are most popular file-sharing applications that aren't open-source (including Kazaa, iMesh, LimeWire, Morpheus, Xolox, Grokster, and others), old free versions of DivX Pro (which installed Gator), GoZilla (which has a veritable raft of crap), InternetWasher (ditto), and many "free" applications found on sites like download.com. Some of these apps are worse than others: the current winner is probably Grokster, which installs adware on your computer even if you cancel out of the installer.
Most add-on toolbars for Internet Explorer are malware sources. This includes (but is not limited to) MySearchBar, DashBar, Xupiter, HotBar, UCMore, and many others. The Google and Yahoo toolbars are safe.
There is another class of application which might be considered "ad-supported", if there was any functionality other than the advertising. Things like DownloadWare/NetworkEssentials, Comet Cursor, Bonzi Buddy, the Gator/GAIN "applications" (DashBar, PrecisionTime, DateManager, and eWallet), and Internet Optimizer are like this. They masquerade as useful applications, but provide no substantial functionality and are merely a ruse to get their advertising software onto your computer.
The latest and most dangerous trend is "anti-spyware" software that's actually just another source of malware. For example, Google searches for some of the common anti-malware software packages will turn up "sponsored links" (in other words, advertisements) for malicious software, linked to those keywords. This document will cover the packages that are known to be safe, and the ones that are known to be dangerous.
To sum up: pay attention to what you're downloading and installing. If it's free, there may be a reason for that.
AOL Instant Messenger v5.5.x
The most recent version of AIM (5.9.3690) will optionally install two pieces of software which are flagged as malicious by many spyware scanners (Weatherbug and WildTangent) and will stealthily install another (Viewpoint Media Player).
The WildTangent package is optionally installed to support the "AIM Games" site, and the Viewpoint package is automatically installed to drive AIM's advertising systems (since the Viewpoint player allows for full-screen movies and 3D effects outside of the controlling application). Both of these packages are flagged by some anti-spyware software because they have very poor privacy policies, and are known to collect the hardware information of their users. They are low-risk and do not present a huge danger, nor are they a source of unwanted advertising.
The Weatherbug software is known to be adware when installed separately. It is not known if the AOL-customized version that comes with AIM v5.5.x is also adware, or whether it relies on the advertising systems built into AIM.
AIM functions normally if you don't install with the Wild Tangent or Weatherbug packages, and uninstalling the Viewpoint Media Player from the Add/Remove Programs section of the Control Panel will not affect its operation either. AIM will not reinstall those items unless it is upgraded. The old v4.8 of AIM (which does not have these extra packages) can be downloaded here for the time being, for those who don't want to deal with the issue at all.
Drive-By Installs
The second (and harder to deal with) method for acquiring malware is through "drive-by" software installs in Internet Explorer. This can happen because IE supports a technology called "ActiveX", which allows website creators to embed small programs in their sites (called "ActiveX controls"), which can then call larger programs (such as software installers). When this technology is used correctly, it lets you install software like Macromedia Flash or Apple QuickTime from a website without having to download a separate installer. It's also the technology that drives Windows Update.
When you give permission for a website to run an ActiveX control, it is exactly the same as if you had downloaded a program and run it. An ActiveX control can do literally anything to a PC; it can install software, it can change settings, it could even delete all the data on your PC. Many users do not realize that when they see an ActiveX control download prompt, they are essentially handing control of their PC over to a website (or in some cases, over to a banner ad).
An ActiveX download prompt looks like this on older PCs:
[screenshot: ActiveX download prompt, pre-Service Pack 2]
Microsoft made many positive changes to the way that Internet Explorer handles ActiveX controls in Windows XP Service Pack 2. Most of these changes were "under the hood", but a few of them are obvious, such as in the way that ActiveX download prompts have changed. You now see one of the Internet Explorer notification bars first:
[screenshot: Internet Explorer notification bar]
If you click on the notification bar and tell it to download the control, you receive one more prompt:
[screenshot: ActiveX download prompt, Windows XP Service Pack 2]
(I chose Cult3D as an example because it sounds malicious, but is actually benign. You should get in the habit of treating all ActiveX controls as malicious by default, unless you know otherwise.)
Theoretically, as long as you never say "yes" to any ActiveX control that you don't recognize as safe, you will never suffer from any malicious drive-by installs. Unfortunately, this is not necessarily the case, because there are problems with the implementation of ActiveX. The problems boil down to this:
- There are security settings in Internet Explorer that can be set so that all ActiveX controls (including malware) can auto-install without prompting. One malicious application (or a careless user) can change these settings.
- Deceptively-named popups and ActiveX download prompts can lead uninformed users to install malicious applications, believing them to be important system updates, or software required to view a site.
- And the biggest problem: security holes have been found with great frequency in Internet Explorer that have been exploited by malicious website creators to install ActiveX controls (or other malicious software) without prompting.
This means that a version of Internet Explorer with the right security hole, or with incorrect security settings, can be infected with a huge amount of malware just by visiting a single website. No user intervention would be required; simply following a link to a website would be enough. (Many worms spread through instant messenger services by suggesting that people visit "cool sites", which then infect vulnerable PCs.) And even a correctly-configured and totally secured system can be infected if a user makes a single incorrect choice on the wrong website.
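The first of the three problems above, security settings that let every ActiveX control install without a prompt, is something you can check for directly. The following PowerShell script is an added example, not part of the original FAQ; it reads the current user's Internet zone (zone 3) under the documented Internet Settings registry key and reports the four ActiveX-related URL actions (value names 1001, 1004, 1200 and 1201, data 0 = Enable, 1 = Prompt, 3 = Disable). The "expected" table is this editor's conservative choice of acceptable values, not a setting the FAQ prescribes.

```powershell
# Added example, not part of the original FAQ: report Internet-zone ActiveX
# settings that would let a control download or run without a prompt.
# Zone 3 is the Internet zone. The value names are Internet Explorer's
# documented URL-action IDs; the data is 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}
$Labels = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

# Editor's conservative choice of acceptable values for the Internet zone:
# nothing unsigned, nothing unsafe-for-scripting, a prompt before any signed
# control downloads. Anything else is reported as risky.
$Expected = @{ '1001' = @(1, 3); '1004' = @(3); '1200' = @(0, 1, 3); '1201' = @(3) }

function Get-ActiveXZoneSettings {
    param([string]$Key = $ZoneKey)
    if (-not (Test-Path -Path $Key)) { throw "Zone key not found: $Key" }
    $props = Get-ItemProperty -Path $Key
    foreach ($id in $Actions.Keys) {
        $data = $props.$id        # $null when the value is absent (IE default applies)
        $label = if ($null -eq $data) { 'not set (IE default applies)' }
                 elseif ($Labels.ContainsKey([int]$data)) { $Labels[[int]$data] }
                 else { "unknown ($data)" }
        $risky = ($null -ne $data) -and ($Expected[$id] -notcontains [int]$data)
        [PSCustomObject]@{
            Action  = $id
            Setting = $Actions[$id]
            Value   = $label
            Risky   = $risky
        }
    }
}

$report = Get-ActiveXZoneSettings
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Risky }) {
    Write-Warning ('One or more ActiveX settings allow installs without a prompt. ' +
                   'Reset them via Internet Options > Security > Internet > Default Level, ' +
                   'or set the value data to 3 (Disable) with Set-ItemProperty.')
}
```

Two caveats: a value that is absent from the registry means Internet Explorer's built-in default applies, which the script reports rather than guesses at, and if the machine-wide `Security_HKLM_only` value is set under the Internet Settings key the HKLM copy of the zone key governs instead of the HKCU one, so run the function again with the HKLM path in that case.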
As of this writing (10/21/04), there are no unpatched security holes in Internet Explorer that are known to be in wide use by malware authors. However, such holes crop up with extremely high frequency, due to the insecure design of IE, and often the first sign that such a hole has been found is when the attacks begin. Microsoft sometimes takes months to patch those holes, during which time the browser is completely vulnerable. Windows XP Service Pack 2 has made a substantial number of low-level changes to Internet Explorer that will hopefully improve the browser's track record, but the final results remain to be seen. You can read a more extensive and more technical essay on why IE is fundamentally less secure than other browsers in the appendix.
There are also sites that try a very simple trick: they begin an automatic download of an installer (usually an EXE file), in the hopes that the user will either instinctively or accidentally hit "Open" instead of "Cancel". If the user hits "Save", then they'll have the installer sitting on their desktop or in their download directory, and they might accidentally run it later. This kind of attack isn't limited to Internet Explorer, and the only real defense against this sort of thing is to watch out for it (although Windows XP Service Pack 2 has made some changes to make it less effective).
Later in this document, I'll talk about ways to try to avoid these issues, either by configuring Internet Explorer to be somewhat more secure, or by switching to a browser that doesn't have these problems.
Section 2: The automated malware removal tools
AntiVirus software
Before running any dedicated anti-malware software, you should first run a scan using whatever anti-virus software you have installed. If you're not using any antivirus software, or if your antivirus software has expired and is no longer updating its definitions, there are a few free scanners available. None of these scanners provide real-time protection.
- TrendMicro HouseCall - An ActiveX-based virus scanner/cleaner with TrendMicro's complete antivirus database. Highly recommended for those without installed antivirus software. Unfortunately, it may not work if Internet Explorer has been severely damaged by malware.
- McAfee Stinger - A small standalone download that finds and removes only the most common current worms and viruses. Fits on a floppy disk, and is almost foolproof.
Viruses are generally more directly dangerous than spyware or adware, since they have no other purpose than to wreak havoc. Adware and spyware require that your PC remain mostly functional in order to make their creators money; viruses have no such limitation, and may delete files or worse. It is strongly recommended that you take care of any viruses or worms before you move on to tackling any other malware problems.
Preparation for cleanup
Before you run any automated malware removal tool, you should first uninstall any of the malware sources that you've identified. Software like Kazaa, iMesh, and the like won't work after you remove their "ad-supported" components anyway. (DivX Pro has recently stopped distributing Gator with their "free" version, and instead switched to a six-month trial version. The Gator-supported version should be removed; versions 5.2 and later are safe.) You should uninstall them using Add/Remove Programs in the Control Panel.
You should also uninstall any of the malware that gives you the option to in Add/Remove Programs. In many cases, the uninstall will not be complete, but the automated tools will clean up the pieces, and you won't end up with phantom entries in your Add/Remove Programs list. Some of these items will have multiple uninstall steps (like MediaLoads), where a new item appears in Add/Remove after you uninstall the first one. Items to remove this way include but are not limited to:
- Active Alert
- B3D Projector
- BackWeb
- ClickTheButton
- CometCursor
- CommonName
- DownloadWare
- eXact Search
- Ebates Moe Money Maker
- Flingstone Bridge
- GoHip
- HotBar
- HuntBar
- IEDriver
- IEPlugin
- Internet Optimizer
- Interstitial Ad Delivery by n-CASE
- IPInsight
- MediaLoads
- MySearchBar
- NetworkEssentials
- New.net
- NewtonKnows
- PAD Lookups by n-CASE
- SaveNow
- SubSearch
- TopText
- WeatherCast
- WhenUSearch
- Win32 BI Application
- Xupiter
There are countless other pieces of malware that will show up in the Add/Remove Programs with seemingly innocent names. If you're not sure what it is, then it's usually safe to let the automated tools take care of it.
It is not recommended that you remove "BackWeb" from HP or Compaq machines that came pre-loaded with Windows, as it is part of HP/Compaq's automatic software update system. Similarly, "IPInsight" is used by SBC Yahoo's software.
The automated tools will also run much, much quicker if you empty the Internet Explorer cache and delete your cookies. From the Control Panel, go to the Internet Properties and click on Delete Cookies and Delete Files.
The general-purpose automated tools
The two most recommended malware removal tools are SpyBot and AdAware. These are general-purpose tools designed to scan for and remove a wide variety of malicious software (including spyware, adware, dialers, and other garbage). SpyBot is generally more powerful and more aggressive, but AdAware is easier to use. Both are good products, and can co-exist on a computer without problems (although AdAware may occasionally find items in SpyBot's quarantine). Sometimes, when one tool fails to remove all the malware on a system, the other tool will finish the job.
SpyBot's homepage is http://www.spybot.info and the latest version as of this writing is v1.3. It is freeware.
AdAware's homepage is http://www.lavasoftusa.com and the latest version as of this writing is SE v1.05. The "Personal" version is free for use, and has full scanning and cleaning functionality; the paid-for versions have more features, such as "inoculation" (which I'll talk about later) and extra customizability.
When running either tool, it is essential that they be updated to include the latest patches and scanning databases. Like anti-virus software, these tools can only scan for malware that they know how to identify. Updating AdAware is easy: click on the "Check for Updates" link when you first start it and then the "Connect" button. To update SpyBot, click on the Update button in the left-hand column. Then click on "Search for Updates", check the updates you want (which should be all of them), select an appropriate mirror from the list (which defaults to Europe), and click on "download updates". SpyBot may then restart, depending on what updates were retrieved.
Important note: You must upgrade SpyBot to v1.3 and AdAware to SE v1.05 or higher in order to receive updates. If you are running earlier versions, you must upgrade or you will not be able to download database updates. AdAware v5 and v6 are actually older than SE v1.05, so an upgrade is required.
To scan with SpyBot, click on the "Search and Destroy" button in the left-hand column, and then the "Check for Problems" button on the bottom. To scan with AdAware, click the "Start" button and follow the instructions. Once either application is finished scanning, it will present a checklist of items that it has found.
Here's a vastly incomplete list of stuff that it is always safe to let SpyBot or AdAware kill, in addition to anything you already tried to uninstall via Add/Remove Programs:
- Aureate
- CoolWebSearch
- Cydoor
- FreeScratchAndWin
- Gator/GAIN
- GonnaSearch
- Investigator
- Lop.com (aka C2.Lop)
- PerfectNav
- VX2 (and all variants)
There's one thing that you should watch out for that both SpyBot and AdAware will catch, and that's C_Dilla. C_Dilla (aka "CD Secure") is a copy-protection tool (created by Macrovision) used by a wide variety of software, including 3DSMax, that has an unfortunate tendency to "phone home". It would be great if one could get rid of it, but doing so will make the software that uses it stop working. Unless you're very sure that you don't need it anymore, don't let SpyBot or AdAware remove C_Dilla from your system, since it was probably installed by something legitimate.
You should also avoid removing Backweb or IPInsight under certain circumstances, as mentioned above.
Once you're comfortable with the checklist of items, you can tell SpyBot or AdAware to fix them. Make sure that all of your Explorer and Internet Explorer windows are closed when you do this, or else it may not be able to fix everything. If there is something that they cannot delete, they will ask to run again after you reboot. You can either choose to write down the items that it was unable to delete and delete them yourself after you reboot the system, or let the application do it for you (which will mean letting it re-scan the system again).
Both tools save a copy of everything fixed; AdAware calls this a "Quarantine", SpyBot calls it "Recovery". If problems show up after you reboot the system, you can undo the changes that were made and try again with a different list.
On some systems, SpyBot will continually remove and re-find an item called "DSO Exploit". This is a bug in SpyBot and is safe to ignore. It should be fixed in future versions.
If the automated tools are all crashing as soon as they start, then you've got CoolWWWSearch.SmartKiller, a particularly ugly version of CWS which attempts to stop SpyBot, AdAware, and CWShredder (see below) from running. An updated version of CWShredder should be able to take care of it, if you run it more than once.
Specialized tools
There are three specialized automated malware removal tools that can also be run. They are CWShredder, Kill2Me, and About:Buster. These tools are designed solely to remove variants of the "CoolWebSearch", "Look2Me", and "Home Search Assistant" varieties of adware, but they do a very good job of it and they are very small downloads. These three items are also very common pieces of malware, and are often difficult for more general-purpose tools to remove completely.
You can download CWShredder and Kill2Me from the creator's website; if you're being blocked by a piece of malware, here is a personal mirror of both programs maintained by the FAQ author. (Please only use this mirror if absolutely required.) They're both EXE files that require no installation, although they need some Visual Basic 6 libraries which should already be present on all modern Windows machines. (If by some chance you don't have them, you can download them here.) Running CWShredder and Kill2Me is extremely straightforward and will not be covered in detail here; just make sure you're running the latest versions, since they are constantly updated, and make sure that all of your Explorer and Internet Explorer windows are closed when you run them, or else they may not be able to fix everything.
If, after the standard tools are used, your homepage is still being hijacked to a page that begins with res:// and has a random .dll file name in it, then it's very likely that you have the "Home Search Assistant" trojan. If this is the case, you should get the About:Buster tool from its homepage at http://www.malwarebytes.biz or from this personal mirror maintained by the FAQ author. (Please only use this mirror if absolutely required.) It requires no installation; just unzip the files to a directory.
It is extremely important that you update the database in About:Buster when you run it by hitting the "Update" button. (If there is no "Update" button, then you somehow downloaded a very old version; make sure you have version 3 or newer.) After this, run the scan and follow the instructions. About:Buster has a very good track record in removing res:// hijacks. It has no effect on other problems.
The other available tools
The other anti-malware tools fall into several categories: tools that don't compete with SpyBot and AdAware because they do something else, ones that are not as good as SpyBot and AdAware, tools that are as good but aren't recommended for beginners for some reason, and ones that are actual frauds. This list is incomplete; for the definitive list, see the "Rogue/Suspect Anti-Spyware Products & Web Sites" page, maintained by Eric Howes.
- Spyware Blaster is not a scanner, but a "vaccine" tool. I'll cover it later.
- Bazooka Adware and Spyware Scanner is legitimate software, and freeware. It has an extensive database of threats, and is extremely fast. However, it has no removal capabilities; it is purely a scanner. Any malware it finds must be removed by hand. Because of this, it is only recommended for advanced users, when other tools have failed.
- Microsoft has released a tool for removing the "TV Media" malware package, which is known to interfere with the installation of Windows XP Service Pack 2. Since the usual automated tools should be able to take care of "TV Media", this link is included here just in case.
- Pest Patrol is one of the oldest anti-malware tools, and still a very high-quality tool. Its "Corporate" version offers features that no other available anti-malware software offers, and their "pest database" is extensive and easy to use. However, they do not offer a freeware or non-crippled version of their software, which makes it hard to recommend to users in the midst of a crisis. (The "anti-spy" features of the Yahoo toolbar are licensed from PestPatrol.)
- Ewido Security Suite is a newcomer, which appears to be legitimate but still in development. Time will tell if it turns out to be worth recommending.
- Webroot's SpySweeper has apparently undergone significant improvements recently; in testing, it comes in near the top of the pack in effectiveness. However, Webroot's "pay for malware detection updates" policy makes it difficult to recommend. Due to reports of problems with affiliates, it is recommended that you only download SpySweeper from Webroot directly.
- Out of nowhere, Giant AntiSpyware has been showing itself to be a surprisingly effective cleaner, outperforming old favorites AdAware and SpyBot in many tests. They have a very solid online database and their software provides very strong inoculation support as well. Unfortunately, they have no freeware version, only a fifteen-day trial download. Still, very much a piece of software to watch, since their v1.0 product is better than the "mature" ones from many other companies.
- SpyRemover and Aluria SpywareEliminator are legitimate but mediocre software packages that are also commercial. No reason to consider them. (AOL's anti-spyware software is licensed from Aluria.)
- Stop-Sign from eAcceleration has a checkered past. Previous versions had many of the hallmarks of malware; they installed themselves via drive-by, they collected user information, they attempted to uninstall competing software products, and other unpleasant things. Recently, the company appears to have undergone restructuring and the current versions of the Stop-Sign software are not malicious. However, the products are still not recommended, compared to better (and free) products like AdAware and SpyBot.
- SpyHunter is an anti-malware tool extensively advertised on sites like Download.com. It is a fraud; not only does it basically do nothing, but it wants your money to do nothing, and then will not uninstall properly. Avoid.
- SpyKiller, StopGuard, Privacy Tools 2004, XoftSpy, SpyCatcher, SpyGuard, Spyware Nuker, SpyHunter, Warnet, Virtual Bouncer, AdProtector, Spyware Remover (from BulletproofSoft), SpyFerret, SpyGone, SpyBan, SpyAssault, SpyBouncer, SpyDoctor, SpyBlocs/eBlocs, NoAdware, PAL Spyware Remover, Scan4Free, and SpyAssassin (aka "Ada-Ware") are all either of very dubious quality or known malware sources themselves. Stay the hell away.
Note that searching on Google and other search engines for terms like "Spyware" will find a number of these fraudulent products, both in search engine hits and in "sponsored links" (i.e. advertisements). There are probably a few examples in the Google AdWords below, since filtering them out is next to impossible.
Section 3: When the automated tools haven't removed everything
Unfortunately, the automated tools can only detect and remove malware that they know exists. And since malware is a money-making business, there's new stuff appearing every day. So sometimes, the automated tools can't clean everything off a system. That's where HijackThis comes in.
HijackThis isn't an automated scanner like SpyBot or AdAware. It's a system editor, from the creator of CWShredder. It's kind of like MSConfig or RegEdit, only specifically for finding browser parasites and spyware-related garbage. It shows you everything browser-related on your system, good or bad, and it's up to you to decide what's harmful and what's benign. It also makes backups of everything it changes, and can create a text logfile for analysis by others.
In the hands of an expert, it's an amazing tool. In the hands of a novice, it's not just useless, it's dangerous. So unless you're very, very sure of yourself, never make any changes in HijackThis without consulting others first.
You can download HijackThis from the creator's website; if you're being blocked by a piece of malware, here is a personal mirror maintained by the FAQ author. (Please only use this mirror if absolutely required.) It's an EXE file that requires no installation, although it needs some Visual Basic 6 libraries which should already be present on all modern Windows machines. (If by some chance you don't have them, you can download them here.) It will write its logfiles and backups to the same directory it's run from, so you should put it in its own subdirectory and not run it from within your browser or unzip application.
It's recommended that instead of trying to fix things yourself with HijackThis, you post a logfile to one of these forums. Please read their rules before posting to ensure that they can help you properly, since there is always a backlog, and if you ignore their forum-specific rules you will be ignored and/or have your thread deleted. Also make sure that you have at least v1.98.2 of HijackThis; some mirror sites have older versions which are not as effective, and you may be asked to get the newer version and start over.
- the Net-Integration forums - home of the SpyBot authors
- the AdAware support forums
- the Spywareinfo.com forums
- the Spywarewarrior.com forums
- the cexx.org forums
- the DSLReports security forum
Forum users experienced with the removal of malware can then recommend which items to fix using HijackThis, and what files and directories to delete from your system. They may also recommend mailing one or more files (along with the original HijackThis log) to the authors of one of the automated removal tools, so that they can update that tool's detection database.
Section 4: Problems related to removing malware
Most of the time, malware can be cleaned off a system without side effects. But sometimes there are lingering issues, even after the malicious software has been removed.
Startup errors
If a program file is removed, but the startup entry for it is left in the registry, then an error will occur when the PC is restarted. A harmless but annoying error involving "CMD32.EXE" or "SYSTEM32" is not uncommon after cleaning up a heavily-infested machine. These startup entries for nonexistent programs can be found and removed using HijackThis.
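The orphaned startup entries described above can be listed without a third-party tool. The following PowerShell script is an added example, not part of the original FAQ or of HijackThis: it walks the standard Run and RunOnce keys under HKLM and HKCU, extracts the program path from each command line (quoted, unquoted with spaces, or a bare file name), and reports the entries whose target no longer exists on disk. The key paths are the standard Windows ones; the command-line parsing rules are this editor's.

```powershell
# Added example, not part of the original FAQ: find Run/RunOnce startup entries
# whose program file no longer exists (the leftovers that produce errors at
# logon after a cleanup).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds to every result; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-StartupExecutable {
    # Pull the program path out of a startup command line: a quoted path, an
    # unquoted path ending in .exe (spaces allowed), or the bare first token.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 1) { return $cmd.Substring(1, $close - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-StartupTargetExists {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ([IO.Path]::IsPathRooted($expanded)) { return (Test-Path -LiteralPath $expanded) }
    # A bare name such as "foo.exe" is resolved through PATH at logon, so check PATH.
    return [bool](Get-Command -Name $expanded -ErrorAction SilentlyContinue)
}

function Get-OrphanedStartupEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            if ($p.Value -isnot [string]) { continue }   # ignore non-string values
            $exe = Get-StartupExecutable -CommandLine $p.Value
            if (-not (Test-StartupTargetExists -Path $exe)) {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Target = $exe }
            }
        }
    }
}

# Limitation: an entry that launches a loader such as rundll32.exe is judged by
# the loader, not by the DLL it names; review those by hand (or with HijackThis).
Get-OrphanedStartupEntries | Format-Table -AutoSize
```

The script only reports; removing an entry is a deliberate second step (`Remove-ItemProperty` on the key and value name shown), and as with HijackThis you should be sure what an entry is before deleting it, since a legitimate program whose executable is temporarily missing will show up in the same list.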
Missing system files
Some particularly nasty pieces of malware will actually overwrite minor system files in order to keep themselves on your PC. The author of CWShredder has a list of files that versions of the CoolWebSearch malware software may damage, along with backup copies and instructions for replacing them. You can also replace these files with their original versions from the Windows installation CDs.
Damaged Winsock
The "Winsock" is the Windows networking system for TCP/IP, the Internet protocol. The design of the Winsock allows legitimate add-on software to plug itself into the system, in order to add or change network functionality. These "Winsock plugins" are called "LSPs". Unfortunately, this means that malicious software can plug itself into the Winsock as well.
Early versions of AdAware and SpyBot would sometimes damage the Winsock when removing malicious LSPs. Current versions are not known to have this problem, as great care is being taken to avoid it. If it appears that your Windows networking has been damaged by the removal of a piece of malware, the LSP-Fix site at CEXX.org has a discussion of the issue and a piece of software that may fix the problem. However, in some cases, the only way to fix a truly broken network system in Windows XP is to reinstall the OS.
Section 5: How can I not get this crap again?
Be careful what you download.
As mentioned before, the most important thing is to pay attention to what you download. Whether it's through a site like download.com, a standalone website, or a file sharing application, unless you know exactly who wrote this application and what it contains, you might be getting more than you bargained for. Open-source applications are almost always safe, but there have been exceptions. (There's at least one company that took the open-source application "Gnucleus", ran a search-and-replace on the name, and added malware to the installer. The actual modified application was still open-source, but the installer was full of crud.)
Here are some safe alternatives to malware-laden applications:
- Instead of Kazaa and other commercial file-sharing applications, try DC++, Gnucleus, or BitTorrent.
- Instead of GoZilla or DownloadWare, try GetRight or wget.
- You probably don't need any other toolbar for IE other than the Google Toolbar, with integrated Google search and popup blocking.
- Instead of the dozens of malware-filled MP3 encoders on download.com, get CDex or Exact Audio Copy.
- Instead of WeatherBug (which is adware), try WeatherWatcher.
Harden your browser against drive-by installs
There are two ways to do this. The first (and recommended) way is the quickest and the most effective: switch to an alternative browser that doesn't support automatic installs of malicious software at all. Browsers in that category include Mozilla, Firefox, and Opera. (Debate as to which browser is "better" rages constantly; try them all out and pick the one you prefer.) The browsers Maxthon (formerly MyIE2), Crazy Browser, and Avant Browser are just shells on top of Internet Explorer, and inherit the same malware problems that IE has. They may provide new functionality, but they do not solve the basic problems with ActiveX.
If you don't want to switch browsers, then you can take steps to harden Internet Explorer. (These same tips apply to Maxthon, Avant Browser, and Crazy Browser.) This is more complicated, and is not ever going to be 100% effective, because security holes in the browser will bypass whatever hardening you do. Hardening Internet Explorer is largely a process of making sure that all known, existing security holes are patched. The steps, in order of importance:
- First, make sure that you are running the latest version of your operating system and Internet Explorer. If you are running Windows XP, installing XP Service Pack 2 will update your OS and bring IE up to version 6SP2. (If you are on a dialup modem and can't download the hundreds of megabytes of data that XP SP2 requires, Microsoft may be willing to mail you a CD.) For Windows 2000, you should install Service Pack 4, and then download and install IE6SP1 separately. For any other version of Windows, you should download and install IE6SP1 separately.
- Make sure you have everything from "Critical Updates and Service Packs" installed from Windows Update. When they say "critical", they are not kidding.
- Set Internet Explorer's security settings to something more fundamentally secure. You should reset the Internet Zone security to the default setting, which is "Medium". Then go into the custom security settings and turn off ActiveX downloading for that zone, as shown in this screenshot. This will stop a huge amount of simple malware dead in its tracks. The next step is to go to the Trusted Sites zone and reset it to "Medium" security as well (it defaults to "Low"). Then you add microsoft.com to the list of trusted sites to make Windows Update continue to work; you can then add sites like macromedia.com (for Flash updates), apple.com (for QuickTime updates), and yahoo.com (for games and chat) at your discretion. Turning off ActiveX downloading for the Internet zone only prevents new software from being downloaded; it does not prevent existing plugins from working. For example, it won't prevent the Flash plugin from working on a site in the Internet zone, but it will prevent the Flash plugin from installing, unless macromedia.com has been added to the trusted sites list.
- Install the Sun Java Runtime, and have it be the default Java VM instead of the Microsoft one. Sun's Java implementation is much more secure than Microsoft's. Java exploits are rare (but devastating when they happen), and some versions of Windows XP don't have the Microsoft JVM at all, but it never hurts to be safe.
- Use an "inoculation" or "vaccination" tool, which acts much like a real-time virus scanner. SpyBot has one of these built into it, called "Immunize". There's also the popular Spyware Blaster tool, which does largely the same thing. The commercial version of AdAware has an inoculation feature as well. These tools can occasionally block legitimate software from working, however, and like scanners they can only catch malware which they know how to recognize.
If you choose to keep using Internet Explorer, it is recommended that you run SpyBot, AdAware, or both scanners at least once a week, because no current solution (aside from switching browsers) is going to give perfect immunity to the malware problem. Always make sure that your scanners are up-to-date (as outlined earlier) before running them, as new malware databases are released very frequently.
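To check that the zone changes described above actually took, here is an added example that is not part of the original guide: it reads the per-user Internet Explorer zone keys and reports the ActiveX download settings and security level of the Internet and Trusted Sites zones. The registry locations, the value names 1001/1004/1201 and the CurrentLevel constants are Internet Explorer's documented zone registry layout; the "NeedsAttention" rule is this example's own reading of the guide's target state.

```powershell
# Added example, not from the original guide: report the Internet Explorer zone settings the
# hardening steps above change. Zone 2 is "Trusted sites" and zone 3 is "Internet"; the value
# names 1001/1004/1201 and the CurrentLevel constants are IE's documented zone registry layout.
# Action data: 0 = Enable, 1 = Prompt, 3 = Disable. Read-only; it changes nothing.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ '2' = 'Trusted sites'; '3' = 'Internet' }
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($id in $zones.Keys) {
    $key = "$zoneRoot\$id"
    if (-not (Test-Path -Path $key)) { Write-Warning "Zone key missing: $key"; continue }
    $props = Get-ItemProperty -Path $key
    $level = [int]$props.CurrentLevel
    $levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { '0x{0:X}' -f $level }
    foreach ($code in $actions.Keys) {
        $data = $props.$code
        if ($null -eq $data) {
            $setting = '(not set)'
        } elseif ($actionNames.ContainsKey([int]$data)) {
            $setting = $actionNames[[int]$data]
        } else {
            $setting = "$data"
        }
        # The guide's target state: no ActiveX downloading enabled in the Internet zone,
        # and the Trusted sites zone no longer left at "Low".
        $enabled = ($null -ne $data) -and ([int]$data -eq 0)
        $needsAttention = ($id -eq '3' -and $enabled) -or ($id -eq '2' -and $level -eq 0x10000)
        [pscustomobject]@{
            Zone = $zones[$id]; Level = $levelName
            Setting = $actions[$code]; Value = $setting; NeedsAttention = $needsAttention
        }
    }
}
$report | Sort-Object Zone, Setting | Format-Table -AutoSize
```

A row marked NeedsAttention means the corresponding step above has not been applied for that zone; the report covers the current user's settings only, so run it under each account that uses the PC.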
Section 6: What can I do to help?
Donate
Purchase
LavaSoft's AdAware is free, but it's the commercial versions, AdAware Plus and AdAware Professional, that keep them in business. If you want to contribute to them, buy the commercial version, even if you don't need any of the extra features it offers.
Send a word
If you found this guide helpful, send the author a note. You can help me improve this guide by telling me how you found it, what parts you found useful, and what parts you thought needed work. (If you're another angry Belgian who's going to write me an email in ALL CAPS, you can skip it.)
Further reading
- Doxdesk parasites article and listing - highly recommended
- The CWS Chronicles - Merijn's constant fight against the ever-evolving CoolWebSearch trojan, to keep CWShredder up-to-date (no longer updated but still amazing)
- Spyware Warrior blog - cutting-edge news and commentary on the fight
- Benjamin Edelman's spyware research - in-depth legal research on spyware and adware issues
- SimplyTheBest's spyware pages
- CounterExploitation's spyware pages
- Bazooka's adware database - endlessly browseable in a car-wreck kind of way
- Eric Howe's monster list of privacy & security resources
Redistribution of this document
The permanent URL of this document is
http://www.io.com/~cwagner/spyware/
Feel free to redistribute this document, electronically or in print. Also feel free to modify it to suit the needs of your organization, or use it as the starting point for your own documentation. Just give me credit via name and linking back to this URL, and send me an email about it.