Keith's Weblog: Comments on "Spyware, adware, crappy-ware removal software"

by Kayode Okeyode

Sun, 01 Feb 2004 09:47:54 +0000

I recently cleaned out a family friend's PC and was going to blog about it since there are some lessons to be learned.

In addition to Ad Aware and Spybot Search and Destroy, you want the following:

CWShredder to catch the Cool Web Search Spyware. Ad Aware and Spybot are unable to keep up with this kind of Spyware and I suggest running it first (it fits onto a floppy) - scroll down for the download information.
HijackThis gives a log of all spyware on the PC - should give you a starting reference - runs in seconds and fits onto a floppy.
If your friend is using Windows NT/2000/XP, then have a look at some of the tools from sysinternals I would start with autoruns which should give you a list of all applications starting up on the PC, then have a look at the following, if you wish: Process Explorer, File Monitor, Registory Monitor and TCPView which is GUI version of Netstat -ano
You also need an anti-trojan and an anti-virus, but I won't bore you with the details except to say that the Trojan Defence Suite can be tried for 30 days so you may wish to try it out on your friends PC and remove any trojans. For AV, I tend to use Avast which is free and auto-updates since the PCs owners are not willing to pay for an AV, but you can use AVG, EZ if they suite you (all free). By the way, I use F-Prot on my Home PC.
For a Firewall, I tend to use Kerio 2.1.5 (which is a rules-based firewall) because I think it is the best of the bunch, unfortunately, the last PC I cleaned, I just received an email telling me they had to uninstall it, it was too strict for them because I set it to allow IE to talk to the outside world on Ports 80, 8080 and 443 only - it seems IE needed to go somewhere outside those ports! - obviously, I wasn't allowed to install another browser so I locked down IE as best as I could.
Once the PC is clean, you may wish to look at Spyware Guard which alerts when IE's Home Page is changed and Spyware Blaster which prevents Spyware from being installed by setting killbits in the registry

Unfortunately, I cannot comment on WinPatrol, I have seen it discussed in the Security Newsgroups where I hang out but the tools I mentioned above are really the cool ones to have.

If your friend insists on IE, unfortunately, you will need to lock it down too - the PC I cleaned had those buttons on the keyboard for "Internet" and "Email" so I had to stick with IE (I locked it down without mentioning it though.)

You could also use the Hosts File to block some of the nasties - I have some URLs but I haven't shared them here, because I wanted to focus on tools I have used and can vouch for.

Hope the above helps.

by Keith

Sun, 01 Feb 2004 20:15:36 +0000

Whoa, thanks a lot.

by Sparticus

Tue, 03 Feb 2004 11:17:45 +0000

Lock down ie? That sounds like a good idea. How?

by Brian

Tue, 03 Feb 2004 14:44:31 +0000

I've found that some of the best software to use is the following:

- WebSweeper (use first)
- Search & Destroy SpyBot (use second to remove everything the sweeper missed.. this is a great program because it will ask to load at system start up before other utilities to remove any programs still in memory)
- Hijack this (this is great because it will scan all of your memory and report everything - most of the time it reports good things as bad but it's very powerful.)

With those three you shouldn't have any problems getting the system up and running as it was before. Good luck.

by Kayode Okeyode

Tue, 03 Feb 2004 15:23:24 +0000

Lock down ie? That sounds like a good idea. How?

I don't have access to my usual resources because I am not at home at the moment, but you may wish to have a look at the "Related Reading" section of an article I wrote over the weekend:

Hacking Internet Explorer's My Computer Zone

Basically, you lock down IE by tweaking the IE Security Zones and also the options on the "Advanced" Tab.

If you are not comfortable doing this, then you may wish to install Eric Howes' Enough is Enough or look at his IESPYAD

by Bruno Bord

Wed, 04 Feb 2004 00:48:40 +0000

I read somewhere that the "Ad aware" engine was in fact, stolen to SpyBot.
The Bulletproof Inc. did the same...

The genuine Spybot engine can be found at http://security.kolla.de/

by Sparticus

Wed, 04 Feb 2004 10:12:43 +0000

Sweet! Thanks very much

by Paddy

Wed, 17 Mar 2004 05:56:29 +0000

How do you feel about Spyhunter? I use Spybot S&D, but a friend suggests this is better...

Paddy

by Keith

Wed, 17 Mar 2004 06:06:43 +0000

I think both Spy Hunter and Spy Killer are themselves spyware. I was pretty surprised when I found that out. I'm not completely sure that they are, but I don't trust them.

by Mark Henly

Mon, 14 Jun 2004 06:11:33 +0000

We have added a removal feature for some of the symptoms you mentioned http://spyware.removal.nospyx.com/free/spyware-scan/ If anyone wants a free scan. This is a new product but its catching tons of spyware. I would love a review guys