Help removing and preventing spyware.
If IE keeps giving you errors, there are unwanted taskbars, (porn)popups seem unstoppable, you can't print anything you find on the world wide web or your startpage has been changed,
chances are big you have been infected with spyware.
This site consists of two parts:
- Remove spyware
- Prevent spyware
First of all, don't panic and install the first program that promises to relieve you of this misery.
Some programs that are being marketed as spyware-removers are spyware themselves or come bundled with it.
The worst examples being AntiVirGear, Personal Defender 2009 and all the other variants grouped as SmitFraud.
In earlier days we had SpyBan that installed Look2Me, a program that embeds itself in explorer in a way that requires brute force to remove it.
On top of that, it is so poorly coded, the symptoms in the worst cases, render the Windows Taskbar, including the Startbutton, completely inoperative.
Then there are a few, whose marketing techniques are only beaten by their lack of quality. They should be avoided, because they will report false positives, after which they will tell you, that only the paid version will remove them.
For a full analysis of all the imposters out there have a look at this site: Rogue/Suspect Anti-Spyware Products & Web Sites.
- Remove Spyware
A very nice program for those that know their way around the Windows registry is Bazooka Adware and Spyware Scanner.
This is a very small program that only reports the spyware it finds and links to their site where you will find excellent removal instructions.
Two outstanding free programs to remove spyware are: AdAware and Spybot S&D.
An excellent guide on the preferred AdAware settings can be found at the Lavasoft Support Forums.
A tutorial for Spybot S&D can be found at BleepingComputer.
Another option (only for Windows 2000 and XP) is Ewido, now sold as AVG Anti-Spyware.
If those three don't help you'll probably have found a new variant of known spyware or a completely new malware.
Chances are you will need one of the following tools:
- SmitFraudFix
Where you can find what it removes, how it works and where you can download it.
- HijackThis
Where you can find a downloadlink and what is expected of you when you post your log on a forum.
If you think you are computer-savvy enough to clean it up yourself, here are some tutorials about HijackThis:
Merijn's HijackThis tutorial
My tutorial
Understanding Spyware, Browser Hijackers, and Dialers
Beware. HijackThis is a very powerful tool and does not make it's own distinction between good and evil.
When in doubt, post your log at a board like GeeksToGo where you can get expert help.
Other boards that have a decent amount of experts:
CastleCops
SpywareInfo
WhattheTech formerly Tom Coyote
A number of helpful sites if you want to analyze your own log:
Unzy's list of CWS domains
BHO's and Toolbars CLSID's list
Pac's Portal list of startups
Zupe's list of LSP's (O10)
FBJ's list of protocols and filters (O18)
O20 AppInit_DLLs and Winlogon Notify
O21 ShellServiceObjectDelayLoad
O22 Shared Task Scheduler
List of services (O23)
ShellExecuteHooks
You can have an online check done along with a lot of descriptions and manual removal instructions here:
doxdesk.com
- Prevent Spyware
- SpywareBlaster
- IE-Spyad/ZonedOut
After ridding yourself of the misery it is now time to make sure it will not get its hooks in you so easy again.
This is an illustrated version of: this topic posted on several security sites by fellow MVP TonyKlein.
You usually get infected because your security settings are too low.
Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:
1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.
3) Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "prompt", and "Initialize and Script ActiveX controls not marked as safe" to "disable".
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
- SpywareBlaster
4) Install SpywareBlaster
It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
Download and install the program, then follow these steps to get protected 
Under 1 click on Download Latest Protection Updates and then hit Enable All Protection
Under 2 check if the settings are as recommended.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.
5) Another free program is now offered by Microsoft. It is a malware blocking and removal tool called Windows Defender (Not compatible with Windows 98 and ME.)
It also features real-time protection. Which means you get a warning if important changes are about to be made and the program holds them off until you approve.
- IE-Spyad/ZonedOut
6) Zoned-Out is a program that helps you to put sites in the "Resticted Zone" for Internet Explorer.
Experts have developed special lists you can import into the program.
One that is certainly worth your trouble, is the one by Eric Howes, who used to provide us with IE-Spyad.
All this to ensure that you can be safe on the deceiving, harmless looking sites, that would love to trap you.
Download Zoned-Out from the Funky Toad site.
Unzip the file to the folder where you want the program.
In that folder find ZoneOut.exe and doubleclick it.
You will notice the sites the protection already works for.
If you would like to add the professionally kept list by Eric Howes, download
IE-SPYAD for ZonedOut
Unpack it with the built-in WinZip to the preferred folder. In the below example it's the same one as ZonedOut, but that is not necessary.
Next, in Zoned click Menu > Import/Export Sites > Import from File en navigate to the folder with IESpyad files. Import ie-ads.txt
To install the full protection repeat this procedure for ie-nfe.txt and adult\adult.txt
After that you can check in IE > Tools > Internet options > Security Tab > Restricted Sites > Sites to check if it worked.
Incidentally, another site with an enormous amount of information on computer security, and which is well worth a visit is Wilders Security.
Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
In addition to Tony's recommendations I would like to add a personal favorite of mine:
RegProt by DiamondCS
By monitoring important locations and keys in the Windows system registry, RegistryProt will alert whenever a key is added or changed, and then give the option of accepting the key change, reverting back to the original key setting, or deleting the key.
And it certainly never hurt anyone to make backups regularly. My personal favorite is Acronis True Image.
Not only does it make images of your drives, but it also enables you to select certain files from those images to be restored without losing any other changes.
I want to bring some other great resources under your attention to help you keep the spies to a minimum.
Blocking Unwanted Parasites with a Hosts File
Helps you block a wide range of infecting sites without using any resources.
IE6 Advanced Settings
GetNetWise provides easy to use information how to block cookies using IE's Privacy settings.
AplusWebMasters site
Where he gives you his well-informed view about online security.
Webhelpers site
A spyware-researcher who gives CWS special attention.
For those of you who came looking here for my BFU-scripts,
you can find them listed at my page about dialers.
Other pages in this series:
HijackThis
Killbox
Unzipping with XP
Brute Force Uninstaller
Change IE's Homepage
I'm planning to update and expand this site whenever I can spare the time, so stop by some time to see how it is coming along.
Pieter Arntz aka Metallica.
hitandrun
The revenue of this site will be used to buy the tools I think will help me to help you better. If that means getting a 19" monitor and you don't want me to, please feel free not to donate. I will still be glad if I was able to help you.
