A couple of years ago, the worst thing that could happen to you while surfing the Internet was to get bombarded by pop up ads. Lately though, I feel like all I do is clean spyware. I have spent countless hours removing spyware from computers belonging to friends and family, only to have it re-appear a few days later. I try to help as many people as I possibly can, but the spyware problem has reached epidemic proportions and is only getting worse. I have seen recent statistics indicating that approximately 95% of the world’s PCs are infected with spyware. Unfortunately, removal techniques that worked just a couple of months ago are no longer effective in many cases and new types of spyware being released are more advanced than most computer viruses. In this article, I will discuss why the spyware problem has gotten so out of hand and more importantly, what you can do about it.
Why Is Spyware Such a Big Problem
Before I discuss methods for fighting spyware, I want to take a moment and talk about why spyware is such a huge problem to begin with. The problem can be traced to two main causes; the sneaky way that spyware gets installed and the lack of good preventative solutions.
Let’s begin by talking about the ways in which spyware gets installed. Spyware gets installed in a variety of ways. Some main stream companies offer free programs that come bundled with various types of spyware. When you install the application, you are also installing the spyware component. Such companies often disclose their intent in the software’s end user license agreement. However, the end user license agreement tends to be so long and chalked so full of legal jargon that almost no one bothers to read it prior to installing the software.
While some companies bundle spyware with applications, other companies trick users into installing spyware. What typically happens is that during the course of surfing the Internet is that a user will see a pop up window that is disguised to look like a Windows error message. The actual error message displayed by these windows differs widely, but the goal is the same; to get the user to click on a button. The user thinks that they are clicking a button that will fix the alleged error, when in reality they are initiating a spyware installation sequence.
Still other forms of spyware are designed so that you neither have to install an application nor click a button. What tends to happen is that a malicious Web page does a good job of baiting a search engine to make it look as though the page contains something interesting. As an alternative, a malicious page may also be placed on a Web site that is a common misspelling for a popular Web site. For example, there are countless malicious Web sites targeting those who misspell google.com.
In either case, a user must simply visit an infected page to become infected with the spyware. Such a page typically makes use of ActiveX controls and exploits weaknesses in Internet Explorer.
Spyware can also be spread through E-mail in a similar manner. Mail programs such as Microsoft Outlook and Outlook Express can receive messages either in plain text, rich text, or HTML. If a message is encoded in HTML, then the HTML document’s head may call a malicious script. A user doesn’t always have to read an infected message to have it infect their system. In some cases, just having the message displayed through Outlook’s preview pane is enough to cause the malicious script to execute. Fortunately, newer versions of Outlook allow you to block external HTML code.
As I explained earlier, the methods in which spyware spread are only a part of the problem. The other part of the problem is a lack of reliable methods for detecting and removing spyware. For some reason, the big anti virus companies have traditionally shunned spy ware. Over about the last year, more spyware detection and removal capabilities have been built into anti virus programs than ever before. Even so, the anti spyware capabilities built into anti virus programs tend to be mediocre at best. There is an interesting article on wired.com from last summer in which various anti virus programs were put to the test against spyware. I won’t bore you with all of the details since you can read the article for yourself at: http://www.wired.com/news/infostructure/0,1377,63978,00.html but I will tell you that in the test Symantec AntiVirus only caught four out of the nine pieces of spyware. The other anti virus products didn’t do much better. My point is that there are a lot of people out there who depend on their anti virus software to keep them safe while online, but do not realize that anti virus programs ignore the bulk of the spyware that’s out there.
Spyware Removal and Prevention
If spyware can creep into your computer without your knowledge or consent, and if your anti virus software will likely ignore the spyware installation, the real question is how do you clean up an existing infection and how can you prevent future infections?
Let me start out by saying that there are a lot of tools out there for removing spyware. Some of them are free while others are commercial. Unfortunately, almost all of these tools claim to be the best at removing spyware. It has been my experience though that no product exists that provides comprehensive protection against spyware.
I have found that the best defense against spyware is to thoroughly clean a machine and then take preventive measures against re-infection. Of course cleaning the machine in the first place can be really tricky.
Since no one piece of software will clean everything, I typically use at least two anti spyware programs. Typically I will install Lavasoft’s Ad Aware SE Personal Edition (www.lavasoftusa.com) and Spybot Search & Destroy (http://www.safer-networking.org/en/index.html) because both programs are free.
I generally have pretty good luck scanning a system with these two applications. What spyware one program misses, the other one will usually catch. Sometimes though, a machine will be so badly infected that neither application will be able to remove the infection. In such cases I have sometimes turned to commercial anti spyware programs. I have had pretty good luck with Spy Sweeper (http://www.webroot.com/products/spysweeper/) and Pest Patrol (http://www.pestpatrol.com/) , but I can’t honestly say that these products are much better than Ad Aware or Spybot.
If a machine is so badly infected that I can’t seem to remove the infection by using Ad Aware and Spybot, I will usually try to fix the problem while working in Safe Mode. The idea is that when you boot Windows into Safe Mode, Windows is running under a minimum set of drivers and services, and you are also isolated from the Internet. The reason why I do this is that most of the time when anti spyware applications are able to detect an infection, but can’t clean it (or when the infection comes back immediately after cleaning it), it is usually because some spyware component is currently in the system’s memory. Most anti spyware programs focus primarily on the contents of the hard disk rather than the memory and spyware modules in memory consequently often go undetected. However, by booting the machine into Safe Mode, you can usually prevent spyware modules from loading while you try to clean the system. Keep in mind though that you must initially boot Windows normally so that you can download the latest updates to your anti spyware programs. Only then can you effectively boot into safe mode and begin the removal process.
Hopefully, booting the machine into Safe Mode and running an anti spyware program will take care of the problem for you. Sometimes even this method fails though. There are some types of spyware that are so hard to get rid of that you will have to remove them manually. A good example of this is a type of Spyware called Cool Web Search. There are countless variations of Cool Web Search, but its main purpose is to hijack your home page and then load up your system with various Trojans. Cool Web Search is one of the most common types of Spyware, but there are so many different varieties of it that most anti spyware programs have trouble getting rid of it. There is a specialized tool for getting rid of Cool Web Search that you can download called CWShredder (http://www.majorgeeks.com/download4086.html) The problem is that newer Cool Web Search variants are immune to CWShredder. Fortunately, the link that I just provided you with will also allow you to download a utility called CoolWWWSearch Smart Killer, that is designed to remove newer variants of Cool Web Search.
While I am on the subject of browser hijackers, such as Cool Web Search, I want to take a moment and talk about another common problem with removal. It has been my experience that sometimes anti spyware programs will get rid of Cool Web Search and other browser hijackers. The problem is that in some cases, the spyware removal program never bothers to reset your home page to something safe. Therefore, the next time that you open Internet Explorer, you will instantly reinfect your machine. Even if you are running Windows in Safe Mode with no Internet connection, your machine can still get re-infected if files related to the current home page still exist within your browser’s cache.
Since this is the case, I recommend that after removing a browser hijacker that you refrain from opening Internet Explorer until you have run Hijack This (http://www.spywareinfo.com/~merijn/downloads.html). HiJack This is a utility that is designed to reset Internet Explorer back to its original state. Not only does it reset the home page and search page, but you can use it to remove spyware fragments that might have been missed. Hijack This can be a little complicated to use, but there is a good tutorial that will walk you through the process at: http://hjt.wizardsofwebsites.com/
Of course not all types of spyware are browser hijackers. There are other types of spyware that are also difficult to remove. If your anti spyware program detects a specific type of spyware, but is unable to remove it you might be able to find instructions on the Internet for manually removing the exploit. I have personally written several articles with detailed instructions on manually removing various exploits.
If you can’t find removal instructions for your specific exploit, then you will need to figure out how to manually remove it on your own. Fortunately, this is not quite as difficult to do as it used to be. While its true that there are about a zillion locations within Windows from which spyware can be launched, there are tools that can help you to track down the spyware.
I recommend starting off by booting the machine in Safe Mode and pressing CTRL+ALT+Delete to view the Task Manager. When you do, select the Processes tab and make a list of all of the processes that are running on the machine. Since the machine is running in Safe Mode, these should all be processes related to the Windows operating system. Now, boot Windows normally and check the processes again. Write down all of the processes that are currently running, and then cross off any processes that were also running under Safe Mode. What you have left is a list of higher level Windows processes, ad-on applications (such as anti virus software), and spyware. If there are any processes remaining on the list that you recognize, you should cross them off of the list as well.
Now, go to http://www.liutilities.com/products/wintaskspro/processlibrary/ or to http://www.processlibrary.com/ and research any processes remaining on your list. The process libraries are fairly new, so you may not be able to find everything on your list, but it should give you a good idea of which processes belong to Windows and which are potentially spyware.
Once you have figured out which processes are potential spyware, I recommend downloading a utility called StartupList (http://www.spywareinfo.com/~merijn/downloads.html) This utility will show you every program that is being launched when Windows boots. You can then use this information to remove the suspected spyware from your system.
Immunizing Your Computer
Now that I have talked about some techniques for removing spyware from your system, let’s talk about prevention. There are several good steps that you can take to render many types of spyware ineffective.
The first thing that I recommend is to install Windows XP Service Pack 2 (assuming that you are running Windows XP). The service pack fixes a number of Internet Explorer security holes and also provides a welcome pop up blocker. More importantly though, it contains a new add-on manager that allows you to see what programs have been linked to Internet Explorer and to disable those programs if necessary. There is a great article about all of Windows XP Service Pack 2’s new security features at: http://www.updatexp.com/windows-xp-service-pack-2.html You can download the actual service pack from: http://www.microsoft.com/windowsxp/sp2/default.mspx
The next step that I recommend taking is to configure Internet Explorer’s Security zones to block malicious sites. Internet Explorer allows you to classify Web sites as being trusted, restricted, local Intranet, or Internet. If you place a link to a Web site into the Restricted Sites category, Internet Explorer won’t stop you from visiting the site, but it will prevent that site from being able to harm your machine if you do visit it.
Spybot Search and Destroy contains an immunization feature in which it adds quite a few malicious sites to the Restricted Sites list in case you get hijacked and land on one of those sites accidentally. Another free tool that does an even better job is Spyware Blaster. This tool contains a list of thousands of sites that can be added to the Restricted Sites list. Spyware Blaster does not clean spyware infections. It’s entire goal is to prevent infections in the first place. There is even a feature that allows you to lock down your Internet Explorer home page so that it can’t be changed. You can download Spyware Blaster at: http://www.javacoolsoftware.com/spywareblaster.html
Finally, most spyware is designed to report information about you or about your computer to a server somewhere on the Internet. The Windows firewall will go a long way to preventing spyware from “phoning home” but there are other things that you can do as well.
My number one recommendation is to unplug your modem when it isn’t being used. Some spyware modules include dialers that silently cause your modem to dial 1-900 numbers or to call foreign countries. The end result is an outrageous phone bill. You can prevent this from happening though by simply unplugging your modem cord when your modem is not being used.
Another option is to install Spyware Blocker (http://www.spyblocker-software.com/spyblocker/sb.shtm) Although installing spyware blocker is no substitute for unplugging your modem, it does prevent spyware from transmitting information about you or about your computer to spy servers while you are online. I have never actually used this product myself (yet), but it has received very favorable reviews.
In this article, I have tried to give you a lot of good information about how to remove and prevent spyware infections. You can get a lot more information on the topics that I have discussed by visiting http://www.firewallguide.com/spyware.htm