In-Depth
Reader Tips: Do Away with Spyware
Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.
We all know spyware is bad stuff. The real question is how to get rid of it.
To find out, we went to the experts -- you, the
Redmond reader. Dozens
of you responded to our pleas. Here are the best bits of spyware removal advice,
sprinkled with a healthy dose of anger and frustration.
Removing Aurora
Aurora is a nasty bit of adware/spyware that can be a real pain to root
out. Redmond reader and IT Specialist Robert Butler knows. "I've
discovered that Aurora changes the file names of the files it uses to re-infect
the host. Aurora also apparently hijacks some legitimate running processes,"
Butler explains.
Butler has spent hours trying to clean Aurora out of systems. "I've found that one needs to boot in command prompt safe mode and delete the file c:\winnt\ceres.dll. The file will not delete in normal mode and will regenerate the software if not deleted. No anti-spyware software will delete the file either."
Aurora also seeds confusion, says
Butler. "Aurora is part of a group
from Direct Revenue that includes: ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and Search Assistant."
The confusion extends to Aurora Networks, a technology company that has nothing to do with the spyware, but finds itself mistaken for the malefactor. The firm has gone so far as to publish helpful updates and links for managing the Aurora spyware threat on its Web site.
That site includes a link to the Aurora authors' own removal tool. It would seem foolish to trust such a tool, but at least one reader, Scott Davidson, owner of ARX Computers, had good luck with the Aurora-built fix.
"In the effort to stay 'legal,' many
spyware purveyors offer uninstall programs. They don't make it easy to find, but they're out there on a regular basis," says Davidson. "You may be leery of using it, but I figure this company has already had its way with this computer, so going back for more shouldn't do additional damage. The uninstall program for Aurora works like a charm. However, remember the best tool for fighting spyware in general is
System Restore."
Matt Yeager also tried the Aurora removal tool, after seeing positive
feedback on a number of forums.
He says the tool removed the pernicious spyware.
"A malware company you can trust? I don't think so," Yeager writes.
"A malware company that's worried about prosecution is probably more like
it."
A Bloody Irish Answer
By Kevin Jordan
How can IT professionals hope to put an end to the malware scourge?
Kevin Jordan, of Belfast, Ireland, offers an idea.
"Here in Belfast we have a shop called B&Q and it's
a hardware/home/garden improvement type of place. Now in there
they sell nice, handy lengths of timber. Sand one end until
it's rounded and provides a nice tight grip, allowing both
hands to hold roughly four feet of 6x4. Find out from the
local authorities who the onion is that wrote the spyware
code. Go around to his/her (you never know) workplace or home
using transport of your choice -- preferably low-budget airline
or bus because you're already out the price of the lumber.
Apply the said piece of timber several times to the body of
the numpty who's responsible for causing this irritation.
Before he/she loses consciousness, try to find out anything
about his/her contacts and pass this info on to like-minded
people you know.
Hopefully this will mitigate the cost of the timber and transport by spreading it about and eventually these people will give up their activities since it's hard to type with broken fingers.
Incidentally, in order to comply with health and safety legislation,
it may be prudent to wear some form of protective gloves and
visor, just in case some loose splinters are flying about."
Kevin Jordan is a presales IT consultant.
More Aurora Horror
Joey Heape ran into trouble after giving his 13-year-old children their
own PC. The kids recently complained about slow performance, and Heape discovered
the system was riddled with malware. Heape, who is director of media & technology
for the South Carolina Bar, ran a host of free spyware killers, as well as Microsoft
AntiSpyware, but to no avail.
"I learned about killing processes, HijackThis, etc. I tried CounterSpy (home version, I actually use the enterprise version at our office), Ad-Aware (I own a copy of this for my workstation), you name it, I tried it," Heape recounts. "Needless to say, I ended up reformatting."
Stuffing Surf Sidekick
Another tough customer is Surf Sidekick, which can seem impossible to
dispose of. But for the patient and technically adept, there is a removal procedure
that can help you. (Scroll down to More Information for a direct link to the
procedure.) This heads up comes courtesy of Ryan Carrier, ISA CCST III, and
an IT pro at Fraser Papers Inc.
"My worst experience with spyware? How about spyware (or maybe it was a virus) that replaces the host file so you can't go to Microsoft, Symantec and other sites you need to remove it. If you repair the host file, it gets replaced again! Shuts down the browser when certain words are typed in Google (like 'virus,' 'spy,' etc.). And it disables Task Manager and any [other] program that looks like a task manager. I was eventually able to find one that wasn't recognized by the spyware," recalls Carrier.
"The fix ended up being a combination of spyware detection tools, a task manager not recognized by the virus, going into safe mode and a pinch of luck!" Carrier says.
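A check for the hosts-file hijack Carrier describes, as an added example that is not from the article or from any tool it names. The watch list of vendor domains and the sample hosts content are constructed for illustration; `check_system_hosts` assumes a standard Windows layout under `%SystemRoot%`.

```python
"""Hosts-file hijack check (added example; not from the article or any tool it names).

Spyware of the kind described above rewrites the hosts file so that vendor and
update sites resolve to a dead address. This scans hosts-file text for two signs:
an entry that overrides a watch-listed security domain at all, and an entry that
sinkholes any non-local name to a loopback or unspecified address.
"""
import ipaddress
import os

# Constructed watch list: domains an honest hosts file has no reason to override.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
             "trendmicro.com", "lavasoft.com", "safer-networking.org")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()                     # one address, one or more names
        for name in names:
            yield ip, name.lower(), line_no


def is_watchlisted(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Return [(line_no, ip, hostname, reason)] for suspicious entries, in file order."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if is_watchlisted(name):
            findings.append((line_no, ip, name, "security vendor domain overridden"))
        elif addr.is_loopback or addr.is_unspecified:
            # A deliberately installed ad-blocking hosts file also trips this rule.
            findings.append((line_no, ip, name, "non-local name sinkholed"))
    return findings


def check_system_hosts():
    """Scan the live hosts file; the path assumes a standard Windows layout."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


# Constructed sample resembling a hijacked XP hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.microsoft.com windowsupdate.microsoft.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         download.lavasoft.com
127.0.0.1       forums.example.net   # constructed: a help forum blocked outright
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}: {reason}")
```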
Prevention Through Privileges
Many spyware problems result from users running Windows with full administrative
privileges, says reader Rick Lobrecht. He urges IT managers to set up accounts
with normal user privileges. "Your spyware problems will disappear," he says.
Paul Witting is emphatic in his agreement. "DO NOT RUN WITH LOCAL ADMIN PRIVILEGES," he writes. "I know it's a pain, as way too much stuff still insists on having admin rights, but the difference this one little piece of preventative maintenance makes is night and day."
Witting describes his company as having to deal "with the most nefarious corners of the Internet day in and day out." And yet, none of its PCs have suffered an infection. He credits restricting administrative privileges for the difference.
The Microsoft Way
Microsoft offers a number of tools, including spyware blocker Windows
Defender (formerly known as Microsoft AntiSpyware). It also has a new tool to
protect computers used by more than one person, which reader Byron Hynes is
a fan of. Hynes suggests downloading the Microsoft Shared Computer Toolkit for
Windows XP.
The free software helps keep users from changing settings and installing software, and it defines what changes can be made to hard drives. This tool is largely aimed at shared computers in public places such as waiting rooms and kiosks, but could be just the trick for the spyware sponges in your shop.
There's a similar third-party tool, as well, called Deep Freeze. "This tool allows users to make whatever mischief they can get away with, after which the admin can restore the original system state. Some labs have the systems automatically rolled back every night, to make sure everything will be working in the morning," says a senior systems engineer who asked not to be identified.
A Virtual Solution
Several readers suggested virtualization as a solution. "I use Virtual
PC with undo on," says Dave Cline. He describes how "all changes to the virtual
hard drive are dumped each time I reboot the machine," erasing infections from
the previous session.
Reader J.D. Norman, who is CTO of PCS Enterprises Inc., says virtualization simplifies his life. "Turn on snapshots, and if there is a problem, roll back to a previous snapshot," he says. "Makes it easier to move the user to a different PC, too."
Charles Hodgkins uses what you might call manual virtualization to keep his kids' surfing from messing up his system. He describes two tricks: "One is to use a removable disk tray like those from Addonics. This way I keep a separate drive for the kids, which I can reformat as needed, and keep a drive for myself that I keep locked away from the kids. Another is once I get the machine set up the way I like, I create an image using Acronis True Image that I write onto several CDs or DVDs. That way, I can easily re-create a drive as required," Hodgkins explains.
"Of course, I also disable every service I can, as well as keep my computers
behind a NAT router and enable software firewalls on all of them. This doesn't
stop everything, but it helps."
Spyware Removal: The Unabridged Version
Here is my standard removal procedure, up-to-date
as of the new year:
- System Restore -- ask how long the problem has occurred and
whether the user made any major changes to the system since
then. If it's a new problem surfacing in the last few days,
roll it back two weeks. This fixes some of the nastiest
problems cold. Explain that System Restore does not affect
data like documents and music, but any programs installed
in the last couple weeks will need to be reinstalled. This
is an overlooked and very useful tool for all problems,
not just spyware.
- Boot into Safe Mode w/Networking, go to Control Panel
then Internet Options. Delete temporary Internet files,
cookies and clear history. Set Internet zone security back
to Default if it's on "Custom." Check "Trusted Sites" zone
and make sure it's clear (sometimes spyware will add their
sites to it). Check Cookies setting, make sure it's Medium,
not "Accept all cookies."
- Uninstall all known spyware programs you see in Control
Panel Add/Remove Programs. Sometimes they demand Internet
access to remove themselves, which is why we're using Safe
Mode w/Networking. Make sure the user is not using these
programs. I had a customer who was annoyed that I removed
his Alexa toolbar.
- Run the latest CWShredder, owned by Trend Micro for the
moment. Takes one minute, can help.
- OPTIONAL, only for severe infestations: Install and update
Ad-Aware. Scan and clean. Install and update Spybot, without
using their TeaTimer or active protection. Scan and clean.
- Run HijackThis and take out all suspicious-looking items,
looking them up on Google if needed to make sure they're
not legitimate programs.
- Reboot in normal mode and install Microsoft AntiSpyware,
update, scan, clean.
- Reboot and browse the Web for a couple minutes, going
to a few different sites, and see if you get repeated adware-style
popups still. If you do, go back to HijackThis and be more
heavy-handed; you probably missed something.
- While doing this, explain to the user how to avoid this
problem in the future. "Be very skeptical of free programs,
especially toolbars, search bars, shopping helpers, music
download programs, bargain finders, screensaver programs,
security applications, etc. Be wary of official-looking
security warnings." List the legit anti-virus and anti-spyware
programs and explain that for every legit one, there are
25 charlatans. "The same scumbags who put the spyware on
your computer in the first place are the ones trying to
sell you a bogus antivirus/anti-spyware program."
Some of the worst kinds of spyware regenerate themselves.
I've had to boot into Recovery Console to get rid of the root
.DLL file, which regenerates the adware. Most should show
up in HijackThis.
If the cause does not show up in HijackThis and none of the
free programs remove it, odds are it's one of the nastier
kinds that are not removable without digging deep and spending
too much time. I spend about one hour on spyware removal.
Back up data, format, reinstall if it's not removable in that
timeframe. What you want to avoid is spending three hours
trying to remove a particularly nasty bug buried deep in the
registry and then having to spend two to three hours backing
up data, formatting, reinstalling because it's buried too
deep.
Davidson, owner of ARX Computers just northwest of Chicago, Ill., squishes spyware for a living.
Handy Tools
Today's anti-spyware tools usually do a great job blocking the nasties,
and as such, you should have plenty of this software on hand (and installed!).
Here are a few of the tools Redmond readers enjoy.
John Richardson, it seems, has used them all. He applied HijackThis, Spybot S&D [Search & Destroy], Ad-Aware, Microsoft AntiSpyware and Bullet Proof Soft on a customer's PC infected with more than 20 different Trojans and numerous spyware infections. Richardson, an MCSE BCNTS and BCCTS who is owner of Austin, Texas-based computer support firm BrainWerkz, also singles out EWIDO as an important tool.
"This was a slow process (taking three-plus hours to complete) that ran exclusively under Safe Mode and worked wonders. As there were two separate accounts on the Windows XP Pro system, I made sure to run the apps under both profiles to catch any lurking bugs," he says.
A good rule of thumb is a layered approach, just as with firewalls, anti-virus, and anti-spam. IT Specialist Charles Olin has a set of tools he likes to use when combating threats. "I generally use three or more spyware removal tools: SpyBot Search & Destroy, Lavasoft's Ad-Aware Plus, and Trend Micro's Anti-Spyware. I also use avast! antivirus software, which also finds malicious spyware. The company also has what they call their BART CD (Bootable Antivirus & Recovery Tools CD)," explains Olin, who also suggests switching to the Firefox Web browser.
"It is so much easier to keep spyware from ever entering the box than cleaning it up afterward," says Systems Administrator Eric Wallace. He urges people to use Javacool's SpywareBlaster, which uses the ActiveX "kill bit" to lock-out known spyware programs. He also tells users to never log on as an Administrator unless installing software.
"It's not a panacea," he says, "but just these two steps will probably make a huge difference in anyone's spyware arrival. Prevention is the key!"
Wallace goes a few steps further. "I only browse with Firefox with AdBlock extension and Filterset.G, which prevents ads and spyware-type content from loading. Then I run a couple of other anti-spyware programs, including Lavasoft Ad-Aware and Spybot S&D, both of which have some preventive measures as well. And I'm looking into downgrading my IE and Firefox process privileges, since I'm usually logged in as an administrator -- and domain privileges -- when at work."
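The kill-bit mechanism SpywareBlaster relies on, as an added example that is not the tool's own code: Internet Explorer refuses to load an ActiveX control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The registry functions assume Windows and Python's standard winreg module; the flag and CLSID helpers run anywhere, and any CLSID passed to `set_kill_bit` is the caller's own choice.

```python
"""ActiveX kill-bit audit and set helper (added example; not SpywareBlaster's code).

IE consults HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
value "Compatibility Flags" (REG_DWORD). Bit 0x400 is the kill bit: a control with
it set will not load in the browser even if it is installed and otherwise scriptable.
"""
import re

KILL_BIT = 0x00000400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid):
    """Return the CLSID as IE stores it: upper case, wrapped in braces. Raises on junk."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def has_kill_bit(flags):
    """True if a Compatibility Flags value carries the kill bit."""
    return bool(flags & KILL_BIT)


def with_kill_bit(flags):
    """Compatibility Flags with the kill bit added and every other bit preserved."""
    return flags | KILL_BIT


def list_kill_bits():
    """Windows only: return the CLSIDs currently kill-bitted on this machine."""
    import winreg
    killed = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):    # [0] is the subkey count
            sub = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, sub) as subkey:
                    flags, _ = winreg.QueryValueEx(subkey, "Compatibility Flags")
            except OSError:
                continue                                  # subkey without the value
            if has_kill_bit(flags):
                killed.append(sub)
    return killed


def set_kill_bit(clsid):
    """Windows only, needs admin: kill-bit one control without clobbering other flags."""
    import winreg
    sub = COMPAT_KEY + "\\" + normalize_clsid(clsid)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, sub, 0,
                            winreg.KEY_READ | winreg.KEY_WRITE) as key:
        try:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except OSError:
            flags = 0                                     # value not present yet
        new_flags = with_kill_bit(flags)
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, new_flags)
    return new_flags


if __name__ == "__main__":
    # Audit only; pass a CLSID of your choosing to set_kill_bit() to block a control.
    for clsid in list_kill_bits():
        print("kill-bitted:", clsid)
```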
Bill H. has also been hit with spyware, though to be fair, Bill deflects the blame. "It was my wife who caused the trouble ... lots of tension followed, of course!" Bill used HiJackThis and posted the results to a Web forum on the TomCoyote Forums Web site. "There are some very generous souls who patrol these forums and look to help the novice, spyware-infected unfortunates."
Joanna Lovett, IT support manager with Cambridge Systematics Inc. in Cambridge, Mass., says that Zone Alarm can help as well. "I just upgraded my home computer to the latest version on Zone Alarm. It has a spyware detector and real-time protector that work pretty well. The spyware scanner found things that Ad-Aware missed on my computer," she says.
Anti-Spyware Not Yet Perfect
While most readers run one or several anti-spyware tools, they are not
a perfect solution. Stephen Nichols, IT analyst for International Truck and
Engine Corp., Engine and Foundry Division, says that spyware packages like Ad-Aware
often struggle to pull out spyware by the roots, in part because viruses and
other grayware keep restoring the spyware. The ability of some malware to cripple
virus scanner software complicates matters.
How can you clean out tough infections? Nichols plays a game of switcheroo with the malware. "I simply pop the case off the PC, plug in a hard drive of at least 4GB, make it the first bootable drive in the BIOS, and install a fresh copy of XP. After it comes up, I just need network drivers and then I can use Trend Housecall and download a fresh copy of Ad-Aware," Nichols explains. "I can get 99 percent of the junk off the system this way. After that I just remove the hard drive and voila, clean PC!"
Nichols takes the clean drive idea a step further, by preparing a BartPE boot disc with Ad-Aware and AVG Anti-Virus included. "I can just boot from CD to clean the hard drive," Nichols explains. "The only caveat with this is that I have to keep updating the patterns. I could pull it off the network or off of a floppy or flash stick. It will still be faster than cleaning the PC manually or popping the cover, and I will probably be able to update the pattern, even from an infected PC."
Spyware Silver Bullet?
A growing problem is malware that restores itself. Reader Greg Lara
says you can sometimes break the cycle with a bit of preparation and quick click-work.
"Once I've identified the executable file that needs to be deleted, I open the Task Manager and find it in the process list. In another adjacent Explorer window, I navigate to the file in question, highlight it, then press the Delete key. With the delete confirmation dialog box up, I move over to the task manager and end the process. Now I move the end process confirmation dialog box next to the file delete confirmation dialog, and in quick succession, click OK in the file dialog and then in the process dialog, usually with a combination of mouse click in one and the space bar in the other. With the timing just right, the file is deleted before the process can kick off again, and the cycle is broken," Lara says. "This won't work in every case, but it can jump start a cleaning session when the frustration level has reached a fever pitch."
Safe Mode, Safe Harbor
MCP Eric Hanner takes no chances with his clients' machines. "I have
taken the approach of blast 'em and see what comes back. If I have any indication
of an infestation, I start by booting into Safe Mode, update the files and run
Microsoft Anti-Spyware and Ad-Aware. While I'm in Safe Mode, I also run a virus
sweep. I have never had a case where I scanned later and I was still infected.
I'm not saying there aren't some files lingering somewhere, but they apparently
are not activated or are idle if they are there at all," Hanner says.
The Manual Approach
Mike Matteucci constantly sees spyware-infected PCs in his work with
PC-Network Services in Bakersfield, Calif. "As an end user, I hate spyware.
As a technician, I love spyware," he says.
Matteucci claims an over 90 percent success rate in removing spyware without having to wipe the drive. The cost, however, is time. "I advise my clients/customers that it is a minimum of three days for me to have their machine. I run my in-house anti-virus along with several free spyware utilities, plus use the Internet to trace the .EXEs and .DLLs that are causing the problems," he explains.
Matteucci offers some useful advice for PC users, including a switch to the Firefox or Netscape Web browsers, and setting up Windows Update so that it automatically kicks off in the morning, when the PC is most likely to be running, rather than at 3 a.m.
"Another thing I advise customers is to manually once a day use the Norton or McAfee auto update service for their anti-virus," writes Matteucci. "It seems that these companies -- if the update is not a major threat -- delay posting it on the scheduled update Web site for two to five days, and that's when you get hit."
Windows on Live CD: Solution or Illusion?
One reader would like to change the way that OSes, apps and data are intertwined.
"Just an idea that nobody seems to be doing anything about -- how about booting a
live CD of Windows, and using that as your boot volume. All data could be stored
on the local hard drive, but the OS and necessary apps would reside on the CD,
where they couldn't be harmed," suggests Dennis Barr, manager of Information Technology
for the Larkin Group Inc. in Kansas City, Mo.
It's not a bad idea. Many Linux distros are available in "live" versions, which
run entirely from a CD or DVD. The portability makes live distros a staple among
IT professionals who use Knoppix and other live Linux packages as a system rescue
and recovery platform. So, Barr asks, "if the penguinistos can do it with their
OS, why can't it be done with Microsoft's?"
More Information
Tips and Tricks from the Spyware Trenches
By Phillip Bell
I have some suggestions that may or may not help you. First, Norton and McAfee
are not worth their weight in salt for spyware and malware detection and/or
removal. I had used more than 30 different products (trial versions) to remove
an ActiveX script my wife had contracted during a Web site visit. She knew
as soon as she clicked on the link that she was in trouble. Within seconds there
were numerous Trojans, spyware, and malware tools installed on her machine.
Keep in mind, running on this machine were Lavasoft (Ad-Aware), Norton Internet
Security (with updated definitions for viruses and spyware), and the new beta
that Microsoft has bought from the spyware detection company Giant. I thought
I was fully protected against getting some electronic disease and realized that
virus tools are great for virus detection but not spyware. I am still pondering
on the reason Giant allowed this type of activity when it’s supposed to
prevent it. All of the files found were listed as files that would be removed
by all of the majors previously listed.
The second is the fact that it takes multiple pieces of software to remove
all traces of different spyware and malware software. These are my recommendations
after six days of research and trial and error attempting to remove these "Utilities:"
- Ewido Security is great at finding Trojans but nothing else.
- Spybot finds most spyware and most Trojans, but not all.
- Spy Sweeper found all of the remaining spyware and Trojans. I assume it would have found the same as Spybot but I am not willing to attempt a re-infection to test this theory.
- This is a useless link in my opinion but thought you might want to experience what software shouldn't do!
- The last suggestion is to put something in place that will prevent this
type of malicious software from being installed in the first place. This last
link will provide some great utilities for prevention and detection as
well. This is the best of the best freeware and shareware and there are a
couple of really decent utilities that will help you prevent a reoccurrence
of your scenario. I hope you find these utilities as effective and useful
as I have found them.
Phillip Bell is an IT pro with Tim A. Risley & Associates.