Reader Tips: Do Away with Spyware

Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.

We all know spyware is bad stuff; the real question is how to get rid of it. To find out, we went to the experts -- you, the Redmond reader. Dozens of you responded to our pleas. Here are the best bits of spyware removal advice, sprinkled with a healthy dose of anger and frustration.

Removing Aurora
Aurora is a nasty bit of adware/spyware that can be a real pain to root out. Redmond reader and IT Specialist Robert Butler knows. "I've discovered that Aurora changes the file names of the files it uses to re-infect the host. Aurora also apparently hijacks some legitimate running processes," Butler explains.

Butler has spent hours trying to clean Aurora out of systems. "I've found that one needs to boot in command prompt safe mode and delete the file c:\winnt\ceres.dll. The file will not delete in normal mode and will regenerate the software if not deleted. No anti-spyware software will delete the file either."

Aurora also seeds confusion, says Butler. "Aurora is part of a group from Direct Revenue that includes: ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and Search Assistant."

The confusion extends to Aurora Networks, a technology company that has nothing to do with the spyware, but finds itself mistaken for the malefactor. The firm has gone so far as to publish helpful updates and links for managing the Aurora spyware threat on its Web site.

That site includes a link to the Aurora authors' own removal tool. It would seem foolish to trust such a tool, but at least one reader, Scott Davidson, owner of ARX Computers, had good luck with the Aurora-built fix.

"In the effort to stay 'legal,' many spyware purveyors offer uninstall programs. They don't make it easy to find, but they're out there on a regular basis," says Davidson. "You may be leery of using it, but I figure this company has already had its way with this computer, so going back for more shouldn't do additional damage. The uninstall program for Aurora works like a charm. However, remember the best tool for fighting spyware in general is System Restore."

Matt Yeager also tried the Aurora removal tool, after seeing positive feedback on a number of forums. He says the tool removed the pernicious spyware.

"A malware company you can trust? I don't think so," Yeager writes. "A malware company that's worried about prosecution is probably more like it."

A Bloody Irish Answer

By Kevin Jordan

How can IT professionals hope to put an end to the malware scourge? Kevin Jordan, of Belfast, Northern Ireland, offers an idea.

"Here in Belfast we have a shop called B&Q and it's a hardware/home/garden improvement type of place. Now in there they sell nice, handy lengths of timber. Sand one end until it's rounded and provides a nice tight grip, allowing both hands to hold roughly four feet of 6x4. Find out from the local authorities who the onion is that wrote the spyware code. Go around to his/her (you never know) workplace or home using transport of your choice -- preferably low-budget airline or bus because you're already out the price of the lumber. Apply the said piece of timber several times to the body of the numpty who's responsible for causing this irritation. Before he/she loses consciousness, try to find out anything about his/her contacts and pass this info on to like-minded people you know.

Hopefully this will mitigate the cost of the timber and transport by spreading it about and eventually these people will give up their activities since it's hard to type with broken fingers.

Incidentally, in order to comply with health and safety legislation, it may be prudent to wear some form of protective gloves and visor, just in case some loose splinters are flying about."

Kevin Jordan is a presales IT consultant.

More Aurora Horror
Joey Heape ran into trouble after giving his 13-year-old children their own PC. The kids recently complained about slow performance, and Heape discovered the system was riddled with malware. Heape, who is director of media & technology for the South Carolina Bar, ran a host of free spyware killers, as well as Microsoft AntiSpyware, but to no avail.

"I learned about killing processes, HijackThis, etc. I tried CounterSpy (home version, I actually use the enterprise version at our office), Ad-Aware (I own a copy of this for my workstation), you name it, I tried it," Heape recounts. "Needless to say, I ended up reformatting."

Stuffing Surf Sidekick
Another tough customer is Surf Sidekick, which can seem impossible to dispose of. But for the patient and technically adept, there is a removal procedure that can help you. (Scroll down to More Information for a direct link to the procedure.) This heads-up comes courtesy of Ryan Carrier, ISA CCST III, and an IT pro at Fraser Papers Inc.

"My worst experience with spyware? How about spyware (or maybe it was a virus) that replaces the host file so you can't go to Microsoft, Symantec and other sites you need to remove it. If you repair the host file, it gets replaced again! Shuts down the browser when certain words are typed in Google (like 'virus,' 'spy,' etc.). And it disables Task Manager and any [other] program that looks like a task manager. I was eventually able to find one that wasn't recognized by the spyware," recalls Carrier.

"The fix ended up being a combination of spyware detection tools, a task manager not recognized by the virus, going into safe mode and a pinch of luck!" Carrier says.
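The hosts-file trick Carrier ran into is worth checking for explicitly, because a scan that cannot reach its update server looks like it simply found nothing. The script below is an added example, not code from the article or from Carrier: it parses hosts-file text, skips the one legitimate localhost entry, and flags any mapping for a domain in PROTECTED_DOMAINS, which is an illustrative list to adjust for your own vendors. SAMPLE_HOSTS is constructed, and 192.0.2.10 is a documentation address standing in for whatever an attacker would point the name at.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor sites.

Added example for this article; it is not code from the article or from any
reader quoted in it. SAMPLE_HOSTS is constructed, and PROTECTED_DOMAINS is an
illustrative list, not an authoritative one.
"""
import ipaddress

# Domains a cleanup session depends on (assumption: extend for your environment).
PROTECTED_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "lavasoft.com", "safer-networking.org",
}

# Constructed sample in the layout of a Windows XP hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         www.trendmicro.com
192.0.2.10      download.mcafee.com   # constructed: TEST-NET address standing in for an attacker's
10.0.0.5        intranet.example      # unrelated internal entry, should not be flagged
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and padding
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # one address may map several names
            yield line_no, fields[0], name.lower().rstrip(".")


def is_protected(hostname):
    """True if hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in PROTECTED_DOMAINS)


def find_hijacks(text):
    """Return [(line_no, ip, hostname, reason)] for entries that override DNS for a protected domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue  # the one entry a default hosts file legitimately contains
        if not is_protected(name):
            continue
        # Any hosts entry for a vendor domain wins over DNS, so the target hardly
        # matters: loopback and 0.0.0.0 block the site outright, anything else
        # sends the user somewhere the attacker chose.
        if addr.is_loopback or addr.is_unspecified:
            reason = "vendor site blocked (pinned to %s)" % ip
        else:
            reason = "vendor site redirected to %s" % ip
        findings.append((line_no, ip, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print("line %d: %-40s %s" % (line_no, name, reason))
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it from Safe Mode so the process that keeps rewriting it is not running. If your repaired copy is overwritten again after a reboot, something in the autostart list is restoring it, which is exactly why Carrier's fix needed a task manager the malware did not recognize before the hosts repair would stick.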

Prevention Through Privileges
Many spyware problems result from users running Windows with full administrative privileges, says reader Rick Lobrecht. He urges IT managers to set up accounts with normal user privileges. "Your spyware problems will disappear," he says.

Paul Witting is emphatic in his agreement. "DO NOT RUN WITH LOCAL ADMIN PRIVILEGES," he writes. "I know it's a pain, as way too much stuff still insists on having admin rights, but the difference this one little piece of preventative maintenance makes is night and day."

Witting describes his company as having to deal "with the most nefarious corners of the Internet day in and day out." And yet, none of its PCs have suffered an infection. He credits restricting administrative privileges for the difference.

The Microsoft Way
Microsoft offers a number of tools, including spyware blocker Windows Defender (formerly known as Microsoft AntiSpyware). It also has a new tool to protect computers used by more than one person, which reader Byron Hynes is a fan of. Hynes suggests downloading the Microsoft Shared Computer Toolkit for Windows XP.

The free software helps keep users from changing settings and installing software, and its Windows Disk Protection feature discards changes made to the system drive when the machine restarts. This tool is largely aimed at shared computers in public places such as waiting rooms and kiosks, but could be just the trick for the spyware sponges in your shop.

There's a similar third-party tool, as well, called Deep Freeze. "This tool allows users to make whatever mischief they can get away with, after which the admin can restore the original system state. Some labs have the systems automatically rolled back every night, to make sure everything will be working in the morning," says a senior systems engineer who asked not to be identified.

A Virtual Solution
Several readers suggested virtualization as a solution. "I use Virtual PC with undo on," says Dave Cline. He describes how "all changes to the virtual hard drive are dumped each time I reboot the machine," erasing infections from the previous session.

Reader J.D. Norman, who is CTO of PCS Enterprises Inc., says virtualization simplifies his life. "Turn on snapshots, and if there is a problem, roll back to a previous snapshot," he says. "Makes it easier to move the user to a different PC, too."

Charles Hodgkins uses what you might call manual virtualization to keep his kids' surfing from messing up his system. He describes two tricks: "One is to use a removable disk tray like those from Addonics. This way I keep a separate drive for the kids, which I can reformat as needed, and keep a drive for myself that I keep locked away from the kids. Another is once I get the machine set up the way I like, I create an image using Acronis True Image that I write onto several CDs or DVDs. That way, I can easily re-create a drive as required," Hodgkins explains.

"Of course, I also disable every service I can, as well as keep my computers behind a NAT router and enable software firewalls on all of them. This doesn't stop everything, but it helps."

Spyware Removal: The Unabridged Version

Here is my standard removal procedure, up-to-date as of the new year:

  1. System Restore -- ask how long the problem has occurred and whether the user made any major changes to the system since then. If it's a new problem surfacing in the last few days, roll it back two weeks. This fixes some of the nastiest problems cold. Explain that System Restore does not affect data like documents and music, but any programs installed in the last couple weeks will need to be reinstalled. This is an overlooked and very useful tool for all problems, not just spyware.
  2. Boot into Safe Mode w/Networking, go to Control Panel then Internet Options. Delete temporary Internet files, cookies and clear history. Set Internet zone security back to Default if it's on "Custom." Check "Trusted Sites" zone and make sure it's clear (sometimes spyware will add their sites to it). Check Cookies setting, make sure it's Medium, not "Accept all cookies."
  3. Uninstall all known spyware programs you see in Control Panel Add/Remove Programs. Sometimes they demand Internet access to remove themselves, which is why we're using Safe Mode w/Networking. Make sure the user is not using these programs. I had a customer who was annoyed that I removed his Alexa toolbar.
  4. Run the latest CWShredder, owned by Trend Micro for the moment. Takes one minute, can help.
  5. OPTIONAL, only for severe infestations: Install and update Ad-Aware. Scan and clean. Install and update Spybot, without using their TeaTimer or active protection. Scan and clean.
  6. Run HijackThis and take out all suspicious-looking items, looking them up on Google if needed to make sure they're not legitimate programs.
  7. Reboot in normal mode and install Microsoft AntiSpyware, update, scan, clean.
  8. Reboot and browse the Web for a couple minutes, going to a few different sites, and see if you get repeated adware-style popups still. If you do, go back to HijackThis and be more heavy-handed, you probably missed something.
  9. While doing this, explain to the user how to avoid this problem in the future. "Be very skeptical of free programs, especially toolbars, search bars, shopping helpers, music download programs, bargain finders, screensaver programs, security applications, etc. Be wary of official-looking security warnings." List the legit anti-virus and anti-spyware programs and explain that for every legit one, there are 25 charlatans. "The same scumbags who put the spyware on your computer in the first place are the ones trying to sell you a bogus antivirus/anti-spyware program."

Some of the worst kinds of spyware regenerate themselves. I've had to boot into Recovery Console to get rid of the root .DLL file, which regenerates the adware. Most should show up in HijackThis.

If the cause does not show up in HijackThis and none of the free programs remove it, odds are it's one of the nastier kinds that are not removable without digging deep and spending too much time. I spend about one hour on spyware removal. Back up data, format, reinstall if it's not removable in that timeframe. What you want to avoid is spending three hours trying to remove a particularly nasty bug buried deep in the registry and then having to spend two to three hours backing up data, formatting, reinstalling because it's buried too deep.

Davidson, owner of ARX Computers just northwest of Chicago, Ill., squishes spyware for a living.
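Step 6 of the procedure above comes down to reading a HijackThis log line by line and deciding what looks out of place. The script below is an added example, not the article's or HijackThis's own code: it applies a handful of the heuristics a technician uses (executables in temp directories, random-looking file names, unnamed browser helper objects, ActiveX downloads from unknown hosts, rundll32 autostarts) to a constructed log. The line formats are approximated from HijackThis output, every CLSID is a placeholder, TRUSTED_DPF_HOSTS is an assumption, and the only deny-listed file name is ceres.dll, which Butler identifies above as Aurora's re-infection DLL.

```python
"""Triage a HijackThis-style log with a few technician heuristics.

Added example for this article, not code from the article or from HijackThis.
Line formats are approximated from HijackThis output; SAMPLE_LOG is
constructed and its CLSIDs are placeholders.
"""
import re

# ceres.dll is the Aurora file Butler names in the article; treat the rest of
# this list as something you would fill from current intel (assumption).
KNOWN_BAD_FILES = {"ceres.dll"}
TEMP_MARKERS = ("\\temp\\", "\\local settings\\temp", "\\temporary internet files\\")
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "java.com", "sun.com")  # assumption

LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
# A drive-letter path ending in an executable extension; spaces allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|scr|cpl)\b", re.IGNORECASE)

SAMPLE_LOG = r"""Logfile of HijackThis
O2 - BHO: AcroIEHlprObj Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\mlxfqvr.dll
O4 - HKLM\..\Run: [ceres] rundll32.exe C:\WINNT\ceres.dll,Init
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [wupdt] C:\Documents and Settings\Kid\Local Settings\Temp\wupdt.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Java Runtime Environment) - http://java.sun.com/update/jinstall.cab
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Toolbar Installer) - http://ads.example.invalid/install/toolbar.cab
"""


def looks_random(filename):
    """Heuristic: a 6+ character stem with no vowels, or mostly digits."""
    stem = filename.rsplit(".", 1)[0].lower()
    vowels = sum(c in "aeiou" for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 6 and (vowels == 0 or digits > len(stem) // 2)


def trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def assess(line):
    """Return the list of reasons a log line deserves a second look (empty = passes these rules)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    lowered = body.lower()
    reasons = []
    for path in PATH_RE.findall(body):
        fname = path.rsplit("\\", 1)[-1].lower()
        if fname in KNOWN_BAD_FILES:
            reasons.append("known Aurora/Direct Revenue file %s" % fname)
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("executes from a temp directory")
        if looks_random(fname):
            reasons.append("random-looking file name %s" % fname)
    if code == "O2" and "(no name)" in lowered:
        reasons.append("browser helper object with no name")
    if code == "O16":
        url = re.search(r"https?://([^/\s]+)", body)
        if url and not trusted_host(url.group(1).lower()):
            reasons.append("ActiveX download from %s" % url.group(1))
    if code == "O4" and "rundll32" in lowered:
        reasons.append("rundll32 autostart loading a DLL")  # common adware loader pattern
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every line that tripped at least one rule."""
    out = []
    for line in log_text.splitlines():
        reasons = assess(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    -> " + reason)
```

Treat a hit as a prompt to look the item up, as the procedure says, not as a verdict: the Adobe helper object and the SoundMan autostart in the sample pass, while the unnamed BHO, the ceres.dll loader, the temp-directory executable and the unknown ActiveX download are the ones you would fix in HijackThis and then confirm gone after the reboot in step 8.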

Handy Tools
Today's anti-spyware tools usually do a great job blocking the nasties, and as such, you should have plenty of this software on hand (and installed!). Here are a few of the tools Redmond readers enjoy.

John Richardson, it seems, has used them all. He applied HijackThis, Spybot S&D [Search & Destroy], Ad-Aware, Microsoft AntiSpyware and Bullet Proof Soft on a customer's PC infected with more than 20 different Trojans and numerous spyware infections. Richardson, an MCSE BCNTS and BCCTS who is owner of Austin, Texas-based computer support firm BrainWerkz, also singles out EWIDO as an important tool.

"This was a slow process (taking three-plus hours to complete) that ran exclusively under Safe Mode and worked wonders. As there were two separate accounts on the Windows XP Pro system, I made sure to run the apps under both profiles to catch any lurking bugs," he says.

A good rule of thumb is a layered approach, just as with firewalls, anti-virus, and anti-spam. IT Specialist Charles Olin has a set of tools he likes to use when combating threats. "I generally use three or more spyware removal tools: SpyBot Search & Destroy, Lavasoft's Ad-Aware Plus, and Trend Micro's Anti-Spyware. I also use avast! antivirus software, which also finds malicious spyware. The company also has what they call their BART CD (Bootable Antivirus & Recovery Tools CD)," explains Olin, who also suggests switching to the Firefox Web browser.

"It is so much easier to keep spyware from ever entering the box than cleaning it up afterward," says Systems Administrator Eric Wallace. He urges people to use Javacool's SpywareBlaster, which sets the ActiveX "kill bit" on known spyware controls so that Internet Explorer refuses to load them. He also tells users to never log on as an Administrator unless installing software.

"It's not a panacea," he says, "but just these two steps will probably make a huge difference in anyone's spyware arrival. Prevention is the key!"

Wallace goes a few steps further. "I only browse with Firefox with AdBlock extension and Filterset.G, which prevents ads and spyware-type content from loading. Then I run a couple of other anti-spyware programs, including Lavasoft Ad-Aware and Spybot S&D, both of which have some preventive measures as well. And I'm looking into downgrading my IE and Firefox process privileges, since I'm usually logged in as an administrator -- and domain privileges -- when at work."
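The kill bit SpywareBlaster relies on is a plain registry setting: for each blocked control's CLSID, a DWORD value named Compatibility Flags of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, after which Internet Explorer will not instantiate that control even if it is installed. The Python below is an added example, not SpywareBlaster's code: it emits a .reg file for a list of CLSIDs, parses such a file back to confirm which CLSIDs carry the bit, and, on Windows only, can write the values directly. The CLSIDs in it are placeholders, not real control IDs.

```python
"""Generate and verify ActiveX kill-bit registry entries.

Added example for this article, not SpywareBlaster's or Microsoft's code.
The CLSIDs used here are placeholders.
"""
import re

KILLBIT_FLAG = 0x400  # "Compatibility Flags" bit that blocks a control in IE
KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def killbit_reg(clsids):
    """Return the text of a .reg file that sets the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError("not a CLSID: %r" % clsid)
        lines += [
            "[%s\\%s]" % (KEY_PREFIX, clsid),
            '"Compatibility Flags"=dword:%08x' % KILLBIT_FLAG,
            "",
        ]
    return "\r\n".join(lines)  # .reg files are CRLF-terminated


def killbitted(reg_text):
    """Parse a .reg export of the ActiveX Compatibility key; return the set of CLSIDs with the bit set."""
    result = set()
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.upper().startswith(KEY_PREFIX.upper() + "\\"):
                clsid = key.rsplit("\\", 1)[1].upper()
                if CLSID_RE.match(clsid):
                    current = clsid
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            value = int(line.split("dword:", 1)[1], 16)
            if value & KILLBIT_FLAG:  # other bits may be set too; only 0x400 matters here
                result.add(current)
    return result


def apply_killbits(clsids):
    """Write the kill bits directly (Windows only; needs administrative rights)."""
    import winreg  # imported here so the module still loads on other platforms
    for clsid in clsids:
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError("not a CLSID: %r" % clsid)
        subkey = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\" + clsid
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, KILLBIT_FLAG)


if __name__ == "__main__":
    # Placeholder CLSIDs; a real deployment would take the list from a vetted feed.
    demo = ["{11111111-2222-3333-4444-555555555555}"]
    text = killbit_reg(demo)
    print(text)
    print("kill-bitted:", sorted(killbitted(text)))
```

Import the generated file with regedit (or reg.exe import) as an administrator; the verification half is useful on its own for auditing a machine where you suspect a previously blocked control has been unblocked, since exporting the ActiveX Compatibility key and running it through killbitted shows exactly which CLSIDs are still covered.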

Bill H. has also been hit with spyware, though to be fair, Bill deflects the blame. "It was my wife who caused the trouble ... lots of tension followed, of course!" Bill used HiJackThis and posted the results to a Web forum on the TomCoyote Forums Web site. "There are some very generous souls who patrol these forums and look to help the novice, spyware-infected unfortunates."

Joanna Lovett, IT support manager with Cambridge Systematics Inc. in Cambridge, Mass., says that Zone Alarm can help as well. "I just upgraded my home computer to the latest version of Zone Alarm. It has a spyware detector and real-time protector that work pretty well. The spyware scanner found things that Ad-Aware missed on my computer," she says.

Anti-Spyware Not Yet Perfect
While most readers run one or several anti-spyware tools, they are not a perfect solution. Stephen Nichols, IT analyst for International Truck and Engine Corp., Engine and Foundry Division, says that anti-spyware packages like Ad-Aware often struggle to pull out spyware by the roots, in part because viruses and other grayware keep restoring the spyware. The ability of some malware to cripple virus scanners complicates matters.

How can you clean out tough infections? Nichols plays a game of switcheroo with the malware. "I simply pop the case off the PC, plug in a hard drive of at least 4GB, make it the first bootable drive in the BIOS, and install a fresh copy of XP. After it comes up, I just need network drivers and then I can use Trend Housecall and download a fresh copy of Ad-Aware," Nichols explains. "I can get 99 percent of the junk off the system this way. After that I just remove the hard drive and voila, clean PC!"

Nichols takes the clean drive idea a step further, by preparing a BartPE boot disc with Ad-Aware and AVG Anti-Virus included. "I can just boot from CD to clean the hard drive," Nichols explains. "The only caveat with this is that I have to keep updating the patterns. I could pull it off the network or off of a floppy or flash stick. It will still be faster than cleaning the PC manually or popping the cover, and I will probably be able to update the pattern, even from an infected PC."

Spyware Silver Bullet?
A growing problem is malware that restores itself. Reader Greg Lara says you can sometimes break the cycle with a bit of preparation and quick click-work.

"Once I've identified the executable file that needs to be deleted, I open the Task Manager and find it in the process list. In another adjacent Explorer window, I navigate to the file in question, highlight it, then press the Delete key. With the delete confirmation dialog box up, I move over to the task manager and end the process. Now I move the end process confirmation dialog box next to the file delete confirmation dialog, and in quick succession, click OK in the file dialog and then in the process dialog, usually with a combination of mouse click in one and the space bar in the other. With the timing just right, the file is deleted before the process can kick off again, and the cycle is broken," Lara says. "This won't work in every case, but it can jump start a cleaning session when the frustration level has reached a fever pitch."

Safe Mode, Safe Harbor
MCP Eric Hanner takes no chances with his clients' machines. "I have taken the approach of blast 'em and see what comes back. If I have any indication of an infestation, I start by booting into Safe Mode, update the files and run Microsoft Anti-Spyware and Ad-Aware. While I'm in Safe Mode, I also run a virus sweep. I have never had a case where I scanned later and I was still infected. I'm not saying there aren't some files lingering somewhere, but they apparently are not activated or are idle if they are there at all," Hanner says.

The Manual Approach
Mike Matteucci constantly sees spyware-infected PCs in his work with PC-Network Services in Bakersfield, Calif. "As an end user, I hate spyware. As a technician, I love spyware," he says.

Matteucci claims an over 90 percent success rate in removing spyware without having to wipe the drive. The cost, however, is time. "I advise my clients/customers that it is a minimum of three days for me to have their machine. I run my in-house anti-virus along with several free spyware utilities, plus use the Internet to trace the .EXEs and .DLLs that are causing the problems," he explains.

Matteucci offers some useful advice for PC users, including a switch to the Firefox or Netscape Web browsers, and setting up Windows Update so that it automatically kicks off in the morning, when the PC is most likely to be running, rather than at 3 a.m.

"Another thing I advise customers is to manually once a day use the Norton or McAfee auto update service for their anti-virus," writes Matteucci. "It seems that these companies -- if the update is not a major threat -- delay posting it on the scheduled update Web site for two to five days, and that's when you get hit."

Windows on Live CD: Solution or Illusion?
One reader would like to change the way that OSes, apps and data are intertwined. "Just an idea that nobody seems to be doing anything about -- how about booting a live CD of Windows, and using that as your boot volume. All data could be stored on the local hard drive, but the OS and necessary apps would reside on the CD, where they couldn't be harmed," suggests Dennis Barr, manager of Information Technology for the Larkin Group Inc. in Kansas City, Mo.

It's not a bad idea. Many Linux distros are available in "live" versions, which run entirely from a CD or DVD. The portability makes live distros a staple among IT professionals who use Knoppix and other live Linux packages as a system rescue and recovery platform. So, Barr asks, "if the penguinistos can do it with their OS, why can't it be done with Microsoft's?"

More Information

Tips and Tricks from the Spyware Trenches
By Phillip Bell

I have some suggestions that may or may not help you. First, Norton and McAfee are not worth their weight in salt for spyware and malware detection and/or removal. I had used more than 30 different products (trial versions) to remove an Active X script my wife had contracted during a Web site visit. She knew as soon as she clicked on the link that she was in trouble. Within seconds there were numerous Trojans, spyware, and malware tools installed on her machine.

Keep in mind, running on this machine were Lavasoft (Ad-Aware), Norton Internet Security (with updated definitions for viruses and spyware), and the new beta that Microsoft has bought from the spyware detection company Giant. I thought I was fully protected against getting some electronic disease and realized that virus tools are great for virus detection but not spyware. I am still pondering on the reason Giant allowed this type of activity when it’s supposed to prevent it. All of the files found were listed as files that would be removed by all of the majors previously listed.

The second is the fact that it takes multiple pieces of software to remove all traces of different spyware and malware software. These are my recommendations after six days of research and trial and error attempting to remove these "Utilities":

  • Ewido Security is great at finding Trojans but nothing else.
  • Spybot finds most spyware and most Trojans, but not all.
  • Spy Sweeper found all of the remaining spyware and Trojans. I assume it would have found the same as Spybot but I am not willing to attempt a re-infection to test this theory.
  • This is a useless link in my opinion but thought you might want to experience what software shouldn’t do!
  • The last suggestion is to put something in place that will prevent this type of malicious software from being installed in the first place. This last link will provide some great utilities for prevention and detection as well. This is the best of the best freeware and shareware and there are a couple of really decent utilities that will help you prevent a reoccurrence of your scenario. I hope you find these utilities as effective and useful as I have found them.

Phillip Bell is an IT pro with Tim A. Risley & Associates.
