Guides: Spyware Help & FAQ

When people talk about “spyware”, most of the time they’re talking about a whole range of malicious software, and not just software that actually spies on you. They usually mean anything that’s installed on your PC without your knowledge or permission, and which has unwanted effects. The technical term for most of these things is usually “browser parasites”, since most of them interact with Internet Explorer in some way, but in this document I’m going to call them by the catch-all term malware.

I’m going to steal a description of browser parasites from the excellent Doxdesk.com parasites page, which is one of the best references currently available on the topic. It’s recommended reading, after this document.

“Parasite” is a shorthand term for unsolicited commercial software — that is, a program that gets installed on your computer which you never asked for, and which does something you probably don’t want it to, for someone else’s profit.

The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:

  • plague you with unwanted advertising (“adware”);
  • watch everything you do on-line and send information back to marketing companies (“spyware”);
  • add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called “scumware”);
  • set browser home page and search settings to point to the makers’ sites (generally loaded with advertising), and prevent you changing it back (“homepage hijackers”);
  • make your modem (analogue or ISDN) call premium-rate phone numbers (“dialers”);
  • leave security holes allowing the makers of the software (or, in particularly bad cases, anyone at all) to download and run software on your machine;
  • degrade system performance and cause errors thanks to being badly-written;
  • provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove

I’m not going to be talking about actual viruses here, or traditional “trojan horse” backdoor packages. That sort of thing is adequately handled by existing anti-virus software. However, some of the automated anti-malware tools will also find and remove certain viruses and trojan horses, if present.

Also note that we’re only talking about Windows here. Malware is not currently a problem for either the Mac or Linux/FreeBSD users, mainly because nobody bothers to write any of this crap for those platforms. If you’re not on a Windows PC, none of this applies to you.

Step 1: How did this get on my computer in the first place?

There are basically two “vectors” for malware to get onto your PC: piggybacking on other applications, and “drive-by” installs through Internet Explorer.

Piggybacking and Bundling

There are two kinds of “ad-supported” applications. The benign kind has an advertising system built into itself, that shows you advertising while the application is running, and which has no effect on the system when the application is not. The banner ads in the unregistered versions of Eudora and Opera fall into this category.

The other kind of ad-supported application installs a separate advertising system onto your computer, that runs all the time whether the ad-supported application is running or not. These advertising systems have names like CyDoor, Gator (who have renamed themselves “Claria” to hide their tracks), TopText, etc. Sometimes the application will warn you about the bundled advertising system, sometimes they will not. Sometimes uninstalling the application will get rid of the bundled advertising system, usually it will not.

These advertising systems will show pop-up ads, sometimes when you’re not even browsing. Some of them will change the banner ads or links on web pages. Often, they are self-updating, and will sometimes install other advertising systems, or alter your system’s security settings to allow for easier drive-by installs. (See below.) They are classic browser parasites.

Common piggyback sources of advertising malware are most popular file-sharing applications that aren’t open-source (including Kazaa, iMesh, LimeWire, Morpheus, WinMX, Xolox, Grokster, and others), the free version of DivX Pro (which installs Gator), GoZilla (which has a veritable raft of crap), InternetWasher (ditto), and many “free” applications found on sites like download.com.

Most add-on toolbars for Internet Explorer are malware sources. This includes (but is not limited to) MySearchBar, DashBar, Xupiter, HotBar, UCMore, and many others. The Google and Yahoo toolbars are safe.

There is another class of application which might be considered “ad-supported”, if there was any functionality other than the advertising. Things like DownloadWare/NetworkEssentials, Comet Cursor, Bonzi Buddy, the Gator/GAIN “applications” (DashBar, PrecisionTime, DateManager, and eWallet), Internet Optimizer, and the infamous eAcceleration package (including “Stop Sign”) are like this. They masquerade as useful applications, but provide no substantial functionality and are merely a ruse to get their advertising software onto your computer.

The latest and most dangerous trend is “anti-spyware” software that’s actually just another source of malware. For example, Google searches for some of the common anti-malware software packages will turn up “sponsored links” (in other words, advertisements) for malicious software, linked to those keywords. This document will cover the packages that are known to be safe, and the ones that are known to be dangerous.

To sum up: pay attention to what you’re downloading and installing. If it’s free, there may be a reason for that.

AOL Instant Messenger v5.5.x

The most recent version of AIM (5.5.3591) will optionally install two pieces of software which are flagged by many spyware scanners (Weatherbug and WildTangent) and will stealthily install another (Viewpoint Media Player).

The WildTangent package is optionally installed to support the “AIM Games” site, and the Viewpoint package is automatically installed to drive AIM’s advertising systems (since the Viewpoint player allows for full-screen movies and 3D effects outside of the controlling application). Both of these packages are flagged by anti-spyware software because they have very poor privacy policies, and are known to collect the hardware information of their users.

The Weatherbug software is known to be adware when installed separately. It is not known if the AOL-customized version that comes with AIM v5.5.x is also adware, or whether it relies on the advertising systems built into AIM.

AIM functions normally if you don’t install with the Wild Tangent or Weatherbug packages, and uninstalling the Viewpoint Media Player from the Add/Remove Programs section of the Control Panel will not affect its operation either. AIM will not reinstall those items unless it is upgraded. The old v4.8 of AIM (which does not have these extra packages) can be downloaded here for the time being, for those who don’t want to deal with the issue at all.

Drive-By Installs

The second (and harder to deal with) method for acquiring malware is through “drive-by” software installs in Internet Explorer. IE supports a technology called “ActiveX”, which allows website creators to embed small programs in their sites (called “ActiveX controls”), which can then call larger programs (such as software installers). Theoretically, there are safeguards to prevent unauthorized code from being run on your machine when you visit a website; you should normally see a dialog box asking you if you want to install and run a given ActiveX control. When this technology is used correctly, it lets you install software like Macromedia Flash or Apple QuickTime from a website without having to download a separate installer. It’s also the technology that drives Windows Update.

Unfortunately, there are problems with the implementation of ActiveX. The problems boil down to this:

  • Security holes in some versions of Internet Explorer that can be exploited by malicious website creators to install ActiveX controls without prompting
  • One malicious application can change the security settings on Internet Explorer so that all ActiveX controls (including malware) can auto-install without prompting
  • Deceptive popups can lead uninformed users to install malicious applications, believing them to be important system updates, or software required to view a site

This means that a system with either an out-of-date version of Internet Explorer, or with incorrect security settings, can be infected with a huge amount of malware just by visiting a single website. And even a correctly-configured and up-to-date system can be infected if a user makes a single incorrect choice on the wrong website.

In addition to the problems with ActiveX, there are also many other security holes in Internet Explorer that can be exploited to install malware. These include bugs in IE’s handling of MIME types, in the Microsoft Java implementation, and in Microsoft’s scripting languages. Many of these security holes have not been fixed, even in the most current versions of Internet Explorer. Exploits using these bugs are much rarer than ActiveX exploits, and are often only usable in specific circumstances, but are still a problem.

There are also sites that try a very simple trick: they begin an automatic download of an installer (usually an EXE file), in the hopes that the user will either instinctively or accidentally hit “Open” instead of “Cancel”. If the user hits “Save”, then they’ll have the installer sitting on their desktop or in their download directory, and they might accidentally run it later. This kind of attack isn’t limited to Internet Explorer, and the only real defense against this sort of thing is to watch out for it.

Later in this document, I’ll talk about ways to try to avoid these issues, either by configuring Internet Explorer to be somewhat more secure, or by switching to a browser that doesn’t have these problems.

Step 2: The automated tools

Preparation for cleanup

Before you run any automated malware removal tool, you should first uninstall any of the malware sources that you’ve identified. Software like DivX Pro, Kazaa, and the like won’t work after you remove their “ad-supported” components anyway. You should uninstall them using Add/Remove Programs in the Control Panel.

You should also uninstall any of the malware that gives you the option to in Add/Remove Programs. In many cases, the uninstall will not be complete, but the automated tools will clean up the pieces, and you won’t end up with phantom entries in your Add/Remove Programs list. Some of these items will have multiple uninstall steps (like MediaLoads), where a new item appears in Add/Remove after you uninstall the first one. Items to remove this way include but are not limited to:

  • Active Alert
  • B3D Projector
  • BackWeb
  • ClickTheButton
  • CometCursor
  • CommonName
  • DownloadWare
  • eAnthology/eAcceleration
  • eXact Search
  • Ebates Moe Money Maker
  • Flingstone Bridge
  • GoHip
  • HotBar
  • HuntBar
  • IEDriver
  • IEPlugin
  • Internet Optimizer
  • Interstitial Ad Delivery by n-CASE
  • IPInsight
  • MediaLoads
  • MySearchBar
  • NetworkEssentials
  • New.net
  • NewtonKnows
  • PAD Lookups by n-CASE
  • SaveNow
  • SubSearch
  • TopText
  • WeatherCast
  • WhenUSearch
  • Win32 BI Application
  • Xupiter

There are countless other pieces of malware that will show up in the Add/Remove Programs with seemingly innocent names. If you’re not sure what it is, then it’s usually safe to let the automated tools take care of it.

It is not recommended that you remove “BackWeb” from HP or Compaq machines that came pre-loaded with Windows, as it is part of HP/Compaq’s automatic software update system. Similarly, “IPInsight” is used by SBC Yahoo’s software.

The automated tools will also run much, much quicker if you empty the Internet Explorer cache and delete your cookies. From the Control Panel, go to the Internet Properties and click on Delete Cookies and Delete Files.

Running the tools

There are four automated malware removal tools that are recommended. The first two tools you should run are CWShredder and Kill2Me. These tools are designed solely to remove variants of the CoolWebSearch and Look2Me varieties of adware, but they do a very good job of it and they are very small downloads. CWS and L2M are also very common pieces of malware, and are often difficult for more general-purpose tools to remove completely, so they’re a good thing to run first. Running CWShredder and Kill2Me is extremely straightforward and will not be covered in detail here; just make sure you’re running the latest versions, since they are constantly updated, and make sure that all of your Explorer and Internet Explorer windows are closed when you run them, or else they may not be able to fix everything.

You can download CWShredder and Kill2Me from the creator’s website; if you’re being blocked by a piece of malware, here is a personal mirror of both programs maintained by the FAQ author. (Please only use this mirror if absolutely required.) They’re both EXE files that require no installation, although they need some Visual Basic 6 libraries which should already be present on all modern Windows machines. (If by some chance you don’t have them, you can download them here.)

The two other tools are SpyBot and AdAware. These are general-purpose tools designed to scan for and remove a wide variety of malicious software (including spyware, adware, dialers, and other garbage). SpyBot is generally more powerful and more aggressive, but AdAware is easier to use. Both are good products, and can co-exist on a computer without problems (although AdAware may occasionally find items in SpyBot’s quarantine). Sometimes, when one tool fails to remove all the malware on a system, the other tool will finish the job.

SpyBot’s homepage is http://www.spybot.info and the latest version as of this writing is v1.3 (which just came out). It is freeware.

AdAware’s homepage is http://www.lavasoftusa.com and the latest version as of this writing is v6.181. The “Personal” version is free for use, and has full scanning and cleaning functionality; the paid-for versions have more features, such as “inoculation” (which we’ll talk about later) and extra customizability.

When running either tool, it is essential that they be updated to include the latest patches and scanning databases. Like anti-virus software, these tools can only scan for malware that they know how to identify. Updating AdAware is easy: click on the “Check for Updates” link when you first start it and then the “Connect” button. To update SpyBot, click on the Update button in the left-hand column. Then click on “Search for Updates”, check the updates you want (which should be all of them), select an appropriate mirror from the list (which defaults to Europe), and click on “download updates”. SpyBot may then restart, depending on what updates were retrieved.

To scan with SpyBot, click on the “Search and Destroy” button in the left-hand column, and then the “Check for Problems” button on the bottom. To scan with AdAware, click the “Start” button and follow the instructions. Once either application is finished scanning, it will present a checklist of items that it has found.

Here’s a vastly incomplete list of stuff that it is always safe to let SpyBot or AdAware kill, in addition to anything you already tried to uninstall via Add/Remove Programs:

  • Aureate
  • CoolWebSearch
  • Cydoor
  • FreeScratchAndWin
  • Gator/GAIN
  • GonnaSearch
  • Investigator
  • Lop.com (aka C2.Lop)
  • PerfectNav
  • VX2 (and all variants)

There’s one thing that you should watch out for that both SpyBot and AdAware will catch, and that’s C_Dilla. C_Dilla (aka “CD Secure”) is a copy-protection tool (created by Macrovision) used by a wide variety of software, including 3DSMax, that has an unfortunate tendency to “phone home”. It would be great if one could get rid of it, but doing so will make the software that uses it stop working. Unless you’re very sure that you don’t need it anymore, don’t let SpyBot or AdAware remove C_Dilla from your system, since it was probably installed by something legitimate.

You should also avoid removing Backweb or IPInsight under certain circumstances, as mentioned above.

Once you’re comfortable with the checklist of items, you can tell SpyBot or AdAware to fix them. Make sure that all of your Explorer and Internet Explorer windows are closed when you do this, or else it may not be able to fix everything. If there is something that they cannot delete, they will ask to run again after you reboot. You can either choose to write down the items that it was unable to delete and delete them yourself after you reboot the system, or let the application do it for you (which will mean letting it re-scan the system again).

Both tools save a copy of everything fixed; AdAware calls this a “Quarantine”, SpyBot calls it “Recovery”. If problems show up after you reboot the system, you can undo the changes that were made and try again with a different list.

If the automated tools are all crashing as soon as they start, then you’ve got CoolWWWSearch.SmartKiller, a particularly ugly version of CWS which attempts to stop SpyBot, AdAware, and CWShredder from running. An updated version of CWShredder should be able to take care of it, if you run it more than once. Otherwise, grab delcwssk.zip from the SpyBot folks and use it.

The other available tools

The other anti-malware tools fall into two categories: merely not as good as SpyBot and AdAware, or actual frauds.

  • Spyware Blaster is not a scanner, but a “vaccine” tool. We’ll cover it later.
  • Bazooka Adware and Spyware Scanner is legitimate software, and freeware. It has an extensive database of threats, and is extremely fast. However, it has no removal capabilities; it is purely a scanner. Any malware it finds must be removed by hand. Because of this, it is only recommended for advanced users, when the automated tools have failed.
  • SpyRemover, SpySweeper, and SpywareEliminator are legitimate but mediocre software packages that are also commercial. No reason to consider them.
  • SpyKiller, XoftSpy, SpyCatcher, SpyGuard, Spyware Nuker, SpyHunter, Warnet, Virtual Bouncer, AdProtector, Spyware Remover (from BulletproofSoft), SpyFerret, SpyGone, Stop-Sign, SpyBan, and SpyAssault are all either of very dubious quality or known malware sources themselves. Stay away.
    Note that searching on Google and other search engines for terms like “Spyware” will find a number of these fraudulent products, both in search engine hits and in “sponsored links” (i.e. advertisements). There’s probably a few examples in the Google AdWords to the right, since filtering them out is next to impossible.

Step 3: When the automated tools haven’t gotten everything

Unfortunately, the automated tools can only detect and remove malware that they know exists. And since malware is a money-making business, there’s new stuff appearing every day. So sometimes, the automated tools can’t clean everything off a system. That’s where HijackThis comes in.

HijackThis isn’t an automated scanner like SpyBot or AdAware. It’s a system editor, from the creator of CWShredder. It’s kind of like MSConfig or RegEdit, only specifically for finding browser parasites and spyware-related garbage. It shows you everything browser-related on your system, good or bad, and it’s up to you to decide what’s harmful and what’s benign. It also makes backups of everything it changes, and can create a text logfile for analysis by others.

In the hands of an expert, it’s an amazing tool. In the hands of a novice, it’s less than useful, it’s dangerous. So unless you’re very, very sure of yourself, never make any changes in HijackThis without consulting others first.

You can download HijackThis either from the creator’s website or from this direct link if a piece of malware is blocking you. It’s an EXE file that requires no installation, although it needs some Visual Basic 6 libraries which should already be present on all modern Windows machines. (If by some chance you don’t have them, you can download them here.) It will write its logfiles and backups to the same directory it’s run from, so it’s recommended that you put it in its own subdirectory.

Instead of trying to fix things yourself with HijackThis, it’s recommended that you send the logfile to me at lori[at]zenfulcreations.com.

Step 4: Problems related to removing malware

Most of the time, malware can be cleaned off a system without side effects. But sometimes there are lingering issues, even after the malicious software has been removed.

Startup errors

If a program file is removed, but the startup entry for it is left in the registry, then an error will occur when the PC is restarted. An error involving “CMD32.EXE” is not uncommon after cleaning up a heavily-infested machine. These startup entries for nonexistent programs can be found and removed using HijackThis.
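The leftover-startup-entry check described above, as an added PowerShell example that is not part of the original guide. It only reads the standard Windows Run and RunOnce keys (these key paths and the function names are assumptions of this example, not taken from the guide) and lists entries whose target program no longer exists.

```powershell
# Added example (not from the original guide): read-only audit of Run keys.
# It lists startup entries whose target program is missing on disk.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupTarget {
    # Extract the program path from a startup command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    # Quoted path: "C:\Program Files\App\app.exe" -flag
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: stop at the first executable extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($cmd -split '\s+')[0]
}

function Test-StartupTarget {
    # True when the target exists as a file or can be resolved through PATH.
    param([string]$Target)
    try {
        if ([IO.Path]::IsPathRooted($Target)) {
            return (Test-Path -LiteralPath $Target -PathType Leaf)
        }
    } catch { return $false }   # illegal path characters count as missing
    # Bare names such as "rundll32.exe" are resolved through PATH
    return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
}

function Get-StartupEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $target = Get-StartupTarget -CommandLine $command
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Target  = $target
                Missing = -not (Test-StartupTarget -Target $target)
                Command = $command
            }
        }
    }
}

# Constructed sample values (not from a real machine) to show the parsing.
# Limitation: for rundll32 entries only rundll32.exe is checked, not the DLL.
'"C:\Program Files\Example App\tray.exe" -minimized',
'C:\WINDOWS\System32\CMD32.EXE /s',
'rundll32.exe C:\WINDOWS\example.dll,Start' |
    ForEach-Object { Get-StartupTarget -CommandLine $_ }

# Live audit: show only the entries that point at a missing program.
Get-StartupEntry | Where-Object Missing | Format-List Key, Name, Target, Command
```

The script changes nothing; entries it reports can then be removed with HijackThis as described above.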

Missing system files

Some particularly nasty pieces of malware will actually overwrite minor system files in order to keep themselves on your PC. The author of CWShredder has a list of files that versions of the CoolWebSearch malware software may damage, along with backup copies and instructions for replacing them. You can also replace these files with their original versions from the Windows installation CDs.

Damaged Winsock

The “Winsock” is the Windows networking system for TCP/IP, the Internet protocol. The design of the Winsock allows legitimate add-on software to plug itself into the system, in order to add or change network functionality. These “Winsock plugins” are called “LSPs”. Unfortunately, this means that malicious software can plug itself into the Winsock as well.

Early versions of AdAware and SpyBot would sometimes damage the Winsock when removing malicious LSPs. Current versions are not known to have this problem, as great care is being taken to avoid it. If it appears that your Windows networking has been damaged by the removal of a piece of malware, the LSP-Fix site at CEXX.org has a discussion of the issue and a piece of software that may fix the problem. However, in some cases, the only way to fix a truly broken network system in Windows XP is to reinstall the OS.

Step 5: How can I not get this junk again?

Be careful what you download

As mentioned before, the most important thing is to pay attention to what you download. Whether it’s through a site like download.com, a standalone website, or a file sharing application, unless you know exactly who wrote this application and what it contains, you might be getting more than you bargained for. Open-source applications are almost always safe, but there have been exceptions. (There’s at least one company that took the open-source Gnucleus, ran a search-and-replace on the name, and added malware to the installer. The actual modified application was still GPL, but the installer was full of crud.)

Here are some safe alternatives to malware-laden applications:

  • Instead of using DivX Pro, use XVid for encoding videos, and the DefilerPak for decoding.
  • Instead of Kazaa and other commercial file-sharing applications, try DC++, Gnucleus, or BitTorrent.
  • Instead of GoZilla or DownloadWare, try GetRight or wget.
  • You probably don’t need any other toolbar for IE other than the Google Toolbar, with integrated Google search and popup blocking.
  • Instead of the dozens of malware-filled MP3 encoders on download.com, get CDex or Exact Audio Copy.
  • Instead of WeatherBug (which is adware), try WeatherWatcher.

Harden your browser

There are two ways to do this. The first way is the quickest and the most effective: switch to an alternative browser that doesn’t support auto-installs of malicious software at all. Browsers in that category include Mozilla, Firefox, or Opera. (Debate as to which browser is “better” rages constantly; try them all out and pick which one you prefer.) The browsers MyIE2, Crazy Browser, and Avant Browser are just shells on top of Internet Explorer, and inherit the same malware problems that IE has. They may provide new functionality, but do not solve the basic problems with ActiveX.

If you don’t want to switch browsers, then you can attempt to harden Internet Explorer. (These same tips apply to MyIE2 and Avant Browser.) This is more complicated, and is not ever going to be 100% reliable, since there are many security holes in Internet Explorer that have not yet been fixed by Microsoft. The steps, in order of importance:

  • First, make sure that you are running the latest version of IE. If you are running Windows XP, installing XP Service Pack 1 will bring IE up to version 6SP1. For any other version of Windows, you can download and install IE6SP1 separately.
  • Make sure you have everything from “Critical Updates and Service Packs” installed from Windows Update. When they say “critical”, they are not kidding.
  • Turn off ActiveX downloading for the Internet zone

This will stop a huge amount of malware dead in its tracks. The next step is to go to the Trusted Sites zone and reset it to “Medium” security (it defaults to “Low”). Then you add microsoft.com to the list of trusted sites to make Windows Update continue to work; you can then add sites like macromedia.com (for Flash updates), apple.com (for QuickTime updates), and yahoo.com (for games and chat) at your discretion.

Turning off ActiveX downloading for the Internet zone only prevents new software from being downloaded; it does not prevent existing plugins from working. For example, it won’t prevent the Flash plugin from working on a site in the Internet zone, but it will prevent the Flash plugin from installing, unless macromedia.com has been added to the trusted sites list.

  • Install the Sun Java Runtime, and have it be the default Java VM instead of the Microsoft one. Sun’s Java implementation is much more secure than Microsoft’s. Java exploits are rare, and some versions of Windows XP don’t have the Microsoft JVM at all, but it never hurts to be safe.
  • Use an “inoculation” or “vaccination” tool, which acts much like a real-time virus scanner. SpyBot has one of these built into it, called “Immunize”. There’s also the popular Spyware Blaster tool, which does largely the same thing. The commercial version of AdAware has an inoculation feature as well. These tools can occasionally block legitimate software from working, however, and like scanners they can only catch malware which they know how to recognize.
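To verify the zone settings from the steps above (ActiveX downloading off for the Internet zone, Trusted Sites at “Medium”, a short trusted-sites list), here is an added read-only PowerShell example that is not part of the original guide. The registry locations, the action numbers 1001/1004 and the level codes are the standard Internet Explorer per-user zone settings and are not given in the guide; the function names are assumptions of this example.

```powershell
# Added example (not from the original guide): read-only check of the
# per-user Internet Explorer zone settings. Settings forced through
# Group Policy live elsewhere and are not inspected here.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers: 2 = Trusted sites, 3 = Internet.
# Action values: 0 = enable, 1 = prompt, 3 = disable.
$actionText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$downloadActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
# Security level codes stored in CurrentLevel (0 means a custom level).
$levelText = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    $p = Get-ItemProperty -Path (Join-Path $zonesRoot $Zone) -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return $p.$Name }
    return $null
}

function Get-ZoneReport {
    # Internet zone: both ActiveX download actions should be disabled.
    foreach ($id in $downloadActions.Keys) {
        $v = Get-ZoneValue -Zone 3 -Name $id
        $current = 'not set'
        if ($null -ne $v) {
            $current = $actionText[[int]$v]
            if ($null -eq $current) { $current = "raw value $v" }
        }
        [pscustomobject]@{ Zone = 'Internet'; Setting = $downloadActions[$id]
                           Current = $current; Ok = ($v -eq 3) }
    }
    # Trusted sites zone: the guide asks for Medium instead of the default Low.
    $level = Get-ZoneValue -Zone 2 -Name 'CurrentLevel'
    $current = 'not set'
    if ($null -ne $level) {
        $current = $levelText[[int]$level]
        if ($null -eq $current) { $current = 'Custom (review by hand)' }
    }
    [pscustomobject]@{ Zone = 'Trusted sites'; Setting = 'Security level'
                       Current = $current; Ok = ($null -ne $level -and $level -ge 0x11000) }
}

function Get-TrustedSites {
    # Sites are stored as ...\Domains\<domain>[\<host>] with one value per
    # scheme (http, https, *) whose data is the zone number.
    if (-not (Test-Path -Path $zoneMap)) { return }
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                [string[]]$parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
                [array]::Reverse($parts)      # domain\host becomes host.domain
                [pscustomobject]@{ Site = ($parts -join '.'); Scheme = $scheme }
            }
        }
    }
}

Get-ZoneReport | Format-Table -AutoSize
# Anything listed here gets the relaxed Trusted Sites rules; malware that
# alters security settings may have added entries of its own.
Get-TrustedSites | Sort-Object Site | Format-Table -AutoSize
```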

If you choose to keep using Internet Explorer, it is recommended that you run SpyBot, AdAware, or both scanners at least once a week, because no current solution is going to give perfect immunity to the malware problem. Always make sure that your scanners are up-to-date (as outlined earlier) before running them, as new malware databases are released on a weekly basis, and sometimes even more frequently.

Step 6: What can I do to help?

Donate

The free anti-malware tools are supported by donations. You can donate to SpyBot, or donate to Merijn (the author of CWShredder and HijackThis).

Purchase

LavaSoft’s AdAware is free, but it’s the commercial versions, AdAware Plus and AdAware Professional, that keep them in business. If you want to contribute to them, buy the commercial version, even if you don’t need any of the extra features it offers.

Send a word

Some of us don’t want or need donations. We’d just like a note now and then, letting us know that our work is doing some good.

Redistribution

The permanent URL of this document is:
http://www.io.com/~cwagner/spyware.html

This version has been adapted for use by Zenful Creations. Thank you to Christian Wagner (cwagner@io.com) who owns the copyright © 2004 for this article.