Dealing with Spyware
Almost daily I have people telling me about their ailing home computers. The common complaints I hear are: running slowly, pop-up ads, strange error messages, and system lockups. Maybe you have had this same experience.
This problem is definitely not limited to home users. Many businesses are now also plagued by the spyware epidemic.
I started to see the spyware problem rear its ugly head about two years ago. Infected computers were so slow that they were almost unusable, as all of the system resources were used up by these naughty programs. These programs are designed to run in the background to track your movements, give you advertisements, and sometimes even disguise themselves as helpful programs like browser search bars.
Rather than discuss what exactly spyware is and how it gets onto computers, I am going to cut to the chase and tell you my approach for removing this software from infected computers.
IMPORTANT NOTE: This software is becoming increasingly sophisticated and more difficult to detect and remove. The ONLY way to be certain that your computer is clean is to rebuild it from scratch. Yes, that means back up your data, format the drive, reload your OS and application software from original media, and restore your data (data files only; do not restore programs from the backup, since that is how the infection comes back). If you work for a company where the security of your data is vital, I recommend that you develop an organized imaging program using a product like Symantec Ghost. I use this and it saves me an incredible amount of time.
With that caveat out of the way the following procedure may produce some good results.
- Perform a virus scan using current definitions
- Perform a spyware scan
- Use a utility to see what is still running in memory
- Perform a rootkit scan
- Lock down the computer once everything is clean. (This is really important if you want to keep your machine clean.)
- Educate yourself and your users.
Use a spyware cleaning utility -- My favorite is Spybot Search & Destroy because it seems to work well and it is free. Install the software and use it to scan and clean your computer. (Remember to update and scan frequently.) Spybot also includes an optional memory-resident utility that monitors registry changes and alerts you if any program attempts to modify your system. You can then decide to allow or deny the change. This is very useful if you are running a computer that is not locked down. (Note: there are many other spyware removal utilities that you can pay for; however, the free utilities seem to be on par with many of the commercial versions, so I recommend that you save your money.) Honorable mention should go to the spyware scanner Ad-Aware (free for personal use). Lastly, another good resource for performing a virus and spyware scan is called HouseCall. This is a free online service provided by Trend Micro.
After you clean your computer with one of the above-mentioned utilities you should reboot and run the scan again. Some spyware applications hide components designed to reinfect the host computer upon reboot if the main application is removed, so a scan that comes back clean the second time means more than the first.
Use a utility that shows all programs running in memory -- I have run across several of these utilities and my favorite is a program called Autoruns from Sysinternals which, by the way, is also free. This little gem lists every program configured to start automatically on your computer and lets you turn entries on and off, run a Google search on any you don't recognize, and completely remove the registry entries that cause those programs to execute. It also knows to look in some undocumented places where spyware likes to hide.
Scan for rootkits -- An important item that warrants mention here is rootkits. If you are interested in detailed information, the Wikipedia article on rootkits is a good place to start. In a nutshell, these are very nasty pieces of software that are virtually undetectable by normal antivirus and spyware scans. Yes, that means that your antivirus scan and your spyware scan can report that your computer is totally clean, yet you may still have an infection. There are several "rootkit detectors" available that can find these things. One that I have used is RootkitRevealer, developed by Sysinternals. This is freeware and can be used to scan your computer. It works by comparing what the Windows API reports (files and registry keys) against a raw scan of the disk and the registry hives; anything present in the raw view but missing from the API view is reported as a discrepancy for you to investigate.
Lock down your computers and have your users log in as restricted users -- If your computers are running Windows 2000 or XP you can give users restricted (non-administrator) accounts so that they operate in a secured or "locked down" mode. This prevents users, and the sneaky programs they run, from installing software or changing the system configuration. Only log in to the computer as an administrator when you need to install software or make changes. This provides a much higher degree of operating stability and consistency. I have seen this work wonders. Note that a restricted user can still run spyware inside their own profile (their own Run keys and Startup folder), so this limits the damage rather than eliminating the risk. (Windows 9x and ME users are out of luck on the locking-down front. Time for an upgrade.)
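As an added example, not code from the original post or from Sysinternals, here is a PowerShell script that does by hand what the Autoruns step and the lock-down step above describe: it walks the common autostart locations (Run/RunOnce keys, the Winlogon Shell and Userinit values, both Startup folders) and the running process list, checks the Authenticode signature of each binary so that unsigned or missing files float to the top, and finishes by reporting whether the current session holds an administrator token. It assumes Windows PowerShell 3.0 or later and only reads; it removes nothing.

```powershell
# Added example (not from the original post): read-only audit of common
# autostart locations and running processes, with an Authenticode check on
# each binary, plus a report of whether this session is running as admin.
# Assumed environment: Windows PowerShell 3.0+ (Get-AuthenticodeSignature,
# Get-Process and the registry provider are built in).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon values that get hijacked to load code before the shell appears.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Properties the registry provider adds to every Get-ItemProperty result.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePathFromCommand {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\foo.exe -x
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-SignerSummary {
    # Classify a binary: signed by whom, unsigned, or not present on disk.
    param([string]$Path)
    if (-not $Path) { return 'NO PATH' }
    if (-not (Test-Path -LiteralPath $Path)) {
        # Bare names like rundll32.exe resolve through PATH, as the loader would.
        $resolved = Get-Command $Path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if (-not $resolved) { return 'MISSING FILE' }
        $Path = $resolved.Path
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "Signed: $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

$findings = @()
function Add-Finding($Source, $Name, $Command) {
    $script:findings += [pscustomobject]@{
        Source = $Source; Name = $Name; Command = $Command
        Signer = Get-SignerSummary (Get-ExePathFromCommand $Command)
    }
}

# 1. Run / RunOnce values under HKLM and HKCU.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        Add-Finding $key $p.Name $p.Value
    }
}

# 2. Winlogon Shell and Userinit: anything beyond explorer.exe / userinit.exe is suspect.
foreach ($name in 'Shell', 'Userinit') {
    $val = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { Add-Finding $winlogon $name $val }
}

# 3. Per-user and all-users Startup folders; follow .lnk shortcuts to their targets.
$wsh = New-Object -ComObject WScript.Shell
$startupFolders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($folder in $startupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        Add-Finding $folder $_.Name $target
    }
}

# 4. What is actually running right now (processes whose image path we can read).
Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    Add-Finding 'Process' $_.ProcessName $_.Path
}

# Report unsigned and missing binaries first; those are the ones to look up.
$findings | Sort-Object { $_.Signer -like 'Signed*' }, Source | Format-Table -AutoSize -Wrap

# 5. The lock-down check: is this session running with an administrator token?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged on as $($id.Name); administrator token: $isAdmin"
```

Run it once on a known-clean machine to learn what "normal" looks like, then on the suspect one. Entries marked UNSIGNED or MISSING FILE whose path sits under a user profile or a temp directory are the ones to search for by name, exactly as the Autoruns step suggests. Being unsigned is not proof of malice (plenty of legitimate older software is unsigned), and a rootkit can hide entries from this script just as it can from Autoruns, which is why the rootkit scan is a separate step. If the last line reports an administrator token for an everyday account, that account is the one to demote.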
Educate your users - Tell your users what to do and what not to do. A good guideline to start with may include the following:
- Never click on a pop-up ad or message.
- Never follow links in spam or in any email from someone you do not know.
- Never agree to install a software program on your computer unless you know exactly what it is and why you need it.
Until my next installment...

Sweet Info! Steve really knows what he is talking about, everyone should take his advice!
Posted by Anonymous | 12:47 AM