Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Spyware Scanners

They are the most simple and yet effective against almost all but the most complex spyware.  And that's why they should be tried first. There are two prominent free Spyware scanners (Adaware and  Spybot S&D).  Spybot S&D usage is discussed in a separate page.

The main problem with of the Spyware scanners is that Spyware is repeating the path of file viruses and newer variants are designed with the specific mechanism to avoid detection by the scanners (polymorthic spyware). One such example is  vx2 Spyware (SAHAgent, aka Golden Retriever, ShopAtHome and ShopAtHomeSelect). Another example is CoolWebSearch or ‘CWS’ as many refer to it.  With more the a hundred know variants CWS has surpassed a lot of other annoying hijackers such as Lop, Xupiter and Whazit etc  (see such sites as allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc ).  You might need to use a specialized software like CWShredder to remove CWS.

Never buy or download a commercial Spyware scanner without checking reviews on independent sites. Many such products are very questionable, some ask you to buy an expensive version after scanning, some can be classified as Spyware.  A very simple litmus test is to check a quality of the website. It you feel that an information on it sucks, the chances that the product sucks too are extremely high.

An attempt to hide Spyware under the disguise of Spyware scanner can be viewed as yet another example of deceptive advertising.  See for example Trustworthy Anti-Spyware Products.

Moreover often free tools are better that commercial.  As PCWorld.com - Poor Defenders  atricle stated "Some anti-spyware companies use confusing ads, and our tests show their $20-$60 products are less effective than free competitors."

Spyware scanners (Adaware and SpyBot) are traditional first level of defense, but like with AV scanners they have drawbacks: they cannot fight the most complex spyware engines and signature file may not contains a signature of spyware bug that bite you. Still they should be tried first.  You need to download the latest signature file separately (or via update feature if you still have internet connection on the infected computer) before using Adaware or Spybot S&D.

Scanner can be used even if spyware shuts down your internet connection: you just need to burn a CD with those tools and the latest signature file, install those two tools from a CD and run them one by one.

Note 2: Adaware can generally be used without reading any instructions ;-) Spybot S&D probably not. See  Spyware Removal Guidelines about how to use Spybot S&D as this tool has some important additional capabilities that might escape you without reading the manual...

Here are relevant recommendation from the Slashdot discussion (Every 5th Call At Dell Is Spyware-Related) about spyware (see some additional interesting posts from this discussion below):

At least 8 of the 10 computers that I fix follow this routine:

Update and run AV program, if possible.
Install Adaware, update, run.
Install Spybot S&D, update, run.
Run CWShredder.
Fire up a HijackThis! log and manually remove the leftovers.

I'm getting pretty damn good at filtering out the hijackthis logs, too. Seriously, if you familiarize yourself with spyware removal, you could make a killing on the home PC market. Manufacturers won't help you with spyware. It's getting to the point where the retail chains and PC shops won't deal with it either; they'll simply offer you a format/reinstall.

Most importantly, when it finds spyware it tells you requires a reboot to remove, you'll notice that it rescans everything during the system restart. The thing is, though, it isn't *removing* everything during this stage. It's only setting itself up so it *can* remove what it finds successfully, if you click to "fix problems" on its console window after everything finishes and the Windows desktop comes back up!

As always our AV heroes are slow to react and that's why Symantec, McAfee, and the other popular AV scanners don't track spyware along with viruses and worms.

Note 1: Never ever buy untied commercial antispyware products before you try free and tested tools.   Be very skeptical about tools from well known antivirus vendors (they usually sell junk ;-). Please note that like with antivirus scanners you need the latest signature file.

Free version of   Spybot Search and Destroy scanner Spybot Search and Destroy and/or Adaware provide results comparable with the commercial tools (in case you are using the most latest signatures) and are recommended for checking. Please note that before the scan you do need to download the latest signature file separately  (older signature files miss the most recent mutations of engines like SAHAgent).

Recently written Spyware Removal Guidelines use Spybot S&D as example, as it provides some additional useful tools, but old good Adaware is also an extremely useful tool  and can find and disinfect some Spyware variants that are missed by  Spybot S&D (see, for example its VX2 cleaner plugin that I mentioned before) .  You probably are better off using both.

Notes: Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected. This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books. The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link. Search Amazon by keywords:     Open directory Research Index

Old News ;-)

[Aug 24, 2005] What a great app! (Feedback for the page Spyware Removal Using Spybot S&D; slightly edited for clarity):

Thanks for recommending this freeware -  I recently cleaned my pc from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti malware software. I knew this was a hack from the start and set about cleaning the registry , resetting dodgy files in SYSTEM32 to a .doc extension, etc but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran recommended program in safe mode booting of XP and I cleaned everything it found and the machine seems much happier now!

What I would like to know is how you remove an item from the registry when you know its bad . I tried messing about with the permissions on the item but nothing worked.

... ... ...

Keep up the great work!

Regards

Peter

Peter,

There are several good free registry editors,  watchers. See Free Registry Tools for more information. But the first step is easy to do with regular Windows registry editor (regex.exe):

Often spyware is pretty primitive and removal of the component that is installed in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

registry key disinfects the PC.

To do this follow the step outlines below. Be very careful working with the registry and do not delete entries just because they look suspicious. check each of them as outlined below:

1. Open your registry in regedit
   • Click "start" (bottom left of your screen)
   • Select "Run"
   • Type "regedit"  in the command line displayed
   • Click OK. 
2. In a tree that is shown select HKEY_LOCAL_MACHINE
   • then click on + sign for the key SOFTWARE
   • then click on + sign for the key Microsoft
   • then click on + sign for the key Windows
   • then click on + sign for the key CurrentVersion
   • then click on + sign for the key Run
3. Put a bookmark for the Run entry (Click Favorites, Add to Favorites and preserve the name Run that Microsoft Registry Editor suggests, so that you can gat tot he same place quickly if you need to.
4. Print all entries (File, Print).  Look for suspicious entries, that have strange names, load programs from strange locations, etc but don't take any actions on them.
5. Open Windows Explorer  Click on  Tools, Folder options , View and and Details View and
   • uncheck:
     • Hide extensions for know file types
     • Hide protected operating system files
   • check
     • Show hidden files and folders
     • Remember each folder view setting

   click apply to all folders and OK.
    

6. Find each suspicious file from the printed list of Run section and check the creation date. After that go to the listed directory find the file, left click and click on properties. Check Version section.  If Description is missing, Version is missing or this is an unknown company, then the file is suspicious.
7. For each suspicious file search Goggle. If Google search proves that this entry belongs to spyware  simply delete the key.
8. For each other file try to search Google. But be critical as for results. do not rush to delete it without additional consultation in one of the recommended in Fighting Adware/Spyware Paranoia page forums.

Trustworthy Anti-Spyware Products One basic tool in every user's toolbox of software ought to be an anti-spyware scanner. There are several excellent anti-spyware scanners available -- some free, some for pay. These include (but are not limited to): Ad-aware

1. Microsoft AntiSpyware
2. Pest Patrol
3. Spybot Search & Destroy
4. Spyware Doctor
5. Webroot Spy Sweeper

Microsoft Windows AntiSpyware (Beta) Home

Microsoft Windows AntiSpyware (Beta) is a security technology that helps protect Windows users from spyware and other potentially unwanted software. Known spyware on your PC can be detected and removed. This helps reduce negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. Continuous protection improves Internet browsing safety by guarding more than 50 ways spyware can enter your PC. Participants in the worldwide SpyNet™ community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, and updates are automatically downloaded to your PC so you stay up to date.

Lavasoft now proposes free VX2 cleaner Software - Lavasoft

Lavasoft’s new plug-in VX2 Cleaner detects the malware VX2 and offers you the ability to remove it from your computer. Some users have experienced a very difficult variant of VX2 which cannot be removed by Ad-aware. For those users which have this variant, we have developed a plug-in to help you remove this VX2 variant. This VX2 variant registers itself in a way, which gives it system privileges. It also prevents the user from viewing this information by removing the user’s rights to do so. Furthermore it constantly monitors the registry and prevents any attempts to remove its associated values. This makes it very difficult for the user to manually remove it. The VX2 Cleaner works with all editions of Ad-Aware 6 build 181.  

How to use Lavasoft’s VX2 Cleaner plug-in

 Close Ad-Aware 6 build 181 and Ad-Watch (if running)
 Download the free VX2 Cleaner here
 Install the VX2 Cleaner
 Start Ad-Aware 6 build 181
 Go to “Plug-ins”
 Select the VX2 Cleaner plug-in and click “Run Plugin”
 If your computer isn’t infected, click “Close”.

XoftSpy free spyware removal tool that looks like scam. I found the following strongly negative review Lavasoft - Webhelper Review Xoftspy:

Webhelper Review: XOFTSPY Don't buy and here the reasons why

I have installed xoftspy and reviewed it. Here is my findings and what my thoughts are

1. PARETOLOGIC is the website the software is installed from. However, any business IMO that registers their site under Domains By Proxy in order to keep their true identity a secret is not a company I want to give money to.

2. The site is big on ad hype and getting affiliates to sell for them.

3. Domain names that are advertising the xoftpsy are the same that I was collecting about 3 weeks ago and then they were advertising the Spyhunter.

4. The sites below are all registered under Domains By Proxy so the real owners are not shown. The IP's show they are either one or more virutal servers that can have multiple domain names per 1 IP address.

Bottom Line: Would you give your money to someone who you cannot find out about. There is no statements of who or how the reference file of adware is updated. And like any Pyramid scheme, the main push is to get affiliates to sell for you, so much of the ad hype is directed in that area instead of supporting the end user that buys the software.

IMO: This is a scam.

Another review

PC Magazine - Member Ratings

fentleglowhardy
August 17, 2004 <
This is a good, professional product. Unlike Paretologic's Xoftspy reviewed by DenComp1 - which seems to just look for tracking cookies and a few well known entries in the registry, and mostly comes up with false positives, 5 out of 15 on my machine - Spy Sweeper scans for and finds problems, shows you what they are & removes them. This is a useful tool & deserves its 4 stars. Steer clear of the other - if I'd followed Xoftspy's advice I'd have removed my video driver, Netscape configuration entries, and part of Visual Basic

Getting rid of spyware

For $12 you can purchase Ad-Aware Plus, which includes a utility called Ad-Watch. Ad-Watch runs in the background monitoring for spyware trying to install itself. When spyware is detected, Ad-Watch blocks the installation, runs Ad-Aware and alerts you.

Recommended Links

• PCWorld.com list of antispyware tools
• Pestpatrol provides a free Spyware scan PestScan – free online Spyware scanner from PestPatrol . This is probably the simplest way to scan your PC but please note that this not very accurate. Please not that the vendor was recently bought by  Computer Associates, the company that killed a lot of  software projects it bought so the quality of the commersial version is now suspect... PerstPatrol also has a nice spyware database at research.pestpatrol.com.

Adaware

• AD-Aware Scan your system for advertising Spyware This free utility scans your memory, hard drives, and your Registry for references to spyware like  Gator, Cydoor, DSSAgent, Alexa.
  http://www.lavasoftusa.com

Spybot S&D
 

• SpyBot It is am spyware scanner that is generally similar to ADaware, but contains some nice tools like process viewer and host blocking list
   
• Browser Hijack Blaster Pour être prévenu de la prochaine tentative de Hijack - gratuit
• Merijn.org home to several nice antispyware tools like  HijackThis
• CWShredder: (zipped) A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D tends to forget essential parts of the hijack, so until it updates, you can just this to completely remove the hijack. Updated to remove the new variants once they come out.
  Read my article with documentation on Coolwebsearch here.
  Updated very, very often
• KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. An update is being worked on. If you still want to use KazaaBegone, download LSPFix to fix your Internet connection (download it before you run KazaaBegone, of course).
  Currently at version: 1.10
   
• Pestpatrol provides a free Spyware scan PestScan – free online Spyware scanner from PestPatrol . This is probably the simplest way to scan your PC but please note that this not very accurate. Please not that the vendor was recently bought by  Computer Associates, the company that killed a lot of  software projects it bought. PerstPatrol also has a nice spyware database at research.pestpatrol.com.

Recommended Papers

PC Review - Spyware and Adware Removal

Tracking Cookies

If you are constantly prompted to remove 3rd party "Tracking Cookies" after scanning your machine with Ad-Aware or SpyBot then your IE  is not set up properly!

Many web pages write a cookie to your computer's hard disk to record when you visited their page and which pages you visited. The tracking cookie goes further and records details such as how long you stayed on a page, what you ordered, other pages you visited, and builds up a picture of your browsing. This information is reported back to the company that paid for this service.  Read Privacy pages of the companies you if you don't believe me. Or read an article by Keith Newman about it.

Mad about it? Don't get mad, get even. Put in Ad-Aware (it's free - click on 'Ad-Aware') and delete all tracking cookies regularly.

The HOSTS file and Restricted Zone (domains.reg) file both contain most of the "Tracking Cookies" listed in their database. The object is to prevent these (3rd party) Cookies from loading, not removing them "after the fact".

Netscape Navigator and Internet Explorer will still send out existing cookies even after disabling cookies in the browser settings. You must manually delete any/all cookie files on your system to eliminate being tracked by third-party ad networks or spyware or adware providers.

You can solve most of the tracking cookies problem with these two things: A malware-blocking hosts file and IE->Tools->Internet Options->Privacy tab->Advanced->Check "Override Automatic Cookie Handling", set Third-party Cookies (the ones used to track you across different web sites) to Block, and First-party to Enable or Prompt.

There are many arguments why cookies are not a bad thing at all.  Among their more benign uses are:

• Often cookies contain a unique code number so that website designers can see how many surfers return to their site, which pages in the site are the most popular, etc.  This allows them to improve the design of their website.
• Many sites such as portals and news providers such as Yahoo.com allow users to set preferences, for example selecting which categories of news they would like to appear on their homepage.  These preferences are 'remembered' by means of a cookie.
• Cookies are used to remember log-in names and passwords, so that users do not need to re-register every time they visit a site.  For example the New York Times website identifies users this way.
• Many shopping sites such as Amazon.com allow users to create a "shopping cart" of items they wish to purchase.  The computer remembers your purchase list by means of a cookie placed on your computer.

And, contrary to rumor, it is impossible for a cookie to transmit a worm or a virus. However, the opportunity to "personalize your web experience" by means of cookies recording your preferences and interests is a double-edged sword, because few consumers realize just how much information about themselves they are giving away as they surf the internet, and fewer still realize how easy it is for this "online profile" to be linked to their real identity.

Cookie Viewer [freeware] allows you to view information stored in a Cookie, delete unwanted Cookies on your hard drive. Note: when viewing Cookies stored on your drive if you discover any unwanted Cookies make a note of the server it is coming from (usually 3rd party) add that site to your "Always Block" list in the Internet Options | Privacy tab | Edit button. For home PC Patrol (Startup Manager) can help you manage Tracking Cookies.

See Usenet newsgroups for additional discussions about the removal of spyware from your system.

• alt.privacy.spyware
• Deja Usenet discussions about spyware

Last modified: June 02, 2008