Help me win the war against spyware
January 8, 2005 12:13 PM

ComputerMoronFilter: At my wits' end in battle against spyware. More desperate pleading inside.
posted by Miko to Computers & Internet (28 answers total) 1 user marked this as a favorite
 
spyware preventing you from pleading?
posted by juv3nal at 12:21 PM on January 8, 2005


Response by poster: My username is Miko, and this is my story. Less than a year ago, I switched from Mac to PC format for my home computer. I was a complete naif when it comes to viruses, adware, and spyware. I was doing all right for a while -- successfully eradicated the Sasser worm, and regularly run McAfee -- but even so, through some subtle little accident, my computer has become infested with the tech equivalent of cock-a-roaches. It became so loaded with spyware and adware that it slowed down a tremendous amount, and my browser became temporarily possessed.

Well, I mounted an aggressive campaign and got rid of most of it. Got my browser back, for the most part, and cleared out a lot of stuff that had installed itself. I now run Spybot, CounterSpy, and Ad-Aware, like, every day. It keeps a lid on things, but there are a few bits of this stuff that must be buried deeeeep on my hard drive. None of my present programs are completely cleaning everything. What's worse, I don't really have the skills to go monkeying around in the innards of Windows.

So here's my question. Is my best bet to 1) keep on as I'm keeping on, just regularly cleaning my system and updating my protection programs, or 2) to try reinstalling Windows? I would be willing to try #2, but I'm a little scared that my computer would no longer work as well afterward, or that I'd screw something up. In addition, I'm wondering if just reinstalling Windows is enough, or if there are more things I'd need to do to completely clean the hard drive.

As you can see, I'm a babe in the woods. But if I can avoid it at all, I'd rather not call in a pro computer service person, because I cannot easily afford it. I'm intelligent and reasonably able to think and follow directions, so if there were clear directions on a web site that I could follow, I would give the reinstall/hard-drive cleaning a try. Can anyone suggest a good resource?

In addition -- in future, should I just stop using Internet Explorer and go to another browser? Seems like IE is the biggest target for this garbage. Thanks.
posted by Miko at 12:22 PM on January 8, 2005


Yeah, you should re-install. Backup your data and format the hard drive.

Before you reinstall the OS, though, make sure to download all the most recent service packs and burn them to CDs. Then apply them to the fresh OS install before connecting to the Internet for the first time with the new install.

Don't even think about using IE on this new install, too.
posted by cmonkey at 12:34 PM on January 8, 2005


Miko, I agree that you probably need a solid reinstallation, and cmonkey's suggestion about getting the service packs and updates needed for Windows before reinstalling is spot on as well. You'll find fewer problems with this sort of thing if you run Firefox instead of IE (http://www.getfirefox.com).
posted by annathea at 1:22 PM on January 8, 2005


::gently chides cmonkey for not providing the alternate browser link::

On preview, what annathea said.
posted by kamylyon at 1:25 PM on January 8, 2005


An old joke among computer techies is that the effective way of dealing with spyware is to run the restore disk which came with your computer. That way, only the spyware which may have come with the disk is "restored".

A number of manufacturers and internet providers will include programs from their various "sponsors", which have often turned out to be CometCursor, Gator, and Amazon's Alexa. To effectively deal with these, and any others which will take their place, updating regularly is the best safeguard.
posted by Smart Dalek at 1:32 PM on January 8, 2005


What, specifically, is still hanging around? You may not need anything so drastic as a re-install.
posted by Sparx at 1:32 PM on January 8, 2005


Agreed: do a reinstall. Back up all your stuff on DVD-Rs. And, though it's been said, definitely use Thunderbird for email and Firefox to browse. Also install BitDefender and/or AVG with your new OS.

If you have more questions, check out the Computer Cops forums--they're pretty helpful with even the most obscure virus-related problems.
posted by dhoyt at 1:37 PM on January 8, 2005


If you have a broadband connection, you may want to get a cheap firewall/router that can do NAT/DHCP (if you don't have one already). That helps a windows machine avoid a lot of headaches (but by no means all of them...). And also run some AV software like AVG antivirus (free). And be sure you're running a software firewall too (either XP SP2's or maybe ZoneAlarm). Prevention is MUCH easier than curing. Also, you might check out "spyware blaster". It blocks a lot of ActiveX programs that IE gets infected with. And check out BHODemon, which will list any "Browser Helper Objects" you might have running. A lot of times those are the nasty, hiding bits.
posted by theFlyingSquirrel at 1:43 PM on January 8, 2005


Oh, and I forgot to mention, a lot of times malicious stuff hides in Windows Restore points. So, you may have to remove those (as a last ditch effort).

Right Click "My Computer" > "Properties" > "System Restore" tab > check the "Turn off System Restore" checkbox.
posted by theFlyingSquirrel at 1:46 PM on January 8, 2005


Don't even think about using IE on this new install, too.

Avoid using Windows Media Player if you can, too. It uses some of the same ActiveX crap that IE relies on.
posted by trondant at 1:55 PM on January 8, 2005


You can disable ActiveX for hosts other than windowsupdate.microsoft.com (so that you can continue to run Windows Update).
posted by AlexReynolds at 2:10 PM on January 8, 2005


If you *really* want to see what's running in the background, hijack this will show you. Note that it shows all the good stuff with the bad, so if you start deleting things randomly with it you will be sad.
posted by shepd at 2:17 PM on January 8, 2005


Use hijack this very carefully. Use Google to make sure you're not deleting a registry entry or file for a useful or necessary service or component. Microsoft uses a very cryptic and inconsistent system for naming its services; you can easily delete/disable something that otherwise looks like spyware. Print out the hijack results so that you have a paper trail of how your system used to be.
posted by AlexReynolds at 2:21 PM on January 8, 2005


(Even then, some things can hide from hijack, or get reinstalled upon restart of Windows, so it is more useful as a forensics tool, used to verify what caused a system compromise. You're better off going the clean install route if you can.)
posted by AlexReynolds at 2:23 PM on January 8, 2005


Post the log from hijack this to a forum such as http://www.spywareinfo.com/forums/ or http://wilders.org and they'll tell you if anything nasty is resident on your machine and what to delete, if anything.

You could also try running Bazooka [ http://www.kephyr.com/spywarescanner/index.html ] and CWShredder [ http://www.spywareinfo.com/~merijn/downloads.html ]

For information on reformatting try http://www.cyberwalker.net/ they cover everything from win98 up to XP.

(sorry for the lack of markup but askme is refusing to display my marked up version of an answer.)
posted by squeak at 2:32 PM on January 8, 2005


HKCU\Software
HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software
HKLM\Software\Microsoft\Internet Explorer\Main
HKLM\Software\Microsoft\Windows\CurrentVersion\Run


If you know how to edit your registry, this is where spyware keys will need to be deleted from. If you don't know what to delete and what to leave alone, then stay out of the registry. If you don't know what to delete and what to leave alone, and you do it anyway, you will end up reinstalling your OS.
posted by pieoverdone at 3:10 PM on January 8, 2005


...Software\Microsoft\Windows\CurrentVersion\Run
check RunOnce and RunOnceEx too.

another trick to see some of what may be hiding in the background is to just pull up your task manager and google any process names you don't recognize.
posted by juv3nal at 3:47 PM on January 8, 2005
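
Added example, not part of any post in this thread: a read-only PowerShell listing of the Run, RunOnce and RunOnceEx values under HKCU and HKLM mentioned above, with the Authenticode signature status of each program they launch, saved to a CSV as the "paper trail" suggested earlier. The function names and the CSV file name are assumptions made for this example; the registry key itself is spelled CurrentVersion, without a space.

```powershell
# Added example: read-only audit of the autostart keys named in the thread.
# Nothing is deleted or changed; the CSV file name below is a constructed choice.
$base    = 'Software\Microsoft\Windows\CurrentVersion'
$subkeys = 'Run', 'RunOnce', 'RunOnceEx'

function Get-CommandTarget {
    param([string]$Command)
    # Extract the program path from a command line: a quoted path first,
    # otherwise everything up to the first executable-looking extension.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|com|bat|cmd|vbs|js))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Resolve-Target {
    param([string]$Target)
    if (-not $Target) { return $null }
    if (Test-Path -LiteralPath $Target -PathType Leaf) { return $Target }
    # Bare names such as "ctfmon.exe" are looked up on PATH.
    $app = Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($app) { return $app.Path }
    return $null
}

$report = foreach ($root in 'HKCU:', 'HKLM:') {
    foreach ($sub in $subkeys) {
        $path = "$root\$base\$sub"
        if (-not (Test-Path $path)) { continue }
        # RunOnceEx keeps its entries in subkeys, so walk those as well.
        $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $command = [string]$key.GetValue($name)
                $file    = Resolve-Target (Get-CommandTarget $command)
                $status  = 'FileNotFound'
                if ($file) { $status = [string](Get-AuthenticodeSignature -LiteralPath $file).Status }
                [pscustomobject]@{ Key = $key.Name; Name = $name; Command = $command
                                   File = $file; Signature = $status }
            }
        }
    }
}
$report | Sort-Object Signature, Key | Format-Table -AutoSize -Wrap
$report | Export-Csv "$env:USERPROFILE\autoruns-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Entries whose Signature column reads NotSigned or FileNotFound are the ones to look up before touching anything; a Valid signature only says who signed the file, not that the program is wanted.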


If you don't like Firefox, it is actually pretty easy to secure IE against spyware - the most important thing is to set ActiveX controls to disabled or prompt for all untrusted sites.
posted by TheOnlyCoolTim at 4:48 PM on January 8, 2005


One other thing you can try is to use the new MS beta Anti-Spyware tool.

Yes, it is a Microsoft product (not all of them are bad)

No Microsoft is not the devil (profit motive is too banal to constitute elemental evil)

Yes it actually appears to be a pretty good tool. (Caught a few things the others didn't)

Going to a different browser is a good short term solution if nothing else works for you. However, vulnerabilities that allow similar exploits will eventually be found for any alt browser you use.

Reformatting/reinstalling will probably only get you some temporary relief as you are most likely picking up spyware through the sites you visit and the emails you receive. Find a decent securing Windows guide for whatever version of the OS you use and implement some best practices.
posted by ad hoc at 5:14 PM on January 8, 2005 [1 favorite]


I have been blissfully free of spyware for years. Here are my secrets:

Don't use IE unless absolutely necessary. (By "necessary", I mean stuff where spoofing the user agent doesn't help, like Outlook Webmail.) Either Mozilla or Firefox are probably the most practical replacement solutions. Either is easy to install and will load more or less any page that IE will load; for most of the exceptions, you can "spoof the user agent". Worry about that when the time comes, though.

NEVER run Outlook or Outlook express. Thunderbird 1.0 has gotten pretty solid; Mozilla Mail is good if you plan to use Mozilla instead of Firefox.

Get a good software firewall and learn how to configure it. Here, I can't make recommendations, I'm afraid; I still use the several-year-old freeware version of Kerio, which has very low system overhead. I'm told McAfee is now quite lean and mean. The firewall will allow you to do things like prevent Windows Media Player from communicating with outside websites to download extensions or launch web pages. (Again, the details on how are a subject for another time.)

Optional, but good things to do:

Get a NAT firewall. They're inexpensive ($50-$125, depending on whether you take the opportunity to get a wireless hub), and they provide an extra level of obfuscation between you and the attackers.

All that said, I think one of the major reasons I've done as well as I have is that I always install fresh from an MSDN version of Windows 2000...
posted by lodurr at 8:14 PM on January 8, 2005


hijack this has worked very successfully for me. Very.
posted by u.n. owen at 8:15 PM on January 8, 2005


Free software firewall: Zone Alarm.
Free anti-virus: AVG.

I was also a hardcore IE user until two months ago. I switched to Firefox and love it.
posted by deborah at 10:10 PM on January 8, 2005


Reinstalling is most likely overkill. I would recommend you go the HijackThis log post to a forum route.
posted by Onanist at 10:24 PM on January 8, 2005


DO NOT REINSTALL YET.

Crikey, if exterminators were tech support, they'd advise burning down your house if you called about a recurring ant problem.

I will second squeak's suggestion: hie thee forth to the forums at www.spywareinfo.com, read their FAQs.

What the process will boil down to is downloading and running a couple of the big anti-spyware utilities, Spybot S&D and/or AdAware, and then running a much smaller utility by name of "HijackThis!", which will generate a log of what will look like complete gibberish at first.

Post that log to the forums there, and dedicated anti-spyware gurus will guide you step-by-step through whatever your custom extermination situation is. I've had to do this for a couple of truly baffling infestations with shared workstations at my workplace, and the good folks at spywareinfo have fixed it both times--no reinstalls necessary.
posted by Drastic at 11:14 PM on January 8, 2005


Response by poster: Wow -- this is awesome. I'll try all the fixes & forums you folks have recommended here, and I think I'm ready to switch to Firefox, as well. Only if I'm still plagued will I reinstall. Thanks so much for the advice -- you're all very generous with your knowhow. Wish me luck!
posted by Miko at 1:59 PM on January 9, 2005


Hey Miko, there's a similar computer - grindingly slow, mundane processes hang and can't be stopped etc, that's already cost me 4 hours of free FAF support (friends and family support). Can you document what you did and post it here/ mail me if you're successful?
posted by Pericles at 1:07 AM on January 10, 2005


Response by poster: I'll do my best. The bad news is, this has already cost me at least 20 hours of my own time. Here's how I started -
1. Did a Virus Scan. This caught some stuff.
2. Went online with MSN Explorer, which was cleaner than IE.
3. Downloaded a free trial of CounterSpy and the free software SpyBot, AdAware, and Spyware Blaster.
4. Disconnected my cable internet.
5. Ran all of those programs repeatedly, especially after connecting to the 'net.
6. Changed all my Internet Options for maximum security using instructions that came with SpyBot and Spyware Blaster.
7. Came here and posted that I was still having problems. Part of it is that there's just new spyware every day, so every day I get new garbage from CoolWWWSearch. Keeping your protection programs updated is a necessity.

Anyway, since I haven't got it all, I'll keep you posted as to what the suggested strategies do.
posted by Miko at 9:05 AM on January 10, 2005

