Spyware is variously referred to as “Malware,” “Adware,” and “Scumware,” among other things. Basically, spyware can be defined as a class of software that is designed to take over various aspects of your computer. It does this in order to generate profit for unscrupulous people or businesses or to use your computer for various illegal or immoral reasons. Spyware is generally installed by you, the user, either wittingly or unwittingly. Trojans and Viruses are either installed by you or installed by taking advantage of security exploits that exist in Microsoft Windows. This article will focus on Windows, since spyware is not a phenomenon that has hit the Mac or Linux world yet.
ActiveX tricks
In order to truly understand spyware, and thus why it is so insidious, we must understand a little bit about how Windows works and how the internet works. A few years back, Internet Explorer gained the ability to run little programs called “ActiveX Controls” over the web. This was a boon to usability and created all kinds of neat ways to use the internet to interact with your machine – take WindowsUpdate, for example. You can connect to Microsoft’s WindowsUpdate site and it installs an ActiveX control that allows the website to scan your computer and tell you if you need any security or stability updates. This is an extremely helpful site that would not be possible without ActiveX. Sometimes computer manufacturers use ActiveX controls for a similar reason: They can tell you if your machine needs any updates that can help it run better.
However, somebody realized that they could use ActiveX to get you, the user, to install whatever software they wanted onto your computer. With home broadband use exploding, millions of computer novices now have high speed, always on connections to the internet, and no knowledge of how to keep them safe. Malicious and unethical software developers realized how easy it would be to tap into this huge pool of smiling consumers with relatively large disposable incomes. Spyware was born.
As I just mentioned, they had to get you to install it yourself. The easiest way to do that is to trick you into clicking the ActiveX installer.

You’ll notice that there is always the sentence ‘Do you want to install and run “……”?’ Spyware installers will often trick you into thinking that what you’re about to install is some magical piece of software that will make your life better. They may say things like “Do you want to install and run MegaCute Robot, a free and fun character for your desktop that will help make your web surfing more fun and productive by helping you find the things you need instead of things that just waste your time?” or “Do you want to install and run SuperClock, a free application that will always make sure your computer’s time is correct and also do neat things like show you the weather and help you find millions of free songs and games for your computer?”
So the average uninformed computer user thinks, “Wow.. That sounds neat!” and clicks it. Now, you have a free and fun character for your desktop that helps make lots of money for some company with a name like AffiliateNetwork GiantCorp. How do they make money? They take over your computer. They take it over so that if you go on the web and look for things, they prevent you from going where you intend to go and instead direct traffic to their search sites. Their search sites are usually affiliated with “clickthrough” advertising networks or CPC advertising (cost per click) and they will make a penny or two if you click on a link on their site. They try to keep you within their network by spawning popups that also contain clickthrough links. Some are so clever (and scummy) that it may look as if you are trying to close the windows by clicking the red “X” but even the “X” will lead to a clickthrough link. Now, pennies may seem frivolous, but if you have your spyware installed on hundreds of thousands or even millions of computers, you can see how it becomes profitable.
The other thing they can (and often will) do is open the floodgates for the manufacturers of OTHER malicious and unscrupulous software. Many spyware programs will take control of certain aspects of your computer and actually start installing other software, all of which is bad. Spyware can do many terrible things to your computer, including running tracking and logging software constantly in the background, thus reducing your computer and internet performance, tracking every single website you go to and report it to a central server somewhere, breaking critical parts of the Windows system so that they can’t be uninstalled through normal means, and even redirecting every single thing you type through their servers so that they know every single thing that you use your computer for.
Many spyware companies operate “offshore” – that means they operate from servers in places like Russia or China that cannot be governed by US law, and thus they have free reign to do whatever they want to your computer. The worst part? Many of the people who are actually profiting from this nefarious scheme ARE in the United States, but since the server itself is offshore, they are protected.
Get the tools to protect yourself
Now that you know what spyware IS, the most important thing to do is find out how to remove it from your system, and then how to protect yourself from ever getting it again.
Since I remove spyware so often as part of my day job, I have a toolkit of sorts. Removing spyware almost always requires a “cocktail” of spyware removal applications. The four that I use most often are:
HijackThis
CWShredder
Spybot Search & Destroy
AdAware
As you may know, Windows has the ability to launch applications upon startup. However, there are many “hooks” into the Windows startup system, meaning there are several ways to get things to run on bootup. Spyware installers make sure their software is put right into those hooks, often in multiple places, so that even if you delete it from the startup sequence in one place, the other will just keep it running and copy it back into the startup sequence for the next time around. The first program on my list, HijackThis, will show you exactly what runs on windows startup, as well as showing you all the programs that are “hooked” into Windows and into Internet Explorer.
Now, HijackThis is sometimes dangerous for the novice to use because it does not make any distinction between legitimate software such as your instant messaging program or your scanner’s control panel for example, and spyware. Its job is to show you what exactly runs when your computers starts, that’s it. You have to rely on the help of experienced computer users to know what belongs and what doesn’t. You can easily break your system by deleting the wrong item from your startup sequence. However, nothing works better to show you everything that is hooked into your system.
There is one particularly bad piece of spyware that has been grouped into a family known as “coolwebsearch”. CWS is an extremely well written, extremely hard to kill piece of spyware. It is so “hooked” into the system that until CWShredder came around, some people wrote it off as impossible to remove without breaking windows. CWShredder is a fantastic program that identifies (at the time of this writing) 30+ variants of the CWS engine and is able to remove them without destroying windows. CWShredder is updated almost weekly because of different variants of the spyware that come out. It is essential software if you have any of the pieces of spyware that uses the CWS engine to hook into your system.
Spybot S&D is one of the best all-around spyware removal applications. It is also updated quite often and has a pretty big library of known spyware programs and other privacy-invading bits. It acts quite like an anti-virus program in that you can update your “spyware definitions” from a server over the internet and then scan your system for spyware and kill any that you find. It finds and removes MOST spyware out there.
Anything that Spybot S&D misses can usually be found with AdAware. AdAware operates in much the same fashion as Spybot S&D, but sometimes catches things that S&D doesn’t, and vice-versa. If you have a seriously bad infestation, I recommend running both. Some people prefer one to the other, but I don’t get into those arguments.
Removing the spyware
We’ll get into the specifics of each application in a moment, but first let me explain my usual method of spyware diagnosis and removal.
First, I close all running programs and then I bring up the task list by clicking start –> run –> and typing in taskmgr (you can also hit ctrl-alt-delete and click “Task Manager”). Click the “Processes” tab, and you will see something like this:

Here you can see a list of things that are running on your computer. As you can tell, most of them run in the background, without putting anything on the screen, thus this is the only way you can see them. A clean windows system should only be running between 10-20 processes when it’s doing “nothing”. If you see something like “52 running processes” then you know right away that there’s a problem.
Two of the most immediate places I look for spyware startups are in the following locations:
C:/Documents and Settings/username/Start Menu/Programs/Startup
C:/Documents and Settings/All Users/Start Menu/Programs/Startup
Replace “username” with whatever name you use to log in (sometimes Default, for example).
Anything in those folders will run immediately. Many OEM computers (computers from Dell, Gateway, etc. – store bought as opposed to home-built) have many things in these folders right from the factory. Dell, for example, usually has their musicmatch jukebox application startup, the Dell Support connector, and if you have a Dell printer, the Dell Printer control panel. You have to use your judgment on what is legitimate here. You can always temporarily move things to a folder that you make on your desktop (or wherever) called “temp” or something, and reboot to see if anything important has been affected. If suddenly your scanner stops working, you know you deleted the wrong item.
Usually the first thing I do is run CWShredder. Here’s why: If a CoolWebSearch variant is indeed running on your system, it will actually stop you from running spyware scans. It is smart enough to detect efforts to detect it, and stop it from happening. After you run CWShredder to determine and kill a CWS infection, you should reboot and then run Spybot S&D.
Upon opening Spybot S&D for the first time, you should immediately check for updates. Download any of the updates it offers and then click “Check for Problems” under the “Search & Destroy” heading. It will run and if you have any spyware infections, it will list them in red. You might be surprised at just how many things you actually had running on there.
Check off the red items and click “Fix selected problems”. This will take care of the majority of your spyware problems.
I say “majority” because lately there are especially difficult removal problems with certain well written and prolific spyware installations. I have encountered some programs that actually break Windows’ ability to get on the internet without them, so that when you remove the spyware, you break Windows. Not to fear.
Here’s where HijackThis comes into play. Even after a Spybot S&D and AdAware scan, you may still have Browser Helper Objects and other creepy things installed. Browser Helper Objects (also referred to as BHOs) are basically little applications that run from within Internet Explorer and Windows Explorer (despite several lawsuits, Internet Explorer is still inextricably tied in with Windows) and have carte blanche as far as what they are able to do. BHOs can be installed in so many ways that I won’t even bother listing them right now. When you run HijackThis, you will get a list of all kinds of things – as I said before, many are legitimate. One thing to look out for is the entries that have “BHO” in them – I would venture to say that you don’t need ANY of the BHOs. Some of the few legitimate BHOs are the Yahoo Companion and the Google Toolbar, but some people even find those questionable. At any rate, you should delete any suspicious-looking BHOs from within HijackThis. One of the other key things to look for in HijackThis is the word “Search” – basically if the word “search” appears in a startup item, it’s generally a piece of spyware. “SearchHelper,” “CoolSearch,” “SearchCompanion,” “WebSearch,” etc. Get rid of them.
After you clean up BHOs with HijackThis, run Spybot S&D again, just for good measure.
Removing the trojans and viruses
At this point, your system should be fairly clean. At least, clean of spyware. You may still have trojans or viruses. For most people, these things go hand-in-hand with spyware. What I mean to say is, people who have spyware on their computers generally have a trojan or two as well.
What’s a trojan? It’s essentially the same as spyware, but it can differ in a few key ways. It doesn’t necessarily have to be installed by the user – trojans can install themselves on your computer utilizing security exploits and “backdoors” in an unpatched or unprotected Windows installation. While some trojans ARE installed by you (like the ones that come in email attachments), there are others that are installed by hackers or trojans on other computers (they propagate themselves with no human intervention.) Another way they differ is that they can serve no purpose other than to propagate themselves and give somebody else (the virus author or their friends) unrestricted access to your computer. They may not be for profit either. Take the MyDoom virus that came out in January of 2004, for example. It served two purposes; to log keystrokes and send them to the virus author, and to attack the website of the SCO company at www.sco.com on February 1st, 2004 so that the SCO website would go down.
Generally you need a commercial product such as Norton Antivirus to get rid of Trojans and viruses, although there are free alternatives such as AVG AntiVirus. Symantec, who makes Norton, also provides free virus removal tools for specific, individual viruses. However, you have to know that you are infected in order to run them, and they only kill that one particular virus. Antivirus software is a must-have on any computer system, so if you don’t have any installed, not only do you have any excuses, you are actually a part of the problem.
At any rate, after your spyware removal, you should definitely update your virus definitions and then run a full system scan.
After you run the virus scan, if you had any trojans or viruses, I would highly recommend running another Spybody S&D scan, just in case the virus reinstalled a spyware component before you killed it.
An ounce of prevention
Okay, now you should have a clean system. If you’ve got no spyware and no viruses, you are almost golden. The next order of business is to prevent infections from happening again.
1) Go to Internet Explorer and go to tools–>internet options. Under “temporary internet files”, click Delete Cookies, then Delete Files.
2) Choose the Security Tab. Click “Default Level” under “Security level for this zone”
3) Select the “Programs” Tab. Click “Reset Web Settings” to restore IE defaults.
4) Select the “Advanced” Tab. Click “Restore Defaults” and then under the “Browsing” header, UNCHECK the “Enable Install On Demand (Internet Explorer) button.
While you are still in Internet Explorer, go to windowsupdate.microsoft.com — you may be prompted with an ActiveX control from Microsoft called the WindowsUpdate control. You do need this, so go ahead an install it.
Once the screen says “Welcome to Windows Update” click on the button that says “Scan for updates”. It will go through the scanning process and then on the left hand panel you will see Critical Updates, Windows XP (or Windows 2000) and then Driver Updates. If there are ANY critical updates for your system, you should install them right now.
Make a habit of coming to this page on a weekly basis and installing the critical updates. This will close backdoor vulnerabilities and security exploits. Again, if you don’t do this on a regular basis, you are part of the problem because your computer will be used to propagate trojans and viruses to even more computers.
Other prevention measures
Here are some other things you can do to really make your computer safer:
1) Don’t use any file sharing (P2P) applications. This includes KaZaa, morpheus, iMesh, or grokster. Come on, admit it, you are not doing anything legal with it, and you are contributing to the spyware and trojan problem because many trojans propagate through the P2P networks. Plus, you might get sued by the RIAA or MPAA. It’s not worth it, just buy the CD.. In fact, use iTunes, it’s pretty cool.
2) Don’t use Internet Explorer as your browser. There are many alternatives, and in some cases the alternatives are better browsers. Of course, it’s a matter of opinion, but it is fact that IE is the most easily exploitable and vulnerable browser. If you don’t use IE, you will not experience ActiveX exploits or BHO infections any longer. I highly recommend Mozilla Firefox since it has integrated popup blocking and tabbed browsing, which is an amazingly helpful feature. Many people also recommend the Opera browser. It’s your call, but I would recommend against IE just because it is a common source of spyware infections.
3) Do not open any email attachments. I can’t stress this enough. If you would stop opening email attachments that had “funny jokes” or “cute screensavers” or “hot babes”, then the virus problem would be seriously reduced. Just don’t bother. And never, ever believe the sender of the email. If your Aunt Sally’s computer is infected with a virus, it will send you email, and it will look as if it is coming from her. “Oh, Aunt Sally would never send me a virus” you think, and so you open the cute screensaver that she sent you. Now you are infected, and you are a part of the problem. DON’T DO IT. I truly believe that the ability to attach files should be eliminated from email. There are better ways to transfer files. If you MUST open attachments, make SURE they don’t have the following file extensions: .EXE, .SCR, .BAT, .PIF, .ZIP, .COM .. Also, watch out for “fake” file extensions, such as .JPG.EXE or .GIF.PIF .. The first three letters are designed to trick you. It’s only the last three letters that count. If they are executable, you’ve just infected yourself.
4) Do not install any activeX controls. With the exception of a notable few such as WindowsUpdate control, Macromedia Flash, Macromedia Shockwave, products from McAfee or Symantec, or from your computer’s manufacturer (Dell, Compaq, etc.) there are no safe ActiveX controls. If you don’t use Internet Explorer, of course this won’t be a problem. But if you are married to Internet Explorer as your browser, please observe diligence and safe browsing habits so that you aren’t (say it with me now) part of the problem.
5) Don’t visit questionable websites. There is nothing free on the internet, don’t be fooled. Nefarious sites use porn, casino gambling, free games, free screensavers, free desktop backgrounds, free tools, free organizers, you name it. There is nothing free. Don’t believe it. If it’s free, then that means they want you to agree to giving up your privacy in order to partake. And generally, that means installing spyware. If you install a “free” game, you are generally installing spyware on your computer. If you visit porn sites, don’t be surprised when your computer starts getting porno pop ups all the time. I can’t tell you how many people I’ve had INSIST that they didn’t go to porn sites, but “magically” porn popups started appearing everywhere, along with porn sites in their favorites and porn site links on their desktops. If you visit porn sites, you should not be a computer novice, since your computer will get infected with spyware at some point. If you MUST visit porn sites, at the very least don’t use Internet Explorer, and make sure you run spybot and anti-virus scans when you’re done.
6) Don’t be a cheapskate. Go out right now and buy a commercial anti-virus product. You need it. I personally recommend Kaspersky AntiVirus.
7) Check for updates daily. If you have a bad spyware infestation, you probably have a high-speed network connection such as cable or DSL. If you do, there is no excuse. You must update your anti-virus definitions daily. It takes seconds. Just do it. Also, check for windows updates at windowsupdate.microsoft.com while you’re at it. Come on, you’re not that busy. If you’re stuck with dial-up, you have my condolences, but you still need to do it. Update virus definitions daily at the very least. Please.
8) Educate yourself. If you plan on spending a lot of time on the computer, you owe it to yourself and to the rest of the community to learn a bit more about the tools you are using, since computers can become a liability. You wouldn’t want to get into a car and start driving around if you’ve never done it before and are unlicensed. A computer can cause a lot of damage in today’s networked economy. You have the responsibility to keep yours from becoming “part of the problem”.
There you have it. If you follow this guide, and practice the eightfold path that I’ve laid out before you, you should become a safe citizen of the internet and prevent any insidious software from ever plaguing you again. Enjoy!
Last updated 03/12/2006


Articles RSS