What is Spyware?
-Well, in the words of Patrick Kolla, "In easy terms, spyware is software that transmits personally identifiable information from your computer to some place in the internet without your special knowledge."
What is Adware?
-Again, in the words of Mr. Kolla, "Adware is also often a side-effect of spyware, as both monitor you for a sole purpose – delivering you advertisement that is especially tailored to your habits."
What is Hijacking?
-In the words of Mike Healan, hijacking is where the browser settings of web surfers are being forcibly hijacked by malicious web sites and software which modifies your default start and search pages.
Spyware/Adware and Hijacking can harm your computer in various ways, such as annoying popups (that appear even after you disable Windows Messenger service), browser hijacking, strange slowdowns, etc.
How can I check my system and remove spyware/adware from my computer?
-Please perform the following steps to clean your computer of spyware, adware and other hijacks. All programs listed are freeware, except Ad Aware and SpywareBlaster, which are free only for personal use; SpywareBlaster is also free for educational use.
Note: This guide assumes you are running Internet Explorer 6 SP1 with all updates and you have run Windows Update and applied all critical updates. You need the Visual Basic 6 runtime libraries to run some of these programs. Most systems already have them, but should you get an error about MSVBVM60.DLL missing, get the libraries from Microsoft.
Make sure to delete your temporary internet files from IE and empty your recycle bin before you make these scans. Not doing so can increase the time needed to scan greatly.
The most popular files are available in their original form (i.e. you can use 'Run program from this location'), as well as a zipped form. You can open zipped files with a program like WinZip.
1. - Download LSP-Fix and Winsock Fix in case you cannot access the internet after removing certain pieces of spyware/adware.
2. - Run CWS smartkiller removal tool
Optional: I would recommend downloading, installing, and running the update utilities in the programs of steps 3 - 7, then restart your system into safe mode and unplug your NIC to run the scanners and fixes. I would then restart into normal mode and run them again before proceeding to step 7.
3. - Run CWShredder
4. - Run Spybot Search & Destroy
5. - Run Ad Aware
Note: Steps 6 - 13 are meant to prevent reinfection, not remove current infections!
6. - Run Spyware blaster
7. - Install IE-SPYAD, which is similar to SpywareBlaster, except it's a registry patch, and serves to block many attempts at hijacking, unauthorized installation of spyware, script-based popups and bad cookies. IE-SPYAD is updated about once a month, so check with them often. You should run both SpywareBlaster and IE-SPYAD.
8. - Make sure your AntiVirus is up to date and do a full system scan. If you have no antivirus or your subscription has expired, you need to get AVG which is a freeware antivirus that some people say rivals NAV. If you don't wish to install an antivirus program, try using Trend Micro's free online scan
9. - Make sure your firewall is up to date (to test your firewall, visit http://www.grc.com and run ShieldsUP!) and if you have no firewall, you need to get something like Zone Alarm.
10. - Check your Internet Explorer settings (Tools>Internet Options>Privacy) to make sure privacy is set to at least medium and that the security setting (Tools>Internet Options>Security) is likewise, and reset your homepage manually.
11. - A good deal of spyware and other malicious programs, including CoolWebSearch, use exploits in the Microsoft Virtual Machine. MS, due to judicial reasons, has stopped updating the MSVM. You can avoid a lot of spyware by moving from the MSVM to the Java Virtual Machine by Sun. Download the Java Virtual Machine and make sure you set it as your default virtual machine.
If you are still having problems, download HijackThis. After running it, please highlight everything it lists, then copy and paste the contents into your reply in the same post where you originally asked your question. After you run HijackThis, run StartupList and post its output also. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
Note: Remember to keep all of these programs updated and run Spybot, Ad Aware, and CWShredder scans/fixes at least once a month. In the meantime try Firefox, which is a great alternative to Internet Explorer that usually has fewer problems with spyware and hijacking.
We all need to thank Patrick Kolla (whose spybot database was stolen and turned into nonfreeware software by people who sought to make money off of his work), Merijn (especially this guy, since he gets blamed all the time for creating coolwebsearch), and others for creating and maintaining these excellent freeware tools.
Note to mozilla users
No need for lifelong Mozilla/Firefox users to perform steps 2, 3, 9.
If everything above fails,
MANUAL SPYWARE REMOVAL, the following steps were created by Ness.
First off, close any programs you have open. Copy this post to a text file and save it so you don't have to open IE while you are doing this. That could re-launch the spyware. Get a piece of paper (or in the same text file) and write down any names of programs, companies, urls... etc that are pissing you off.
Step One: Start >> Run >> MSConfig. Go to the "startup" tab, and uncheck anything you don't recognize or that you recognize as the offending programs. It's okay if you accidentally turn something off that you want, you can turn it on again later.
Step Two: CTRL + ALT + DEL. Select the processes tab, then click to sort by username. Kill any process you don't recognize running by your username. You should only have open explorer.exe, since I told you to close everything else. You might get two processes with the same name... if you close one, the other will open it back up. If you get this, restart and try it again.*
Step Three: Start >> Control Panel >> Internet Options. (DO NOT OPEN THIS FROM IE. YOU SHOULDN'T EVEN HAVE IE OPEN!!) Click "Delete Files". Then click "Settings" and then "View Objects". Delete any objects you don't recognize. If you delete something that is okay, it's alright, it will just download again next time you need it. While you are in here, type in the address you want for your homepage, but do not surf there to get it. If the URL is too long to type, just put in yahoo or something for the time being.
Step Four: Restart. At this point, you should have stopped the spyware from running all by itself. You should be able to restart without it starting up. If this is not true, start over. You missed something. When everything is good, move on.*
Step Five: My Computer >> (System Drive) >> Program Files. Delete the folders and files of anything you don't recognize, or anything you recognize as the offending program. At this point, you should be able to safely run IE, so if you don't recognize something, you can google the name and see if anything turns up about it.
Step Six: Start >> Run >> Regedit. Remember the list I told you to make? Search the registry for all of those terms and URLs. Delete any offending keys, or if they seem to have modified data (such as modifying the http:// prefix setting to be their URL) change it back to what it should be.*
Step Seven: Once again, restart. Again, you shouldn't have any spyware running and things should be fine now. There may be a few pieces of junk left over, but they won't do anything to you without the rest of their programs. *
For every step that ends with a "*", You MIGHT want to run spybot/Adaware/etc AFTER you complete the step, to save you a little work.
This is how you manually remove spyware (and many other programs, for that matter.)
If you have no idea what I mean at any point, you probably don't know what you are doing and you should learn about that before you try this.
This SHOULD work for all versions of windows 98 and above.
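
Step Six above means searching the registry for every term on your list, one search at a time. The Python script below is an added example, not part of Ness's steps or of any tool named in this guide: it checks a registry export (Regedit >> File >> Export) for all watch-list terms at once and only reports matches, so deciding what to delete or change back stays a manual step. The sample export and the names ExampleAdCo and adhelper are constructed for illustration.

```python
import re

# Constructed sample in regedit's export format; every name and URL is made up.
# Real exports are UTF-16 on Windows 2000 and later (REGEDIT4 files are ANSI).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="C:\\WINDOWS\\system32\\systray.exe"
"AdHelper"="C:\\Program Files\\ExampleAdCo\\adhelper.exe /quiet"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.exampleadco.test/home"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://redirect.exampleadco.test/?q="
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAdCo]
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def unescape(s):  # .reg strings escape backslash and quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, None, None) for each key, then (key, value_name, data)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            data = m.group(2)  # dword:/hex: data is kept in raw form
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            yield key, name, data

def find_hits(text, watchlist):
    """Report-only: list keys and values that mention any watch-list term."""
    terms = sorted(t.lower() for t in watchlist)
    hits = []
    for key, name, data in parse_reg(text):
        haystack = ' '.join(x for x in (key, name, data) if x).lower()
        matched = [t for t in terms if t in haystack]
        if matched:
            hits.append((key, name, data, matched))
    return hits

for hit in find_hits(SAMPLE_EXPORT, ["exampleadco", "adhelper"]):
    print(hit)
```

To check a real export, read it with open(path, encoding="utf-16").read() and pass the text to find_hits together with the list of names and URLs you wrote down.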