Spyware Protection (How do I remove & protect my computer from spyware?)
DISCLAIMER
Though this document represents an effective spyware removal process refined by the OIT Help Desk staff, we can make no guarantees that following these instructions will completely clean a system. The compendium of known spyware changes frequently and sometimes even the most heroic efforts may not fully clean an infected machine. In the worst cases, one may ultimately need to utilize a for-fee service center such as the OIT Service Department in order to effectively clean and secure the computer. The OIT is not responsible for problems that result or appear to result from following these instructions.
What Is Spyware?
Spyware, sometimes referred to as adware, consists of programs placed on your computer and used to do any or all of the following:
- Track your visits to various websites, cause advertisements to pop up on your screen, or use your computer’s processor to process data for third parties.
- Change your web browser’s default home page or even make it impossible to visit certain web sites.
- In extreme cases, spyware may render your computer so slow that it is virtually unusable.
How Does Spyware Get On The Computer?
Spyware can get on a computer in one of several ways:
- Spyware may be downloaded and installed silently through security vulnerabilities in the Windows operating system or web browser. This may happen because Windows critical security updates are not current.
- Spyware may be installed when you install other software, especially free games, free screensavers, free file-sharing programs, even free utilities that claim to protect you against spyware or ad pop-ups. Such software is often “free” to download only because of the spyware that is included with the program.
- Some spyware already on the computer may silently download and install other spyware onto your computer.
Spyware Removal & Protection Procedure Outline
This is the basic procedure to get rid of spyware and ad pop-ups. Each step will be covered in detail in subsequent sections.
- Scan the Add/Remove Programs control panel for known or suspected spyware and uninstall whatever items can be uninstalled.
- Boot computer in Safe Mode with Networking.
- Disable spyware startup processes using the System Configuration Utility (Windows XP only).
- Download, install and update SpyBot Search & Destroy and scan system for spyware and remove all objects that are found.
- Download, install, and update Ad-Aware and scan system for spyware and remove all objects that are found.
- Check for Windows Critical Updates and install any critical updates that are needed.
- Install and/or update McAfee VirusScan 7 and scan system for known viruses.
Step One: Using Add/Remove Programs to Uninstall Known Spyware
- Open the computer’s control panel and launch the Add/Remove Programs tool. Shortly, a list of installed programs will appear.
- Starting at the beginning, search for known spyware items to uninstall, including but not limited to the following list.
- Remove whatever items you can and let the spyware removal tools do the rest of the job.
Partial List of Known Spyware

| Program | Program |
| --- | --- |
| B3D Projector | P2P Networking |
| Bargain Buddy | PAD Lookups by N-Case |
| Bonzi Buddy | Safe Surfing |
| Comet Cursor | SaveNow |
| Common Name | Search Assistant |
| DellFin Media Viewer | Spin4Dough |
| Enhanced MediaLoads | Webhancer Agent |
| Golden Palace Casino | Web Helper |
| Interstitial Ad-Delivery by N-Case | Wild Tangent |
| Lycos Side Search | Win Favorites |
| MediaLoads | Win32BI |
| My Web Search | XXXToolbar |
| New.Net Domains | |
Step Two: Booting Computer in Safe Mode with Networking
- Start with your computer turned off.
- When you turn the computer on, immediately begin tapping the F8 key and continue to do so until the Advanced Startup Options screen appears.
- Using the arrow keys on the keyboard, select the option Safe Mode With Networking and press Enter.
- Select the operating system (usually, there’s only one choice) and press Enter.
- Log in to Windows as usual when prompted.
- Windows will display a dialog box explaining that Windows is running in safe mode. Click OK (Windows 2000) or Yes (Windows XP).
Step Three: Disable spyware startup processes using the System Configuration Utility (Windows XP only)
Step Four: Installing & Scanning With SpyBot Search & Destroy
Installation
One of the most effective spyware removal tools we have used is a freeware product called SpyBot Search & Destroy. SpyBot can be downloaded from the following URL:
https://oit.nd.edu/software/licenseinfo/
- Download the SpyBot installer to a known location on your hard drive such as your Desktop.
- Locate the installer and double-click it to begin the installation and choose English as the installation language.
- Click Next at the Welcome dialog box.
- Accept the license agreement and click Next.
- Click Next when prompted to select the destination location.
- When asked to select additional components, you may choose to deselect Additional Languages and Skins to change appearance. Click Next.
- Click Next when asked to Select Start Menu Folder.
- You may choose whether or not you want additional icons on the desktop or the Quick Launch toolbar. We recommend that the Use Internet Explorer protection (SDHelper) option be checked. Click Next.
- Click Install to install the program. When the installation is complete, leave the Run SpybotSD.exe option checked and click Finish.
Scanning with Spybot
- When Spybot runs for the first time, you will receive a legal disclaimer. Read it and click OK.
- The Spybot S&D Wizard will appear. Click the Create registry backup button and click Next when it is finished.
- Click the Search for updates button and, when it becomes available, click the Download all available updates button. Click Next. (Note: If SpyBot will not update or indicates that there are no newer updates available, please see the Troubleshooting section at the end of this document).
- Click the Immunize this system button. When Spybot confirms that your system has been immunized, click Next.
- Click the Start using the program button. Spybot will launch.
- In the left-hand pane of the Spybot window, click the Search & Destroy button and then click the Check for problems button. Spybot will scan your computer for known spyware.
- When the scan is complete, Spybot will display the results of its scan. Click the Fix selected problems button and click Yes when asked if you want to continue.
- Spybot will give you confirmation when it is finished. If Spybot finds spyware that it cannot remove, it may ask if it can run at the next startup. Click No. We’ll be running another spyware removal program shortly that may be able to remove items that Spybot cannot. Otherwise, click OK when Spybot tells you how many problems it fixed.
Step Five: Scanning with Ad-Aware
Spybot is best used in combination with another product called Ad-Aware. Ad-Aware is also available from:
https://oit.nd.edu/software/licenseinfo/
Installation
- As you did with Spybot, download the Ad-Aware installer to a known location such as your desktop.
- When it is downloaded, double-click it to begin the installation.
- Click Next at all dialog boxes. There is no need to change any of the default installation options. Click Finish at the last installation dialog.
Scanning
- Run Ad-Aware by double-clicking the Ad-Aware 6.0 icon on the desktop.
- When Ad-Aware launches, click the Check for updates now link in the lower right portion of the window.
- Click Connect in the Performing Webupdate… dialog box.
- Ad-Aware should notify you that there is a “New reference file available….” and offer to download and install it. Click OK.
- Click Finish when the Webupdate is complete.
- Now, click on the Start button in the lower right of the Ad-Aware window.
- Leave the option to Perform smart system scan selected and click Next.
- Ad-Aware will scan your registry and system folders for known spyware components and will display the results when the scan is complete.
- Click Next.
- If all of the items listed are not already checked, right-click anywhere in the list and choose Select all objects from the contextual menu. Click Next.
- Click OK when asked if you want to continue removing the items.
- If Ad-Aware is unable to clean some items and offers to run at the next startup, click OK.
Step Six: Windows Updates
Because of the likelihood that spyware was installed on the system through exploited Windows or Internet Explorer security vulnerabilities, it is a good idea to check for missing Windows Critical Updates.
- With the spyware now removed from the system, launch Internet Explorer and point the browser to http://windowsupdate.microsoft.com (or, using Internet Explorer, go to Tools > Windows Update).
- You may be asked if you wish to install and run the Windows Update control. If so, click Yes.
- After it is installed, click the Scan for updates link.
- When the scan is complete, the update page will show you how many Critical Updates are needed in the left margin of the page.
- Click on the Review and install updates link in the main browser frame and follow the instructions on the screen.
Note: There may be updates that must be installed separately from other updates (e.g. Windows XP Service Pack 1a or Windows 2000 Service Pack 4). Allow them to install and Restart if prompted to do so. After each subsequent restart, revisit the Windows Update site and scan for updates until the total required critical updates are at zero.
Configuring Windows to Automatically Update
In order to better maintain your computer’s security, both Windows 2000 and Windows XP have a feature called Automatic Updates. By configuring it as instructed below, you can ensure that these updates are installed regularly to prevent future security incidents.
Windows XP:
- Right-click the My Computer icon and select Properties from the contextual menu.
- Go to the Automatic Updates tab and check the option to “Keep my computer up to date…”
- Select the configuration from the three options below. We recommend selecting the option to “Automatically download the updates, and install them on the schedule that I specify.” By default, installation is scheduled for every day at 1:00am. However, if the computer is off at that time and downloaded updates are waiting to be installed, they will automatically install at the first opportunity regardless of time of day.
Windows 2000:
- Go to Start > Settings > Control Panel and double click the Automatic Updates icon.
- Change the settings as described in the Windows XP instructions above.
Step Seven: Scan For Known Viruses
It is also possible that a class of virus known as a “Trojan horse” was responsible for the installation of spyware on the system. For this reason, it is also a good idea to install and/or update McAfee VirusScan and scan for known viruses.
An installer for McAfee VirusScan is available from:
https://oit.nd.edu/software/licenseinfo/
- Simply download the McAfee installer to a known location on the hard drive (e.g. Desktop), double-click the installer, and follow the instructions on the screen.
- Near the end of the installation, McAfee will offer the option to run a couple of tasks after installation: AutoUpdate and On-demand Scan. Click Finish.
- McAfee will check for available updates to the scan engine and virus definitions and install them. After it has been updated, it will initiate a scan of your system for known viruses.
- If McAfee indicates viruses on the system that it is unable to clean, please contact your Departmental Computer Support person or call the OIT Help Desk at 631-8111.
Troubleshooting
Problem: Spybot or Ad-Aware will not update or tells you there are no updates available.
Possible Cause: Spyware has modified your computer’s hosts file to block access to anti-spyware and/or antivirus sites.
Solution: Use SpyBot’s Built-in Hosts File Management Tool
1. Open SpyBot and switch to Advanced Mode by going to the Mode menu and selecting Advanced Mode.
2. Click on the Tools button in the left margin of the Spybot window.
3. From the list of tools, select Hosts File. Spybot will show all of the entries in your computer’s hosts file. An unmodified hosts file will have only one entry (localhost) listed.
4. If your hosts file has been modified, there will be several more entries listed in addition to localhost. If so, select all of the additional entries and click the Remove selected entries button so that only the localhost entry remains.
5. Now, click on the Spybot-S&D button on the left margin.
6. In the main portion of the Spybot window, click on the Search for Updates button.
7. Spybot should now be able to check for updates and display a list of those available.
8. Place a check next to any available updates and click the Download Updates button. Spybot will download the updates.
9. After the updates are downloaded, this may be a good time to turn the tables on the spyware and add Spybot’s hosts list to your hosts file to block access to spyware sites and help prevent future infection. Return to steps 1, 2 & 3 and, this time, click on the button to Add Spybot-S&D hosts list.
10. Now, you can click on the Spybot-S&D button and then click the Check for problems button to begin scanning for spyware.
Other Preventive Measures
SDHelper & Tea Timer
You may recall that, during installation, Spybot offered to enable a feature called SDHelper. The SD Helper runs in the background and prevents the Internet Explorer web browser from automatically downloading spyware content from web pages you visit. If you did not enable this feature when you installed Spybot, you can do so now.
1. With Spybot running, switch to Advanced Mode by clicking on the Mode menu and selecting Advanced mode.
2. Now, click on the Tools button in the lower left of the Spybot window.
3. From the list of tools, click on the Resident icon.
4. Now, place a check next to the Resident “SDHelper” (Internet Explorer bad download blocker) active option.
5. In addition to the SDHelper feature, Spybot has another feature called “TeaTimer” that protects over-all system settings from being changed by spyware. To enable this feature, repeat steps 1 to 3 and then place a check next to the Resident “TeaTimer” (Protection of over-all system settings) active option.
IE Tweaks
As observed in the troubleshooting section of this document, one common trick of spyware programs is to modify your system’s hosts file to prevent access to sites that might help you get rid of spyware. In the same way, the hosts file can be used to redirect your system’s request for some sites to spyware-infected alternative sites instead. To prevent this from happening, Spybot can lock your hosts file to prevent its contents from being changed.
- In Spybot, click on the Tools button.
- Now, click on the IE Tweaks icon.
- Now, place checks next to the “Lock hosts file….” and “Lock IE start page….” options. Since you may occasionally need to change other Internet Explorer options, we recommend against checking the “Lock IE control panel….” option.
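The hosts-file check described in the Troubleshooting and IE Tweaks sections, as an added example (not part of the original OIT document or of Spybot): a Python script that lists every hosts entry other than the stock localhost mapping and labels it as blocked (pointed at the local machine) or redirected (pointed at another address). The sample file contents and every hostname and address in them are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hosts file as it might look after tampering.
# All non-localhost names and addresses are illustrative placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       updates.antispyware.example   # blocks an update site
0.0.0.0         www.antivirus.example download.antivirus.example
203.0.113.7     search.portal.example
::1             localhost
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; skip comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        # One line may map several names to the same address.
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()

def classify(ip, name):
    """Return 'ok', 'blocked', 'redirected' or 'malformed' for one mapping."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    sinkhole = addr.is_loopback or addr.is_unspecified
    if name == "localhost":
        return "ok" if addr.is_loopback else "redirected"
    # A real site name sent to the local machine can never be reached (blocked);
    # one sent to any other address goes wherever the entry says (redirected).
    return "blocked" if sinkhole else "redirected"

def audit_hosts(text):
    """Return every mapping that is not the stock localhost entry."""
    return [(n, ip, name, verdict)
            for n, ip, name in parse_hosts(text)
            if (verdict := classify(ip, name)) != "ok"]

if __name__ == "__main__":
    for n, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip} [{verdict}]")
```

On Windows 2000 and XP the file is at %SystemRoot%\System32\drivers\etc\hosts; pass its contents to audit_hosts. Entries added by Spybot's own hosts list will also be reported as blocked, so judge each finding by its hostname.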
Where To Go For Help
- The OIT Help Desk: (574) 631-8111
- The Resnet Help Line: (574) 631-7610
- The OIT Service Department: (574) 631-7689
Other Spyware Resources
- Spybot Search & Destroy Home
http://www.safer-networking.org/en/index.html
- Ad-Aware Home
http://www.lavasoftusa.com/
