Kevin's Junkware combat guide

Front Page \| Information \| Computer \| Router setup tips \| XP setup tips \| Address munging for newsgroups \| Junkware \| Alternate Data Streams \| Check, Credit or Debit?
Do you seem to be getting spam from my domain? Please see this note If you find a dead link, a typo or have a suggestion, there's a link at the bottom of the page that you can use to send me an Email.	I like and use Firefox. Which ever browser you use, make sure you keep it updated. That goes for all critical software. Date format is MM/DD/YYYY

Most of this page is seriously out of date, but I'm leaving it as is until I have time to clean it up, which will probably involve removing most of the links. Some of them still go to good companies, but a lot has changed since I wrote what's on here. Some links have almost certainly changed owners and may not be good anymore. Confirm anything you use. The nasties are nastier, they're easier to get, and much harder to remove. I'll add any current links right at the beginning.

4/19/2009 Avira AntiVir rescue disk. This will build a bootable CD with the latest definitions of Avira AntiVir on it, that can then be used to try and clean a computer. It's not updatable, you have to download and build a new version when you need it.

5/3/2009 Malwarebytes' Anti-Malware cleans most types of malware including viruses, trojans, spyware and more. The free version will scan and clean manually. Real time protection and other features are available by purchasing a license. For home users it's a one time fee.

07/24/2009 Insert is a complete, bootable linux system. It comes with a graphical user interface running the fluxbox window manager while still being sufficiently small to fit on a credit card-sized CD-ROM. INSERT contains a multitude of useful tools to be at your hand in a variety of situations

07/24/2009 The Ultimate Boot CD contains a plethora of utilities including Anti-virus software. Be sure to update the AV signatures.

10/01/2009 Microsoft has released their free for home or small business use Microsoft Security Essentials which provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. The reviews so far are looking pretty good, and it seems to run without bogging down the computer. It uses Windows Update to get updates, but will apparently run and update OK even if you have Automatic Updates set to only notify you of actual Windows Updates. I haven't tested it myself yet, so I'm not sure of the settings. It does not scan email which is fine by me, but it does scan downloads and files being saved to the hard drive. You can read this review from PC Advisor UK.

10/21/2009 Techmixer.com has a FREE Bootable AntiVirus Rescue CDs Download List to choose from. To get any of the ISOs listed click on the How to Guide link below each listing, there's a download link at the beginning of the instructions. Confirm that the download is coming from the proper site for that vendor.

02/18/2010 TestDisk is OpenSource software and is licensed under the terms of the GNU General Public License (GPL). TestDisk is a powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

02/20/2010 This "offline" Password and Registry editor will boot from a CD or floppy and allow you to access your registry on NT based systems. It's commandline and it defaults to password modifications. I've used it to recover access to a system when the Admin password was lost somehow. You can change or reset any password for any user. You can not see what the current password is.

03/14/2010 Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.
It is possible to boot TRK in three different ways:

-as a bootable CD which you can burn yourself from a downloadable isofile
-from a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK cd
-from network over PXE, which requires some modifications on your local network (version 3.2). Version 3.3 has the ability to act as a network bootserver itself, without any modifications to your local network.

TRK is a complete commandline based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

05/02/2010 The VIPRE Rescue Program is offered for free by a partnership between Malwarebytes and Sunbelt Software.

The VIPRE Rescue Program is packaged into a self-extracting executable file (.exe) that prompts the user for an "unpack" or installation location, then starts the scanner and performs a deep scan. The user can start the program either by opening it via windows or from the command line.

The VIPRE Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

07/19/2010 The Emsisoft Emergency Kit contains a collection of programs that can be used without a software installation to scan and clean infected computers for malware. Download the Emergency Kit, extract it to a USB drive, and run it from there.

Anything below this point is old and potentially invalid. Beware of new owners on old sites, they may not have the same intentions. Some old sites are still there, they're just old and out of date.

I'm putting this page together to help me clean up people's computers, but it can serve as a reference for anyone else needing information or tools to deal with junkware too. My main purpose is so that I have the links available to me when I'm out and about.

One very important thing to remember is that this is a really hot topic right now, and like anything that people need help with there are some who will take advantage of that fact. Some of the adware removers/scanners are pure scams. Some will install their own junkware, some will install even worse things. There are cases where someone has taken a free program like Spybot, renamed it, and sold it as their own. Beware of anything that has too much hype, or tries to scare you into buying their product. If you go to a web page and there are big flashing letters that say SPYWARE HAS BEEN DETECTED, DOWNLOAD OUR SCANNER NOW, go somewhere else fast. A good list of fake or problematic Spyware removers is the Rogue spyware list. Also check out their companion page on Family Resemblances. Please note that these are not my lists, I just reference them.

Many of the sites and programs listed here are provided by people who just want to help clean this stuff up. Often they started by working on cleaning one specific nasty, and things snowballed. Most of them provide their time and web space at no charge, but many accept donations to help them cover their costs. Please consider donating. Some programs have free and paid versions. The paid versions have more features. If you like and use the free one, consider buying the paid version to support them.

Junkware, adware, spyware, scumware, crapware, or parasites, whatever you call it, it's gotten totally out of control during the last half of 2003 and beyond. Some articles about it are at aumha.org, Eric Howes site and Eric's comments (1863kb PDF) to the FTC. And now there's a first anniversary follow-up by Eric and Ben Edleman. Ben has some excellent articles about how some spyware infestations are carried out.

An April 2004 Infoworld.com article about what percentage of computers are infected with some sort of malware. It's gotten worse since then, not better.

The Houston Chronicle printed a good article in 2004 with lots of information about spyware and tips on how to clean up. And more importantly, how to avoid it in the first place.

At least some of the crap that gets installed on people's computers earns money for college students. They get paid to post the bait that sucks people in. See this PCWorld article from June 2004.

An example of how much money is involved can be seen in the legal actions that New.net has been taking.

Arstechnica.com has a good article with descriptions of malware and some screen shots.

Forums and sites with information

SpywareWarrior.com is a good place to start. They have links to articles, forums, blogs and many anti-spyware sites.
A long list of tools is at one of Eric Howes' pages. I haven't even looked at many of them. let alone used them. But they're highly recommended by many people and there's something listed there for just about any nasty you'll come across. I have used most of the following at one time or another.
Merijn.org This link actually goes to the mirror at Spywareinfo.com since his pages are often unavailable due to the amount of traffic.
Spywareinfo.com (Also sometimes unavailable)
The Parasite pages at doxdesk.com.
Spywareguide.
Aumha.org forums.
Wilders Security forums.
Pest Patrol's (now Computer Associates) research center.
Instructions for manual removal of lots of pests are at PC Hell.
An excellent list of programs and methods to protect your computer are in this newsgroup post.
You can check running processes using What's Running or snapfiles.com. I haven't tried either one but they've been recommended by people I trust. I have used HiJackFree and Process Explorer plus other utilities from that second page.
Once you find out what's running, even just with Task Manager, you can check to see if it's legitimate at liutilities.com whatsrunning.net processlibrary.com

Software to help clean up a computer

Where it's appropriate, I've linked to the front pages of the companies providing free software. Generally the free software is only one of their offerings, and they hope that you'll like it and buy something else from them. So it seems fair to let people see what else they may have. You may have to poke around a bit to find the free version.

NIST.org has a list of online Virus and Spyware scanners.
Spybot Search and Destroy. Donations gladly accepted.
AdAware. Free and paid versions.
Setup instructions for both AdAware and Spybot.
Sunbelt Software has Counterspy which has a 30 day trial. Added 08/10/05
MS Anti-spyware is free from Microsoft. For XP only, and verification of having a legitimate copy of Windows XP is now required. As of March 2006 it has now been renamed Windows Defender and will work on Windows 2000 Service Pack 4. It has also been changed a lot. Added 08/11/05
A-Squared Anti-Trojan has free and paid versions. Added 08/11/05
Webroot Spysweeper. Added 08/11/05
Pest Patrol has an evaluation version.
Autoruns for monitoring startup items. Free from Sysinternals.
Sysinternals also has RootKitRevealer. It's still under development, and may find false positives. Sometimes lots of them. But it's a very powerful tool which may help spot something. But you have to decide what's a problem and what's OK, there's no guidance. It just does a scan and reports things that don't match. Help is available though from the RootKitRevealer Forums or many other online sites.
SilentRunners is a VBS script that looks up a lot of startup items and lists them in a text file. By default the text file is saved to the directory that SilentRunners is started in. See the page for instructions on how to change that and more.
HijackThis (part way down the page). Freeware with donations accepted.
Spywareinfo , Bleepingcomputer.com and Aumha.org have tutorials for HijackThis.
A web page that will do a basic analysis of your HijackThis Log. It's not perfect and will flag a lot of "questionable" entries, but it's a good place to start on a very complex list. NetworkTechs also has a HJT Analyzer. Use both and compare the results to increase your chances of spotting false positives.
Several tutorials for using different Spyware/Hijacker removal tools from Bleepingcomputer.com.
SortedPC.com has a list of online virus and parasite scanners. Always a good idea even if you think you only have adware problems. There's so much overlap in malware types these days that the lines have blurred. Added 08/13/05
There's a list of clean, free security related software at Respect2Glory's website.
Eric Howes has a list of Spyware/Adware/Hijackware Tools that is much more comprehensive than what I have here.

Cleaners for specific nasties:

CWShredder for Coolwebsearch was originally developed by Merijn Bellekom of the Netherlands. Because that whole site was often down due to DOS attacks, CWShredder could also be downloaded from Aumha.org which was an official mirror site. And still is, even with the ownership changes of CWShredder.

Merijn had to give up on trying to keep up with CWS, it morphed too fast. his program has been taken over by Intermute who now maintain and update it. And Intermute has now been absorbed by Trend Micro, but CWShredder is still free. It's also available as part of a for pay suite of software tools. Two other sites with information about CWS are Michaelhorowitz.com and Silentrunners.org.

Ways to protect yourself so it doesn't happen again.

Use common sense. There Ain't No Such Thing As A Free Lunch. If you're thinking about installing some free software, read the EULA closely. Often there are clauses in there about the "additional" software that will be installed. Many times that additional software doesn't uninstall when you uninstall the host software. Sometime the additional software installs even if you cancel out of the original installation. And the worst ones won't even mention anything extra, they just do it.

Stay up to date with patches and upgrades. If a software vendor releases a security patch or upgrade, it's almost certainly worth installing. For Windows and IE you can check Windows Update. For other programs you'll have to check the vendors site now and then unless they offer a mailing list to send notifications. Most don't due to problems with spam blocking.
Use a web filter like Proxomitron that will block a lot of the scripts and other methods that some of these things use to get installed.
Eric Howes' Enough is enough for IE.
IESPYAD is also for IE users.
Spyware blaster and Spyware guard. Freeware with donations accepted. Configuration guides for Spywareblaster and Spywareguard.
You can block a lot of ads and unpleasant sites using a hosts and/or PAC file. Sheryl Canter has information and instructions.
Use an alternate browser although that's not a guarantee either. I use Opera and Firefox.

Disclaimer:

Keep in mind that I am not responsible for any external sites linked to from my pages. They may look different to you, or even have effects on your browser or computer that are different than what I see due to different security settings and browsers. They could have also changed since I looked at them. To the best of my knowledge, they are all safe. But you surf at your own risk.

This document reflects the opinions of the author. This document is provided "as is" without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author/maintainer and/or contributors assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

The only information that I collect is page hit counts. My web host Penguinhost.net keeps track of lots of things and makes the information available to me in pretty graphs and logs. I look at them occasionally, but there is no personally identifiable information there.

If you have questions, corrections or comments about the page please Email me.

Validated by HTML Validator (based on Tidy)

This page was last updated July 19, 2010.