Procedure for Removing Spyware
from Windows Systems

Terry Bollinger
terry at terrybollinger dot com
www.terrybollinger.com
Updated 2006-04-30 (Macromedia link, MS Defender)
Updated 2005-06-23 (miscellaneous changes)
Created 2004-12-01


Copyright 2005-2006 by Terry Bollinger, but unlimited rights to copy for free or for profit
are granted provided only that the document as a whole and this copyright remain
intact. Translation into other languages is also permitted, in which case the original
English version may be omitted. Please also read the legal disclaimers at the end of
this document BEFORE attempting any of the spyware removal methods given here.



Quick Start for Experts and Experimenters

If you are an expert at navigating the internals of your Windows operating system, and if you are willing to assume all risks of damage to your system, you can skip the rest of this document and go directly to the list of files in the downloaded toolkit. The filenames themselves provide a highly compressed summary of the spyware removal procedure. Note that the legal disclaimers given at the top of the file list still apply. This approach may also be appropriate if you simply wish to discover how much spyware is on a PC or laptop whose contents are irrelevant. The quick procedure is also summarized in the following table of contents for this document:

0. Read and Agree to the Disclaimer
1. (Optional) Prepare Your Computer
1-a. Read this Spyware Removal Procedure
1-b. Download the Spyware Removal Kit
1-c. Backup Important Data and Applications
1-d. Disconnect Your System from the Internet
1-e. Turn Off All Sharing of Printers and Folders
1-f. Kill (End) All Unnecessary Tasks
2. (Optional) Deinstall Web Programs and Virus Checkers
3. (Optional) Install Mozilla Firefox
4. (Optional) Install Adobe's Flash Player for Mozilla Firefox
5. Install and Use ToniArts EasyCleaner
6. Install, Update, and Use Trend Micro's CWShredder
7. Install and Use Sygate Personal Firewall
8. Install, Update, and Use SpywareBlaster
9. (Optional; not for 98 or ME) Install and Use Windows Defender
10. Install, Update, and Use Webroot Spy Sweeper
11. Install and Use Spybot Search & Destroy
12. Install and Use Lavasoft Ad-Aware SE Personal
13. If Tools Fail, Deinstall All, then Reinstall All
14. Update Windows
15. Perform an Online Virus Check
16. (Optional) Reinstall Your Virus Checker
17. Decide on Your Long Term Tool Selection
18. Consider Alternatives for High-Value and High-Security Work

Severity of the Windows Spyware Problem

It is astonishingly difficult to find and remove all spyware from a typical home or small business Windows system, especially if it is an older version of Windows with a wideband (that is, DSL or cable) Internet connection. For example, if you have such a system and are checking it regularly for viruses and spyware, the odds are nonetheless surprisingly high that you have one or more instances of the more dangerous forms of spyware hiding deep within your systems.

But how can that possibly be true, if you have good tools that look for such spyware and they keep telling you that your computer system is clean? Unfortunately, such deceptions are not as difficult as you might think. After all, a spyware checker is simply a program that is good at detecting and removing other programs that it deems dangerous. However, what if those dangerous programs have been designed to do the same thing to the virus and spyware checkers? The result is something more akin to a cyber war than to a simple scan, with either side potentially pulling ahead depending on which program gains the upper hand first. Nor is it all that hard technically to create aggressive spyware programs; it is really just a matter of how many rules of computer etiquette and real-world law a spyware designer is willing to break to get into someone else's computer. As of late 2004, there are far too many people and programs on the Internet that are willing not just to break such rules, but to shatter them into thousands of pieces.


Purpose of This Procedure

The purpose of this procedure is to give Windows users a fighting chance of removing all spyware from their systems, not just the easy-to-find "softcore" spyware that plays by the rules. The approach is to use diverse tools and make the best possible use of a critical advantage that you have: physical possession of your machine and control of its access to the Internet. With some effort, an intentionally diverse set of tools, and the ability to take physical possession of the system and its link to the Internet, it is generally possible to remove even the cleverest examples of totally unscrupulous "hardcore" spyware.


Detailed Spyware Removal Procedure


0. Read and Agree to the Disclaimer

Corresponding tool kit file:
0--PLEASE_READ_THIS_DISCLAIMER_before_doing_the_steps_below.html

This is the same disclaimer located at the end of this document.


1. (Optional) Prepare Your Computer

Corresponding tool kit file:
1--OPTIONAL-Download-Backup-Disconnect-SharingOff-KillTasks.html

While this step is important, it requires more understanding of your Windows system than the simple, standardized tool installations, and so is optional. Backing up your data is always recommended, however. This step is broken up into substeps 1-a through 1-f below.

1-a. Read this Spyware Removal Procedure

The most recent version of this procedure can be found at:
http://www.terrybollinger.com/spyware/spyware_removal_procedure.html

1-b. Download the Spyware Removal Kit

If you do not already have the spyware removal kit, you can download it from the following (limited capacity) web site:
http://www.terrybollinger.com/spyware/spyware_removal_kit.iso

The above image file can be burned directly into a CD, which is the easiest way to apply it to multiple computers.



Alternatively, you can download a zipped version of the toolkit from here:
http://www.terrybollinger.com/spyware/spyware_removal_kit.zip

Use the zipped version if you do not have a CD burner or prefer to place the tool kit directly on your disk.


When you burn your CD or create your folder, you will find three subfolders within it:

A--Use_this_folder_to_install_tools_and_remove_spyware
B--Use_this_folder_to_download_latest_versions_of_tools
C--Check_here_for_additional_advanced_tools_and_fixes

The spyware removal tool kit is located in the first folder. The numbering of this procedure corresponds to the names of the documents and installation files within the first folder.

The second folder can be used to download the latest version of the tool kit applications. If you are not sure you trust using the files in this tool kit (an attitude that I encourage, actually), you can use these links to find the original web sites for the applications. I also encourage looking for reviews of these and any other spyware removal tools you may try. Not all removal tools are ethical, so finding independent reviews is always a good idea.

The third folder provides advanced tools that are beyond the scope of this procedure. Look in that folder if you are having trouble getting any of the tools to run, or if you encounter spyware that you cannot remove.


1-c. Backup Important Data and Applications

Spyware is dangerous, and so is removing it. If spyware has replaced critical system files, removing it may cause Windows to stop working, possibly resulting in a loss of data. You may also need to remove some files manually, and to deinstall applications that have been damaged by spyware.

If your system is functioning enough to allow it, please backup any data you would not want to lose. If your system has a USB port, one quick and easy way to back it up is to buy a large external USB disk and copy everything you want to save onto it. For permanent backups, write-once CDs and DVDs are usually the fastest and least expensive media.

Be especially careful if you remove any files manually, such as files from a TEMP directory. If you do not feel comfortable with any step that involves manual removal of files, it is better to skip that step entirely than take a chance on deleting the wrong files.

The second part of backing up your system is to make sure you can reinstall Windows and major applications on your system. When spyware has seriously undermined or damaged an application, the only reliable way to remove the spyware may be to deinstall the affected applications and reinstall them from original disks.

The most important software to recover is Windows itself. If you are one of the fortunate people to have bought or received a real CD with your computer, you are in good shape. Unfortunately, many low-cost mass production computers do not provide separate Windows disks, making reinstallation difficult. Other versions, such as XP, are difficult to reinstall even if you have separate media. Check your original instructions for details on how to reinstall Windows. For mass-produced systems, copies of the Windows installation files are sometimes sequestered away in a special region of your hard disk that shows up as C:\WINDOWS\OPTIONS\CABS. If all else fails, try to find a local computer expert who can help you reinstall Windows on your system.

Virus checkers and Internet-aware multimedia applications are examples of the kinds of applications that can be infected by spyware. If at any point you have to remove such applications, always be sure first that you have the right CDs or files from which to reinstall them. Please note that it is always better to deinstall an expired virus checker than to allow it to keep running on your system. For spyware, an expired virus checker is roughly equivalent to a vacant building that is just waiting to be taken over by hardcore spyware.


1-d. Disconnect Your System from the Internet

Spyware uses the Internet to call in reinforcements, including in extreme cases real people who are intent on keeping your computer part of their network. After you have downloaded the spyware removal tool kit, disconnect from the Internet by unplugging it physically from its link. Don't rely on software disconnects, since they can be subverted by spyware. Until you have some confidence that you have detected and removed any hardcore spyware on your machine, connect only when necessary, such as when you are updating the spyware removal tools.


1-e. Turn Off All Sharing of Printers and Folders

One of the true horrors of Windows systems in terms of security is its early approach to sharing resources. The original default in Windows systems was to make locally shared resources just as visible on the Internet as they are to other computers in your home or business. To say that this was an invitation to mischief is a serious understatement. Even today, the single most common attempt to steal computer resources -- one that occurs every few seconds on most systems with DSL or cable connections -- is a query (Microsoft Directory Services, port 445) asking for the location of any shared resources in your PC.

While often inconvenient, it is almost impossible to keep spyware out if you are using shared resources. You should therefore find all shared resources on your local computer, including in particular folders and printers, and turn off sharing. Such sharing is usually indicated by a modification of the icon that shows a hand "sharing" the resource with others. Right-click on any folder or printer that you know of with such sharing, and turn it off.
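
As an added illustration (not part of the original procedure or its tool kit), the following read-only PowerShell function lists what this step asks you to turn off: folder and printer shares, any listener on port 445, and network adapters with File and Printer Sharing bound. It assumes PowerShell 3.0 or later on Windows 8 or newer, so it does not run on the Windows 98/ME/XP systems discussed here; the function name Get-SharingExposure is made up for this example.

```powershell
# Added example: read-only audit of local sharing exposure.
# Assumes PowerShell 3.0+ on Windows 8 / Server 2012 or later (needed for
# Get-NetTCPConnection and Get-NetAdapterBinding).
# Get-SharingExposure is a hypothetical name used only for this example.

function Get-SharingExposure {
    # 1. Folder and printer shares created on this machine.
    #    Win32_Share.Type: 0 = disk drive, 1 = print queue. The built-in
    #    administrative shares (C$, ADMIN$, IPC$) carry other Type values
    #    and are deliberately left out of the report.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 0 -or $_.Type -eq 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'Shared resource'
                Item   = $_.Name
                Detail = if ($_.Type -eq 0) { "folder $($_.Path)" } else { "printer $($_.Path)" }
            }
        }

    # 2. Is anything listening on TCP port 445, the port named in this step?
    #    No output from the cmdlet means no listener.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'Listening on TCP 445'
                Item   = $_.LocalAddress
                Detail = "owning process id $($_.OwningProcess)"
            }
        }

    # 3. Network adapters that still have "File and Printer Sharing for
    #    Microsoft Networks" (component ms_server) bound and enabled.
    Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'File and Printer Sharing bound'
                Item   = $_.Name
                Detail = $_.DisplayName
            }
        }
}

# Every row in the table is something this step asks you to switch off.
# An empty table means the machine is not offering shared resources.
Get-SharingExposure | Format-Table -AutoSize
```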


1-f. Kill (End) All Unnecessary Tasks

This step is optional, but helpful if you are comfortable with trying it. The reason for doing it is to try to shut down any active spyware programs before installing new software.

Use Ctrl-Alt-Delete to bring up the task control menu, which is the same one that can also be used to shut down a misbehaving Windows system. For Windows 95 and 98 systems, use the End Task option on as many tasks as you can. Leave this one running:

Explorer

Explorer is the part of Windows that provides your screen interface, so if you shut that down, your system will shut down. Nearly any other task is fair game for termination, however.

Windows 2000 and XP users have a more complicated menu that shows applications and tasks. Unless you are already familiar with the tasks and know what can be shut down, it is best just to shut down the applications.

Shutting down tasks can be a bit scary, but it is relatively harmless, since shutting down the wrong thing will generally just result in your system shutting down. Never do this while online, since some of the processes you are shutting down are likely part of your virus checking and any firewall you have.

Later, after you have GIANT AntiSpyware running, you can use one of its Advanced Tools to examine executing tasks and control executing tasks in much more detail. The GIANT tool also warns you of tasks that are known to be spyware.

Once you have as small a list of tasks as possible running, you are ready for the actual spyware removal process.


2. (Optional) Deinstall Web Programs and Virus Checkers

Corresponding tool kit file:
2--OPTIONAL--Deinstall_web_programs_and_virus_checkers.html

Read the above web page for more details on this. If you skip this step the first time and find that you have spyware that is detected but not removed, you should consider deinstalling your virus checker and trying again. In general, the more web-active and guard-related programs you can deinstall, the better your odds are for beating any spyware in your system. Before you deinstall any application you want to keep, though, be sure you have the CDs or files needed to reinstall it later.

If after a successful initial spyware removal you find that you are still getting reinfected by spyware, you may need to try shutting off or deinstalling programs that interact automatically with the Web, such as to download background photos. While most of such programs are harmless, they can unfortunately provide entry points for spyware.


3. (Optional) Install Mozilla Firefox

Corresponding tool kit file:
3--OPTIONAL--Install_Mozilla_Firefox_web_browser.exe

Download the latest version of this file from its original site:
http://www.mozilla.org/products/firefox/

Firefox is an excellent web browser that has received good reviews for its tighter security than Internet Explorer. Using Firefox does not eliminate spyware risks, but it does reduce them substantially.

While optional, installing Firefox at this early point in the overall procedure and making it your default browser allows safer updating of other tools in the toolkit. It also makes it possible for SpywareBlaster (below) to configure Firefox for even higher security.


4. (Optional) Install Adobe's Flash Player for Mozilla Firefox

Corresponding tool kit file:
4--OPTIONAL--Install_Flash_Player_for_Mozilla_Firefox.exe

Download the latest version of this file from its original site:
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

If you would like to have the Macromedia Flash Player for Firefox, use this file to install it. Flash Player is the plugin that is used to provide short animation-like displays on web sites, as well as some more complex interactive displays.


5. Install and Use ToniArts EasyCleaner

Corresponding tool kit file:
5--Install_EasyCleaner_then_Clear_Cookies_and_Clear_Files.exe

Download the latest version of this file from its original site:
http://personal.inet.fi/business/toniarts/ecleane.htm

Install this and use at least the following two buttons: "Clear cookies" and "Clear files". The latter refers to Internet Explorer files in the folder Temporary Internet Files, which is a notorious hiding spot for spyware. Don't rely on going into that folder with "show all files" on and removing everything you see, since Windows has files that are hidden, and files that are really hidden. EasyCleaner removes both, including "superhidden" files and file folders within Temporary Internet Files. The superhidden files can grow enormous on a system that has spyware and never uses a tool like EasyCleaner. I have seen badly infected systems in which the superhidden files in Temporary Internet Files were using up nearly a third of the disk drive!

If you wish to see the superhidden files firsthand, do this: First, with the "Show all files" option set on your folders, go into Temporary Internet Files (if you don't know where that is, you likely should not be trying this) and clear out all the cookies. In most systems there will be hundreds to thousands of those if you use Internet Explorer and do not explicitly clear them now and then, so you want to do this first to make the next step go faster. Go back up one level to the folder that contains Temporary Internet Files. Make a copy of the entire Temporary Internet Files directory. (If the copying process takes a long time, be sure to run EasyCleaner after all of this, as it means you have a lot of risky superhidden files.) You can now go directly into the copied folder and see all the superhidden files in Temporary Internet Files, which in the copy appear as ordinary files. When you are done, be sure to delete the "Copy of Temporary Internet Files" (not the original!) and then run EasyCleaner.
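
A way to measure the same thing without copying the folder, given here as an added example that is not part of the original procedure or tool kit: the read-only PowerShell script below totals the files in the Internet Explorer cache by visibility and reports each group as a share of the drive. It assumes PowerShell 3.0 or later (so a newer Windows than the 98/ME/XP systems discussed here) and treats "superhidden" as having both the Hidden and System attributes set; the function names are invented for this example.

```powershell
# Added example: read-only summary of hidden and "superhidden" files under
# the Internet Explorer cache. Assumes PowerShell 3.0 or later.
# Test-SuperHidden and Get-CacheVisibilitySummary are names invented here.

function Test-SuperHidden {
    param([System.IO.FileSystemInfo]$Item)
    # "Superhidden" = both the Hidden and the System attribute are set.
    # Explorer's "show all files" option alone does not reveal these items.
    $mask = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
    return (($Item.Attributes -band $mask) -eq $mask)
}

function Get-CacheVisibilitySummary {
    param(
        # Default: the cache folder Windows reports for the current user.
        [string]$Path = [Environment]::GetFolderPath('InternetCache')
    )

    $root = (Get-Item -LiteralPath $Path -Force).FullName.TrimEnd('\')
    $driveRoot = [System.IO.Path]::GetPathRoot($root)
    $driveBytes = (New-Object System.IO.DriveInfo ($driveRoot)).TotalSize

    # -Force makes Get-ChildItem return hidden and system items too.
    $rows = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $category = 'Visible'
            if (Test-SuperHidden $_) {
                $category = 'Superhidden file'
            }
            elseif ($_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)) {
                $category = 'Hidden file'
            }
            else {
                # A plain file still counts if any folder between it and the
                # cache root is superhidden (for example Content.IE5).
                $dir = $_.Directory
                while ($dir -and $dir.FullName.TrimEnd('\').Length -gt $root.Length) {
                    if (Test-SuperHidden $dir) {
                        $category = 'Inside superhidden folder'
                        break
                    }
                    $dir = $dir.Parent
                }
            }
            [pscustomobject]@{ Category = $category; Length = $_.Length }
        }

    # One output row per category: file count, size, and share of the drive.
    $rows | Group-Object Category | ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Category       = $_.Name
            Files          = $_.Count
            MB             = [math]::Round($bytes / 1MB, 1)
            PercentOfDrive = [math]::Round(100 * $bytes / $driveBytes, 2)
        }
    }
}

Get-CacheVisibilitySummary | Sort-Object MB -Descending | Format-Table -AutoSize
```

A large "Superhidden file" or "Inside superhidden folder" total is the condition described above that calls for running EasyCleaner.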

If you are familiar with the TEMP directories in your version of Windows and know how to remove files from them safely, it is also helpful to clear out all the files that can be removed from such folders. If you are not already familiar with how to do this kind of clean up safely, skip this step and go to the next one. Do not remove the TEMP folders themselves, as they are part of Windows!


6. Install, Update, and Use Trend Micro's CWShredder

Corresponding tool kit file:
6--Install_update_use_CWShredder.exe

Download the latest version of this file from its original site:
http://www.intermute.com/spysubtract/cwshredder_download.html

Install, update, and run CWShredder.

All of the virus checkers require a step of updating. Since you should be physically disconnected from the Internet at this point (you are, aren't you?), the best way to handle each such update is to reconnect your computer just before beginning the update and disconnect immediately after the update completes. Keeping your computer disconnected the rest of the time greatly reduces the odds of spyware within your system being able to communicate effectively with other parts of its network. Since this is the only update done before installing your firewall, it is especially important to keep your online time down to a minimum for this one.

CWShredder finds and destroys the innocently named but notoriously hardcore spyware pest called Cool Web Search (CWS). While dedicating a removal program to just one hardcore spyware pest when hundreds exist may seem like overkill, the CWS spyware package is backed by an unusually active support group and tends to incorporate the latest in cyber warfare technology. All of this makes CWS almost uniquely difficult to detect and remove.

It is important to remove CWS early, since it can play havoc with spyware checkers. Some speculation about the origins of this pest can be found here: http://www.tampatrib.com/MGBVV09P51E.html


7. Install and Use Sygate Personal Firewall

Corresponding tool kit file:
7--Install_and_use_Sygate_Personal_Firewall.exe

Download the latest version of this file from its original site:
http://www.tucows.com/preview/213160.html

Install and set up the Sygate firewall, which is free for home use. This is a highly effective firewall with many options and good defaults, but it requires a training period in which you must explicitly give applications permission to access the Internet. The general rule for this is that if you have just started up a program and get a request for permission from your firewall, you should tell the firewall to allow the access and to remember that permission for all future requests from that same application. Firewalls can be difficult to use in badly infected systems, however, and can be used against spyware checkers by spyware that is aware of them.


8. Install, Update, and Use SpywareBlaster

Corresponding tool kit file:
8--Install_update_use_SpywareBlaster.exe

Download the latest version of this file from its original site:
http://www.javacoolsoftware.com/spywareblaster.html

Install, update, and run SpywareBlaster. This is not a virus checker, but a program to tighten down a number of settings in both Windows and in various Internet browsers. It updates settings for both the standard Windows Internet Explorer (IE) and for the optionally installed Firefox browser. For updating this and all of the other virus checker programs, you should physically connect to the Internet only long enough to allow the update to complete.


9. (Optional; not for 98 or ME) Install and Use Windows Defender

Microsoft's free anti-malware tool can be downloaded for non-98, non-ME Windows systems from this site:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Please note that unlike any of the other software listed here, you cannot download Defender unless you first download and run a Microsoft verification program. The Microsoft verification program inspects all of your hardware and software, and then makes a decision as to whether or not you are a legitimate owner of Windows. Physical evidence of ownership, such as one of those holographic labels with your Windows serial number on it, is not taken into account, and the scanner is not always accurate. In particular, the more you have changed the hardware of your system, the greater the chances are that the verification program will incorrectly conclude that you have pirated your copy of Windows. If the scanner does decide you are a pirate, it does not just block you from downloading Defender: It also permanently bans your system from ever receiving critically important Microsoft security patches in the future. In the current Internet malware environment, the absence of such updates typically amounts to a slow death sentence for Windows, since it results in malware infections so severe that your system will simply stop working (which is actually preferable to attempting to do any significant work on such a severely compromised system).

10. Install, Update, and Use Webroot Spy Sweeper

Corresponding tool kit file:
a--Install_update_use_Spy_Sweeper--30_DAY_DEMO.exe

Download the latest version of this file from its original site:
http://www.webroot.com/downloads/

Install, update, and run the Webroot Spy Sweeper 30-day demo. Be sure to update to the latest software and signatures before scanning your system, connecting only as long as needed for the updates to complete. Choose the active shields, especially if you found significant problems with GIANT AntiSpyware. Having multiple shields (GIANT and Spy Sweeper) active at once can be annoying, but is helpful during the early stages of removing spyware. You can shut down some of them later, but you should always have at least one set of active spyware shields running. In this set of tools, three of the tools have similar active shields: GIANT AntiSpyware, Webroot Spy Sweeper, and Spybot Search & Destroy (the TeaTimer option). Spybot is free, so it is a good option for providing long-term shields if you do not buy GIANT AntiSpyware or Webroot Spy Sweeper.


11. Install and Use Spybot Search & Destroy

Corresponding tool kit file:
b--Install_Spybot_Search_Destroy_with_TeaTimer_update_use.exe

Download the latest version of this file from its original site:
http://www.safer-networking.org/en/index.html

Install and run Spybot Search & Destroy (S&D). As you install it, be sure to check the box to install the optional TeaTimer spyware shields. Check for updates, staying connected only as long as needed. Choose to apply the inoculations (fixes to risky settings) available, and finally, sweep your system.

12. Install and Use Lavasoft Ad-Aware SE Personal

Corresponding tool kit file:
c--Install_update_use_Ad-Aware_SE_Personal--HOME_ONLY.exe

Download the latest version of this file from its original site:
http://www.lavasoftusa.com/support/download/

Install and run Lavasoft Ad-Aware, which is free for home use. Check for updates, connecting only as long as needed, then sweep your system. Ad-Aware will usually find additional spyware not detected by the others. However, it also tends to hog the computer and cause mouse and keyboard inputs to lag badly. It thus is best not to use the computer for any other tasks while running Ad-Aware, since it can be a frustrating experience.


13. If Tools Fail, Deinstall All, then Reinstall All

Corresponding tool kit file:
d--OPTIONAL--If_tools_fail_deinstall_all_then_reinstall_all.html

This is the step that no one wants to hear, but which needs to be said:

If you encounter mysterious failures when installing or running any of the tools in this tool kit (that is, Easy Cleaner, CWShredder, Sygate Personal Firewall, SpywareBlaster, GIANT AntiSpyware, Webroot Spy Sweeper, Spybot Search & Destroy, and Lavasoft Ad-Aware Personal), the safest procedure is to deinstall all of them, including your virus checker, and then reinstall all of the tools in this toolkit. (Reinstalling the virus checker is optional; I suggest doing an online check first instead.)

The rationale for such a drastic approach is that too often, such mysterious failures are the direct result of hardcore spyware that is trying to subvert the installation of tools that would otherwise find and delete them. This is especially true if GIANT AntiSpyware or Spybot Search & Destroy hang, since they seem to be the most frequently targeted by hardcore spyware.

If you do this second round, it is particularly important that you experiment with deinstalling your virus checker. I have seen a number of cases where the spyware was resident in the virus checker itself. Because virus checkers often have special privileges in the operating system, the result is that even in Safe mode, the spyware can still affect your system and prevent you from finding or deleting spyware.

Less critically, if your tools installed and ran normally but you were still getting significant spyware hits by the time you reached the last (Ad-Aware) installation, it is also a good idea to perform repeat scans until you stop finding pests. Try using all of the scanning tools: GIANT AntiSpyware, Webroot Spy Sweeper, Spybot Search & Destroy, and Lavasoft Ad-Aware.

The reason for repeating scans is that spyware pests appear to suppress each other, so that removing one "crop" of spyware often causes another quite different crew of pests to show up. Usually, the rate of discovery of new pests will drop dramatically after the second round of scans. At that point, you can then assume you have a sufficiently clean system.


14. Update Windows

Corresponding tool kit file:
e--Use_Windows_Update_for_Windows_and_Internet_Explorer.html

It is now time to update Windows, even if you have already done so earlier. Spyware can interfere with the update process, so checking for further updates is a good idea. Be sure to update Internet Explorer (IE) to the latest and most secure version, since it is a notorious entry point for spyware. Note that IE is tightly integrated with Windows (e.g., it is part of Quick Menus for some bizarre reason), and so represents a substantial security risk even if you only use Firefox for browsing.

[added 2005-06-23] Although it should be used with some care, an outstanding tool for seeing if you really updated Windows is the Belarc Advisor. Belarc tells you which patches either were never installed or failed to install properly (which happens more often than one might expect). Belarc is free for home use, and can be found at: http://www.belarc.com/free_download.html


15. Perform an Online Virus Check

Corresponding tool kit file:
f--Open_this_page_in_Internet_Explorer_to_check_for_viruses.html

Now that you have Internet Explorer fully updated, you can use it to check your system for viruses by going to the site: [updated 2005-06-23] http://housecall.trendmicro.com/housecall/start_corp.asp. This has the advantage of avoiding using a local virus checker that may have been taken over by spyware at some point.


16. (Optional) Reinstall Your Virus Checker

Corresponding tool kit file:
g--OPTIONAL--Reinstall_up-to-date_virus_checkers_if_desired.html

Surprisingly, you may find that using a free online virus checker plus shields and spyware checkers may be sufficient for your system -- and a lot cheaper. In systems I have seen, spyware pests typically outnumber viruses by huge ratios, with systems that have thousands of spyware traces often having no viruses at all.


17. Decide on Your Long Term Tool Selection

Corresponding tool kit file:
h--Decide_on_your_long_term_tool_selection.html

If you have gotten through all of this, you should find that your "old" PC is now working far better than you imagined was possible, particularly if you had a bad infection. Now you need to make some decisions on how to keep what you have gained.

The first decision is what firewall to use. Sygate is not the only one possible, but is hard to beat in terms of user interface (very good), functionality (extensive), and cost (free).

In the case of the spyware checkers, please note that two of the checkers in the tool kit are demos with expiration dates. This means that after a week or so you will need to decide which one to use for your active shields, as well as for periodic scans.

Active shields are critical, since failing to keep up both a firewall and an active spyware shield can literally result in reinfection in a matter of minutes. For example, one friend of mine allowed his GIANT AntiSpyware shield to expire at the end of the trial period, and he did not have the free TeaTimer shield running. Within a single day his computer went into Safe mode and stopped reading CD-ROMs, almost certainly because of a rapid reinfection by spyware. Don't let it happen to you; keep what you have worked for by making sure you always have a firewall and an active spyware shield at all times. You can get both at no cost (Sygate + Spybot Search & Destroy).

Whichever spyware checkers you choose for the long term, be sure to keep them fully updated. Like viruses, spyware evolves rapidly, and spyware checkers need to be kept current on new threats.

If you buy only one tool, my recommendation is GIANT AntiSpyware. It has excellent guards and the best overall performance at finding the truly dangerous stuff.

Finally, depending on which (if any) of these tools you have found most useful, consider buying or donating to them to help ensure continued support. It also keeps the companies that provide such services trim and responsive, since their cash flow depends directly on how well their product works.


18. Consider Alternatives for High-Value and High-Security Work

Corresponding tool kit file:
i--Consider_alternatives_for_high_value_high_security_work.html

"Better" is not the same thing as foolproof. The procedures just described will work well for getting rid of most if not all spyware on your system, detecting hidden hardcore spyware (shivas), and providing basic protection against ordinary forms of online break-ins. However, it will not prevent the more persistent forms of hacking whose goal is to plant new spyware on your computer. In a Windows system in early 2005, it is not uncommon for a system in which all of the measures in this procedure have bee taken to get serious attempts at break-ins every one to two weeks.

Unfortunately, if you use your home or small business computer for high-value information such as financial transfers, patent applications, confidential corporate data, or official-use-only government data, even such "occasional" break-ins by spyware are likely to be unacceptable. If you fall into one of these high-value categories, you should consider additional measures for bringing your security up to the highest level possible.

Alternative A: Switch to a Different Operating System
One such option is to abandon Windows and replace it with an operating system such as Macintosh, Linux, or OpenBSD, all of which are (at least at present) significantly less subject to spyware threats. A Macintosh, which uses the OS X operating system, is an exceptionally friendly alternative for users who want an easy-to-use, minimal-hassle computer environment capable of executing all major business software applications. OS X is based on Apple's open source Darwin operating system, which is in turn based on the popular FreeBSD, thus making OS X a distant cousin of OpenBSD.  Linux is a good option for those who want extensive support and prefer detailed control of their systems. OpenBSD, which its developers claim with good evidence to be one of the most carefully checked-over Unix-like operating systems in existence, is an option for expert Unix technophiles who want maximum security, even if it means greatly reduced application variety and a need for detailed knowledge of Unix internals.

One caution: While alternative operating systems typically have a good selection of firewalls, including some outstanding ones, they are usually much weaker on virus and spyware checkers, largely because they have had so many fewer problems with spyware. Ironically, this could mean that if one of these systems does get infected, it will be harder to detect than a comparable level of infection on a Windows system. Balancing this is the observation that if you make good use of firewalls on non-Windows systems, you can reduce your risk of spyware getting into your system to a level that nicely approximates zero.

Alternative B: Maximize Windows Resistance to Hacking
The other alternative is to maximize your Windows security by (1) ensuring that you are free of spyware, (2) fully updating Windows and Internet Explorer, (3) removing any unnecessary communication programs, (4) making sure your system is invisible, or stealthed, to anyone looking at it from the Internet, (5) adding active guards to watch for changes characteristic of spyware insertions, (6) maximizing firewall protection, and (7) ensuring that every system in your local network is comparably well protected.


Step 1 is provided by the spyware removal procedure you have just completed. Remember that a simple once-over with a spyware checker is flatly not sufficient for this, since that will not remove the most deeply hidden forms of spyware (shivas).


Step 2, fully updating Windows and Internet Explorer, was completed earlier in this spyware removal procedure.


Step 3, removing unnecessary communication programs, is a bit of a no-brainer for critical systems. Even simple, practical programs such as time synchronization programs can cause problems, as can widely used auto-updating programs such as automated screen savers with thousands of available images. Multimedia programs, which often include their own softcore spyware, can also be problems when used online. While harmless in themselves, such programs provide well-known forms of communication that a hacker can hijack and use for alternative purposes.

Another deeper form of removal is to use your firewall to block certain types of Windows services that are intended primarily for use between small groups of people who trust each other completely. Such trust is utterly unwarranted on the modern Internet, where such services are far more likely to be used against you than for you. Examples of services that show up in the Sygate firewall list and can be shut off unless you know specifically that you need them are listed under Applications. For a simple system that lacks any special software applications, examples of Windows services that can usually be shut off from the Internet without causing problems include Win32 Kernel core component, Spooler Sub System Process, Distributed COM Services, and WIN32 Network Interface Service Process.

An interesting problem area for communications is Virtual Private Networks, or VPNs. VPNs are a very popular technique for providing secure access to business networks while using only the public Internet. VPNs increase security by encrypting (indecipherably scrambling) the data that is sent over the Internet, but they can also provide holes by which determined hackers can break into a system -- e.g., by leaving a communications process running in your computer. The best general advice for using VPNs is to make sure you have the latest possible software, and that you do not leave such tempting targets running when you are not actually using them.


For Step 4, stealthing your system, I highly recommend the Shields Up! web site, a free service by the Gibson Research Corporation. Another very good site is Sygate Online Services (SOS), which looks for many of the same issues as Shields Up! and adds testing for Trojans hidden within your system. Both the Gibson and the Sygate testing sites look for tell-tale responses when your system is queried in various ways over the Internet. It's important to realize that until you achieve a perfect score on such tests, your system is still responding to remote software and remains acutely at risk of revealing itself to the wrong people at the wrong time. A non-stealthed answer is roughly equivalent to hiding behind a bush while continuing to answer anyone who asks you the right question. With automated break-in software, it's possible to ask a lot of questions in a hurry, making even a single non-stealthed response glaringly obvious to automated hackers. The full details of stealthing are beyond the scope of this procedure, but the above two web sites will provide powerful starting points for determining where your particular system may have problems, and what steps you should take next to resolve them.
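The difference between a stealthed port and one that merely has nothing listening on it can be seen in the sketch below. It is an added example, not code from Shields Up! or Sygate, and the function names and the two-second timeout are assumptions. To see what the Internet sees, it has to be run from a second machine of your own outside the firewall, pointed at your own system's address.

```python
import socket


def classify_port(host, port, timeout=2.0):
    """Classify one TCP port by how the host reacts to a connection attempt."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"      # handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"    # no service, but the host answered with a refusal
        except socket.timeout:
            return "stealth"   # no answer at all within the timeout
        except OSError:
            return "error"     # e.g. no route; says nothing about the port


def stealth_report(host, ports, timeout=2.0):
    """Return ({port: state}, perfect); perfect means every port stayed silent."""
    states = {p: classify_port(host, p, timeout) for p in ports}
    return states, all(v == "stealth" for v in states.values())
```

A "closed" result is the answer from behind the bush: nothing is listening, yet the refusal itself confirms that a machine is there.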


Step 5 was accomplished three times over by this procedure, since three of the spyware checkers you installed -- Spybot Search & Destroy with TeaTimer, GIANT AntiSpyware, and Webroot Spy Sweeper -- provide active spyware guards that look for the kinds of changes to your internal Windows settings that could indicate the insertion of spyware. Since as of early 2005 these three guards are closely comparable in fundamental capabilities, it is only necessary to keep one of them running in your system. I personally prefer to use multiple guards, but such an approach results in annoying repetitions of the same confirmation questions by all three guards whenever software changes are made to your system. The TeaTimer guard in Spybot Search & Destroy is free, and so is an easy choice for low cost. The GIANT guard is the most intelligent, figuring out many new answers based on your previous ones. While no longer available for purchase since Microsoft bought GIANT, its features should hopefully become standard in Windows XP and other versions of Windows in the near future. Finally, Webroot Spy Sweeper has fully effective guards, although its user interface is a bit more intrusive and annoying -- e.g., it leaves a window up even after you have approved a change, rather than disappearing promptly as the other guards do.
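How such a guard works in principle, including remembering earlier answers so that the same question is not asked twice, is sketched below. This is an added example and not the code of TeaTimer, GIANT, or Spy Sweeper; the Guard class, the snapshot format, and every sample entry are constructed for illustration, and reading the live Windows settings is left out.

```python
from dataclasses import dataclass, field

# Constructed snapshots of watched settings: (location, name) -> value.
# The Run key is a real Windows autostart location; every entry is invented.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {
    (RUN, "Firewall"): r"C:\Program Files\Firewall\fw.exe",
    ("Browser", "Start Page"): "about:blank",
}
AFTER_INSTALL = {
    (RUN, "Firewall"): r"C:\Program Files\Firewall\fw.exe",
    (RUN, "updchk"): r"C:\WINDOWS\Temp\updchk.exe",
    ("Browser", "Start Page"): "http://search.example/",
}


@dataclass
class Guard:
    baseline: dict
    remembered: dict = field(default_factory=dict)  # (key, new value) -> verdict

    def diff(self, current):
        """Yield (key, old, new) for each added, changed or removed setting."""
        for key in sorted(set(self.baseline) | set(current)):
            old, new = self.baseline.get(key), current.get(key)
            if old != new:
                yield key, old, new

    def check(self, current, ask):
        """Return (enforced settings, number of questions put to the user)."""
        enforced, prompts = dict(current), 0
        for key, old, new in self.diff(current):
            verdict = self.remembered.get((key, new))
            if verdict is None:  # never seen this exact change: ask once
                verdict = self.remembered[(key, new)] = ask(key, old, new)
                prompts += 1
            if verdict != "allow":  # denied: roll the setting back
                if old is None:
                    enforced.pop(key)
                else:
                    enforced[key] = old
        self.baseline = dict(enforced)  # approved changes become the new baseline
        return enforced, prompts
```

The ask argument stands in for the confirmation window: it receives the setting, its old value and its new value, and returns "allow" or "deny".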


It is Step 6, the choice of a firewall, that is the single most critical to bringing break-ins down to negligible levels. With a good to very good firewall such as the free Sygate Personal Firewall, partially successful attempts to hack hardcore spyware such as CoolWebSearch, a keylogger, or a RAT into your system can be reduced to once every week or so, which is still a frighteningly high rate for high-value targets. Nightly scans can generally catch such break-ins, but if the hacker manages to get enough control of your system to transform the spyware into fully stealthed shivas, you may not realize you have been hacked until the characteristic odd behaviors of keyloggers and RATs begin to show up. (An even more drastic partial solution is to temporarily hamstring Windows by shutting down the DLLs most often used when such break-ins occur. However, this makes a very poor long-term solution because it cripples the normal operation of Windows.)

A better approach is to find a firewall that closes even the briefest opportunities for attack, such as when the firewall is started or shut down. It also needs anti-hijacking features that confuse or identify attempts to take over your communications with a legitimate site.

Based both on features and the success I've seen so far at cutting down residual break-ins to my own systems, my recommendation for this particularly critical step is that high-value users download the 30-day demo version of Sygate Personal Firewall Pro, which is a for-purchase version of the Sygate Firewall that includes several critical features not available in the free version. After installing Pro, activate all of the features listed under the Options->Security tab. You may have to temporarily deactivate some of these features for performing tasks such as VPN, since, for example, anti-IP spoofing is not compatible with some Cisco VPN login procedures. However, keeping such features active as your default results in much higher overall security and, from what I've seen so far at least, a very significant reduction in break-in attempts. If your experience with the 30-day demo version provides you with comparable results on a high-value system plagued by break-in attempts, the moderate cost (under US$50) of buying the full version of Pro may be well worth it.

I would expect that other firewalls perform similarly well, but Sygate Pro is a cost-effective way of getting features that address problems I've observed directly, such as spyware-related activities that occur during the security gap when the firewall is starting up or shutting down.

(Examples? On multiple occasions I've seen well-cleaned Windows systems behave normally until the owner initiates a shutdown. Since during a full shutdown the firewall must also shut down at some point, a particularly "sticky" process hidden deep in the bowels of the Windows kernel can refuse to shut down until all firewalls and all logging software are down. The hidden process can then dispatch a short burst -- say less than a tenth of a second -- of selected high-priority data to a remote receiver. The giveaway to this subtle ploy is that the Windows shutdown process hangs if your system has been disconnected from the Internet. If you reconnect it, you can then watch the activity lights and see a short burst of data go out, followed by your system finally shutting down. Check your logs, though, and you will find nothing at all, because the event did not occur until all such logs were deactivated.)


Step 7 consists of ensuring that all of the systems on your local network -- that is, any computers you have in your home or small business that share access to each other, to printers,  or to the same Internet line -- have the same level of protections as your system. This step is needed because locally initiated attacks from nominally "trusted" local computers can be significantly more dangerous than ones launched from the Internet. If you have infected systems in your local network, they can become dangerous sources of repeated attacks against your system.



LEGAL DISCLAIMERS: This document is provided solely as a public service for computer users having problems with spyware. I have no direct, nor to the best of my knowledge any indirect (e.g., mutual funds), financial ties with any of the tools or applications listed or recommended within this document. The views presented in this document are entirely my own and do not represent the views of my employer or of any customers of my employer. Removing spyware unavoidably entails risks that your computer will stop working or lose data. This procedure does not guarantee removal of all spyware. PLEASE NOTE THE FOLLOWING REQUEST FOR YOUR EXPLICIT CONCURRENCE BEFORE YOU USE ANY PROCEDURE DESCRIBED IN THIS DOCUMENT: By applying any spyware removal procedure originating either directly in this document or indirectly in documents referenced by this document, you are by your actions agreeing to the following two conditions: (1) You have sufficient legal ownership and/or administrative rights to apply operating system level changes to the computer or computers upon which you are performing any such procedure. (2) You accept all of the risks and responsibilities for any damage that could occur to your computer as a direct or indirect result of applying spyware removal procedures to the computer or computers. Please DO NOT apply any of the procedures in this document if you cannot or do not have sufficient authority to agree fully with the above two conditions.