590 Farrington Hwy, #524-204

Kapolei, HI 96707

(808) 386-8026

computers@hawaii.rr.com

 

 

 

 

 

 


Removing Adware, Spyware, and Malicious Programs

 

·        Introduction

 

·        Definitions

 

·        Summary

 

·        Downloads

 

·        Instructions

 

·        Links

 

·        Products

 

 

 

back to:  | Top | Introduction | Definitions | Summary | Downloads | Instructions | Links | Products |

Introduction


 

A short note from your Computer Guy: Just so you don’t get intimidated by another long document that may seem detailed and complicated, not knowing how far you will have to read to get to the real information you need, I am presenting this information in a series of sections with easy-to-use hyperlinks to jump around the document.  Each section is designed to prepare you for the next, so you won’t be overwhelmed by technical details from the beginning.

 

Dale Powell

 

Let’s get started: The word “Spyware” means different things to different people.  Sometimes the term is used to mean Adware, Browser Helper Object (BHO), Hijacker or Trojan, but in any case, people are referring to software they didn’t intend to download to their machine, didn’t want, and are now having trouble removing, and that is causing undesired side effects on their computer such as slowdowns, pop-ups and errors.  To keep things simple, let’s just call it all... Spyware.

 

Spyware is often downloaded without the user’s knowledge or permission, because of having an unprotected computer, clicking on pop-ups, using P2P sharing, or accepting Software End User License Agreements (EULAs) that give the vendor permission to piggy-back these unwanted programs onto programs you really do want.  Of course you probably won’t see words like “spyware” or “adware” in the small print, but you can be sure there may be some sort of legal mumbo-jumbo that gives them the permission to do so.

 

By now, you probably know you have to buy or download something to try and fix the problem yourself.  The problem is there are companies that will sell you rogue products that will just complicate the problem.  Sure, they might detect and remove some spyware, but they will introduce their own for a sort of spyware monopoly.

 


 

The good news is that there are quite a few very reputable companies and individuals that will provide what you need for free.   While I am not a “spyware removal expert” like the folks that research the problem and write these programs, I’ve had quite a bit of experience in using their programs and have developed my own opinion on what works and what doesn’t.  So what you will be reading about here will be a collection of modified excerpts from these “heroes” that I have researched and use myself just about every day with my customers’ computers.

 

To start, let’s make sure you don’t already have one of these rogue products installed on your computer.  I’m sorry to tell you, but even if you paid for it, one of the first things “I” would do is to remove it.  But it is up to you since it is your computer and your money.

 


 

Here's a list of some rogue products from http://www.netrn.net/spywareblog.  Some are borderline offenders, while others are quite flagrant:

 

·        Spy Wiper

·        AdWare Remover Gold

·        BPS Spyware Remover

·        Online PC-Fix

·        SpyFerret

·        SpyBan

·        SpyBlast

·        SpyGone

·        SpyHunter

·        SpyKiller

·        SpyKiller Pro

·        SpywareNuker

·        TZ Spyware-Adware Remover

·        xp-AntiSpy

·        SpyAssault

·        InternetAntiSpy

·        Virtual Bouncer

·        AdProtector


 


 

 

 


 

Definitions


 

Adware: "Software that brings targeted ads to your computer, after you provide initial consent for this task.  Some Adware may hijack the ads of other companies, replacing them with its own.  Adware typically will track your browsing habits and report this info to a central ad server."

 


 

Browser Helper Object (BHO): "A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules.  A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions.  Microsoft calls it "a spy we send to infiltrate the browser's land."  There are many exploits of this technology which search all pages you view in IE and replace banner advertisements with other ads, monitor and report on your actions, change your home page, etc."

 


 

Hijacker: "A trojan that may reset your browser's home page and/or search settings to point to other sites.  Such sites are sometimes porn sites, often loaded with advertising.  Homepage Hijackers may prevent you from changing your browser's homepage or from visiting a particular site."

 


 

Spyware: "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior.  Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed.) Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed."

 


 

Trojan: "Unwanted software which runs in a user's machine, as an agent of the attacker, without user awareness.  Unlike viruses and worms, trojans do not replicate (make copies of themselves.)"

Internet Intruders are here defined as unwanted software that is installed while surfing the Internet, and that typically uses the Internet in the process of exploiting the user and the user's machine. Typically such software is installed without the user's full awareness of the consequences of such an install (although the user might have been given some notice of what would happen).  Such software is typically difficult to manually detect, and difficult to remove.  It usually compromises some combination of the user's privacy, the confidentiality of the user's information, or the user's productivity.  Productivity is compromised when frequent ads pop up, when bandwidth and storage space are consumed, when pages load more slowly, etc.  In this tabulation, 'Internet Invaders' are the aggregate of pests that are categorized elsewhere as Adware, AOL Pest, Browser Helper Object, Dialer, Downloader, Firewall Killer, Hijacker, Hostile ActiveX, Hostile Java, Hostile Script, IRC War, Key Logger, Notifier, Password Capture, P2P, RAT, and Spyware.  Internet Intruders are all unwanted, and for a variety of reasons.

 


Spyware Removal Summary


 

This document will not delve into how to install and configure programs.  If you aren’t even comfortable just installing the programs, I suggest you call a qualified technician to remove your spyware for you.  A thorough job, which includes protection from re-infection, usually takes about 1 – 2 hours, but if you are severely infested with Spyware, you may be infected with a virus as well.

 

For an average computer, a Virus scan alone can take about 30 - 40 minutes depending on how many files you have, and I’m not just talking about your personal pictures, documents and mp3s; this also includes Windows and Program Files.  My custom-built computer takes nearly 2-1/2 hours.  Virus removal may sometimes be relatively easy, but correcting the damage it “may” have caused can be more complicated and time consuming.  That’s another story; for now let’s talk Spyware.

 

Each program should come with some sort of Help or Tutorial section to aid you in setting up the program.  But since the default settings are usually adequate, you should be able to walk through each program with the brief steps outlined in each section of this document.  Also, I only included screenshots of the primary screen you will be working with for each program.

 

Without doubt, the most important thing you can do is to take all action necessary to ensure you don't get infected in the first place. Once infected, it's going to be increasingly difficult in the future to remove the scumware from your PC.

 

So passive measures like disk scans with SpyBot are now second priority. Much more important is active prevention.

 

As a start you should minimize your chance of infection by fixing Windows vulnerabilities exploited by the scumware merchants.  Stay current with all the Windows patches by visiting the Windows Update often.  Better still, turn on automatic update notification.  And don't forget to update MS Office and other software products on your PC.  They can be exploited as well.

 

Another preventative step is to ensure your browser settings are safely configured.  In Internet Explorer, select Tools/Internet Options/Security and make sure the slider control is set to at least "Medium."  Then select "Custom" and set "Download signed ActiveX controls" to Prompt, "Download unsigned ActiveX controls" to Prompt or Disable, and "Initialize and script ActiveX controls marked as unsafe" to Disable.  Click OK and exit.
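As an added example (not part of the original page), the Python script below audits the three ActiveX settings described above from a Regedit export of Internet Explorer's per-user Internet zone. It assumes the export has already been read into a text string; the action IDs 1001, 1004 and 1201 and the values 0, 1 and 3 are IE's standard zone codes, while the function names and the sample export are constructed for illustration.

```python
import re

# IE URL-action IDs for the three settings named in the text.
# 1201 is labelled in IE as "...not marked as safe"; the page calls it "marked as unsafe".
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
# IE stores each choice as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Values the page recommends for each action.
ALLOWED = {"1001": {1}, "1004": {1, 3}, "1201": {3}}

# Zone 3 is the Internet zone in the per-user hive.
INTERNET_ZONE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                 r"\CurrentVersion\Internet Settings\Zones\3")

# Constructed sample export: 1001 is too permissive, 1201 is absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(text):
    """Return (action_id, label, setting, status) for each audited ActiveX action."""
    zone = {}
    for path, values in parse_reg_dwords(text).items():
        if path.lower() == INTERNET_ZONE.lower():  # registry paths are case-insensitive
            zone = values
    findings = []
    for action, label in ACTIONS.items():
        value = zone.get(action)
        if value is None:
            # Absent value: cannot confirm the setting from this export.
            shown, status = "not set", "MISSING"
        else:
            shown = POLICY.get(value, f"unknown (0x{value:x})")
            status = "OK" if value in ALLOWED[action] else "WEAK"
        findings.append((action, label, shown, status))
    return findings


if __name__ == "__main__":
    for action, label, shown, status in audit_internet_zone(SAMPLE_EXPORT):
        print(f"{status:8}{action}  {label}: {shown}")
```

Machine-wide or policy-enforced zone settings can override the per-user key, so this audit covers only what the current user's Internet zone records.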

 


 

Next, check your browser's current vulnerability to known exploits by running the security tests at these sites (Internet Explorer and IE-based browsers only):

 

http://browsercheck.qualys.com/   or   http://www.jasons-toolbox.com/BrowserSecurity/

 

Prevention also means using the active anti-infection measures offered in some anti-spyware products. Spybot has its "inoculation" option. The paid version of Ad-aware has something similar.

 

One of the very best anti-infection programs is a freeware product called SpywareBlaster.  It's not a scanner like SpyBot but rather a stand-alone inoculation routine.  It provides protection against more than 1500 products that use ActiveX based exploits.  That's about three times as many products as SpyBot's "inoculate."

 

A companion program to SpywareBlaster is SpywareGuard.  Again, this is not a file scanner like SpyBot.  It is a protective program that works like an anti-virus suite by checking programs before they are executed. 

 

Both SpywareBlaster and SpywareGuard are quality freeware, are regularly updated and have active support forums.  They should be on every PC.  If you haven't got them, I strongly recommend you download and install them at the first opportunity.  Get them here:

 

http://www.javacoolsoftware.com/spywareblaster.html

 

The next preventative step is to keep all your defenses current. In this cat and mouse game you are already at a disadvantage because the bad guys have the initiative.  Spybot, Ad-aware, SpywareBlaster and SpywareGuard all have features that make updating easy.  Make sure you use them.

 

Finally, only use reputable anti-spyware software products like the ones mentioned in the preceding paragraph. Do some research before installing any new product. Just how embarrassing would it be to get infected by a product you installed to protect yourself!

 

The following information will provide you with definitions, links, basic procedures, screenshots

 

·        Spyware Removal Program Downloads

·        Spyware Removal Program Instructions

·        Start System in Safe Mode

·        Manually Remove Programs using Control Panel

·        CWshredder

·        Spybot S&D

·        AdAware

·        MRU Blaster

·        Spyware Blaster

·        Norton WinDoctor

·        Internet Explorer

·        Msconfig

·        Regedit

·        Programs Startup Folder

·        Disk Cleanup

·        Qualys

·        Spyware Information Sites

 


 

 


 

Spyware Removal Program Downloads


 

Download and install the following FREE programs to your hard drive:

 

 

Program | Direct Download | Description
CWshredder | download | Scans for and removes CoolWebSearch variants.
Hijackthis | download | Provides a log of items that may potentially contain browser hijackers and can also be used to remove confirmed hijackers.
Spybot - Search & Destroy |  | Active Spyware scanner with limited immunization capability.  Spybot is used to remove Spyware that is already on your computer.
AdAware 6 |  | Active Spyware scanner used to remove Spyware that is already on your computer.
Spyware Blaster |  | Immunization program used to prevent Spyware from ever entering your computer.
MRU Blaster | download | Used to detect and clean MRU (most recently used) lists on your computer which contain information such as the names and/or locations of the last files you have accessed.
TDS-3 Anti Trojan System |  | TDS-3 has been widely accepted as being the world's most comprehensive anti-trojan system with the largest anti-trojan database.
Zone Alarm Firewall | download | Zone Labs firewall stands between your computer and the outside world.  Like the lock on your front door, it keeps strangers from coming in and getting access to your possessions.

 

 


 


 

Spyware Removal Instructions


 

Run the following Programs:

 

·        CWshredder

·        Spybot S&D

·        AdAware 6

·        MRU Blaster

·        Spyware Blaster

·        Qualys

·        Regedit

·        Norton WinDoctor

 


 

·        Spyware Removal Program Downloads

·        Spyware Removal Program Instructions

·        Start System in Safe Mode

·        Manually Remove Programs using Control Panel

·        CWshredder

·        Spybot S&D

·        AdAware

·        MRU Blaster

·        Spyware Blaster

·        Norton WinDoctor

·        Internet Explorer

·        Msconfig

·        Regedit

·        Task Manager

·        Emergency Msconfig, Regedit, Task Manager Utility for WinXP

·        Programs Startup Folder

·        Disk Cleanup

·        Qualys

·        Spyware Information Sites

·        Downloadable Products for Sale

 

Check these links for online virus scanners.  It's recommended to run at least two of these.  
  Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro -->     http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan--> http://www.pandasoftware.com/activescan/
  McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
  Stinger -->         http://download.nai.com/products/mcafee-avert/stinger.exe

 


 


 

Start System in Safe Mode

If your computer is severely infested with Spyware, it may be running so slowly that you can’t even perform any of the procedures outlined so far.  In this case, it may be an advantage to start Windows in “Safe Mode”.

 

Safe mode is the Windows diagnostics mode.  In the Safe mode, only the specific components that are needed to run Windows are loaded.  Safe mode does not allow some functions, such as a connection to the Internet. Safe mode also loads a standard video driver at a low resolution.  Due to the low resolution, your programs and the Windows desktop may look different than usual and the desktop icons may have moved to different locations on the desktop.

 

The advantage of Safe Mode is that many of the annoying startup programs will not be loaded automatically as they are during a normal startup, which helps prevent errors and frees up valuable memory, returning the performance you need to install and run programs for dealing with the Spyware.  How to enter Safe Mode varies for different versions of Windows.

 

This document provides two methods for starting the computer in Safe Mode.  One method uses the F8 key during system startup, and the other method uses the System Configuration Utility, which is a feature of some Windows operating systems.  Please note the following:

System Configuration Utility: If you try the System Configuration Utility and cannot start its dialog box, use the F8 method instead.  If the System Configuration Utility method is not listed for your operating system, the utility is not available in that operating system.

F8 key: Using the F8 key can be more difficult than using the System Configuration Utility because you must press the F8 key at just the right time.  If the F8 method does not work, repeat the steps, but press the F8 key more quickly, or press it several times.  If the F8 key still does not work, use the System Configuration Utility method instead.  On some older computers, the F8 key method does not work because the computer has disabled the F8 key for this purpose or the computer is designed to use a different key.

·         Win 95       Win 98             Win ME            Win 2K             Win XP                        Win MultiBoot

 


 

 

 

WINDOWS 95

Windows 95 does not include the System Configuration Utility.

 

To use the F8 method

·         Restart the computer.

·         Watch the screen while it is black.  When you see "Starting Windows 95," immediately press the F8 key.  Windows starts in Safe mode.


 

 


 

WINDOWS 98/ME

 

Windows 98/Me includes the System Configuration Utility.  If you can start the computer normally into Windows, this is the easiest--and the recommended way--to restart the computer in Safe mode.

 

To use the System Configuration Utility method

·         Close all open programs.

·         Click Start > Run.  The Run dialog box appears.

·         As shown in this illustration, type msconfig and then click OK.

 

 

 

 

 

·         In the System Configuration Utility, click "Advanced."  (Windows Me will look a bit different than the illustration.)

·         In the Advanced Troubleshooting Settings dialog box, check Enable Startup Menu, as is shown here.  Click OK.  Click OK again when the System Configuration Utility reappears.

 

 

 

 

 

 

 

 

 

 

 


 


 

·         You will be prompted to restart the computer.  Click Yes.  The computer will restart in Safe mode.  (This can take several minutes.)

·         Perform the troubleshooting steps for which you are using Safe Mode.

·         When you are finished with troubleshooting in Safe mode repeat steps 1-6, but in step 5, uncheck "Enable Start-up Menu."

·         Close all programs and restart the computer as you normally would.

To use the F8 method

·         Restart the computer.

·         As the computer restarts, press and hold down the F8 key until the Windows 98 startup menu appears.

·         Choose Safe mode from the startup menu, and then press Enter.  Windows starts in Safe mode.

 

 

 

 

 


 

WINDOWS 2000

Windows 2000 does not include the System Configuration Utility.


Note: Some IT departments or computer manufacturers may include the System Configuration Utility as part of a custom Windows 2000 installation.  They could include either Windows 98/Me or Windows XP version as either will run on Windows 2000.  (This use of the System Configuration Utility is not supported by Microsoft.)  If you can start Windows 2000 normally, and the System Configuration Utility is installed on your computer, follow the instructions for Windows 98/Me or XP (depending on your version).  Otherwise, continue with the instructions in this section.


 

To use the F8 method

·         If the computer is running, shut down Windows, and then turn off the power.

·         Wait 30 seconds, and then turn the computer on.

·         When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.  The Windows 2000 Advanced Options Menu appears.

·         Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.  (If it is not selected, use the arrow keys to select it.)

·         Press Enter.  The computer then begins to start in Safe mode.  This can take a few minutes.

·         When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.


 


 

WINDOWS XP


Note 1: Due to the nature of Safe mode in Windows XP, it is not possible to install software while in Safe mode.

Note 2:  When you finish the troubleshooting or removal procedure, if you are using the first (recommended) method, you must reenable Normal mode.  Until you do this, the computer will continue to start in Safe mode.


 

Windows XP includes the System Configuration Utility. If you can start the computer normally and get into Windows, this is the easiest--and the recommended way--to restart the computer in Safe mode.

To use the System Configuration Utility method

·         Close all open programs.

·         Click Start, and then click Run. The Run dialog box appears.

·         As shown in this illustration, type msconfig and then click OK.

 

 

·         The System Configuration Utility appears, as shown in the following illustration. Check the "/SAFEBOOT" option, and then click OK.

 

 

 

 

 

 

 

 

 

 

·         Click Restart when prompted.

·         The computer restarts in Safe mode. (This can take several minutes.)

·         Perform the troubleshooting steps for which you are using Safe Mode.

·         When finished with Safe mode troubleshooting, repeat the first 5 steps, but uncheck "/SAFEBOOT".

·         Close all programs and restart computer as you normally would.



To use the F8 method
Use this method only if Windows XP is the only operating system installed on your computer.

·         Start Windows, or if it is running, shut Windows down, and then turn off the computer.

·         Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.

·         As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

·         Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


 

WINDOWS AS PART OF A MULTIBOOT SYSTEM

Use this method ONLY if you have multiple operating systems installed on your computer.

·         Restart the computer.  The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS).  What is displayed depends on the BIOS manufacturer.  Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.

·         When the Boot loader menu (list of the available operating systems) appears, use the arrow keys on the keyboard to select the version of Windows that you want to start in Safe mode.

·         Press Enter, and then immediately begin tapping the F8 key.  The Windows Advanced Options menu appears.

·         Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


 


 

Manually Remove Programs using Control Panel

 

 

 


 

 

 



 

 

 

 

 


 

CWshredder

The folks at http://www.thespykiller.co.uk/ are pretty sure now that CoolWebSearch is part of a new strain of trojans that have recently been identified as having one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.

 

We strongly recommend you read Microsoft’s MS03-011 Security Bulletin for information on how to install the software patch.  If you have Windows XP with Service Pack 1a, your system has no MS Java VM.  Information on removing the MS Java VM completely, and replacing it with the newer, safer Sun Java VM can be found here.

Also, some of the affiliates (such as Search-Meta) use another Java exploit to install their malware. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from Microsoft’s MS00-075 Security Bulletin.

 

As always, it's a good idea to keep your system up-to-date from WindowsUpdate!!


 

 

 

 



 

 


 

Spybot S&D

Once you have started Spybot-Search & Destroy, you can immediately start scanning.

 

After you have started the program, you will already see the scan screen. If not, please select Search & Destroy in the Spybot-S&D section in the toolbar to the left.

 

The search screen contains a toolbar with the most important options (you can move this toolbar between the top and bottom position if you want). Let's start a scan: please press the Check all button.

 

You will see the scan progress in the status bar at the bottom of the window (the right-most section displays the estimated time left), and can stop the progress at any point by pressing the Stop check button that has just appeared (it will vanish again once the check has finished).

 

If the scan has found something, the list will show it. There are three basic kinds of results:

 

Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is pre-selected to be fixed.

 

Black entries are system internals. If you do not know what they mean, I would suggest either leaving them alone or visiting the support forum.

 

Green entries indicate usage tracks. It can do no harm to remove these.

 

For most problems more information is available. If you select a problem in the list, the button Description of this product should be available in most cases. Press it to read about what kind of threat you have found.

 

You can now select the problems you want to fix, by clicking the checkbox before each one, or by selecting all using the button Select all problems (this button will only be available in advanced mode, by enabling the expert button setting). More selection options are available if you look into the context menu (by right-clicking a problem). The context menu will also allow you to exclude single problems or whole products from further scans (you may later change the exclude settings from the Excludes section).

 

Once you are sure you have selected what you want to be removed from your computer, press the Fix selected problems button. You will see the fixing progress at the bottom status bar.

 

If problems cannot be fixed now (because they are still loaded and can't be terminated, for example), Spybot-S&D offers to run on next system start, so you can check and fix again.

 

Should you notice at any later point that you have removed more spyware than you wanted, you can always restore it from the Recovery section.

 

You can also fine-tune your scan options by selecting special filesets and changing some settings.

 



 


 

 

 

 

 


 


AdAware 6

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

 

Then make sure the following settings are switched on (ON = green).

From the main window, click "Start", then "Activate in-depth scan".

Click "Use custom scanning options" > "Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

Now, to scan, just click the "Scan" button.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press Next and answer Yes to the prompt asking whether you want to remove all these entries.

Reboot again.

Then post a new HijackThis log to check what is left.

 


 

 

 


 

MRU Blaster

MRU-Blaster is a program made to do one large task - detect and clean MRU (most recently used) lists on your computer.  These MRU lists contain information such as the names and/or locations of the last files you have accessed.  They are located ALL OVER your registry, and for almost ANY file type.  By looking at these MRU lists, someone could determine what files you opened/saved/looked at, what their file names were, and much more!  And, in many cases, the lists are displayed in drop-down menus automatically.

 

With additional plug-ins that allow you to clean out your Temporary Internet Files and Cookies, MRU-Blaster enhances the protection of your privacy!

 

MRU-Blaster is a privacy cleaning tool that quickly scans your computer for MRU (most recently used) entries, cookies and Internet cache files and removes unwanted files on request. Additional features include cookie cleaning with exclude option, secure file deletion, index.dat file deletion and more. Freeware. For Windows 98/ ME/ 2000/ XP.


 

 



 


 

Spyware Blaster

 

 

 


 


Norton WinDoctor

 

 


 

 


Internet Explorer


 

 

 

 

 


MSCONFIG

The System Configuration utility automates the routine troubleshooting steps that Microsoft Product Support Services Support Professionals use when they diagnose system configuration issues. When you use this tool to modify the system configuration, you can select check boxes to eliminate issues that do not pertain to your configuration. This process reduces the risk of typing errors that can occur if you use a text editor such as Notepad. You must be logged on as an administrator or as a member of the Administrators group to use the System Configuration utility.

 

To start the System Configuration utility, click Start, click Run, type msconfig in the Open box, and then click OK.

 

When you use Msconfig.exe, you can easily reset or change the configuration settings in Windows to include preferences for the following files and settings:

 


To prevent any of these items from loading when you restart the computer, use either of the following methods:

The following settings apply to these options:

NOTE: Clearing the Load System Services check box disables Microsoft services (for example, Networking, Plug and Play, Event Logging, and Error Reporting) and permanently deletes all restore points for the System Restore utility. Do not do this if you want to retain your restore points for System Restore or need to use a Microsoft service to test a problem.

Before you begin a troubleshooting session, you can use the System Configuration utility to initiate a System Restore operation. To do this, click the General tab, and then click Launch System Restore. You can then create a restore point that you can use to restore your computer to a previous state.

 

To prevent individual items or lines from a specific configuration file from loading when you restart your computer, click the tab for that particular configuration file, and then click to clear the check box for the individual line or item that you do not want to load. Check boxes that are unavailable on the SYSTEM.INI and WIN.INI tabs indicate that the lines are temporarily removed by the System Configuration utility.

NOTE: When you click to clear a check box for an item or a line, the Selective Startup option (on the General tab) is automatically selected.

After you make the selections that you want, click OK, and then restart the computer when you are prompted to initiate the changes.

 

To extract individual Windows files directly from the cabinet files, click the General tab, and then click Expand File.

 

To verify that all of the configuration files and all of the items that are listed in those files are loaded when you restart your computer, click the General tab, and then click Normal startup.

 

REGEDIT

The registry can be a very dangerous place for the inexperienced to dabble in.  I included a screenshot of it here only to remove some of the mystery about the registry.  Although manually searching and editing the registry is a necessary step for thorough Spyware removal, editing the registry is beyond the scope of this document.  Please leave this to the Spyware removal programs, which will automatically do most of it for you anyway; otherwise call a qualified technician, because a mistake here can be as bad as not being able to boot your computer to Windows.

 

The Microsoft Computer Dictionary, Fifth Edition, defines the registry as:

 

A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.

 

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.

 

The Registry replaces most of the text-based .ini files used in Windows 3.x and MS-DOS configuration files, such as the Autoexec.bat and Config.sys.  Although the Registry is common to several Windows operating systems, there are some differences among them.  Registry data is stored in binary files.

 

See Microsoft Knowledge Base Article 256986 for a Description of the Microsoft Windows Registry.

 

Manually delete items in msconfig:

·        HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg

Deleting Stubborn Desktop Folders

·        HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace

Manually Remove Programs from the Add/Remove Programs List:

·        HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

 

·        HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

·        HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

·        HKLM\Software\Microsoft\Shared Tools\MSConfig\startupfolder

 

·        HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg

 

·        HKCR\Applications
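
A read-only way to review the startup keys listed above without editing anything: export them from Regedit and parse the exported text. This Python example is added here and is not part of the original guide; the sample export, the entries "Updater" (upd32.exe) and "OldToolbar", and the "suspect" folder hints are constructed assumptions.

```python
import re

# Autostart locations named on this page, spelled as they appear in a .reg export.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Items unticked in msconfig are parked in subkeys of this key (value "command").
MSCONFIG_DISABLED = (
    r"hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg" + "\\"
)
# Assumption of this example: launch paths under these folders deserve a closer look.
SUSPECT_HINTS = ("\\temp\\", "\\temporary internet files\\")

# Matches "name"="data" or @="data"; inside the quotes, \\ and \" are escapes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(text):
    """Turn the export's escaped backslashes and quotes back into plain characters."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_autostarts(reg_text):
    """Return one dict per startup entry found in the text of a .reg export."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key section begins
            continue
        match = _VALUE_RE.match(line)
        if match is None or key is None:
            continue                  # header, blank line, dword:/hex: value
        name = "(Default)" if match.group(1) is None else _unescape(match.group(1))
        command = _unescape(match.group(2))
        low = key.lower()
        if low in RUN_KEYS:
            state = "enabled"
        elif low.startswith(MSCONFIG_DISABLED) and name.lower() == "command":
            state, name = "disabled-by-msconfig", key.rsplit("\\", 1)[1]
        else:
            continue                  # not one of the startup locations
        suspect = any(hint in command.lower() for hint in SUSPECT_HINTS)
        entries.append({"key": key, "name": name, "command": command,
                        "state": state, "suspect": suspect})
    return entries


# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\upd32.exe"
"SomeFlag"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\OldToolbar]
"command"="C:\\Program Files\\OldToolbar\\tb.exe"
"hkey"="HKLM"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
'''

if __name__ == "__main__":
    for entry in parse_autostarts(SAMPLE_REG):
        flag = "CHECK" if entry["suspect"] else "     "
        print(flag, entry["state"], entry["name"], "->", entry["command"])
```

To use it on a real machine, export the keys from Regedit and pass the file's text to parse_autostarts; Regedit's version 5.00 exports are UTF-16, so open the file with encoding="utf-16".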

 

 

 

TASK MANAGER

 

 


 

 


EMERGENCY MSCONFIG, REGEDIT, and TASK MANAGER

As I mentioned before, when your computer is severely infected with Spyware, you are probably infected with a virus or trojan as well.  Unfortunately, this can sometimes cause a Catch 22 if you are infected with a virus that disables Msconfig, Regedit, or Task Manager, three very important System Utilities that viruses often target, utilities that you need to manually clean things up with.

 

The symptoms are that when you open the System Configuration Utility (msconfig), Registry Editor or Task Manager, they flash for a second and then quit.  Even extracting new copies of these files with the same name will not help.  One quick workaround is to rename the files and run them, or you can download the Emergency Msconfig, Regedit, Task Manager Utility for WinXP from Doug Knox.

The following viruses are known to cause some or all of these problems, and one even disables Norton Antivirus.

 

·         W32.HLLW.Kefy

·         W32.HLLW.Cydog@mm

·         Backdoor.IRC.Yoink.A

·         Backdoor.Volac.dr

·         W32.Kwbot.R.Worm

·         W32.Spybot Worm

·         W32.Petch.B

·         W32.HLLW.Maax.b@mm

·         W32.Klez

·         W32.Yaha

 

DOUG KNOX’s EMERGENCY MSCONFIG, REGEDIT, TASK MANAGER UTILITY

This small VB 6 utility will create a usable backup copy of Taskmgr.exe, MSConfig.exe and Regedit.EXE in a new folder, called C:\EmergencyUtils.  The new copies will be named Taskmgr1.exe, MSConfig1.exe and Regedit.com.

These programs are extremely helpful, and usually necessary in helping to rid your computer of a viral infection.  Many virus programs will intercept these programs, based on their original file name, and prevent them from running.  The alternate copies will not encounter this problem.  Simply navigate to the C:\EmergencyUtils folder and double click the file you need to run.

To use: Download the xp_emergencyutil.zip file and save it to your hard drive. Double-click the xp_emergencyutil.zip file and extract xp_emergencyutil.exe to your hard disk.  To run the EXE just double click it, there is no installer.  You will have the option of running the programs automatically, after the copies are created.

Operating Systems: Windows® XP and Windows® Server 2003 only.  Requires VB 6 Runtime Libraries, included in Windows® XP.

http://www.dougknox.com/xp/utils/xp_emerutils.htm                     (download web page)

http://www.dougknox.com/xp/utils/xp_emergencyutil.zip  (direct download)

 

Programs Startup Folder

 

 

 

 

 

Disk Cleanup

 

 

You might also clear out your TEMP folders:

Click Start -> Run, type %TEMP% and press <ENTER>.  This is your profile's temporary folder location.  All files can be deleted here, but not the containing folder.  Some files may be in use, so an error may be generated but can be ignored.  Repeat the process with %SYSTEMROOT%\TEMP as well.

 

Qualys

Qualys' Free Browser Checkup is a series of audits designed to test and fix your browser's security vulnerabilities.  Qualys services hundreds of companies—including Adobe, Apple, Bank of the West, British Telecom, HP and Tower Records—for their Network Security.

This application supports only Microsoft Internet Explorer on the Windows operating system.  To get started, click Qualys Browser Checkup and then click the “Get Started” button to see what intruders could learn about you through your browser.  These tests automatically assess your browser for selected vulnerabilities and then offer you the most up-to-date patches from Microsoft, when available.

 

 


 

 


Links to Spyware Information Sites


 

·        Windows Startup Online Repository

 

·        Cookie Central

 

·        The SpyKiller

 

·        PC Hell

 

·        Spychecker

 

·        Spyware Warrior

 

·        Spam Inspector 4

 

·        Qualys Browser Checkup

 

·        Microsoft Trustworthy Computing - Spyware and Deceptive Software

 

·        Microsoft Security – Protect Your PC

 

·        Microsoft Knowledge Base Article  827315 - Unexplained computer behavior may be caused by third-party software

 

·        Black Viper's Windows XP Home and Professional Services Configurations

 

 

Downloadable Products for Sale


 

Pest Patrol

PestPatrol™ is a powerful security and personal privacy tool that detects and eliminates destructive pests like spyware, adware, trojans and hacker tools. It complements your anti-virus and firewall software, extending your protection against non-viral malicious software that can evade your existing security and invade your personal privacy.

 

$39.95

Click here to order

You will be able to download the product immediately after ordering!

 

Personal Experience: If you have been persistent in your search for free software to deal with the Adware and Spyware objects that are causing you to be barraged by Pop-Ups, hopefully you found out about Spybot Search and Destroy and AdAware 6.  Although I highly recommend and still use them myself, they only detect a fraction of what Pest Patrol does.  On the other hand, you might even pay more for another product that makes bold claims, but buyer beware, there are several rogue products on the market.

Dale Powell

 

Note: You can download a free evaluation version to see for yourself how effective Pest Patrol is, but it will only detect pests currently hidden on your system.  If you want to remove them, you need to purchase a license for the full-function software.

 


 

 

DiamondCS TDS-3

First released in 1997, TDS (Trojan Defence Suite) is one of the longest established anti-trojan programs in existence and today is widely considered to be the most powerful and comprehensive anti-trojan program by the Internet security community. It is the only anti-trojan program that has free daily database updates and is the only anti-trojan program supported by a fulltime team of dedicated internationally recognised anti-trojan professionals including Wayne Langlois, Gavin Coe and Jason Annice. You can even talk to them at the forum!

WARNING: Trojans are NOT viruses! Anti-virus scanners are unable to detect or deal with trojans at the same level TDS can.


 


 

$49.00

Click here to order

You can download the product immediately. Registration code and instructions will be delivered to you by e-mail.

Personal Experience: I’ve been using Norton AntiVirus for years and never once did it detect the Password Recovery Utilities I have on my hard drive (which should have been detected as trojans).  I use these utilities for a legitimate purpose to help my customers recover forgotten passwords.  Some website owners abuse such programs and introduce them into your computer as a Trojan without your knowledge to steal your passwords when you are online.  TDS-3 is the only program that was able to find such difficult to detect Trojans.  Try TDS-3 free for 30 days, but I highly recommend purchasing the full registered version of this product.

Dale Powell

 

Note: The evaluation version of TDS is time-limited to 30 days and missing some features.

 


 

 

Advanced Startup Manager

When Windows starts up, it automatically launches a number of programs for you. Advanced StartUp Manager is a program that allows you to control what programs run at system startup when you turn on or log on to your computer. It supports the Registry, StartUp folders in the Start menu and the Win.ini file. Advanced StartUp Manager helps you handle problems with programs that are automatically launched at startup by listing them and letting you disable, enable, delete them and so on. You can save the list of programs that are currently enabled or disabled as a profile that can be restored at a later time. This option is useful when you want to test several startup configurations.

The main features of the program are: 

·	Comfortable graphical user interface with categories tree 
·	Clipboard operations with programs 
·	Ability to temporarily disable autostarted applications
·	Multiple backup configurations support 
·	Start and stop of all programs from startup manually 

 

 


 

$19.95

Click here to order

You can download the product immediately.  Registration code and instructions will be delivered to you by e-mail.

Personal Experience: I am constantly searching for, editing, and deleting keys in the Windows Registry, especially for keys associated with malicious programs.  This program automates what I used to do manually and even has a built-in backup feature to set up different startup profiles.

Dale Powell

 

Note: The evaluation version of Advanced Startup Manager is time-limited to 30 days.

 

WinTasks 4

In the recesses of your computer, 20-30 invisible processes run silently in the background. Some hog system resources, turning your PC into a sluggish computer. Worse yet, other useless processes harbour spyware and Trojans - violating your privacy and giving hackers free rein on your computer. WinTasks 4 can stop all of this now - you can ferret out these useless processes and make your computer run safer and faster.

The perfect complement to firewalls and anti-virus software, WinTasks gives you complete control over all processes running on your personal computer. Based on years of research, this award-winning product gathers detailed information on all running processes. WinTasks then gives you simple explanations for thousands of programs - allowing you to remove useless resource hogs and security threats - in just a few clicks.

While firewalls and anti-virus software provide your first line of defence, WinTasks helps you stop the security threats already lurking among the processes running on your system. By providing a wealth of real-time information, combined with simple explanations for thousands of processes, WinTasks makes locating and stopping unwanted processes a snap!
·	Real-time process information - Stay in control - Know what processes are running on your PC!
·	Process descriptions - You don't have to tolerate security threats and spyware any longer - stop them now! 
·	Instant termination of any process - Protect your personal privacy by removing Trojans, spyware, and other unwanted programs. 
·	Activity logging - Hackers don't have a prayer - monitor your system 24x7 to make sure they are not using your computer for illegal activities. 
·	Built-in scripting language - WinTasks puts the power in your lap - create your own scripts to monitor and control all running processes.

 

 

$29.95  (Standard)

Click here to order

 

$39.95  (Professional)

Click here to order

 

One major difference between Standard and Professional is that the Professional edition has the ability to create custom scripts to automate the process of optimizing the use of important resources (i.e., prioritizing).

Personal Experience: While I like the simplicity of the Advanced Startup Manager, WinTasks 4 Professional goes above and beyond by actually providing information about the running processes.  As a technician, I’m familiar with many of the required processes for numerous applications, but it sometimes takes some internet research with websites such as Pacman’s Portal or the Windows Online Startup Repository to find out what these processes are.  You really need to know if they are necessary or not, so you can decide whether to end, or not to end.

Dale Powell

 

 


 

Spam Inspector 4

Spam Inspector offers award winning spam protection integrated directly into Outlook, Outlook Express, Eudora, IncrediMail and Hotmail giving you the power to CLEAN your inbox, PROTECT your family, and FIGHTBACK against spam.

Spam Inspector’s powerful spam filtering engine quickly identifies and separates the hazardous and annoying spam from your legitimate email. Based on personal and global learning networks, Spam Inspector adapts itself to your email automatically, filtering out all of the junk mail with close to 100% accuracy. No adding rules, no complex training, no forcing your friends and colleagues to jump through hoops to communicate with you.

Using Statistical, Natural Language Semantics, and Bayesian filters, Spam Inspector has the most complete and most accurate spam filters available. Simply installing it gives you 99% accuracy in eliminating spam, and over time the Spam Inspector automatically learns from your incoming emails and input, training itself to become almost 100% accurate in blocking and stopping incoming spam.

SPAM INSPECTOR FEATURES:

·	Award winning spam blocking technology
·	Integrated directly into Outlook, Outlook Express, Eudora, IncrediMail and Hotmail
·	Automatically removes close to 100% of unwanted and offensive email
·	Protects your privacy by removing tracking bugs from email
·	Parental Controls hides and deletes offensive images from pornographic spam
·	Alerts you to hazardous virus containing emails
·	Protects you from illegal email scams and threats
·	Self learns based on your incoming email
·	Updates filters based on global reports automatically
·	Blocks foreign language spam
·	Filters email from multiple email programs, and email accounts
·	Unique filtering profiles per user or family member
·	Automatically approves senders from Address Books, Contacts, and Sent Items
·	Powerful spam reporting to government agencies and ISPs
·	Bounces spam back to the sender
·	Alerts you when it is safe to unsubscribe from junk email lists

 

 

$29.95

Click here to order

 

 

 

 

 

GLOBAL LEARNING NETWORK & AUTOMATIC SPAM DEFINITION UPDATES

Based on the over 200,000 users currently using the Spam Inspector, the Spam Inspector Spam Learning Network is a global response system to stopping new spam and virus attacks.

 

FOREIGN SPAM BLOCKING

Allows you to select what senders to accept email from, blocking up to 40 foreign character sets, and 200 foreign country domains.

 

PROTECT YOUR COMPUTER AND EMAIL PRIVACY

Spam has changed from a simple annoyance to a computer and privacy threat. Recent studies have estimated that over 90% of all spam includes tracking bugs, that watch and notify the sender when you read their mails. Spam Inspector's intelligent protection agent automatically removes all tracking and privacy bugs, allowing you to handle your email with confidence you are not being watched.

 

GET INVOLVED IN THE FIGHT AGAINST SPAM
With the click of a single button Spam Inspector will analyze the email message and routing information and notify up to 10 different Email and ISP administrators whose email servers or networks were abused by the spammer, and over 10 different government and spam abuse organizations that actively track and prosecute illegal and offensive email activity.

 

BOUNCE SPAM EMAILS BACK TO WHERE THEY CAME FROM

Get spammers to take you off their lists by tricking them into believing your email address is INACTIVE, and NOT A VALID EMAIL ADDRESS.

 

Simply installing Spam Inspector gives you the power to CLEAN YOUR INBOX, PROTECT YOUR FAMILY AND COMPUTER, AND FIGHTBACK AGAINST SPAM. Download a free copy today and learn why Spam Inspector is the most recommended product available for fighting spam. 

 

Note: The FREE trial will provide you with the complete Spam Inspector™ functionality in order for you to demo the product for 15 days before making your purchase decision.


 
