
THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
Last Updated November 21, 2008 (Version 10.2)



We are in an ongoing parasite epidemic! Adware, spyware, hijackers, badvertising, automatic diallers, betrayware, social network exploitation, and a variety of other web-delivered invasions and exploits — they represent today a much larger security threat than viruses, and cause a lot more general computer problems. You need to know what’s out there, how to identify it on your computer and remove it, and how to protect yourself against more in the future.


RESULTS NOW, THEORY LATER?

Did you come here to get rid of parasites quickly, and really don’t have time to sort through a lot of background information and the fine points of parasite fighting? Jump immediately to the Anti-Parasite Quick Fix section. (Then come back here for depth and finesse at your leisure!)


WHAT ARE PARASITES?

Call it what you may, depending on small differences in the function of the malicious code — adware, spyware, hijackers, automatic diallers — some of it intentionally if misguidedly installed, some of it foisted on you without your awareness — these invaders don’t qualify as viruses but, at least in a few cases, they are more destructive and compromising of your privacy and your computer security than actual viruses.

What can they do? Some of them just try to foist pop-up ads at you, or redirect your browser to pages of their choosing. Some of them track your Web movements or, more seriously, capture other information from your computer and “phone home” to their creators with the data. Some of them offer you free enhancements to your operating system or browser — extra toolbars, special buttons, “enhanced” search capabilities (translation: the right for them to foist paid advertising on you). Most of them are badly written so they end up compromising the performance of your computer and, especially, of browser and email functions. Diallers take over the dial-up function on your computer and call a long-distance number of their choosing instead of the ISP dial-up connection you have chosen — and then charge you for the long distance phone call!

The formal name for these invaders is unsolicited commercial software — the spam of downloads! The most useful one-word label to distinguish them from viruses is parasites. Most of the time, I prefer to call them scumware.

Certainly compromised privacy is the most threatening feature of these programs. However, the most noticeable problem in most cases is impaired computer functioning. If there is a serious browser problem not related to a bad or damaged browser install, interrupted connectivity, failing hardware, or user error, 90% of the time the problem will be the result of one of these parasites. If you’ve ruled out the obvious in troubleshooting browser failures or sudden (in contrast to gradual) serious slowing of your computer, checking for parasites should probably be your next diagnostic step.

Consider this: Whenever a new error condition appears on your computer, it is almost certain that there was some change to the computer soon before the problem began. It might be a change to hardware, to the operating system, or to software. The change might be an addition or installation, a removal or uninstall, or a configuration change — but there is almost certainly something that changed. End-users, when asked what they changed on their computers just before a problem appeared, often will insist that they didn’t change anything — they didn’t add or remove software, add or remove hardware, etc. Sure, they could have forgotten or there could be an unsuspected hardware failure. Generally, though, the fair question is:

If you didn’t make any changes to your computer, then... who did?

The answer, much of the time, is that there was an involuntary change caused by a virus or parasite.

One powerful description of the horrid effect of this scumware on an end-user was written by Terry McDermott, a decorated veteran news writer specializing in international terrorism. He took up the topic of scumware in a front page Los Angeles Times article, Breaking, Entering Your Computer, on spyware in general, and the efforts of Aumha.org / Windows Support Center in battling it.


SPECIFIC PROBLEMS FROM PARASITES

In its first major endeavor to address the parasite problem in its Knowledge Base, Microsoft, in April 2004, published KB article 827315, Unexplained Computer Behavior May Be Caused By Deceptive Software. Though the article takes a naive and limited approach to identifying and removing parasites, it does provide a superb list of some of the problems that have been definitely traced to scumware:


PROTECT YOURSELF

A sound basis for personal computer security rests on the following five points:

  1. User education. The best security measures begin on the space-bar side of your keyboard. Equip yourself with basic security information. As a start, see the links in the “Security Links” section of my Parasites, Viruses & Other Security Issues page.
  2. Security patches & other critical Windows and MS Office updates. Be sure you are up-to-date on security patches. Microsoft rolls out new patches (when warranted) on the second Tuesday of every month. On current versions of Windows, you can set your computer to automatically notify you of any new Windows updates; otherwise, check manually on the second Wednesday of every month. Install all CRITICAL UPDATES immediately — the risk of a rare bad update is much less than the security risk of not installing.
  3. Antivirus protection. A top-grade anti-virus program, with frequently updated virus definition files, running in real time should be basic to every computer in use today. (You do not need to have the virus checker monitor email, and I recommend you turn this feature off. The antivirus program will identify any virus at the time you open the email, and having it check all email going in and out not only is unnecessary and relatively fruitless, but often will slow down or hang your computer.)
  4. Firewall protection. Every PC with Internet access should have a personal firewall installed and running. It should be bidirectional, tracking both outbound and inbound traffic. Unless you have a hardware firewall in place, install and run personal firewall software.
  5. Parasite protection, which is the subject of this present page.

Most people have learned to protect themselves from viruses, and more people are seeing the wisdom of a firewall all the time. Now, finally, more people are also taking those further steps necessary to protect themselves against the nonviral malware that I’m calling parasites or scumware.

In addition to increased awareness, common sense, and general prudence, here are the steps I recommend for protecting your system from these bugs:


IE-SpyAd — Wear a condom!

Add prophylactic protection to filter your computer from catching something in the first place. Several products purport to do this. Enthusiastically, I recommend Eric L. Howes’ free IE-SpyAd as a primary supplement to the necessary antivirus and firewall protection you already should have to fight viruses.

How effective is it? On my Windows XP computers, it is the only software prophylaxis I personally use against scumware, and my system is almost 100% parasite-free. That means that more than 99% of the time, my system is 100% parasite free. (A rare new parasite sometimes may find its way onto my computer before I update.) If I want to test a new anti-parasite tool, I have to remove IE-SpyAd or it is a waste of my time to test the other tool — that’s how good it is.

IE-SpyAd is a simple Registry patch that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted Sites zone of Internet Explorer. No matter what security settings you prefer in IE in general, your browser will automatically switch to maximum security mode when it wanders onto pages that are known to be “high risk” Web environments. I think this has enormous advantages over similar fixes which rely on customizing the Windows HOSTS file, because (1) IE-SpyAd doesn’t really keep you from getting to most pages, it only bars unsafe behavior on those pages, and (2) it leaves the HOSTS file unmolested so that it can be used more effectively for its original uses.

IE-SpyAd is updated a few times a month, and you can edit it as you see fit to add or remove specific items.
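
To see what a Restricted Sites patch of this kind would write before you merge or edit it, the following added example (not IE-SpyAd's own code and not from the original page) parses a .reg file and lists each host by zone. It assumes the standard ZoneMap\Domains registry layout that Internet Explorer uses for zone assignments; the sample file and its domains are constructed placeholders.

```python
import re
from collections import defaultdict

# Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Assumed layout: one subkey per domain (optionally one more per subdomain)
# under this key, holding values such as "*"=dword:00000004.
DOMAINS_KEY = (r"software\microsoft\windows\currentversion"
               r"\internet settings\zonemap\domains" "\\")

SECTION_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg format; every domain here is a placeholder.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads-example.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker-example.test\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected-example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
'''


def zone_assignments(reg_text):
    """Return {zone_number: sorted ['scheme://host', ...]} for every
    ZoneMap\\Domains value found in the text of a .reg file."""
    result = defaultdict(set)
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            host = None
            key = section.group(2)
            idx = key.lower().find(DOMAINS_KEY)
            # A leading "-" means the patch deletes the key; skip those.
            if idx != -1 and not section.group(1):
                parts = key[idx + len(DOMAINS_KEY):].split("\\")
                # Domains\example.test\www describes www.example.test
                host = ".".join(reversed(parts)).lower()
            continue
        value = VALUE_RE.match(line)
        if host and value:
            scheme, zone = value.group(1), int(value.group(2), 16)
            result[zone].add(f"{scheme}://{host}")
    return {zone: sorted(hosts) for zone, hosts in result.items()}


def unexpected_entries(reg_text, expected_zone=4):
    """Entries a Restricted-sites-only patch should not contain,
    for example a host being added to the Trusted sites zone."""
    return sorted(f"{entry} -> {ZONES.get(zone, zone)}"
                  for zone, entries in zone_assignments(reg_text).items()
                  if zone != expected_zone
                  for entry in entries)


if __name__ == "__main__":
    for zone, hosts in sorted(zone_assignments(SAMPLE_REG).items()):
        print(ZONES.get(zone, zone), hosts)
    print("Needs review:", unexpected_entries(SAMPLE_REG))
```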


SpywareBlaster

SpywareBlaster by Javacool Software is a highly-regarded parasite blocking program. I don’t personally use this (except on a test box), but many regard it as the best protection program currently available.

SpywareBlaster provides three types of protection:

  1. It prevents installation of known malicious ActiveX programs – without restricting ActiveX program execution in general.
  2. For IE 6 or later, it blocks browser cookies from known malicious sites – without interfering with desirable cookie use on other sites.
  3. It adds certain known malicious sites to the browser Restricted Sites zone, just like IE-SpyAd – but for a much smaller list of sites.

If you use IE-SpyAd, as I recommend above, then the only SpywareBlaster feature which adds further protection is the first one mentioned: blocking installation of known malicious ActiveX programs. There is no need to enable the other features. However, most people report that there is no problem (for example, no negative performance impact) from running both.

However, one important advantage in SpywareBlaster arises if you routinely use a Mozilla-based browser such as Firefox. The Mozilla group refused to implement the extremely valuable Restricted Sites zone feature of Internet Explorer (making the Mozilla browsers much less secure, in my opinion), so standard tools such as IE-SpyAd will have no effect. In contrast, SpywareBlaster adds at least limited (cookies-based) protection for Mozilla-based browsers.


Backup Your Computer

Another layer of protection, too infrequently mentioned, is a comprehensive backup of your entire computer. Backups remain pretty unpopular among personal computer users, and full system backups are sadly rare outside of professional IT environments. Nonetheless, the ability to fully restore your computer to an earlier state can be an enormous advantage.

There are many different ways to back up the contents of your computer’s hard drives, though imaging software such as Norton Ghost and Drive Image are the most popular. The important points are (1) to back up often – perhaps weekly for most users, more often if you have rapidly-changing valuable content on your computer and (2) back up everything, not just (for example) your data files.

Ultimately, regular full-system backups are the only way I know to protect everything valuable to you on your computer.


What Not To Do

There are some prophylactic things I recommend you not do. Such tools (mentioned below) as Ad-Aware and SpyBot have not only scanning capabilities, but also immunizing or ad-blocking features. I recommend you leave these turned off. This recommendation is based mostly on a “convenience of computer use” point of view. Tools that are excellent for scanning for malware do not necessarily serve as well the separate function of protection. The immunize, ad-blocking, and similar protective features of these programs mostly aren’t needed, don’t do much that is really helpful, and sometimes unnecessarily get in the way of how you use your computer. (If you are running Windows XP Service Pack 2, they really are unnecessary, at best!) There are so many easier and less intrusive ways to protect your computer that I recommend you not risk making your computer life harder with features that don’t really help.

Similarly, when I go to Canter’s Deli — the finest Jewish delicatessen west of Manhattan — I don’t order the enchiladas, even though they are on the menu. I order a corned beef Reuben and a bowl of soup. Just because some place is the best of its kind doesn’t mean you want to order everything on the menu — and the same applies to use of software!

In contrast, the real-time protections in Windows Defender have none of the above problems. This program is included in Windows Vista as a native tool, and can be downloaded and installed on Windows XP — see below.


Other Resources for Protecting Yourself

Here are a few links concerning other steps you can use to keep yourself safe:


Avoid Betrayware!

An honest opponent to your face is one thing — but an enemy masking as a friend and stabbing you in the back is quite another.

In the ever-escalating Scumware War, one of the more insidious classes of weapons consists of programs that put themselves forth as anti-parasite programs — but, in fact, deploy adware and/or spyware themselves! Sometimes this software is free — sometimes they actually charge you money for it! — but all programs in this class lead you to believe they are making you safer, while actually invading your computer as insidiously as any other scumware. If the “Trojan horse” metaphor hadn’t already been adopted to refer to a long-existing category of virus, it would apply to these unfaithful, double-dealing imposters.

I call these programs BetrayWare. I encourage the wide adoption of this candid and indicting term. In the escalating struggle to identify and publicize these Quisling-apps, I recommend Eric L. Howes’ Rogue/Suspect Anti-Spyware Products & Web Sites list of fake spyware removers as the best BetrayWare catalogue.

These treacherous programs play on a prevailing sense of fear and insecurity that has gripped much of America in particular, and somewhat the rest of the world, in recent years. Whether it is fear of invaders of your country on the one hand, or of your computer on the other, the same need for heightened awareness and fear of unsuspected vulnerability has a strong grip on many. One unfortunate reaction to this has been the widespread belief that “you can never have enough protection.” To speak plainly: Bullshit! Layered protection is valuable, but the goal should be to find the least number of steps that will give you maximum protection. There is no such thing as perfect protection. Betrayware spreads by leveraging the belief that maybe adding a few more security programs will close that final gap and make you completely safe. It simply isn’t going to happen. On the other hand, most computer users taking a few basic, well-selected steps will never contract a serious viral or parasitic invader.

Besides, one sure way to slow or strangle your computer is to keep adding and running unnecessary programs. Save your system resources for what you really want to run!

My goal in this page isn’t to encourage you to install and run every single thing I mention. My goal is to inform you of the underlying problem and help you find the fewest and most effective steps that will let you use your computer with a very high degree of comfort and security. Some of you will apply the exact steps I recommend — others will mix-and-match with other people’s recommendations. But I hope you will at least take away this underlying approach of identifying those few steps that are most effective in keeping your computer sufficiently safe and improving your overall computer-using life.


SCAN YOUR SYSTEM REGULARLY

Scan your system regularly — say, once a week, or anytime you suspect a problem — with a high-quality parasite detector. Each of these programs should be updated (just as you would update your antivirus program’s definition file) before each use, including before your first use — they all are frequently adding new information about new parasites. There are three parasite detectors and cleaners that I happily recommend, depending on the sophistication of the person using them. (There are other cleaning tools — these are the only tools for which I’m able to vouch for their safety if used as directed below.)


Ad-Aware SE — recommended for all users
This is one of only two general-purpose parasite detectors and cleaners that I can unconditionally recommend to users of all levels. Not only is it a great program, it is also safe. I have never known Ad-Aware to seriously damage a computer except one time on a highly compromised computer, and then the damage was easily reversible. I can’t say that about other similar programs.

Every one of you should download Ad-Aware, install it, update it, and run it now if you don’t already have it. (On Windows 2000 or XP you will need administrator privileges to run it.)

NOTES FOR USING AD-AWARE: Check for updates every time you run it, including the first time. Make a one-time customization: Click the gear icon at the top, then click Scanning, then click “Scan Within Archives” so that it is green instead of red. Then, to activate this deeper scan feature, when you run Ad-Aware select the option to “Use custom scanning options.” On the same screen, set “Search for negligible risk entries” and “Search for low-risk threats” to be red — I recommend (as a general rule, which might have rare exceptions) that you not remove anything except the critical items found — it would be undesirable to remove some of the negligible objects. In my experience, it is always safe to let Ad-Aware remove any Critical Objects it finds.

FURTHER NOTES: The latest version, Ad-Aware SE, no longer works with Windows 95. Also please note that Ad-Aware, like any cleaning software, at least has the potential of causing serious problems. Though I haven’t encountered such problems, minor issues (such as temporary loss of network or Internet connectivity) have been reported by others in older versions (which you shouldn’t still be running anyway). In the unlikely event that some such problem occurs on your system, open the quarantine list and selectively restore quarantined items.


Windows Defender — recommended for all users
Formerly titled Microsoft Antispyware (in an early Beta version), Windows Defender has emerged as one of the most reliable tools for protecting your system from parasites. I recommend it enthusiastically.

The program is a native component of Windows Vista. It can (and, I think, should) be installed on every Windows XP machine. (Service Pack 2 for Windows XP is required, and you already should have the SP2 update in place for maximum system security.) It is the first and (so far) only program of its kind with complex real-time protection features which I have not found to be invasive and disruptive of my normal computer use. On Windows Vista it is practically invisible. On Windows XP it is noninvasive and nondisruptive in my experience.

Based upon a published study by Eric L. Howes, GIANT AntiSpyware (which Microsoft bought in order to turn it into what is now Windows Defender) was already way ahead of every other similar product in detecting parasites. Subsequently, Microsoft improved it quite a lot.


HijackThis — use with respect and caution!
Not for beginners, but an awesome tool in the hands of an expert that knows his or her way around this subject. HijackThis pulls data from Windows Registry areas that can be used by legitimate and illegitimate programs alike. Therefore, if you just remove everything it finds, you’re almost guaranteed to trash something on your system! But the comprehensive list it generates finds things that none of the other detection tools will find. (HijackThis is also pretty useful in seeing what else your computer is running without your knowledge.)

So, I repeat, I recommend HijackThis only for advanced users. But all users may use it for scan-only. When the previously recommended tools haven’t found the problem, helpers on the AumHa Forums often will ask a visitor to run HijackThis and post the log into the forum for a more detailed analysis. Download a fresh copy of HijackThis periodically. Save it to your Windows Desktop or another convenient permanent location.

NOTES FOR USING HIJACKTHIS: Be sure you have downloaded HijackThis fully (click Save rather than Run on the download box). If you download it as a zip file, unzip it before use (you should be running HijackThis.exe, not HijackThis). Save it to your desktop or another specific location. Close all browser, messenger, mediaplayer, mail client, and Office windows/applications — in fact, close everything that is running — before scanning with HijackThis.

If you want to learn more about what HijackThis is showing you, consult the HijackThis experts’ tutorial on this site, based largely on Merijn Bellekom’s excellent original. Building on this, a more patient beginners’ tutorial on using HijackThis is offered by BleepingComputer.com.

Don’t miss the excellent supplemental tools built into recent versions of HijackThis. Click Config | Misc Tools for a process manager, HOSTS file manager, a tool to delete a troublesome file on the next reboot, and another to delete an NT service. The HOSTS file manager replaces the now defunct stand-alone HOSTS File Reader utility and makes it easy to find, read, and fix the Windows HOSTS file, which is a custom DNS table local to your computer. Many types of parasites hijack this file. Check the HOSTS file if, when you try to go to one Web site, you end up going to another instead! The HOSTS file manager is also helpful with some parasite versions that try to keep you from accessing anti-parasite Web sites — they use HOSTS file manipulation to do this. NOTE: The location of your default HOSTS file is stored in your Windows Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the value DataBasePath. The value should be %SystemRoot%\System32\drivers\etc in Windows 2000/XP, and %SystemRoot% in Windows 95, 98, or ME.
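
The two HOSTS symptoms described above (a site name sent to the wrong address, and anti-parasite sites blocked) can be checked mechanically. This is an added example, not part of HijackThis or the original page: it audits the text of a HOSTS file and compares a DataBasePath value, read by hand from the Registry, with the defaults given above. The sample file, the domain names, and the watchlist are constructed placeholders.

```python
import ipaddress

# Default DataBasePath values as stated in the text above.
EXPECTED_DATABASE_PATH = {
    "nt": r"%SystemRoot%\System32\drivers\etc",  # Windows 2000/XP
    "9x": r"%SystemRoot%",                       # Windows 95, 98, ME
}

# Constructed sample HOSTS file (addresses are from documentation ranges).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.banner-example.test       # ordinary blocking entry
203.0.113.45    www.search-example.test search-example.test
127.0.0.1       www.cleaner-vendor.example
0.0.0.0         update.cleaner-vendor.example
"""


def database_path_ok(value, family="nt"):
    """True if the DataBasePath value still points at the default folder."""
    expected = EXPECTED_DATABASE_PATH[family]
    return value.strip().rstrip("\\").lower() == expected.lower()


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in the file."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:               # one line may list several names
            yield number, fields[0], name.lower()


def audit_hosts(text, protected_domains):
    """Return findings as (line_number, kind, hostname, ip).

    kind is one of:
      redirect               name forced to a non-loopback address
      blocked-security-site  watchlisted name pointed at loopback/0.0.0.0
      localhost-remapped     localhost no longer points at loopback
      malformed              first field is not an IP address
    Plain loopback entries for other names are treated as ordinary
    ad-blocking entries and are not reported.
    """
    watch = [d.lower() for d in protected_domains]
    findings = []
    for number, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((number, "malformed", name, ip))
            continue
        sink = addr.is_loopback or addr.is_unspecified
        if name == "localhost":
            if not addr.is_loopback:
                findings.append((number, "localhost-remapped", name, ip))
            continue
        protected = any(name == d or name.endswith("." + d) for d in watch)
        if sink and protected:
            findings.append((number, "blocked-security-site", name, ip))
        elif not sink:
            findings.append((number, "redirect", name, ip))
    return findings


if __name__ == "__main__":
    # Hypothetical watchlist: domains of the security tools you rely on.
    for finding in audit_hosts(SAMPLE_HOSTS, ["cleaner-vendor.example"]):
        print(finding)
    print(database_path_ok(r"%SystemRoot%\System32\drivers\etc"))
```

A "redirect" finding is a prompt to review the entry, since some networks add legitimate mappings for internal machines.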


Other Free Tools to Consider

Plenty of other freeware tools are available to supplement the foregoing. As security-awareness grows among computer users, particular programs are developing their own strong followings. For a list of freeware that I don’t use, but which site visitors have recommended, see my Other Recommended Freeware page — see the Security heading in the menu at the left.


MORE SPECIAL TOOLS

In addition to the foregoing list of primary tools, there are “tools of the trade” that are helpful in particular situations. Most require some discrimination, so don’t be reckless. Here are some especially useful ones:

About:Buster
A specialty tool for the About:Blank or Home Search Assistant parasite family. (Many old versions are floating around — be sure you have the current version.) You will need this tool only in one particular situation: if your HijackThis log has R0 or R1 entries in the form of res://C:\WINDOWS\somename.dll/sp.html#number (the .DLL filename and the number at the end will vary). If this occurs, do the first two steps of the QuickFix Protocol below then boot to Safe Mode and run About:Buster. Say yes to everything it asks to do. Keep running it until it stops finding things to remove. Finally, do all other cleanup (usually via HijackThis) which is warranted for your situation. If the HijackThis log has se.dll entries instead of the sp.html form mentioned above, you need to use a slightly different tool instead: SpSeHjfix. Download this zip file and extract it to your desktop. Go off the Internet and close all running programs. Run SpSeHjfix, then run the latest version of CWShredder. Follow with general HijackThis cleanup. (If you are getting assistance on a forum, provide the SpSeHjfix log.)
ADSSpy
By Merijn Bellekom. Identifies, and allows you to remove, Alternate Data Streams (ADS), a variety of hidden information attached to many types of file which are not visible in Windows Explorer; nor does Windows report the space they take up as file size. Many parasites are now using ADS but other current tools don’t reliably identify them. Additionally, there will surely be legitimate ADS use in many files on your computer, so you should use the Remove feature of this tool cautiously.
Advanced Process Manipulation (APM)
By Diamond Computer Systems. An extremely sophisticated freeware tool for viewing and manipulating processes running in Windows NT, 2000, or XP, including tracking all modules running secondary to a given process. Useful for unloading stubborn and hidden files in some especially difficult antiparasite and antivirus recovery situations.
CWShredder
Originally by Merijn Bellekom, now owned by Trend Micro. It targets many variants of the widespread CoolWebSearch adware/hijacker. (Many newer variants of CWS exceed the reach of this older tool). Learn about CoolWebSearch in The CoolWebSearch Chronicles by Merijn Bellekom. If you have the CWS variant that removes the General tab of Internet Properties, remove the parasite then use MS-MVP Kelly Theriot’s patch to restore the tab. If CWShredder freezes or hangs, clear your Temp and Temporary Internet Files caches and try again; if the problem persists, use the CWS.SmartKiller utility below.
DelDomains
By MS-MVP Mike Burgess. This deletes all entries in the Trusted Zone and Restricted Zone lists. To run it, download it to your desktop, right-click on it, and select Install. That’s all. NOTE: If you are using IE-SpyAd as I recommend above, you will need to reinstall it after running DelDomains.
IBProcMan
The name stands for Itty Bitty Process Manager. This tiny stand-alone tool by Merijn Bellekom is the same one he built into HijackThis. However, it is harder for smart Trojans to detect and defeat it because of certain coding precautions. Very useful in tough cases!
Killbox
Another highly regarded tool for deleting stubborn files. Allows you to specify a file to be deleted (or replaced) on next reboot.
RestrictApp
By MS-MVP Ramesh Srinivasan. Blocks a program from loading at startup if it is launched from a Run or RunOnce Registry key. A crucial tool for removing (for example) TV Media — block TVM.EXE then reboot and delete the TV Media folder in Program Files.
RootkitRevealer
By SysInternals. RootKits are a new, emerging type of “Super Spyware” which affect both Windows and Linux operating systems, hide themselves efficiently, impact the operating system kernel directly, and usually carry a more serious secondary payload. Read more about them here or in the RootKits section of my Parasites, Viruses & Other Security Issues page. Basically, use this tool when you have done all other reasonable cleaning, have also checked for viruses, and you are sure your system is still seriously infested with malware even though no tool is showing it.
ToolbarCop
By MS-MVP Ramesh. This handy tool finds many of the same items (such as toolbars and BHOs) as HijackThis, but makes it easier to identify what they are — making it easier to decide what to remove.
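
The About:Buster entry above keys the choice of tool on the shape of the R0/R1 lines in a HijackThis log. As an added example (not part of HijackThis or the original page), this sketch scans a saved log and reports which of the two tools named there applies to each res:// entry. The sample log is constructed, and the resource name after se.dll in it is a placeholder.

```python
import ntpath
import re

# "R0 - <registry key>,<value name> = <data>" as written by HijackThis.
ENTRY_RE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
# res://<path to dll>/<resource>[#number]
RES_RE = re.compile(r"^res://(.+?\.dll)/([^#]*)(?:#(\d+))?$", re.IGNORECASE)

# Constructed sample log; not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\somename.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\othername.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\TEMP\se.dll/start.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\example.dll
"""


def classify_value(value):
    """Return (tool, dll_path) for a res:// value, or None if neither
    of the two patterns described in the text matches."""
    match = RES_RE.match(value.strip())
    if not match:
        return None
    dll_path, resource, number = match.groups()
    # ntpath parses Windows paths correctly on any operating system.
    if ntpath.basename(dll_path).lower() == "se.dll":
        return "SpSeHjfix", dll_path
    if resource.lower() == "sp.html" and number:
        return "About:Buster", dll_path
    return None


def triage(log_text):
    """Return [(tool, entry_type, dll_path), ...] in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue            # O-section and header lines are ignored
        result = classify_value(entry.group(3))
        if result:
            tool, dll_path = result
            hits.append((tool, entry.group(1), dll_path))
    return hits


if __name__ == "__main__":
    for tool, entry_type, dll_path in triage(SAMPLE_LOG):
        print(f"{entry_type}: {dll_path} -> use {tool}")
```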

The following are also worth listing. Some are older tools that, in most cases, are superseded by newer and more effective ones, but every now and then you want the old specialty app. Others listed below are highly specialized and will be of lesser interest to most users:

BHOList
Merijn Bellekom’s front-end utility for accessing the Browser Helper Object (BHO) list by MS-MVP TonyK. Unzip the single file, launch it, and press F5 to refresh contents against the most recent list. Double-click any item to get information on it. Useful in conjunction with HijackThis. (See also Tony’s BHO & Toolbars list.)
CWS.SmartKiller
A specialty tool to remove the CoolWebSearch.SmartSearch variant which can disable CWShredder and other leading antiparasite programs. (Current versions of CWShredder take care of CWS.SmartSearch more effectively than this utility, so generally it won’t be necessary; but it is still useful to know about it.)
FINDnFIX (alternate link that sometimes works)
For Windows 2000 and XP only. Not a tool most people will find themselves using, and not a “one click fixes all” miracle worker. Nonetheless, this ingenious-if-cumbersome utility helps track and remove some of the most sophisticated stealth-parasites. Originally created for cracking the likes of Look2Me, its primary component (!LOG!.bat) generates a catalogue of usually unavailable launch information that may uncover deeply-hidden malware files.
KazaaBegone
By Merijn Bellekom. Guess what this one does? That’s right — it removes Kazaa thoroughly. One small problem: The present version of KazaaBegone is likely to break your Internet connection. Therefore, before running it, download LSPFix so you can repair the damage from the repair from the damage of having installed Kazaa! <whew!>
Kill2Me
By Merijn Bellekom. An old tool to remove the Look2Me parasite — sometimes still useful.
PeperFix
A specialty tool for removing the Peper Trojan. The Peper Trojan has a randomly generated file name (like most Trojans) — specifically, a random 14-character program name in HijackThis, starting with a number from 1 to 6, and a randomly-created file-name having the .EXE file extension. After cleaning with this tool you may need to do some final cleanup with HijackThis. (Thanks to AumHa Forum participant Nirvana for this summary.)
Silent Runners
By Andrew Aronoff. Generates a list of what is loading at startup — has proven sometimes useful in tracking stealth code. More detailed and convenient than most manual examination, not as exhaustive as FINDnFIX.
SpyBot Search & Destroy
By Patrick Kolla. No longer recommended by this site — especially for non-specialist users — due to its false positives, generally poor performance, and questionable recommendations. If you follow the steps I recommend on this page then SpyBot, at best, is unnecessary. This popular program does still have value in the hands of experienced specialists.
Zone Labs Security Scanner
An online scanning service to determine whether your computer has tracking cookies resident — from the people who make ZoneAlarm.

MORE PARASITE-FIGHTING RESOURCES

Identifying, removing, and protecting yourself from parasites is a relatively new field. Plenty of new information centers are popping up, mostly arising from a small group of researchers — people who have been building tools and gathering information for some time. I am tempted to say that it is impossible to completely keep up with what’s happening in the field — and I try! You need good information resources for this purpose. Here are links to a few other sites that will add to your knowledge and resources:


ANTI-PARASITE QUICK-FIX PROTOCOL

No “quick fix” is as good as a thorough fix. However, sometimes you need it quick! If you came to this page to get rid of parasites as quickly as possible, use the following six-step protocol.

IMPORTANT NOTE: So far as possible, do these steps in the order listed. Nonetheless, if you have a problem with any one step, skip it and go to the next — then come back. Some parasites block one mode of attack but are vulnerable to another removal approach.

  1. SHOW IT ALL! Be sure that Windows is set to show hidden and system files and folders. In My Computer, at Tools | Folder Options | View, set Hidden files and folders to “Show,” and uncheck Hide protected operating system files. (In Windows Vista, find these in Computer at Organize | Folder & Search Options | View.)
  2. HOUSECLEANING. Especially if your computer’s performance is heavily compromised, clean out the Temporary Internet Files and Temp folders first. Detailed instructions are given under Step 4 of my Computer Health page here.
    NOTE: The easy, efficient way I recommend is to use KillBox to do this: click Tools | Delete Temp Files. Mark the boxes for the categories of items you want to delete (or accept the default), then click the “Delete Files” button at the bottom. Repeat for all profiles using the pulldown list. (Clean at least the Temp and TIF folders and Cookies.)
  3. REMOVE PROGRAMS. Some parasites can be easily and effectively removed from the Add/Remove Programs applet in the Windows Control Panel. (Others will be present here, but will not effectively uninstall. Many others simply won’t show here. A few are booby-trapped so that removing them in Add/Remove Programs actually makes matters worse.) A few troublesome programs — such as the common trio of Wild Tangent, Weatherbug, and Viewpoint — should be removed here first (so as not to break the uninstall capability by using other cleaning tools). A very serious invader (especially on Dell Computers) that other cleaning tools may not touch may show in Add/Remove Programs variously as MySearch, MyWay, MyWeb, MyWebSearch, etc. Get rid of them!
  4. DOWNLOAD YOUR TOOLS. Download Ad-Aware SE (one direct link is here). Save it to your desktop. When you have downloaded, installed, and updated it, go to the next step. For Windows XP (SP2 or later), you may also want to download, install, and update Windows Defender.
  5. RUN AD-AWARE and (for Windows Vista and optionally Windows XP) RUN WINDOWS DEFENDER. Update each before running it. See Notes For Using Ad-Aware. In each case, let the program remove everything it finds. (For more details on Ad-Aware, see Ad-Aware – recommended for all users.)
    NOTE: For parasites that are currently running, Ad-Aware may not be able to remove them on the first pass. It may only be able to disable the auto-launch which activates them at computer start-up. Usually it will ask you if you want it to try again after a reboot. Say yes, then reboot. Even if it doesn’t ask, rebooting and running it again is a good idea.
  6. IF THERE IS STILL A PROBLEM... If you still believe you have a parasite infestation, download and run HijackThis (ver. 2.0.4). Most users should use this only to scan, not to fix. Save the log and post it to a new thread on the AumHa HijackThis Logs forum or on another forum or newsgroup where you trust the regular participants. (For more details on this step, see Notes For Using HijackThis.)

IF THE QUICK FIX DOESN’T WORK

Parasite assaults have started coming in waves. At present, many kinds of exploitative malware have learned to disable most standard cleaning tools, hide themselves more effectively, and generally become more stubborn and resistant. As with biological infections, it is likely that sometimes the germs will have the advantage and sometimes the antibiotics. If the Quick Fix steps above (including examination of a HijackThis log) don’t solve your problem, there are tougher steps to take. Here are my present recommendations. (These will be evolving to meet the changing nature of threats.)

  1. SAFE MODE. Reboot to Safe Mode. Then rerun the “screening and cleaning” steps above.
  2. PATCHES. Be sure you have your Windows and IE patches up to date. Go to Windows Update (also usually available on your Start Menu or on the Tools menu of Internet Explorer) and install all critical updates. (Other updates are not necessarily recommended. Install them for specific issues; but install all the critical ones as soon as they come out.)
  3. VIRUSES. Your problem may not be parasites — it may be viruses instead. This usually requires a different set of steps for protection and cleaning (though virus and parasite creators sometimes deploy them in tandem). Run a thorough virus scan with a quality antivirus program with definition files updated just before you run it. Since some viruses are able to disable or impede an antivirus program on your hard drive, in addition to your installed (local) antivirus program you may want to run one or two of the excellent free online virus scanners. These can be slow, but they work! Click on “Free Online Virus Scanners” on my Parasites, Viruses & Other Security Issues page.
  4. SCREEN FOR COOLWEBSEARCH. Run CWShredder to screen for CoolWebSearch malware. Read more about it here. (This tool was once one of our front-line defenders, but no longer catches many variations of CWS in circulation. Nonetheless, it’s worth a check in tough cases.)
  5. CHECK YOUR HOSTS FILE. In HijackThis, click Config | Misc Tools | Open HOSTS File Manager. Read more about this issue here.
  6. SCREEN FOR A.D.S. Run ADSSpy to screen a channel of exploitation that most screening/cleaning tools don’t identify. Use this cautiously. Read more about it here.
  7. SCREEN FOR ROOTKITS. Run RootkitRevealer to screen for rootkits.
  8. OTHER TOOLS. See the More Special Tools section for possibly relevant tools that I may not have mentioned in this section.
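
To show what the HOSTS file check in step 5 is looking for, here is an added example (not part of the original page or of HijackThis) that parses a hosts file and lists the entries worth reviewing. The sample file, the `.example` names, the addresses and the `WATCHED` set are constructed assumptions.

```python
import ipaddress
import sys

# Constructed sample: every name and address below is a placeholder.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # ordinary ad-blocking entry
127.0.0.1       update.antivirus.example
203.0.113.7     search.example www.search.example
not-an-ip       broken.example
"""

# Assumption: hosts your own update and scanning tools must reach.
WATCHED = {"update.antivirus.example"}

def parse_hosts(text):
    """Yield (line_no, address, names) for each non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield no, fields[0], [n.lower() for n in fields[1:]]

def audit(text, watched=WATCHED):
    """Return (line_no, reason, value) tuples for entries to review."""
    findings = []
    for no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((no, "malformed", addr))
            continue
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name == "localhost":
                if not ip.is_loopback:
                    findings.append((no, "localhost-remapped", name))
            elif not sink:
                # A name pinned to a real address bypasses DNS entirely.
                findings.append((no, "redirect", name))
            elif name in watched:
                # A watched site pointed at a sink address cannot be reached.
                findings.append((no, "blocked-watched", name))
    return findings

if __name__ == "__main__":
    # Pass a path, e.g. %SystemRoot%\System32\drivers\etc\hosts on Windows.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit(text):
        print(*finding)
```

A finding is a prompt to review the entry, not proof of infection: a "redirect" can be an entry you or your network administrator added on purpose.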

Now, relax! Take a break. At your early leisure, go back through this page more thoroughly for more information and recommendations about identifying and removing parasites, and protecting yourself against them.

