THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
Last Updated November 21, 2008 (Version 10.2)
We are in an ongoing parasite epidemic! Adware, spyware, hijackers, badvertising, automatic diallers, betrayware, social network exploitation, and a variety of other web-delivered invasions and exploits — they represent today a much larger security threat than viruses, and cause a lot more general computer problems. You need to know what’s out there, how to identify it on your computer and remove it, and how to protect yourself against more in the future.
Did you come here to get rid of parasites quickly, and really don’t have time to sort through a lot of background information and the fine points of parasite fighting? Jump immediately to the Anti-Parasite Quick Fix section. (Then come back here for depth and finesse at your leisure!)
Call it what you may, depending on small differences in the function of the malicious code — adware, spyware, hijackers, automatic diallers — some of it intentionally if misguidedly installed, some of it foisted on you without your awareness — these invaders don’t qualify as viruses but, at least in a few cases, they are more destructive and compromising of your privacy and your computer security than actual viruses.
What can they do? Some of them just try to foist pop-up ads at you, or redirect your browser to pages of their choosing. Some of them track your Web movements or, more seriously, capture other information from your computer and “phone home” to their creators with the data. Some of them offer you free enhancements to your operating system or browser — extra toolbars, special buttons, “enhanced” search capabilities (translation: the right for them to foist paid advertising on you). Most of them are badly written, so they end up compromising the performance of your computer and, especially, of browser and email functions. Diallers take over the dial-up function on your computer and call a long-distance number of their choosing instead of the ISP dial-up connection you have chosen — and then charge you for the long-distance phone call!
The formal name for these invaders is unsolicited commercial software — the spam of downloads! The most useful one-word label to distinguish them from viruses is parasites. Most of the time, I prefer to call them scumware.
Certainly compromised privacy is the most threatening feature of these programs. However, the most noticeable problem in most cases is impaired computer functioning. If there is a serious browser problem not related to a bad or damaged browser install, interrupted connectivity, failing hardware, or user error, 90% of the time the problem will be the result of one of these parasites. If you’ve ruled out the obvious in troubleshooting browser failures or sudden (in contrast to gradual) serious slowing of your computer, checking for parasites should probably be your next diagnostic step.
Consider this: Whenever a new error condition appears on your computer, it is almost certain that there was some change to the computer soon before the problem began. It might be a change to hardware, to the operating system, or to software. The change might be an addition or installation, a removal or uninstall, or a configuration change — but there is almost certainly something that changed. End-users, when asked what they changed on their computers just before a problem appeared, often will insist that they didn’t change anything — they didn’t add or remove software, add or remove hardware, etc. Sure, they could have forgotten or there could be an unsuspected hardware failure. Generally, though, the fair question is:
If you didn’t make any changes to your computer, then... who did?
The answer, much of the time, is that there was an involuntary change caused by a virus or parasite.
One powerful description of the horrid effect of this scumware on an end-user was written by Terry McDermott, a decorated veteran news writer specializing in international terrorism. He took up the topic of scumware in a front page Los Angeles Times article, Breaking, Entering Your Computer, on spyware in general, and the efforts of Aumha.org / Windows Support Center in battling it.
In its first major endeavor to address the parasite problem in its Knowledge Base, Microsoft, in April 2004, published KB article 827315, Unexplained Computer Behavior May Be Caused By Deceptive Software. Though the article takes a naive and limited approach to identifying and removing parasites, it does provide a superb list of some of the problems that have been definitely traced to scumware:
A sound basis for personal computer security rests on the following five points:
Most people have learned to protect themselves from viruses, and more people are seeing the wisdom of a firewall all the time. Now, finally, more people are also taking those further steps necessary to protect themselves against the nonviral malware that I’m calling parasites or scumware.
In addition to increased awareness, common sense, and general prudence, here are the steps I recommend for protecting your system from these bugs:
Add prophylactic protection to filter your computer from catching something in the first place. Several products purport to do this. Enthusiastically, I recommend Eric L. Howes’ free IE-SpyAd as a primary supplement to the necessary antivirus and firewall protection you already should have to fight viruses.
How effective is it? On my Windows XP computers, it is the only software prophylaxis I personally use against scumware, and my system is almost 100% parasite-free. That means that more than 99% of the time, my system is 100% parasite free. (A rare new parasite sometimes may find its way onto my computer before I update.) If I want to test a new anti-parasite tool, I have to remove IE-SpyAd or it is a waste of my time to test the other tool — that’s how good it is.
IE-SpyAd is a simple Registry patch that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted Sites zone of Internet Explorer. No matter what security settings you prefer in IE in general, your browser will automatically switch to maximum security mode when it wanders onto pages that are known to be “high risk” Web environments. I think this has enormous advantages over similar fixes which rely on customizing the Windows HOSTS file, because (1) IE-SpyAd doesn’t really keep you from getting to most pages, it only bars unsafe behavior on those pages, and (2) it leaves the HOSTS file unmolested so that it can be used more effectively for its original uses.
IE-SpyAd is updated a few times a month, and you can edit it as you see fit to add or remove specific items.
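To make the Restricted Sites mechanism concrete, here is an added Python illustration (not IE-SpyAd’s own code or domain list). It models how Internet Explorer’s ZoneMap assigns a host to a security zone from entries under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`, where each registered domain carries a value named after a scheme (`http`, `https`) or `*` (all schemes) whose DWORD data is the zone number (4 = Restricted sites, 3 = the default Internet zone), and it renders the kind of `.reg` fragment such a patch consists of. The sample domains are constructed placeholders, and the suffix-matching rule is this example’s simplification of IE’s domain/sub-host matching.

```python
"""Model of IE's ZoneMap lookup plus a .reg renderer for Restricted-sites entries.
Added illustration only: zone numbers and registry path follow IE's documented
layout; the domain list below is constructed, not taken from IE-SpyAd."""

from typing import Dict, Iterable, Optional

# IE security zone identifiers (URLZONE values).
ZONE_INTRANET = 1
ZONE_TRUSTED = 2
ZONE_INTERNET = 3      # default for any host that is not listed in ZoneMap
ZONE_RESTRICTED = 4    # "Restricted sites": scripting/ActiveX locked down

DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed stand-in for the Domains key: domain -> {scheme or "*": zone}.
SAMPLE_ZONEMAP: Dict[str, Dict[str, int]] = {
    "adserver-example.test": {"*": ZONE_RESTRICTED},     # all schemes restricted
    "tracker-example.test": {"http": ZONE_RESTRICTED},   # only plain http restricted
    "intranet.example.test": {"*": ZONE_TRUSTED},
}


def zone_for_url(zonemap: Dict[str, Dict[str, int]], host: str,
                 scheme: str = "http") -> int:
    """Return the zone a page at scheme://host lands in.

    A broad domain entry covers its subdomains, so the lookup tries the full
    host first and then each parent domain (longest-suffix match, the
    example's simplification of IE's domain/sub-host keys). Anything not
    matched falls into the ordinary Internet zone.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry: Optional[Dict[str, int]] = zonemap.get(".".join(labels[i:]))
        if entry is None:
            continue
        if scheme in entry:
            return entry[scheme]
        if "*" in entry:
            return entry["*"]
    return ZONE_INTERNET


def reg_fragment(domains: Iterable[str], zone: int = ZONE_RESTRICTED) -> str:
    """Render a .reg file that places each domain into `zone` for all schemes.

    This is the shape of patch a Restricted-sites list applies; the output
    here is constructed from whatever domains the caller passes.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for domain in sorted(set(d.lower() for d in domains)):
        lines.append(f"[{DOMAINS_KEY}\\{domain}]")
        lines.append(f'"*"=dword:{zone:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for url_host, sch in [("www.adserver-example.test", "https"),
                          ("tracker-example.test", "https"),
                          ("unknown-site.test", "http")]:
        print(f"{sch}://{url_host} -> zone {zone_for_url(SAMPLE_ZONEMAP, url_host, sch)}")
    print(reg_fragment(["adserver-example.test"]))
```

Note that the `tracker-example.test` entry restricts only `http`, so an `https` visit falls through to the Internet zone; a real list wants `*` entries so that a site cannot escape the restriction by switching scheme.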
SpywareBlaster by Javacool Software is a highly-regarded parasite blocking program. I don’t personally use this (except on a test box), but many regard it as the best protection program currently available.
SpywareBlaster provides three types of protection:
If you use IE-SpyAd, as I recommend above, then the only SpywareBlaster feature which adds further protection is the first one mentioned: blocking installation of known malicious ActiveX programs. There is no need to enable the other features. However, most people report that there is no problem (for example, no negative performance impact) from running both.
However, one important advantage in SpywareBlaster arises if you routinely use a Mozilla-based browser such as Firefox. The Mozilla group refused to implement the extremely valuable Restricted Sites zone feature of Internet Explorer (making the Mozilla browsers much less secure, in my opinion), so standard tools such as IE-SpyAd will have no effect. In contrast, SpywareBlaster adds at least limited (cookies-based) protection for Mozilla-based browsers.
Another layer of protection, too infrequently mentioned, is a comprehensive backup of your entire computer. Backups remain pretty unpopular among personal computer users, and full system backups are sadly rare outside of professional IT environments. Nonetheless, the ability to fully restore your computer to an earlier state can be an enormous advantage.
There are many different ways to back up the contents of your computer’s hard drives, though imaging software such as Norton Ghost and Drive Image are the most popular. The important points are (1) to back up often – perhaps weekly for most users, more often if you have rapidly-changing valuable content on your computer – and (2) to back up everything, not just (for example) your data files.
Ultimately, regular full-system backups are the only way I know to protect everything valuable to you on your computer.
There are some prophylactic things I recommend you not do. Such tools (mentioned below) as Ad-Aware and SpyBot have not only scanning capabilities, but also immunizing or ad-blocking features. I recommend you leave these turned off. This recommendation is based mostly on a “convenience of computer use” point of view. Tools that are excellent for scanning for malware do not necessarily serve as well the separate function of protection. The immunize, ad-blocking, and similar protective features of these programs mostly aren’t needed, don’t do much that is really helpful, and sometimes unnecessarily get in the way of how you use your computer. (If you are running Windows XP Service Pack 2, they really are unnecessary, at best!) There are so many easier and less intrusive ways to protect your computer that I recommend you not risk making your computer life harder with features that don’t really help.
Similarly, when I go to Canter’s Deli — the finest Jewish delicatessen west of Manhattan — I don’t order the enchiladas, even though they are on the menu. I order a corned beef Reuben and a bowl of soup. Just because some place is the best of its kind doesn’t mean you want to order everything on the menu — and the same applies to use of software!
In contrast, the real-time protections in Windows Defender have none of the above problems. This program is included in Windows Vista as a native tool, and can be downloaded and installed on Windows XP — see below.
Here are a few links concerning other steps you can use to keep yourself safe:
An honest opponent to your face is one thing — but an enemy masking as a friend and stabbing you in the back is quite another.
In the ever-escalating Scumware War, one of the more insidious classes of weapons are programs that put themselves forth as anti-parasite programs — but, in fact, deploy adware and/or spyware themselves! Sometimes this software is free — sometimes they actually charge you money for it! — but all programs in this class lead you to believe they are making you safer, while actually invading your computer as insidiously as any other scumware. If the “Trojan horse” metaphor hadn’t already been adopted to refer to a long-existing category of virus, it would apply to these unfaithful, double-dealing imposters.
I call these programs BetrayWare. I encourage the wide adoption of this candid and indicting term. In the escalating struggle to identify and publicize these Quisling-apps, I recommend Eric L. Howes’ Rogue/Suspect Anti-Spyware Products & Web Sites list of fake spyware removers as the best BetrayWare catalogue.
These treacherous programs play on a prevailing sense of fear and insecurity that has gripped much of America in particular, and somewhat the rest of the world, in recent years. Whether it is fear of invaders of your country on the one hand, or of your computer on the other, the same need for heightened awareness and fear of unsuspected vulnerability has a strong grip on many. One unfortunate reaction to this has been the widespread belief that “you can never have enough protection.” To speak plainly: Bullshit! Layered protection is valuable, but the goal should be to find the least number of steps that will give you maximum protection. There is no such thing as perfect protection. Betrayware spreads by leveraging the belief that maybe adding a few more security programs will close that final gap and make you completely safe. It simply isn’t going to happen. On the other hand, most computer users taking a few basic, well-selected steps will never contract a serious viral or parasitic invader.
Besides, one sure way to slow or strangle your computer is to keep adding and running unnecessary programs. Save your system resources for what you really want to run!
My goal in this page isn’t to encourage you to install and run every single thing I mention. My goal is to inform you of the underlying problem and help you find the fewest and most effective steps that will let you use your computer with a very high degree of comfort and security. Some of you will apply the exact steps I recommend — others will mix-and-match with other people’s recommendations. But I hope you will at least take away this underlying approach of identifying those few steps that are most effective in keeping your computer sufficiently safe and improving your overall computer-using life.
Scan your system regularly — say, once a week, or anytime you suspect a problem — with a high-quality parasite detector. Each of these programs should be updated (just as you would update your antivirus program’s definition file) before each use, including before your first use — they all are frequently adding new information about new parasites. There are three parasite detectors and cleaners that I happily recommend, depending on the sophistication of the person using them. (There are other cleaning tools — these are the only tools for which I’m able to vouch for their safety if used as directed below.)
Ad-Aware SE — recommended for all users
This is one of only two general-purpose parasite detectors and cleaners that I can unconditionally recommend to users of all levels. Not only is it a great program, it is also safe. I have never known Ad-Aware to seriously damage a computer except one time on a highly compromised computer, and then the damage was easily reversible. I can’t say that about other similar programs.
Every one of you should download Ad-Aware, install it, update it, and run it now if you don’t already have it. (On Windows 2000 or XP you will need administrator privileges to run it.)
NOTES FOR USING AD-AWARE: Check for updates every time you run it, including the first time. Make a one-time customization: Click the gear icon at the top, then click Scanning, then click “Scan Within Archives” so that it is green instead of red. Then, to activate this deeper scan feature, when you run Ad-Aware select the option to “Use custom scanning options.” On the same screen, set “Search for negligible risk entries” and “Search for low-risk threats” to be red — I recommend (as a general rule, which might have rare exceptions) that you not remove anything except the critical items found — it would be undesirable to remove some of the negligible objects. In my experience, it is always safe to let Ad-Aware remove any Critical Objects it finds.
FURTHER NOTES: The latest version, Ad-Aware SE, no longer works with Windows 95. Also please note that Ad-Aware, like any cleaning software, at least has the potential of causing serious problems. Though I haven’t encountered such problems, minor issues (such as temporary loss of network or Internet connectivity) have been reported by others in older versions (which you shouldn’t still be running anyway). In the unlikely event that some such problem occurs on your system, open the quarantine list and selectively restore quarantined items.
Windows Defender — recommended for all users
Formerly titled Microsoft Antispyware (in an early Beta version), Windows Defender has emerged as one of the most reliable tools for protecting your system from parasites. I recommend it enthusiastically.
The program is a native component of Windows Vista. It can (and, I think, should) be installed on every Windows XP machine. (Service Pack 2 for Windows XP is required, and you already should have the SP2 update in place for maximum system security.) It is the first and (so far) only program of its kind with complex real-time protection features which I have not found to be invasive and disruptive of my normal computer use. On Windows Vista it is practically invisible. On Windows XP it is noninvasive and nondisruptive in my experience.
Based upon a published study by Eric L. Howes, GIANT AntiSpyware (which Microsoft bought in order to turn it into what is now Windows Defender) was already way ahead of every other similar product in detecting parasites. Subsequently, Microsoft improved it quite a lot.
HijackThis — use with respect and caution!
Not for beginners, but an awesome tool in the hands of an expert who knows his or her way around this subject. HijackThis pulls data from Windows Registry areas that can be used by legitimate and illegitimate programs alike. Therefore, if you just remove everything it finds, you’re almost guaranteed to trash something on your system! But the comprehensive list it generates finds things that none of the other detection tools will find. (HijackThis is also pretty useful in seeing what else your computer is running without your knowledge.)
So, I repeat, I recommend HijackThis only for advanced users. But all users may use it for scan-only. When the previously recommended tools haven’t found the problem, helpers on the AumHa Forums often will ask a visitor to run HijackThis and post the log into the forum for a more detailed analysis. Download a fresh copy of HijackThis periodically. Save it to your Windows Desktop or another convenient permanent location.
NOTES FOR USING HIJACKTHIS: Be sure you have downloaded HijackThis fully (click Save rather than Run on the download box). If you download it as a zip file, unzip it before use (you should be running HijackThis.exe, not HijackThis). Save it to your desktop or another specific location. Close all browser, messenger, mediaplayer, mail client, and Office windows/applications — in fact, close everything that is running — before scanning with HijackThis.
If you want to learn more about what HijackThis is showing you, consult the HijackThis experts’ tutorial on this site, based largely on Merijn Bellekom’s excellent original. Building on this, a more patient beginners’ tutorial on using HijackThis is offered by BleepingComputer.com.
Don’t miss the excellent supplemental tools built into recent versions of HijackThis. Click Config | Misc Tools for a process manager, HOSTS file manager, a tool to delete a troublesome file on the next reboot, and another to delete an NT service. The HOSTS file manager replaces the now defunct stand-alone HOSTS File Reader utility and makes it easy to find, read, and fix the Windows HOSTS file, which is a custom DNS table local to your computer. Many types of parasites hijack this file. Check the HOSTS file if, when you try to go to one Web site, you end up going to another instead! The HOSTS file manager is also helpful with some parasite versions that try to keep you from accessing anti-parasite Web sites — they use HOSTS file manipulation to do this. NOTE: The location of your default HOSTS file is stored in your Windows Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the value DataBasePath. The value should be %SystemRoot%\System32\drivers\etc in Windows 2000/XP, and %SystemRoot% in Windows 95, 98, or ME.
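As an added example of the HOSTS check described above (not a tool from this page or from HijackThis), the following Python script locates the HOSTS file the same way Windows does, by reading `DataBasePath` under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, and then audits its entries for the two hijack patterns the paragraph names: a security site pinned to loopback so you cannot reach it, and a hostname pinned to some other address so you end up at a different site. The sample HOSTS content and the watch-list of security sites are constructed for the demonstration.

```python
"""Audit a Windows HOSTS file for parasite-style hijacking.
Added example: the registry path for DataBasePath is Windows' own; the
sample file and the WATCHED_SITES list are constructed for illustration."""

import ipaddress
import os
import sys
from typing import List, NamedTuple

# Hostnames a parasite would want to keep you away from (constructed; in real
# use, put the update and support sites of your own security tools here).
WATCHED_SITES = {"update.antivirus-example.test", "forum.security-example.test"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    severity: str   # "high", "review" or "info"
    reason: str


def default_hosts_path() -> str:
    """Locate HOSTS as Windows does: DataBasePath under Tcpip\\Parameters."""
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
        path, _ = winreg.QueryValueEx(key, "DataBasePath")
        return os.path.join(os.path.expandvars(path), "hosts")
    return "/etc/hosts"   # fallback so the demo also runs on other systems


def audit_hosts(text: str) -> List[Finding]:
    """Classify every mapping in a HOSTS file body; the normal localhost line is skipped."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(line_no, ip, " ".join(names), "review", "unparseable address"))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue                               # the one entry that belongs there
            if host in WATCHED_SITES:
                sev, why = "high", "security site redirected (update/support blocked)"
            elif addr.is_loopback or addr.is_unspecified:
                sev, why = "info", "blackholed to loopback (ad-block style entry)"
            elif addr.is_link_local or any(addr in net for net in RFC1918):
                sev, why = "review", "pinned to a private address"
            else:
                sev, why = "high", "pinned to a public address (site substitution)"
            findings.append(Finding(line_no, ip, name, sev, why))
    return findings


# Constructed sample: what a tampered XP-era HOSTS file might contain.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       update.antivirus-example.test   # scanner can no longer update
203.0.113.10    www.bank-example.test           # visitor lands on someone else's server
127.0.0.1       ads.adnetwork-example.test      # harmless ad-blocking entry
10.0.0.5        wiki.corp-example.test          # intranet mapping, confirm it is yours
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    body = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    print(f"auditing {path or 'constructed sample'} (default location: {default_hosts_path()})")
    for f in audit_hosts(body):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.ip:<15} {f.hostname:<32} {f.reason}")
```

Run it with no arguments to see the sample classified, or pass the path of a real HOSTS file; the `high` lines are the ones HijackThis’ HOSTS file manager would let you remove, and `info` lines are the ordinary blocking entries an ad-blocking HOSTS list adds by the thousand.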
Plenty of other freeware tools are available to supplement the foregoing. As security-awareness grows among computer users, particular programs are developing their own strong followings. For a list of freeware that I don’t use, but which site visitors have recommended, see my Other Recommended Freeware page — see the Security heading in the menu at the left.
In addition to the foregoing list of primary tools, there are “tools of the trade” that are helpful in particular situations. Most require some discrimination, so don’t be reckless. Here are some especially useful ones:
The following are also worth listing. Some are older tools that, in most cases, are superseded by newer and more effective ones, but every now and then you want the old specialty app. Others listed below are highly specialized and will be of lesser interest to most users:
Identifying, removing, and protecting yourself from parasites is a relatively new field. Plenty of new information centers are popping up, mostly arising from a small group of researchers — people who have been building tools and gathering information for some time. I am tempted to say that it is impossible to completely keep up with what’s happening in the field — and I try! You need good information resources for this purpose. Here are links to a few other sites that will add to your knowledge and resources:
No “quick fix” is as good as a thorough fix. However, sometimes you need it quick! If you came to this page to get rid of parasites as quickly as possible, use the following six-step protocol.
IMPORTANT NOTE: So far as possible, do these steps in the order listed. Nonetheless, if you have a problem with any one step, skip it and go to the next — then come back. Some parasites block one mode of attack but are vulnerable to another removal approach.
Parasite assaults have started coming in waves. At present, many kinds of exploitative malware have learned to disable most standard cleaning tools, hide themselves more effectively, and have generally become more stubborn and resistant. As with biological infections, it is likely that sometimes the germs will have the advantage and sometimes the antibiotics. If the Quick Fix steps above (including examination of a HijackThis log) don’t solve your problem, there are tougher steps to take. Here are my present recommendations. (These will be evolving to meet the changing nature of threats.)
Now, relax! Take a break. At your early leisure, go back through this page more thoroughly for more information and recommendations about identifying, removing, and protecting yourself against parasites.