KRC Anti-Spyware Tutorial

Last Updated - May 12, 2008

NOTE: This tutorial was compiled to help remove spyware. As with everything you do when fixing your computer, always backup your data if you can. I can't stress this enough. Backups should be made frequently anyway if your data is important to you. So with that said, if something does go wrong, at least you still have your data.

Spyware, also known as adware or malware, are programs that can cause many problems. These include pop up advertisements on your computer, browser hijacks, search engine hijacks, website redirections, personal information being logged without your permission, preventing you access to certain sites or the whole internet and other computer problems (like slowdowns, lockdowns, etc.). Some spyware are worst than viruses, in my opinion. They are becoming more and more common these days. This section was created to help you detect and remove any suspicious activity that may be going on your computer. Also included is a section on how to prevent future spyware installations. Please read and follow the steps below to help make this process much faster and easier.

Just to let you know ahead of time, all the programs that you are asked to get should be free. We don't ask you to buy any programs. There may be some programs that have a paid version and you may buy them if you wish to have some additional features (read the sites for more information if interested). If you do intend to buy some programs outside of what's listed here, I suggest asking first before you buy. I say this because there are a lot of these questionable anti-spyware programs (aka rogueware) that actually do more harm than good. If you want a list of these rogueware programs, go to Spyware Warrior for their huge list. You will see some that were known to be rogueware in the past (but have "changed their ways" since then) and you might still see us asking users to remove them. I personally think that they still can't be trusted.

Please follow ALL the instructions in the order listed below. They are all required to be ran unless it specifically says Optional next to them.

Download ATF Cleaner
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Optional - If you don't have any antivirus programs installed, then I suggest getting a free one called AVG Anti-Virus Free Edition. It has an antivirus and antispyware scanner built into one program. Download and install it. Go with the Stanrdard Installation and follow the on screen instructions. It should automatically install the updates for you during the process. Once that's done, double-click on the AVG icon on your desktop to run it. Then click on Computer scanner tab on the left. Click on Scan whole computer to let it begin the scan. Once the scan is complete, click on the blue link that says Export overview to file .... Give it a filename and save it to your desktop. Open up that file and copy/paste the entire contents of that log file here.

NOTE: AVG Anti-Virus Free Edition is ONLY for Windows 2000 or higher Operating Systems. If you have Windows 95/98/ME, then use Avast Home Edition instead (see below).

Optional - If you don't have an antivirus program installed and have an older version of Windows (95/98/ME), then try using Avast Home Edition. Download and install it using the default install settings. Restart the computer when prompted. Then run Avast and check for any updates. Once that's done, click on the folder icon on the bottom right of Avast and select the drives you have there to be scanned (usually C: drive and other hard drives if you have additional ones). Then click on the Play button on the far left to start the scan. Remove any infected files found.

Optional - Another program that you should have on your computer (if you don't have one installed already), is a firewall program. A firewall program is like a wall between your computer and the whole internet. It controls what is allowed to come it and go out. A firewall is definitely needed these days because there is just so much spyware and trojans that communicate to the internet without your knowledge. By having a firewall installed, you will know precisely what program wants to go online. So if you see a program trying to access the internet and don't recognize it, you should probably Deny it access. But if it's something you recognize (and also something you want to go online), click Allow, otherwise that program won't be able to go online. Notice I said also something you want to go online. I mention that because there may be some programs which you recognize and it shouldn't be trying to go online. It may be legitimate, but then again it may not. So unless you are expecting a new update or something, deny it. Most of these firewall programs also have a option for you to remember the settings. If you are 100% sure that something is good/bad, then you may check that box. Otherwise, leave it alone. One free firewall that I recommend using is ZoneAlarm. Look for the free download link. They bury it somewhere in there.

If you don't want to install a third party firewall to do the job, you can always enable the Windows Firewall program if you have Windows XP or higher. It's accessible via the Start->Settings->Control Panel->Windows Firewall settings. Enable it there. Keep in mind that the Windows Firewall will only block incoming traffic. If you want to block outgoing traffic also, you might need to check your router (if you use one) and enable the firewall option (if included). That will block your outgoing traffic.

Download Malwarebytes' Anti-Malware (Windows 2000 and higher). Double-click on mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Full Scan, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report into your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Download and install SUPERAntiSpyware.

Run SUPERAntiSpyware and click the Check for Updates button.
Once the update has finished, click the Scan your Computer button.
Click on Perform Complete Scan and then click Next.
SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
Make sure that they all have a check next to them, and then click Next.
Click Finish and you will be taken back to the main interface.
It could be possible that it will ask you to reboot your computer in order to delete some files.
I'll need a log afterwards of what has been found.
To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
Post the results of the SUPERAntiSpyware log file in your next reply.

Perform an online virus scan at Panda ActiveScan:

Click on Scan your PC button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
Click Check Now and a pop-up window will appear.
Enter your Country, State and E-mail Address and click Scan Now - begin downloading Panda's ActiveX controls.
Begin the scan by selecting My Computer.
If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
Click on see report. Then click Save report.
Post that log in your next reply.

It's always important to make sure you keep Windows up-to-date. Without the security updates, you are prone to infections. If you use Windows 2000 or Windows XP, you need to install Service Pack 4 (Windows 2000) and Service Pack 1a (Windows XP). All other old Windows version may just do their regular updates. For Windows XP, do NOT install Service Pack 2 (SP2) yet if you are having major problems. XP SP2 is very picky and can cause major problems if installed on a unstable computer. The same applies to XP Service Pack 3. If you already have the proper Service Packs installed, you may skip this section on Windows updates.

ALL Windows Updates - All versions of Windows can go here for the updates.
Windows 2000 Service Pack 4 - ALL users using Windows 2000 should have some Service Pack installed. I recommend getting all the way up to Service Pack 4.
Windows XP Service Pack 1a - ALL users using Windows XP should have at least Service Pack 1 or 1a installed (hold off on SP2/SP3 until your computer is clear of any spyware/viruses).

Optional - Download and install Spybot S&D. Spybot S&D has a feature that can help block Internet Explorer immunities (these include installation of known spyware, bad ActiveX controls, etc.). Just go into Spybot->Immunize (on the left panel) and click on the Immunize button. Do this everytime you update Spybot since it may also have updates for the Immunize feature. You should see it listed in the updates though. Run Spybot S&D by double-clicking on it.

Close ALL windows except Spybot S&D
Click the button to Search for Updates and download and install the updates.
Next click the button Check for Problems.
When Spybot is complete, it will be showing RED entries, BLACK entries, and GREEN entries in the window.
Put a check mark beside the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.
After removing those files, close Spybot.

Optional - Download a free version of Ad-Aware and install it. Once the install it finished, it should run Ad-Aware by default. It should also prompt you to download a new update if one is found. If it doesn't do this, click on the Update button under Update Status on the main page. You will get another message saying that there are new software updates available. Just choose NO on that screen. If you have the latest updates, it will tell you so and you may then continue on to the next step.

On the left panel, click on Scan and select Full Scan. Click the Scan button on the bottom right to begin the scan. Once the scan is completed, you can right click on any of the entries and choose Select All Objects. Then click on the Remove button. Go to the next tab (Privacy Objects) and do the same thing. That should be done now. Don't post the log in the forum unless we request for it.

You had to perform the steps above to make sure that all the common spyware are found and removed. By using the above programs we will usually eliminate a handful of spyware/adware related files, which leaves less work for us to do in the end. By running those virus scans, it will help eliminate any possible viruses/trojans and maybe other malware files as well. Before we continue, go to Start->Run, type in msconfig and hit OK. Then go to Startup tab and make sure everything is checked and click OK. We want to see if there are any malware/spyware programs running at startup. You may disable these startup programs again when your computer is clean. If you need help with this, you may ask us to help you disable them at the end. Note: some version of Windows don't have msconfig so you can just skip this part to enable everything.

Things to do before running HijackThis:

Close any applications you have running currently. These include any programs running in your system tray near the clock (unless they are virus and firewall protection programs).
Go to Start->(Settings)->Control Panel->Folder Options->View and select Show hidden files and folders. Next uncheck Hide file extensions for known file types. Also make sure that Display the contents of System Folders is checked (if this option is available).

Download HijackThis and save it on your desktop. Run the HijackThis tool and click on Do a system scan and save a logfile. This should take a few seconds. A log file should open up. Copy and paste the entire log file in one of the following forums so someone can assist you:

KRC Forum
Tech Support Forum
GeeksToGo Forum

DO NOT remove/fix anything in HijackThis without a properly trained helper since more damage may be done if you removed anything improperly. Most of those entries listed are not harmful.

Forum Guidelines - When posting in the forums, make sure to indicate what problem you are having. Be somewhat specific, but try not to make it too long because we have other logs to work on also. If you don't have any problems but just want to see if your log file is clean, then just call the subject HJT Checkup or something similar to that. When you get a reply with a fix to your problem, I suggest that you either print it out or save the fix on Notepad. Before you do that, make sure you download any programs that the helper asked you to get. I have seen too many cases where a user will say the link doesn't work when I type it in (so they didn't get the program first). The problem is that most forums WILL cut long web address (aka URL) to shorter versions. For example, let's just say http://www.greyknight17.com was a really long URL. You can tell when it's cut short if it becomes something like http://www.grey...t17.com instead. See the 3 periods there? So whatever is in between there was just cut short and you will NOT get the link properly. So make sure you download all the programs ahead of time.

Please do NOT post your log file in another person's thread. Create your own new thread to avoid any confusion. Checking these log files take time, so be patient if you don't get a response immediately. And NO bumping. A bump is when you post a reply to your own thread/topic just to move it to the top. This will not speed up your response. If anything, it will delay it further since we work from the oldest logs to the more current ones. Another thing you shouldn't do is create duplicate topics/threads. There's no point of you doing this and it's another way of wasting forum space (and the Moderator's time) when you do this. If you do not get a reply after 24 hours, then and only then may you give your topic/thread a bump. We might have missed it. We usually get to most users within a day or two.

Make sure you subscribe to the topic you created so you don't lose track of it. Different forums call this feature differently. Subscribe/Track/Notify should all be the same thing. So look for that option before or after you make the post (there should be a button or box to check) so that you get notified for any new replies to your topic.

Wait for a response on what to remove in HijackThis. After your log is clean, you will be giving instructions to install the Spyware Prevention programs/tools.

For those using Windows 98, after you are clean, go to Start->Run and type in scanregw and hit OK. Choose to scan the registry and then make a backup. Repeat this procedure for four more times (total of five times) so that you have a clean registry (prevents accessing an older spyware registry).

Other Misc. things about HijackThis (HJT):

- You should always run a HijackThis scan in Normal Mode (that's where you are now) if you want us to take a look at it. Running a scan for us in Safe Mode and giving us the log will not be wise since Safe Mode will disable programs from running and we might not see them listed in the HijackThis log. So always run the scan in Normal Mode, unless we ask you to fix it (see below).

- If we ask you to check and fix something (the entries) in HijackThis (HJT), what we mean is you should run a scan and let it load up all the entries. When it's ready, just check all the entries we listed for you to check. Then when you're ready, hit the Fix checked button at the bottom left. This is probably the only time when you should be running a HijackThis scan in Safe Mode...when fixing. In all other cases when we ask for a new log (see below), it should always be in Normal Mode.

- If we ask you to give us a new HijackThis log, what that means is run a new HijackThis scan and then choose to save the log (notepad should open up). Copy and paste the new log in the forum. Again, make sure you are in Normal Mode when doing this, if not, restart to get back to Normal Mode first before running the new scan.

Spyware Prevention

There are many ways to help prevent spyware from installing in the first place. The most obvious is to make sure to read the fine print on some "free" programs that are available online. While some say that they will collect information or install some software in the End User License Agreement (EULA), there are others that will install it without your knowledge. These are considered spyware programs. There are also other ways you may have spyware installed. This includes something as simple as visiting a site that has malicious scripts downloaded on your computer (behind the scene). To help prevent this, there are different methods that are currently being used. Remember, these methods only help prevent spyware from being installed and not remove them. Use the above instructions in the Anti-Spyware Tutorial to run the spyware scans for detection and removal.

Optional - Get SpywareBlaster and SpywareGuard at JavaCoolSoftware. Running these two programs should prevent most of the common and current spyware programs from being installed in the first place. These two programs should do most of the work already. Just make sure to get the updates if they are available. For SpywareBlaster all you have to do is check for updates and then Enable All Protection. After that you may close the program. If you use Spybot S&D and use the Immunization feature, you might want to avoid using SpywareBlaster as the entries for them may have identical entries. For SpywareGuard, you should keep that program running in the system tray at all times for real-time protection.

ZonedOut (formerly known as IE-SPYAD) is a tool that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once this list of sites and domains is "merged" into your Registry, most marketers, advertisers, and crapware pushers on the Net will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on you. This only works for Internet Explorer. Get the ZonedOut tool and extract the contents. Then get the files for it here. Extract those files directly into the ZonedOut folder that you extracted earlier so they will all be together. Now run ZonedOut and go to Menu->Import/Export Sites->Import From File. You should see all files listed from the ie-spyad_zo extraction. You want to import ie-ads and ie-nfe. Press OK to check for Failures, Cancel to ignore. Just press OK. Click on Close when it says No Failures. If you want to filter out adult sites as well, go into the adult folder and import the adult text file. After that, just close out ZonedOut and you should be all set now.

Use the HOSTS file to block ads, banners, cookies and most web hijackers. This file should have no extensions at all. It's just called HOSTS. Depending on what Windows version you are using, the location to copy it to will be different. Read the information on that site to see where the location of the HOSTS file is located on your version of Windows. You may replace your current HOSTS file with this modified one. That's all you need to do. You may want to check back on the site from time to time since they update that HOSTS file frequently.

If you can, try to steer clear of using Internet Explorer as your internet web browser. You shouldn't use any variations of it also. Use another alternative browser like Opera or Firefox instead. They have less security issues/exploits than Internet Explorer. Unless a specific site you visit requires Internet Explorer to work properly (ex: http://windowsupdate.microsoft.com), use Firefox as your default web browser. It has tabbed browsing and also a built-in popup blocker. If you want other neat features, Firefox has these add-ons called extensions which you may install by going into Firefox->Tools->Extensions and then look for ones you like. You can actually search for an Add-on called IE Tab which will allow you to use Firefox as if it was Internet Explorer. This should allow you access to those sites that only work properly with Internet Explorer without you actually using IE.

None of these methods are fool-proof, but by using them together it will help prevent most spyware programs from being installed. Get the updates if they are available because it will help protect you against newer spyware that are discovered.

I get this question a lot. You asked me to download a lot of programs. Which programs can I delete? To answer that briefly, you really shouldn't delete/uninstall any of the ones listed here. All these are good programs to keep in the growing spyware dilemma we have today. There should be no problems having these programs since most of them don't require you to have them running all the time anyway. For Anti-Spyware programs, you can probably run them weekly if you want. Make sure to check for updates first. For the antivirus program, check for updates daily (usually have this done automatically) and try to run a virus scan every month (maybe less) to make sure you don't have any viruses/trojans. The firewall programs usually don't have lots of updates, so you should be set most of the time. ZonedOut and the HOSTS file also have udpates, so check the main sites to see if they have updated versions from time to time.

That's it for now. Everytime you have some problems, especially after you install some new programs, you should follow the steps outlined above (before the Spyware Prevention section). By doing them in that order, we will get this done faster. Just make sure to update the software if they have updates available. You should also upgrade (to a newer version) if any of the above programs have one available.

If any errors are found, please feel free to point them out to me. If anything is outdated here, tell me about that also. All the information compiled here was created to the best of my knowledge and should help remove most (if not all) spyware/viruses you may have.