Adware: The Art of Removal

by Patrick Madigan

Working at a computer repair store where people bring in PCs for anything from a simple memory upgrade to the most complicated data recovery, I think it's O.K. to say that I have seen the condition of a majority of personal computers.

As you may or may not know, if you get caught by a virus or if your hard drive ever crashes, there is software out there to address that specific need, whether data recovery or anti-virus.  But another major computer problem has virtually no single repair tool: adware.

Close to half of all the computers that pass through the shop contain some form of advertisement annoyance stored on the person's disk without them even knowing; and who would?

Most of this software is downloaded secretly, or bundled inside another program's installer, and executed silently in the background whenever the computer starts.  Without some knowledge of the registry, the system database that holds vital configuration information such as where programs are installed and what to load at start-up, most people wouldn't even know where to look to find and disable these annoyances.

This lesson in power-user computing should give you the tools and knowledge to clean your system back to proper working order, and also a better understanding of how the computer works.

Let's first assume that you have adware or some other performance block on your machine and you want to find it and remove it.

You will need to download some free software from the Internet that will help you locate and remove these programs.  There are a few programs that seem to have the same purpose and they are best used together.  Redundancy is the best policy when using ad removal software because what one program passes over the other will pick up.

An important thing to remember is, if possible, they should be configured to work together, not against each other.  If you can connect to the Internet then skip down past this next section.

If you know you are connected to the Internet but are having trouble viewing web pages, or a strange home page has appeared and won't let you go anywhere, then you probably have a HOSTS file hijack.

The HOSTS file, located at C:\Windows\System32\Drivers\etc\HOSTS, is a local Internet phone book that maps specific web addresses to IP numbers.  Windows consults it before asking a DNS server, so whatever is listed there overrides the real answer.

There should only be one entry in this file unless you have specifically put something else in there.

The only line in there should be: 127.0.0.1 localhost

Bogus entries can send a web address to the wrong server entirely, or to nowhere at all.  A program called CWShredder (see below) will automatically clean most invalid entries if you are unsure what belongs there.
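An added example (my own script, not part of the article or of any tool it names) that parses a HOSTS file in the format described above and reports every mapping other than the single localhost line; the file contents it scans are constructed:

```python
# Added example (not from the article): audit a Windows HOSTS file and report
# every mapping other than the single "127.0.0.1 localhost" line the article
# expects.  SAMPLE_HOSTS below is constructed for illustration.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that go nowhere useful

def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-format text, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()                   # ip, then one or more names
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def audit_hosts(text):
    """Classify every entry that is not the expected localhost line.

    'blocked'    : a real host name pinned to a loopback/null address, which is
                   how adware keeps anti-virus and update sites from loading
    'redirected' : a host name sent to some other server entirely
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue                            # the legitimate localhost line
        kind = "blocked" if ip in LOOPBACK else "redirected"
        findings.append((kind, ip, name))
    return findings

SAMPLE_HOSTS = """\
# constructed sample of a hijacked HOSTS file
127.0.0.1       localhost
127.0.0.1       www.lavasoft.de
0.0.0.0         www.safer-networking.org
198.51.100.23   www.google.com
"""

if __name__ == "__main__":
    for kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

Anything the script reports as "blocked" for an anti-virus or update site explains why those sites suddenly stopped loading.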

Further troubleshooting might involve a hardware replacement or some other software problem that this article can't resolve.  If you would like to troubleshoot this connectivity problem yourself, have a look at Microsoft Knowledge Base article number 241344.

When you get online, or if you have another computer that is connected to the Internet and a way to transfer files to the broken computer, like a CD burner, then you can navigate to the following locations, or type the name of the program into Google and it will take you there:

Ad-Aware / www.lavasoft.de

Home of Ad-Aware, one of the best spyware detection and removal tools.

Download the newest version of the program and don't forget to download the newest reference file so the software can remove the most current adware.

Spybot Search & Destroy / www.safer-networking.org

Search & Destroy can clean up some extra things that Ad-Aware doesn't find.  Remember to check for updates, and check out a feature called TeaTimer, which monitors system preferences like the home page and toolbars and prompts you before they are changed.

After using Ad-Aware and Spybot Search & Destroy you should have cleaned up around 99 percent of the problem.  These two programs do an awesome job together.  Continue to use the rest of these programs to completely rid your computer of junk.

HiJackThis

HiJackThis is a more advanced tool.

It allows you to directly delete BHOs (Browser Helper Objects, the mechanism behind most browser toolbars and pop-up programs) and clean up the system start-up locations, but be careful: deleting the wrong things in this program might make some software stop functioning properly.  It's a good idea to post the scan log on a support site and allow professionals to assist you.

Since they are giving you a free service you should be polite and respectful and, most of all, patient.

CWShredder

CWShredder is a quick automatic utility that removes browser-redirecting pages and variants of the CoolWebSearch hijack.  Have no fear using this great little tool.

Norton Anti-Virus 2005 / www.symantec.com

Normally virus removal programs work to keep your machine free of malicious viruses, but some of these adware programs border on being viruses.

Even so, Norton can remove most adware once the newest virus definition list is installed.  It also has a strong anti-virus feature, and the new Internet Security 2005 comes bundled complete with firewall, anti-spam, adware removal, and anti-virus.

Burn all these programs and the latest updates, patches, and reference files to a disk and install them on the broken machine.

Reboot the machine and start up in Safe Mode.  Safe Mode will allow you to bypass all the start-up programs, which is where most of the adware loads from, and work with the ad removal software, which can clean them up while they are not running.

To get into Safe Mode turn off your computer, then turn it back on.  Directly after the memory check or the manufacturer's splash picture displays, but before the Windows loading screen comes on, tap F8 repeatedly.  Remember that in Safe Mode you won't have access to the CD-ROM or floppy, so don't think your machine is broken.  If you need to access your CD-ROM drive but still bypass the start-up files, use MSCONFIG.EXE.  Then reboot and you should have access to the CD-ROM.

This is important: You must run the removal software while the adware isn't running, because Windows doesn't allow you to delete a program that is running in the background.  If you are trying to delete a file and for whatever reason it won't delete, chances are the program is running.  Press Ctrl-Alt-Del to bring up Task Manager and see if it's a running process and, if so, end it.  Then try the delete again.

If your computer is severely infected you might have to manually skip over all start-up files in order to have any access to the computer.

To skip the start-up files you can use a tool that reads the specific part of the registry where the start-up entries are located.  To run this program go to Start -> Run, then type msconfig.

MSConfig is used to temporarily disable start-up items.  If you want to manually and permanently delete an item, open REGEDIT and navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

(Be careful!  Damaging the registry will break your PC!)

Inside the Run key is a list of programs.  Click to highlight an entry and then press Delete.  The other location is: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
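An added example, not from the article: a Python script that lists the values under both Run keys named above and flags the ones that deserve a look.  It reads the live registry only on Windows, through the standard winreg module, assumes English default folder names, and otherwise works on constructed sample entries.

```python
# Added example, not from the article: audit the two Run keys named above.  On
# Windows the values come from winreg; audit_run_entries() also takes pairs.
try:
    import winreg                     # Windows only
except ImportError:
    winreg = None

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")   # English names assumed

def read_run_key(hive_name):
    with winreg.OpenKey(getattr(winreg, hive_name), RUN_SUBKEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
            name, data, _ = winreg.EnumValue(key, i)
            yield name, str(data)

def executable_of(command):
    # Program path from a Run value: the quoted path, else the text up to ".exe"
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end > 0 else None].lower()
    pos = cmd.lower().find(".exe")
    return cmd[:pos + 4].lower() if pos >= 0 else (cmd.split() or [""])[0].lower()

def audit_run_entries(entries):
    # Return (value_name, executable, verdict) for each (value_name, command)
    results = []
    for name, command in entries:
        exe = executable_of(command)
        if "\\" not in exe:                     # bare name: resolved via PATH
            verdict = "review: bare name, found via PATH"
        elif exe.startswith(TRUSTED_PREFIXES):
            verdict = "ok"
        else:                                   # temp folders, user profile, C:\
            verdict = "review: outside Program Files and Windows"
        results.append((name, exe, verdict))
    return results

SAMPLE_ENTRIES = [                              # constructed sample values
    ("ZoneAlarm", r'"C:\Program Files\Zone Labs\zlclient.exe"'),
    ("Updater", r"C:\Documents and Settings\Pat\Local Settings\Temp\upd.exe -s"),
    ("Helper", "helper.exe /quiet"),
]
if __name__ == "__main__":
    entries = SAMPLE_ENTRIES
    if winreg:                                  # real registry when on Windows
        entries = [e for h in HIVES for e in read_run_key(h)]
    for name, exe, verdict in audit_run_entries(entries):
        print(f"{name:10s} {verdict:42s} {exe}")
```

A "review" verdict is a prompt to look at the file and where it came from, not proof that it is adware; check the entry before deleting it in REGEDIT.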

After all of these tools have been run and you are confident you have a machine that is running much better than before, you need to put up a permanent block so that the junk won't come back.  A big part of the reason why you got spyware and adware in the first place is that you weren't protected.

Follow these steps to build a strong block to that junk:

S&D TeaTimer

Part of the program you downloaded before (Spybot Search & Destroy) has a feature called TeaTimer that will actively monitor your system preferences.  Enabling this feature will prompt you when these programs try to change things like the home page or add themselves to the system start-up list.

This is an optional component that should be installed with Spybot Search & Destroy.  It's not part of the default install so you must select it during the installation of Search & Destroy otherwise it won't work.

SpywareGuard and SpywareBlaster / www.javacoolsoftware.com

Two more active monitors of the system preferences.  They have basically the same ability as TeaTimer, but I have found that redundancy is the best policy when dealing with this free software: some things that manage to slip by the first block will be picked up by the second.

Pop-Up Stopper Free Edition / www.panicware.com

This free tool kills all those annoying windows that pop up when you are surfing or when you leave the computer for a while.  Download and install and let it do the work.

MSN Pop-Up Stopping Toolbar / www.msn.com

Another method to block those annoying pop-ups.  Remember, two is better than one in this cyber war to keep your machine clean.

ZoneAlarm Firewall / www.ZoneLabs.com

The connection you have to the Internet contains many doors of access.  A firewall puts a lock on all the unused doors so an intruder can't just walk in.  Also, it monitors all the doors you do use so an attacker can't come in there either.

Windows Critical Updates and Service Packs

No matter what operating system you have or what condition the computer is in you should have all the available updates and service packs installed.

Most of these updates would have prevented the problem in the first place if they were installed.

To download them, open Internet Explorer, then on the menu bar click Tools, then Windows Update.  This will bring you to the Windows Update web page, so an Internet connection is needed.  Download and install all of the critical updates and service packs.  This might require more than one reboot after a component has been updated.

These tips should keep your computer running better and cleaner for now - until the next security hole is uncovered.

A few things to remember: These new monitoring programs are going to prompt you for every system change.  Read what it is telling you and decide what to do.  If you are installing/uninstalling something or performing some other system maintenance it is a good idea to temporarily disable the monitoring software so you don't get prompted a hundred times.
