Spyware FAQ and download list.

[PapaZeb]

Well, we've all accidentally done it. Clicked on a popup accidentally, and now you've got some sneaky program advertising when you're not around, just lurking for you to go searching for things on the internet so they can redirect you somewhere else... Buggers.

ZeroSignal adds:
I think it's also worth mentioning in this sticky that if you use a browser other than Microsoft Internet Explorer then the chance of being infected with spyware/adware is much lower.
--Alternate browser choices are pretty varied these days. Many folks check out Mozilla at www.mozilla.org more than any other alternate browser so that might be a place for y'all to get your check-on.

Griever adds:
http://www.mozilla.org/products/firefox/ solved all my problems



Spyware Removal and Detection Tools

Check out the following tools before asking for help - they might be exactly what you're looking for.


AdAware
http://www.lavasoftusa.com/
They're a biggie in the business. Remember to update this and any other SpyWare removal tools


SpyBot Search and Destroy
http://www.safer-networking.org/
Also another biggie. Update and run, should remove most known spyware programs


HijackThis!
http://www.siena.edu/antivirus/Spyware/hijackthis.htm
Hijack This is an interesting tool that examines every aspect of your startup files and items linked to Internet Explorer. I'd recommend updating, then running this and posting the log to either www.spywareinfo.com ' s forums or here for someone to look over it


BHO Demon
http://www.definitivesolutions.com/bhodemon.htm
http://www.siena.edu/antivirus/Spyware/bhodemon.htm (Cheers GreatKingRat)
BHO Demon is a tool used to remove programs that have installed themselves to your Internet Explorer toolbar - similar to Google or Yahoo's search bar, except not as wanted.


CWS Shredder
http://www.spywareinfo.com/~merijn/downloads.html
An uninstall tool for CoolWebSearch or other spyware programs that hijack your browser whenever you try to search on say... google.com - Updated often, pretty handy, pretty specific.


Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html
You've probably gotten sick by now of constantly defeating the problem AFTER it's become an annoyance. Spyware Blaster (and most up to date anti-virus programs) will keep you relatively free of the little buggers installing themselves.

Microsoft's Spyware Detection Tools
http://www.microsoft.com/downloads/d...DisplayLang=en
It's currently in Beta as of 05/01/05 and can be somewhat buggy, but it's nice to see that MS is pushing ahead for its customers.

If you've tried to use some of the tools here and not had much luck, or want a step-by-step bit o help, feel free to post up requests. Plenty of helpful folk around here from time to time.

GoddamnElectric adds:
Pest Patrol:
http://www.evildomain.freeserve.co.uk/Pest.exe

Ace Utils:
http://download.com.com/3000-2086-10224157.html




Specific Spyware Removal Instructions

Jody adds:
If you're getting grey messenger boxes advertising spam, you can disable this type of advertising by turning off the Windows NT Admin Messenger Service. (Note, this is different from the Messenger chat client from MSN.) Messenger Service is an old NT background service program. It's usually used by Network Administrators on corporate networks to communicate with employees.

To remove the grey messanger boxes on windows you..

1. Go to Start » Settings » Control Panel » Administrative Tools » Services, This could vary depending on your computer, On my computer it is Start » Control Panel » Administrative Tool » Component Services

2. Click on Services (Local) on the left panel, Then on the right panel scroll down til you see "Messenger" and double click on it. You should then get a popup like the one below.. Under Service Status click Stop, Then under Startup Type select Disabled in the drop down menu then press ok.
--You can also get a free tool that disables this for you at grc.com
http://www.grc.com/stm/shootthemessenger.htm

GreatKingRat adds:
I've noticed a very common problem is Spyware from IncrediFind.com which hijacks your browsers error page. So if your "Page cannot be found..." page has been changed to an incredifind.com alternative, here's some removal instructions..

Quote:

Originally Posted by http://www.kephyr.com/spywarescanner/library/incredifind/index.phtml

1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
2. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
4. Exit the registry editor.
5. Restart your computer.
6. Start Windows Explorer and delete:
   %ProgramsDir%\IncrediFind\BHO\incfindbho.dll
   Note: %ProgramsDir% is a variable. By default, this is C:\Program Files.
7. Start Microsoft Internet Explorer.
8. In Internet Explorer, click Tools -> Internet Options.
9. Click the Programs tab -> Reset Web Settings.

--I'll try to update this thread with more common spyware programs and their removal tools/methods. Other member contributions go in Italics and the like. If I add any notations after it, will be followed with a --
And I'm not infallible - if something posted here is bumf, call it out so we can all get on the same page.

[PapaZeb]

Questions/comments/additions more than welcome here.

[adrenalize]

And i was gonna ask for some help with a couple of things that keep popping up on my pc as well.

Ah well, as soon as i get home ill run em and see if it helps.

[GreatKingRat]

I've noticed a very common problem is Spyware from IncrediFind.com which hijacks your browsers error page. So if your "Page cannot be found..." page has been changed to an incredifind.com alternative, here's some removal instructions..

Quote:

Originally Posted by http://www.kephyr.com/spywarescanner/library/incredifind/index.phtml

1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
2. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
4. Exit the registry editor.
5. Restart your computer.
6. Start Windows Explorer and delete:
   %ProgramsDir%\IncrediFind\BHO\incfindbho.dll
   Note: %ProgramsDir% is a variable. By default, this is C:\Program Files.
7. Start Microsoft Internet Explorer.
8. In Internet Explorer, click Tools -> Internet Options.
9. Click the Programs tab -> Reset Web Settings.

[AWESOMEUS MAXIMUS]

Um i got a problem.

I use SpySweeper , Spybot S+D, and Adaware.

All updated and none have found any spyware recently.

Although now and again i get a pop up saying "free sex chat click go here" etc etc when i go to certtain websites. Sometimes i get it while browsing here. but yet ive searched my windows and system32 folders for anything suspictious and cant see anything.

So no idea what is causing it and where im getting it from or how to get rid of it.
As i siad its INfrequent but is annyoing none the less.

Help?

[Largest of Gregs]

nothing to worry about chris, thats me thats offering you free sex chat

[AWESOMEUS MAXIMUS]

You lieing fuck you have no meeting today.

yer sitting in yer house tickiling yer arsehole.

[PapaZeb]

Chris - is that a grey windows messenger box popping up (not a website, but rather what looks like an error box in Windows)

[AWESOMEUS MAXIMUS]

Do you mean the messenger pop ups that used to say like go to "www.gay.com check it out" and you clikced ok to get rid of it?

If so - then no. Its a pop up window
its an I.E window.

[GoddamnElectric]

Good idea for a sticky, I was starting to sound like a broken record in a lot of threads around here. People can avoid getting these problems to begin with if they show a little web-savy. You shouldnt be wandering around 'iffy' websites without a firewall up for starters, and always make sure Internet Explorer is updated fully to patch security holes, which are neither virii nor spyware, and so dont get stopped by any of these programs.
PestPatrol will remain on my webspace for the near future if anyone prefers to use it, I find it better than adaware and the rest. As an extra idea, people might want to check out a program such as Ace Utilities that scans your startup processes, and then compares them to online databases to advise you what is starting up that isnt needed or may be deeply rooted spyware.

[PapaZeb]

Got links Sam? Both to the copy of PP on yer webspace and Ace Utilities...?

[GoddamnElectric]

For pest patrol see
http://www.evildomain.freeserve.co.uk/Pest.exe

I dont have a full version of Ace Utils, im using a cracked trial of 2.1 You can find the trial at http://download.com.com/3000-2086-10224157.html and the crack isnt hard to find, but for legal reasons i'll avoid linking it directly.

[Zero]

I think it's also worth mentioning in this sticky that if you use a browser other than MSIE then the chance of being infected with spyware/adware is much lower.

[PapaZeb]

*left as open topic for more info*
The more info the better - I'll probably add them all into one big thing with contributors notes at the top later on this week. But right now its my Sunday dammit, and to hell with that sort of thing

[Jody]

You can disable this type of advertising by turning off the Windows NT Admin Messenger Service. (Note, this is different from the Messenger chat client from MSN.) Messenger Service is an old NT background service program. It's usually used by Network Administrators on corporate networks to communicate with employees.

To remove the grey messanger boxes on windows you..

1. Go to Start » Settings » Control Panel » Administrative Tools » Services, This could vary depending on your computer, On my computer it is Start » Control Panel » Administrative Tool » Component Services

2. Click on Services (Local) on the left panel, Then on the right panel scroll down til you see "Messenger" and double click on it. You should then get a popup like the one below.. Under Service Status click Stop, Then under Startup Type select Disabled in the drop down menu then press ok.