Posted: January 2, 2003
Written by: Dan "Tweak Monkey" Kennedy

Introduction

At least once a week I am called to fix someone's computer. It comes with the role of being a "computer guy" I suppose. I am used to it, so I rarely complain when I end up at a friend's house trying to figure out why their PC is slow and unstable, or why they are constantly receiving pop-up messages telling them to buy diplomas or check out the latest XXX site. The repair procedure is getting easier all the time though, and I'll explain in this guide how I go about repairing a PC in this condition.

Before following the steps in this guide, be sure your PC is virus-free. If you don't have a virus scanner, check your PC online or download a scanner!

Symptoms and Causes

Slow PC - If your PC is running much slower than you remember it running in the past, it might have spyware or adware installed.

Internet toolbars or homepages have changed - If your PC has new, strange toolbars that you don't remember installing or your homepage constantly changes back to some site you don't intend to visit, you almost definitely have some form of adware/spyware installed.

Strange pop-up Internet windows - If you see weird pop-up ads while surfing the Internet on sites that usually don't have pop-ups, or the pop-ups are adult related on non-adult sites, you probably have adware installed. These are Internet sites though, not Windows Messages (see below).

Windows Messages (from the "Messenger" service) - If ads randomly appear offering diplomas or pornographic sites and the windows look like the example shown below, your IP address has been subscribed to a messaging service.



What is Adware? Spyware? Messenger Service?

Adware - Designed solely to make money at your expense, Adware will pop random ads up when you least expect it. You'll be visiting Yahoo.com and all of a sudden a porn banner will pop up. Your child will be reading something on National Geographic's site and a bright blinking banner advertising an Internet Casino will appear.

These programs are hidden within Windows, but will do major damage. Granted they rarely hurt your PC permanently, but they will slow it down and make it almost unusable most of the time. The programs are often memory and CPU hogs and are poorly coded, so your PC usually becomes unstable.

Spyware - Most people use "Adware" and "Spyware" synonymously, but I consider Spyware to be a more intelligent version of Adware. Spyware is the nastier of the two, and will collect personal data about your PC and your habits in order to make even more money. Advertisers make more money when you are interested in the ads, so Spyware collects information about your Internet browsing habits in order to sell this information for more dough. For example, if you visit car sites a lot, the random ads will be car ads. This way they'll also seem more fitting so people won't question the ads as much. It's believed that Spyware designers also sell these habits to retailers in order to gather demographics.

Spyware and Adware can both hide themselves many ways. The most common is to load at Windows' startup and stay resident in system memory. Some Spyware will appear on the navigation bar in Internet Explorer and since most people cannot figure out how to remove it, they will be stuck with it even if it's right in front of them. Still, other users won't even notice the navigation bar. This type is generally the worst when it comes to slowing a PC down.

Messenger Service - The Messenger service is enabled by default within Windows 2000 and XP, and will allow network users to communicate with one another. Unfortunately, advertisers have figured a way to profit from this and the best solution is to disable the service entirely, as you'll read later.

Where do they come from? How can I fight back?

Adware and spyware usually come to your PC three ways, listed from most common to least:
1) File sharing programs such as KaZaA, Morpheus, Bearshare, Grokster, and Limewire. Almost any free file sharing program out there will install Adware on your computer except a few (such as a stripped version of "Kazaa Lite").

2) Internet sites that attempt to install plug-ins or extra features. It's hard to decide which of these are bad and which are actually beneficial, but for the most part, if you're reading a site you know is not as well established as another (comparing a Geocities hacking site to Microsoft.com, for example), be careful about installing add-ons. When you first visit the site, boxes might pop up telling you to install the "Comet Cursor" or "Gator advertising Network". Some users either accidentally click "Yes" or just click it to make it go away. Be very careful if the corporation is one you haven't heard of!

3) Installed with legitimate programs. I have seen Spyware install with software that appears to be legitimate, including game demos and ISP software. Be careful of what you install and always choose "Custom" installs to see what kind of crap people package with their software.

How can I fight back?

It's not easy. The best thing you can do for now is remove the Spyware, Adware, and Messages. You probably will not be able to find the original source of the problem so nobody will be held responsible. Boycott the file sharing programs that install these backdoor programs or download Lite versions. Help others remove Spyware and be careful in the future with your PC.

Know Your Enemy

Windows 95/98/Me: Just hit CTRL-ALT-Delete and scan for the Spyware types mentioned below.
Windows 2000/XP only:

In order to conquer Spyware, you must first know the names of the programs. Close any program you can in your system tray (bottom right corner) and close any programs you have open except this Window (unless it's printed). Now hit CTRL-ALT-Delete and click the "Processes" Tab. With everything closed, you should have fewer than 20 programs open, even fewer if you have disabled your virus scanner for this test.

The programs you should see include:
-taskmgr.exe
-explorer.exe
-iexplore.exe
-spoolsv.exe (maybe)
-svchost.exe (even 4 or 5 of it)
-winlogon.exe
-lsass.exe
-services.exe
-System
-System Idle Process


A nice clean list.


Other programs running are fine as long as you know what they go to. For example a file that begins with "NV" is probably an Nvidia display driver or application and any program that begins "NAV" is probably Norton Antivirus.

If you see many other programs such as "Dialer", "Freeaccess", "Offer", "Save*", "GATOR", "Newdotnet" (or New Net, New.net), "Xupiter", "Shop*", "Ad*", "Bargains", "NewsUPd", prepare to nuke them.

Now, let's remove this junk!

Removing Spyware and Adware

First, go to ad-aware.com and download Ad-Aware from Lavasoft. Install it and run it. Check the "My Computer" box on the left to select every option for scanning. Then choose "Scan Now". This program will eliminate just about every Spyware/Adware program you'll encounter, so it's a good tool to keep around. It will even remove Spyware that was uninstalled a long time ago. It will also remove advertising cookies. It is a good idea to back-up your files (the program includes a back-up utility) before you remove them.

Of course, after it's done its job you could always uninstall the program, but you might want to download it again later. I recommend checking for Adware once a month (minimum) in order to stay clean or again whenever your PC seems slow.

Second, disable 3rd party browser extensions in Internet Explorer. This will prevent some Spyware from contaminating your PC in the future and stop those annoying Gator and New.Net shell extensions from taking over.

To do this, start up Internet Explorer and go to the "Tools" tab at the top. Then choose "Internet Options". Move to the "Advanced Tab" at the right. Uncheck the box "Enable third-party browser extensions (requires restart)". Choose OK until you're out of this menu. Don't restart until you're done with this guide, though, as you'll need to restart again anyway.



Third, choose "Start", "Run", and type "msconfig". Hit OK. Move to the "Startup" tab.



This is the list of programs that launch when Windows starts. Scroll through your list and be sure there aren't any extra programs you don't want to run, such as Gator or those mentioned earlier. I also turned off "qttask" (Quicktime's taskbar component) and "ADGJET" (some Sound Blaster Live utility). Once you're finished here, choose OK and then "Exit without restart".

Finally, enter the registry editor ("Start","Run", "Regedit", OK). Navigate to HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run. Here are the programs set to run when Windows starts. This list should be basically the same as the MSCONFIG list we just saw. If you see any additional programs that appear to be out of the ordinary, delete the entry (backup first!) and close the registry editor.
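
The name checks from "Know Your Enemy" and the Run-key review above can be scripted. The following is an added example, not part of the original guide: it sorts process names or Run-key command lines into the guide's expected list, its vendor prefixes, and its suspect names. The verdict labels, function names and the sample entries (including their file paths) are constructed for illustration.

```python
import fnmatch
import ntpath

# Baseline from the guide's clean process list (compared case-insensitively).
EXPECTED = {"taskmgr.exe", "explorer.exe", "iexplore.exe", "spoolsv.exe",
            "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
            "system", "system idle process"}
# Prefixes the guide treats as recognisable vendor software.
VENDOR_PREFIXES = {"nv": "Nvidia", "nav": "Norton Antivirus"}
# Names the guide flags; "Save*", "Shop*" and "Ad*" are its own wildcards.
SUSPECT_PATTERNS = ["dialer", "freeaccess", "offer", "save*", "gator", "newdotnet",
                    "xupiter", "shop*", "ad*", "bargains", "newsupd"]

def image_name(entry):
    """Reduce a process name or Run-key command line to a lowercase file name."""
    entry = entry.strip()
    if entry.startswith('"'):                      # quoted path, then arguments
        entry = entry[1:].split('"', 1)[0]
    else:
        head, sep, _ = entry.lower().partition(".exe")
        if sep:                                    # drop arguments after the .exe
            entry = head + sep
    return ntpath.basename(entry).lower()

def classify(entry):
    """Return (verdict, reason); a verdict is a prompt to review, not to delete."""
    name = image_name(entry)
    stem = name[:-4] if name.endswith(".exe") else name
    if name in EXPECTED:
        return ("expected", "baseline list")
    for pattern in SUSPECT_PATTERNS:
        if fnmatch.fnmatchcase(stem, pattern):
            return ("suspect", pattern)
    for prefix, vendor in VENDOR_PREFIXES.items():
        if stem.startswith(prefix):
            return ("vendor", vendor)
    return ("unknown", "not on any list")

def triage(entries):
    """Keep only entries that need a closer look, as (entry, verdict, reason)."""
    results = [(e,) + classify(e) for e in entries]
    return [r for r in results if r[1] in ("suspect", "unknown")]

# Constructed sample: Task Manager names mixed with Run-key command lines.
SAMPLE = ["svchost.exe", "System Idle Process", "NAVAPW32.EXE", "nvsvc32.exe",
          r'"C:\Program Files\Gator\GATOR.EXE" /autostart',
          r"C:\Program Files\SaveNow\SaveNow.exe",
          r"C:\WINDOWS\system32\qttask.exe -atboottime",
          "Ad-Aware.exe"]   # the cleaner the guide recommends also matches "Ad*"

if __name__ == "__main__":
    for entry, verdict, reason in triage(SAMPLE):
        print(f"{verdict:8} {reason:16} {entry}")
```

The last sample entry shows why a wildcard such as "Ad*" should trigger a manual look rather than an automatic delete: it is broad enough to match legitimate software too.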

Nuke the Windows Messenger Pop-ups

Fortunately, these are very easy to fix. Head back to the MSCONFIG utility ("Start", "Run", "msconfig", OK). This time click the "Services" tab. Scroll down until you see "Messenger". Uncheck this box.

Choose OK. Then choose "Exit without Restart". Close all your programs, reset your PC, and you'll probably never see those messages again.

Once your PC reboots, you can test to see if the messages still work by doing the following:

Choose "Start", "Run", then type "net send * test". If a message pops up saying "test", you have not disabled the service correctly.

Conclusion

Now your PC should be free of Adware, Spyware, and those annoying pop-up messages that were stopping you from playing your favorite games. Enjoy your new freedom and be careful to avoid these annoyances in the future. Thanks for reading!


All Content Copyright ©Dan Kennedy; 1998-2002