 Anti-Spyware / Anti-Virus Suggestions

The following suggestions have evolved over a few years, and are based on real experience of clearing infected PCs, attempts to formulate procedures which prevent infection, and reviewing excellent advice from many others in similar situations. It'll never be complete! Every day, new threats arise, or new tools are available, or some established tools are improved significantly or have become out-of-date.

I'm using the term Spyware in a "general" sense - covering Trojans, Worms, Keyloggers, etc.

And if you run a 'net search seeking anti-spyware tools, it's likely that the majority of the resulting tools are ACTUALLY Spyware. They'll masquerade as clean-up tools, and they may even remove some Spyware, but they'll infect your system in the process. Before installing anything you found that way, check it against the rogue/suspect anti-spyware list on the Spyware-Warrior site.

The suggestions are geared towards users of stand-alone PCs, or PC usage in small organisations. They also assume these PCs are running under Windows/DOS. These notes are very brief - seek assistance from your IT support folks, as needed. You'll observe that it's usually adequate to have just ONE Anti-Virus product running. However, no single Anti-Spyware product addresses all infections, and you'll need to use perhaps 3 or 4 or 5 products to clear out an infected PC, and/or prevent Spyware infections. With many of the products listed below, you'll probably need to check all the configuration options, and you may need to activate some of the more "aggressive" ones.

Some products conflict with others. Frequently, multiple Anti-Virus products will not tolerate each other, and, indeed, their web-sites usually advise you about this. In some tests, I had very major problems trying to run "Protector Plus 2000" and "AVG" in the same system. My tests indicated that PP was very upset, and caused serious random re-boots. But, I did not run exhaustive tests to establish who disliked whom. I've run NAV and AVG in the same system, with no issue whatsoever - apart, perhaps, from wasted CPU cycles!

Many of the recommended products are free. Some are free for personal use, and chargeable for commercial use. You must establish (and meet) the terms which apply to your intended use of each product.

Some other interesting sites have excellent info on many of the products and procedures listed below, and indeed on a few products which I've never used. Similarly, I've listed a few products below which are not mentioned on the other sites:
   - CoU (Calendar-of-Updates)
   - ASAP (Alliance of Security Analysis Professionals)
   - Arjan
   - SomebodyHelpMe
   - DefendingYourMachine (Jim Byrd)
   - BleepingComputer
   - TechSupportAlert
   - Sponge's Security Solutions!
   - Wng_z3r0
   - SpywareData
   - MalwareHelp
   - JS Technology
   - MalWare-Removal (including Nick's Computer Security blog)
   - A-V comparisons
   - www.Virus.GR
   - Malware Test

If any of the links below don't work for you, you might try MajorGeeks - most products are available there also, as are updates to Anti-Virus definition files, etc.

I welcome feedback.

Last update: Aug, 2006.

The following products are referenced later, and are recommended:

General Cleanup:

  Crap-Cleaner Excellent and very popular utility.
  CleanUp New Product. Well supported, highly recommended.
  JV16 PowerTools Highly recommended set of utilities from Jouni Vuorio. An older free build of these tools is available here, here, here or here. There's a free build of his RegCleaner product here.
  RegSeeker Highly recommended set of tools; free for personal use.
  EasyCleaner Recommended, but don't activate options unless you're aware of the consequences.

Spyware Removal/Prevention:

  Ad-Aware SE Personal Very Highly Recommended. Definitions should be updated prior to each Run. "Ad-Watch" available for background monitoring. Must be run manually, as needed, or scheduled. After installing, you should review the "options", and activate any which might be beneficial. The Lavasoft website may also have "Add-Ons". Check these (especially this one), and install any that seem appropriate.
  SpyBot Very Highly Recommended. Definitions should be updated prior to each Run. Background "watcher" available. Full scans must be run manually, as required, or scheduled.
  MS Anti-Spyware Runs only under Win-2000/XP. Not Win98. Was initially highly recommended, but that was initially! It has since been criticised as being too tolerant of some products - MS does not flag them as Spyware, whereas other Anti-Spyware tools do. Currently free. Includes background monitor. Either activate the option to automatically download the latest definitions, or manually check for any updates frequently.
  CounterSpy Very highly recommended in recent tests (2005, 2006). Does run on Win98SE, etc. 15-day Trial period, and then costs about 20 USD per Client per year. Reported to be extremely similar to the MS-AS product, because it uses the same internal "engine" (but it may be better; it runs on W98, etc; and it's not free!). The scanner is fast.
  CWShredder Old link, and newer link. Designed to remove a specific family of Spyware (CoolWebSearch); check for program updates before running it. Also, if CWShredder seems to ignore a request to run it, you might need to run a supplementary tool (some notes here).
  HomeSearch Similar to CWS, focuses on specific Hijacks.
  ADSSpy "A tool to List, View or Delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems"

Repairs after Spyware Removal:

  LSPFix "Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access"
  Winsock2 Fix Similar to LSPFix, Win 98/98SE/ME.

Virus Removal/Prevention: (It's probably adequate to choose just 1 from NAV, AVG, McAfee, NOD32, or Others)

  Norton AntiVirus Very Highly Recommended. Chargeable. Later versions and builds (eg, NAV-2005) include additional Firewall facilities, "Parental Control" lists, etc. If you cannot run the "Live-Update" option, you should retrieve and install the most recent "Definitions" file regularly - perhaps from MajorGeeks. NAV should be carefully "tuned": Eg: use Smartscan in the background normally; scan ALL files when a manual scan is activated; don't scan emails; etc (IMO!).
  AVG Highly recommended. Some versions are free for personal use. Ensure definitions are updated very frequently.
  McAfee AntiVirus Highly recommended, though I don't use it. Ensure definitions are updated very frequently. A brief effort to boot a highly infected PC from CD didn't succeed, even after much wandering around the website.
  NOD32 Highly recommended by many.
  (Others) Eg, Sophos, Avast, AntiVir, CA eTrust, etc...
  Kill2Me Removes "Look2Me".
  Stinger Highly recommended. Free. Anti-Virus tool from McAfee. Handles (removes) about 50 viruses only, but these are very nasty ones! Download the latest version before running it.

Removal Verification:

  ShieldsUp! (etc) Steve Gibson's service probes your public address from the outside and reports which ports are open or listening - ie, your INCOMING exposure. Specific link here. Steve has many other useful tools also: shut down DCOM, the Messenger service and UPnP, etc. Check out his site, and decide what tools suit your setup. Note that if you sit behind a NAT router, ShieldsUp! is testing the router, not the PC behind it.
  Leaktest Another test from Steve, but for the OUTGOING direction: it checks whether your firewall stops an unrecognised program from making an outbound connection.
  Port Scan TCP/UDP Port scan at BroadbandReports.
  HijackThis For Techies only! Check for program updates frequently. Use this utility to check on what's running in your PC, but do not take any action unless you know what you're doing!! If in doubt, send the list to some experts, and follow their advice. One site which might help with analyses is here.

Preventive Actions:

  HOSTS Replaces your standard HOSTS file. Excellent tutorial, etc, on this subject available here. Get the latest version frequently, and replace your existing HOSTS file with it. Various versions available: This site contains a frequently-updated HOSTS file, instructions, and many excellent pages on many security issues (blocking pop-ups, configuring IE, etc); This site has a smaller one. You might even combine these HOSTS files!!
You might use the HOSTS File-Manager utility here to assist.
Another HOSTS file (and instructions) is available here.
And another HOSTS manager and excellent related info is here.
A new "manager" is available from http://www.abelhadigital.com. It looks very impressive.
  No-Ads Follow the instructions. The PAC file contains extensive notes on how to install it. If using IE, you may need to update the registry using the REG file here.
  IE-SpyAd This utility adds a long list of known ad/spyware sites to the "Restricted sites" zone in IE (or in AOL's web browser), so that scripting and ActiveX are disabled for those sites. Tutorial, etc, available here. If you use this utility, you should plan on checking for updates regularly - perhaps every few weeks.
  BugOff! Disables some IE Browser Hijacks.
  SpywareGuard Provides real-time protection against spyware installation, browser hijacking, etc.
  SpywareBlaster SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
  SpySweeper Chargeable, but has fared very well in many recent tests.
Update (based on personal experiences, and on general comments on the 'net): Version 4 was good, stable, etc. Version 5 may have many extra features, etc, but does not run well (sometimes?). Early builds of ver 5 consumed a lot of CPU power. Webroot indicate that ver 5.0.7 (1608) has resolved the CPU usage issue, but it is still NOT recommended, IMO. The product is unstable:
  - Sometimes it loads correctly at boot, sometimes it does not. When it does not, it prevents other apps from loading also.
  - It sometimes clobbers other harmless apps - which can initially suggest that the other apps themselves are problematic.
  - If its behaviour leads to crashes/hangs, and the PC has to be reset, then very many corrupted temp files (from SpySweeper) will be thrown up by ChkDsk/ScanDisk, which suggests that SpySweeper is leaving temp files "open"...
These issues were not observed in version 4. They may be caused by conflicts with other AntiSpyware or A-V tools. I've not tried to contact Webroot on these matters - it seems unnecessary when very many other folks have publicised similar issues already.
  Spyware Doctor VERY highly rated in some Reviews. A restricted free version is available.
Update: I bought it; tried it; was NOT impressed; had problems trying to log issues with PCTools; got no useful feedback; and I do NOT recommend it. Web and NG searches suggest many others have had similar issues. Maybe it works OK in an empty XP system, with no other A-S nor A-V apps installed! Maybe the favourable reviews were run on "lab" PCs, rather than typical user PCs... Maybe the tests concentrate on Spyware identification/removal, but miss out on other real-world issues...
  Zone-Alarm Very Highly Recommended "firewall", etc. A free version is available - with reduced functionality. Requires some technical knowledge to configure it accurately. Alternatives: Kerio, Sygate, BlackICE, etc. Good Firewall reviews here.
  Comodo New firewall; very popular; recommended... And free! The supplier has a range of security products - Anti-Virus, Anti-Spyware, etc.
  Kerio Generally highly recommended, but I've not used it. Personal and Chargeable builds available.
  PestPatrol Highly rated in tests, and highly recommended. Shareware.
  WinPatrol Highly recommended tool to manage startup tasks, running tasks/services, Cookies, etc.
  FireFox Use FireFox as your Browser! Some advice here. Some highly recommended add-ons are also available, especially NoScript.  See some good notes from Mighty-Joe on FireFox add-ons here and here (the latter link has very good notes on many freeware products, etc).
  Messenger Service Ordinarily, to reduce unwanted SPAM, ads, pop-up messages, etc, you should ensure that the Windows "Messenger" service is Disabled. Please GOOGLE for lots of info on this matter. Microsoft has KB articles on this subject, including this one, and this one. If in any doubt, you might run Steve Gibson's Shoot-The-Messenger utility.

["Windows Messenger Service" is not to be confused with "MSN Messenger", "XP Messenger", "Windows Messenger", nor with any other IM/chat (Instant-Messaging) system. To investigate/disable "XP/Windows Messenger", you might check Doug Knox' notes here and here, Marc Liron's notes, or AXCEL]
  Anti Spam / Thunderbird I've not used many AntiSpam products extensively. I've seen great reports for Cloudmark's SafetyBar. Some of the ZoneLabs products include highly recommended Anti-Spam features.

I've been using Thunderbird recently (for email), and using its Spam-Filtering options, and the entire package seems excellent.

Recommended Removal Procedure:

1 Decide which tools you need, and download them in advance. You may have to use an uninfected PC; or maybe ask an IT "friend" to compose a CD for you. In general, you should ensure you have the latest version of the software, and, if possible, the latest "Definitions" file - where appropriate. Ensure you're running behind a Firewall - at least one!!!
2 If you're using an OS with Restore-Points (eg, XP), you probably should disable System Restore at this point, which also deletes all saved restore-points. Otherwise any infections that were copied into the restore-points would need to be cleaned out too (which can be quite difficult), and you would have to make sure that no old restore-point is ever "restored" - in case an old infection is re-activated.
3 Boot to Safe-Mode.
4 Run Stinger.
5 Some smart viruses will prevent the popular Anti-Virus programs from Installing and/or Running. If you suspect a major Virus infection, then you'll probably have to Boot your PC from an Anti-Virus CD. The procedure is documented in the Anti-Virus documentation. If you do not need to Boot from the A-V CD, then boot to Safe-Mode, ensure your A-V definitions are up-to-date, and do a full (and deep) scan. Ensure your A-V program is properly (optimally) configured - the background scanner does not normally need "Scan All Files", and you probably do not need to scan all emails as they are being sent and received - provided that any attachment will be scanned when an attempt is made to open it. If Viruses are identified (and removed), you should repeat the scan - until you get a "clear" run.
6 Re-boot "Normally".
7 Install the relevant tools from the above list. As you install, you should also download/install the latest definitions - where appropriate. Do not RUN them yet.
8 Boot to Safe-Mode.
9 Run Crap-Cleaner, and/or Clean-Up.
10 Run a full AdAware scan. (Download the latest Definitions, if needed). If spyware is removed, repeat the scan until you get a "Clear" run.
11 Run a full SpyBot scan. (Download the latest Definitions, if needed). If spyware is removed, repeat the scan until you get a "Clear" run.
12 If using Win-2k or later, run the MS-AntiSpyware program (Update Definitions). If spyware is removed, repeat the scan until you get a "Clear" run. Under Win98SE (etc), it might be useful to run a copy of the old "Giant Anti-Spyware" product - especially if you happen to have a purchased build of that product. However, if you have not already purchased the Giant version of that program, it was available only in a 30-day trial build, the trial build is no longer supported, and up-to-date definitions may not be available for it.
13 If running Win98SE (and, maybe even if you're running W2K/XP), apply all CounterSpy updates, and run it.
14 Run CWShredder.
15 Under Win2k or later, run ADSSpy.
16 Run Kill2Me.
17 Run BugOff!, to configure your PC for safer online usage.
18 If any of the above products removed any spyware, then run AdAware, Spybot and MS-AS / CounterSpy again, until you get a Clear run of them. (This re-running is required, because some spyware is concealed behind other spyware...)
19 Reboot "normally".
20 If you've lost Internet access, you might try LSPFix or XP-TCP-Cleanup.
21 Install a HOSTS file. You should check your existing HOSTS file, before replacing it, and copy any non-matched entries in your old file to the new one. Before updating HOSTS, you should make a backup copy. Then, after updating, check for any entries in your old file that are not in the new one, and copy these across (or, if you're using the utility, copy these into the HOSTS.CST file for automatic appending to the new HOSTS).
22 Run IE-SPYAd
23 If you've lost Internet access (again!), you might try LSPFix or XP-TCP-Cleanup.
24 Run "SFC  /SCANNOW", to check the integrity of your Windows sub-systems. Follow any repair advice that's presented - you may need to have your Windows-CDs available. (In a DOSBox, type SFC to get some info on the utility. If it's not installed in your system, you may be able to install it from a MS-Win CD, or download from the MS site). SFC may undo some Windows-Updates, so ensure you run that step after SFC has ended (next item!).
25 Check for, and install, any relevant "Windows-Updates".
26 Install SpyWareGuard, check for updates, activate all precautions, etc.
27 Install and run SpyWareBlaster, check for updates, activate all precautions, etc.
28 Run full scans of your Anti-Virus and Anti-Spyware products.
29 Disable the Windows Messenger Service, unless you have a pressing need to keep it running. See the reference above to Steve Gibson's tools.
30 Ensure all "normal" users of all PCs do NOT normally use "Admin" access. Ensure all passwords are not in any "Dictionary", and are not "guessable". Long random strings are best, obviously. As a compromise, you might consider using at least 2 dictionary words, perhaps joined with digits or other characters - eg: Night58Life. Be aware that password-cracking tools try exactly this kind of pattern (word + digits + word) early on, so treat it as the minimum, not the target.
31 If Restore-Points were disabled above, they should now be re-enabled.
32 If your system has a "Restore-Point" option, take one now.
33 Maybe run a DeFrag, etc.
34 Use "FireFox" instead of Internet-Explorer? Most reviews indicate Firefox is more secure and faster (overall) than IE; repairs are quicker; etc. Seems to be a "no-brainer"!
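The HOSTS merge described in step 21 (and under HOSTS in Preventive Actions), as an added Python example rather than a tool from this page or from any of the HOSTS-manager sites listed: it backs up the current HOSTS file, keeps the freshly downloaded blocking list as the base, and appends only those old entries whose hostnames the new list lacks, so the new list always wins for any name it covers. The sample HOSTS contents, hostnames and file names below are constructed for the example. Old entries that point a hostname at a real (non-loopback) address are not copied automatically but reported for review: they may be legitimate LAN names, but a HOSTS file that redirects update or security sites elsewhere is also a known spyware trick.

```python
import shutil
from pathlib import Path

# Addresses a blocking HOSTS file uses to "black-hole" a name.
LOOPBACKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, [hostnames]) for every entry line of a HOSTS file.

    Comments (# ...) and blank lines are ignored; a line without at least
    one hostname after the address is malformed and is skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def merge_hosts(old_text, new_text):
    """Step 21: new (downloaded) list as base, plus old entries it lacks.

    Returns (merged_text, review).  'review' holds old entries that map a
    hostname to a non-loopback address; those are NOT copied automatically
    because such lines are either deliberate LAN names or a possible
    hijack, and a human should decide which."""
    known = {h.lower() for _, names in parse_hosts(new_text) for h in names}
    carried, review = [], []
    for ip, names in parse_hosts(old_text):
        missing = [n for n in names if n.lower() not in known]
        if not missing:
            continue                    # the new list already covers these
        line = f"{ip}\t{' '.join(missing)}"
        if ip in LOOPBACKS:
            carried.append(line)
            known.update(n.lower() for n in missing)
        else:
            review.append(line)
    merged = new_text.rstrip("\n") + "\n"
    if carried:
        merged += "\n# --- entries carried over from the previous HOSTS file ---\n"
        merged += "\n".join(carried) + "\n"
    return merged, review


def update_hosts_file(hosts_path, new_list_path):
    """Back up HOSTS first (as step 21 says), then write the merged result.

    hosts_path is e.g. C:\\WINDOWS\\system32\\drivers\\etc\\hosts on XP or
    C:\\WINDOWS\\HOSTS on Win98 (assumed locations, supplied by the caller).
    Returns (backup_path, review_list)."""
    hosts_path = Path(hosts_path)
    backup = hosts_path.with_suffix(hosts_path.suffix + ".bak")
    shutil.copy2(hosts_path, backup)
    merged, review = merge_hosts(hosts_path.read_text(),
                                 Path(new_list_path).read_text())
    hosts_path.write_text(merged)
    return backup, review


# Constructed sample data for the example; not real block-list content.
OLD_HOSTS = """\
# existing HOSTS on the PC
127.0.0.1       localhost
127.0.0.1       ads.example.net           # blocked by hand last year
127.0.0.1       tracker.example.org
192.168.1.20    fileserver                # LAN name added by the user
10.9.8.7        www.example-av-update.com # real address for an update site: suspicious
"""
NEW_HOSTS = """\
# downloaded blocking list (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example.net
127.0.0.1       popups.example.com
"""

if __name__ == "__main__":
    merged, review = merge_hosts(OLD_HOSTS, NEW_HOSTS)
    print(merged)
    print("Review by hand before adding:", *review, sep="\n  ")
```

On the sample data, tracker.example.org is carried over (loopback, absent from the new list), ads.example.net is not duplicated, and the fileserver and update-site lines are left for manual review; run update_hosts_file() against real paths only after checking the review list.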

