How to kill spyware for good

I have a problem on my system with spyware that keeps re-appearing after I remove it. The offending program produces pop-up ads, usually when I go to sites (such as my own) which do not even spawn pop-ups themselves. My pop-up killer doesn’t zap these ads, either. Every time I see this program depositing its feces on my computer screen I go to Task Manager and sure enough, there it is, save.exe, at which point I immediately end the process. While I can deal with the problem in the short-term, it’s annoying as hell to keep seeing it come back again and again.

How can I determine where this spyware is coming from and how can I get rid of it once and for all? I suspect it may come from one of the web sites I regularly visit (probably not this one, though). I use Lavasoft’s Ad-Aware, and it finds and kills the offending spyware (it’s in the registry and in cookies) every time it resurfaces, but I’m getting tired of having to keep removing it. As far as I know, Ad-Aware can only detect spyware when you run it and have it scan the hard drive, but is there something that will alert me right away that some rogue process is attempting to install spyware on my system and have the attempted installation intercepted? Anyone who can help would be much appreciated.

This may be a rather technical solution if you’re using Windows NT, 2000 or XP. Most of these Ad programs install themselves by putting an entry in the registry under HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run. I’ve used RegEdt32 (Note: Not RegEdit) to deny the user(s) I normally log in as permissions to write to this key. This stops anything from installing itself in this way.

So far I haven’t encountered any software that gets around this.

You can also counter by denying your usual user write access to the files Win.ini and System.ini just in case the adware is trying to be sneaky (though this may cause other problems as valid programs try to save their settings). Then just keep an eye on the StartMenu/Programs/Startup submenu to make sure nothing’s sneaking in there.

Of course, all this only works on NT based OSs that have the fine-grained security that 95/98/Me lack.
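An added example, not part of the original posts: a read-only audit of the autostart locations named above (the Run keys and the Startup folders) that also lists which accounts may write to the HKLM Run key and reports entries that have appeared since a saved baseline. It assumes Windows PowerShell 5.1 or later on a current Windows system; the baseline file name is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of autostart locations.
# Assumes Windows PowerShell 5.1 or later; nothing on the system is modified.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-AutostartEntry {
    # Values under the Run keys: one per program launched at logon.
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Location = $path; Name = $name
                               Command  = [string]$key.GetValue($name) }
        }
    }
    # Files and shortcuts in the per-user and all-users Startup folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name
                               Command  = $_.FullName }
        }
    }
}

function Get-RunKeyWriter {
    # Accounts whose Allow rules on the key itself include SetValue,
    # the right needed to add a new autostart value.
    param([string]$Path = $runKeys[0])
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.PropagationFlags)" -notmatch 'InheritOnly' -and
        ([int]$_.RegistryRights -band $setValue) -ne 0
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

# First run saves a baseline; later runs print entries that are not in it.
$baseline = Join-Path $env:LOCALAPPDATA 'autostart-baseline.xml'  # hypothetical name
$current  = @(Get-AutostartEntry)
if (Test-Path -LiteralPath $baseline) {
    $known = @(Import-Clixml -LiteralPath $baseline |
        ForEach-Object { "$($_.Location)|$($_.Name)|$($_.Command)" })
    $current | Where-Object { "$($_.Location)|$($_.Name)|$($_.Command)" -notin $known } |
        Format-List | Out-Host
} else {
    $current | Export-Clixml -LiteralPath $baseline
}
Get-RunKeyWriter | Format-Table -AutoSize | Out-Host
```

If the everyday account appears in the writer list, any program running under it can add itself to the machine-wide Run key; an entry that shows up after the baseline was saved points to what is reinstalling itself at logon.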

Spybot Search and Destroy will usually catch the stuff that Ad-Aware misses. Also make sure you’re using the newest version of Ad-Aware. The last two updates were significant.

Save.exe usually comes with Kazaa. Uninstall both.

You should be able to uninstall save.exe on its own, but I think it will disable Kazaa.

You have to remove the program, just killing it thru Task Manager won’t do it.

Sorry, forgot to tell you how to uninstall…

…it should have its own uninstaller in “C:/Program Files/Save”

Similar to Armilla’s solution - if you’re using NT, 2000, XP or 2003, create a logon for yourself that doesn’t have administrative privileges (this is the case by default). Get in the habit of using that logon, and only “powering up” to Administrator when you really need to. I think non-administrator ids aren’t allowed to install software (I haven’t tried this). It is a recommended security practice in any case to habitually log on as a regular user, only using the administrator logon when necessary.

Some programs (Kazaa, for example) at least have the good grace to inform you they are about to install spyware and give you the option to cancel the install.
Others install it, change your network settings and pull all sorts of other tricks without so much as a by your leave.
What’s the legal position on this? Say, for instance, your computer crashed badly because of their interference (quite likely) and you lost important and valuable data as a direct result. Have any states or countries passed legislation which would enable you to sue them?

SpywareBlaster is an excellent program that pre-emptively blocks spyware from being installed by malicious web sites. It does this by creating dummy entries in the registry for all known spyware programs. It won’t, however, block spyware that comes with programs like Kazaa.

Bearshare is another offender if you don’t go premium…

Sxyzzx is right on the money for the blaster program.

Thanks for the help, guys. I was gone for most of yesterday and didn’t have a chance to reply then.

Armilla: I have Windows 2000 at home (where I am seeing the problem). I don’t like to tinker with un-foolproof methods such as changing the registry, but I will keep your information on file and use it if necessary.

Athena and Sxyzzx: I’ll look into the apps you suggested. I first downloaded Ad-Aware about six months ago but have not updated it since then, so I will probably do this first.

NoGoodNamesLeft: I’ll see if save.exe is uninstallable. I thought Ad-Aware was zapping it every time I scanned for it. I’d just like to know where it keeps coming back from and if I am actually deleting it when I run Ad-Aware.

Several of you mentioned Kazaa as a possible culprit, which I don’t use, so we can rule that out. Ditto for Bearshare. I do use WinMX, however. Does anyone know if this could be the guilty culprit?

I’ve started using Spybot and it’s saved me a lot of headaches (I do IT work for a living). Whatever you use I highly recommend a cleaner/blocker rather than doing this stuff manually, it’s an enormous PITA.

You can check out doxdesk.com, he has a good library of adware/spyware and manual removal instructions.

Note that a lot of this junk comes from:

a. Filesharing apps like Kazaa (so you’re actually installing it yourself, although they like to hide that info).

b. Insecure ActiveX settings in IE, so these things can be pushed to your PC without you even getting a notification.

You’ll save yourself some troubles if you pay attention to all those little installation dialog boxes in (a), you might catch something that they are hiding in the boilerplate, and for (b) either increase your security settings in IE or just go with another web browser altogether - ActiveX stuff is no longer a problem, and you will probably find much greater control over unwanted popups and other such annoyances.

Good luck!