# Spyware



## Geronimo (Mar 23, 2002)

While in the process of monitoring my network and my kids computer usage I discoverd a TON of spyware and even trojans on their machine. I have run Spybot and Norton Anti Virus but I ssupect that I have not gotten it all. 

Any suggestions for good cleaning. It may well be too late.


----------



## JBKing (Mar 23, 2002)

Adaware is a good program.

http://www.lavasoftusa.com/


----------



## jrobo (Jan 23, 2004)

What I would suggest is to go to add/remove programs and remove any program that you do not recognize. Before restarting, I would run msconfig and disable all startup commands.

Then rerun your virus scan software. You should be in good shape after that.

If you want constant protection, re-enable your virus software in startup.

Hope this helps.

John


----------



## SAEMike (May 29, 2004)

I run spybot, spy sweeper and ad aware, usually what one doesn't get rid of, the others will.

Spy Sweeper can be found at: http://www.webroot.com/wb/products/spysweeper/index.php


----------



## cdru (Dec 4, 2003)

jrobo said:


> What I would suggest is to go to add/remove programs and remove any program that you do not recognize. Before restarting, I would run msconfig and disable all startup commands.


Both of these are not exactly great advice. Just because you don't recognize what the program is doesn't necessarily mean it shouldn't be there. A better suggestion is to figure out what the programs are, then determine if they should be there. With most programs, all you have to do is get the executable name and do a google search for them. There is a site out there that will tell you what all the different commonly found programs do...although I forget it right off hand.

I recommend 3 differnet spyware removal programs, AdAware, SpyBot:S&D, and SpySweeper. Pick one, run it repeatedly until nothing comes up. Reboot. Run another the same way, reboot. Run the last. All 3 will find something the others didn't...and rebooting often brings more out of the woodwork.


----------



## Geronimo (Mar 23, 2002)

Adaware is running. I have also disableda lot of startup programs. Thanks for the spy saweeper recommendation Mike. I will try it. I will report back to you gusy.


----------



## Cyclone (Jul 1, 2002)

I hate to say it, but I've had a real struggle with spyware over the summer. I luckily have been able to keep my systems clean by using Firefox instead of MS:Internet Explorer, running Adaware, and not clicking on any pop up windows. But my two brothers and some co-workers have been really hit hard, and I've spent many hours trying to disinfect their systems.

The first thing that you need to know when hunting down spyware is that they automatically get started when Windows starts. It does not do this in the "startup" folder like many programs, but instead they start via entries in the registry. The registry is powerful, and you can cause problems if you starting removing things carelessly in there, so be deliberate. Look in the following area of your registry to see what programs will be started when Window starts.

From the Start Button, select run and type regedit and run it. This will open a program that lets you browse the registry. Navigate to:

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Each entry that you see is a program that windows will automatically start. Some are legit, others are spyware. I have found that Many spyware removal programs fail to remove the respective spyware entries here. Then when you reboot, the spyware runs, and re-installs itself and other spyware programs.

If I suspect that a entry is spyware, I will take the filename and put it in google and search for it. If its know spyware, then you will likely come accross discussions about it on the net. You will then know to remove it. Other legit programs are also in here. You might find 'qttask' or 'realsched' for Quick Time or Real Player, they like to insert themselves in here. I often have to remove them. If you use a ATI or Nvidia graphics card, then you might find a atitech entry or nwiz.exe.

When you finally learn which are good and which are bad, then you will be well on your way. If you have Windows XP, use the system restore feature and create a restore point before making any changes. That will allow you to revert back if needed.

Finally, Keep in mind that Spyware and Adware software do not want to be removed. They will try to stay on your system any way that they can. They are not polite and they do not take your wishes into consideration. I have found that if I see a spyware package in my "Add/Remove" progams, and I choose to remove it, there is a good chance that it will reinstall itself (and perhaps additional spyware packages) as part of the removal.

Its a frustrating battle.

oh, and please don't call me gusy. ;D


----------



## cdru (Dec 4, 2003)

Cyclone said:


> The first thing that you need to know when hunting down spyware is that they automatically get started when Windows starts. It does not do this in the "startup" folder like many programs, but instead they start via entries in the registry. The registry is powerful, and you can cause problems if you starting removing things carelessly in there, so be deliberate. Look in the following area of your registry to see what programs will be started when Window starts.
> 
> From the Start Button, select run and type regedit and run it. This will open a program that lets you browse the registry. Navigate to:
> 
> My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


This is where stuff is kept, but there are other places as well. MSConfig is a better utility then running regedit. It will allow you to check and uncheck individual lines from running. This way you can (attempt) to not run a program on start up to see if there are any ill effects before permanently removing them.


----------



## FTA Michael (Jul 21, 2002)

I want to agree with and emphasize one of Cyclone's main points:

Find the name of the process or file you don't recognize, then Google it. You may find it's part of the normal Windows messaging system, or you may find it's malignant. One way or another, you should be able to tell quickly after a decent Google search.

As a bonus, for any malignant files, Google will often yield step-by-step instructions for the often complicated process of removing a package that doesn't want to leave and won't play nice.


----------



## Geronimo (Mar 23, 2002)

I agree that google is a great way to identify the nasty processes.

As for Msconfig it is great for discovering what runs but I ahve found with spyware that it oftemn manges to "re-check" itself even after it is disabled in msconfig. That si true even before a reboot.


----------



## CoriBright (May 30, 2002)

CWShredder - lots of download locations available:

http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

I used it on nearly all clients PCs and it will seek and destroy about 85% of the time!


----------



## Geronimo (Mar 23, 2002)

First of all thanks Mike foir the Spy Sweeper recommendation. It found a lot more than the spyware programs I was using. 

Second I think things have improved significantly. There are a lot fewer processes running than before and the firewall si not going crazy over allowing programs to access the internet. 

But I have three unidentified processes, psxujdey.exe, packetthsvc.exe, and cpqdfwag.exe.

But I definitely thank you all.


----------



## CoriBright (May 30, 2002)

cpqdfwag.exe

"Diagnostic software" proprietory to Compaq

http://hardware.mcse.ms/archive17-2004-7-50454.html

Not required unless the PC is still under guarantee.

Never come across the other two though.


----------



## Geronimo (Mar 23, 2002)

I suspect that psxujdey.exe is malware of some kind. Packetthsvc.exe I just cant figure out.


----------



## cdru (Dec 4, 2003)

Geronimo said:


> I ssupsect that psxijdey.exe is malware of some kind. Packetthsvc.exe I just cant figure out.


Some malware just creates random names, so you might not ever be able to correctly identify them. Find the location where the files are kept. That may give you a clue as to what program they are from. Also renaming them to something to prevent them from automatically running might indicate something (especially if an error message comes up).


----------



## SimpleSimon (Jan 15, 2004)

If you mean packethsvc.exe (one "t"), it's probably:
http://www.answersthatwork.com/Tasklist_pages/tasklist_p.htm

Maybe double-check the spelling on the other one? Maybe search the machine for it and right-click, "Properties" (maybe there's a Vendor), or if all else fails, drop it into Notepad and see if any text strings jump out at ya.


----------



## ERSanders (Apr 24, 2002)

Ger, I would recommend using the security tango process which has been setup by our local computer guru Nick Francesco in Rochester, NY. This guy is really respected in our community and has a weekly radio show as well as being the systems person at RIT. The tango can be found at www.securitytango.com. Look for the link entitled "Let's Dance". Follow the directions exactly respecting the pre-downloading and sequence of events. Much of is is parallel to what others have said already in the thread. Good luck!


----------



## ERSanders (Apr 24, 2002)

PS: I have also started using Spyware Blaster available from http://www.javacoolsoftware.com/spywareblaster.html. This program requires manual (in free version) or automatic (in paid version) updates to be downloaded. It is an "always-on" program which PREVENTS known spyware from being download...far beyond the after-the-fact REMOVERS that most s/w uses.


----------



## Selenna (Jun 18, 2004)

I like that task list site Simon... here's another that I use
http://www.windowsstartup.com/wso/index.php


----------



## SimpleSimon (Jan 15, 2004)

Thanks Selenna - it's now bookmarked. 

ERSanders: Yeah - I use Spyware Blaster along with Spybot S&D and AdAware. The new versions are sweet - Spybot S&D's new trapping method is especially nice.


----------



## Geronimo (Mar 23, 2002)

SimpleSimon said:


> If you mean packethsvc.exe (one "t"), it's probably:
> http://www.answersthatwork.com/Tasklist_pages/tasklist_p.htm
> 
> Maybe double-check the spelling on the other one? Maybe search the machine for it and right-click, "Properties" (maybe there's a Vendor), or if all else fails, drop it into Notepad and see if any text strings jump out at ya.


Both are spelled as they appear in task manager. it beats me what they are.


----------



## Jacob S (Apr 14, 2002)

It would be nice to have a program that would tell you all the new items that were installed on your system since last startup. Perhaps that would find a lot of items, spyware, and viruses on the system that you would not want on there and search only those new files for the spyware and viruses so that it will be quicker and narrowed down to fewer areas in which it may be.


----------



## Mike123abc (Jul 19, 2002)

A local dentist was caught trying to use spyware on a competetor:

http://www.ardmoreite.com/stories/090504/loc_0905040061.shtml


> The charges are the result of a case investigated by the Springdale, Ark. Police Department. Harris Goldman is named as the victim in the case. The charge alleges than on March 3, 2003 Bulard sent Goldman an e-mail containing an attachment. The attachment was represented as a document but was instead "executable which installed a spyware program," on Goldman's computer. The charge states evidence indicates Bulard purchased the program from Spectorsoft on Feb. 28, 2003.


----------



## SimpleSimon (Jan 15, 2004)

Jacob S said:


> It would be nice to have a program that would tell you all the new items that were installed on your system since last startup. Perhaps that would find a lot of items, spyware, and viruses on the system that you would not want on there and search only those new files for the spyware and viruses so that it will be quicker and narrowed down to fewer areas in which it may be.


Programs like that exist - but sorry, I don't remember any specifics right now.
Maybe you could Google it and post back?


----------



## Geronimo (Mar 23, 2002)

Spy Sweeper and some others monitor installations. Would that help?


----------



## HappyGoLucky (Jan 11, 2004)

Geronimo said:


> Spy Sweeper and some others monitor installations. Would that help?


AdAware Plus and Pro versions have AdWatch, which monitors your computer at all times and can prevent "infection" from spyware/trojans and tracking cookies. The Plus version of AdAware is great, it suits most home users just fine and is well worth the small price. I've run AdAware, SpyBot S&D, and Spysweeper and have found that AdAware is the most efficient and thorough without being extreme. Spyboy and Spysweeper tend to "find" things that really aren't spyware or trouble, which inflates their findings, making them appear to be "better". But I consider that fearmongering and unproductive.


----------



## Geronimo (Mar 23, 2002)

Actually I found that while Ad Awsre finds a lot there are quite a number of trojans it just does not find. Sadly I think that complete protection comes only from combining products. I woudl not leave more than one shield running but I found that runningf scans with all 3 was very effective.


----------



## HappyGoLucky (Jan 11, 2004)

Geronimo said:


> Actually I found that while Ad Awsre finds a lot there are quite a number of trojans it just does not find. Sadly I think that complete protection comes only from combining products. I woudl not leave more than one shield running but I found that runningf scans with all 3 was very effective.


AdAware has been tested by all the leading computer magazines and found to detect all known trojans/spywares. Some of the things the others are reporting are harmless cookies or trash entries that, while taking up a miniscule amount of space on your computer, are doing no harm to the system nor your privacy. It is more of a marketing tactic than one for safety, they can advertise "we find more stuff!". Doesn't matter that the "stuff" is essentially just harmless trash.

But if it makes you feel better, go ahead and use what you like.


----------



## ERSanders (Apr 24, 2002)

Happy, Nick in his article here: http://securitytango.com/tango.php, clearly states in steps 4 & 5 that AdAware and SpyBot are complementary, each covering some areas that the other does not do completely.

Your choice, your risk...


----------



## HappyGoLucky (Jan 11, 2004)

ERSanders said:


> Happy, Nick in his article here: http://securitytango.com/tango.php, clearly states in steps 4 & 5 that AdAware and SpyBot are complementary, each covering some areas that the other does not do completely.
> 
> Your choice, your risk...


The new version of AdAware does a very thorough registry scan, as well as harddrive. It also scans NTFS-specific alternate data streams.  Nick is behind the times.


----------



## ERSanders (Apr 24, 2002)

Happy, do you mean its available in v1.03 or v1.04? I ask because v1.03 is the highest FREE version; v1.04 beng only available to the PAID versions.


----------



## HappyGoLucky (Jan 11, 2004)

ERSanders said:


> Happy, do you mean its available in v1.03 or v1.04? I ask because v1.03 is the highest FREE version; v1.04 beng only available to the PAID versions.


All of the AdAwareSE versions do thorough registry scans plus NTFS Alternate Data Streams.


----------



## Jacob S (Apr 14, 2002)

Leo Laporte from TechTv has mentioned SpywareBlaster as being a wonderful program to use. It helps prevent them from coming into your system. I have EarthLink ISP so it helps with that as well.


----------



## Geronimo (Mar 23, 2002)

I have been using Adaware for some timne now. My sons till manged to accumulate a number of trojans and spyware programs. Ad Awre caught many but the firewall still kept telling me that ahost of programs were trying to access the net. Spybot and SpySweeper both causght some that Adaware did not. 

It took awhile and tons of reboots (sometimes into safe mode) but the PC seems clean now.


----------

