Letter to the Editor: A spyware battle that took six tools to win
by Bruce Hevner
Six months ago one of my company's business machines started getting pop-up ads. Although this machine was scheduled to be replaced with a new one, it was given a clean Windows XP install. Pop-ups should not have been a big problem.
Some time later I was using Spybot-Search & Destroy to scan the machine. This is a good tool except for the fact that it relies on user input to keep up with the latest adware definitions. Sure enough, Spybot had not been updated on this particular machine since the previous month. I ran the update, did a sweep and found a few applications that it promptly removed. However, the user continued to get pop-up ads even when he was offline. Spybot said the system was clean, but problems were still apparent.
Three months later I installed Webroot's Spy Sweeper. It found several applications Spybot had missed, clearing up the pop-up problem -- temporarily. Spy Sweeper identified some annoying applications (SEP and ESyndicate) and tried to remove them, but they came right back.
I then installed Microsoft AntiSpyware, which identified the same applications but could not remove them. The tool constantly alerted me that SEP was trying to install again (not news to me).
Next I installed Sunbelt Software's CounterSpy, which was able to remove ESyndicate but could not get SEP.
Then I ran Hijack This and removed all references to SEP. The application finally stopped running (at least no pop-ups appeared), but AntiSpyware continued to warn me that SEP was trying to reinstall.
Finally I ran Lavasoft's Ad-Aware SE. It turns out the adware had been removed, but a registry entry was triggering a warning to say it was still trying to install. Ad-Aware found the registry entry that was triggering the warning. (This was one of the few good experiences I had with Ad-Aware.)
I now run any and every antispyware application to sweep every night. Only then does the user get used to seeing the balloon in the morning showing the sweep results and what to do if there's a problem. This has worked well for the most part. We still have users who continue to click through the pop-up even if it shows a problem. For some folks there's just no hope!
My best antispyware solution from start to finish: Set up a clean install of Windows XP. Before connecting the machine to the Internet I update it with XP SP2, and install Spybot and any other antispyware tools I will use from a USB drive. Then I connect to the Internet and immediately update the antispyware tools. Finally I run the Windows updates and away we go. Doing it this way has proven to be the best method to save time and still end up with a clean, protected machine.
I am also now trying another application that is supposed to block the installation of adware: Javacool Software's SpywareBlaster. A big part of staying clean is not letting spyware install in the first place. Of course this only works on uninfected machines.