Do I Have Spyware?
Article by Rick Leinecker, June 7, 2006
It has gotten to the point that any time a computer is slow or malfunctions, a Spyware infection gets the blame. And while a Spyware infection is probably responsible for about 75 percent of the issues that surface, you can spend a lot of time going down a dead end if you're not careful. In this column, I'm going to give you some common sense advice that will help you know whether you have Spyware, or whether you need to look in another direction.
Last week I had a situation in my lab where two computers weren't operating optimally. They were both slow, and their Internet connections were sluggish. These are classic symptoms of Spyware infection. The students at each computer were frustrated and asked what was wrong with their computer. As it turns out, one had been infected by Spyware while the other had a hardware malfunction. Since I almost always go down the path of Spyware infection detection and removal, I could have wasted a lot of time looking for Spyware on the computer with the hardware malfunction. But with the right approach, I was able to determine the right path of diagnosis and remedy for each system.
The first step is running a Spyware removal tool such as Spybot or Ad Aware. This takes about 10 minutes and gives you a list of items that were found. Bear in mind that these programs also report advertising (tracking) cookies, which are a privacy nuisance but not actually Spyware. You might run Spybot, for instance, see several items listed, delete them, and think you're in the clear. If all you did was delete some advertising cookies, you haven't done anything to "fix" your system, since cookies don't affect its behavior.
You can, however, drill down in the list that the anti-Spyware software produces and get details for each item by clicking the "plus" symbol. If the detail information says cookie, you can delete it, but realize that this won't change the behavior of your system. What you're looking for are files with .EXE and .DLL extensions. You're also looking for registry entries; these start with a hive name such as HKEY_LOCAL_MACHINE or HKEY_USERS, followed by a long, often mangled key path. When the scanner finds .EXE or .DLL files, or a suspicious registry entry, you almost certainly have Spyware and it must be removed once the scan is complete. My rule of thumb is that if an item isn't a cookie, it's probably a threat that was affecting my computer. The one caveat is that scanners occasionally flag a legitimate program, so glance at the path and the detail text before you delete an executable you recognize. Spybot and Ad Aware have buttons that kick off the eradication process once the scan is complete.
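To show the triage rule in code, here is an added example written for this column; it is not Spybot's, Ad Aware's, or any scanner's own code or report format. It reads a constructed scan report in a made-up "Type: location" layout (the file and registry names are placeholders, not real spyware identifiers), classifies each finding by what the location actually is rather than by the label the scanner put on it, and returns the verdict described above: cookies only means look elsewhere, anything else means there is Spyware to remove.

```python
import re
from collections import Counter

# Constructed sample scan output in a generic "Type: location" layout.
# This is NOT Spybot's or Ad Aware's real report format, and every file,
# folder and registry name below is a placeholder, not a real spyware name.
SAMPLE_SCAN = r"""
Cookie: C:\Documents and Settings\Student\Cookies\student@adserver-example[1].txt
Cookie: C:\Documents and Settings\Student\Cookies\student@tracker-example[2].txt
File: C:\WINDOWS\system32\example_toolbar.dll
File: C:\Program Files\ExampleSearch\esearch.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleSearch
Registry: HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\ExampleSearch
"""

# Registry hive prefixes (long and abbreviated forms) that mark a registry finding.
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
         "HKEY_CLASSES_ROOT", "HKLM", "HKU", "HKCU", "HKCR")

# One report line: a word-ish type label, a colon, then the location.
LINE_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.+?)\s*$")


def classify(kind, location):
    """Bucket one finding by what the location is, not by the scanner's label.

    Order matters: an .EXE/.DLL path or a registry key is a threat indicator
    even if a report happened to label it as a cookie.
    """
    loc = location.strip()
    if loc.upper().startswith(HIVES):
        return "registry"
    if re.search(r"\.(exe|dll)$", loc, re.IGNORECASE):
        return "executable"
    if kind.strip().lower() == "cookie" or re.search(r"\\cookies\\", loc, re.IGNORECASE):
        return "cookie"
    return "other"


def parse_scan(text):
    """Turn report text into a list of (category, location) pairs."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and chatter are skipped
        kind, location = m.group(1), m.group(2)
        findings.append((classify(kind, location), location))
    return findings


def triage(text):
    """Apply the rule of thumb: anything that isn't a cookie is a threat."""
    findings = parse_scan(text)
    counts = Counter(category for category, _ in findings)
    if not findings:
        verdict = "clean"
    elif counts["cookie"] == len(findings):
        verdict = "cookies_only"   # deleting these fixes nothing; go to plan B
    else:
        verdict = "spyware"        # run the removal and re-check the machine
    return {"counts": counts, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN)
    for category, location in result["findings"]:
        print(f"{category:10s} {location}")
    print(dict(result["counts"]), "->", result["verdict"])
```

The point of classifying by location rather than by label is the second half of the rule: a report line that calls something a cookie but points at a .DLL under system32 should still be treated as an executable and removed.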
One variety of Spyware is notoriously difficult to get rid of, even when Spybot or Ad Aware finds it: the CoolWebSearch family. There is a dedicated removal tool named CWShredder that will get rid of it. In fact, CoolWebSearch is the only Spyware variety CWShredder removes, since that is its specialty. If you want to get and install CWShredder, I recommend you go to download.com and search for it, or go to www.intermute.com and find the download link.
After running the anti-Spyware software I have 10 minutes invested, and I know whether I've fallen victim to a Spyware infestation or not. If I have, I clean it up and make sure everything is working properly. If Spybot only found some cookies, I have to take additional measures to correctly diagnose the problem. At this point the balance of suspicion tips away from Spyware, although there are cases, which I'll mention later, where you might still be infected.
If you didn't find any Spyware and your system is still misbehaving, you need to go to plan B: restart your computer in safe mode. To do this, follow the normal shutdown procedure and select the "Restart" button instead of the "Turn Off" button. As soon as the computer starts to boot, press the F8 key to bring up the startup options menu. If you don't press F8 early enough, the normal startup process will occur; if you missed it, restart and press F8 as soon as you see the boot-up screen. I usually tap F8 repeatedly until the menu appears. You'll get a prompt asking which type of safe mode you want, and you need to select "Safe Mode with Networking", because plain safe mode loads no network drivers and the next step includes testing the Internet connection.
Once in safe mode, see whether your system behaves as it should. Notice if it's slow, or if it does strange things. Safe mode loads only a minimal set of drivers and services and skips the usual startup programs, so most Spyware won't run. That means safe mode lets you see how the system operates with little chance that Spyware is running. If the system is still not functioning as it should, you have a problem with your system files or a piece of hardware. To check things further, try to access the Internet. If everything else works well but your Internet connection is slow, you might have a network issue such as an intermittent network card, or a bad hub or router.
Please note that Spybot, Ad Aware, and CWShredder don't catch everything. It's possible that a Trojan or worm is still infecting your system. Trendmicro.com has a free online scan that catches most Trojans and worms. Also, if your Spyware definitions are old, you could miss something; I almost always check for updates before running anti-Spyware software.
There you have it: an approach to differentiating between Spyware and system problems. And while my approach doesn't cover all situations, it covers roughly 90 percent of them. This is the approach I take, and it has saved me many hours over the years, since it eliminates many dead ends.
The two computers in the lab illustrate my point. One had Spyware, which was found and fixed in 10 minutes. The other was plugged into a bad hub port, which was found and fixed in about 25 minutes (10 minutes for the anti-Spyware software and 15 minutes to examine the system's functioning in safe mode). I could have spent hours trying to find nonexistent Spyware on the second computer, which was just plugged into a bad hub port.
Those are the basics of knowing if you have Spyware.