How Can You Tell if You Have Spyware?
Article by Rick Leinecker, September 30, 2007
It has gotten to the point now that any time a computer is slow or malfunctions, a Spyware infection gets the blame. And while a Spyware infection is probably responsible for about 75 percent of the issues that surface, you can spend a lot of time going down a dead end if you're not careful. In this column, I'm going to give you some common sense advice that will help you decide whether you have Spyware or whether you need to look in another direction.
A while back I had a situation in my lab where two computers weren't operating optimally. They were both slow, and their Internet connections were sluggish. These are classic symptoms of Spyware infection. The students at each computer were frustrated and asked what was wrong with their computer. As it turns out, one had been infected by Spyware while the other had a hardware malfunction. Since I almost always go down the path of Spyware infection detection and removal, I could have wasted a lot of time looking for Spyware on the computer with the hardware malfunction. But with the right approach, I was able to determine the right path of diagnosis and remedy for each system.
The first step is running a Spyware removal tool such as Spybot Search & Destroy or Ad-Aware. This takes about 10 minutes and gives you a list of items that were found. Bear in mind that these programs also report advertising (tracking) cookies, which are not actually Spyware: a cookie is a small text file the browser stores for a web site. It contains no code, never executes, and cannot slow the machine down, although it does let an advertising network recognize you across sites. You might run Spybot, see several items listed, delete them, and think you're in the clear. If all you did was delete some advertising cookies, you haven't done anything to "fix" your system, because cookies don't affect its behavior.
You can, however, drill down in the list that the anti-Spyware software produces and get details for each item by clicking the "plus" symbol. If the detail information says cookie, you can delete it, but realize that this won't change how your system behaves. What you're looking for are files with .EXE and .DLL extensions (and other executable types such as .SYS or .OCX), which means code that actually runs on your machine. You're also looking for registry entries; these are shown as long paths that begin with a hive name such as HKEY_LOCAL_MACHINE or HKEY_USERS, and the ones to pay most attention to sit under keys that start programs automatically, such as ...\Software\Microsoft\Windows\CurrentVersion\Run. When the scanner finds executable files or a suspicious registry entry, you almost certainly have Spyware, and it should be removed once the scan is complete. My rule of thumb is that if an item isn't a cookie, it's probably a threat that was affecting my computer. Spybot and Ad-Aware have buttons that let you kick off the eradication process once the scan is complete, and they keep a backup of what they removed, so if a detection turns out to be a false positive (a legitimate program flagged by a loose signature) you can restore it rather than lose it.
After running the anti-Spyware software I have 10 minutes invested, and I know whether I've fallen victim to a Spyware infestation or not. If I have, I clean it up and make sure everything is working properly. If the scanner only found cookies, then I have to take additional measures to correctly diagnose the problem. At this point the balance of suspicion tips away from Spyware, although there are cases, which I'll mention later, where you still might be infected.
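The triage rule in the last three paragraphs (cookies are harmless, executables and registry entries are not, and auto-start keys matter most) is mechanical enough to script. The following is an added example, not code from the original column and not the output format of Spybot or Ad-Aware; the semicolon-separated report format, the finding names and the paths are constructed for illustration. It parses a scanner export, sorts each finding into cookie, executable code, registry entry or other, flags registry entries under well-known auto-start keys, and returns a verdict the way the column recommends reading the list.

```python
import re
from collections import Counter

# Hive names that begin a Windows registry path (full and abbreviated forms).
REGISTRY_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
                  "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKLM", "HKCU", "HKU")
# File types that actually execute; a tracking cookie is a plain .txt file.
CODE_EXTENSIONS = (".EXE", ".DLL", ".SYS", ".OCX", ".SCR", ".COM")
# Registry keys that start a program at boot or logon (well-known Windows locations).
PERSISTENCE_KEYS = re.compile(r"\\(Run|RunOnce|RunServices|Winlogon|SafeBoot|Services)\\",
                              re.IGNORECASE)
# Optional "Kind: path" prefix as written in our constructed report format.
LOCATION_PREFIX = re.compile(r"^(Cookie|File|Registry):\s*(.*)$", re.IGNORECASE)

# Constructed sample report (assumed format: severity;name;location per line).
SAMPLE_REPORT = r"""
Low;DoubleClick;Cookie: C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
Low;Atdmt;Cookie: C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
High;Example.Hijacker;File: C:\WINDOWS\system32\hijack32.dll
High;Example.Hijacker;Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hijack
Medium;Example.Dialer;File: C:\Program Files\Dialer\dialer.exe
Low;MediaPlex;Cookie: C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
High;Example.Hijacker;Registry: HKEY_USERS\S-1-5-21-1234567890-1234567890-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Run\hijack
"""


def classify_location(location):
    """Return (kind, path): kind is 'cookie', 'registry', 'code' or 'other'."""
    m = LOCATION_PREFIX.match(location.strip())
    label = m.group(1).lower() if m else ""
    path = m.group(2) if m else location.strip()
    upper = path.upper()
    if upper.startswith(REGISTRY_HIVES):
        return "registry", path
    if label == "cookie" or "\\COOKIES\\" in upper:
        return "cookie", path
    if upper.endswith(CODE_EXTENSIONS):
        return "code", path
    return "other", path


def parse_report(text):
    """Parse 'severity;name;location' lines into finding dicts."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        severity, name, location = (part.strip() for part in line.split(";", 2))
        kind, path = classify_location(location)
        findings.append({
            "severity": severity, "name": name, "kind": kind, "path": path,
            # Only registry entries can be auto-start entries; flag the known keys.
            "persistence": kind == "registry" and bool(PERSISTENCE_KEYS.search(path)),
        })
    return findings


def triage(text):
    """Apply the column's rule: cookies alone are not an infection; anything else is."""
    findings = parse_report(text)
    active = [f for f in findings if f["kind"] != "cookie"]
    if not findings:
        verdict = "clean"
    elif not active:
        verdict = "cookies_only"   # nothing here explains a slow machine; look elsewhere
    else:
        verdict = "infection"      # executables or registry entries: remove them
    return {
        "verdict": verdict,
        "counts": dict(Counter(f["kind"] for f in findings)),
        "active": active,
        "persistence": [f for f in active if f["persistence"]],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("verdict:", result["verdict"], result["counts"])
    for f in result["active"]:
        flag = " [auto-start]" if f["persistence"] else ""
        print(f"  {f['severity']:<6} {f['kind']:<8} {f['name']}: {f['path']}{flag}")
```

On the sample report the verdict is "infection" with three cookies, two executables and two registry entries, and both registry entries are flagged as auto-start keys; feed it a report containing only cookie lines and the verdict becomes "cookies_only", which is the case where the column tells you to stop chasing Spyware and move on to plan B.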
If you didn't find any Spyware and your system is still misbehaving, you need to go to plan B. What I recommend is restarting your computer in safe mode. To do this, follow the normal shutdown procedure and select the "Restart" button instead of the "Turn Off" button. As soon as the computer starts coming back up, press the F8 key to bring up the boot menu. If you don't press F8 early enough, the normal startup process will occur; if you missed it, restart and press F8 as soon as you see the boot-up screen. I usually tap F8 several times until I'm sure the menu has appeared. You'll get a prompt asking which type of safe mode you want to enter, and you need to select "safe mode with networking", which loads the network drivers along with the minimal set so you can test the Internet connection too.
Once in safe mode, you need to see if your system behaves as it should. Notice if it's slow, or if it does strange things. Safe mode loads only the basic drivers and services and does not process the usual auto-start entries, so most Spyware won't run. That means safe mode gives you a chance to see how the system operates with almost no chance that Spyware is running. (Almost: a few pests install themselves as a driver or add themselves to the keys that control which services load in safe mode, so a clean run in safe mode is strong evidence, not proof.) If the system is still not functioning as it should, you have a problem with your system files or a piece of hardware. To further check things out, try to access the Internet. If everything else works well but your Internet connection is still slow, you most likely have a network issue such as an intermittent network card, a bad cable, or a bad hub, switch or router port; swapping the cable and the port is the quickest test, and on a managed switch a bad port or duplex mismatch shows up as a climbing count of errors and collisions on that port.
Please note that Spybot and Ad-Aware don't catch everything, and they are not a substitute for an antivirus scanner. It's possible that a Trojan or worm is still infecting your system; Trendmicro.com has a free online scan that catches most Trojans and worms. Also, if your Spyware definitions are old you could miss something, so I almost always check for definition updates before running anti-Spyware software rather than after.
There you have it: an approach to differentiating between Spyware and system problems. While my proposed approach doesn't cover every situation, it covers roughly 90 percent of them. This is the approach I take, and it has saved me many hours over the years because it eliminates many dead ends.
The two computers in the lab illustrate my point. One had Spyware and it was found and fixed in 10 minutes. The other was plugged into a bad hub port, which was found and fixed in about 25 minutes (10 minutes for the anti-Spyware software and 15 minutes to examine the system's functioning). I could have spent hours trying to find nonexistent Spyware on the second computer that was just plugged into a bad hub port.
Those are the basics of detecting Spyware.