Getting rid of adware

May 26th, 2004

I've been a serious computer user for years but until a few days ago I'd never been bothered by, or even particularly aware of, adware. If you are in a similar state of blissful ignorance, adware (according to www.webattack.com):

"is a product that is available for free and in exchange displays advertising banners within the software interface. Instead of you having to pay for the software, the company creates revenue by selling advertising space in the software product.

Adware will usually install additional third party components on your system and may exchange statistical data with a remote location over the internet."

This makes it sound fairly innocuous. However, there's another variety of adware: the kind that manages to install itself on your computer without your consent, does some stuff you didn't ask it to (like changing your home page and stopping you changing it to anything else) and does other stuff you are unaware of (like using your internet connection to register hits on pay-per-click websites you've never heard of).

Internet Explorer, being the most widely used browser, is the browser that is most prone to attack by this type of adware. You can pick it up by clicking what purports to be a Close button on a web pop-up (usually a little advert or a fake Windows message box that appears when a web page loads). There are lots of other similar ways you can pick up these things. They can't get onto your machine without some action on your part, but the makers of adware (just like the makers of viruses) put a lot of thought into coming up with ways of tricking you into making that click that will install their software on your machine.

I use Mozilla's Firefox as my default browser. Firefox is less prone to attack, partly because of the way it was written but mainly because it offers a smaller target for the creators of adware, so they tend to focus their attention on Internet Explorer. Although I don't use IE, other users of my computer do, and I occasionally have to use it for annoying sites that insist you "upgrade" your non-IE browser to the latest version of IE.

I was listening to some radio-on-demand from the BBC's website last week (because the BBC radio player doesn't work properly on Firefox) when I noticed that there were a whole raft of entries in my Favorites that I didn't put there (including a category labelled "Adult Entertainment"). I was annoyed, but I just deleted them and continued. A while later I opened IE again and noticed that my Google toolbar had gone and in its place was a search toolbar I'd never seen before. When I looked in my Favorites, lo and behold, there were all the entries I'd previously deleted.

I deleted the rogue Favorites again, but I couldn't figure out how to get rid of the toolbar, so I ended up just hiding it and redisplaying the hidden Google toolbar. However, next time I opened IE, guess what, the toolbar and Favorites were back again. This time I also got a search toolbar across the bottom of my Windows desktop. When I closed IE I discovered I'd also got another IE window, behind everything else, with an advert in it. It was time to sort this out.

After quite a lot of digging around, I discovered that I'd picked up one of the many so-called "Cool Web Search" adware programs (CWS for short). These programs try to get you to use a search engine which clocks up pay-per-click counts for whoever it was that wrote the adware. Someone, somewhere is making money out of you.

The first thing I tried to get rid of this was a little application called CWShredder, which you can download from:
www.spywareinfo.com

Unfortunately, for me, this didn't work.

I then tried Lavasoft's Ad-Aware. You can get this by going to www.download.com and doing a search of the Windows category for "ad-aware".

Like CWShredder, Ad-aware is free. Unlike CWShredder it is a full-blown application, and a very slick, professional one at that.

I updated the reference files and scanned my entire machine. Ad-aware found 38 potential problems. I chose to remove them all and when I opened up IE again: no more toolbar, no unwanted Favorites, no Windows search bar and no pop-up advert. Success! Or so I thought.

A few days later and none of these annoyances had returned, but I noticed that if I typed an incorrect URL into the address bar, instead of going to the usual "The page cannot be displayed" page, I went to a horrible-looking search page that resided on a temp directory on my local machine. The URL of this page was:

C:\Documents and Settings\\Local Settings\Temp\Dart deaf list.htm#URLyouwanted.html

The bit after the # always contained the URL you had typed in.

At first I thought this was something to do with IE's autosearch facility. There are plenty of adware programs out there that exploit the default IE search page. If this is your problem, see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;179402 or
http://www.geekgirls.com/net_hijacked.htm

The adware trick here is making changes in the Windows Registry settings for IE. However, when I looked, my settings were all okay.

After some more reading and experimenting (e.g. disconnecting from the internet and trying to reach a known website) I figured out that every time I went to any page via IE, I was in fact going first to this page and then on to my requested destination. However, the devious part was that this happened covertly, and in between going to this page and the page that actually got displayed, I also invisibly visited lots of other sites – again to clock up hit counts for someone.

I tried updating CWShredder and Ad-Aware and running them again. Ad-Aware found more adware – but just tracking cookies this time. It didn't get rid of the problem.

I then tried Spybot Search & Destroy. You can get this from:
www.safer-networking.org

I scanned my whole machine and it picked up a handful of threats, which I removed, but my IE problem didn't go away.

I continued to read more on the subject and I realised that my problem was an IE extension. I tried going into Tools > Internet Options in IE, clicking the Advanced tab and clearing the checkbox labelled "Enable third-party browser extensions (requires restart)". Sure enough, after the restart, my problem was gone. However, so was my Google toolbar, which I really wanted to keep because I use it all the time.

Eventually – and yes, there is a happy ending to this long tale – I downloaded and ran ToolbarCop. You can get this at:
www.mvps.org/sramesh2k/toolbarcop.htm

Again, the base version of this app is free. It's not as professional-looking as Ad-Aware, but it's a very useful, very clever tool. It shows you all the Registry entries for IE extensions: toolbars, toolbar buttons and "browser helper objects" (BHOs). My problem wasn't a toolbar or a toolbar button, so I checked the list of BHOs.

Clicking on each hex key gives you a description of the BHO and the path to the related file. I had seven keys. Six of them had seemingly legitimate related files. The other one had the description "Web Ace" and the related file:
C:\PROGRA~1\64bows\IntraAmok.dll
I went to the C:\PROGRA~1\64bows directory (which, in full-name format, is C:\Program Files\64bows) and found three files:
  23635.exe
  IntraAmok.dll
  nounboltspam.bin

That last one is a binary file that, judging by its name, probably generates a variety of names for the dummy search page it puts in C:\Documents and Settings\\Local Settings\Temp\. So the name I got was "dart deaf list.htm" but you might get something completely different. Incidentally, the beauty of generating the search page in this directory is that it gets deleted when you close IE, making it much harder to detect.

ToolbarCop lets you disable a Registry key, allowing you to see what effect that has. Sure enough, when I disabled the "Web Ace" key, my problem was solved. For good measure I also deleted the 64bows directory.
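
The same BHO listing (key, description, related file) can be produced read-only with PowerShell on current Windows versions. This is an added example, not part of the original article or of ToolbarCop; the function names are hypothetical, and the Registry locations used are the standard Windows ones, which the article itself does not spell out.

```powershell
# Added example (read-only): inventory IE Browser Helper Objects from the Registry.
# Each BHO is a CLSID-named subkey; that CLSID's InprocServer32 default value names the DLL.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    # 32-bit registrations on 64-bit Windows
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
)

function Get-RegDefault([string]$Path) {
    # Returns the key's (Default) value, or nothing if the key does not exist.
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).GetValue('') }
}

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid    = $key.PSChildName
            $classKey = "$($view.Clsid)\$clsid"
            $dll      = Get-RegDefault "$classKey\InprocServer32"
            if ($dll) { $dll = $dll.Trim('"') }   # some entries quote the path
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            # An unsigned DLL is not proof of adware, only a reason to look closer.
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
            [pscustomobject]@{
                Clsid       = $clsid
                Description = (Get-RegDefault $classKey)
                Dll         = $dll
                FileExists  = $exists
                Signature   = $sig
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize -Wrap
```

An entry whose DLL sits in an unfamiliar directory, like the "Web Ace" entry above, is the one to investigate; the script changes nothing, so disabling or removing a key remains a separate, deliberate step.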

The moral of the story is be vigilant: watch out for adware. Don't think a firewall or anti-virus software will protect you – it won't. I have a dedicated firewall machine, running Smoothwall, and I have ZoneAlarm on my PC. I also keep Norton AntiVirus up to date. None of this stopped me picking up several covert adware programs.

I thoroughly recommend Ad-Aware and, for getting rid of unwanted IE extensions, ToolbarCop. These are free programs and they are extremely useful – but, like any software you download off the internet, be careful where you get them from. Something purporting to be an adware or spyware remover may be something nasty in disguise. Watch out.

Finally, make regular system backups as well as data backups. Before you use ToolbarCop, or before you edit the Registry by any other means, always use the Windows System Restore tool (usually in Start > Programs > Accessories > System Tools > System Restore) to make a restore point.

I hope, if you've been affected by adware, that reading this article has prevented you spending the hours and hours that I spent scouring the internet for help.
