By Michael Guyett
There's a good chance you already have some malware on your system so it is a good idea to use a free scan tool periodically. The quickest and easiest way to remove spyware is with 2 free programs. Adaware and SpyBot's Search and Destroy work great and will catch almost everything. Adaware from Lavasoft has Plus and Professional versions that allow you more control and customizations, but they are retail products. Also, Spybot has a feature that will immunize your computer against around 500 known spyware programs. It also comes with a hosts file that will stop your computer from connecting to most known spyware websites. More on that below:
This is when you type in www.yahoo.com and you end up at something like www.coolsearch.com. What's happening is that whatever webpage attacked you, managed to change your hosts file. The hosts file is located in C:\%windir%\system32\drivers\etc. You can open this file in notepad and see if there are any entries for websites you visit. SpyBot has a hosts.sbs file that will automatically fix entries in your computer's hosts files and add entries that will redirect known spyware sites back to your computer. So whenever your computer tries to access those sites, it just sees itself.
Clue: DNS redirects are also a fun way to trick your friends into visiting your webpage! Here's and example of what a modified hosts file looks like:
# Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft # TCP/IP for Windows. # # This file contains the mappings of IP addresses to # host names. Each entry should be kept on an # individual line. The IP address should be placed in # the first column followed by the corresponding host # name. The IP address and the host name should be # separated by at least one space. # # Additionally, comments (such as these) may be # inserted on individual lines or following the # machine name denoted by a '#' symbol. # # For example: # # 18.104.22.168 rhino.acme.com # source server # 22.214.171.124 x.acme.com # x client host 127.0.0.1 localhost # Entries inserted by Spybot - Search & Destroy 127.0.0.1 images.real.com 127.0.0.1 real.com 127.0.0.1 ct5.hypercount.com 127.0.0.1 acme.bfast.com 127.0.0.1 ads.bfast.com 127.0.0.1 affiliates.bfast.com
Notice that all the sites have the same 127.0.0.1 address. The 127. address range is actually the computer's local loopback address, which will lead their web browser to nowhere.
Most of these attacks should be fixed by Adaware and SpyBot, but there has recently been one active that they aren't able to update against as regularly as needed. This is Coolwebsearch. Unfortunately the author of this hijack program works constantly to update it and keep it from being recognized by spyware removal programs. Luckily there is a program to remove it: CWShredder, that is updated as soon as they find out about a new version. Also at this site is the 'HijackThis' program, that is useful for resolving other homepage hijacking issues.
AdAware - Spyware Removal Tool from Lavasoft
Search and Destroy - Spyware Removal Tool from SpyBot
Google Toolbar - Pop-Up Window Blocker
Article last reviewed: 02/17/2005