Neutering Ad/Spyware

General Strategies for neutering Spyware....

Block the advertising domains!

You don't even need special software to do this. All you need to know is the name of the adserver(s) being contacted (you can find this out using Netstat in your \Windows\ directory). With some of the dedicated adware (that doesn't connect to the internet for any *legitimate* purpose, only to download banners and trade private information) the servers involved are listed in the Adware descriptions.

Don McCuiston shares a useful tip on using the Windows Hosts file. Look in your Windows directory for a file named Hosts - No file extension, just Hosts (this file is analogous to Unix's /etc/hosts file). (On Windows NT/2000/XP systems, this file is located in %SYSTEMROOT%\system32\drivers\etc\).
If the file doesn't exist, create it. Open the file in your favourite text editor, and add lines like the following:

127.0.0.1 ad.server.com
127.0.0.1 junk.factory.com
127.0.0.1 adspam.com

using the names of the actual ad-servers you don't want connections to. Be sure the first thing on the line is 127.0.0.1 (this is a reference to your own machine) and save the file. Now when the adware goes looking to download more ads, or share information it has collected on you, it will make a connection back to your own machine instead of the adserver it's trying to access. Obviously it will not find what it is looking for ;) The program will no longer drain your bandwidth by downloading ads--in fact, it will not be accessing the internet at all! I've heard you can also use the address 0.0.0.0 in place of 127.0.0.1; this is said to increase performance but cause problems under some configurations. On further inspection, this is probably not a good idea in some circumstances; I am told 0.0.0.0 is the default gateway on many Win/Linux machines. Those running Web services (Personal Web Server, etc.) on the system should be reminded that an aggressive piece of spyware hammering 127.0.0.1 with invalid requests can slow it down.

A similar procedure works for Macintosh machines. For Mac users, the Hosts file is Hosts in the Preference folder (case sensitive). The format of the file is also a bit different:

ad.server.com          CNAME 127.0.0.1
junk.factory.com       CNAME 127.0.0.1
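The Hosts edits described above can be scripted so that a block list is merged without duplicating or overriding entries that are already there. This is an added example, not code from cexx.org; the function names and the sample data are assumptions made for illustration, and the Mac output simply follows the `name CNAME address` layout shown above.

```python
import re

LOOPBACK = "127.0.0.1"
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"          # one DNS label, no leading/trailing hyphen
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})+")    # at least two labels, e.g. ad.server.com
PROTECTED = {"localhost"}                         # names whose mapping must never be touched


def mapped_names(hosts_text):
    """Return {lowercased name: address} for each entry of a Windows/Unix-style hosts file."""
    seen = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()    # drop comments, split on whitespace
        for name in fields[1:]:
            seen.setdefault(name.lower(), fields[0])
    return seen


def add_blocks(hosts_text, adservers):
    """Append loopback entries for adservers; return (new_text, added, skipped)."""
    seen = mapped_names(hosts_text)
    added, skipped = [], []
    for raw in adservers:
        name = raw.strip().lower().rstrip(".")
        if name in PROTECTED or not HOSTNAME.fullmatch(name):
            skipped.append((raw, "invalid or protected name"))
        elif name in seen or name in added:
            skipped.append((raw, f"already mapped to {seen.get(name, LOOPBACK)}"))
        else:
            added.append(name)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"                        # never glue a new entry onto the last line
    return hosts_text + "".join(f"{LOOPBACK} {n}\n" for n in added), added, skipped


def mac_format(names):
    """Render names in the 'name CNAME address' layout given above for the Mac Hosts file."""
    return "".join(f"{n:<22} CNAME {LOOPBACK}\n" for n in names)


# Constructed sample data: an existing hosts file and a candidate block list.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 ad.server.com  # already blocked"
SAMPLE_LIST = ["ad.server.com", "Junk.Factory.com", "adspam.com", "bad name!", "localhost"]

if __name__ == "__main__":
    text, added, skipped = add_blocks(SAMPLE_HOSTS, SAMPLE_LIST)
    print(text, skipped, mac_format(added), sep="\n")
```

Running it twice on its own output adds nothing the second time, so it is safe to re-run whenever the block list is updated.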

Of course, if you already have blocking/filtering software installed, feel free to use that to block access if you can get the adware to route thru the ad-filtering proxy. Many software products use MSIE components to display ads/HTML, so they will be stuck with whatever ad-blocking proxy is in your MSIE Proxy setup :)

Note that the Hosts trick does not work for some adware products, such as Free ISPs, which bypass the Windows Hosts file and use their own name servers.

See Stephen Martin's page and Gorilla Design Studio's page for more info on the Windows Hosts file and some ready-made, ad-blocking Hosts files. Web Ad Blocking has info and a ready-made Hosts file for a variety of OSes, including Mac and BeOS. Peter's adserver list has a large list of the buggers, and will spit out a ready-made Hosts file at the click of the button. They are currently looking for someone to host a nameserver which uses the list to block no-good domains. Sponge's Anti-Spyware Page also has host files for Kerio Personal Firewall, DNSKong, and C:\Windows\Hosts.

If you haven't already heard of it, the ZoneAlarm personal firewall (FREE for personal use) allows you to permit or deny individual programs' Internet access.

Spyware Server Spoofers and Dummy DLLs
Some software exists that will mimic the servers spyware calls home to (meaning the spyware-enabled software will still run), but resides on your own PC and blocks the spyware from calling out. SpyBlocker boasts the ability to spoof Timesink/Conducent, Aureate/Radiate, Comet, Web3000, and Cydoor. You can also try my list of dummy files for neutering spyware. These are drop-in replacements for the real spyware files that, to the sponsored programs, look and feel like the spyware components they know and love--but they don't make any Internet connections, simply returning bogus values when queried by the sponsored app.

Try deleting a few files...
Makers of adware seem to assume that users are pretty stupid. Hence, they name their advertising modules something really stupid and obvious, such as ad.dll, advert.dll, etc... sometimes, they assume the user is SO stupid that he or she would never think to try deleting/replacing one of these files. Some adware, and even a couple of those "free internet access" apps, make these infinitely helpful assumptions. So, if you're being bothered by some dumb banner, nuke (rename or move) the advertising module and see if the program still works. If not, you can always put the file back to restore normal operation. But often, the program still works....

Resource Editors
A Resource Editor can be used to modify/remove/hide resources such as advertising windows in 'Drug Dealer Ware' applications. An editor I know of is Resource Hacker.
For more temporary modification of ad windows, try Windows Sniper (shareware, but cheap).


Cleanse your system of adware Startup entries
Adware will often dig its hooks into your StartUp folder or system registry so that it loads every time you start the computer. Getting rid of these entries can keep the adware at bay and let your computer boot faster. Note that using the program associated with a particular ad-trojan may reinstall these references, and even the ad-trojan itself. PKZip is notorious for this. (For this reason, it is important that you zap the associated adware program as well, or at least make sure nobody runs it.)

Under some versions of Windows 98 and higher, there is a program called MSCONFIG that allows you to view and enable/disable StartUp applications. This can be used (usually) to turn off auto-loading spyware components. (To run MSCONFIG if you have it, click on Start > Run, and type msconfig in the Run box.)

 "Kill Bit" prevents ActiveX pestware from installing

Many newer malware products are written using ActiveX, a Microsoft technology that's about as secure as Bill Clinton's undershorts. These pests are commonly installed by underhanded methods including "drive-by download". Fortunately, there is a security feature allowing you to set a "kill" bit for a known ActiveX program, effectively blacklisting it from your system. SpywareBlaster is a program that systematically sets the kill bit for a long list of known ActiveX spyware.
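To check which controls on a machine actually carry the kill bit, the registry export can be audited offline. This is an added example, not code from cexx.org or SpywareBlaster; the key path and the 0x400 "Compatibility Flags" value come from Microsoft's kill-bit documentation rather than from this page, and the CLSIDs and function names are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops Internet Explorer loading a control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})')


def kill_bit_status(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to True if its kill bit is set.

    reg_text is the decoded text of a .reg export (regedit writes these as UTF-16).
    """
    status, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # a new key section begins
            parent, _, leaf = line.strip("[]").rpartition("\\")
            ok = parent.upper() == BASE.upper() and CLSID.fullmatch(leaf)
            current = leaf.upper() if ok else None
            if current:
                status.setdefault(current, False)      # key exists, no flags seen yet
        elif current and (m := FLAGS.fullmatch(line)):
            status[current] = bool(int(m.group(1), 16) & KILL_BIT)
    return status


def missing_kill_bits(reg_text, blocklist):
    """Return the blocklisted CLSIDs whose kill bit is absent or not set."""
    status = kill_bit_status(reg_text)
    return [c for c in blocklist if not status.get(c.upper(), False)]


# Constructed sample: placeholder CLSIDs, not identifiers of real controls.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000020
'''
SAMPLE_BLOCKLIST = ["{00000000-0000-0000-0000-00000000000a}",
                    "{00000000-0000-0000-0000-00000000000B}",
                    "{00000000-0000-0000-0000-00000000000C}"]

if __name__ == "__main__":
    print(missing_kill_bits(SAMPLE_EXPORT, SAMPLE_BLOCKLIST))
```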


 Use an automated SPYWARE UNINSTALLER
Since adware companies are so reluctant to offer the ability to uninstall the spy apps, 'Netizens have taken the initiative and written comprehensive multi-adware removal programs. To get one (or more!), see the Adware Uninstaller page.

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)