Ars-Technica has a new article/review on spyware removers.
http://arstechnica.com/reviews/apps/spyware-removal.ars
As good as the article is, I think the following post in the discussion area at the end of the article is excellent.
From Derek...
"I have to deal with this crap every day. I have made up a CD with all the good programs and do them in a certain order.
Here are the steps I use to get rid of spyware on most machines. This is a repair shop environment, so we see it all. You may not need all this. It takes a long time, until you do it enough...
Make sure computer is disconnected from internet!! Super important!
1. Install adaware, use a bat file to load updated defs, install vx2 cleaner plugin.
2. Install spybot and manual updates.
3. Install spyware blaster
4. Run DSO stop
5. Run CWShredder, run it again until it comes up clean.
6. Run hijackthis for the first time. Sometimes you take things out and they come back. This is an advanced program, so be careful what you take out. You can kill norton by taking out the CC files.
7. VX2, there are 2 tools, Kill2ME and VX2 finder. VX2 finder is only for NT systems. I use Kill2ME on 9x, and sometimes if the other things can't remove it. VX2 is hard to clean.
8. LSPfix to check networking layers. You can remove spyware all day long but if you have new.net or LSpack, or whatever else, your internet will not work. This is an advanced tool, and will make a mess if you do not know what you are doing.
9. Run spyware blaster.
10. Run adaware and remove all, in full scan mode. May need to re-run in safe mode.
11. Run spybot and remove all. May need to re-run in safe mode.
12. If all spyware is clean now, rerun hijackthis to make sure nothing got put back.
13. Delete offending folders from:
C:\program files
C:\temp, C:\temporary,
C:\Docs and Settings...\user\local settings\TEMP
C:\Docs and Settings...\user\local settings\temporary internet files
Also, if you had ISTbar, there is a folder called Wintools. Search for it and delete.
Check in C:\, and C:\windows for suspicious exe files.
Anything you can check after the spyware scans identify the folders will help, but is not critical. I just like to get rid of all I can. NO spyware removal program is 100%. Many entries are still in the registry after S&D and Adaware declares it clean.
14. Internet explorer > Tools menu > Internet Options
Set your home page, delete cookies, temp int files, go to security tab and set defaults on all zones. Check trusted sites for spyware URLs. Delete them from there. VERY IMPORTANT!!
Privacy tab, set cookies to default.
Content tab, clear auto complete.
Connections tab, check for dialers and delete all but your ISP.
Advanced tab, set defaults.
15. Now, you can plug in your internet connection, and update adaware, spybot, and spyware blaster. Re-run adaware and spybot in full modes. Immunize in Spybot, and double check spyware blaster for block status.
16. Now, you should be clean. Get a good firewall, I use kerio 2.1.5. I use Proxomitron for an ad/spyware filter. I also use a host blocking file. You must put the host file in last, because some spyware will delete/change it, and redirect searches. Install XP SP2, but ONLY AFTER the spyware has been removed, or else you run the risk of killing the installation, and getting a blue screen. Make sure to have an up to date AV program. Norton 2003 is very good, keep it updated. I do not like Norton 2004-2005 at all.
17. A few final notes. Kazaa. If you have it, back up your music, and use the tool kazaabegone. It deletes Kazaa from registry, and all files on the HD, including your shared folder. DO NOT REINSTALL KAZAA. If you must, use K-lite.
Hotbar, there is a tool called hotbaruninst, I think I got it from them. It helps to kill the process to assist in removal.
There is also a program called startup list that lists all startup entries. Hijack does a good job, but sometimes there is something hiding that even that cannot find.
Here are some useful links, I omitted the obvious:
DSO Stop:
http://www.nsclean.com/dsostop.html
CWShredder:
http://www.intermute.com/spysubtract/cwshredder_download.html
A Few utilities are here:
http://www.spywareinfo.com/~merijn/downloads.html
VX2 Finder:
http://www.pchell.com/downloads/vx2finder.exe
Hosts file:
http://www.dozleng.com/hpguru/
Proxomitron:
http://www.proxomitron.info/
Process explorer: I forgot to mention this very useful tool. Use it to kill stubborn spyware processes and watch them restart themselves. With this, you will know what is running, and what company made it. VERY VERY USEFUL!
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
This is about all I can say. I have not seen any thread that even comes close to this level of removal. If you do not do every step, you are wasting your time. You really should do them in this order. It may save time to just start in safe mode. Between scans, and updates, this is easily a 2-4 hour job for me, being experienced. It is an all day affair for most people. Most users cannot do all of this. This is a huge problem, and I cannot think of a good solution. It feels like I am wasting my time everyday, when it is so easy for someone to download one "free" program and to wipe out all the work."
wow!
