Your Guide To PC Maintenance and Security
Case Study #1 - HP Pavilion



A customer was experiencing massive amounts of pop-ups and an extremely slow computer. We made arrangements to have the PC dropped off at their convenience, and then began working through the process of cleaning the infected computer. In this section you will find a detailed explanation of our thoughts and processes as we worked to clean this infected PC without having to reformat the hard drive. If you find this information useful please make a donation. A lot of time, energy and effort went into constructing this case study. You can also look forward to more innovative solutions like this one in the future.
  • PC - Hewlett Packard Pavilion
  • Operating System - Windows XP Service Pack 2 (all critical updates were installed at the time; some optional ones were missing)
  • Processor - Intel 800 MHz
  • Memory - 512 MB
  • Boot Time - 5 Minutes and 33 Seconds
  • Programs Used - AVG Free (tutorial coming soon), CCleaner, Ewido, Firefox, SmitRem (tutorial coming soon), Spy Sweeper, and Zone Alarm Free Firewall (Installing and configuring Zone Alarm Free is the same as for the paid suite. The difference is that the free version acts ONLY as a firewall. When you purchase the Zone Alarm Suite you receive spyware, virus, and trojan protection as incentives to purchase.)


Upon first booting the PC, we felt that we should show everyone what to look for first. We took a snapshot of the programs currently installed that are visible in the "Programs" folder. Essentially we want to see what is installed so we know what to look for and uninstall right away. Not surprisingly, we found known spyware contributors such as Kazaa, Gain, Web Search Tools, Pacific Poker, Absolute Poker, Casino-on-net, Block Checker, and Filetopia. For those that are not aware, P2P (peer-to-peer) file sharing applications are usually the beginning of spyware. This is only what we can see, so we can safely assume that the infection goes much deeper than that.





Our next move would be to run the Windows configuration utility known as Msconfig. This utility allows you to edit several of Windows' start-up settings and resource allocations. For this exercise we will be using Msconfig to stop items from starting when Windows first loads. This will help us tremendously when we have to reboot. To launch Msconfig quickly, hold the "Windows" key on your keyboard (the key at the bottom left with the Windows logo) and press the "R" key. This opens the "Run" window. You can also launch the "Run" window by clicking on the "Start" button and then navigating to "Run". In the Run window, type "msconfig" and hit Enter, or click the OK button with your mouse.





Before we could even get this far, pop-ups began to bombard our work space. This is a sure-fire sign that there is spyware currently installed on the PC. After closing all the pop-up windows, we clicked on "OK" to launch the Msconfig screen so that we could edit the start-up processes.





Some of these pop-ups are so convincing that, to the untrained PC user, they look like they might even be coming from Microsoft.





Upon clicking "OK" the Msconfig window will appear. For this exercise we are only interested in the "Startup" tab across the top. Notice in the next few screen shots the number of items in the startup list. This drastically affects PC performance and slows your computer to a crawl, both while booting up and while operating.





Msconfig print screen number 2.





Msconfig print screen number 3. There are A LOT of items in start-up. On hardware like this PC's, they contribute to the almost 6 minutes of boot time.
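The Msconfig "Startup" tab draws on the registry Run keys and the Startup folders, among other places. As an added example (this batch file is not part of the original case study), the script below dumps those locations to a text file, so the list can be read without the pop-ups getting in the way and kept for comparison after the reboot. It assumes Windows XP's reg.exe, which ships with the system; the output file on the Desktop is an assumed location.

```batch
@echo off
REM Added example, not from the original case study.
REM Dumps the common autostart locations (the same ones Msconfig's Startup
REM tab lists) to a text file for offline review and before/after comparison.
REM Assumes Windows XP with reg.exe available.
setlocal
set OUT=%USERPROFILE%\Desktop\startup-review.txt

echo Autostart review generated on %DATE% %TIME% > "%OUT%"

REM Registry Run/RunOnce keys for the whole machine and for the current user.
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do (
  echo. >> "%OUT%"
  echo === %%~K === >> "%OUT%"
  reg query %%K >> "%OUT%" 2>&1
)

REM Startup folders for the current user and for all users (XP paths).
for %%D in (
  "%USERPROFILE%\Start Menu\Programs\Startup"
  "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
) do (
  echo. >> "%OUT%"
  echo === %%~D === >> "%OUT%"
  if exist %%D dir /b %%D >> "%OUT%" 2>&1
)

echo Startup review written to "%OUT%"
endlocal
```

Save it as a .bat file and double-click it, or run it from the cmd prompt. Anything listed that you do not recognise is a candidate for the Msconfig Startup tab and for the Add/Remove Programs step that follows; the file also makes a handy record of what was running before the clean-up started.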





Pop-ups just will not quit.





We will now begin to remove programs from the computer that we know, or suspect, to be spyware. "Suspect" programs are those whose installation we cannot account for and which, after a little research, we found to be programs we could certainly live without. Please click on the "Start" button and navigate to the "Settings" icon. Keeping your mouse over it for about a second will open a box directly to its right. Please move your mouse over to the "Control Panel" icon and click on it. The screen shots shown here were taken from a modified "Start Menu". Traditional Start Menus will have the icon for the Control Panel visible after clicking on "Start".





Once the Control Panel is open, double click on the "Add or Remove Programs" icon. Please note that your Control Panel could look different. Although it may look different, the options are all the same. To display all of the Control Panel's options simply click on the "Classic View" text on the left hand side. If it displays "Category View" there instead, it is because you are already in "Classic View".





Classic View

Category View



A screen will appear after clicking on the Add or Remove Programs icon. Because this PC is a bit older, it takes a little longer to populate the information. While this is going on, the PC Tools Anti virus application is notifying me of a Trojan file that is making an attempt to execute. So now I can assess that there is spyware, and definitely trojans, on this computer.





Here are the screen shots of the Add/Remove Programs window. From memory alone, I can pick out almost every single one here that should not be there, never mind the suspects that fall into the same category. I have listed all of my suspects and definites below.

  • Absolute Poker - Suspect - There are viable online poker gaming companies, but this name I do not recognize. Then again, I'm not much of a gambler.
  • Stop Block Checker 1.0 - Suspect - Never heard of such a program
  • Casino-on-net - Suspect - Online gambling
  • Command - Suspect - Never heard of such a program
  • DH - Suspect - Never heard of such a program
  • Filetopia Client - Suspect - File sharing application
  • Freeprod Toolbar - Suspect - Never heard of such a program
  • Internet Lottery Engine - Suspect - Online gambling
  • Kazaa Lite K++ v2.4.3 - Suspect - File sharing application
  • Network Monitor - Definite - Spyware monitoring program
  • New.net domains - Suspect - I have heard of it, but can't remember it being associated with anything good
  • Pacific Poker - Suspect - Online gambling
  • PC Tools Anti virus 2.0 - We are personally not familiar with this anti-virus utility. Therefore I am going to un-install it and stick to using the ones that we know. For this exercise we will be using the free version of AVG.
  • Quick Links - Suspect - Never heard of such a program
  • Surf Sidekick - Definite - Known spyware
  • System Process - Suspect - Never heard of such a program
  • TSA - Suspect - Never heard of such a program
  • UC More - The Search Accelerator - Suspect - Never heard of such a program
  • Viewpoint Manager - Suspect - I have never been sure what exactly it is that this program does, but it has never served a purpose that I am aware of. It usually finds its way onto your PC without you ever remembering installing it. If it doesn't serve a purpose for you, un-install it.
  • Viewpoint Media Player - Read above
  • Viewpoint Toolbar - Read above
  • Web Nexus - Definite - Known spyware
  • WebHancer Customer Companion - Definite - Known Spyware
  • Yazzle Soduku - Definite - Remember the pop-up from before? PC Tools Anti virus had just warned us that this was a trojan.
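The Add or Remove Programs list is built from the Uninstall key in the registry. As an added example (not part of the original write-up), the batch file below exports that list to a text file. Run it once with "before" ahead of the uninstalls and once with "after" following the reboot, and it shows which entries disappeared and which are still there. It assumes Windows XP's reg.exe, findstr and fc, all of which ship with the system; the file names on the Desktop are an assumed location.

```batch
@echo off
REM Added example, not from the original case study.
REM Exports the Add/Remove Programs list (DisplayName values under the
REM Uninstall key) to programs-before.txt or programs-after.txt and, once
REM both exist, prints the differences between them.
REM Assumes Windows XP with reg.exe, findstr.exe and fc.exe.
setlocal
if "%~1"=="" (
  echo Usage: %~nx0 before or after
  exit /b 1
)
set DESK=%USERPROFILE%\Desktop
set OUT=%DESK%\programs-%~1.txt
set KEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

REM /s walks every product subkey; findstr keeps only the DisplayName lines,
REM and sort makes the two snapshots line up for comparison.
reg query "%KEY%" /s | findstr /i "DisplayName" | sort > "%OUT%"
echo Program list written to "%OUT%"

REM When both snapshots exist, show what was removed and what survived.
if exist "%DESK%\programs-before.txt" if exist "%DESK%\programs-after.txt" (
  echo.
  echo Differences between the before and after snapshots:
  fc "%DESK%\programs-before.txt" "%DESK%\programs-after.txt"
)
endlocal
```

The "after" snapshot is worth taking even when the uninstallers reported success: an entry that is still present after the reboot either refused to remove itself or was put back by something that is still running, and either way it needs a second look.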

Add/Remove Programs Program List



Add/Remove Programs Program List Screen Shot #2





Add/Remove Programs Program List Screen Shot #3





Okay, we are now going to proceed with the un-installation of the suspect and definite programs, although these pop-ups just will not quit. Do you see the one I have here? This is becoming a nuisance. Let's see if we can temporarily shut these off so that we may accomplish the task at hand: we will cut the internet connection before we remove the programs. Some of these programs are such a nuisance that they will require us to connect to the internet to uninstall; we will worry about those later, after we remove as much as we can and then reboot. Note that if you use dial-up you may not experience this. We are correcting these issues with the PC hooked into our network.





One of the spyware programs is even trying to get us to install ANOTHER casino program.





Let's disconnect the PC from the internet now. Please navigate to the Start button again. Once there, make your way to the Settings icon again and click on "Network Connections". For those of you with the traditional XP Start Menu, simply navigate back to the Control Panel (which may already be open; check the task bar) and click on the "Network Connections" icon.





Once the Network Connections window is open you will notice that the screen before you displays your dial-up connection and your LAN or High-Speed Internet connection. Please right-click on the "Local Area Connection" and click on the "Disable" option that is presented to you. Hopefully this will resolve the issue temporarily while we work on removing as many spyware applications as possible.





To un-install most programs, follow the prompt boxes and make sure you read them carefully. Spyware programs are VERY tricky to un-install at times: their prompts look generic, but the options are often reversed to trick you into leaving the spyware installed. Some of them even ask if "You are SURE" you want to un-install. Click Yes, and read every prompt very carefully.

Some of them may also ask you to reboot your computer after you have un-installed. For the time being we want to un-install as much as possible at first and then we will reboot.





Some spyware programs are so difficult to remove that they check it is you choosing to uninstall and not a spyware removal program such as Ad-Aware Pro, Ad-Aware Free, Ewido, Spybot S&D, or Spy Sweeper, just to name the ones we have already highlighted in our Tutorials section.





The programs installed on the PC that required an internet connection to uninstall were: Command, DH, Freeprod Toolbar, and Web Nexus. Here you can see the pop-up that Web Nexus brought up when I clicked the "Remove" button within Add/Remove Programs. Speaking of pop-ups, we haven't had any since we shut down the internet connection. Our little trick seems to have worked. We were able to uninstall every other program on the list above in approximately 45 minutes. Not bad, but note that this does not always work. Still, it is so easy to try that it is worth the 10 seconds of effort.





After un-installing the slew of spyware and malicious programs we are ready to reboot. But before we do, let's take a quick look at the Programs folder to see what is there now. You will notice that some of the program folders were not removed from the Start menu. You can simply place your mouse over them, right-click, and then click Delete to remove the program folder from the Programs menu within the Start menu.





Before we reboot let's see if we can get to the internet. First we need to go back into the Network Connections window if it is still open, or re-open it by navigating to it from the Start menu again. This time right-click the Local Area Connection and click Enable, where before we clicked Disable. Open Internet Explorer and attempt to navigate to www.google.com by typing it into the address bar. We didn't have any luck. So we wanted to see whether we were still able to access the internet at all, or were just being prevented from doing so by viruses, trojans, and still-lingering spyware.

How do you do this, you ask? Simple. Let's bring the Run window back up with "Windows" + "R". Now type in "cmd" and hit Enter or click OK. This will bring up an MS-DOS prompt box. First I want to check whether we are pulling an IP address from the router. IP stands for Internet Protocol; routers assign individual numeric addresses to each computer on a given network. To check this, type "ipconfig" into the MS-DOS prompt box and press Enter. Since we were receiving pop-ups with internet pages, we do not see a reason why we shouldn't be pulling an IP address. After you have verified that you are pulling an IP address that does not start with 169, we will ping a web site to see if we get a response back. A 169 address (169.254.x.x) is a Windows default address that it assigns to computers that have an ethernet adapter installed but no active internet connection.

Our next command will be "ping www.google.com". Please type that into the MS-DOS prompt box and press Enter. Your computer will now proceed to ping Google's web site to see if there is a response. Ping means Packet Internet Groper: a utility that forwards data packets to check the quality of a link or verify the connection of a machine to the Internet. If your internet connection is valid you will receive replies, as we did.
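The two checks above can be scripted so they can be re-run after every reboot. The batch file below is an added example and not part of the original case study: it looks for a 169.254 (no address from the router) entry in ipconfig's output and then checks whether pings to the target get replies. It assumes Windows XP's ipconfig, ping and findstr; www.google.com is simply the target used in the text, and the gateway suggestion at the end refers to the "Default Gateway" line that ipconfig prints.

```batch
@echo off
REM Added example, not from the original case study.
REM Step 1: does any adapter hold a 169.254.x.x address?  Windows hands
REM         those out itself when no router/DHCP server answered.
REM Step 2: does the target answer pings (reply lines contain "TTL=")?
REM Assumes Windows XP's ipconfig, ping and findstr.
setlocal
set TARGET=www.google.com

echo Checking for an automatic (169.254.x.x) address...
ipconfig | findstr /c:"IP Address" | findstr /c:"169.254." > nul
if not errorlevel 1 (
  echo   A 169.254 address was found: no address was received from the router.
  echo   Check the cable, the adapter, and that the Local Area Connection is enabled.
  exit /b 1
)
echo   No automatic address found; the adapter has a real address.

echo Pinging %TARGET% ...
ping -n 4 %TARGET% | findstr /c:"TTL=" > nul
if errorlevel 1 (
  echo   No replies from %TARGET%.
  echo   Try pinging the Default Gateway address shown by ipconfig: if the
  echo   router answers but the web site does not, the problem is beyond
  echo   the local network ^(or name resolution^), not the adapter.
  exit /b 1
)
echo   Replies received: the internet connection is valid.
endlocal
exit /b 0
```

The exit code (0 for a working connection, 1 otherwise) lets the check be chained with other commands, and the two stages separate "no address at all" from "address but no replies", which point at different causes.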





We pushed our luck a little bit this time around. Before we rebooted we were going to install CCleaner and AVG Free. To do this you will need to have the programs, and the updated definition files for AVG, burned onto a CD beforehand. Luckily we have a slew of computers here we can do this on. You may not, but what are good neighbors for? Install these programs and reboot the PC into Safe Mode.





Upon rebooting into Safe Mode, log in to the admin account if there is one and run the AVG Free virus and trojan removal software. Not much to our surprise, AVG found and cleaned a great deal of viruses and trojans. What a great tool to have available for free. AVG also uses a small amount of system resources, making it an application you should include in your collection if you require an anti-virus utility and are on a limited budget. Once done, reboot your PC again and let it log into Windows normally.





When Windows completed loading, the System Configuration Utility notified us that changes were made to the way Windows starts. We are well aware of this. You can check the box that reads "Don't show this message..." and click on OK. We also noticed that we received a DLL error. Since Windows was operating fine beforehand, we assume that this DLL error is due to removing programs that were holding spyware, viruses and trojans. It can also be directly linked to viruses and trojans. You can click OK for the time being.





Here is where our experience will help you have an easier time. At first we installed Ewido to remove spyware and any known trojans it might find. We ran Ewido, then installed CCleaner and ran it to clear all of the cache. We tried to get out to the internet again and were now able to do so. However, the pop-ups were still there. We quickly checked the Add/Remove Programs window located within the Control Panel and noticed that we still had Command, DH, Freeprod Toolbar, and Web Nexus installed. Now that we were able to get to the internet, we put up with the pop-ups for a short while and un-installed those programs. While we were successful in un-installing the said applications, the pop-ups continued.





Here we were determined to try everything we knew of to remove the rest of the spyware, viruses and trojans. This unfortunately cost us some time, and we didn't get very far at all. After pondering what to do next, we purchased a copy of Spy Sweeper, updated the definitions, and watched it pick up a slew of what Ewido had already claimed to pick up and clean. When Spy Sweeper was done we rebooted and, to our delight, found the machine to be operating at its very best.





Once rebooted we proceeded to install Zone Alarm Free Firewall. Once we installed Zone Alarm, we then installed Firefox. We then used the PC to do generic tasks such as check email, surf the web, and open applications. Our mission was successful. While we were not able to entirely remove every nook and cranny of spyware, viruses, and trojans with free applications, I think anyone would see what a bargain Spy Sweeper truly is.





Keep in mind that once you are done clearing the PC of all spyware, viruses, and trojans, you are not done yet. Do not forget to run Windows Update on the machine. Windows Updates are a key element in attempting to prevent spyware, viruses, and trojans. Other elements to keep updated are: Java, Macromedia's Flash, and hardware drivers. All hardware updates can be found on the respective manufacturer's web site. For example, if you own a Dell, go to www.dell.com and into their downloads section. Check for BIOS updates along with updates for other hardware, including but not limited to audio, sound, and hard drives.





In the end we were able to reduce this customer's boot time from 5 minutes and 33 seconds to 3 minutes and 30 seconds. Not at all bad for a PC that is several years old. Their computer was now functional again and we didn't have to break their bank account. It cost them a mere $30 for the Spy Sweeper subscription, and we only charged a nominal fee for the amount of work performed. We hope you found this Case Study useful, and if you did, support this web site by making a donation or by purchasing your online security applications through our affiliate links.