Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Softpanorama Search

Spyware Removal Guidelines

Dr. Nikolai Bezroukov

Introduction
Installing Spybot
Running Spybot
Main settings
Autorun settings
Expert Settings
Running a Spybot Scan
Additional Spybot Tools
System Startup Menu
Using Spybot Immunization
Webliography
Feedback

Introduction

Warning: This document is mainly oriented on helping home PC users. Users generally should not install this software on their corporate PC...

Spyware is usually infects the computer when you browed infected or rogue sites. You can also get it via email disguised as a useful free utility and picturesque presentation of Paris, London, Moscow, etc. Even more nasty cases are when spyware distributors run fake antivirus utility or some rogue site pretends to be a spyware fighting site and offer infected downloads. As they often want money for disinfecting from the spyware they infected you with, this is as close to extortion as one can get.

Sometimes fake disinfection or diagnostic utility/procedure (you TCP connection is running slow, click to fix this problem) that was suggested on a pop-up screen in reality is a spyware that infects your computer. This trick is directed to users who do not understand much about windows and TCP/IP. any program that has a hidden functionality is a spyware. Often those programs are tracking program (which reports your activities to the advertising providers' web site for storage and analysis, the 'spyware' agent) or "advertizements substitution programs, which replace legitimate advertizements in web page with thier own, siphing advertizinf revenue to specific sites.

Not only those additional modules are installed on your system without any warning or approval they are often designed in such a way as to be difficult to detect and remove. They often contain "deletion resistance" mechanism typical for viruses.

Even though the name may indicate so, spyware currently is not an illegal type of software if the functionality that it contain is adequately explained in the "fine print" and there is a removal capability. But the fact is that even if you agree to the "terms and conditions" what the adware and Spyware providers do with the collected information and what they're going to 'feed' you with, is beyond your control. That makes it a highly undesirable activity and it should be banned from the Internet and/or your computer system. There is a huge awareness problem that needs to be dealt with as for educating users about Spyware. Right now this kind of education is usually connected with the user attempt to remove accidentally installed Spyware from your PC: after such an experience users become more conscious and usually suspicious about 'free gifts" from the Internet.

Often this is a non-trivial takes as this kind of software contains special mechanism to make remove difficult or impossible for a regular user. In a sense it hijacks the user PC.

As with anything, an ounce of prevention is worse pound of cure: using non-standard browser for example Opera, using disposable virtual machine or "public PC" mode in Windows.

In IE in private browsing, setting cache deletion after each session and checking Tools/Managed add-ons are also useful precautions.

More general procedure includes baselining you Windows directory, sensitive parts of the registry and list of process just after booting before you open any application.

General Procedure

The first thing you can do is to install several useful antispyware utilities to detect what kind of infection you have, so that you can browse Google or Bing to find the best way to disinfect it. You can just run Adaware and Spybot S&D on you PC and see what they will say. That does not mean that they necessarily will be able to disinfect you PC.

If this does not help then you need to switch into investigative mode and try to understand what new components were recently installed on your PC. In this case having full backup of you C drive is the most useful service for yourself you can imagine (and if you get tired playing the role of computer Sherlock Holmes you can just restore the image from Ghost of Acronis backup).

First you need to print five lists about your computer:

The list of your current registry entries in several parts of registry (starting with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runsection of the registry (using HijackThis)

The list of current processes and their association with files on the disk Using free Process Explorer or other free Windows Process Viewers

The list of files installed in your Windows directory (or WinNT directory).

Your currently opened network connections using netstat, or more specialized utility, like Microsoft Network Monitor 3.3. Version 3.3. has a new feature called ‘Process Tracking’ which helps to identify any scamp applications sending network data. You can also view all the network traffic generated processes on your machine and view the frames associated with each process by using the conversation tree.

The list of processed that use Svchost, using, for example, free Svchost Process Analyzer 1.0

Generally you should have a baseline that provides you possibility to compare your current state with the previous. If you don't them similar PC can serve as a baseline if you can find it (that's easy in corporate environment with its "semi-standard PCs ;-)

The simplest and most popular baseline utility is HijackThis. After you create baseline you usually will find suspicious entries. Check them with Google and you will find some additional information. Create a HijackThis log and post it on one of the Webforums that help with such problems, for example Web User Forums. The map looks like this.

this is myLogfile of HijackThis v1.97.7
Scan saved at 7:20:03 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
.. ... ... ...

Do not jump to conclusions and be careful before removing suspicious entries. Windows is a mess and often such entries belong to a legit software. Also Web is a mess and a lot of sites that write about spyware belong to enthusiasts who do not have necessary qualification. That means that Google search results can mislead as much as it can provide useful information. If some site states that particular DLL or SYS file is a Trojan this is not necessary true. Such an information should always be verified.

Microsoft has DLL Help Database to determine if a particular DLL belongs to any of their applications.

Google search can mislead as much as it can provide useful information. Microsoft has DLL Help Database to determine if a particular DLL belongs to any of their applications.

When analyzing the process your PC is running you also can use processes/services information databases, for example ProcessLibrary.com

You can also use some information from the spyware program to find it. For example if it accesses a specific IP (visible in netstat ) you can Google this IP and find useful information about disinfection.

Or if you browser home page is resetting to some page then this page can be user to search Google to find links to information from people who already dealt with this problem.

Stage 1: Using Off-the-shelf Spyware Fighting Utilities

Installing Spybot

Spybot is one of two most popular free programs for fighting Spyware and adware (the other is Adaware). It is a donation-ware. That means you don't have to pay for it, unless you want to.

First you need to download the latest version of Spybot from the Spybot Web site. It contains several useful free products:

Spybot - Search & Destroy Protect yourself against spyware 1.6.2
RunAlyzer Shows all the spots where malware tries to hide 1.6.1.24. This utility is intended to be a replacement of Spybot -S&D Tools section currently integrated into Spybot-S&D.
- Autostart entries -- RunAlyzer shows a bunch of places applications use to get themself started upon Windows start. This is good for tweaking your system as well as finding spyware, viruses or other malware.
- Analysis -- RunAlyzer comes with a database of known entries and can do an online lookup to get the newest classifications of entries from our servers. Simple colors - green for good, red for bad - will give you the quick overview needed. Our detectives will even classify any unknown entries you submit to us through an easy function integrated into the application.
- Log functions -- Should you want to get help from another place, RunAlyzer can export log files as would be created by Spybot-S&D or HijackThis - formats that many experts all over the world prefer.
FileAlyzer Understand files by analyzing their structure 1.6.0.4
RegAlyzer Browse and search the registry

Download the installation file for Spybot and Runalyser, to a temporary directory on your hard drive, and you're ready to go.

To install Spybot, double-click on the self-extracting archive and follow the prompts in the Setup Wizard. Spybot installs like a typical Windows program. Once the installation is complete, you can start using it. No reboot required.

Before using the utility please print and read help pages for Spybot after the installation.

Scanning you computer with Spybot

To scan the computer with the Spybot, double-click on the desktop icon.

First of all you need to check for updates by clicking the Search For Updates button. This will ensure that the Spyware signatures used by Spybot and the program itself are up to date. If there are any updates, click the Download Updates button and let them download and install.

It is very important to run Spybot with the latest signatures

The default for Spybot is to run in Easy Mode. In this mode, Spybot searches for problems using a predefined configuration.

Softpanorama is a site for power users and I recommend running is in Advanced Mode. To run Spybot in Advanced Mode, you need to modify the icon deleting /essymode key:

Right-click the desktop icon for Spybot.
In the menu, left-click on Properties.
The target executable for Spybot will be:
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /easymode
Change the executable target to:
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Double-click the icon.

Spybot Conguration Before Scan

All configuration changes are made through the menus contained in the Settings tab/ Here are the main options:

Save All Settings: This allows Spybot to be used with the same configuration for every scan. you should enable it.
Create Backups Of Fixed Spyware Problems: Some programs associated with Spyware will not function after the spyware component is removed. If you must use a program with a spyware component, the ability to recover the spyware will eliminate the need to reinstall the entire program. You should enable it.
Create Backups Of Removed Usage Tracks: Creating a backup of usage trackers allows you to view these trackers and examine which Web sites are trying to monitor your activity. You should enable it.
Create Backups Of Fixed System Internals: Any registry inconsistencies fixed by Spybot may cause problems for your system. Using this option allows the registry to be restored to the state it was in before the Spybot scan. You should enable it
Ignore If Single Detections In Include Files Need A New Program Version: Activate this option.
Display Confirmation Changes Before Doing Critical Changes: Using this option will ensure you are aware that changes are about to be made; you'll be prompted for confirmation. you should enable it.
Scan Priority: You should chose normal scan priority.
Autorun settings Like antivirus software Spybot has the ability to run whenever the system is booted (autorun) and to detect and fix any problems automatically. If you want this mode, you can enable the following settings under the Automation section of the Settings tab:

Run Check On Program Start

Fix All Programs On Program Start

Rerun Checks After Fixing Problems

Immunize On Program If Program Has Been Updated.

Search The Web For New Versions At Each Program Start

Download Updated Included Files If Available Online

Expert Settings. You should activate Expert Settings to use the program properly. Among other things the Expert Settings menu activates the Secure Shredder to run automatically when Spybot removes files. Because the Secure Shredder permanently deletes removed files, this tool should not be used automatically. To make it easier to select file sets, go to the Settings tab. Under the Expert Settings menu, enable the following settings:
- Show Expert Buttons In Results List
- Show Expert Buttons In Recovery List

These settings activate a drop-down list in the Search & Destroy screen. This list contains an easy-to-understand description of the types of scans available.

The Directories tab. The Directories tab is used to specify where downloaded files are stored. Spybot will scan this directory whenever a check is run. The software in the specified directory will be scanned to see if any spyware or Trojans will be installed with the downloaded software. To add a directory to the list, right-click in the blank under the Download Directory heading and select Add A Directory To This List. Browse for the folder you want to add to the list. At the bottom of the screen, select the Check Also Subdirectories Of The Above check box. Repeat the procedure for any additional folders you want checked by Spybot.

Running a Spybot Scan

After configuring Spybot you need to scan your system. Click on the Spybot-S&D tab and click Search And Destroy. Next, click on the File Sets button and select the type of scan to run. For this example, a Minimal Spyware Check was run. Click Check For Problems.

When the scan is complete, Spybot will display the results. Problems are divided into three categories. Red entries indicate spyware. Spyware problems are always selected to be fixed by Spybot. Green entries indicate usage trackers. You probably won’t cause any problems by removing these from your system. Black entries are system internals. Make sure you know exactly what areas of your system will be affected before removing any of these entries.

Spybot automatically selects spyware problems to be fixed, so the next step is to click on the Fix Selected Problems button. If there are any problems that cannot be fixed because a program is in use, Spybot will attempt to correct the program automatically the next time the system is rebooted, before the spyware program is started.

Now, click on the File Sets button and select Usage Tracks Check Only for the next scan. Click on Check For Problems, and Spybot will run a check for Internet usage trackers. To remove individual trackers from your system, click on the check box next to the tracker in the results, and then click on the Fix Selected Problems button. Spybot will remove the selected trackers from your system. To remove all usage trackers, click Select All Items and then click on Fix Selected Problems.

The same procedure applies when Spybot runs a check on your system internals. This check is looking for registry inconsistencies, broken desktop links, and bad paths to executables. When a check on system internals is run, make sure you understand the output. Removing reported registry problems, and other entries related to system performance, can cause problems for your system.

Additional Spybot Tools

The Tools menu controls several tools associated with Internet Explorer and services run at startup.

Resident tool. One of the programs you'll notice here is the Resident tool, a continuously running security program. Presently, the Resident tool section provides a browser application for Internet Explorer that prevents downloads of known malicious software, such as spyware installers. This is a very useful functionality. You should activate the Resident tool program by clicking on the Install button at the top of the screen.
The Active X menu displays a list of Active X controls currently installed on your system. Active X controls are categorized by color. Green entries are legitimate Active X controls. Red entries mark controls related to spyware. Black entries are not known to the Spybot database.
The BHOs tab displays information about Browser Helper Objects (BHOs). BHOs are small programs—often Active X controls—that extend Internet Explorer’s capabilities. Because they are integrated with your browser, BHOs have access to each Web site you visit. Green entries are legitimate BHOs; red entries are associated with spyware; black entries are unknown to Spybot.

If you have any concerns about a BHO in this list, you can easily disable it. Click on the BHO to be disabled. At the top of the BHO window, click on the toggle button. Disabled BHOs will then appear grayed out in the BHO list.
Browser Pages tab, Spybot also provides protection against browser-hijacking agents that can reset the start or search page in Internet Explorer. If your browser start page or search page is changed and cannot be reset through IE, the new URL will probably show up in this list.

To reset the offending URL and ensure the URL is added to the next Spybot update, click on the URL your browser has been redirected to. At the top of the screen, click on the Change button and enter the new URL. Mail the offending address to detections@spybot.info, and the URL will be added to the list of known bad URLs.
Hosts File tab. Spybot comes with its own hosts file, which contains an extensive list of Web sites known for spyware; you can view this list on the Hosts File tab. When this file is installed, no content from any of the sites in it will be displayed. To install the Spybot hosts file, click on the Hosts File tab.
At the top of the Hosts File screen, click on Add Spybot-S&D Hosts List. The Spybot hosts file will now be used instead of your default hosts file. To remove the Spybot hosts file, click on Remove Spybot-S&D Hosts List.

Note: Using the Spybot hosts file can cause decreased performance. Read the FAQ included with Spybot to correct these problems for your version of Windows.

The Process List tab displays all processes running on your system. Although any process may be killed (stopped) through this tab, it is intended primarily as information for technical support. To kill a process in this list, select the process and click on the Kill button at the top of the window.

System Startup Menu The System Startup menu lists all programs that are started when Windows is launched. This menu allows the user to change the path to a Startup program or change the command used to execute the program. You can also delete any program from Startup or insert a program to be started with Windows.
To view any item in the System Startup list, select the item and click on the Info button at the top of the System Startup screen. To disable a program run at startup, or to allow a disabled program in this list to start with Windows, select the program and click on the Toggle button at the top of the screen. To change the path to a program run at startup, or to change the command options run with the program, select the program from the System Startup list and click on the Change button at the top of the screen. it gives you the ability to add and configure new startup programs. To add a new program to the Startup list, click on the Insert button at the top of the screen. Make the program available to All Users On Startup or only to the Present User. Select how the program will be run. There are three selections available:
- Run The Program As A Normal Program
- Run The Program As A Service
- Create An Autostart Group Link

Provide a name for the registry entry and select the path to the executable file. A new entry with the value you enter will be added to the list of programs run at system startup.

Using Spybot Immunization

The Spybot Immunization function is controlled through the Spybot-S&D tab. It provides four very useful functions:

Permanently immunizing Internet Explorer from Spyware
Preventing Internet Explorer from downloading known Spyware installers
Preventing Spyware from making changes to Internet Explorer configuration
Locking the hosts file

To provide immunity for your browser and hosts file, click on the Immunize icon under the Spybot-S&D tab. In the first configuration panel, titled Permanent Internet Explorer Immunity, click on the Immunize button to immunize Internet Explorer. The next panel is labeled Percent Running Bad Download Blocker For Internet Explorer. In the drop-down list, select Block All Bad Pages Silently. Click on Install.

In the third panel, Recommended Miscellaneous Protections, click in each of the three check boxes available to lock the hosts file and to prevent Spyware from reconfiguring Internet Explorer when immunization is activated. Spybot blocks all entries that are in its database.

Note:

CoolWebSearch or ‘CWS’ as many refer to it as, has become one of the leading Spyware programs that affects many home users. It has surpassed a lot of very annoying hijackers such as Lop, Xupiter and Whazit etc. Today it has over 100 variants of this Spyware engine ( allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc )!!

CoolWebSearch (CWS), can not only hijack your browser to any of its variant URL’s but has also been known to cause major Internet Explorer slow downs. This ‘trojan’ enters your computer by a ByteVerify exploit in the Microsoft JavaVM and installs it self. For more information please see the following link.

Merijn (author of popular anti Spyware program HijackThis) has made a tool to get rid of CoolWebSearch, including many of its variants.

Webliography

Tutorial - The home of Spybot-S&D!

Using Spybot - Search & Destroy to remove Spyware from Your Computer

Spybot Search & Destroy Support Procedures

AIT - Using Spybot Search & Destroy to Remove Spyware

Spybot Search & Destroy 1.3 Tutorial

Techworld.com - Automating Spybot Search & Destroy with ZENworks

SpyBot tutorial

Feedback

[Aug 24, 2005] What a great app! (Feedback for the page Spyware Removal Using Spybot S&D; slightly edited for clarity):

Thanks for recommending this freeware - I recently cleaned my pc from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti malware software. I knew this was a hack from the start and set about cleaning the registry , resetting dodgy files in SYSTEM32 to a .doc extension, etc but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran recommended program in safe mode booting of XP and I cleaned everything it found and the machine seems much happier now!

What I would like to know is how you remove an item from the registry when you know its bad . I tried messing about with the permissions on the item but nothing worked.

... ... ...

Keep up the great work!

Regards

Peter

Peter,

There are several good free registry editors, watchers. See Free Registry Tools for more information. But the first step is easy to do with regular Windows registry editor (regex.exe):

Often spyware is pretty primitive and removal of the component that is installed in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

registry key disinfects the PC.

To do this follow the step outlines below. Be very careful working with the registry and do not delete entries just because they look suspicious. check each of them as outlined below:

Open your registry in regedit

Click "start" (bottom left of your screen)

Select "Run"

Type "regedit" in the command line displayed

Click OK.

In a tree that is shown select HKEY_LOCAL_MACHINE

then click on + sign for the key SOFTWARE

then click on + sign for the key Microsoft

then click on + sign for the key Windows

then click on + sign for the key CurrentVersion

then click on + sign for the key Run

Put a bookmark for the Run entry (Click Favorites, Add to Favorites and preserve the name Run that Microsoft Registry Editor suggests, so that you can gat tot he same place quickly if you need to.

Print all entries (File, Print). Look for suspicious entries, that have strange names, load programs from strange locations, etc but don't take any actions on them.

Open Windows Explorer Click on Tools, Folder options , View and and Details View and

uncheck:

Hide extensions for know file types

Hide protected operating system files

check

Show hidden files and folders

Remember each folder view setting

click apply to all folders and OK.

Find each suspicious file from the printed list of Run section and check the creation date. After that go to the listed directory find the file, left click and click on properties. Check Version section. If Description is missing, Version is missing or this is an unknown company, then the file is suspicious.

For each suspicious file search Goggle. If Google search proves that this entry belongs to spyware simply delete the key.

For each other file try to search Google. But be critical as for results. do not rush to delete it without additional consultation in one of the recommended in Fighting Adware/Spyware Paranoia page forums.

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Last modified: November 16, 2009