Softpanorama
May the source be with you, but remember the KISS principle ;-)
Dr. Nikolai Bezroukov
Warning: This document is mainly oriented toward helping home PC users. Users generally should not install this software on their corporate PC...
Spyware is usually disguised as a useful free utility (for example, for synchronizing your clock with some atomic clock), or as some diagnostic utility/procedure suggested on a pop-up screen (directed at users who do not understand much about Windows and TCP/IP ;-), but in fact it has hidden functionality: an analysis and tracking program (the 'spyware' agent) which reports your activities to the advertising provider's web site for storage and analysis. These additional modules are installed on your system without any warning or approval when you install this Trojan software on your PC, and they are often difficult to remove as they contain "deletion resistance" mechanisms typical of viruses.
Even though the name may suggest so, spyware currently is not an illegal type of software if the functionality it contains is adequately explained in the "fine print" and there is a removal capability. But the fact is that even if you agree to the "terms and conditions", what the adware and spyware providers do with the collected information, and what they are going to 'feed' you with, is beyond your control. That makes it a highly undesirable activity, and it should be banned from the Internet and/or your computer system. There is a huge awareness problem that needs to be dealt with as far as educating users about spyware. Right now this kind of education usually happens when the user attempts to remove accidentally installed spyware from their PC: after such an experience users become more conscious and usually suspicious about 'free gifts' from the Internet.
Often this is a non-trivial task, as this kind of software contains special mechanisms to make removal difficult or impossible for a regular user. In a sense it hijacks the user's PC.
The first thing you can do is to install one of the antispyware utilities (Adaware or Spybot) and try to delete the spyware using them.
If this does not help, then you need to switch into investigative mode and try to understand what actually was installed on your PC.
First you need to print three lists of items:
- The list of your current registry entries (especially the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run section of the registry)
- The list of current processes and their association with files on the disk
- The list of files installed in your Windows directory (or WinNT directory)
Generally you should have a baseline that provides you with this information. If you don't, a similar PC can serve as a baseline if you can find one (that's easy in a corporate environment with its "semi-standard" PCs ;-).
After you compare against the baseline you usually will find suspicious entries. Check them with Google and you will find some additional information. Create a HijackThis log and post it on one of the web forums that help with such problems, for example Web User Forums. The log looks like this:
this is myLogfile of HijackThis v1.97.7
Scan saved at 7:20:03 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
.. ... ... ...
Be careful before removing suspicious entries. Windows is a mess, and often such entries belong to legitimate software. Microsoft has a DLL Help Database to determine whether a particular DLL belongs to any of their applications.
You can also use some information from the spyware program to find it. For example, if it reset your Internet connection to 169.254.141.16, you can try to find that address in the registry.
Or if your browser home page is being reset to some page, then this page can be used to search Google for links to information from people who have already dealt with this problem.
Spybot is one of the two most popular free programs for fighting spyware and adware (the other is Adaware). It is donation-ware. That means you don't have to pay for it unless you want to.
First you need to download the latest version of Spybot from the Spybot web site. Download the installation file to a temporary directory on your hard drive, and you're ready to go. You can also go directly to Download.com or PCWorld.com - Spybot Search and Destroy v1.3 for the download.
To install Spybot, double-click on the self-extracting archive and follow the prompts in the Setup Wizard. Spybot installs like a typical Windows program. Once the installation is complete, you can start using it. No reboot is required.
Before using the utility, please print and read the help pages for Spybot after the installation.
To scan the computer with Spybot, double-click on the desktop icon.
First of all, you need to check for updates by clicking the Search For Updates button. This will ensure that the spyware signatures used by Spybot and the program itself are up to date. If there are any updates, click the Download Updates button and let them download and install.
It is very important to run Spybot with the latest signatures.
The default for Spybot is to run in Easy Mode. In this mode, Spybot searches for problems using a predefined configuration.
Softpanorama is a site for power users, and I recommend running it in Advanced Mode. To run Spybot in Advanced Mode, you need to modify the shortcut icon by deleting the /easymode switch from its command line:
All configuration changes are made through the menus contained in the Settings tab. Here are the main options:
Autorun settings. Like antivirus software, Spybot has the ability to run whenever the system is booted (autorun) and to detect and fix any problems automatically. If you want this mode, you can enable the following settings under the Automation section of the Settings tab:
- Run Check On Program Start
- Fix All Programs On Program Start
- Rerun Checks After Fixing Problems
- Immunize On Program If Program Has Been Updated.
- Search The Web For New Versions At Each Program Start
- Download Updated Included Files If Available Online
Expert Settings. You should activate Expert Settings to use the program properly. Among other things, the Expert Settings menu activates the Secure Shredder to run automatically when Spybot removes files. Because the Secure Shredder permanently deletes removed files, this tool should not be used automatically. To make it easier to select file sets, go to the Settings tab. Under the Expert Settings menu, enable the following settings:
These settings activate a drop-down list in the Search & Destroy screen. This list contains an easy-to-understand description of the types of scans available.
The Directories tab. The Directories tab is used to specify where downloaded files are stored. Spybot will scan this directory whenever a check is run. The software in the specified directory will be scanned to see whether any spyware or Trojans would be installed along with the downloaded software. To add a directory to the list, right-click in the blank area under the Download Directory heading and select Add A Directory To This List. Browse for the folder you want to add to the list. At the bottom of the screen, select the Check Also Subdirectories Of The Above check box. Repeat the procedure for any additional folders you want checked by Spybot.
After configuring Spybot you need to scan your system. Click on the Spybot-S&D
tab and click Search And Destroy. Next, click on the File Sets button and select
the type of scan to run. For this example, a Minimal Spyware Check was run. Click
Check For Problems.
When the scan is complete, Spybot will display the results. Problems are divided
into three categories. Red entries indicate spyware. Spyware problems are always
selected to be fixed by Spybot. Green entries indicate usage trackers. You probably
won’t cause any problems by removing these from your system. Black entries are system
internals. Make sure you know exactly what areas of your system will be affected
before removing any of these entries.
Spybot automatically selects spyware problems to be fixed, so the next step is to
click on the Fix Selected Problems button. If there are any problems that cannot
be fixed because a program is in use, Spybot will attempt to correct the program
automatically the next time the system is rebooted, before the spyware program is
started.
Now, click on the File Sets button and select Usage Tracks Check Only for the next
scan. Click on Check For Problems, and Spybot will run a check for Internet usage
trackers. To remove individual trackers from your system, click on the check box
next to the tracker in the results, and then click on the Fix Selected Problems
button. Spybot will remove the selected trackers from your system. To remove all
usage trackers, click Select All Items and then click on Fix Selected Problems.
The same procedure applies when Spybot runs a check on your system internals. This
check is looking for registry inconsistencies, broken desktop links, and bad paths
to executables. When a check on system internals is run, make sure you understand
the output. Removing reported registry problems, and other entries related to system
performance, can cause problems for your system.
The Tools menu controls several tools associated with Internet Explorer and services
run at startup.
At the top of the Hosts File screen, click on Add Spybot-S&D Hosts List. The Spybot hosts file will now be used instead of your default hosts file. To remove the Spybot hosts file, click on Remove Spybot-S&D Hosts List.
Note: Using the Spybot hosts file can cause decreased performance. Read the FAQ included with Spybot to correct these problems for your version of Windows.
The Process List tab displays all processes running on your system. Although any process may be killed (stopped) through this tab, it is intended primarily as information for technical support. To kill a process in this list, select the process and click on the Kill button at the top of the window.
System Startup Menu
The System Startup menu lists all programs that are started when Windows
is launched. This menu allows the user to change the path to a Startup program
or change the command used to execute the program. You can also delete any program
from Startup or insert a program to be started with Windows.
To view any item in the System Startup list, select the item and click on the
Info button at the top of the System Startup screen. To disable a program run
at startup, or to allow a disabled program in this list to start with Windows,
select the program and click on the Toggle button at the top of the screen.
To change the path to a program run at startup, or to change the command options
run with the program, select the program from the System Startup list and click
on the Change button at the top of the screen. It also gives you the ability to add
and configure new startup programs. To add a new program to the Startup list,
click on the Insert button at the top of the screen. Make the program available
to All Users On Startup or only to the Present User. Select how the program
will be run. There are three selections available:
Provide a name for the registry entry and select the path to the executable file. A new entry with the value you enter will be added to the list of programs run at system startup.
The Spybot Immunization function is controlled through the Spybot-S&D tab. It
provides four very useful functions:
To provide immunity for your browser and hosts file, click on the Immunize icon
under the Spybot-S&D tab. In the first configuration panel, titled Permanent Internet
Explorer Immunity, click on the Immunize button to immunize Internet Explorer. The
next panel is labeled Permanently Running Bad Download Blocker For Internet Explorer.
In the drop-down list, select Block All Bad Pages Silently. Click on Install.
In the third panel, Recommended Miscellaneous Protections, click in each of the
three check boxes available to lock the hosts file and to prevent spyware from reconfiguring
Internet Explorer when immunization is activated. Spybot blocks all entries that
are in its database.
Note:
CoolWebSearch, or 'CWS' as many refer to it, has become one of the leading spyware programs affecting many home users. It has surpassed a lot of very annoying hijackers such as Lop, Xupiter and Whazit. Today there are over 100 variants of this spyware engine (allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc.)!
CoolWebSearch (CWS) can not only hijack your browser to any of its variant URLs but has also been known to cause major Internet Explorer slowdowns. This 'Trojan' enters your computer by a ByteVerify exploit in the Microsoft Java VM and installs itself. For more information please see the following link.
Merijn (author of the popular anti-spyware program HijackThis) has made a tool to get rid of CoolWebSearch, including many of its variants.
Spybot Search & Destroy Support Procedures
Techworld.com - Automating Spybot Search & Destroy with ZENworks
[Aug 24, 2005] What a great app! (Feedback for the page Spyware Removal Using Spybot S&D; slightly edited for clarity):
Thanks for recommending this freeware - I recently cleaned my PC from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti-malware software. I knew this was a hack from the start and set about cleaning the registry, resetting dodgy files in SYSTEM32 to a .doc extension, etc., but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran the recommended program in a safe-mode boot of XP and I cleaned everything it found and the machine seems much happier now!
What I would like to know is how you remove an item from the registry when you know it's bad. I tried messing about with the permissions on the item but nothing worked.
... ... ...
Keep up the great work!
Regards
Peter
Peter,
There are several good free registry editors and watchers. See Free Registry Tools for more information. But the first step is easy to do with the regular Windows registry editor (regedit.exe):
Often spyware is pretty primitive, and removal of the component that is installed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key disinfects the PC.
To do this, follow the steps outlined below. Be very careful working with the registry and do not delete entries just because they look suspicious. Check each of them as outlined below:
- Open your registry in regedit
- Click "start" (bottom left of your screen)
- Select "Run"
- Type "regedit" in the command line displayed
- Click OK.
- In a tree that is shown select HKEY_LOCAL_MACHINE
- then click on + sign for the key SOFTWARE
- then click on + sign for the key Microsoft
- then click on + sign for the key Windows
- then click on + sign for the key CurrentVersion
- then click on + sign for the key Run
- Put a bookmark for the Run entry (click Favorites, Add to Favorites and preserve the name Run that Microsoft Registry Editor suggests), so that you can get to the same place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries that have strange names, load programs from strange locations, etc., but don't take any action on them yet.
- Open Windows Explorer, click on Tools, Folder Options, View, and in the Details view:
  - uncheck:
    - Hide extensions for known file types
    - Hide protected operating system files
  - check:
    - Show hidden files and folders
    - Remember each folder's view settings
  Then click Apply to All Folders and OK.
- Find each suspicious file from the printed list of the Run section and check its creation date. After that, go to the listed directory, find the file, right-click it and click on Properties. Check the Version section. If the Description is missing, the Version is missing, or this is an unknown company, then the file is suspicious.
- For each suspicious file, search Google. If the Google search proves that this entry belongs to spyware, simply delete the key.
- For every other file, also try to search Google. But be critical about the results; do not rush to delete it without additional consultation in one of the forums recommended on the Fighting Adware/Spyware Paranoia page.
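The baseline comparison of Run entries described earlier and the Run-key check above, as an added example that is not from the original page: a Python script that diffs a baseline export of the Run key against the current export and reports new entries, flagging those loaded from unusual locations. The two exports, the sample entries and the list of trusted directories are constructed assumptions.

```python
# Added example (not from the page): diff two regedit exports of the Run key and
# report new autostart entries the way the page's checklist does. Real exports
# come from: regedit /e run.reg "HKEY_LOCAL_MACHINE\...\Run" (open them with
# encoding="utf-16"). The exports below are constructed samples.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")  # assumed XP install locations
BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"AVGCtrl"="\"C:\\Program Files\\AVG\\avgctrl.exe\" /min"
'''  # constructed export of the clean (baseline) PC
CURRENT_REG = BASELINE_REG + r'''"QuickTime"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"svchost"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe"
'''  # constructed export of the same PC after something was installed

def parse_run_export(text):
    """Return {value_name: command} for the string values under the Run key."""
    entries, in_run_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):  # key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        m = re.match(r'^"(.*?)"="(.*)"$', line)  # "name"="string value"
        if in_run_key and m:
            name, value = m.groups()  # undo regedit escaping of \" and \\
            entries[name] = value.replace('\\"', '"').replace("\\\\", "\\")
    return entries

def program_path(command):
    """Extract the executable from a Run command, quoted or bare, with arguments."""
    if command.startswith('"'):  # "C:\dir with spaces\x.exe" args
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)  # bare path, maybe with spaces
    return m.group(1) if m else command.split(" ")[0]

def review_run_entries(baseline_text, current_text):
    """Return {name: reason} for entries that are new or changed since the baseline."""
    baseline, findings = parse_run_export(baseline_text), {}
    for name, command in parse_run_export(current_text).items():
        if baseline.get(name) == command:
            continue  # unchanged since the baseline: already vetted
        path = program_path(command).lower()
        if "\\" not in path:
            findings[name] = "bare name resolved through PATH, locate it on disk: " + path
        elif path.startswith(TRUSTED_DIRS):
            findings[name] = "new entry in a standard directory, check version info: " + path
        else:
            findings[name] = "new entry loaded from an unusual location: " + path
    return findings
```

Entries reported as new in a standard directory still need the Properties/Version check from the list above; the script only narrows down what to look at.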
Copyright © 1996-2007 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials' copyright belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008