Dr. Nikolai Bezroukov
Warning: This document is mainly oriented toward helping home PC users. Users generally should not install this software on their corporate PC...
Spyware usually infects the computer when you browse infected or rogue sites. You can also get it via email, disguised as a useful free utility or a picturesque presentation of Paris, London, Moscow, etc. Even nastier cases are when spyware distributors run a fake antivirus utility, or some rogue site pretends to be a spyware-fighting site and offers infected downloads. As they often want money for disinfecting the spyware they infected you with, this is as close to extortion as one can get.
Sometimes a fake disinfection or diagnostic utility/procedure ("your TCP connection is running slow, click to fix this problem") suggested on a pop-up screen is in reality spyware that infects your computer. This trick is directed at users who do not understand much about Windows and TCP/IP. Any program that has hidden functionality is spyware. Often those programs are tracking programs (which report your activities to the advertising provider's web site for storage and analysis; the 'spyware' agent) or "advertisement substitution" programs, which replace legitimate advertisements in a web page with their own, siphoning advertising revenue to specific sites.
Not only are those additional modules installed on your system without any warning or approval, they are often designed in such a way as to be difficult to detect and remove. They often contain "deletion resistance" mechanisms typical for viruses.
Even though the name may indicate so, spyware currently is not an illegal type of software if the functionality it contains is adequately explained in the "fine print" and there is a removal capability. But the fact is that even if you agree to the "terms and conditions", what the adware and spyware providers do with the collected information, and what they are going to 'feed' you with, is beyond your control. That makes it a highly undesirable activity and it should be banned from the Internet and/or your computer system. There is a huge awareness problem that needs to be dealt with as far as educating users about spyware goes. Right now this kind of education is usually connected with the user's attempt to remove accidentally installed spyware from their PC: after such an experience users become more conscious and usually suspicious about 'free gifts' from the Internet.
Often this is a non-trivial task, as this kind of software contains special mechanisms to make removal difficult or impossible for a regular user. In a sense it hijacks the user's PC.
As with anything, an ounce of prevention is worth a pound of cure: using a non-standard browser (for example Opera), using a disposable virtual machine, or using "public PC" mode in Windows.
In IE, private browsing, setting cache deletion after each session and checking Tools/Manage Add-ons are also useful precautions.
A more general procedure includes baselining your Windows directory, sensitive parts of the registry, and the list of processes just after booting, before you open any application.
The first thing you can do is install several useful antispyware utilities to detect what kind of infection you have, so that you can search Google or Bing to find the best way to disinfect it. You can just run Adaware and Spybot S&D on your PC and see what they say. That does not mean that they will necessarily be able to disinfect your PC.
If this does not help, then you need to switch into investigative mode and try to understand what new components were recently installed on your PC. In this case, having a full backup of your C: drive is the most useful service for yourself you can imagine (and if you get tired of playing the role of computer Sherlock Holmes, you can just restore the image from a Ghost or Acronis backup).
First you need to print five lists about your computer:
- The list of your current registry entries in several parts of the registry, starting with the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run section (using HijackThis)
- The list of current processes and their association with files on disk, using the free Process Explorer or other free Windows process viewers
- The list of files installed in your Windows directory (or WinNT directory)
- Your currently open network connections, using netstat or a more specialized utility like Microsoft Network Monitor 3.3. Version 3.3 has a new feature called 'Process Tracking' which helps to identify any scamp applications sending network data. You can also view all the network traffic generated by processes on your machine and view the frames associated with each process by using the conversation tree.
- The list of processes that use svchost, using, for example, the free Svchost Process Analyzer 1.0
Generally you should have a baseline that gives you the possibility to compare your current state with the previous one. If you don't, a similar PC can serve as a baseline if you can find one (that's easy in a corporate environment with its "semi-standard" PCs ;-)
The simplest and most popular baseline utility is HijackThis. After you create a baseline you usually will find suspicious entries. Check them with Google and you will find some additional information. Create a HijackThis log and post it on one of the web forums that help with such problems, for example Web User Forums. The log looks like this:
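The five lists above can also be captured by script, so that the "just after boot" state is kept as a file and a later snapshot is diffed against it instead of being compared by eye. The following is an added example, not code from the Softpanorama page or from HijackThis; it assumes Windows PowerShell 5.1 or later, netstat being available, and the baseline file path shown in the usage comment. Run it elevated so that process image paths resolve for system processes.

```powershell
# Added example (not from the page): snapshot Run keys, processes with their on-disk
# images, files in the Windows directory and open network connections, then diff a
# later snapshot against the baseline. Assumes Windows PowerShell 5.1+.

function Get-SystemSnapshot {
    # Autostart values under the Run keys (HKLM and HKCU, plus the 32-bit view on 64-bit Windows)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path -Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notin $providerProps) { "$key\$($p.Name) = $($p.Value)" }
            }
        }
    }

    # Each process and the image it runs from (Path is empty for protected
    # processes when not elevated, which is itself worth noticing)
    $processes = Get-Process |
        ForEach-Object { "$($_.ProcessName) $($_.Path)" } | Sort-Object -Unique

    # Files directly in the Windows directory: name, size, last write time (UTC)
    $winDir = Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name) $($_.Length) $($_.LastWriteTimeUtc.ToString('o'))" }

    # Connections from "netstat -ano": proto, local, remote, [state], owning PID.
    # Only listeners and established TCP connections are kept, to reduce churn.
    $network = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = -split $_.Trim()
        $state = if ($f[0] -eq 'TCP') { $f[3] } else { '-' }
        if ($f[0] -eq 'TCP' -and $state -notin 'LISTENING', 'ESTABLISHED') { return }
        $ownerPid = [int]$f[-1]
        $owner = (Get-Process -Id $ownerPid -ErrorAction SilentlyContinue).ProcessName
        "$($f[0]) $($f[1]) -> $($f[2]) $state [$ownerPid $owner]"
    } | Sort-Object -Unique

    [pscustomobject]@{
        Taken      = (Get-Date).ToUniversalTime().ToString('o')
        Autoruns   = @($autoruns)
        Processes  = @($processes)
        WindowsDir = @($winDir)
        Network    = @($network)
    }
}

function Compare-Snapshot {
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] $Current)
    # Plain set difference per section; NEW = present now but not in the baseline,
    # GONE = present in the baseline but missing now.
    foreach ($section in 'Autoruns', 'Processes', 'WindowsDir', 'Network') {
        $before = @($Baseline.$section)
        $after  = @($Current.$section)
        foreach ($item in $after)  { if ($before -notcontains $item) { [pscustomobject]@{ Section = $section; Change = 'NEW';  Item = $item } } }
        foreach ($item in $before) { if ($after  -notcontains $item) { [pscustomobject]@{ Section = $section; Change = 'GONE'; Item = $item } } }
    }
}

function Save-Snapshot {
    param([Parameter(Mandatory)] $Snapshot, [Parameter(Mandatory)] [string] $Path)
    $Snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Import-Snapshot {
    param([Parameter(Mandatory)] [string] $Path)
    Get-Content -Path $Path -Raw | ConvertFrom-Json
}

# Usage (the file path is an assumption): take the baseline right after a clean boot,
# before opening any application; diff when the PC starts misbehaving.
# Save-Snapshot -Snapshot (Get-SystemSnapshot) -Path "$env:USERPROFILE\baseline.json"
# Compare-Snapshot -Baseline (Import-Snapshot "$env:USERPROFILE\baseline.json") -Current (Get-SystemSnapshot) |
#     Format-Table -AutoSize -Wrap
```

Expect some churn in the Processes and Network sections between two healthy snapshots (updaters, ephemeral connections); the entries worth attention are NEW Autoruns values, NEW files in the Windows directory, and listeners or established connections owned by a process you do not recognize. As the text says, a new entry is a lead to verify, not a verdict.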
Logfile of HijackThis v1.97.7
Scan saved at 7:20:03 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
.. ... ... ...
Do not jump to conclusions, and be careful before removing suspicious entries. Windows is a mess and often such entries belong to legitimate software. The Web is also a mess, and a lot of sites that write about spyware belong to enthusiasts who do not have the necessary qualifications. That means Google search results can mislead as much as they can provide useful information. If some site states that a particular DLL or SYS file is a Trojan, this is not necessarily true. Such information should always be verified.
Microsoft has the DLL Help Database to determine if a particular DLL belongs to any of their applications.
When analyzing the processes your PC is running, you can also use process/service information databases, for example ProcessLibrary.com.
You can also use some information from the spyware program itself to find it. For example, if it accesses a specific IP address (visible in netstat), you can Google this IP and find useful information about disinfection.
Or if your browser home page keeps resetting to some page, then this page can be used to search Google for links to information from people who already dealt with this problem.
Spybot is one of the two most popular free programs for fighting spyware and adware (the other is Adaware). It is donation-ware. That means you don't have to pay for it, unless you want to.
First you need to download the latest version of Spybot from the Spybot Web site. It contains several useful free products:
Download the installation files for Spybot and RunAlyzer to a temporary directory on your hard drive, and you're ready to go.
To install Spybot, double-click on the self-extracting archive and follow the prompts in the Setup Wizard. Spybot installs like a typical Windows program. Once the installation is complete, you can start using it. No reboot is required.
Before using the utility, please print and read the help pages for Spybot after the installation.
To scan the computer with Spybot, double-click on the desktop icon.
First of all, you need to check for updates by clicking the Search For Updates button. This ensures that the spyware signatures used by Spybot, and the program itself, are up to date. If there are any updates, click the Download Updates button and let them download and install.
It is very important to run Spybot with the latest signatures.
The default for Spybot is to run in Easy Mode. In this mode, Spybot searches for problems using a predefined configuration.
Softpanorama is a site for power users and I recommend running it in Advanced Mode. To run Spybot in Advanced Mode, you need to modify the icon, deleting the /easymode key.
All configuration changes are made through the menus contained in the Settings tab. Here are the main options:
Autorun settings. Like antivirus software, Spybot has the ability to run whenever the system is booted (autorun) and to detect and fix any problems automatically. If you want this mode, you can enable the following settings under the Automation section of the Settings tab:
- Run Check On Program Start
- Fix All Programs On Program Start
- Rerun Checks After Fixing Problems
- Immunize On Program If Program Has Been Updated.
- Search The Web For New Versions At Each Program Start
- Download Updated Included Files If Available Online
Expert Settings. You should activate Expert Settings to use the program properly. Among other things, the Expert Settings menu activates the Secure Shredder to run automatically when Spybot removes files. Because the Secure Shredder permanently deletes removed files, this tool should not be used automatically. To make it easier to select file sets, go to the Settings tab. Under the Expert Settings menu, enable the following settings:
These settings activate a drop-down list in the Search & Destroy screen. This list contains an easy-to-understand description of the types of scans available.
The Directories tab. The Directories tab is used to specify where downloaded files are stored. Spybot will scan this directory whenever a check is run. The software in the specified directory will be scanned to see if any spyware or Trojans would be installed along with the downloaded software. To add a directory to the list, right-click in the blank area under the Download Directory heading and select Add A Directory To This List. Browse for the folder you want to add to the list. At the bottom of the screen, select the Check Also Subdirectories Of The Above check box. Repeat the procedure for any additional folders you want checked by Spybot.
After configuring Spybot you need to scan your system. Click on the Spybot-S&D tab and click Search And Destroy. Next, click on the File Sets button and select the type of scan to run. For this example, a Minimal Spyware Check was run. Click Check For Problems.
When the scan is complete, Spybot will display the results. Problems are divided into three categories. Red entries indicate spyware. Spyware problems are always selected to be fixed by Spybot. Green entries indicate usage trackers. You probably won't cause any problems by removing these from your system. Black entries are system internals. Make sure you know exactly what areas of your system will be affected before removing any of these entries.
Spybot automatically selects spyware problems to be fixed, so the next step is to click on the Fix Selected Problems button. If there are any problems that cannot be fixed because a program is in use, Spybot will attempt to correct them automatically the next time the system is rebooted, before the spyware program is started.
Now, click on the File Sets button and select Usage Tracks Check Only for the next scan. Click on Check For Problems, and Spybot will run a check for Internet usage trackers. To remove individual trackers from your system, click on the check box next to the tracker in the results, and then click on the Fix Selected Problems button. Spybot will remove the selected trackers from your system. To remove all usage trackers, click Select All Items and then click on Fix Selected Problems.
The same procedure applies when Spybot runs a check on your system internals. This check looks for registry inconsistencies, broken desktop links, and bad paths to executables. When a check on system internals is run, make sure you understand the output. Removing reported registry problems, and other entries related to system performance, can cause problems for your system.
The Tools menu controls several tools associated with Internet Explorer and services run at startup.
At the top of the Hosts File screen, click on Add Spybot-S&D Hosts List. The Spybot hosts file will now be used instead of your default hosts file. To remove the Spybot hosts file, click on Remove Spybot-S&D Hosts List.
Note: Using the Spybot hosts file can cause decreased performance. Read the FAQ included with Spybot to correct these problems for your version of Windows.
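Because both a blocking list and a hijacker work by editing the same hosts file, it is worth being able to tell the two apart. The following is an added example, not code from the Softpanorama page or from Spybot: it parses the Windows hosts file and reports entries that map a host name somewhere other than the loopback/blackhole addresses, which is what a redirecting hijack looks like, while a Spybot-style blocking entry (name mapped to 127.0.0.1) is left alone. It assumes the default hosts file location and Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the page): parse the hosts file and separate blocking
# entries (harmless, map to loopback) from redirecting ones (hijack indicator).
# Assumes the default Windows hosts path; PowerShell 5.1+.

function Get-HostsEntries {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lineNo = 0
    foreach ($line in (Get-Content -Path $Path)) {
        $lineNo++
        $clean = ($line -replace '#.*$', '').Trim()   # strip comments; skip blank lines
        if (-not $clean) { continue }
        $fields = -split $clean                        # address, then one or more names
        if ($fields.Count -lt 2) { continue }          # malformed line, no host names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $fields[0]; HostName = $name }
        }
    }
}

function Get-HostsHijacks {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Loopback and the unspecified address are where a blocking list sends unwanted
    # names; anything else is a real redirect and needs to be explained.
    $blackhole = '127.0.0.1', '0.0.0.0', '::1'
    Get-HostsEntries -Path $Path | Where-Object { $_.Address -notin $blackhole }
}

# Usage: a clean Windows hosts file and a Spybot-immunized one both yield nothing here,
# since every blocked name maps to 127.0.0.1. Anything printed deserves a look.
# Get-HostsHijacks | Format-Table -AutoSize
# (Get-HostsEntries | Measure-Object).Count   # size of the list; a very large one is the slowdown the note mentions
```

A large blocking list is also what makes the performance note above bite, since the DNS client has to consult every line; the entry count from Get-HostsEntries tells you how big the list has become.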
The Process List tab displays all processes running on your system. Although any process may be killed (stopped) through this tab, it is intended primarily as information for technical support. To kill a process in this list, select the process and click on the Kill button at the top of the window.
System Startup Menu. The System Startup menu lists all programs that are started when Windows is launched. This menu allows the user to change the path to a Startup program or change the command used to execute the program. You can also delete any program from Startup or insert a program to be started with Windows.
To view any item in the System Startup list, select the item and click on the Info button at the top of the System Startup screen. To disable a program run at startup, or to allow a disabled program in this list to start with Windows, select the program and click on the Toggle button at the top of the screen. To change the path to a program run at startup, or to change the command options run with the program, select the program from the System Startup list and click on the Change button at the top of the screen. It also gives you the ability to add and configure new startup programs. To add a new program to the Startup list, click on the Insert button at the top of the screen. Make the program available to All Users On Startup or only to the Present User. Select how the program will be run. There are three selections available:
Provide a name for the registry entry and select the path to the executable file. A new entry with the value you enter will be added to the list of programs run at system startup.
The Spybot Immunization function is controlled through the Spybot-S&D tab. It provides four very useful functions:
To provide immunity for your browser and hosts file, click on the Immunize icon under the Spybot-S&D tab. In the first configuration panel, titled Permanent Internet Explorer Immunity, click on the Immunize button to immunize Internet Explorer. The next panel is labeled Permanent Running Bad Download Blocker For Internet Explorer. In the drop-down list, select Block All Bad Pages Silently. Click on Install.
In the third panel, Recommended Miscellaneous Protections, click in each of the three check boxes available to lock the hosts file and to prevent spyware from reconfiguring Internet Explorer when immunization is activated. Spybot blocks all entries that are in its database.
Note:
CoolWebSearch, or 'CWS' as many refer to it, has become one of the leading spyware programs affecting home users. It has surpassed a lot of very annoying hijackers such as Lop, Xupiter and Whazit. Today there are over 100 variants of this spyware engine (allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc.)!
CoolWebSearch (CWS) can not only hijack your browser to any of its variant URLs but has also been known to cause major Internet Explorer slowdowns. This 'trojan' enters your computer by a ByteVerify exploit in the Microsoft Java VM and installs itself. For more information please see the following link.
Merijn (author of the popular anti-spyware program HijackThis) has made a tool to get rid of CoolWebSearch, including many of its variants.
Spybot Search & Destroy Support Procedures
Techworld.com - Automating Spybot Search & Destroy with ZENworks
[Aug 24, 2005] What a great app! (Feedback for the page Spyware Removal Using Spybot S&D; slightly edited for clarity):
Thanks for recommending this freeware - I recently cleaned my PC from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti-malware software. I knew this was a hack from the start and set about cleaning the registry, resetting dodgy files in SYSTEM32 to a .doc extension, etc., but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran the recommended program in safe mode booting of XP and I cleaned everything it found and the machine seems much happier now!
What I would like to know is how you remove an item from the registry when you know it's bad. I tried messing about with the permissions on the item but nothing worked.
... ... ...
Keep up the great work!
Regards,
Peter
Peter,
There are several good free registry editors and watchers. See Free Registry Tools for more information. But the first step is easy to do with the regular Windows registry editor (regedit.exe):
Often spyware is pretty primitive, and removing the component that is installed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key disinfects the PC.
To do this, follow the steps outlined below. Be very careful working with the registry and do not delete entries just because they look suspicious. Check each of them as outlined below:
- Open your registry in regedit
- Click "start" (bottom left of your screen)
- Select "Run"
- Type "regedit" in the command line displayed
- Click OK.
- In a tree that is shown select HKEY_LOCAL_MACHINE
- then click on + sign for the key SOFTWARE
- then click on + sign for the key Microsoft
- then click on + sign for the key Windows
- then click on + sign for the key CurrentVersion
- then click on + sign for the key Run
- Put a bookmark on the Run entry (click Favorites, Add to Favorites, and keep the name Run that Microsoft Registry Editor suggests, so that you can get to the same place quickly if you need to)
- Print all entries (File, Print). Look for suspicious entries that have strange names, load programs from strange locations, etc., but don't take any action on them yet.
- Open Windows Explorer, click on Tools, Folder Options, View, and:
  - uncheck:
    - Hide extensions for known file types
    - Hide protected operating system files
  - check:
    - Show hidden files and folders
    - Remember each folder's view settings
  - Click Apply to All Folders and OK.
- Find each suspicious file from the printed list of the Run section and check the creation date. After that, go to the listed directory, find the file and open its Properties. Check the Version section. If Description is missing, Version is missing, or this is an unknown company, then the file is suspicious.
- For each suspicious file, search Google. If the Google search proves that this entry belongs to spyware, simply delete the key.
- For each other file, try to search Google as well. But be critical about the results. Do not rush to delete it without additional consultation in one of the forums recommended on the Fighting Adware/Spyware Paranoia page.
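The per-entry checks in the steps above (where the program lives, whether its version resource carries a Description and Company, how recently the file appeared) can be gathered in one pass rather than by opening Properties on every file. The following is an added example, not code from the Softpanorama page: it walks the Run keys, resolves each command to an executable, reads the version resource, creation date and Authenticode signature, and reports which checks each entry tripped. It deletes nothing; the output is the list to verify by hand, as the steps describe. It assumes Windows PowerShell 5.1 or later; the "7 days" threshold and the temp/download directory pattern are the author's own choices for this example.

```powershell
# Added example (not from the page): triage Run key entries without deleting anything.
# Flags are hints to verify (search the file name and company, post a HijackThis
# log), not verdicts: many old legitimate programs are unsigned. PowerShell 5.1+.

function Resolve-CommandPath {
    param([string] $Command)
    # Values look like  "C:\Program Files\X\x.exe" /arg   or   C:\dir\x.exe /arg
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path with spaces: extend token by token until a file exists on disk
    $tokens = -split $expanded
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Bare name (e.g. rundll32.exe): resolve through PATH like the shell would
    if ($tokens[0] -and -not [IO.Path]::IsPathRooted($tokens[0])) {
        $found = Get-Command $tokens[0] -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { return $found.Path }
    }
    return $null
}

function Get-RunKeyTriage {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $exe = Resolve-CommandPath -Command ([string]$p.Value)
            $reasons = @(); $info = $null; $sig = $null; $created = $null
            if (-not $exe) {
                $reasons += 'executable not found'
            } else {
                $file    = Get-Item -LiteralPath $exe
                $info    = $file.VersionInfo                 # the Version tab of Properties
                $created = $file.CreationTime
                $sig     = Get-AuthenticodeSignature -FilePath $exe
                if (-not $info.FileDescription) { $reasons += 'no Description' }
                if (-not $info.CompanyName)     { $reasons += 'no Company' }
                if ($sig.Status -ne 'Valid')    { $reasons += "signature $($sig.Status)" }
                if ($exe -match '\\(Temp|Downloads)\\') { $reasons += 'runs from temp/download dir' }
                if (((Get-Date) - $created) -lt [TimeSpan]::FromDays(7)) { $reasons += 'created in last 7 days' }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                Company    = if ($info) { $info.CompanyName } else { $null }
                Created    = $created
                Signature  = if ($sig) { $sig.Status } else { $null }
                Suspicious = $reasons -join '; '
            }
        }
    }
}

# Usage: show only entries that tripped at least one check, then verify each one
# before touching the registry, exactly as the steps above say.
# Get-RunKeyTriage | Where-Object Suspicious | Format-List
```

An entry whose executable cannot be found at all is also informative: spyware that was only half removed often leaves a Run value pointing at a file that no longer exists, and Windows will keep trying to start it at every boot.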
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: November 16, 2009