Softpanorama (slightly skeptical) Open Source Software Educational Society
Non-Scanner Generic AntiSpyware Tools
Businesses want an inexpensive software tool that can be used to clean
up a spyware infection on a one-time, case-by-case basis. Larger companies usually
have staff who can do quite a lot in analyzing a particular sample of spyware,
and they need a toolkit to deploy the solution if necessary. Being
100% dependent on vendors is somewhat humiliating.
Vendors must offer such products and make sure they are affordable. We
will classify tools into two broad classes:
- Scanner-based. This is a strategy similar to antivirus scanners, and it
brings the same problem of false positives and false negatives. We discuss
this class of tools on a separate page.
- Non-scanner-based. This broad class includes everything else, including
but not limited to process browsers (HijackThis is probably the most popular
but far from the only available process browser; it also shows other relevant
entries such as BHOs), registry change detectors and integrity checkers. We
will advocate a simple protection strategy, called the "Softpanorama spyware
defense strategy", which consists of two simple steps:
  - creating a second partition on the hard drive;
  - periodically writing to it images created by Ghost or a similar utility.
On this page we discuss non-scanner-based tools. SFU 3.5 is probably
the most powerful generic antispyware tool available for Windows.
Any tool that can search and delete entries in the Registry is also useful.
There are several such tools in the Microsoft Resource Kits, and they are
probably the safest to use.
The non-scanner-based strategy of fighting spyware includes several
lines of defense:
- Restoring an image of your C partition ("Softpanorama strategy").
Split your hard drive into two (or more) partitions (using, for
example, Partition Magic), format the second partition as FAT32 and
write a clean snapshot of the C: partition (for example via Ghost) to
this partition, so that you can restore it any time your system stops
functioning properly (whether because of spyware or other problems).
- Systematically updating your OS and IE. It's really important
to keep your computer up to date. Spyware often relies on IE vulnerabilities,
so the latest and greatest version of IE from Microsoft helps to protect
your computer. The improvements to Internet Explorer [microsoft.com] in
Service Pack 2 should help stop the spread of spyware somewhat.
- Using a special toolbar that blocks popups and spyware components.
The Yahoo toolbar now contains an antispyware component in addition to popup
blocking (they beat the Google toolbar in this area ;-)
- Running selected free tools via the scheduler to detect and remove
spyware. There are very useful and effective tools outside the
typical anti-spyware troika (HijackThis, Ad-Aware and Spybot S&D).
For example, watching the registry, the process list (see command
line process listers) after startup, and the content of the major
Windows directories is very important, and one can greatly benefit from
using appropriate tools for that. For example, I can recommend
a registry watching tool like RegistryProt. There are several command
line process listing utilities that can be configured to run during
startup. Adding an integrity checker to the mix is more
complex, as there is no clearly suitable candidate; see
Fighting Rootkit and
Similar Trojans: Integrity Checkers and Trojan detectors.
HijackThis can provide a useful baseline that includes an integrated
list of relevant registry entries and a process map, but currently I
do not know how to run it in batch mode (other than via Expect).
Still, this is the simplest way to manually create a useful baseline.
If you are reading this page and do not yet have a problem, please create
at least a process baseline. It might turn out to be extremely helpful in
the future. You cannot overestimate the value of a baseline
in fighting complex spyware beasts.
- Blocking (via proxy or redirection in the hosts file) Internet
sites that download such pests. This is a useful method of
defense in a corporate environment, where each detected "backchannel"
can be instantly blocked on the proxy and in many cases the site that is
responsible for the infection can be detected and blocked. This is not
that effective in a home environment, but the hosts file can still be used
to block obnoxious advertisers on a one-by-one basis.
- And last but not least: read the license of products that
you are installing on your computer. Never ever install anything
that is advertised via junk email or, worse, pop-ups. Most apps that
install spyware usually have something in their license that says
"we have the right to install whatever we want on your system".
Softpanorama Strategy of Defense
A simple, generic and very effective strategy of defense against spyware
involves splitting your hard drive into two (or more) partitions (using, for
example, Partition Magic), formatting the second partition as FAT32 and writing
a clean snapshot of the C: partition (for example via Ghost) to this partition,
so that you can restore it any time your system stops functioning properly
(whether because of spyware or other problems). Here are the major
stages:
Stage 1: Splitting your harddrive into two partitions
Stage 2: Formatting the second partition as FAT32
Stage 3: Creation of the image
After the image has been created you can return to this stage by simply restoring
it. So if your Internet connection was hosed or the computer behaves strangely
after a deletion, you can always "fall back" on a known good state of your
system. With some caution, most of the environment and newly created
files can be preserved. This is probably the easiest way to fight complex,
mutating spyware like CoolWWWSearch.
The restoration phase is slightly different. If the computer is still bootable,
it involves writing the image to a floppy disk and then restoring
the partition by rebooting from this floppy. If the computer is not bootable,
then you need to have a floppy ready (preferably attached to the case of your
computer in a plastic pocket).
This strategy is discussed in more detail on the
Softpanorama Strategy of Fighting Spyware
page.
I would like to stress that the main tool in fighting spyware is your
own understanding of Windows OS: the better you understand it the
sooner the spyware on your computer will be eliminated.
In view of the proliferation of spyware keystroke loggers and site/download
trackers, I strongly recommend performing periodic checks for such programs
on all Windows 2000/Windows XP desktops that are used for connections to DMZ
servers, at least once a month. Especially vulnerable are home
desktops that are shared with other family members (children); those
need to be checked more often. Please note that unlike
worms/viruses, spyware consists of professionally written programs that are
specifically designed to work in stealth mode and collect various types of
information about the user including, but not limited to, confidential
financial information. It is also protected from partial removal from the PC,
which often happens if the signatures that a spyware removal program uses are
old: in case one or several components are deleted by the program, the
remaining components are able to download and reinstall the missing ones.
You need to use the latest signature files to remove spyware successfully.
The situation becomes more dangerous if the PC in question has been used to
browse porn sites or other "grey" sites. Spyware installed from those sites often
contains full keylogging capabilities and thus reveals all passwords that
you type on your PC. Some dangerous spyware specifically targets this
category of users. For example, Transponder spyware (a variant of VX2 mentioned
above) is deceptively labeled as a "free movie viewer" for "hard-core
adult content".
Disclaimer: the author of these pages has no financial relationship
with any of the companies whose products are discussed on these pages.
I am not an employee, affiliate, representative, or other agent of any of
these companies.
ComboFix is a program, created by sUBs, that scans your computer for known
malware, and when found, attempts to clean these infections automatically. In
addition to being able to remove a large amount of the most common and current
malware, ComboFix also displays a report that can be used by trained helpers
to remove malware that is not automatically removed by the program.
You should not run ComboFix unless you are specifically asked to by a helper.
Also, due to the power of this tool it is strongly advised that you do not
attempt to act upon any of the information displayed by ComboFix without
supervision from someone who has been properly trained. If you do so, it may
lead to problems with the normal functionality of your computer.
Please note that this guide is the only authorized guide for the use of
ComboFix and cannot be copied without permission from BleepingComputer.com and
sUBs. It is also understood that the use of ComboFix is done at your own risk.
New:
SanityCheck 2.00 released
SanityCheck is an advanced rootkit and malware detection tool for Windows. By
making use of special deep inventory techniques, it goes to great lengths to
detect hidden and spoofed processes and misbehaving kernel modules, and finds
a number of different hooks and hacks which are typically the work of rootkits
and malware. It creates a comprehensible report on any irregularities found.
It is already available from the Web site. Looks like there are sharp
executives at Trend Micro:
Trend Micro has acquired HijackThis, the freeware spyware-removal program
created by Merijn Bellekom. Financial terms of the deal, believed to be
all-cash, were not released. This is the second transaction between Trend
Micro and Bellekom, following the company's purchase of CWShredder, a
standalone utility used to remove the virulent Cool Web Search spyware
program.
HijackThis is the de-facto standard for spyware
removal from Windows systems. The tool generates
a plaintext logfile detailing all entries —
registry and file settings — it finds and offers
tech-savvy users the ability to remove or disable
files associated with malware.
When a Microsoft Windows-based computer becomes vulnerable, an attacker
typically uses the resources of the Windows-based computer to inflict
more damage or to attack other computers. This kind of attack typically
involves activities such as starting one or more processes, or using
TCP and UDP ports, or both. Unless an attacker hides this activity from
the Windows-based computer itself, you can capture and identify this
activity. Therefore, looking for indications of this kind of activity
can help you determine whether a system is vulnerable.
The Port Reporter tool is a program that can run as a service on
a computer that is running Microsoft Windows Server 2003, Microsoft
Windows XP, or Microsoft Windows 2000. The Port Reporter service logs
TCP and UDP port activity. On Windows Server 2003-based and Windows
XP-based computers, the Port Reporter service can log the following
information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules (.dll, .drv, and so on) that a process loads
- The user accounts that start a process
The data that is captured by the Port Reporter service may help you
determine whether a computer is vulnerable. The same data is also useful
for troubleshooting, for gaining an understanding of a computer's port
usage, and for auditing the behavior of a computer.
PR-Parser is a tool that parses the logs that the Port Reporter service
generates. For additional information about the Port Reporter service, see
Microsoft Knowledge Base article 837243 (http://support.microsoft.com/kb/837243/),
"Availability and description of the Port Reporter tool".
The PR-Parser tool provides the following three basic functions:
The PR-Parser tool has a Windows Graphical User Interface (GUI) that
makes it easier to review the logs. By using the GUI, you can sort and
filter the data in a number of ways. The PR-Parser tool helps you
identify and filter the data that you are interested in. The tool provides
the following functionalities:
- Identifies processes that you are interested in that are running
on a computer
- Tries to identify when a process that uses the name of a legitimate
process is run from the wrong folder on a computer
- Identifies the modules, such as .dll and .drv, that are loaded
on a computer
- Helps determine the time when the Internet Protocol (IP) addresses,
fully qualified domain names (FQDNs), or computer names that you
are interested in are communicating with a computer
- Identifies the ports that are used on a computer
- Helps determine when the user accounts are active on a computer
The PR-Parser tool provides some log analysis data also. This data
can help you understand the usage of a computer. This data includes
the following:
- A ranked list of local Transmission Control Protocol (TCP) port
usage
- A ranked list of local process usage
- A ranked list of remote IP address usage
- A ranked list of user context usage
- Svchost.exe service enumeration
- Port usage by hour of the day
- Microsoft Internet Explorer usage by user
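As an added example (not part of the Microsoft article and not PR-Parser's own code), the script below performs the same kinds of analysis over a small constructed log: ranked lists of local TCP ports, processes, remote addresses and users, port usage by hour, and the "legitimate name, wrong folder" check. The pipe-delimited record layout, the sample entries and the EXPECTED_FOLDER map are assumptions made for this example, not the real Port Reporter log format.

```python
"""Port Reporter-style log triage: ranked usage lists, hourly activity and
processes that borrow a well-known name but run from the wrong folder."""
from collections import Counter, defaultdict
from datetime import datetime
import ntpath

# Constructed sample log. The pipe-delimited layout below is an assumption
# made for this example and is NOT the real Port Reporter log format.
SAMPLE_LOG = r"""
2005-08-24 09:15:02|TCP|1030|192.0.2.10|80|1204|C:\Program Files\Internet Explorer\iexplore.exe|CORP\alice|0
2005-08-24 09:15:07|TCP|135|0.0.0.0|0|824|C:\WINDOWS\system32\svchost.exe|NT AUTHORITY\SYSTEM|1
2005-08-24 10:02:41|TCP|1045|198.51.100.7|8080|2210|C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe|CORP\alice|0
2005-08-24 10:03:15|UDP|1046|198.51.100.7|53|2210|C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe|CORP\alice|0
2005-08-24 10:09:00|TCP|1047|192.0.2.10|80|1204|C:\Program Files\Internet Explorer\iexplore.exe|CORP\alice|0
2005-08-24 23:30:12|TCP|1050|198.51.100.7|8080|2210|C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe|CORP\alice|0
"""

FIELDS = ("time", "proto", "local_port", "remote_ip", "remote_port",
          "pid", "process", "user", "is_service")

# Assumed map: well-known Windows binary name -> folder it is expected to run from.
EXPECTED_FOLDER = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}


def parse_records(text):
    """Parse pipe-delimited records into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        for key in ("local_port", "remote_port", "pid"):
            rec[key] = int(rec[key])
        rec["is_service"] = rec["is_service"] == "1"
        records.append(rec)
    return records


def ranked(records, field, top=10):
    """Ranked usage list for one field: 'local_port', 'process', 'remote_ip' or 'user'."""
    return Counter(r[field] for r in records).most_common(top)


def port_usage_by_hour(records):
    """Hour of day -> number of port events; activity at odd hours stands out."""
    hours = defaultdict(int)
    for r in records:
        hours[r["time"].hour] += 1
    return dict(sorted(hours.items()))


def wrong_folder_processes(records):
    """PIDs whose image name is a well-known binary but whose folder is not the expected one."""
    hits = {}
    for r in records:
        folder, name = ntpath.split(r["process"])
        expected = EXPECTED_FOLDER.get(name.lower())
        if expected and folder.lower() != expected:
            hits[r["pid"]] = r["process"]
    return sorted(hits.items())


def summarize(text):
    """PR-Parser-style summary of one log: ranked lists plus the wrong-folder check."""
    recs = parse_records(text)
    tcp = [r for r in recs if r["proto"] == "TCP"]
    return {
        "local_tcp_ports": ranked(tcp, "local_port"),
        "processes": ranked(recs, "process"),
        "remote_ips": ranked(recs, "remote_ip"),
        "users": ranked(recs, "user"),
        "by_hour": port_usage_by_hour(recs),
        "wrong_folder": wrong_folder_processes(recs),
    }


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

In the sample the process named svchost.exe running from a Temp folder is the one that shows up under "wrong_folder", and the same PID dominates the remote-address ranking.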
[Feb 24, 2007] SDFix. Download
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your Desktop.
[Aug 24, 2005] What a great app!
Thanks for recommending this freeware.
- I recently cleaned my PC from a Trojan which disabled the wallpaper
and gave a warning tool in the task bar telling me to buy some anti-malware
software. I knew this was a hack from the start and set about
cleaning the registry, resetting dodgy files in SYSTEM32 to a .doc
extension, etc., but I was not able to clean certain items: I was not
allowed to delete certain entries from the registry (in particular the
RUN key); it seemed like a permissions problem. I ran the recommended program
in a safe mode boot of XP and I cleaned everything it found, and the
machine seems much happier now!
What I would like to know is how you remove an item from the registry
when you know it's bad. I tried messing about with the permissions on
the item but nothing worked.
... ... ...
Keep up the great work!
Regards
Peter
Peter,
There are several good free registry editors and watchers. See
Free Registry Tools
for more information. But the first step is easy to do with the regular
Windows registry editor (regedit.exe).
Often spyware is pretty primitive, and removal of the component that
is installed in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry key disinfects the PC.
To do this, follow the steps outlined below. Be very careful working
with the registry and do not delete entries just because they look suspicious;
check each of them as outlined below:
- Open your registry in regedit: click "Start" (bottom left of your screen),
select "Run", type "regedit" in the command line displayed and click OK.
- In the tree that is shown select HKEY_LOCAL_MACHINE, then click on the
+ sign for each of the keys SOFTWARE, Microsoft, Windows, CurrentVersion
and Run in turn.
- Put a bookmark on the Run entry (click Favorites, Add to Favorites and
keep the name Run that Microsoft Registry Editor suggests), so that you
can get to the same place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries that have
strange names, load programs from strange locations, etc., but don't take
any action on them yet.
- Open Windows Explorer, click on Tools, Folder Options, View (use Details
view) and:
  - uncheck "Hide extensions for known file types" and "Hide protected
  operating system files";
  - check "Show hidden files and folders" and "Remember each folder's
  view settings";
  - click "Apply to All Folders" and OK.
- Find each suspicious file from the printed list of the Run section
and check its creation date. Then go to the listed directory, find the
file, select it and open Properties. Check the Version tab. If the
Description is missing, the Version is missing or the company is unknown,
then the file is suspicious.
- For each suspicious file, search Google. If the Google search proves
that this entry belongs to spyware, simply delete the key.
- For every other file, also try to search Google, but be critical of
the results and do not rush to delete it without additional consultation
in one of the forums recommended on the Fighting Adware/Spyware
Paranoia page.
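The file checks in the steps above can be scripted, which also makes the "print a baseline" advice on this page easy to act on. The following is an added example, not code from Softpanorama or from any tool named on this page: it diffs the current Run entries against a saved baseline and flags each new or changed entry using the same criteria as the manual procedure (loads from a user-writable or temp folder, a double extension hidden by "Hide extensions for known file types", missing Description or Company in the version info), handling quoted paths and rundll32-loaded DLLs when extracting the real module. The entries, paths and the VERSION_INFO table are constructed stand-ins; the read_run_key helper is optional and only works on Windows.

```python
"""Triage of HKEY_LOCAL_MACHINE Run entries against a saved baseline, using
the same checks as the manual procedure: where the file lives, whether its
extension is disguised, and whether its version info is missing."""
import ntpath
import re

# Constructed baseline (what was printed from the Run key on a clean day) and
# the entries found today. All names, paths and vendors are made up.
BASELINE = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "VendorTray": r'"C:\Program Files\Example Vendor\tray.exe" /min',
}
CURRENT = dict(BASELINE, **{
    "SysUpdate": r"C:\Documents and Settings\alice\Local Settings\Temp\update.exe -s",
    "loader": r'rundll32.exe "C:\WINDOWS\system32\hlpr32.dll",DllEntry',
    "Photo": r"C:\WINDOWS\vacation.jpg.exe",
})
# Constructed stand-in for the Properties > Version tab, keyed by lower-cased path.
# A path absent from this table means the file carries no version resource at all.
VERSION_INFO = {
    r"c:\windows\system32\ctfmon.exe": {"FileDescription": "CTF Loader", "CompanyName": "Microsoft Corporation"},
    r"c:\program files\example vendor\tray.exe": {"FileDescription": "Example tray agent", "CompanyName": "Example Vendor Ltd."},
    r"c:\documents and settings\alice\local settings\temp\update.exe": {"FileDescription": "", "CompanyName": ""},
    r"c:\windows\system32\hlpr32.dll": {"FileDescription": "Helper", "CompanyName": ""},
}

# Either a quoted path, or the shortest prefix that ends in an executable extension.
COMMAND_RE = re.compile(r'^(?P<exe>"[^"]+"|.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s+(?P<args>.*))?$', re.I)
# Folders any user can write to: a program auto-starting from here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# "vacation.jpg.exe" looks like "vacation.jpg" while known extensions are hidden.
DOUBLE_EXT = re.compile(r"\.(?:jpg|jpeg|gif|png|txt|doc|pdf|mp3)\.(?:exe|scr|com|pif|bat|cmd)$", re.I)


def split_command(cmd):
    """Split a Run value into (executable path, argument string)."""
    m = COMMAND_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("exe").strip('"'), (m.group("args") or "").strip()


def loaded_module(cmd):
    """Path that actually gets loaded; for rundll32 that is the DLL in the first argument."""
    exe, args = split_command(cmd)
    if ntpath.basename(exe).lower() == "rundll32.exe" and args:
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def triage_entry(cmd, version_info):
    """Reasons an autostart entry deserves a closer look; an empty list means nothing odd."""
    low = loaded_module(cmd).lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("loads from a user-writable or temp folder")
    if DOUBLE_EXT.search(ntpath.basename(low)):
        reasons.append("misleading double extension (invisible while 'Hide extensions for known file types' is on)")
    info = version_info.get(low)
    if info is None:
        reasons.append("no version information at all")
    else:
        for field in ("FileDescription", "CompanyName"):
            if not info.get(field):
                reasons.append(f"version info lacks {field}")
    return reasons


def diff_against_baseline(baseline, current):
    """Entries added, changed or removed since the saved baseline of the Run key."""
    added = {n: c for n, c in current.items() if n not in baseline}
    changed = {n: c for n, c in current.items() if n in baseline and baseline[n] != c}
    removed = sorted(n for n in baseline if n not in current)
    return added, changed, removed


def triage_run_key(baseline, current, version_info):
    """Triage only what changed since the baseline: {entry name: [reasons]}."""
    added, changed, _ = diff_against_baseline(baseline, current)
    return {name: triage_entry(cmd, version_info) for name, cmd in {**added, **changed}.items()}


def read_run_key():
    """Windows only: read the live HKLM Run key, the same values regedit shows in the steps above."""
    import winreg  # standard library on Windows; the import fails elsewhere
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _ = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries


if __name__ == "__main__":
    for name, reasons in triage_run_key(BASELINE, CURRENT, VERSION_INFO).items():
        print(name, "->", "; ".join(reasons) or "ok")
```

On a real machine you would replace CURRENT with read_run_key() and fill the version table from each file's Properties > Version tab (or a version-info library); the triage logic itself stays the same.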
Microsoft Windows AntiSpyware (Beta) is a security technology that
helps protect Windows users from spyware and other potentially unwanted
software. Known spyware on your PC can be detected and removed. This
helps reduce negative effects caused by spyware, including slow PC performance,
annoying pop-up ads, unwanted changes to Internet settings, and unauthorized
use of your private information. Continuous protection improves Internet
browsing safety by guarding more than 50 ways spyware can enter your
PC. Participants in the worldwide SpyNet™ community play a key role
in determining which suspicious programs are classified as spyware.
Microsoft researchers quickly develop methods to counteract these threats,
and updates are automatically downloaded to your PC so you stay up to
date.
Some anti-spyware companies use confusing ads, and our
tests show their $20-$60 products are less effective than free competitors.
You've almost certainly
encountered the ads: A dialog box pops up on
your system, bearing the message "Warning! Your
computer may be infected with spyware" and suggesting
that you scan your computer immediately. Click
it, and you often reach a Web site providing
a "free spyware scanner" that finds all sorts
of malware on your PC--and then offers to sell
you software that will clean it all up.
Should you buy these
products? Based on our tests, our opinion is
no. Following complaints from several PC
World readers, we tested seven heavily advertised
spyware-removal tools--
MyNetProtector,
NoAdware,
PAL Spyware Remover,
SpyAssault,
SpyBlocs,
Spyware Stormer, and
XoftSpy--and found that none were as effective
as reputable free products such as
Spybot Search & Destroy. A couple
even installed new spyware.
I did a little poking around in the Microsoft
Knowledge Base and found that this was not an unusual problem and that
it was caused by corruption of the Winsock. I hadn't thought about the
Winsock—the Windows TCP/IP socket API and IP stack—in years, at least
not since the advent of Windows XP. But it used to be a veritable Achilles'
heel for Windows systems.
The Knowledge Base gave command line
NetShell instructions that would reset the Winsock to its default configuration,
and also listed Registry entries that I could remove to force a reload
of the Winsock and TCP/IP stack. The two essential articles are 811259
and 299257. But before I did that, I decided to look further to figure
out how the Winsock had become corrupted.
A little more investigation pointed to
adware and spyware. Evidently some ad/spyware modifies the Winsock or
installs itself into the IP stack to give ads access to your system—or
to give a hacker free rein. When you run the removal programs (you do,
don't you?), the shims inserted by the adware are not removed, but they
no longer link to anything. The stack becomes unstable, and it begins
reporting errors and behaving erratically.
I also came across a freeware application
that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates
a backup of your registry and then repairs any Registry entries that
may have been affected by adware removal. Unlike the Microsoft solution,
it doesn't remove the stack and force you to reload TCP/IP.
I decided to try it (I had a recent,
full backup of my system on one of Iomega's great new REV 35GB removable
hard drives, so I didn't mind living dangerously), and it worked perfectly.
No more dropped wireless connections and no more "cable unplugged" error
messages. You can find WinSock XP Fix at a number of shareware sites,
including
www.spychecker.com/program/winsockxpfix.html.
Trying to make Windows more secure, Microsoft
released Windows XP Service Pack 1 in 2003, and
Service Pack 2 recently. Whereas SP1 focused on remedying antitrust
violations with bundled Windows utilities, almost all of SP2 is devoted
to beefing up Internet security. SP2 doesn't thoroughly shield you from
attacks, but it's definitely worth installing for its firewall improvements,
Internet Explorer pop-up blocking, and security-configuration changes.
Once you've installed it, you'll probably want to tweak some of SP2's
new settings, and to know where--tweaked or not--the reinforced OS remains
vulnerable.
SP2's most noticeable
change to Windows XP is its introduction of a new Security Center Control
Panel applet (see
FIGURE 1). Security Center itself doesn't do much, but it provides
a single location where you can view the status of the Windows Firewall
(formerly known as Internet Connection Firewall) and of Windows' Automatic
Updates service. The utility also tracks if you have an antivirus program
installed, running, and updated.
If any of these three
key security tools has been disabled or is less than fully functional,
Security Center changes their corresponding status lights from green
to either red or amber. The program also displays a warning icon in
the system tray. A red light means that you should probably take steps
to beef up security in the indicated area. An amber light signifies
a service that is only partly enabled, or that a third-party product
handles.
But even if all your
dashboard security lights are green, you aren't necessarily safe. Conversely,
certain red or amber conditions--triggered when Windows doesn't recognize
your third-party firewall or antivirus program, for example--may be
acceptable to you. So how do you disable that pesky tray icon?
Start by opening
the Security Center: Choose Start, Control Panel and click
Security Center. Many people will see a bank of green lights, thanks
to SP2's more secure default settings. The firewall is now enabled by
default for all Internet connections, which is a good thing if you don't
have a third-party firewall program. The Automatic Updates feature downloads
and installs often-crucial security updates from Microsoft while you're
online. Unless you went out of your way to disable it during installation
of Service Pack 2, this option will be fully enabled as well. And if
you've installed an antivirus program that Microsoft recognizes, you'll
get a green light in the virus-protection area.
On the Rogues page, there
is a section for
Trustworthy Anti-Spyware Products . There are spyware removal help
forums, such as my own, where people
discuss and compare products, often from having used and tested
them. Other spyware removal help forums are also good sources of information.
Download.com lists products and has reviews from consumers as well.
I would take some of the reviews there with a grain of salt however,
since they can be spammed by people who want to promote a particular
product. Download.com does indicate the sponsored products in the listings.
It's not clear whether this site is independent or objective, but it still
contains a comparison that you might benefit from. Ad-Aware is rated No. 5
and S&D No. 6. The test scores are very questionable, as there is no
information about the spyware mix used:
Spyware Test Score (product names not preserved in this copy): 91%, 90%, 88%, 84%, 64%, 63%, 50%, 45%, 37%, 31%
Here are reviews of top free products. Both are grossly
unfair:
Ad Aware came in fourth.
While it offers comparable protection to Spy Sweeper
and Spyware Eliminator, it lacks some basic features
(such as scheduling) and the user interface is very
difficult to use. It is also priced higher than the
other products. Some users report that the program doesn’t
install correctly and there are reports that it has
even corrupted hard drives, making some PCs unbootable
(we did not experience these problems on our test computers).
Despite lavasoft's claim that Ad-Aware protects against
over 24,000 spyware programs, we found its coverage
to be lacking.
My comments: What an idiotic requirement to have an independent scheduler.
The reviewers seem to be openly hostile to the product, and it is fair to
assume that they are just peddling a different product no matter what...
Spybot S&D
is the most well-known freeware removal
tool on the market. The best part about
Spybot S&D is that it’s free! The worst
part is that you get what you pay for.
Because Spybot S&D gives away their
product, they can’t afford to give good
customer support, nor is their product
particularly stable on Windows XP. On
our test platform, Spybot S&D brought
our browser (Internet Explorer 6) to
its knees. After installation, we were
unable to download anything in under
two minutes, and web pages took an excruciatingly
long time to load. Alas, we fixed the
problem by running Spy Sweeper! At last
count, Spybot S&D only effectively protected
against about 200 spyware products.
If you can afford a modest fee, we highly
recommend you choose a commercial product.
My comments: The claim that Spybot S&D is not stable on Windows XP is a
deliberate attempt to downgrade a fine product. It is reasonable to expect
that a free product requires slightly more knowledge to run than a
commercial one, but the reviewer does not understand that Spybot provides
some tools for fighting arbitrary spyware, not just scanning for known
pests.
Obsolete since Microsoft introduced the free Windows Defender.
Berkes Notify allows you to monitor a specified directory and be notified if
files are changed, added or deleted. The program runs from the command
line and pops up a small dialog if changes are detected. Small, simple
and useful.
StartupMonitor watches the Start Menu's Startup folders
and the Run entries in the registry.
StartupMonitor does not
require Startup Control Panel, but it complements it nicely. When you
choose not to allow a program to register itself, the program's entry
becomes disabled in Startup Control Panel, so you can go back and enable
it later if necessary. StartupMonitor watches the Start Menu's Startup
folders and the Run entries in the registry.
StartupMonitor has been tested on Windows 98, Windows 98SE, Windows ME,
Windows NT 4.0, Windows 2000, and Windows XP; unfortunately, it does not
function correctly under Windows 95 because of some unimplemented routines
in the operating system.
Have you just about had it with sneaky spyware installations,
pesky third-party cookies from pushy advertisers and marketers, and
the unending blizzard of popups and popunders from web sites? Haven't
you really had just about enough of these obnoxious, invasive practices
that trash your computer and violate your privacy?
Then it's time you said, "Enough is Enough!"
Overview
Enough is Enough! is a lockdown utility for Internet Explorer
5 and 6. When you install Enough is Enough!, it will:
- Lock down your Internet and Restricted
sites zones with restrictive settings for dangerous
options like ActiveX, Java, scripting, and a few others.
- Severely restrict the use of cookies
(but not completely disable them for trusted web sites
or for single session use).
- Disable several Advanced settings,
including Install on Demand and Third-party Browser
Extensions.
- Install Microsoft's IE PowerTweaks
WebZone Accessory, putting two new options on your
IE Tools menu, with corresponding buttons on your Toolbar:
"Add to Trusted Zone" and "Add to Restricted Zone."
With these new Internet Explorer settings you will
be protected from the more dangerous elements of the web without having
to worry about putting known nasties into your Restricted sites zone:
- You'll be protected from rogue
crapware installations (e.g., Gator, BonziBuddy,
WebHancer, Lop.com, and the like).
- You won't be accepting cookies
from direct marketing outfits who seek to monitor
and track your travels around the Net.
- You'll put an end to annoying,
useless popups at most web sites by default.
- You'll put all web sites on a
"short leash" until you trust them enough to add
them to your Trusted sites zone.
In short, Internet Explorer will start behaving as
YOU want it to behave, not as direct marketers and spyware pushers want
it to behave. What you do with Enough is Enough! is enforce your
very own "opt-in" policy: no web sites get to use permanent cookies,
ActiveX, Java, JavaScript and other dangerous Internet Explorer options
until you explicitly give them the go-ahead by putting those sites into
your Trusted zone.
Caution!
A word of warning: the severely restrictive IE settings that Enough
is Enough! uses will break many web sites until you add them to
your Trusted sites zone. These settings will also disable third-party
browser add-ons (commonly known as "plugins").
Keep in mind that you can always tweak IE's settings through the Internet
Options box after installing Enough is Enough!
And of course, Enough is Enough! installs Microsoft's Power Tweaks
WebZone Accessory so that you can quickly and conveniently add sites
you visit frequently (and which require permanent cookies or certain
types of active content) to the Trusted sites zones. Once you add a
site that you trust to the Trusted sites zone, it should start working
again.
See the section in the
ReadMe
titled "Coping with Problem Web Sites & Browser Add-ons" below for more
advice on dealing with problem web sites and third-party browser add-ons.
More than Enough?
Enough is Enough! isn't for everyone. If you find broken web
sites extremely frustrating, and taking the time to add web sites to
your Trusted sites zone is too annoying for you to deal with, then
Enough is Enough! might be "more than enough" for you -- it might
be much too much.
There are several uninstallation options, so you're not stuck with
Enough is Enough! by any means, should you decide that it's not
for you (see the "Uninstallation" section in the
ReadMe
for more details).
If Enough is Enough! isn't for you, you might consider downloading
and installing IE-SPYAD. IE-SPYAD will add a long list
of known advertisers, marketers, and crapware pushers to your Restricted
sites zone, giving you a large measure of protection from the nastier
elements of the web while still allowing you to keep your Internet zone
settings fairly loose. You can download IE-SPYAD
HERE.
Compatibility
Enough is Enough! is compatible with Internet Explorer 5.0 and
above. The installer (INSTALL.BAT) will detect if you're using Internet
Explorer 6.0 and adjust the settings it installs accordingly. Enough
is Enough! also works with Windows XP Service Pack 2.
Enough is Enough! should not be used on Internet Explorer 3.0
or 4.0 (though the installer will let you do it). If you mistakenly
install Enough is Enough! on Internet Explorer 3.0 or 4.0, you
can uninstall it and restore your previous IE settings by re-running
INSTALL.BAT.
Installation & Use:
Download one of the following files from the
Download section below:
- is a self-extracting .ZIP file, which you can double-click on to extract the files inside (default dir is C:\ENOUGH).
- requires that you have a "zip/unzip" program like WinZip, 7-Zip, or PowerArchiver to extract the files.
After you explode the files from the archive you downloaded,
run INSTALL.BAT, or consult README.TXT for more information about this
utility. You can view an online version of README.TXT
HERE.
Download:
These files have been signed with my 4096/1024 DH/DSS PGP key. You can get it and my other PGP keys HERE.
The PGP signature files are digital signatures
that PGP users can use to verify the integrity and origin of
the download packages. If you're not a PGP user, you don't have
to download the PGP signature files (or my PGP public
keys) in order to use the utilities that I make available. If you're
interested in learning more about PGP, check some of the links
on
THIS page.
This program
is Please read this
License & Disclaimer.
Last Updated: Apr 14 '02
You are troubleshooting a suspected conflict
between programs, and need to temporarily prevent programs from loading
when Windows starts. The programs in question are loading from one of
the Run keys in the Windows registry.
Solution:
CAUTION: We strongly recommend that you back up the system registry
before making any changes. Incorrect changes to the registry could result
in permanent data loss or corrupted files. Please make sure you modify
only the keys specified.
Please request the document,
How to back up the Windows registry,
before proceeding.
NOTE: If you are using Windows 98/Me/XP, as an alternative you
can use the System Configuration Utility that is included with these
operating systems. For these operating systems, this is the recommended
method, as it does not require you to edit the registry. Please see
your Windows 98/Me/XP documentation or the section "4. Disable unnecessary
startup items" in the document,
Basic guide to optimizing system resources for instructions on how
to do this.
To temporarily remove values from the RUN keys in the Windows registry:
1. Click the Start button and then click Run. The Run dialog box appears.
2. Type regedit and click OK. The Registry Editor opens.
3. Navigate to the following key, and open it:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. The right pane will display one or more string values.
   - If you only see (Default) or SystemTray, go on to step 10.
   - If there are additional values, for each value other than (Default) or SystemTray, follow the instructions in steps 5 through 9.
5. Double-click a String Value in the right pane. The Edit String dialog box will appear with the value selected.
6. Press the Home key on the keyboard. The cursor should be to the left of the string value, and the value should no longer be selected.
7. Type rem and press the Spacebar once. This remarks out the string value, and prevents the program from loading when Windows starts.
8. Click OK.
9. Repeat these steps for each string value you want to remark (REM) out.
10. Navigate to the following key, if it exists, and open it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
11. Repeat steps 4 through 9.
12. Some computers may also have Run or RunServices keys in the following location:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or \RunServices)
    If it exists, repeat steps 4 through 9 for this location as well.
13. Exit the Registry Editor when you finish changing these values, and restart the computer.
14. Check to see whether or not this resolves the problem.
15. If it does, and you want these programs to load with Windows, add back one string value at a time by removing the REM and the following space.
16. Restart Windows, and then test the system after each addition. When you find the key causing the problem, you can either REM it out in the registry or delete the value.
NOTE: If you do this in Windows NT 4.0, for each REM line that
exists you will see the following message when Windows NT boots:
"Cannot find the file REM (or one of its components). Make sure the
path and filename are correct and that all required libraries are available."
You will need to click OK for each REM line that generates the message.
To avoid this each time you start Windows, once you have determined
the program that is causing the problem, delete the string value for
that program.
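The same rem-out procedure as a script, added here as an example (it is not part of the Symantec document or of this page): it walks the four Run/RunServices keys the steps name, lists every value, exports the key with reg.exe as a backup, and prefixes the chosen value with "rem ". The value name ExampleStartupItem is a hypothetical placeholder.

```powershell
# Added example, not from the original page: script the Run-key "rem" procedure
# described above. Assumes PowerShell 3+ on Windows; run elevated for the HKLM keys.
param(
    [string]$ValueName = 'ExampleStartupItem',                 # hypothetical placeholder
    [string]$BackupDir = (Join-Path $env:TEMP 'run-key-backup')
)

# The same four locations the manual steps walk through.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
# Properties Get-ItemProperty adds on top of the registry values themselves.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    # One object per registry value, with a Disabled flag for entries already rem-ed out.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            [pscustomobject]@{
                Key      = $key
                Name     = $p.Name
                Command  = $p.Value
                Disabled = ("$($p.Value)" -match '^rem\s')
            }
        }
    }
}

function Backup-RunKey([string]$Key) {
    # reg.exe wants HKEY_LOCAL_MACHINE\..., not the PSDrive form.
    $regPath = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    return $file
}

function Disable-AutostartEntry([string]$Key, [string]$Name) {
    # Step 7 of the manual procedure: prefix the command with "rem " so Windows
    # cannot launch it; the original command text stays in the value.
    $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ("$current" -match '^rem\s') { Write-Host "$Name is already disabled"; return }
    $backup = Backup-RunKey $Key
    Set-ItemProperty -Path $Key -Name $Name -Value ("rem " + $current)
    Write-Host "Disabled '$Name' in $Key (backup: $backup)"
}

function Enable-AutostartEntry([string]$Key, [string]$Name) {
    # Step 15: put an entry back by removing "rem" and the following space.
    $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
    Set-ItemProperty -Path $Key -Name $Name -Value ("$current" -replace '^rem\s+', '')
}

# Show what starts with Windows, then rem out the requested value wherever it occurs.
Get-AutostartEntries | Format-Table -AutoSize
Get-AutostartEntries | Where-Object { $_.Name -eq $ValueName } | ForEach-Object {
    Disable-AutostartEntry -Key $_.Key -Name $_.Name
}
```

Enable-AutostartEntry reverses a single change; the exported .reg file in $BackupDir restores the whole key if needed.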
In case of broken links please try to use Google search. If you find the page please notify us about the new location.
- PCWorld.com list of antispyware tools
- PestPatrol provides a free Spyware scan: PestScan – free online Spyware scanner from PestPatrol. This is probably the simplest way to scan your PC, but please note that it is not very accurate. Please note that the vendor was recently bought by Computer Associates, the company that killed a lot of software projects it bought, so the quality of the commercial version is now suspect... PestPatrol also has a nice spyware database at research.pestpatrol.com.
- Ad-Aware: scan your system for advertising Spyware. This free utility scans your memory, hard drives, and your Registry for references to spyware like Gator, Cydoor, DSSAgent, Alexa. http://www.lavasoftusa.com
- SpyBot: a spyware scanner that is generally similar to Ad-Aware, but contains some nice tools like a process viewer and a host blocking list
- BHODemon: freeware that lets you monitor and disable "Browser Helper Objects"
- Browser Hijack Blaster: warns you of the next hijack attempt - free
- Merijn.org: home to several nice antispyware tools like HijackThis
-
StartupList (zipped):
A simple tool that lists all and every auto starting program on
your system. You might be surprised what it finds, this is way better
than Msconfig. Commonly used to troubleshoot malfunctioning systems,
trojan/viral infections, new spyware/malware breed and the likes.
Currently at version: 1.52.1
-
HijackThis (zipped):
A general homepage hijackers detector and remover. Initially based
on the article
Hijacked!, but expanded with almost a dozen other checks against
hijacker tricks. It is continually updated to detect and remove
new hijacks. It does not target specific programs/URLs, just the
methods used by hijackers to force you onto their sites. As a result,
false positives are imminent and unless you are sure what you're
doing, you should always consult with knowledgeable folks (e.g. the
forums)
before deleting anything.
A rudimentary HijackThis log tutorial by me is available
here.
The official HijackThis QuickStart for posting on the SpywareInfo
forums is available
here.
Currently at version: 1.97
-
CWShredder: (zipped)
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll,
White-Pages.ws and a dozen other names). Spybot S&D tends to forget
essential parts of the hijack, so until it updates, you can just use
this to completely remove the hijack. Updated to remove the new
variants once they come out.
Read my article with documentation on Coolwebsearch
here.
Updated very, very often
-
BHOList: A frontend for TonyKlein's
BHO Collection that downloads the list, and displays it in a
sortable, searchable list. You can also export it to a file and
load that file back instead of downloading it from SWI.
Currently at version: 1.20
-
Uptimer4: A bar that sits at the top of your screen and can
display over 20 pieces of system information that might be useful
to you. System time, system date, uptime, free RAM, free pagefile,
free disk space, CPU usage, IP address(es), Winamp controls, battery
status, running programs, netstat, etc.
This project is currently suspended until I have more time to
update it. Keep sending in bug reports though. :)
(Some functions may not work properly with Windows 95 and Windows
NT4 without SP6.)
Currently at version: 1.0 (beta)
-
KazaaBegone: A Kazaa uninstaller which scans and removes all
elements of all Kazaa versions, as well as all of the bundled software
that comes with it.
Warning: This version has a bug
that can cause your Internet connection to be broken when removing
New.Net, WebHancer or CommonName. An update is being worked on.
If you still want to use KazaaBegone, download
LSPFix to fix your Internet connection (download it before
you run KazaaBegone, of course).
Currently at version: 1.10
The free version of the Spybot Search and Destroy scanner and/or Ad-Aware provide better results (provided you are using the latest signatures) and are recommended for checking. Please note that before the scan you do need to download the latest signature file separately (older signature files miss the most recent mutations of engines like SAHAgent).
The recently written Spyware Removal Guidelines use Spybot S&D as an example, as it provides some additional useful tools, but good old Ad-Aware is also an extremely useful tool and can find and disinfect some Spyware variants that are missed by Spybot S&D (see, for example, its VX2 cleaner plugin that I mentioned before). You probably are better off using both.
Recommended Papers
PC Review - Spyware and Adware Removal
HijackThis is a
heuristic spyware detector and remover. Initially based on the article
Hijacked!, but expanded with almost a dozen other checks against homepage
hijacker tricks. It is continually updated to detect and remove new hijacks.
It does not target specific programs/URLs, just the methods used by hijackers
to force you onto their sites. As a result, false positives are imminent
and unless you are sure what you're doing, you should always consult with
knowledgeable folks (e.g. the
forums) before
deleting anything.
HijackThis quickly scans a user's computer, and creates a list of running processes and some settings. Comparison of this list with a known spyware-free environment greatly helps to decide what from the list needs to be removed. In addition to this scan and remove capability HijackThis comes with several tools useful in manually removing malware from a computer.
Please note that blind use of its removal facilities can cause significant software damage to a computer. If you do not have a map of your spyware-free environment you should carefully check the name of the program that you view as suspicious via Google.
Tutorials
BHOs are similar to programs that run from autoexec.bat, but they run during the start of IE rather than DOS. The MS article Browser Helper Objects: The Browser the Way You Want It explains the concept. Spyware BHOs can conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance.
BHOList contains the list of known BHOs with classification into several categories. To view the list of the BHOs that are installed on your machine you can use HijackThis or the more specialized program BHODemon (freeware).
Example 1: The LOP spyware creates random BHO identifiers (as well as correspondingly named files). Registry entries look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
Be aware of this possibility if you discover unknown BHOs with random names. Several other spyware products use random or semi-random BHO names.
Example 2: Vx2 and its derivatives (Data Transponder,
etc). Vx2 is a browser helper object (BHO) that was included in the
AudioGalaxy Satellite file-sharing system, but a user outcry got it removed
in November 2001. Today, vx2 and its variants can be found in a "free" viewer
for adult video content and the "free" products from Mindset Interactive.
According to PestPatrol,
"it is hard to tell where this piece of spyware originated. It was first
seen as Blackstone Data's Transponder, but repackaged versions of the same
product are popping up under several different companies." PestPatrol lists
the aliases of the code and sources of each as Transponder from Blackstone
Data; vx2, RespondMiter and Sputnik from vx2, Corp.; Aadcom Extreme Targeting
from Aadcom; NetPal from NetPalNow and also Mindset Interactive.
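An added example (it is not from this page, nor from BHODemon or HijackThis) that enumerates the registered BHOs the way those tools do: it resolves each CLSID to its DLL through InprocServer32, checks the file's Authenticode signature, and flags random-looking DLL names like the LOP ones in Example 1. The vowel-ratio heuristic and its 0.2 threshold are my own assumption, a triage hint rather than a verdict.

```powershell
# Added example, not from the original page: list IE Browser Helper Objects
# from the registry and flag LOP-style random DLL names. Assumes PowerShell 3+.

# BHOs are registered by CLSID under these keys (the second one holds 32-bit
# BHOs on 64-bit Windows).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Test-RandomLookingName {
    # Heuristic (an assumption, not a rule): generated names such as
    # ssshwckfrngl.dll are long and nearly vowel-free. Returns $true when the
    # base name is at least 8 characters and fewer than 20% of them are vowels.
    param([string]$FileName)
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName).ToLower()
    if ($base.Length -lt 8) { return $false }
    $vowels = [regex]::Matches($base, '[aeiou]').Count
    return ($vowels / $base.Length) -lt 0.2
}

function Resolve-BhoDll([string]$Clsid) {
    # The DLL behind a CLSID is the default value of its InprocServer32 key.
    foreach ($root in $ClsidRoots) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-BhoReport {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll = Resolve-BhoDll $clsid
            $status = 'NoInprocServer32'
            $random = $false
            if ($dll) {
                $random = Test-RandomLookingName $dll
                if (Test-Path -LiteralPath $dll) {
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                } else {
                    $status = 'FileMissing'
                }
            }
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Signature  = $status
                RandomName = $random
            }
        }
    }
}

# Random-looking names and non-Valid signatures go to the top of the list for review.
Get-BhoReport | Sort-Object RandomName, Signature -Descending | Format-Table -AutoSize

# The three LOP file names quoted above, as constructed input for the heuristic.
foreach ($n in 'ssshwckfrngl.dll', 'llbrquistglc.dll', 'kstilypsm.dll') {
    '{0,-20} random-looking: {1}' -f $n, (Test-RandomLookingName $n)   # all three: True
}
```

Treat a RandomName hit with a Signature other than Valid as a candidate to look up in BHOList, not as grounds to delete the entry.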
Recommended Links:
- Browser Helper Objects: The Browser the Way You Want It -- Microsoft article explaining the concept.
- Sysinfo.org
- the home of BHO database
Sysinfo.org/BHO search list
-
BHODemon 2.0
BHODemon,
our free program that lets you monitor
and disable "Browser Helper Objects", is featured in the 12/1/2001
issue of the weekly
Lockergnome
newsletter. Click
here to learn why you need this program! (For current
users,
here is the list of all known BHOs.)
-
BHO Cop, PC Magazine Utility Library utility, which
gives you the ability to find out what BHOs are attached to your copy
of Internet Explorer, and then empowers you to kill (disable) any BHO
you find suspicious. Simply install and run BHO Cop (
download here
) to see a list of BHOs attached to Internet
Explorer. To disable a BHO, uncheck the box next to its name. When you're
finished managing BHOs, just click Exit.
LSP-Fix - a
free program to repair damaged Winsock 2 stacks
Repairs Winsock 2 settings, caused by
buggy or improperly-removed Internet software, that result in loss of
Internet access
LSP-Fix is a free utility to repair
a specific type of problem associated with certain Internet software.
This type of software is known as a Layered Service Provider or LSP,
a piece of software that can be inserted into the Windows TCP/IP handler
like a link in a chain. However, due to bugs in the LSP software or
deletion of the software, this chain can get broken, rendering the user
unable to access the Internet.
Unfortunately, this type of software
is sometimes quietly installed by unrelated software such as file-sharing
programs, sneaking onto a system unannounced. In fact, in many cases,
the user does not know of its existence until something goes wrong,
and he/she can no longer access Web sites. Common offenders include
New.net*
(NEWDOTNET) and
WebHancer*,
which are often bundled with file-sharing utilities, DVD player software,
and other free downloads. LSP-Fix repairs the Winsock LSP chain by removing
the entries left behind when LSP software is removed by hand (or when
errors in the software itself break the LSP chain), and removing any
gaps in the chain.
LSP-Fix is not a malware removal
utility and does not target specific products. LSP-Fix does not delete
any files.
Downloads: (All downloads will fit easily on a floppy disk.)
- lspfix.zip - Includes the program and documentation
Using LSP-Fix to remove O10 Entries in HijackThis
This self-help guide will
walk you through using LSP-Fix to remove unwanted LSPs
Warnings:
Removing LSPs can cause your
computer's Internet connection to no longer work. If
you follow these instructions carefully, you should
not have a problem. If you feel that you are not comfortable
doing this on your own, then please ask for help in
our
forums.
What are LSPs:
LSPs are programs that are attached to the networking protocols on Windows XP and 2000 computers. When an unwanted LSP connects to this chain, it has the ability to manipulate any data that passes through it to its own ends. It is important to note that not all LSPs are bad, so it is important to do research as to whether or not the LSP you are going to remove is indeed unwanted. We will provide all the tools necessary, though, so that you can determine this.
Symptoms in a HijackThis Log:
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
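An added example, not from this page, LSP-Fix or HijackThis: it reads the Winsock 2 protocol catalog directly from the registry, resolves each provider DLL and flags entries whose DLL is gone, which is the broken-chain condition LSP-Fix repairs and HijackThis lists as O10 entries. It assumes the catalog lives under Protocol_Catalog9 (Catalog_Entries, plus Catalog_Entries64 on 64-bit Windows) and that each PackedCatalogItem begins with the provider path.

```powershell
# Added example, not from the original page: enumerate the Winsock LSP chain and
# report dangling providers. Assumes PowerShell 3+; reading needs no elevation.

$CatalogRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64'
)

function Get-PackedCatalogPath {
    # PackedCatalogItem (REG_BINARY) starts with the provider's library path as a
    # NUL-terminated ANSI string; the WSAPROTOCOL_INFO data follows it.
    param([byte[]]$Packed)
    $end = [Array]::IndexOf($Packed, [byte]0)
    if ($end -lt 0) { $end = $Packed.Length }
    $path = [Text.Encoding]::Default.GetString($Packed, 0, $end)
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-WinsockCatalog {
    # One object per catalog entry: which DLL it points at, whether the file
    # still exists, and how its Authenticode signature checks out.
    foreach ($root in $CatalogRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $packed = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
            if (-not $packed) { continue }
            $dll = Get-PackedCatalogPath $packed
            if (-not $dll) { continue }
            $present = Test-Path -LiteralPath $dll
            $signed = 'n/a'
            if ($present) { $signed = (Get-AuthenticodeSignature -FilePath $dll).Status }
            [pscustomobject]@{
                Catalog = Split-Path $root -Leaf
                Entry   = $entry.PSChildName
                Dll     = $dll
                Present = $present
                Signed  = $signed
            }
        }
    }
}

$catalog = Get-WinsockCatalog
$catalog | Format-Table -AutoSize

# Entries whose DLL no longer exists are the links that break the chain.
$dangling = $catalog | Where-Object { -not $_.Present }
if ($dangling) {
    "Dangling LSP entries (cross-check with 'netsh winsock show catalog' before repairing):"
    $dangling | Format-Table Catalog, Entry, Dll -AutoSize
} else {
    'No dangling Winsock catalog entries found.'
}
```

A Present entry with an unknown, unsigned DLL outside the Windows directory is the other case worth researching before touching anything, exactly as the tutorial advises.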
PC Magazine Opinion Corruption at the Jersey Shore
I did a little poking around in the Microsoft
Knowledge Base and found that this was not an unusual problem and that
it was caused by corruption of the Winsock. I hadn't thought about the
Winsock—the Windows TCP/IP socket API and IP stack—in years, at least
not since the advent of Windows XP. But it used to be a veritable Achilles'
heel for Windows systems.
The Knowledge Base gave command line
NetShell instructions that would reset the Winsock to its default configuration,
and also listed Registry entries that I could remove to force a reload
of the Winsock and TCP/IP stack. The two essential articles are 811259
and 299257. But before I did that, I decided to look further to figure
out how the Winsock had become corrupted.
A little more investigation pointed to
adware and spyware. Evidently some ad/spyware modifies the Winsock or
installs itself into the IP stack to give ads access to your system—or
to give a hacker free rein. When you run the removal programs (you do,
don't you?), the shims inserted by the adware are not removed, but they
no longer link to anything. The stack becomes unstable, and it begins
reporting errors and behaving erratically.
I also came across a freeware application
that does a partial Winsock reset for you. WinSock XP Fix 1.2 creates
a backup of your registry and then repairs any Registry entries that
may have been affected by adware removal. Unlike the Microsoft solution,
it doesn't remove the stack and force you to reload TCP/IP.
I decided to try it (I had a recent,
full backup of my system on one of Iomega's great new REV 35GB removable
hard drives, so I didn't mind living dangerously), and it worked perfectly.
No more dropped wireless connections and no more "cable unplugged" error
messages. You can find WinSock XP Fix at a number of shareware sites,
including
www.spychecker.com/program/winsockxpfix.html.
Yahoo!
Toolbar has anti-Spyware feature. CNET rates Y! Toolbar 5 out of 5!
"Yahoo has definitely become the toolbar to beat."
Intro Yahoo Toolbar - ZDNet Reviews
Yahoo offers a bewildering number of
services and options on its site, and the company's toolbar is no exception.
With a generous portion of specific types of searches, more customization
options than you can shake a stick at, a pop-up blocker that goes above
and beyond, and even a spyware killer, Yahoo Toolbar gets our seal of
approval.
Installing Yahoo Toolbar was easy in
our tests; it took us less than a minute to download and run the install
program (0.4MB for the toolbar only or 3MB for the toolbar and Yahoo's
Anti-Spy utility). Once the toolbar is installed, you'll need to either
sign in to your Yahoo account or register for one--a minor inconvenience.
Once inside, you're then taken to a Web page where you can choose from
literally dozens of buttons and services. You can reorder the buttons
in any way you want (most toolbars don't give you that flexibility)
and view icons and text or icons only--impressive. Our sole complaint
is that you can't resize the smallish search box.
Yahoo Toolbar serves up a generous variety
of search types, including the Web, current site, images, local services,
news, products, maps, Yellow Pages, directory, stock quotes, and movie
showtimes, each using specific Yahoo search services rather than tacking
"news on" or "maps of" onto a search. All that's missing from the list
is the weather, and while an optional weather toolbar button is available,
you will have to enter a city or a zip code in the Web page. You also
get a garden-variety highlighter that calls out where your search results
appear on a given page.
Yahoo Toolbar with Anti-Spy - User opinions and free download at Download.com
"Good overall"
30-Nov-2004 10:50:00 PM
Phil from Massachusetts
First, I'll say that if any other adware detectors report adware or
spyware within the Yahoo toolbar, it's a false positive, because there
isn't any. Adware detectors often interfere with each other and
detect each other as adware, so this isn't surprising.
Now, to rate the product itself. On the
upside, it has more features than the Google toolbar, and the spyware
detector is pretty decent, although not as good as commercial products.
The pop-up blocker is effective at blocking most common types of popups,
but is quite powerless against certain obscure popup types, including
those caused by Java error handlers and a few other kinds. These popups
are rare in the real world though, and I would estimate that it blocks
90 to 95 percent of all popups, and doesn't interfere with routine surfing.
The one significant downside is that it is a bit unstable.
The Y! Toolbar module has crashed Internet
Explorer about 7 times during the 200 hours that I've used it during
routine surfing, which isn't too awful, but hardly sterling, either.
Overall, I'd recommend it over
competing free toolbars like Google. Obviously, you can't compare
free products with paid products, but this is probably the best of the
freeware toolbars. It's also the most comprehensive, being the only
one with pop-up blocking, adware detecting, searching and navigating
tools all-in-one.
"Helpful" 12-Nov-2004
03:10:02 AM Ai Tui
The spyware detector picked up on some dialers and adware that Spybot
missed. Also, I've been a big fan of the Yahoo toolbar for quite awhile.
I'm on the move a lot, in my office and in the field. The toolbar allows
me to take the bookmarks to the sites I use frequently with me and helps
keep me connected.
If you are constantly prompted to remove 3rd party "Tracking Cookies" after scanning your machine with Ad-Aware or SpyBot then your IE is not set up properly!
Many web pages write a cookie to your computer's hard disk to record when you visited their page and which pages you visited. The tracking cookie goes further and records details such as how long you stayed on a page, what you ordered, other pages you visited, and builds up a picture of your browsing. This information is reported back to the company that paid for this service. Read the privacy pages of these companies if you don't believe me. Or read an article by Keith Newman about it.
Mad about it? Don't get mad, get even. Put in
Ad-Aware
(it's free - click on 'Ad-Aware') and delete all tracking cookies regularly.
The
HOSTS
file and
Restricted Zone (domains.reg) file both contain most of the "Tracking
Cookies" listed in their database. The object is
to prevent these (3rd party) Cookies from loading, not removing
them "after the fact".
Netscape Navigator and Internet Explorer will still send out existing
cookies even after disabling cookies in the browser settings. You must manually
delete any/all cookie files on your system to eliminate being tracked by
third-party ad networks or spyware or adware providers.
You can solve most of the tracking cookies problem with these two things:
A malware-blocking
hosts file and IE->Tools->Internet Options->Privacy tab->Advanced->Check
"Override Automatic Cookie Handling", set Third-party Cookies (the ones
used to track you across different web sites) to Block, and First-party
to Enable or Prompt.
There are many arguments why cookies are not a bad thing at all.
Among their more benign uses are:
- Often cookies contain a unique code number so that website designers
can see how many surfers return to their site, which pages in the site
are the most popular, etc. This allows them to improve the design
of their website.
- Many sites such as portals and news providers such as Yahoo.com
allow users to set preferences, for example selecting which categories
of news they would like to appear on their homepage. These preferences
are 'remembered' by means of a cookie.
- Cookies are used to remember log-in names and passwords, so that
users do not need to re-register every time they visit a site.
For example the New York Times website identifies users this way.
- Many shopping sites such as Amazon.com allow users to create a "shopping
cart" of items they wish to purchase. The computer remembers your
purchase list by means of a cookie placed on your computer.
And, contrary to rumor, it is impossible for a cookie to transmit a worm
or a virus. However, the opportunity to "personalize your web experience"
by means of cookies recording your preferences and interests is a double-edged
sword, because few consumers realize just how much information about themselves
they are giving away as they surf the internet, and fewer still realize
how easy it is for this "online profile" to be linked to their real identity.
Cookie Viewer [freeware] allows you to view information stored in a Cookie and delete unwanted Cookies on your hard drive. Note: when viewing Cookies stored on your drive, if you discover any unwanted Cookies, make a note of the server it is coming from (usually 3rd party) and add that site to your "Always Block" list in the Internet Options | Privacy tab | Edit button. For home PC Patrol (Startup Manager) can help you manage Tracking Cookies.
See Usenet newsgroups for additional discussions about the removal of
spyware from your system.
Copyright © 1996-2009 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time.
This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL).
Last modified:
November 15, 2009