Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Non-Scanner Generic AntiSpyware Tools
Businesses want an inexpensive software tool that can be used to clean up a
Spyware infection on a one-time, custom basis. Larger companies usually have
staff who can do quite a lot in analyzing a particular sample of Spyware, and
they need a toolkit to deploy the solution, if necessary. Being 100%
dependent on vendors is somewhat humiliating. Vendors must offer such products,
making sure they are affordable. We will classify tools into two broad ranges:
- Scanner-based. This is a strategy similar to antivirus scanners.
It also involves the problem of false positives and false negatives. We
discuss this class of tools on a separate page.
- Non-scanner based. This broad class of tools includes everything
else, including but not limited to process browsers (HijackThis
is probably the most popular but far from the only available process
browser; it also shows other relevant entries like BHOs), registry change
detectors and integrity checkers. We will advocate a simple protection
strategy. It is called the "Softpanorama strategy" and consists of two simple
steps:
  - creation of a second partition on the hard drive
  - periodically writing to it images created by Ghost or a similar utility.
On this page we will discuss non-scanner based tools. SFU 3.5 is probably the most powerful generic antispyware tool available
for Windows. Any tool that can search and delete entries in the Registry is also useful.
There are several such tools in the Microsoft Resource Kits, and they are probably
the safest to use.
The non-scanner based strategies of fighting spyware include several lines
of defense:
- Restoring an image of your C partition ("Softpanorama strategy").
Splitting your harddrive into two (or more) partitions (using for example
Partition Magic), formatting the second partition as FAT32 and writing a
clean snapshot of a C: partition (for example via Ghost) to this partition,
so that you can restore it anytime your system stops functioning properly
(whether because of spyware or other problems).
- Systematically updating your OS and IE. It's really important to
keep your computer up-to-date. Spyware often relies on IE vulnerabilities, so the
latest version of IE from Microsoft helps to protect your
computer. The improvements to Internet Explorer [microsoft.com] in Service Pack 2
should help stop the spread of Spyware somewhat.
- Using a special toolbar that blocks popups and Spyware components.
The Yahoo toolbar now contains an antispyware component in addition to popup
blocking (they beat the Google toolbar in this area ;-)
- Running selected free tools via the scheduler to detect and remove
Spyware. There are very useful and effective tools outside the
typical anti-Spyware troika (HijackThis, Ad-Aware and Spybot S&D). For example,
watching the registry, the process list (see
command line process listers) after startup, and the content of major
Windows directories is very important, and one can greatly benefit from using
appropriate tools to achieve that. For example, I can recommend a registry
watching tool like RegistryProt. There are several command line process
listing utilities that can be configured to run during your startup. Adding
an integrity checker to the mix is more complex, as there is no clearly
suitable candidate; see
Fighting Rootkit and Similar Trojans: Integrity Checkers and Trojan detectors.
HijackThis can provide a useful baseline that includes an integrated
list of relevant registry entries and a process map, but currently I do not
know how to run it in batch mode (other than via Expect). Still,
this is the simplest way to create a useful baseline manually. If you are
reading this page and do not yet have a problem, please create at least a
process baseline. It might turn out to be extremely helpful in the future.
You cannot overestimate the value of the baseline in fighting complex
Spyware beasts.
- Blocking (via proxy or redirection in the hosts file) Internet sites
that download such pests. This is a useful method of defense in a
corporate environment, where each detected "backchannel" can be instantly
blocked on the proxy, and in many cases the site responsible for the
infection can be detected and blocked. This is not that effective in a home
environment, but the hosts file can still be used to block obnoxious advertisers
on a one-by-one basis.
- And last but not least: read the license of products that you are
installing on your computer. Never ever install anything that is
advertised via junk email or, worse, pop-ups. Most apps that install spyware
have something in their license that says "we have the right to
install whatever we want on your system".
Softpanorama Strategy of Defense
A simple generic and very effective strategy of defense against spyware
involves splitting your harddrive into two (or more) partitions (using for
example Partition Magic), formatting the second partition as FAT32 and writing a
clean snapshot of a C: partition (for example via Ghost) to this partition, so
that you can restore it anytime your system stops functioning properly (whether
because of spyware or other problems). Here are the major stages:
Stage 1: Splitting your harddrive into two partitions
Stage 2: Formatting the second partition as FAT32
Stage 3: Creation of the image
After the image has been created you can return to this stage by simply restoring
it. So if your Internet connection is hosed or the computer behaves strangely
after the deletion, you can always "fall back" on a known good state of your
system. With some caution most of the environment and newly created files
can be preserved. This is probably the easiest way to fight complex, mutating
Spyware like CoolWWWSearch.
The restoration phase is slightly different. If the computer is still bootable, then
it involves writing the image to the floppy disk and then restoring the
partition by rebooting from this floppy. If the computer is not bootable, then
you need to have a floppy ready (preferably attached to the case of your computer
using a plastic pocket).
This strategy is discussed in more detail on the
Softpanorama Strategy of Fighting Spyware page.
I would like to stress that the main tool in fighting spyware is your own
understanding of Windows OS: the better you understand it the sooner the
spyware on your computer will be eliminated.
In view of the proliferation of Spyware keystroke loggers and site/download
trackers, I strongly recommend performing periodic checks for such programs,
at least once a month, on all Windows 2000/Windows XP desktops that are used
for connecting to DMZ servers. Especially vulnerable are home desktops
that are shared with other family members (children); those need to be
checked more often. Please note that unlike worms/viruses,
Spyware represents professionally written programs that are specifically designed to
work in stealth mode and collect various types of information about the user,
including, but not limited to, confidential financial information. It is also
protected from partial removal from the PC, which often happens if the signatures
that the Spyware removal program uses are old: if one of several components
is deleted by the program, the remaining components are able to download and
reinstall the missing ones. You need to use the latest signature files
to remove Spyware successfully.
The situation becomes more dangerous if the PC in question was used to browse porn
sites or other "grey" sites. Spyware installed from those sites often contains
full keylogging capabilities and thus reveals all passwords that you type
on your PC. Some dangerous Spyware specifically targets this category of users.
For example, Transponder Spyware (a variant of VX2 mentioned above) is deceptively
labeled as a "free movie viewer" to see "hard-core adult content".
Disclaimer: the author of these pages has no financial relationship
with any of the companies whose products are discussed on these pages. I
am not an employee, affiliate, representative, or other agent of any of these
companies.
Notes:
- Those pages are written by people for whom English is not a
native language. Some amount of grammar and spelling errors
should be expected.
- This is a Spartan WHYFF (We Help You For Free) site. It
cannot replace the best teachers and the best books.
- The site contains some obsolete pages as it develops like a
living tree... Some links on older pages are broken. Please
try to use Google, Open directory, etc. to find a replacement link
(see HOWTO search the WEB for details).
We would appreciate it if you can mail us a correct link.
It is already available from the Web site. Looks like there are sharp
executives at Trend Micro:
Trend Micro has acquired HijackThis, the freeware spyware-removal program
created by Merijn Bellekom. Financial terms of the deal, believed to be
all-cash, were not released. This is the second transaction between Trend
Micro and Bellekom, following the company's purchase of CWShredder, a
standalone utility used to remove the virulent Cool Web Search spyware program.
HijackThis is the de-facto standard for spyware removal from Windows systems.
The tool generates a plaintext logfile detailing all entries — registry and
file settings — it finds and offers tech-savvy users the ability to remove or
disable files associated with malware.
When a Microsoft Windows-based computer becomes vulnerable, an attacker typically
uses the resources of the Windows-based computer to inflict more damage or to attack
other computers. This kind of attack typically involves activities such as starting
one or more processes, or using TCP and UDP ports, or both. Unless an attacker hides
this activity from the Windows-based computer itself, you can capture and identify
this activity. Therefore, looking for indications of this kind of activity can help
you determine whether a system is vulnerable.
The Port Reporter tool is a program that can run as a service on a computer that
is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows
2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server
2003-based and Windows XP-based computers, the Port Reporter service can log the
following information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules (.dll, .drv, and so on) that a process loads
- The user accounts that start a process
The data that is captured by the Port Reporter service may help you determine whether
a computer is vulnerable. The same data is also useful for troubleshooting, for
gaining an understanding of a computer's port usage, and for auditing the behavior
of a computer.
PR-Parser is a tool that parses the logs that the Port Reporter service generates.
For additional information about the Port Reporter service, click the following
article number to view the article in the Microsoft Knowledge Base:
837243 (http://support.microsoft.com/kb/837243/) Availability and description of
the Port Reporter tool
The PR-Parser tool provides the following three basic functions:
The PR-Parser tool has a Windows Graphical User Interface (GUI) that makes it
easier to review the logs. By using the GUI, you can sort and filter the data in
a number of ways. The PR-Parser tool helps you identify and filter the data
that you are interested in. The tool provides the following functionalities:
- Identifies processes that you are interested in that are running on a computer
- Tries to identify when a process that uses the name of a legitimate process
is run from the wrong folder on a computer
- Identifies the modules, such as .dll and .drv, that are loaded on a computer
- Helps determine the time when the Internet Protocol (IP) addresses, fully
qualified domain names (FQDNs), or computer names that you are interested in
are communicating with a computer
- Identifies the ports that are used on a computer
- Helps determine when the user accounts are active on a computer
The PR-Parser tool provides some log analysis data also. This data can help you
understand the usage of a computer. This data includes the following:
- A ranked list of local Transmission Control Protocol (TCP) port usage
- A ranked list of local process usage
- A ranked list of remote IP address usage
- A ranked list of user context usage
- Svchost.exe service enumeration
- Port usage by hour of the day
- Microsoft Internet Explorer usage by user
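As an added example (not part of the Knowledge Base text or of the PR-Parser tool), the Python below applies the same kind of analysis to a constructed, simplified Port Reporter-style log: it ranks local TCP ports, remote addresses and user contexts, counts activity by hour of the day, and flags a process that carries a well-known system-process name but runs from a folder other than the expected one. The column order of the log and the table of expected folders are assumptions.

```python
"""Analyse Port Reporter-style logs offline: rank port, user and
remote-address usage, and flag a process that carries a well-known system
process name but runs from the wrong folder.

The CSV layout used here is a simplified, constructed approximation of a
Port Reporter PR-PORTS log, not the tool's exact format.
"""
import csv
import io
from collections import Counter

FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "pid", "module", "user"]

# Constructed sample log (documentation-range IPs). Two svchost.exe
# instances run from system32; a third, PID 2284, runs from C:\WINDOWS\Temp.
SAMPLE_LOG = """\
2005-08-24,09:01:12,TCP,1045,192.168.1.20,80,198.51.100.10,1712,C:\\Program Files\\Internet Explorer\\iexplore.exe,WORKGROUP\\peter
2005-08-24,09:01:15,TCP,1046,192.168.1.20,80,198.51.100.10,1712,C:\\Program Files\\Internet Explorer\\iexplore.exe,WORKGROUP\\peter
2005-08-24,09:02:40,TCP,135,0.0.0.0,0,0.0.0.0,896,C:\\WINDOWS\\system32\\svchost.exe,NT AUTHORITY\\SYSTEM
2005-08-24,09:03:05,UDP,123,0.0.0.0,0,0.0.0.0,1032,C:\\WINDOWS\\system32\\svchost.exe,NT AUTHORITY\\NETWORK SERVICE
2005-08-24,10:15:22,TCP,1061,192.168.1.20,8080,203.0.113.45,2284,C:\\WINDOWS\\Temp\\svchost.exe,WORKGROUP\\peter
2005-08-24,10:15:23,TCP,1062,192.168.1.20,8080,203.0.113.45,2284,C:\\WINDOWS\\Temp\\svchost.exe,WORKGROUP\\peter
2005-08-24,10:16:01,TCP,1063,192.168.1.20,443,203.0.113.45,2284,C:\\WINDOWS\\Temp\\svchost.exe,WORKGROUP\\peter
2005-08-24,11:40:09,TCP,1070,192.168.1.20,80,198.51.100.10,1712,C:\\Program Files\\Internet Explorer\\iexplore.exe,WORKGROUP\\peter
2005-08-24,11:45:00,TCP,135,0.0.0.0,0,0.0.0.0,896,C:\\WINDOWS\\system32\\svchost.exe,NT AUTHORITY\\SYSTEM
"""

# Folders from which these well-known Windows process names are expected
# to run (assumed list). Anything else with the same file name is
# the "legitimate name, wrong folder" case PR-Parser looks for.
EXPECTED_FOLDERS = {
    "svchost.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}


def parse_port_log(text):
    """Turn the CSV text into a list of dicts; ports and PIDs become ints."""
    records = []
    for raw in csv.reader(io.StringIO(text)):
        if len(raw) != len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, raw))
        for key in ("local_port", "remote_port", "pid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_masquerading_processes(records):
    """Return {(pid, module path)} for known process names run from an
    unexpected folder."""
    suspicious = set()
    for rec in records:
        folder, _, name = rec["module"].lower().rpartition("\\")
        if name in EXPECTED_FOLDERS and folder not in EXPECTED_FOLDERS[name]:
            suspicious.add((rec["pid"], rec["module"]))
    return suspicious


def rank_local_tcp_ports(records):
    """Ranked list of (local TCP port, number of log entries)."""
    return Counter(r["local_port"] for r in records
                   if r["protocol"] == "TCP").most_common()


def rank_remote_ips(records):
    """Ranked list of (remote IP, entries); 0.0.0.0 means not connected."""
    return Counter(r["remote_ip"] for r in records
                   if r["remote_ip"] != "0.0.0.0").most_common()


def rank_users(records):
    """Ranked list of (user context, entries)."""
    return Counter(r["user"] for r in records).most_common()


def port_usage_by_hour(records):
    """Entries per hour of the day, to spot activity outside working hours."""
    return dict(sorted(Counter(int(r["time"][:2]) for r in records).items()))


def report(text=SAMPLE_LOG):
    """Run every analysis over one log and return the results by name."""
    records = parse_port_log(text)
    return {
        "masquerading": sorted(find_masquerading_processes(records)),
        "tcp_ports": rank_local_tcp_ports(records),
        "remote_ips": rank_remote_ips(records),
        "users": rank_users(records),
        "by_hour": port_usage_by_hour(records),
    }


if __name__ == "__main__":
    for section, value in report().items():
        print(f"{section}: {value}")
```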
[Feb 24, 2007] SDFix
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save
it to your Desktop.
[Aug 24, 2005] What a great app!
Thanks for recommending this freeware - I recently cleaned my
PC from a Trojan which disabled the wallpaper and gave a warning tool in the
task bar telling me to buy some anti-malware software. I knew this was a
hack from the start and set about cleaning the registry, resetting dodgy
files in SYSTEM32 to a .doc extension, etc., but I was not able to clean
certain items - I was not allowed to delete certain entries from the
registry (in particular the RUN key) - seemed like a permissions problem.
I ran the recommended program in a safe mode boot of XP and I cleaned everything it
found and the machine seems much happier now!
What I would like to know is how you remove an item from the registry
when you know it's bad. I tried messing about with the permissions on the
item but nothing worked.
... ... ...
Keep up the great work!
Regards
Peter
Peter,
There are several good free registry editors and watchers. See
Free Registry Tools
for more information. But the first step is easy to do with the regular Windows
registry editor (regedit.exe):
Often spyware is pretty primitive and removal of the component that is
installed in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry key disinfects the PC.
To do this follow the steps outlined below. Be very careful working with the registry and do not delete entries just because they look
suspicious; check each of them as outlined below:
- Open your registry in regedit:
  - Click "Start" (bottom left of your screen)
  - Select "Run"
  - Type "regedit" in the command line displayed
  - Click OK.
- In the tree that is shown select HKEY_LOCAL_MACHINE, then click on the + sign
  for the key SOFTWARE, then for Microsoft, then for Windows, then for
  CurrentVersion, then for Run.
- Put a bookmark on the Run entry (click Favorites, Add to Favorites and
  keep the name Run that Microsoft Registry Editor suggests), so that you can
  get to the same place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries that have strange
  names, load programs from strange locations, etc., but don't take any action
  on them yet.
- Open Windows Explorer. Click on Tools, Folder Options, View and Details View, and
  - uncheck:
    - Hide extensions for known file types
    - Hide protected operating system files
  - check:
    - Show hidden files and folders
    - Remember each folder's view settings
  Click Apply to All Folders and OK.
- Find each suspicious file from the printed list of the Run section and check the
  creation date. After that go to the listed directory, find the file, left-click
  it and open Properties. Check the Version section. If Description is
  missing, Version is missing or this is an unknown company, then the file is
  suspicious.
- For each suspicious file search Google. If the Google search proves that this
  entry belongs to spyware, simply delete the key.
- For each other file try to search Google too. But be critical about the
  results; do not rush to delete it without additional consultation in one of
  the forums recommended on the Fighting Adware/Spyware Paranoia page.
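As an added example, not code from Softpanorama or from Microsoft, the Python below does the Run-key review from the steps above, together with the baseline comparison recommended earlier on this page, against regedit text exports (File, Export in regedit) instead of the live registry: it diffs the current Run entries against a clean baseline export and flags entries whose program lives in a Temp or profile folder or outside Program Files and Windows. Both export snippets are constructed samples and the location heuristics are assumptions.

```python
"""Audit the Run key from regedit exports without touching the live
registry: compare the current Run entries with a clean baseline export and
flag entries that start programs from unusual folders.

Both export snippets below are constructed samples in regedit's export
syntax (a .reg file escapes backslash and double quote with a backslash).
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed "known good" export taken while the machine was clean.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe\""
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
'''

# Constructed export from the same machine after a suspected infection:
# one entry now points into C:\WINDOWS\Temp and a new odd-named one appeared.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe\""
"SoundMAX"="C:\\WINDOWS\\Temp\\SMTray.exe"
"wsxjq"="C:\\Documents and Settings\\peter\\Local Settings\\Temp\\wsxjq.exe /h"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_LINE.match(line)
            data = m.group(2) if m else ""
            if m and data.startswith('"') and data.endswith('"'):
                keys[current][_unescape(m.group(1))] = _unescape(data[1:-1])
    return keys


def program_path(data):
    """Executable path of a Run value: the quoted path, or the text up to
    and including the first '.exe' when the path is unquoted."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    return data[: idx + 4] if idx >= 0 else data.split(" ")[0]


# Assumed heuristics for the "strange location" test from the steps above.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def is_suspicious_location(path):
    """True for programs under a Temp or profile folder, or outside
    Program Files / Windows altogether."""
    p = path.lower()
    if "\\temp\\" in p or p.startswith("c:\\documents and settings\\"):
        return True
    return not p.startswith(EXPECTED_ROOTS)


def compare_run_keys(baseline_text, current_text, key=RUN_KEY):
    """Added, changed and removed Run entries relative to the baseline."""
    base = parse_reg_export(baseline_text).get(key, {})
    cur = parse_reg_export(current_text).get(key, {})
    return {
        "added": {n: cur[n] for n in cur.keys() - base.keys()},
        "changed": {n: (base[n], cur[n]) for n in cur.keys() & base.keys()
                    if base[n] != cur[n]},
        "removed": {n: base[n] for n in base.keys() - cur.keys()},
    }


def audit_run_key(export_text, key=RUN_KEY):
    """Sorted names of Run entries whose program sits in a suspicious place."""
    entries = parse_reg_export(export_text).get(key, {})
    return sorted(n for n, d in entries.items()
                  if is_suspicious_location(program_path(d)))


if __name__ == "__main__":
    print(compare_run_keys(BASELINE_REG, CURRENT_REG))
    print(audit_run_key(CURRENT_REG))
```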
Microsoft Windows AntiSpyware (Beta) is a security technology that helps
protect Windows users from spyware and other potentially unwanted software.
Known spyware on your PC can be detected and removed. This helps reduce
negative effects caused by spyware, including slow PC performance, annoying
pop-up ads, unwanted changes to Internet settings, and unauthorized use of
your private information. Continuous protection improves Internet browsing
safety by guarding more than 50 ways spyware can enter your PC. Participants
in the worldwide SpyNet™ community play a key role in determining which
suspicious programs are classified as spyware. Microsoft researchers quickly
develop methods to counteract these threats, and updates are automatically
downloaded to your PC so you stay up to date.
Some anti-spyware companies use confusing ads,
and our tests show their $20-$60 products are less effective than free
competitors.
You've almost certainly encountered the ads: A dialog box pops up
on your system, bearing the message "Warning! Your computer
may be infected with spyware" and suggesting that you scan
your computer immediately. Click it, and you often reach a
Web site providing a "free spyware scanner" that finds all
sorts of malware on your PC--and then offers to sell you
software that will clean it all up.
Should you buy these products? Based on our tests, our opinion is
no. Following complaints from several PC World
readers, we tested seven heavily advertised spyware-removal
tools--MyNetProtector, NoAdware, PAL Spyware Remover, SpyAssault,
SpyBlocs, Spyware Stormer, and XoftSpy--and found that none were as
effective as reputable free products such as
Spybot Search & Destroy. A couple even installed new spyware.
I did a little poking around in the Microsoft
Knowledge Base and found that this was not an unusual problem and that it was
caused by corruption of the Winsock. I hadn't thought about the Winsock—the
Windows TCP/IP socket API and IP stack—in years, at least not since the
advent of Windows XP. But it used to be a veritable Achilles' heel for
Windows systems.
The Knowledge Base gave command line NetShell
instructions that would reset the Winsock to its default configuration, and
also listed Registry entries that I could remove to force a reload of the
Winsock and TCP/IP stack. The two essential articles are 811259 and 299257.
But before I did that, I decided to look further to figure out how the
Winsock had become corrupted.
A little more investigation pointed to adware
and spyware. Evidently some ad/spyware modifies the Winsock or installs
itself into the IP stack to give ads access to your system—or to give a
hacker free rein. When you run the removal programs (you do, don't you?), the
shims inserted by the adware are not removed, but they no longer link to
anything. The stack becomes unstable, and it begins reporting errors and
behaving erratically.
I also came across a freeware application that
does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of
your registry and then repairs any Registry entries that may have been
affected by adware removal. Unlike the Microsoft solution, it doesn't remove
the stack and force you to reload TCP/IP.
I decided to try it (I had a recent, full
backup of my system on one of Iomega's great new REV 35GB removable hard
drives, so I didn't mind living dangerously), and it worked perfectly. No
more dropped wireless connections and no more "cable unplugged" error
messages. You can find WinSock XP Fix at a number of shareware sites,
including
www.spychecker.com/program/winsockxpfix.html.
Trying to make Windows more secure, Microsoft
released Windows XP Service Pack 1 in 2003, and
Service
Pack 2 recently. Whereas SP1 focused on remedying antitrust violations
with bundled Windows utilities, almost all of SP2 is devoted to beefing up
Internet security. SP2 doesn't thoroughly shield you from attacks, but it's
definitely worth installing for its firewall improvements, Internet Explorer
pop-up blocking, and security-configuration changes. Once you've installed
it, you'll probably want to tweak some of SP2's new settings, and to know
where--tweaked or not--the reinforced OS remains vulnerable.
SP2's most noticeable
change to Windows XP is its introduction of a new Security Center Control
Panel applet (see
FIGURE 1). Security Center itself doesn't do much, but it provides a
single location where you can view the status of the Windows Firewall
(formerly known as Internet Connection Firewall) and of Windows' Automatic
Updates service. The utility also tracks if you have an antivirus program
installed, running, and updated.
If any of these three key
security tools has been disabled or is less than fully functional, Security
Center changes their corresponding status lights from green to either red or
amber. The program also displays a warning icon in the system tray. A red
light means that you should probably take steps to beef up security in the
indicated area. An amber light signifies a service that is only partly
enabled, or that a third-party product handles.
But even if all your
dashboard security lights are green, you aren't necessarily safe. Conversely,
certain red or amber conditions--triggered when Windows doesn't recognize
your third-party firewall or antivirus program, for example--may be
acceptable to you. So how do you disable that pesky tray icon?
Start by opening the
Security Center: Choose Start, Control Panel and click Security
Center. Many people will see a bank of green lights, thanks to SP2's more
secure default settings. The firewall is now enabled by default for all
Internet connections, which is a good thing if you don't have a third-party
firewall program. The Automatic Updates feature downloads and installs
often-crucial security updates from Microsoft while you're online. Unless you
went out of your way to disable it during installation of Service Pack 2,
this option will be fully enabled as well. And if you've installed an
antivirus program that Microsoft recognizes, you'll get a green light in the
virus-protection area.
On the Rogues page, there is a
section for
Trustworthy Anti-Spyware Products . There are spyware removal help
forums, such as my own, where people
discuss and compare
products, often from having used and tested them. Other spyware removal
help forums are also good sources of information.
Download.com lists products and has reviews from consumers as well. I
would take some of the reviews there with a grain of salt however, since they
can be spammed by people who want to promote a particular product.
Download.com does indicate the sponsored products in the listings.
It's not clear if this site is independent or objective. But it still contains
a comparison that you might benefit from. Ad-Aware was rated No. 5, S&D No. 6.
The test scores are very questionable as there is no information about the
spyware mix used:
Spyware Test Score column (product names were not preserved in this copy):
91%, 90%, 88%, 84%, 64%, 63%, 50%, 45%, 37%, 31%
Here are reviews of top free products. Both are grossly unfair:
Ad Aware came in fourth. While it
offers comparable protection to Spy Sweeper and Spyware
Eliminator, it lacks some basic features (such as scheduling) and
the user interface is very difficult to use. It is also priced
higher than the other products. Some users report that the
program doesn’t install correctly and there are reports that it
has even corrupted hard drives, making some PCs unbootable (we
did not experience these problems on our test computers). Despite
Lavasoft's claim that Ad-Aware protects against over 24,000
spyware programs, we found its coverage to be lacking.
My comments: What an idiotic requirement to have an independent
scheduler. The reviewers seem to be openly hostile to the product and
it is fair to assume that they are just peddling a different product
no matter what...
Spybot
S&D is the most well-known freeware removal tool on
the market. The best part about Spybot S&D is that
it’s free! The worst part is that you get what you
pay for. Because Spybot S&D gives away their product,
they can’t afford to give good customer support, nor
is their product particularly stable on Windows XP.
On our test platform, Spybot S&D brought our browser
(Internet Explorer 6) to its knees. After
installation, we were unable to download anything in
under two minutes, and web pages took an
excruciatingly long time to load. Alas, we fixed the
problem by running Spy Sweeper! At last count, Spybot
S&D only effectively protected against about 200
spyware products. If you can afford a modest fee, we
highly recommend you choose a commercial product.
My comments: The claim that Spybot S&D is not stable on
Windows XP is a deliberate attempt to downgrade a fine product.
It is reasonable to expect that a free product requires slightly
more knowledge to run than a commercial one, but the reviewer
does not understand that Spybot provides some tools for fighting
arbitrary spyware, not just scanning for known pests.
Obsolete since Microsoft introduced the free Windows Defender.
Berkes Notify allows you to monitor a specified directory and be notified if files
are changed, added or deleted. The program runs from the command line and
pops up a small dialog if changes are detected. Small, simple and useful.
StartupMonitor watches the Start Menu's Startup folders and the
Run entries in the registry.
StartupMonitor does not require
Startup Control Panel, but it complements it nicely. When you choose not to
allow a program to register itself, the program's entry becomes disabled in
Startup Control Panel, so you can go back and enable it later if necessary.
StartupMonitor has been tested on
Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, and
Windows XP; unfortunately, it does not function correctly under Windows 95
because of some unimplemented routines in the operating system.
Have you just about had it with sneaky spyware
installations, pesky third-party cookies from pushy advertisers and
marketers, and the unending blizzard of popups and popunders from web sites?
Haven't you really had just about enough of these obnoxious, invasive
practices that trash your computer and violate your privacy?
Then it's time you said, "Enough is Enough!"
Overview
Enough is Enough! is a lockdown utility for Internet Explorer 5 and 6.
When you install Enough is Enough!, it will:
- Lock down your Internet and Restricted
sites zones with restrictive settings for dangerous options
like ActiveX, Java, scripting, and a few others.
- Severely restrict the use of cookies
(but not completely disable them for trusted web sites or for
single session use).
- Disable several Advanced settings,
including Install on Demand and Third-party Browser Extensions.
- Install Microsoft's IE PowerTweaks WebZone
Accessory, putting two new options on your IE Tools menu,
with corresponding buttons on your Toolbar: "Add to Trusted Zone"
and "Add to Restricted Zone."
With these new Internet Explorer settings you will be
protected from the more dangerous elements of the web without having to worry
about putting known nasties into your Restricted sites zone:
- You'll be protected from rogue crapware
installations (e.g., Gator, BonziBuddy, WebHancer, Lop.com,
and the like).
- You won't be accepting cookies from direct
marketing outfits who seek to monitor and track your travels
around the Net.
- You'll put an end to annoying, useless
popups at most web sites by default.
- You'll put all web sites on a "short leash"
until you trust them enough to add them to your Trusted sites
zone.
In short, Internet Explorer will start behaving as YOU want
it to behave, not as direct marketers and spyware pushers want it to behave.
What you do with Enough is Enough! is enforce your very own "opt-in"
policy: no web sites get to use permanent cookies, ActiveX, Java, JavaScript
and other dangerous Internet Explorer options until you explicitly give them
the go-ahead by putting those sites into your Trusted zone.
Caution!
A word of warning: the severely restrictive IE settings that Enough is
Enough! uses will break many web sites until you add them to your Trusted
sites zone. These settings will also disable third-party browser add-ons
(commonly known as "plugins").
Keep in mind that you can always tweak IE's settings through the Internet
Options box after installing Enough is Enough!
And of course, Enough is Enough! installs Microsoft's Power Tweaks
WebZone Accessory so that you can quickly and conveniently add sites you
visit frequently (and which require permanent cookies or certain types of
active content) to the Trusted sites zones. Once you add a site that you
trust to the Trusted sites zone, it should start working again.
See the section in the
ReadMe
titled "Coping with Problem Web Sites & Browser Add-ons" below for more
advice on dealing with problem web sites and third-party browser add-ons.
More than Enough?
Enough is Enough! isn't for everyone. If you find broken web sites
extremely frustrating, and taking the time to add web sites to your Trusted
sites zone is too annoying for you to deal with, then Enough is Enough!
might be "more than enough" for you -- it might be much too much.
There are several uninstallation options, so you're not stuck with Enough
is Enough! by any means, should you decide that it's not for you (see the
"Uninstallation" section in the
ReadMe
for more details).
If Enough is Enough! isn't for you, you might consider downloading and
installing IE-SPYAD. IE-SPYAD will add a long list of known
advertisers, marketers, and crapware pushers to your Restricted sites zone,
giving you a large measure of protection from the nastier elements of the web
while still allowing you to keep your Internet zone settings fairly loose.
You can download IE-SPYAD
HERE.
Compatibility
Enough is Enough! is compatible with Internet Explorer 5.0 and above.
The installer (INSTALL.BAT) will detect if you're using Internet Explorer 6.0
and adjust the settings it installs accordingly. Enough is Enough!
also works with Windows XP Service Pack 2.
Enough is Enough! should not be used on Internet Explorer 3.0 or 4.0
(though the installer will let you do it). If you mistakenly install
Enough is Enough! on Internet Explorer 3.0 or 4.0, you can uninstall it
and restore your previous IE settings by re-running INSTALL.BAT.
Installation & Use:
Download one of the following files from the
Download section below:
- [file name not preserved] is a self-extracting .ZIP file, which you can
double-click on to extract the files inside (default dir is C:\ENOUGH).
- [file name not preserved] requires that you have a "zip/unzip" program like
WinZip, 7-Zip, or PowerArchiver to extract the files.
After you explode the files from the archive you
downloaded, run INSTALL.BAT, or consult README.TXT for more information about
this utility. You can view an online version of README.TXT
HERE.
Download:
These files have been signed with my
4096/1024 DH/DSS PGP key. You can get it and my other PGP keys
HERE.
The PGP signature files are digital signatures that
PGP users can use to verify the integrity and origin of the download
packages. If you're not a PGP user, you don't have to download the
PGP signature files (or my PGP public keys) in order to use the
utilities that I make available. If you're interested in learning more about
PGP, check some of the links on
THIS page.
This program is
Please read this
License & Disclaimer.
Last Updated: Apr 14 '02
You are troubleshooting a suspected conflict
between programs, and need to temporarily prevent programs from loading when
Windows starts. The programs in question are loading from one of the Run keys
in the Windows registry.
Solution:
CAUTION: We strongly recommend that you back up the system registry
before making any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure you modify only the
keys specified.
Please request the document,
How to back up the Windows registry, before
proceeding.
NOTE: If you are using Windows 98/Me/XP, as an alternative you can use
the System Configuration Utility that is included with these operating
systems. For these operating systems, this is the recommended method, as it
does not require you to edit the registry. Please see your Windows 98/Me/XP
documentation or the section "4. Disable unnecessary startup items" in the
document,
Basic guide to optimizing system resources for instructions on how to do
this.
To temporarily remove values from the RUN keys in the Windows registry:
1. Click the Start button and then click Run. The Run dialog box appears.
2. Type regedit and click OK. The Registry Editor opens.
3. Navigate to the following key, and open it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. The right pane will display one or more string values.
- If you only see (Default) or SystemTray, go on to step 10.
- If there are additional values, for each value other than (Default) or
SystemTray, follow the instructions in steps 5 through 9.
5. Double-click a String Value in the right pane. The Edit String dialog box will
appear with the value selected.
6. Press the Home key on the keyboard. The cursor should be to the left of the
string value, and the value should no longer be selected.
7. Type rem and press the Spacebar once. This remarks out the string value, and
prevents the program from loading when Windows starts.
8. Click OK.
9. Repeat these steps for each string value you want to remark (REM) out.
10. Navigate to the following key, if it exists, and open it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
11. Repeat steps 4 through 9.
12. Some computers may also have Run or RunServices keys in the following location:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(or \RunServices)
13. If it exists, repeat steps 4 through 9 for this location as well.
14. Exit the Registry Editor when you finish changing these values, and restart
the computer.
15. Check to see whether or not this resolves the problem.
16. If it does, and you want these programs to load with Windows, add back one
string value at a time by removing the REM and the following space.
17. Restart Windows, and then test the system after each addition. When you find
the value causing the problem, you can either REM it out in the registry or delete
the value.
NOTE: If you do this in Windows NT 4.0, for each REM line that exists
you will see the following message when Windows NT boots:
"Cannot find the file REM (or one of its components). Make sure the path and
filename are correct and that all required libraries are available."
You will need to click OK for each REM line that generates the message. To
avoid this each time you start Windows, once you have determined the program
that is causing the problem, delete the string value for that program.
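The same procedure from PowerShell, as an added example that is not part of the Symantec article above. It backs up the four Run/RunServices keys with reg.exe, then prefixes every string value with "rem " (Windows then tries to launch a program named "rem", which does not exist, so the real program never starts; this is exactly why NT 4.0 shows the "Cannot find the file REM" message) and can strip the prefix again one value at a time. Assumptions of mine: PowerShell 3 or later on an elevated prompt, and C:\RegBackup as a hypothetical backup directory.

```powershell
# Added example (not from the original page). Requires an elevated prompt.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
# '' is how the registry names the (Default) value; both are left alone, as in the steps.
$Keep = @('', 'SystemTray')

function Backup-RunKeys {
    # Hypothetical backup location; restore any file later with: reg.exe import <file>
    param([string]$Dir = 'C:\RegBackup')
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $native = $k -replace '^HK(LM|CU):\\', 'HK$1\'          # reg.exe wants HKLM\..., not HKLM:\...
        $file   = Join-Path $Dir (($k -replace '[:\\]', '_') + '.reg')
        Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
        reg.exe export $native $file | Out-Null
    }
}

function Set-RunEntries {
    # -Disable prefixes each command with "rem " (what steps 5-9 do by hand);
    # -Enable removes the prefix. -Name limits the change to matching values so
    # entries can be put back one at a time (steps 16-17).
    param([switch]$Disable, [switch]$Enable, [string]$Name = '*')
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item $k
        foreach ($v in $key.GetValueNames()) {
            if ($Keep -contains $v -or $v -notlike $Name) { continue }
            $kind = $key.GetValueKind($v)
            if (@('String', 'ExpandString') -notcontains $kind) { continue }  # the steps only cover string values
            # Read without expanding %SystemRoot% etc., so we write back exactly what was there.
            $cmd = [string]$key.GetValue($v, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($Disable -and $cmd -notmatch '^rem ') {
                Set-ItemProperty -Path $k -Name $v -Value "rem $cmd" -Type $kind
                "[disabled] $k\$v = $cmd"
            } elseif ($Enable -and $cmd -match '^rem ') {
                Set-ItemProperty -Path $k -Name $v -Value $cmd.Substring(4) -Type $kind
                "[restored] $k\$v = $($cmd.Substring(4))"
            }
        }
    }
}

# Usage:
#   Backup-RunKeys
#   Set-RunEntries -Disable                 # reboot and test
#   Set-RunEntries -Enable -Name 'Foo*'     # put one entry back, reboot, test again
#   Set-RunEntries -Enable                  # everything back
```

Only REG_SZ and REG_EXPAND_SZ values are touched, and the value type is preserved on write, so a REG_EXPAND_SZ entry such as %SystemRoot%\system32\foo.exe still expands after it is restored.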
In case of broken links please try to use Google search. If you find the page,
please notify us about the new location.
- PCWorld.com list of antispyware tools
- PestPatrol provides a free spyware scan: PestScan, a free online spyware scanner
from PestPatrol. This is probably the simplest way to scan your PC, but please note
that it is not very accurate. Note also that the vendor was recently bought by
Computer Associates, a company that killed a lot of the software projects it
bought, so the quality of the commercial version is now suspect... PestPatrol also
has a nice spyware database at research.pestpatrol.com.
- Ad-Aware: scan your system for advertising spyware. This free utility scans your
memory, hard drives, and your Registry for references to spyware like Gator, Cydoor,
DSSAgent, Alexa. http://www.lavasoftusa.com
- SpyBot: a spyware scanner that is generally similar to Ad-Aware, but contains some
nice tools like a process viewer and a host blocking list.
- BHODemon: freeware that lets you monitor and disable "Browser Helper Objects".
- Browser Hijack Blaster: warns you of the next hijack attempt; free.
- Merijn.org, home to several nice antispyware tools like HijackThis:
- StartupList (zipped): A simple tool that lists each and every auto-starting
program on your system. You might be surprised what it finds; this is way better
than Msconfig. Commonly used to troubleshoot malfunctioning systems, trojan/viral
infections, new spyware/malware breeds and the like.
Currently at version: 1.52.1
- HijackThis (zipped): A general homepage hijackers detector and remover. Initially
based on the article Hijacked!, but expanded with almost a dozen other checks
against hijacker tricks. It is continually updated to detect and remove new hijacks.
It does not target specific programs/URLs, just the methods used by hijackers to
force you onto their sites. As a result, false positives are imminent and unless
you are sure what you're doing, you should always consult with knowledgeable folks
(e.g. the forums) before deleting anything.
A rudimentary HijackThis log tutorial by me is available here.
The official HijackThis QuickStart for posting on the SpywareInfo forums is
available here.
Currently at version: 1.97
- CWShredder (zipped): A small utility for removing CoolWebSearch (aka
CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D
tends to forget essential parts of the hijack, so until it updates, you can just
use this to completely remove the hijack. Updated to remove the new variants once
they come out.
Read my article with documentation on CoolWebSearch here.
Updated very, very often
- BHOList: A frontend for TonyKlein's BHO Collection that downloads the list, and
displays it in a sortable, searchable list. You can also export it to a file and
load that file back instead of downloading it from SWI.
Currently at version: 1.20
- Uptimer4: A bar that sits at the top of your screen and can display over 20
pieces of system information that might be useful to you: system time, system
date, uptime, free RAM, free pagefile, free disk space, CPU usage, IP address(es),
Winamp controls, battery status, running programs, netstat, etc.
This project is currently suspended until I have more time to update it. Keep
sending in bug reports though. :)
(Some functions may not work properly with Windows 95 and Windows NT4 without SP6.)
Currently at version: 1.0 (beta)
- KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all
Kazaa versions, as well as all of the bundled software that comes with it.
Warning: This version has a bug that can cause your Internet connection to be
broken when removing New.Net, WebHancer or CommonName. An update is being worked
on. If you still want to use KazaaBegone, download LSPFix to fix your Internet
connection (download it before you run KazaaBegone, of course).
Currently at version: 1.10
The free Spybot Search & Destroy scanner and/or Ad-Aware give better results
(provided you are using the latest signatures) and are recommended for checking.
Please note that before the scan you need to download the latest signature file
separately (older signature files miss the most recent mutations of engines like
SAHAgent).
The recently written Spyware Removal Guidelines use Spybot S&D as the example,
since it provides some additional useful tools, but good old Ad-Aware is also an
extremely useful tool and can find and disinfect some spyware variants that are
missed by Spybot S&D (see, for example, its VX2 cleaner plugin that I mentioned
before). You are probably better off using both.
Recommended Papers
PC Review - Spyware and
Adware Removal
HijackThis Log Tutorial
Help2Go - HijackThis log tutorial
BHOs are to Internet Explorer what programs started from autoexec.bat were to DOS:
they are loaded automatically every time IE starts, inside the IE process. They are
registered by CLSID under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
and each CLSID points to the DLL that IE loads. The MS article
Browser Helper Objects: The Browser the Way You Want It explains the concept.
Because a BHO runs with the browser's privileges and sees every page and form the
browser loads, it is a natural place for a hijacker or keylogger to sit. Spyware
BHOs can also conflict with other running programs, cause a variety of page faults,
run time errors, and the like, and generally impede browsing performance.
BHOList
contains the list of known BHOs, classified into several categories.
To view the list of the BHOs that are installed on your machine you can use
HijackThis or the more specialized program
BHODemon
(freeware).
Example 1: The LOP spyware creates random BHO identifiers (as well as
corresponding files). Registry entries look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
Be aware of this possibility if you discover unknown BHOs with random names.
Several other spyware products also use random or semi-random BHO names.
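An added example, not code from this page, BHODemon or HijackThis: it walks the "Browser Helper Objects" key, resolves each CLSID to its DLL through the Classes hive, and reports whether the file exists, whether it carries a valid Authenticode signature, and whether its name looks machine-generated like the LOP entries above. The name test (letters are under a quarter vowels, or five consonants in a row) is a crude heuristic of my own, not a documented indicator; terse legitimate names will trip it, so treat a hit as a reason to look the CLSID up in BHOList, not as a verdict. Assumes PowerShell 3 or later.

```powershell
# Added example (not from the original page).
function Test-RandomName {
    # Heuristic: generated names such as ssshwckfrngl / llbrquistglc / kstilypsm have
    # very few vowels or long consonant runs. Expect false positives on short names.
    param([string]$Path)
    if (-not $Path) { return $false }
    $stem    = [IO.Path]::GetFileNameWithoutExtension($Path.Trim('"')).ToLower()
    $letters = $stem -replace '[^a-z]', ''
    if ($letters.Length -lt 6) { return $false }
    $vowels  = ($letters -replace '[^aeiouy]', '').Length
    return ($vowels / $letters.Length -lt 0.25) -or ($letters -match '[bcdfghjklmnpqrstvwxz]{5,}')
}

function Get-BHO {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # 32-bit IE on x64
    )
    # CLSID -> InprocServer32 lookups: machine, per-user, and the 32-bit view on x64.
    $classRoots = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem $root) {
            $clsid = $entry.PSChildName
            $dll = $null; $desc = $null
            foreach ($classes in $classRoots) {
                $clsKey = "$classes\CLSID\$clsid"
                if (Test-Path "$clsKey\InprocServer32") {
                    $dll  = (Get-ItemProperty "$clsKey\InprocServer32").'(default)'
                    $desc = (Get-ItemProperty $clsKey).'(default)'
                    break
                }
            }
            $file   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $exists = [bool]$file -and (Test-Path -LiteralPath $file)
            [pscustomobject]@{
                CLSID       = $clsid
                Description = $desc
                Dll         = $file
                Exists      = $exists
                Signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
                RandomName  = Test-RandomName $file
            }
        }
    }
}

# Usage:  Get-BHO | Format-Table -AutoSize
# An unsigned DLL with RandomName = True, or a CLSID whose DLL no longer exists, is
# what to look up first. To disable a BHO, export and then delete its key under
# "Browser Helper Objects"; IE stops loading it on the next start.
```

Checking the signature is the more useful signal of the two: mainstream BHOs (Acrobat, Java, Google and Yahoo toolbars) ship signed, while the spyware in Example 1 generally does not, although an unsigned BHO is not proof of anything on its own.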
Example 2: Vx2 and its derivatives (Data Transponder, etc).
Vx2 is a browser helper object (BHO) that was included in the AudioGalaxy
Satellite file-sharing system, but a user outcry got it removed in November
2001. Today, vx2 and its variants can be found in a "free" viewer for adult
video content and the "free" products from Mindset Interactive. According to
PestPatrol, "it is hard to tell where
this piece of spyware originated. It was first seen as Blackstone Data's
Transponder, but repackaged versions of the same product are popping up under
several different companies." PestPatrol lists the aliases of the code and
sources of each as Transponder from Blackstone Data; vx2, RespondMiter and
Sputnik from vx2, Corp.; Aadcom Extreme Targeting from Aadcom; NetPal from
NetPalNow and also Mindset Interactive.
Recommended Links:
- Browser Helper Objects: The Browser the Way You Want It -- Microsoft article
explaining the concept.
- Sysinfo.org - the home of the BHO database (Sysinfo.org BHO search list)
- BHODemon 2.0: BHODemon, our free program that lets you monitor and disable
"Browser Helper Objects", is featured in the 12/1/2001 issue of the weekly
Lockergnome newsletter. Click here to learn why you need this program! (For
current users, here is the list of all known BHOs.)
- BHO Cop, PC Magazine Utility Library utility, which gives you the ability to
find out what BHOs are attached to your copy of Internet Explorer, and then
empowers you to kill (disable) any BHO you find suspicious. Simply install and run
BHO Cop (download here) to see a list of BHOs attached to Internet Explorer. To
disable a BHO, uncheck the box next to its name. When you're finished managing
BHOs, just click Exit.
LSP-Fix - a free program to repair damaged Winsock 2 stacks
Repairs Winsock 2 settings, broken by buggy or improperly-removed Internet
software, that result in loss of Internet access.
LSP-Fix is a free utility to repair a specific type of problem associated with
certain Internet software. This type of software is known as a Layered Service
Provider or LSP, a piece of software that can be inserted into the Windows TCP/IP
handler like a link in a chain. However, due to bugs in the LSP software or
deletion of the software, this chain can get broken, rendering the user unable to
access the Internet.
Unfortunately, this type of software is sometimes quietly installed by unrelated
software such as file-sharing programs, sneaking onto a system unannounced. In
fact, in many cases, the user does not know of its existence until something goes
wrong, and he/she can no longer access Web sites. Common offenders include
New.net* (NEWDOTNET) and WebHancer*, which are often bundled with file-sharing
utilities, DVD player software, and other free downloads. LSP-Fix repairs the
Winsock LSP chain by removing the entries left behind when LSP software is removed
by hand (or when errors in the software itself break the LSP chain), and removing
any gaps in the chain.
LSP-Fix is not a malware removal utility and does not target specific products.
LSP-Fix does not delete any files.
Downloads: (All downloads will fit easily on a floppy disk.)
- lspfix.zip - includes the program and documentation
Using LSP-Fix to remove O10 Entries in HijackThis
This self-help guide will walk you
through using LSP-Fix to remove unwanted LSPs
Warnings:
Removing LSPs can cause your computer's Internet connection to no longer work. If
you follow these instructions carefully, you should not have a problem. If you
feel that you are not comfortable doing this on your own, then please ask for help
in our forums.
What are LSPs:
LSPs are programs that are attached to the networking protocols on Windows XP and
2000 computers. When an unwanted LSP connects to this chain, it has the ability to
inspect and manipulate any data that passes through it. It is important to note
that not all LSPs are bad, so it is important to do research as to whether or not
the LSP you are going to remove is indeed unwanted. We will provide all the tools
necessary, though, so that you can determine this.
Symptoms in a HijackThis Log:
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
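The same check from the command line, as an added example that is neither LSP-Fix nor part of the guide above. It parses the output of "netsh winsock show catalog" (present from Windows XP SP2 on) into one record per provider and reports, for each, the DLL that implements it, whether that file still exists and whether it is signed. A catalog entry whose DLL is gone is precisely the broken link LSP-Fix removes; an unsigned DLL you cannot account for is the HijackThis "O10 - Unknown file" case. Assumptions of mine: English netsh output (the field names are localized on other language versions) and PowerShell 3 or later.

```powershell
# Added example (not from the original page).
function Get-WinsockProviders {
    # Turn the "Winsock Catalog Provider Entry" blocks of netsh output into objects.
    $providers = @()
    $cur = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($cur) { $providers += [pscustomobject]$cur }
            $cur = @{ Id = ''; EntryType = ''; Description = ''; Path = '' }
        } elseif ($cur -and $line -match '^\s*(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*)$') {
            switch ($Matches[1]) {
                'Entry Type'       { $cur.EntryType   = $Matches[2].Trim() }
                'Description'      { $cur.Description = $Matches[2].Trim() }
                'Provider Path'    { $cur.Path        = $Matches[2].Trim() }
                'Catalog Entry ID' { $cur.Id          = $Matches[2].Trim() }
            }
        }
    }
    if ($cur) { $providers += [pscustomobject]$cur }
    return $providers
}

function Test-WinsockChain {
    # Resolve %SystemRoot% etc. in each provider path and check the file behind it.
    foreach ($p in Get-WinsockProviders) {
        $dll    = [Environment]::ExpandEnvironmentVariables($p.Path)
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
        [pscustomobject]@{
            Id          = $p.Id
            Type        = $p.EntryType          # Base Service Provider / Layered Service Provider / ...
            Description = $p.Description
            Dll         = $dll
            Exists      = $exists
            Signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        }
    }
}

# Usage:
#   Test-WinsockChain | Format-Table -AutoSize
#   Test-WinsockChain | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' }
# If a provider's DLL is missing, Microsoft's fix (KB 811259) rebuilds the whole
# catalog from scratch:   netsh winsock reset   (then reboot).
```

Unlike LSP-Fix, which removes only the dangling entries, "netsh winsock reset" discards every third-party provider, including legitimate ones (some firewalls and VPN clients install LSPs), so run the report first and keep a note of what was there.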
PC Magazine Opinion: Corruption at the Jersey Shore
I did a little poking around in the Microsoft
Knowledge Base and found that this was not an unusual problem and that it was
caused by corruption of the Winsock. I hadn't thought about the Winsock—the
Windows TCP/IP socket API and IP stack—in years, at least not since the
advent of Windows XP. But it used to be a veritable Achilles' heel for
Windows systems.
The Knowledge Base gave command line NetShell
instructions that would reset the Winsock to its default configuration, and
also listed Registry entries that I could remove to force a reload of the
Winsock and TCP/IP stack. The two essential articles are 811259 and 299257.
But before I did that, I decided to look further to figure out how the
Winsock had become corrupted.
A little more investigation pointed to adware
and spyware. Evidently some ad/spyware modifies the Winsock or installs
itself into the IP stack to give ads access to your system—or to give a
hacker free rein. When you run the removal programs (you do, don't you?), the
shims inserted by the adware are not removed, but they no longer link to
anything. The stack becomes unstable, and it begins reporting errors and
behaving erratically.
I also came across a freeware application that
does a partial Winsock reset for you. WinSock XP Fix 1.2 creates a backup of
your registry and then repairs any Registry entries that may have been
affected by adware removal. Unlike the Microsoft solution, it doesn't remove
the stack and force you to reload TCP/IP.
I decided to try it (I had a recent, full
backup of my system on one of Iomega's great new REV 35GB removable hard
drives, so I didn't mind living dangerously), and it worked perfectly. No
more dropped wireless connections and no more "cable unplugged" error
messages. You can find WinSock XP Fix at a number of shareware sites,
including
www.spychecker.com/program/winsockxpfix.html.
Yahoo! Toolbar has an anti-spyware feature. CNET rates Y! Toolbar 5 out of 5:
"Yahoo has definitely become the toolbar to beat."
Intro Yahoo Toolbar - ZDNet Reviews
Yahoo offers a bewildering number of services
and options on its site, and the company's toolbar is no exception. With a
generous portion of specific types of searches, more customization options
than you can shake a stick at, a pop-up blocker that goes above and beyond,
and even a spyware killer, Yahoo Toolbar gets our seal of approval.
Installing Yahoo Toolbar was easy in our
tests; it took us less than a minute to download and run the install program
(0.4MB for the toolbar only or 3MB for the toolbar and Yahoo's Anti-Spy
utility). Once the toolbar is installed, you'll need to either sign in to
your Yahoo account or register for one--a minor inconvenience. Once inside,
you're then taken to a Web page where you can choose from literally dozens of
buttons and services. You can reorder the buttons in any way you want (most
toolbars don't give you that flexibility) and view icons and text or icons
only--impressive. Our sole complaint is that you can't resize the smallish
search box.
Yahoo Toolbar serves up a generous variety of
search types, including the Web, current site, images, local services, news,
products, maps, Yellow Pages, directory, stock quotes, and movie showtimes,
each using specific Yahoo search services rather than tacking "news on" or
"maps of" onto a search. All that's missing from the list is the weather, and
while an optional weather toolbar button is available, you will have to enter
a city or a zip code in the Web page. You also get a garden-variety
highlighter that calls out where your search results appear on a given page.
Yahoo Toolbar with
Anti-Spy - User opinions and free download at Download.com
"Good overall"
30-Nov-2004 10:50:00 PM Phil
from Massachusetts
First, I'll say that if any other adware detectors report adware or spyware
within the Yahoo toolbar, it's a false positive, because there isn't any.
Adware detectors often interfere with each other and detect each other as
adware, so this isn't surprising.
Now, to rate the product itself. On the
upside, it has more features than the Google toolbar, and the spyware
detector is pretty decent, although not as good as commercial products. The
pop-up blocker is effective at blocking most common types of popups, but is
quite powerless against certain obscure popup types, including those caused
by Java error handlers and a few other kinds. These popups are rare in the
real world though, and I would estimate that it blocks 90 to 95 percent of
all popups, and doesn't interfere with routine surfing. The one significant
downside is that it is a bit unstable.
The Y! Toolbar module has crashed Internet
Explorer about 7 times during the 200 hours that I've used it during routine
surfing, which isn't too awful, but hardly sterling, either.
Overall, I'd recommend it over competing
free toolbars like Google. Obviously, you can't compare free products
with paid products, but this is probably the best of the freeware toolbars.
It's also the most comprehensive, being the only one with pop-up blocking,
adware detecting, searching and navigating tools all-in-one.
"Helpful" 12-Nov-2004
03:10:02 AM Ai Tui
The spyware detector picked up on some dialers and adware that Spybot missed.
Also, I've been a big fan of the Yahoo toolbar for quite awhile. I'm on the
move a lot, in my office and in the field. The toolbar allows me to take the
bookmarks to the sites I use frequently with me and helps keep me connected.
If you are constantly prompted to remove 3rd party "Tracking Cookies" after
scanning your machine with Ad-Aware or SpyBot then your IE is not set up
properly!
Many web pages write a cookie to your computer's hard disk to record when you
visited their page and which pages you visited. A tracking cookie goes further
and records details such as how long you stayed on a page, what you ordered,
other pages you visited, and builds up a picture of your browsing. This
information is reported back to the company that paid for this service. Read the
privacy pages of these companies if you don't believe me, or read an article by
Keith Newman about it.
Mad about it? Don't get mad, get even. Install Ad-Aware (it's free - click on
'Ad-Aware') and delete all tracking cookies regularly.
The HOSTS file and the Restricted Zone (domains.reg) file both cover most of the
"Tracking Cookie" domains listed in the scanners' databases. The object is to
prevent these third-party cookies from being set in the first place, not to remove
them after the fact.
Netscape Navigator and Internet Explorer will still send out existing cookies
even after disabling cookies in the browser settings. You must manually delete
any/all cookie files on your system to eliminate being tracked by third-party ad
networks or spyware or adware providers.
You can solve most of the tracking cookies problem with these two things:
- A malware-blocking HOSTS file.
- IE -> Tools -> Internet Options -> Privacy tab -> Advanced: check "Override
Automatic Cookie Handling", set Third-party Cookies (the ones used to track you
across different web sites) to Block, and First-party Cookies to Accept or Prompt.
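Both "keep them from loading" controls this page recommends, the blocking HOSTS file here and the Restricted sites zone that IE-SPYAD's domains.reg populates, as an added example in PowerShell that is not the IE-SPYAD or MVPS code. Add-HostsBlock backs up the HOSTS file and appends only the domains not already present; Add-RestrictedZone creates the ZoneMap key for each domain with the DWORD "*" = 4, IE's number for the Restricted sites zone. Assumptions of mine: an elevated prompt (the HOSTS file is writable only by administrators), PowerShell 3 or later, and three constructed sample domains under the reserved .test TLD that stand in for a real blocklist.

```powershell
# Added example (not from the original page). Requires an elevated prompt.
function Add-HostsBlock {
    param(
        [string[]]$Domains,
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$Sink = '0.0.0.0'   # older lists use 127.0.0.1; 0.0.0.0 avoids a connect to the local machine
    )
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force
    # Hostnames already present: every field after the address on non-comment lines.
    $present = @{}
    foreach ($l in Get-Content -LiteralPath $HostsPath) {
        $f = ($l -replace '#.*$', '').Trim() -split '\s+'
        if ($f.Count -ge 2) { $f[1..($f.Count - 1)] | ForEach-Object { $present[$_.ToLower()] = $true } }
    }
    $new = @($Domains | ForEach-Object { $_.Trim().ToLower() } |
             Where-Object { $_ -and -not $present.ContainsKey($_) } | Sort-Object -Unique)
    if ($new.Count) {
        $lines = @("# added $(Get-Date -Format s) by Add-HostsBlock") + ($new | ForEach-Object { "$Sink`t$_" })
        Add-Content -LiteralPath $HostsPath -Value $lines -Encoding Ascii
    }
    $new   # what was actually added
}

function Add-RestrictedZone {
    # IE stores zone assignments as ZoneMap\Domains\<domain>[\<host>] with "*" = zone number (4 = Restricted).
    # Two-label public suffixes such as co.uk are not special-cased here.
    param([string[]]$Domains)
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($d in $Domains) {
        $labels = $d.Trim().ToLower() -split '\.'
        if ($labels.Count -gt 2) {
            $key = Join-Path (Join-Path $zoneMap ($labels[-2..-1] -join '.')) ($labels[0..($labels.Count - 3)] -join '.')
        } else {
            $key = Join-Path $zoneMap ($labels -join '.')
        }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
        $key
    }
}

# Constructed sample input, not a real blocklist:
$sample = 'ads.example-tracker.test', 'counter.example-ads.test', 'www.example-hijack.test'
# Add-HostsBlock     -Domains $sample
# Add-RestrictedZone -Domains $sample
```

The HOSTS entry stops every program on the machine from resolving the domain, while the zone entry only changes how Internet Explorer treats it (no scripts, no ActiveX, cookies blocked under the Restricted zone's defaults), so the two complement each other. Very large HOSTS files are known to slow the DNS Client service on Windows 2000/XP, which is why the MVPS list documents disabling that service.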
There are many arguments why cookies are not a bad thing at all. Among
their more benign uses are:
- Often cookies contain a unique code number so that website designers can
see how many surfers return to their site, which pages in the site are the
most popular, etc. This allows them to improve the design of their
website.
- Many sites such as portals and news providers such as Yahoo.com allow
users to set preferences, for example selecting which categories of news they
would like to appear on their homepage. These preferences are
'remembered' by means of a cookie.
- Cookies are used to remember log-in names and passwords, so that users do
not need to re-register every time they visit a site. For example the
New York Times website identifies users this way.
- Many shopping sites such as Amazon.com allow users to create a "shopping
cart" of items they wish to purchase. The computer remembers your
purchase list by means of a cookie placed on your computer.
And, contrary to rumor, it is impossible for a cookie to transmit a worm or a
virus. However, the opportunity to "personalize your web experience" by means of
cookies recording your preferences and interests is a double-edged sword,
because few consumers realize just how much information about themselves they
are giving away as they surf the internet, and fewer still realize how easy it
is for this "online profile" to be linked to their real identity.
Cookie Viewer [freeware] allows you to view the information stored in a cookie and
delete unwanted cookies from your hard drive. Note: when viewing the cookies stored
on your drive, if you discover any unwanted cookies, make a note of the server they
come from (usually a third party) and add that site to your "Always Block" list in
Internet Options | Privacy tab | Edit button. On a home PC, Patrol (Startup
Manager) can help you manage tracking cookies.
See Usenet newsgroups for additional discussions about the removal of spyware
from your system.
Copyright © 1996-2008 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author's free time.
Submit comments
This document is an industrial compilation designed and created exclusively for
educational use and is placed under the copyright of the Open Content License (OPL).
Original materials' copyright belongs to their respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page
are those of the author and are not endorsed by, nor do they necessarily reflect,
the opinions of the author's present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
June 02, 2008