Dr. Nikolai Bezroukov
Warning: This document is mainly oriented toward helping home PC users. Users generally should not install antispyware software on their corporate PC...
Spyware usually infects the computer when you browse infected or rogue Web sites. You can also get it via email, disguised as a useful free utility or a picturesque presentation of Paris, London, Moscow, etc. Even nastier cases are when spyware distributors run a fake antivirus utility, or some rogue site pretends to be a spyware-fighting site and offers infected downloads. As they often want money for disinfecting you from the spyware they infected you with, this is as close to extortion as one can get.
Sometimes a fake disinfection or diagnostic utility/procedure ("your TCP connection is running slow, click to fix this problem") suggested in a pop-up screen is in reality spyware that infects your computer. This trick is directed at users who do not understand much about Windows and TCP/IP.
Any program that has hidden functionality that communicates data from your computer to the outside is spyware. Often those programs are tracking programs (which report your activities to the advertising providers' web site for storage and analysis, the 'spyware' agent) or "advertisement substitution" programs, which replace legitimate advertisements in web pages with their own, redirecting advertising revenue to specific sites.
Not only are those additional modules installed on your system without any warning or approval, they are often designed in such a way as to be difficult to detect and remove. They often contain a "deletion resistance" mechanism typical for viruses.
Even though the name may indicate so, spyware currently is not an illegal type of software if the functionality that it contains is adequately explained in the "fine print" and there is a removal capability. But the fact is that even if you agree to the "terms and conditions", what the adware and spyware providers do with the collected information, and what they're going to 'feed' you with, is beyond your control. That makes it a highly undesirable activity and it should be banned from the Internet and/or your computer system. There is a huge awareness problem that needs to be dealt with in educating users about spyware. Right now this kind of education is usually connected with the user's attempt to remove accidentally installed spyware from the PC: after such an experience users become more conscious and usually suspicious about "free gifts" from the Internet.
Often this is a non-trivial task, as this kind of software contains special mechanisms to make removal difficult or impossible for a regular user. In a sense it hijacks the user's PC.
As with anything, an ounce of prevention is worth a pound of cure: using a non-standard browser (for example Opera), using a disposable virtual machine or "public PC" mode in Windows.
In IE, private browsing, setting cache deletion after each session and checking Tools/Manage Add-ons are also useful precautions.
A more general procedure includes baselining your Windows directory, sensitive parts of the registry and the list of processes just after booting, before you open any application.
The first thing you can do is to install several useful antispyware utilities to detect what kind of infection you have, so that you can browse Google or Bing to find the best way to disinfect it.
You can get a simple map of installed components on your PC by using HijackThis. That log needs to be saved and can be posted on several Web sites that can provide some helpful advice.
If you have several PCs and can use another, just mothball this one and use the other PC. Transferring relevant data is usually much simpler than finding a cure for some nasty spyware infection. In three to four months the spyware that infected your computer will probably be detected by Microsoft's free AV, and this PC can be disinfected without spending dozens of hours browsing the Web and downloading God knows what AV programs that supposedly are one step ahead for this particular spyware at the time. This idea can also be used as an excuse for buying yourself the brand new laptop you dreamed about but had reservations about because of its price and usefulness, given the existence of the other laptop :-).
If you still have a desire to fight it, you need to switch into investigative mode and try to understand what new components were recently installed on your PC. This is possible only if you have a recent full backup of your C drive. If you don't have such a backup, you are out of luck. Actually, making regular backups of the C drive is the most useful AV service for yourself you can imagine (and if you get tired of playing the role of computer Sherlock Holmes you can just restore one of the older images using Acronis True Image or Symantec Ghost). See Softpanorama Spyware Defense Strategy.
Still even without a backup you can create five lists about your computer:
- The list of your current in several parts of registry (starting with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run section of the registry (using
- The list of current processes and their association with files on the disk, using free Process Explorer or other free
- The list of files in the following directories:
  - C:\Windows (just the directory, without subdirectories)
  - Windows\System32 (the whole tree with subdirectories)
  - C:\Documents and Settings\your_user_name\Application Data. For example "C:\Documents and Settings\dell\Application Data\"
  - Windows Temp directories: "C:\Documents and Settings\your_user_name\Local Settings\Temp\". For example "C:\Documents and Settings\dell\Local Settings\Temp\"
- Your currently opened network connections, using netstat or a more specialized utility like Microsoft Network Monitor 3.3. Version 3.3 has a new feature called ‘Process Tracking’ which helps to identify any scamp applications sending network data. You can also view all the network traffic generated by processes on your machine and view the frames associated with each process by using the conversation tree.
- The list of processes that use Svchost, using, for example, the free Svchost Process Analyzer 1.0
Generally you should have a baseline that makes it possible to compare your current state with the previous one. If you don't have a similar PC at home that can serve as a baseline, you can usually find a friend who has a setup similar to yours (that's easy in a corporate environment with its "semi-standard" PCs ;-).
Also, if you have an image of a previous version of drive C you can install it, upgrade it to current and use it as a reference version. Most image programs permit browsing the image and comparing files.
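The following PowerShell script is an added example, not code from the original article: it saves the five lists described above into a timestamped folder and, when given an earlier snapshot, prints the entries that are new since then. It assumes Windows PowerShell 5.1 or later; the script name, the storage folder, the file names and the extra RunOnce and per-user keys are choices made for this example, and %APPDATA% and %TEMP% stand in for the Application Data and Temp directories named above.

```powershell
# Added example (not the article's own code). Assumes Windows PowerShell 5.1+.
# Hypothetical usage:  .\baseline.ps1                     take a snapshot
#                      .\baseline.ps1 -Previous <folder>  snapshot, then list what is new
param(
    [string]$Root = "$env:USERPROFILE\pc-baseline",  # assumed storage location
    [string]$Previous                                 # folder of an earlier snapshot
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$snap  = (New-Item -ItemType Directory -Path (Join-Path $Root $stamp) -Force).FullName

function Save-List([string]$Name, $Lines) {
    # Sorted, de-duplicated text keeps two snapshots comparable line by line.
    $sorted = @($Lines | Where-Object { $_ } | Sort-Object -Unique)
    [System.IO.File]::WriteAllLines((Join-Path $snap "$Name.txt"), [string[]]$sorted)
}

# 1. Autostart entries: the Run key named in the article plus RunOnce and the
#    per-user copies (the extra keys are this example's choice).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Save-List 'autoruns' $(foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $key = Get-Item -Path $k
        foreach ($v in $key.GetValueNames()) { "$k|$v|$($key.GetValue($v))" }
    }
})

# 2. Running processes and the files they were started from. PIDs are left
#    out: they change on every boot and would drown the diff in noise.
Save-List 'processes' (Get-CimInstance Win32_Process |
    ForEach-Object { "$($_.Name)|$($_.ExecutablePath)" })

# 3. Files: Windows root (flat), System32 (whole tree), Application Data, Temp.
$files = @(Get-ChildItem $env:windir -File -Force -ErrorAction SilentlyContinue)
foreach ($dir in "$env:windir\System32", $env:APPDATA, $env:TEMP) {
    $files += @(Get-ChildItem $dir -File -Recurse -Force -ErrorAction SilentlyContinue)
}
Save-List 'files' ($files | ForEach-Object {
    "$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.ToString('s'))" })

# 4. TCP endpoints from netstat, with the owning process name instead of the PID.
$procName = @{}
Get-Process | ForEach-Object { $procName["$($_.Id)"] = $_.ProcessName }
Save-List 'connections' (netstat -ano | Select-String '^\s*TCP' | ForEach-Object {
    $f = -split $_.Line                      # proto, local, remote, state, PID
    # Listening sockets have a remote port of 0; record the local side for them.
    $endpoint = if ($f[2] -match ':0$') { "listen $($f[1])" } else { "remote $($f[2])" }
    "$endpoint|$($procName[$f[4]])"
})

# 5. Services hosted inside svchost.exe.
Save-List 'svchost' (Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' } |
    ForEach-Object { "$($_.Name)|$($_.State)|$($_.PathName)" })

# Compare with an earlier snapshot: print lines present now but not then.
if ($Previous) {
    $prevDir = (Resolve-Path $Previous).ProviderPath
    foreach ($file in Get-ChildItem $snap -Filter *.txt) {
        $old = New-Object 'System.Collections.Generic.HashSet[string]'
        $oldPath = Join-Path $prevDir $file.Name
        if (Test-Path $oldPath) {
            foreach ($l in [System.IO.File]::ReadAllLines($oldPath)) { [void]$old.Add($l) }
        }
        $new = @([System.IO.File]::ReadAllLines($file.FullName) |
                 Where-Object { -not $old.Contains($_) })
        "== $($file.BaseName): $($new.Count) entries not in $prevDir =="
        $new
    }
}
```

Take the first snapshot right after a clean boot, before opening any application, and keep the folder off the system partition. The Temp and connection lists change constantly, so new lines there need the same verification as any other suspicious entry.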
The simplest and most popular baseline utility is HijackThis. After you create a baseline you will usually find suspicious entries. Check them with Google and you will find some additional information. Create a HijackThis log and post it on one of the Web forums that help with such problems, for example Web User Forums. The map looks like this:
this is myLogfile of HijackThis v1.97.7
Scan saved at 7:20:03 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
.. ... ... ...
Do not jump to conclusions and be careful before removing suspicious entries. Windows is a mess and often such entries belong to legit software. Also the Web is a mess, and a lot of sites that write about spyware belong to enthusiasts who do not have the necessary qualifications, or even belong to malware authors who want to mislead you. That means that Google search results can mislead as much as they can provide useful information. If some site states that a particular DLL or SYS file is a Trojan, this is not necessarily true. Such information should always be verified.
Microsoft has the DLL Help Database to determine if a particular DLL belongs to any of their applications.
When analyzing the processes your PC is running you can also use process/service information databases, for example ProcessLibrary.com
You can also use some information from the spyware program to find it. For example, if it accesses a specific IP (visible in netstat) you can Google this IP and find useful information about disinfection.
Or if your browser home page is reset to some page, then this page can be used to search Google to find links to information from people who already dealt with this problem.
Again, not all spyware can be found this way and not all components disinfected, but it is a useful first step to kill the rogue process or processes on the infected machine, at least those which can be easily detected.
Task Manager in Windows XP is an underpowered program that does not provide useful information for this task.
The Microsoft program that provides the necessary information is Windows Defender.
A good explanation of how to use it can be found at Windows Defender's best feature - Software Explorer (Windows Vista for Beginners).
Paradoxically you can use Windows Defender only if you did not install Microsoft Security Essentials with its free AV program. If this is the case then the alternative tool to use is Process Explorer from the Microsoft Windows Sysinternals site. You can easily download Process Explorer at the Microsoft TechNet Windows Sysinternals site and it's free.
See How To Identify Unknown Processes In Windows
If you created regular backups of your C drive you can use Softpanorama Malware Defense Strategy
Generally only full reinstallation guarantees that you completely get rid of a complex piece of malware -- often an antivirus program deletes part of the beast and the remaining part can download the missing parts. Also, anti-virus programs that scan the harddrive for offenders are always one step behind malware authors. At the same time non-scanning approaches to malware defense remain under the radar, as antivirus companies now represent a powerful lobby that is hostile to the spread of any technology that can undermine their revenue stream. Symantec's suit against Microsoft is a pretty typical reaction to such threats:
"Symantec, like a lot of security vendors, is afraid that if Microsoft catches up on security they'll win the market by default," said Plato. "I think it shows, once again, that Symantec doesn't have technology that stands on its own merits and they have to sue their way to profitability."
Also anti-virus companies often use questionable tactics to win customers (Forbes, Jan 11, 2012):
Security firms often warn users about “scareware”: malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world’s top antivirus firm, Symantec, is itself a scareware scammer.
James Gross, a resident of Washington State, filed what he intends to be a class action lawsuit against Symantec in a Northern District California court Tuesday. Gross claims that Symantec defrauds consumers by running fake scans on their machines, with results designed to bully users into upgrading to a paid version of the company’s software.
Among alternative approaches are:
- Microsoft SteadyState technology (Existed in XP, was dropped in Windows 7 although can be emulated by native capabilities of Windows 7)
- Disposable images based defense. It exists in two major flavors:
  - Disposable virtual machine based defense.
  - Ghost-style image of bootable drive based defense -- this one we will call Softpanorama malware defense strategy.
... ... ...
You can eliminate arbitrarily complex infections by restoring a "clean" state from the backup image. Please note that a full disk backup to an image does not differ much in running time from a full AV scan of the harddrive. In both cases almost the full content of the drive is read. But despite the similar time to run, the backup provides you with the opportunity to restore this state of Windows anytime you want. As such it is the better option. Please understand that the only difference between a backup and an AV program scan of the hard drive is that the AV program does not send the data it reads to another drive and skips some files. Otherwise the amount of bytes read from the harddrive and the total time required for the scan are comparable.
The stupidity of the idea of the "best AV scanner"
Typically an additional hidden agenda behind the frantic Internet search for a cure by a user with an infected PC is the very popular idea that it is possible to find "the best anti-malware scanner". See for example Top Spyware Scanners.
In reality the idea of a perfect cure for malware is very similar to the search for the Philosopher's stone, the mysterious substance that can turn lead into gold. This is actually a pretty apt analogy, as an infected computer is as close to a brick of lead as one can get. The problem of converting lead to gold remains intractable.
Malware is a generic term that encompasses a tremendous variety of products, and each approach to combating it faces limitations on certain types of malware. Also the geographical distribution of various strains of malware is not uniform; in other words malware is local to a particular geographical area. Only a tiny percentage becomes global. So while there definitely can be a best AV for a particular type of malware at a given period of time (until all the others get the sample and catch up), there is no and can't be a "generic" best AV. The scanning approach is by definition a solution mired in the past, as there is always a lag between the signature database and the state of things "in the wild". Also signature databases are universal while malware distribution has distinct regional features (see also Overview of VB’97). All those claims are just PR designed for really stupid users.
For example a plain-vanilla signature-based scanner will fail on rootkit-based malware. It will also fail if the malware is too new and was not included in the installed version of its signature database (the lag is typically at least a week since the detection, sometimes more, even for the most money-rich AV vendors such as Microsoft, McAfee and Symantec, who can afford farms of lab computers specifically for infections and automatic signature creation tools). For all this period it will happily report "no infections found".
Also some types of malware install additional drivers or components on the computer which can provide for the recovery of deleted components on the next reboot. If such a component was missed, then the malware scanner can successfully delete malware processes and some files that constitute the Trojan, but this disinfected state will last only till the next reboot.
Some malware uses random names to make it more difficult to find and delete the registry entries that launch it after it started. This list can go on and on. Right now malware authors have started to dust off the bag of tricks invented by DOS virus writers.
Only changes in Windows architecture can provide lasting malware defense effects, and the last thing Microsoft wants is a break in compatibility. In this sense the most secure version of Windows is Windows 8 that runs on tablets with non-Intel CPUs. Moreover, the frantic search for an anti-malware program that can remove a particular infection subjects PC users to additional dangers. Not all anti-malware vendors play fair. The recent proliferation of fake antivirus products is one example of the trend. In January 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. That means that they have that amount of money. See also People of the State of New York v. Direct Revenue, LLC.
The truth is that there is no perfect antispyware/antivirus program and there cannot be such a thing. This is a variant of the classic "shell vs. armor" story. Malware authors quickly adapt to the capabilities of existing tools when writing new versions or a new generation of malware based on more deeply analyzed vulnerabilities of Windows and the most popular applications. Now states have joined the game and part of the "state-sponsored" malware has got into the wild.
But even without helpful state-sponsored malware, malware authors have access to funds, as a substantial part of malware is now about money (via direct or indirect extortion). And due to the typical return on investment they do have the motivation to achieve their goals. To get an idea of the technical complexity of spyware please read the description of Conficker (see Conficker-analysis). All this suggests that scanner-based protection is far from being the best way to protect a PC from spyware. It is valuable as a generic detection tool, as sooner or later popular spyware will get into the signature database. But that can take a month or more, if you are unlucky. Enterprise users can submit samples and get a modified signature database in a day or so, but that service costs money.
My claim is that a better (or equal ;-) level of protection is achievable using image-based restores of the C drive. That means that it is preferable to limit yourself to a free antivirus/antispyware program, like the offerings from Microsoft (Microsoft Security Essentials), AVG Free, Avast! Home or Avira Antivir Personal, and invest money into creating a fast backup infrastructure for system partition images.
My claim is that a better (or equal ;-) level of protection is achievable using image-based restores of the C drive. It takes less than a couple of hours and, unlike AV-based disinfection, is a 100% reliable disinfection method.
The key value of AV/antispyware scanners is not immediate disinfection, but alerting you to the problem "after the fact" in case you missed it. All those tools are usually one step behind spyware writers. This is a generic weakness of AV/antispyware scanners and nothing can be done about it. They are always fighting the last war.
So buying some commercial AV/antispyware program, for example Norton Antivirus 2010 from Symantec for $20 (which is actually $60 if you have three computers at home; see NORTON ANTIVIRUS 2010 1U/3PC), is not a wise move. While it might be better on some spyware, it is definitely worse than Microsoft's Security Essentials in some areas. Historically Norton Antivirus home edition used to cause so many problems on Windows that it could be classified as a Trojan horse in its own right, no less dangerous than most adware ;-).
Generally the fewer AV/antispyware programs are running on your PC, the more stably it works. So the one free from Microsoft is more than enough. At least Microsoft's software is less likely to interfere with the stability of the OS. The less known and smaller the AV company, the less money it has for testing and the higher the danger of side effects on your configuration of the OS. There is no free lunch -- yes, smaller companies are more nimble and often provide better quality of disinfection. But they can crash the OS or interfere with some applications.
Softpanorama Strategy: Up-to-date image of the C-drive as an effective antispyware tool
Money spent on commercial AV would be better spent on creating a fast image-based backup subsystem and 1 or 2 TB USB drives. This amount of space permits creating images on a weekly basis (or even daily if you move your data folder to another partition) and keeping them for several months. In this case you can restore your computer in case of trouble in approximately three to four hours instead of three to four days, and can resume your work in an hour or so, saving countless hours on the phone with the vendor or researching the subject on the Internet (which can actually lead to additional infections ;-).
A SATA or iSATA connection to the backup drive permits backing up/restoring 30G of data on the C partition (which is the typical size of data on the C partition in Windows XP) in approximately 15 min. USB 2.0 takes approximately twice as long, but you can still fully restore a 30 GB image in less than an hour. USB 3.0 is close to iSATA.
An additional step in this pretty simple but very effective anti-spyware strategy involves splitting your harddrive into two partitions and storing some of your user folders (Documents and Settings in Windows XP) and private data on the second partition, which you should back up daily using Acronis image or a similar Ghost-based backup tool. For those who store a lot of media on this drive, this makes creation of the image of your system partition quicker, as it has a smaller size. For those who do not store much data on the C: partition this step can be omitted. But those are tactical issues. The key strategic idea here is using image-based fast restore instead of an AV/antispyware program. That presupposes rigid discipline in making backups, so it is also beneficial for other problems not connected with spyware and for crashes of the computer. So the strategy has positive side effects, allowing you to protect your vital data better (actually much better than usual).
While many simpler variants are possible, in the variant described below we will assume the use of one of the following devices as backup storage:
- USB drive (as of March 2010 USB 3.0 enclosures and cards are available and are slightly faster than USB 2.0; probably equal in speed to eSATA, as the limitation is the speed of the drive, not the channel). This is the simplest and most easily implemented option. USB drives are really cheap. A 1TB drive can be bought for ~ $70, 2TB for $90. There are even 2.5" 1 TB drives now (for example the $89 Western Digital My Passport Essential SE 1 TB USB 3.0-2.0 Ultra Portable)
- eSATA drive. Those are a rarer breed and not all computers have an eSATA connection. Theoretically they are three or more times faster (1.5 Gbit or 3 Gbit) than a USB drive, but in practice the speed is approximately double that of USB drives.
- Firewire drive. This type is mostly used with Apple computers.
- Internal drives connected to the SATA or SAS controller. This is possible mostly for desktops. Few laptops (for example the Dell Latitude series: D6xx, D8xx, E4xxx, E5xxx, E6xxx, etc) allow replacement of the DVD drive with a second harddrive and as such can use this scheme.
To make recovery faster and less labor-consuming, this backup drive can be split into two partitions: one small for booting the OS (~ 60GB) and the second for backup images. Two drives can also be used. The idea is to have the ability to boot the OS with all components from the partition on the second drive. Summarizing, we need to have:
- The small (60-120G) partition (or drive). It will be used for restoring the image that you have, so the disk can be booted into Windows and you can continue work almost immediately without frantic efforts to restore the internal C drive (efforts that can often lead to important data being destroyed, multiplying the damage from the infection). Using a second drive is especially convenient for laptop users. In this case you can buy a drive identical to or slightly bigger than the one you have in your laptop. If your harddrive crashes you can replace it with the backup drive without waiting for delivery of a new drive. The latter happens more often on laptops because they are usually abused much more than desktops.
- The second, large partition (or the second drive). It will be used exclusively for storing images of the C partition and regular backups of user data. It should have a large size (at least 1TB or better 2 TB).
Spybot is one of the two most popular free programs for fighting spyware and adware (the other is Adaware). It is donation-ware. That means you don't have to pay for it, unless you want to.
First you need to download the latest version of Spybot from Spybot Download site or Spybot - Search & Destroy from Safer Networking. It is free for private use.
Why use the Free Edition?
If all you require is to be able to scan and remove malware and rootkits from your system. Or if you want to protect your PC by immunizing your browser and hosts file, the ‘Free Edition’ is the choice for you. If you are a more experienced user you can also check various ‘autostart’ locations using the ‘Startup Tools’. Spybot 2 can scan single files or specific folders and unlike other software it doesn’t matter if the file is located on your local drives or on a network share. Spybot 2 comes with its own whitelist which helps to identify if files are legitimate or not. This useful addition helps to speed up the scan. Even though this fully functioning product is free of charge you can still get free support by emailing our support team
It contains several useful free products:
Download the installation file for Spybot and RunAlyzer to a temporary directory on your hard drive, and you're ready to go.
To install Spybot, double-click on the self-extracting archive and follow the prompts in the Setup Wizard. Spybot installs like a typical Windows program. Once the installation is complete, you can start using it. No reboot required.
Before using the utility please print and read help pages for Spybot after the installation.
To scan the computer with the Spybot, double-click on the desktop icon.
First of all you need to check for updates by clicking the Search For Updates button. This will ensure that the Spyware signatures used by Spybot and the program itself are up to date. If there are any updates, click the Download Updates button and let them download and install.
It is very important to run Spybot with the latest signatures.
The default for Spybot is to run in Easy Mode. In this mode, Spybot searches for problems using a predefined configuration.
Softpanorama is a site for power users and I recommend running it in Advanced Mode. To run Spybot in Advanced Mode, you need to modify the icon, deleting the /easymode key:
All configuration changes are made through the menus contained in the Settings tab. Here are the main options:
Autorun settings. Like antivirus software, Spybot has the ability to run whenever the system is booted (autorun) and to detect and fix any problems automatically. If you want this mode, you can enable the following settings under the Automation section of the Settings tab:
- Run Check On Program Start
- Fix All Programs On Program Start
- Rerun Checks After Fixing Problems
- Immunize On Program If Program Has Been Updated.
- Search The Web For New Versions At Each Program Start
- Download Updated Included Files If Available Online
Expert Settings. You should activate Expert Settings to use the program properly. Among other things the Expert Settings menu activates the Secure Shredder to run automatically when Spybot removes files. Because the Secure Shredder permanently deletes removed files, this tool should not be used automatically. To make it easier to select file sets, go to the Settings tab. Under the Expert Settings menu, enable the following settings:
These settings activate a drop-down list in the Search & Destroy screen. This list contains an easy-to-understand description of the types of scans available.
The Directories tab. The Directories tab is used to specify where downloaded files are stored. Spybot will scan this directory whenever a check is run. The software in the specified directory will be scanned to see if any spyware or Trojans will be installed with the downloaded software. To add a directory to the list, right-click in the blank under the Download Directory heading and select Add A Directory To This List. Browse for the folder you want to add to the list. At the bottom of the screen, select the Check Also Subdirectories Of The Above check box. Repeat the procedure for any additional folders you want checked by Spybot.
After configuring Spybot you need to scan your system. Click on the Spybot-S&D tab and click Search And Destroy. Next, click on the File Sets button and select the type of scan to run. For this example, a Minimal Spyware Check was run. Click Check For Problems.
When the scan is complete, Spybot will display the results. Problems are divided into three categories. Red entries indicate spyware. Spyware problems are always selected to be fixed by Spybot. Green entries indicate usage trackers. You probably won’t cause any problems by removing these from your system. Black entries are system internals. Make sure you know exactly what areas of your system will be affected before removing any of these entries.
Spybot automatically selects spyware problems to be fixed, so the next step is to click on the Fix Selected Problems button. If there are any problems that cannot be fixed because a program is in use, Spybot will attempt to correct the program automatically the next time the system is rebooted, before the spyware program is started.
Now, click on the File Sets button and select Usage Tracks Check Only for the next scan. Click on Check For Problems, and Spybot will run a check for Internet usage trackers. To remove individual trackers from your system, click on the check box next to the tracker in the results, and then click on the Fix Selected Problems button. Spybot will remove the selected trackers from your system. To remove all usage trackers, click Select All Items and then click on Fix Selected Problems.
The same procedure applies when Spybot runs a check on your system internals. This check is looking for registry inconsistencies, broken desktop links, and bad paths to executables. When a check on system internals is run, make sure you understand the output. Removing reported registry problems, and other entries related to system performance, can cause problems for your system.
The Tools menu controls several tools associated with Internet Explorer and services run at startup.
At the top of the Hosts File screen, click on Add Spybot-S&D Hosts List. The Spybot hosts file will now be used instead of your default hosts file. To remove the Spybot hosts file, click on Remove Spybot-S&D Hosts List.
Note: Using the Spybot hosts file can cause decreased performance. Read the FAQ included with Spybot to correct these problems for your version of Windows.
The Process List tab displays all processes running on your system. Although any process may be killed (stopped) through this tab, it is intended primarily as information for technical support. To kill a process in this list, select the process and click on the Kill button at the top of the window.
System Startup Menu
The System Startup menu lists all programs that are started when Windows is launched. This menu allows the user to change the path to a Startup program or change the command used to execute the program. You can also delete any program from Startup or insert a program to be started with Windows.
To view any item in the System Startup list, select the item and click on the Info button at the top of the System Startup screen. To disable a program run at startup, or to allow a disabled program in this list to start with Windows, select the program and click on the Toggle button at the top of the screen. To change the path to a program run at startup, or to change the command options run with the program, select the program from the System Startup list and click on the Change button at the top of the screen. The menu also gives you the ability to add and configure new startup programs. To add a new program to the Startup list, click on the Insert button at the top of the screen. Make the program available to All Users On Startup or only to the Present User. Select how the program will be run. There are three selections available:
Provide a name for the registry entry and select the path to the executable file. A new entry with the value you enter will be added to the list of programs run at system startup.
This is essentially creating your custom hosts file. Be careful. The Spybot Immunization function is controlled through the Spybot-S&D tab. It provides four functions:
This is a more risky and more intrusive option, and your mileage may vary.
CoolWebSearch, or 'CWS' as many refer to it, has become one of the leading spyware programs affecting home users. It has surpassed a lot of very annoying hijackers such as Lop, Xupiter and Whazit. Today there are over 100 variants of this spyware engine (allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc.)!
CoolWebSearch (CWS) can not only hijack your browser to any of its variant URLs but has also been known to cause major Internet Explorer slowdowns. This 'trojan' enters your computer via a ByteVerify exploit in the Microsoft JavaVM and installs itself. For more information please see the following link.
Merijn (author of the popular anti-spyware program HijackThis) has made a tool to get rid of CoolWebSearch, including many of its variants.
Details Spybot © ™ - Search & Destroy
Spybot – Search & Destroy - Wikipedia, the free encyclopedia
spybot_search_and_destroy By PCWorld Staff review (Jul 21, 2011)
Thanks for recommending this freeware - I recently cleaned my pc from a Trojan which disabled the wallpaper and gave a warning tool in the task bar telling me to buy some anti malware software. I knew this was a hack from the start and set about cleaning the registry, resetting dodgy files in SYSTEM32 to a .doc extension, etc. but I was not able to clean certain items - I was not allowed to delete certain entries from the registry (in particular the RUN key) - seemed like a permissions problem. I ran the recommended program in safe mode booting of XP and I cleaned everything it found and the machine seems much happier now!
What I would like to know is how you remove an item from the registry when you know it's bad. I tried messing about with the permissions on the item but nothing worked.
... ... ...
Keep up the great work!
There are several good free registry editors and watchers. See Free Registry Tools for more information. But the first step is easy to do with the regular Windows registry editor (regedit.exe):
Often spyware is pretty primitive, and removing the component that is installed in the Run registry key disinfects the PC.
To do this, follow the steps outlined below. Be very careful working with the registry and do not delete entries just because they look suspicious. Check each of them as outlined below:
- Open your registry in regedit:
  - Click "start" (bottom left of your screen)
  - Select "Run"
  - Type "regedit" in the command line displayed
  - Click OK.
- In the tree that is shown, select HKEY_LOCAL_MACHINE:
  - then click on the + sign for the key SOFTWARE
  - then click on the + sign for the key Microsoft
  - then click on the + sign for the key Windows
  - then click on the + sign for the key CurrentVersion
  - then click on the + sign for the key Run
- Put a bookmark on the Run entry (click Favorites, Add to Favorites and preserve the name Run that Microsoft Registry Editor suggests), so that you can get to the same place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries that have strange names, load programs from strange locations, etc., but don't take any action on them yet.
- Open Windows Explorer. Click on Tools, Folder options, View, and Details View, and go through the following settings:
  - Hide extensions for known file types
  - Hide protected operating system files
  - Show hidden files and folders
  - Remember each folder's view settings

  Then click Apply to All Folders and OK.
- Find each suspicious file from the printed list of the Run section and check its creation date. After that go to the listed directory, find the file, left click and click on Properties. Check the Version section. If the Description is missing, the Version is missing, or the company is unknown, then the file is suspicious.
- For each suspicious file, search Google. If the Google search proves that this entry belongs to spyware, simply delete the key.
- For each other file, try to search Google as well, but be critical of the results. Do not rush to delete it without additional consultation in one of the forums recommended on the Fighting Adware/Spyware Paranoia page.
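The manual checks above (list the Run entries, locate each file, look at its creation date and its Description, Version and Company properties) can also be gathered in one read-only pass. The script below is an added example, not part of the original page or of any tool it mentions; it assumes PowerShell 3.0 or later, and the helper name `Get-RunExecutable` is hypothetical.

```powershell
# Added example: read-only triage of the HKLM Run key. Nothing is changed or deleted.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunExecutable {   # hypothetical helper name
    # Extract the program path from a Run command line.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }           # "C:\dir\app.exe" /args
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') {   # C:\Program Files\app.exe /args
        return $Matches[1]
    }
    return ($c -split '\s+')[0]
}

$key = Get-Item -LiteralPath $runKey
$report = foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    $path = Get-RunExecutable -Command $command
    # Bare names such as rundll32.exe carry no directory, so look them up on PATH.
    if ($path -and $path -notmatch '^([A-Za-z]:|\\\\)') {
        $found = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $path = $found.Path }
    }
    $file = $null
    if ($path) { $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }

    $reasons = @(); $created = $null; $company = $null
    if (-not $file) {
        $reasons += 'file not found at listed path'
    } else {
        $created = $file.CreationTime
        $v = $file.VersionInfo
        $company = $v.CompanyName
        if (-not "$($v.FileDescription)".Trim()) { $reasons += 'Description missing' }
        if (-not "$($v.FileVersion)".Trim())     { $reasons += 'Version missing' }
        if (-not "$company".Trim())              { $reasons += 'Company missing' }
    }
    [pscustomobject]@{
        Entry = $name; Command = $command; Path = $path
        Created = $created; Company = $company; Review = ($reasons -join '; ')
    }
}
# Entries with a non-empty Review column come first; research each one before acting.
$report | Sort-Object Review -Descending | Format-List
```

A non-empty Review column only marks an entry for the research step described above; whether a listed company counts as unknown is still a judgment the reader makes from the Company column.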
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019