How to Remove Spyware


  • 8/6/2019 How to Remove Spyware

    1/74


    Introduction

    There is no single tool or easy way to remove spyware. However, using a combination of tools and a better understanding of running processes can make the whole job a lot easier and less painful. This guide walks you through a typical spyware removal process and teaches you how to use each tool properly so that you do not damage the system or the user's files in any way. Every tool listed in this guide was free on the Internet at the time of this writing. Check for updated software for each one at least once a month; most of the programs have an auto-update feature. Keep in mind that the most powerful tool you can use when removing spyware is Google (or whatever search engine you prefer). The second most powerful tool is prevention education. Teaching the user safe web surfing habits and what they can do to avoid getting re-infected can save a lot of time in the future. Most users get spyware because they don't understand what they are doing wrong. You will find a handy article at the end of this manual on how people get spyware; feel free to print it out and give it to users, because every one of them will ask you "How did I get this?" Each program in this manual can be very powerful, and unless otherwise stated I suggest keeping the standard settings until you become more comfortable with the program itself. I will try to list any specific dangers of each program that might cause problems later on with the system. Throughout this manual I have highlighted actions or things to be aware of in yellow. This is not how the program will look when you are running it; the highlighting is just a reference point to make things easier to spot. Last note: it is impossible to know whether you have truly removed a piece of spyware in its entirety. Unless you were running a monitoring program at the time each piece was installed on a particular machine, there is no way of knowing whether every single component it installed has been removed. This doesn't mean that our efforts are for nothing; just don't get too discouraged if some spyware seems to get the better of you.

    WARNING
    Failing to follow the instructions in this manual, or the proper instructions for each program used, can result in damage to the system, including data loss and system failure.

    Disclaimer
    The author of this document assumes no responsibility for what may happen to a machine following the procedures outlined in this document. This is merely a guideline. It is up to the reader to determine the best course of action, including but not limited to backing up the user's data, backing up the registry, and any other measures the reader deems necessary to prevent damage to the system or the user's data.


    Tools
    Tools of the trade

    List of tools needed.

    This is a list of tools that are required to remove spyware. Like anything else dealing with computers, there are hundreds of tools to do the same job, and the same goes for spyware removal. These are the tools I have used every time I remove spyware, and they seem to work pretty well. Are there better tools available? That is up to the user. The good thing about working in a corporate environment is that you always get plenty of chances to test a new tool. Let's start with the basic tools I feel are required to remove spyware. Each tool listed is linked to its respective website where you can download the latest version. The tools I included with this manual are not available on the web (Win2kfiles.exe, XPProFiles.exe, Wincdfix.bat).

    Spybot-S&D: Tried, tested and free, this tool has been around since the beginning of spyware and does a really good job.

    HijackThis: A great tool for analyzing startups, BHOs, registry entries and more.

    CodeStuff Starter: Gives detailed information on programs that run at startup, along with detailed descriptions of running processes.

    Ad-aware: A good utility for getting rid of spyware. It will pick up the slack of what Spybot S&D leaves behind.

    Recommended Tools

    The tools listed in this section each have their own unique quality in fighting spyware. Some of them weren't even designed for spyware but work great on it nonetheless. Not all of these tools are needed when removing spyware, but when you get a difficult system they can come in handy. It's better to come prepared than to come up short-handed and spend more time than needed trying to figure out how to get around a stubborn DLL or process.

    DLL.Compare.exe (Used to find odd DLL files that could be used by spyware or a virus.)

    Killbox.exe (Used to kill stubborn processes or DLL files.)

    Procexp.exe (Used to figure out which DLLs a program is using.)

    Trend Micro online or command line (This virus scanner treats certain spyware as viruses and can be very helpful for locating and killing stubborn spyware.)

    Mozilla Firefox: A safer way to browse the web without pop-ups.

    InUse: A command-line tool that performs on-the-fly replacement of files currently in use by the operating system.

    XrayPC: A lot like HijackThis but a lot more user friendly. (Still in testing.)

    WinDiff: A stand-alone program, no need to install. WinDiff compares directories or files, showing the results graphically. Great for comparing a system file you think has been altered by spyware with a known good file of the exact same name.

    Window Watcher: Displays the title-bar text of all open windows, including windows that are not visible, in extreme detail.

    Download links:
    Spybot-S&D: http://www.safer-networking.org/en/index.html
    HijackThis: http://www.spywareinfo.com/~merijn/downloads.html
    CodeStuff Starter: http://codestuff.mirrorz.com/
    Ad-aware: http://www.lavasoftusa.com/software/adaware/
    DLL.Compare.exe: http://downloads.subratam.org/DllCompare.exe
    Killbox.exe: http://www.bleepingcomputer.com/files/spyware/KillBox.zip
    Procexp.exe: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    Trend Micro: http://housecall.trendmicro.com/
    Mozilla Firefox: http://www.mozilla.org/products/firefox/
    InUse: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp
    XrayPC: http://www.x-raypc.com/
    WinDiff: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tools/tools/windiff.asp
    Window Watcher: http://www.karenware.com/powertools/ptwinwatch.asp

    Chapter 1
    Add/Remove Programs

    Removing Unwanted Software

    The first thing you want to do before anything else is to be sure you are logged in as the affected user. Spyware can be very specific to the user account it was installed under, and if you log in as admin or as yourself you might not get it all. Below you will find some pictures depicting some of the spyware you might see on a system and some of the ways it requires you to remove it. This is just an example, and what you find on a system may or may not resemble the pictures below. It is up to you to research each program you suspect might be spyware and deal with it in the proper way.

    Let's start off by opening Add/Remove Programs in the Control Panel. Look for anything that doesn't belong and remove it (see Figure 1). This first step is essential: if we don't remove what we can from the Add/Remove Programs list first, we can cause serious errors later on if we allow Spybot S&D or another program to try to remove those programs. Some spyware will be more stubborn than others to remove, as you will see in some of the examples I have provided throughout this chapter. Figure 1 shows a classic spyware program. Click the Change/Remove button and follow any instructions given by the program to remove it.

    Figure 1

    Figure 2 shows why it is important to pay close attention to the uninstall instructions. As you can see, the spot where the usual Yes or Continue button would be has been replaced with No. This is a trick commonly used by spyware, malware and adware programs. Our first instinct is to choose the Yes option. However, if you read the statement, it is actually asking whether you would like to keep some of the features included with the software. Of course we don't, so we would choose No in this instance. Again, pay close attention to what it is asking you.

    Figure 2


    Below is another example of spyware installed that we don't want on the system. As you get used to seeing what is supposed to be installed, it will get easier to spot what is not.

    In Figure 3 you will see why we need to be connected to the Internet in order to remove some spyware. If you are not connected, this program will attempt to lock up the entire system, forcing you to reboot. The last thing we want is to reboot. Some spyware can actually re-manifest itself under different names after a reboot. We'll get into that in a little more depth later on in this manual.

    Figure 3


    In Figures 4 and 4-1 we can see why the program wanted us to be connected to the Internet. Again, it's just another ploy to try to stop us from removing the spyware. Read each question it asks you carefully and don't be surprised if it tries to confuse you. Continue through the uninstall process.

    Figure 4

    As seen below, it will do anything to slow you down and confuse you. This was actually the third screen the uninstall process popped up.

    Figure 4-1


    Figure 5 is yet another example of spyware.

    Figure 5

    Once you click the Change/Remove button, this program actually asks three different times whether or not you are sure you want to remove it. Pay attention to the figures below and to how the buttons I have highlighted for you to click actually reverse positions to confuse you.

    The second window it brings up again plays the distraction game. If you're not paying attention you might click Yes and inadvertently reinstall the spyware.

    After the first two windows it brings up one final window to ask if you are really sure. Just the annoyance of removing this software would make me not want it on my system even if it was a legitimate program.


    Once this was all done, it actually sent me to a site for spyware removal tools. The fact that the software I just removed is promoting the removal tools listed on that site would make me think twice about using them. Not to mention the irony: sending the user to a site for anti-spyware software only proves that the producers of this software know that their software is in fact spyware. It's not unusual to find removal tools that actually install spyware. If you're not sure which ones are bad or good, check out this link: http://www.spywarewarrior.com/rogue_anti-spyware.htm They list over 130 removal tools and which ones are known to be sponsored by spyware or have spyware in them.

    I included Figure 6 to show that some spyware will try to make its name as close to a respectable program's as possible. Sometimes spyware will have names like "windozeupdate" or something similar. Windows Add/Remove Programs places everything in alphabetical order, thus the above-mentioned program would be placed in with the Ws of the Add/Remove Programs list, or better yet, down by the Windows updates section, like the example in Figure 6. By doing this the makers of spyware are hoping that when you scan the Add/Remove Programs list you will not catch it, because its name is so closely related to a legitimate program. If you're unsure, Google it!

    Once in a while your Google results may turn up nothing. This is when asking your colleagues can help out, or digging deeper into the program you are working with might reveal a keyword or process that you can search on to find out more.

    Figure 6

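As an added example (not part of the original manual and not code from any of the tools it lists), the following Python script scores each Add/Remove Programs name against a small allow-list of trusted product names and flags near-misses such as "windozeupdate", then reports which entries the flagged name sits between once the list is sorted by name, which is where the trick described above puts it. The INSTALLED names and the KNOWN_GOOD allow-list are constructed for the demonstration; on a real job you would build the allow-list from a clean reference machine. It only finds lookalikes: Golden Retriever Cash Back is still spyware and Infotriever is still legitimate, and neither is scored here, so the research step stays.

```python
"""Flag Add/Remove Programs entries whose names imitate trusted software.

Added example, not part of the original manual.  INSTALLED is a constructed
sample of display names; KNOWN_GOOD is an assumed allow-list (assumption,
not taken from the manual).
"""
import difflib
import re

# Constructed sample of what an Add/Remove Programs list might show.
INSTALLED = [
    "Adobe Reader 6.0",
    "Golden Retriever Cash Back",
    "Infotriever",
    "Microsoft Office Professional Edition 2003",
    "Windows XP Hotfix - KB835732",
    "windozeupdate",
    "WinZip",
]

# Assumed allow-list of names that spyware tends to imitate.
KNOWN_GOOD = [
    "Windows Update",
    "Windows XP Hotfix",
    "Microsoft Office",
    "Adobe Reader",
    "WinZip",
]


def normalize(name):
    """Lower-case and drop everything but letters and digits, so that
    'windozeupdate' and 'Windows Update' are compared on equal terms."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def similarity(a, b):
    """0.0 to 1.0 similarity of two names after normalization (difflib ratio)."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def lookalikes(installed, known_good, threshold=0.8):
    """Return (entry, imitated_name, score) for installed entries that are
    close to, but not the same as, a trusted name.  An entry whose
    normalized name equals or begins with a trusted name is taken to be
    the genuine product and is not reported."""
    hits = []
    for entry in installed:
        n_entry = normalize(entry)
        best = None
        for good in known_good:
            n_good = normalize(good)
            if n_entry == n_good or n_entry.startswith(n_good):
                best = None          # genuine product, stop scoring it
                break
            score = similarity(entry, good)
            if score >= threshold and (best is None or score > best[2]):
                best = (entry, good, round(score, 3))
        if best is not None:
            hits.append(best)
    return hits


def alphabetical_neighbors(installed, name):
    """Add/Remove Programs sorts by name; return the entries that sit
    directly above and below `name` in that order (None at either end).
    Case-insensitive ordering is an assumption about the sort."""
    ordered = sorted(installed, key=str.casefold)
    i = ordered.index(name)
    above = ordered[i - 1] if i > 0 else None
    below = ordered[i + 1] if i + 1 < len(ordered) else None
    return above, below


if __name__ == "__main__":
    for entry, imitated, score in lookalikes(INSTALLED, KNOWN_GOOD):
        above, below = alphabetical_neighbors(INSTALLED, entry)
        print(f"{entry!r} looks like {imitated!r} (score {score}); "
              f"listed between {above!r} and {below!r}")
```

The prefix rule in lookalikes keeps version-suffixed genuine entries (Adobe Reader 6.0, a Windows XP Hotfix with its KB number) from being reported against their own product name; only names that are close without matching get flagged.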

    This one brings up its own window for uninstall. The nice thing about this one is that if it installed multiple programs on your system, then usually (notice I said usually) it will list them in the Enabled window. Just be careful again to make sure you're not accidentally moving the disabled ones into the Enabled window.

    Once we have selected the Uninstall option we are once again presented with the question as to whether or not we are really sure we want to do this. As annoying as these questions get, trust me, answering them now is a lot easier than hunting down the errors later if we don't follow through with them.

    Although Figure 7 looks legitimate, it turns out this is just another piece of spyware. Keep in mind that this was all found on the same system. Not that the user actually went out and downloaded or visited this many infected sites; rather, all they have to do is get one, and it will install multiple malicious programs.

    Figure 7


    In Figure 8 you will see that I have Golden Retriever Cash Back highlighted for removal, and below it I have also highlighted Infotriever. Golden Retriever Cash Back is obviously a piece of spyware. However, even though Infotriever's name is closely related and would make you think that it too is spyware, a quick search on the Internet shows that this program is actually a piece of software for Palm users. After checking with the user, it was confirmed that he does have a Palm device and that he does use that software. Thus the second one (Infotriever) is not spyware and should not be removed. I show this as an example because it pays to check with a user on some software to find out if maybe they know what it is before removal. Uninstalling this might have caused other pieces of the Palm software to stop working properly, and more time spent by us to fix it later on. We're not only trying to make the removal process as painless as possible for us, but for the user as well.

    Figure 8

    Now that we have clicked the Change/Remove button we can see in Figure 9 that this particular spyware (Golden Retriever Cash Back) has a new twist. This is why I said it is sometimes necessary to remove as much spyware as you can from the Add/Remove Programs list rather than rely on Spybot S&D or some other piece of software. This program is asking you to enter what you see in the window above into the box I have highlighted below. If this is not done then it will not uninstall itself. This is a crafty trick used to stop programs like Spybot S&D or Ad-Aware from removing it. Since removal programs will not see this box, nor would they know what to do if they saw it, the program will not allow either of them to remove it. On the other hand, both Spybot S&D and Ad-Aware will probably be able to remove some of the program's registry entries or program directories, causing the program to crash upon reboot and produce annoying error messages that would be very difficult to track down, because the program is trying to run without all of its components. On top of all that, the chances of the actual uninstall working properly (assuming you figure out what is causing the error messages in the first place) are slim to none. In order for the program's uninstall to work properly it needs to see the components it installed so it can remove them; if it doesn't see them, then it will more than likely bomb on you.

    Figure 9


    Figure 10 shows another example of what you might come across in Add/Remove Programs.

    Figure 10


    Chapter 2
    Spybot S&D

    Removing The Parasites

    Now that we have removed all the suspected programs from the Windows Add/Remove Programs utility, we can move on to the next step, which is installing, configuring and running Spybot S&D. (If you want more help on how to run the program and all of its features, refer to the Spybot S&D tutorial section at the end of this manual.) After you install Spybot S&D (choosing all defaults) you will be faced with some options. The first thing you will see when you run the program is the default language setting; choose the desired language and click OK. The next item you will be faced with is not actually an option but more of a warning message. As highlighted in Figure 2-1, check the "Don't show this message again" box and then click OK.

    Figure 2-1

    The second option you will see is Backup registry, as illustrated in Figure 2-2. If you're having problems after removing certain objects, this option will allow us to revert the registry back to its original state. Of course this also means that if we do have to use this option we will be reverting back all of our spyware as well.

    Figure 2-2

    As I have highlighted above, click the Create Registry Backup button followed by the Next button. This feature is a must: in case something gets deleted that isn't supposed to be (I have yet to see Spybot S&D harm the system), this option will allow you to revert the registry back to the way it was before you ran the program. The next two options we are going to skip. One of them is to immunize the system, and the other one is to check for updates. Since we haven't set the proxy in Spybot S&D yet, looking for updates would fail, and until we get the updated definition files it doesn't pay to immunize the system. Remember, we are going for the fastest removal possible, so why immunize the system twice when we can do it once after the updates? Instead, click on the Start using program button. If the program gives back an error, just restart the application.


    Now that we have the program up and running there are a few things we need to change. First we have to change the mode from Default mode to Advanced mode as depicted in Figure 2-3 below. You will get a warning screen telling you that advanced mode has some features not meant for average users. Just click Yes, as this is the only way we can set up the proxy.

    Figure 2-3

    Advanced mode gives us a few more options to play with. The only one we are concerned with at this time is the Settings button, which I have highlighted in yellow in Figure 2-4. This will bring up a new section as shown in Figure 2-5.

    Figure 2-4


    Again, the only one we are concerned with is the Settings button, which I have highlighted below in yellow.

    Figure 2-5

    In the right pane, scroll down until you see Web Updates. The last option in the Web Updates section is "Use proxy to connect to update server" (Figure 2-6). We want to put a checkmark in the box. As soon as you put the checkmark in the box a new window will pop up asking you for the proxy you wish to use and the port number. The proxy we want to enter in this box needs to be an outside proxy. I use http-proxy.gecmc.ge.com and port 80. After you have entered this, click OK.


    Figure 2-6

    Now that we have our proxy set up we can search for updates. On the left-hand side of the window click on the Spybot S&D button. If you do not see the window below on the left, then click on the Search & Destroy button on the left until your window looks like Figure 2-7. Next click on the Search For Updates button at the top of the program (highlighted in yellow) and wait for it to give you a list of all the updates. Put a check in front of all the updates and then click the Download Updates button at the top of the program. After it is done installing all of its updates it will restart the program. You may be faced with some of the same options you were when you first installed it. Refer to the first section of Chapter 2 if you don't remember what to do.


    Figure 2-7

    You should now be back in Default Mode as depicted in Figure 2-8. This is fine, as we have no need to go back into Advanced mode anymore. Before we check for problems on the system we want to immunize the system. Highlighted in Figure 2-8 you will see where that can be found. You should get a confirmation window stating how many bad objects are blocked. Now click on the Search & Destroy button on the left again until your screen is back to Figure 2-8. Click on the button that is highlighted in the picture as Step Two and allow the program to run its scan of the system.

    Figure 2-8


    Chapter 3
    CodeStuff Starter

    Stopping Programs From Running At Start-up

    To keep things moving along and speed things up a bit, we are going to move on to our next program while Spybot is running. Go ahead and install CodeStuff Starter. Keep all the default settings, because we will be removing the program once we are finished. Once it completes the install you will be at the Finish window. Uncheck the box that says View Read Me and keep the box checked that says Run Program. To make things easier, I have highlighted certain objects throughout this program; however, your screen will not look like the figures below, as your objects will not be highlighted. This was done only as an example and should not be used as a comparison.

    Figure 3-1 below shows a sample picture from a desktop of what CodeStuff Starter looks like when you run it. I mention desktop because later in this manual I will show you what a laptop has running. Both have a lot of the same software running, but laptop users have more that needs to stay running. The more comfortable you get with both of these, the more you will get used to spotting what should be running and what should not. By default it goes into the current user's settings, and that is all we will need for now. Again, for more advanced features refer to the CodeStuff Starter section at the end of this manual. I have highlighted in yellow the things I spotted right away that can be deleted from startup or at the very least disabled. The first two entries are blank and have nothing in them, so deleting them will not harm anything, and whatever we can safely remove from startup might help speed the computer up as well. The third thing is a program called Friskies. As I am not sure what this program is, but am pretty sure the user has installed it, I am not going to delete it from startup, but rather disable it in case they want or need it (highly doubtful from the name and icon). Always click the Refresh button to be sure the program you delete or disable does not show back up. If it does, then chances are there is another program recreating our nasty pest that we will need to hunt down. I go into more detail on this in the advanced section of this manual. But for now, let's move on.

    Figure 3-1


    Once you have selected an object to disable or delete, you will be presented with a warning asking if you are sure you want to do this. Simply click OK to each one. Figure 3-2 illustrates this.

    Figure 3-2

    CodeStuff Starter has a nice feature: if you don't recognize what a running process is, simply right-click it, and at the very bottom is a Search On Internet option. The first option it gives you is to search Google. This can save a lot of time and avoid mistyping the name of an .exe file you are unsure about.

    After disabling or deleting entries from the startup options we now want to move on to the currently running processes.


    This is the real purpose for running this program while Spybot S&D is searching the system. To speed things up we want to use CodeStuff Starter to kill any processes that might be running from spyware and that would stop Spybot S&D from removing them. Why not use Windows Task Manager for this? Simple: by using CodeStuff Starter we can expand both the process field (highlighted below in yellow) and the executable field (also highlighted below in yellow) to learn more about what that particular process is doing, where it is coming from, its priority to the system, its memory usage, and, in the bottom window pane, what DLLs it might be using. This can be very helpful in determining whether a process is legitimate or not. If that's not enough help, our friendly right-click Search the Internet function also works here.

    These next few figures show the difference between what is running on a desktop and on a laptop. The laptop obviously has a lot more running on it. For instance, the laptop has built-in wireless and several other stand-alone programs that need to run. It's best to familiarize yourself with each type of system to better understand what should stay and what should go before you start disabling or deleting things. With that said, in Figure 3-3 we can see what looks like a legitimate program, Autoupdate. Even searching the Internet on this one was a little tricky, since the name itself is a legitimate process name that a lot of programs use, including Windows. But reading the path closely reveals that this might be spyware. After sifting through some articles on the Internet it was determined that this was indeed spyware. Research, research, research!

    Figure 3-3
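As an added example (not from the manual and not CodeStuff Starter's own logic), the following Python script applies the reasoning of this chapter to a list of startup entries: blank entries can go; an entry whose executable lives in a temp or profile folder, or that borrows a Windows file name while living outside the Windows directory, is flagged as suspicious, which is the "read the path closely" check that caught Autoupdate; and everything that lives under a normal program directory is left for research with the user, as was done with Friskies and the laptop's pointing-device helper. The STARTUP_ENTRIES sample, the directory layout and the short list of Windows binaries are constructed assumptions for an XP-era machine, not data from the manual's screenshots.

```python
"""Triage startup entries by where their executable lives.

Added example, not part of the original manual and not CodeStuff Starter's
own logic.  STARTUP_ENTRIES is a constructed sample of the (name, command)
pairs a startup viewer shows; the directory lists and SYSTEM_BINARIES are
assumptions for a Windows XP-era layout.
"""
import ntpath

# Constructed sample: one blank entry, a laptop pointing-device helper, a
# user-installed program, and two entries with legitimate-looking names.
STARTUP_ENTRIES = [
    ("", ""),
    ("SynTPEnh", r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),
    ("Friskies", r"C:\Program Files\Friskies\Friskies.exe"),
    ("Autoupdate", r"C:\Documents and Settings\jdoe\Local Settings\Temp\autoupdate.exe"),
    ("explorer", r'"C:\Documents and Settings\jdoe\Application Data\explorer.exe" /s'),
]

# Assumed layout: system binaries live here...
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")
# ...installed software lives under these roots...
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")
# ...and nothing legitimate should auto-start from a profile or temp folder.
PROFILE_HINTS = ("\\local settings\\temp", "\\application data",
                 "\\temporary internet files")
# Assumed short list of Windows file names that spyware likes to borrow.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "wuauclt.exe"}


def executable_path(command):
    """Pull the executable out of a Run-key style command line: a quoted
    path, or the text up to the first ' /' or ' -' argument."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    for sep in (" /", " -"):
        if sep in command:
            command = command[:command.index(sep)]
    return command


def triage_entry(name, command):
    """Return (verdict, reason); verdict is 'delete', 'suspicious' or 'research'."""
    if not name.strip() and not command.strip():
        return "delete", "blank entry, nothing to run"
    path = executable_path(command).lower()
    folder, exe = ntpath.dirname(path), ntpath.basename(path)
    if exe in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        return "suspicious", f"{exe} belongs in the Windows directory, not {folder}"
    if any(hint in folder for hint in PROFILE_HINTS):
        return "suspicious", "auto-starts from a user profile or temp folder"
    if folder.startswith(TRUSTED_ROOTS):
        return "research", "program directory; read the description and ask the user"
    return "research", "unexpected location; search the Internet for the file name"


def triage(entries):
    """Apply triage_entry to every (name, command) pair, keeping the order."""
    return [(name, command) + triage_entry(name, command) for name, command in entries]


if __name__ == "__main__":
    for name, command, verdict, reason in triage(STARTUP_ENTRIES):
        print(f"{verdict:10} {name or '<blank>':12} {reason}")
```

A "research" verdict is deliberately not "keep": the script only sorts entries by how their path looks, and whether a program-directory entry stays enabled, gets disabled or is uninstalled is still the judgement call the chapter describes.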


    This laptop user had a little more than the usual installed. Keep in mind that each one of these items is running at startup. So if the user is complaining that their system is running slow, you can point out why and ask them if they really need all this running at startup. Then determine what you can eliminate to speed up the system.

    When we switch over to the processes of this laptop, one thing stood out right away. The icon alone made me want to check into it. I've highlighted this in Figure 3-4. In the bottom portion of CodeStuff Starter it gives us a description of what this program is. In the description we can see that this is a vital component of the laptop dealing with the pointing device. The programs I have provided do a very thorough job of giving you as much information as possible about a program or process that is running, making our job a lot easier. Had we deleted this without checking into it first, we would have caused some problems later on for the user.


    Chapter 4
    Back To Spybot S&D

    Getting The Results

    If you're satisfied with the outcome of CodeStuff Starter, then go ahead and close the application and go back to Spybot S&D. By now the scan should be complete and you should see the results of the scan in the window. Spybot should have already placed a checkmark in each box that should be fixed. Double-check what it has found to be sure that there is nothing in the list that should not be checked, and if there is something that isn't checked, research it and decide whether it needs to stay or go. Once you are sure of everything checked or not checked, go ahead and click the Fix selected problems button at the top of the program as illustrated in Figure 4-1.

    Figure 4-1

    If everything went according to plan you will get a confirmation of the problems fixed, with green check boxes in all the problem areas (Figure 4-2). Click OK to continue.

    Figure 4-2


    If Spybot was unable to fix all the selected problems you will be faced with a decision, as shown in Figure 4-3. We now have a few choices: we can allow Spybot S&D to run again on startup and try to remove the selected problems (which doesn't always work), or we can investigate a little deeper as to which problems it was not able to remove and go from there. I suggest the latter of the two, as most of the problems it can't fix we can take care of on our own, and I don't recommend rebooting until we are completely done. Plus, if we run the scan on reboot we can't do anything else until the scan is done, and this in my opinion is a waste of time.

    As stated in Chapter 1, I will go into a little more detail as to why rebooting can be bad. Spyware today is much more sophisticated than most viruses. Some of the more advanced versions of spyware can tell when they are being removed. They have a backup program hidden on the system that is told to start up upon reboot and during Windows login, which means it will be running in safe mode as well. This can happen in a split second, just long enough to check and see if its worker programs are still installed and running. If it doesn't see them, then it will rebuild them. I have also seen spyware that works in conjunction with another program. The first program creates a second program with a random name, deleting itself once it is done. The second program then executes the malicious code, installing and distributing whatever malicious software it has been told to. Before it is complete, it recreates the first program with a random name and deletes itself again, and the whole process repeats itself. Most of these will also check for an Internet connection to receive instructions from a master server or PC. This PC will have updated information for this piece of software on any additional or new versions of the malware or spyware it should install. All of this happens in a matter of seconds and can be difficult to track down. I go into more depth on this subject in the advanced spyware removal section of this manual. One last thing about rebooting a PC before we have cleaned it: if a program is not completely removed before we are finished, it can cause error messages that are a lot harder to track down after a reboot than if we had dealt with it in full from the beginning. Select No for now, and let's take a closer look at what we see in the results.

    Figure 4-3

    As we can see in Figure 4-4, Spybot S&D had problems with only two of the items. Not bad. Now let's expand both of these trees one at a time and take a closer look at what it had trouble with.

    Figure 4-4


    Once expanded, we can see from Figure 4-5 that Spybot S&D only had trouble removing one item from the selected tree, that one item being a registry key. Now all we have to do is navigate to this key in the registry and remove it manually. But there is an easier way. Right-click the key that could not be removed by Spybot S&D and go to the More details selection, as illustrated in Figure 4-5.

    Figure 4-5

    From here we can tell Spybot S&D to navigate to the registry key for us, saving us time and a lot of hassle. Once you have located the key, simply click on it in the registry and delete it. You will be asked to confirm your deletion; simply click Yes. You can repeat this process for any other registry keys that Spybot S&D could not remove. If the item that Spybot S&D could not remove happens to be something other than a registry key, for instance an .exe file or DLL (Dynamic Link Library), we can do the same thing with those as we did with the registry key. Navigate to where the file or DLL is located and simply delete it. If you get an error message saying that the file could not be deleted because it is currently running, then we have to use some different tools. This is beyond the scope of the average spyware you will encounter; if you want to know more about these tools and techniques, refer to the advanced spyware removal section of this manual. We're done using Spybot S&D for the time being, but don't close it just yet; just minimize it for now.


Chapter 5: Removing the Files

    Getting Rid Of Unnecessary Files and Folders

Whether you have gotten a clean scan, or have tried to remove anything Spybot S&D could not, it's time to move on. But before we do that we need to do a little cleanup on the system to help speed up our next piece of software. First let's clean out our temp files and cookies from Internet Explorer (Figure 5-1). Right click Internet Explorer on the desktop and click on properties. Or, from inside Internet Explorer, click on tools and then Internet Options. From the General tab, click on the Delete Cookies button. Once it is complete click on the Delete Files button; when it brings up the warning screen, be sure to check the box that says Delete Offline Content and then click ok. After you have deleted the cookies and temp files, change the history from whatever setting it is at to 0. Click the Apply button and then Ok.

Figure 5-1

Our second objective in the file removal process is to dig through Explorer in a couple of known places where spyware likes to hide itself. A lot of times it will remove the initial program that it installed but leave the installation files of other offending software on the system. This could be for several reasons: maybe we missed a registry key that tells this software to reinstall itself at a later date and time, or after a reboot, or maybe it's to speed things up a bit the next time the user visits a certain website. Instead of actually trying to get the user to install the initial software, it just does a check to see if it is already on the system and goes ahead and installs it from the said directories. Either way we need to remove them. In doing so you might come across some DLL files that don't want to be deleted because they are in use. Why are they in use? Refer to the part of this paragraph that explains about programs leaving installation files lying around. The first thing we need to do is turn on the Show all Files option in folder options. From the Explorer window, click on Tools and then Folder Options. (See Figure 5-2)

    Figure 5-2


Now click on the View Tab! In Figure 5-3 I have highlighted the three main areas we are concerned with. The first option being Show hidden files and folders. This is a must, as most Spyware will attempt to hide itself. The second option, Hide extensions for known file types, needs to be unchecked so we can see what type of files we are dealing with. The last option, Hide protected operating system files (Recommended), also needs to be unchecked. Some Spyware will disguise itself as a system file, thus if this is checked we wouldn't be able to find it.

    Figure 5-3

Now that we have the options we need in the folder settings, we can start digging through Explorer for any left over Spyware on the system. Keep in mind that earlier I said that Spyware can be specific to the user that is logged in. This also means that Spyware might be specific to the user that installed it. In which case, the actual running program we are looking for might be in other users' folders. The easiest way to deal with this, instead of searching through each user's profile that is on that particular system, is to find out from the user if anyone else logs into that machine. If no one else does, then we can delete all other profiles. This is an easy search on the system for Spyware files and programs, because if we get any errors during this deletion process such as cannot delete file because it is in use, it will tell us exactly where this file is located, saving us a lot of time searching through each profile for any suspected software.


Since Spyware can hide itself just about anywhere on the system, it would be impossible to show every known location here in this manual. However, what I will point out is a few key locations that should be checked each time you remove Spyware from a system. Let's start with the Temp files on the root of the drive. In Figure 5-4 I have highlighted the path and a definite Spyware program lying there dormant even after Spybot S&D has run its scan.

    Figure 5-4

Figure 5-5 shows a popular spot for Spyware to hide. Both the Local Settings folder and the Application Data folder are normally hidden when searching through an Explorer window, making them great hiding spots. Look around in both of these folders for suspicious folder names as well as stand alone program files that don't belong here.

    Figure 5-5


    Figure 5-6

The same thing goes for the All Users profile (Figure 5-6). Spyware will make duplicate copies of itself and place them in any profile it sees. This is why we deleted as many unnecessary profiles as we can. Once we have cleaned any unwanted folders and files from the profiles, we can move on to the Program Files directory as shown in Figure 5-7. Again, we're looking for any directories that don't need to be there or look suspicious. If you have any doubt, look it up.

    Figure 5-7


    Figure 5-8

Figures 5-8 & 5-9 show the last two main locations we are going to look in for any remaining folders and files. This doesn't mean that these are the only locations in which Spyware may be hiding; these are just some of the more popular spots. It is up to you to check in other locations if you suspect something might still be on the system or if the system is still behaving in an odd manner. Figure 5-8 depicts the WINNT temp folder. One thing Windows doesn't lack is temp folders throughout the system. Double check this folder as with the rest; we are looking for any odd or suspicious folder names and files, and deleting any you might find. In Figure 5-9 we are looking in the System32 folder. This one can be a little overwhelming, and usually you won't find any directories in here, but you will find stand alone program files and DLLs. Unless you know the file names you are looking for, it will be very difficult to determine what files might be harmful. Nevertheless, it doesn't hurt to take a quick glance through this folder and see what you can find. It also helps to better familiarize yourself with the System32 folder contents for future Spyware removal.

    Figure 5-9


Chapter 6: Ad-Aware SE

    Hunting and Killing the Remaining Spyware

Now that we have cleaned out our temp files and any directories or installation files, we can move on to our next piece of software, Ad-Aware SE Personal. Choose all of the defaults during the install, and once you get to the last screen as depicted in Figure 6-1, uncheck the top and bottom boxes but leave the middle one checked. We don't want to perform a full scan just yet as we have a few settings to tweak, and unless you need to read the help file we don't need that either. Click the finish button.

    Figure 6-1

After clicking the finish button, you will be presented with the screen shown in Figure 6-2. The first thing that Ad-Aware SE is going to do is check the definition files you have against the latest definition files it has on its server. If your definitions are not current it will let you know. Click the ok button and then click the Configure button as shown below.

    Figure 6-2


Once you click on the configure button we can see from Figure 6-3 that we need to set up the proxy just like we did with Spybot S&D. Click the red X and in the open box enter the proxy.

    Figure 6-3

Again enter the proxy http-proxy.gecmc.ge.com in the open box and change the port to port 80. Once this is done, click the connect button (Figure 6-4). Ad-Aware SE will connect to its database and tell you whether or not there are downloads to get. If there are, go ahead and get them.

    Figure 6-4


We are now presented with the main screen of Ad-Aware SE (Figure 6-5). In the lower right hand corner of this screen is the Start button; go ahead and click this.

    Figure 6-5

The next screen you see is our second setting we need to change. This is our scan options. Choose Use custom scanning options as shown in Figure 6-6 and then click the Next button.

    Figure 6-6


Figure 6-7 shows our custom scanning options. The only one we are concerned with is the first one with the red X. Click the red X so that our scan will Scan within archives. After that click the Proceed button in the lower right hand corner.

    Figure 6-7


Chapter 7: HijackThis

    A Close Up Look At Spyware

While your Ad-Aware SE scan is running we are going to move on to our last major program, HijackThis. Out of all the programs listed in this manual thus far, HijackThis is by far the most dangerous and can cause the most damage to the system if not used properly. If you're running HijackThis from the GE utilities folder, then click ok through the statements it gives you until the program is presented to you. If you are running HijackThis from the utilities provided in this manual, then I suggest putting HijackThis into a designated folder you create, as HijackThis will create backups of everything it does in that folder in case a mistake is made. The next couple of figures will be from the HijackThis v1.99.0 included with this manual.

    Figure 7-1

Figure 7-1 shows the first options we are presented with in HijackThis v1.99.0. You can choose either option at the top. The first option will create a log file of the scan that it runs. This can come in handy if we need to compare this with a clean machine. The second option will run a scan only with no log, and the last option at the bottom of the screen will do neither of these options but just start the program. The choice is yours, but if you choose the last option then you will have to tell the program to start the scan by clicking the scan button as illustrated in Figure 7-2.

    Figure 7-2

In Figure 7-3 I have highlighted several things that can be removed safely. If you're unsure of something, you can Google it, or try the Info on selected item button at the bottom of the program. I will go into more detail on some of the items I have selected in the figures below.

    Figure 7-3


Things to pay close attention to in a HijackThis scan are the BHOs listed (Figure 7-4). These are Browser Helper Objects; Internet Explorer pretty much allows any program to install them. Some of these can be good, but if a browser is hijacked and getting a lot of pop-ups this is usually what is causing it. By reading the entire line in the HijackThis scan we can usually determine which ones are bad and which ones are good. Legitimate programs will usually give their name and running path. Unwanted programs usually hide behind very obscure names that are unrecognized and are usually dumped into the system folder.

    Figure 7-4

In Figure 7-5 we see a few things in the HKLM\Run. Although these might not necessarily be bad, we also don't need them running as long as they are not company related. The first one being QuickTime player! The second item checked is RealPlayer's scheduler, again not needed. The last two are tools or radial buttons probably attached to Internet Explorer, again not needed.

    Figure 7-5

I included the above picture to show some of the lengths Spyware will go to to confuse you. Notice that windupdates is very close to Windows Updates. But continue reading the line and we see Downloads Unlimited. Checking their site we find a question and answer page that pretty much explains that this is Spyware. Quoted from windupdates.com:

    What is Wind Updates?

    Wind Updates is free ad delivery software which provides targeted advertising offers.

Paying close attention to the entire line in HijackThis is very important and can tell you a lot about what an object is. A simple 60 second search on the internet turned up the results for the above example. After this, it became much easier in the future to spot this piece of Spyware and remove it. Researching your results usually helps to really get things to stick in your mind, whereas simply clicking on objects and hoping for luck can end up slowing things down or damaging things later down the road. You'll also notice that on the far left of each log there is a numbering system; this is done for a reason and is there to help you. Check out the detailed Tutorial on HijackThis at the end of this manual for more details.
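The line-reading habit described above (vendor name and path on legitimate entries, obscure names in the system folder and Windows Update look-alikes on unwanted ones), applied mechanically to a constructed HijackThis log. This is an added example and is not part of the original manual or a feature of HijackThis; the log lines, placeholder CLSIDs and file names are constructed, and the vendor-path and look-alike rules are this script's own heuristics.

```python
"""Triage of HijackThis log lines along the lines Chapter 7 describes.

Added example for this manual; it is not part of the original text and
not a HijackThis feature. The log below is constructed: CLSIDs are
placeholder GUIDs and the file names are made up to mirror the cases the
chapter discusses (vendor BHO, nameless BHO in the system folder, optional
HKLM\\Run programs, and a "windupdates" look-alike).
"""
import re
from difflib import SequenceMatcher

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINNT\system32\xzkqvd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [windupdates] C:\Program Files\Downloads Unlimited\windupdates.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[(.*?)\] (.+)$")
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")
VENDOR_DIRS = ("c:\\program files\\",)


def command_path(cmd):
    """Return just the executable path of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_line(line):
    """Split one HijackThis line into section, display name and file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O2":
        b = BHO_RE.match(rest)
        if b:
            name, clsid, path = b.groups()
            return {"section": section, "name": name, "clsid": clsid, "path": path}
    if section == "O4":
        r = RUN_RE.match(rest)
        if r:
            hive, name, cmd = r.groups()
            return {"section": section, "hive": hive, "name": name, "path": command_path(cmd)}
    return {"section": section, "name": rest, "path": ""}


def triage(entry):
    """Apply the chapter's rules of thumb and return (verdict, reasons)."""
    reasons = []
    name = entry["name"]
    path = entry["path"].lower()
    stem = re.sub(r"\.[a-z0-9]+$", "", path.rsplit("\\", 1)[-1])
    in_system = any(d in path for d in SYSTEM_DIRS)
    # Obscure names: nameless BHOs, or file names without a single vowel.
    if name == "(no name)" or (stem and not re.search(r"[aeiou]", stem)):
        reasons.append("obscure or missing name")
    if in_system and entry["section"] == "O2":
        reasons.append("BHO loaded from the system folder rather than a vendor path")
    # Look-alike names: close to "Windows Update" but not living in a Microsoft path.
    plain = re.sub(r"[^a-z]", "", name.lower())
    if SequenceMatcher(None, plain, "windowsupdate").ratio() >= 0.75 and "microsoft" not in path:
        reasons.append("name is a Windows Update look-alike")
    if reasons:
        return "suspicious", reasons
    if entry["section"] == "O4" and path.startswith(VENDOR_DIRS):
        return "optional", ["startup program that can be unchecked unless company related"]
    return "ok", []


def triage_log(text):
    """Parse and triage every recognizable line of a HijackThis log."""
    rows = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict, reasons = triage(entry)
        rows.append({**entry, "verdict": verdict, "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(f"{row['section']} {row['verdict']:10} {row['name']!r:32} {'; '.join(row['reasons'])}")
```

The verdicts are only a first pass; as the chapter says, anything flagged still gets looked up before it is fixed.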


Once you have selected the items you want to remove or fix, go ahead and click on the Fix Checked button in the lower left hand corner of the screen. You will get several warnings; click yes through each one. Once complete your screen will be blank. We now want to click on the scan button again. The purpose of doing the scan twice is to clean up any leftover items from our first scan. If our first scan has a lot of items listed, it can be very easy to miss or skip one. This is also a chance to see if any of the Spyware has reared its ugly head again. Figure 7-6 shows what a second scan may look like and what, if any, items we can remove. The items I have selected below are from after the first scan and are Internet Explorer re-directors. This means it doesn't see the Spyware's tool, or redirection service, so by default Windows puts its own sites and search pages in. Click them and then once again click the Fix Checked button. Run the scan one more time, and all of these items should be gone, giving you a clean looking scan list.

    Figure 7-6

Figure 7-7 shows what a system might look like with a clean scan. Once again there is going to be a difference between what you see during your scan with a desktop user's computer and a laptop user's computer. The laptop is always going to have more things that need to be running. It is up to you to become more familiar with each system to determine what is good and what is bad, by either researching each item in question or asking someone with more knowledge of the running processes of each system. With each computer you work on the process gets a lot easier and faster. Once you are satisfied with your results, you can close the program down and return to Ad-Aware SE.

    Figure 7-7


Chapter 8: Back to Ad-Aware SE

    Finishing the Job

Now that we have completed our HijackThis scans, we can move back to Ad-Aware SE, which should be done running its own scan at this time. Figure 8-1 shows what a completed scan might look like. From this screen we can see that Ad-Aware SE found 201 new critical objects in its scan, and 31 Negligible Objects (highlighted in yellow). Ignore the Negligible Objects; we are only concerned with the New Critical Objects. Let's take a closer look at what these objects are: 171 of them are files, 20 of them are registry values, 5 are registry keys, 3 are folders, 1 is a process identified, and 1 is a module identified. The reason I point this out is that if something goes wrong during the removal we can go back to the log file that Ad-Aware SE creates and confirm these figures against what was removed or attempted to be removed. Click on the Next button.

    Figure 8-1


After clicking the next button we will be given a screen with all the critical items it found on the system. As with most of the programs we have used so far, if we right click any of the objects (Figure 8-2) we can see that we are given several options, ranging from Item Details, Jump to Key, to More Selection Options. We can also see from the top of the window the Vendor of the suspected object, its Type, Category, and the location of said object. We can select or deselect certain objects by groups, or add certain objects we might think need to stay to the ignore list. We can also view and export the scan log, again for comparing to a clean machine if we have any doubts about a certain object or item. Chances are that everything in the scan is ok to eliminate; since Ad-Aware SE only keeps a database of known spyware and not unknown objects like HijackThis, we shouldn't have to worry about seeing anything in particular that would be company related, thus eliminating the possibility of deleting something that we shouldn't. However, never assume anything, and it is always best to skim through the log file or object list to make sure. Plus it's handy to learn more about certain objects and become more familiar with what you will be seeing on future machines.

    Figure 8-2

By clicking on Item Details we get a detailed analysis of the item as referred to by Ad-Aware SE. Figure 8-3 shows a typical item's details. From this figure we can see a lot of things, including what threat level Ad-Aware has assigned to this object and what damage it might cause to the system. There is also a clickable link at the bottom known as the TAC, or Threat Assessment Chart. Ad-Aware uses this TAC to categorize how bad the suspected software in its database is. Almost all Spyware removal sites have something similar that they use to assess whether or not an item should be included in their database. If it doesn't reach a high enough number then it is not included. You can learn more about Lavasoft's TAC by visiting http://www.lavasoftnews.com/ms/research/tac.htm

    Figure 8-3


For now the only option we are really concerned with is the Select All Objects option as illustrated in Figure 8-4. Once the objects are selected we can click the next or continue button in the lower right hand side of this screen.

    Figure 8-4

After clicking continue, you will be presented with a confirmation screen (Figure 8-5). Simply click ok and allow Ad-Aware SE to delete the selections.

    Figure 8-5


If everything went well, you will be presented with a screen much like the one in Figure 8-6. If it had trouble removing any of the objects then you will be presented with a screen much like in Spybot S&D asking if you would like to run the program the next time you reboot. By now you should be seeing the reason behind running CodeStuff Starter and HijackThis during the scans of Spybot S&D and Ad-Aware SE, that purpose being to try and eliminate the cause of each of these programs not being able to eliminate all of the spyware on its first scan. By using CodeStuff Starter and HijackThis during the scans of Spybot S&D and Ad-Aware SE we can alleviate many of the problems that occur during the cleaning phases of these two programs. Remember, we want to keep from rebooting as much as possible while there is still spyware on the system, and we want to clean the system in minimal time. Rebooting several times is not very efficient. You can view the log file once Ad-Aware SE is complete to see the items it could not remove and use the same steps as described in Chapter 4 to try and remove any unwanted items.

    Figure 8-6

After Ad-Aware SE has completed removing the Spyware, bring Spybot S&D back up one last time and run another scan. Nine times out of ten, if it had items it couldn't remove before, they will be eliminated now. Same goes for Ad-Aware SE: run it a second time and chances are the items it couldn't remove will be gone now. This is why I say it is not necessary to run these programs on reboot. The only thing this will accomplish is slowing us down considerably.


Chapter 9: Windows Updates

    Patching up the system

After you have run both scans at least twice and have gotten clean scans from each program, run Windows Update. If you don't see Windows Update in either the start menu or in Internet Explorer by clicking on tools, then we need to change a few settings in the Group Policy. Click on start, run, and type in gpedit.msc without the quotes. Figure 9-1 shows the group policy window you will be presented with. The settings we are concerned with are under the User Configuration, which I have highlighted below. Expand the Administrative Templates option, and click on Start Menu & Taskbar. This will bring up several options in the right pane window. The second one from the top should be Disable and remove links to Windows Update. Double click on this to bring up its properties.

    Figure 9-1

    Figure 9-2

Change the setting from either Not Configured or Enabled to Disabled as shown in Figure 9-2, and click Ok.


The second option we need to change is just above the Start menu & taskbar setting in the left hand window pane, labeled Windows Update, which I have highlighted in yellow in Figure 9-3. Click this once, and in the right hand window pane you will see only one option (Remove access to use all Windows Update features). Double click on this option to bring up its properties window.

    Figure 9-3

    Figure 9-4

Once again, change the setting from whatever it is currently to the Disabled option (Figure 9-4). Click the Ok button and close the Group Policy Manager window. You should now be able to download all critical updates for Windows by either accessing it through the start menu, or opening Internet Explorer and clicking on Tools, and Windows Update. The only updates we are concerned with are the critical ones.

We can be logged in as the user to download the updates; however, you will need to be logged into the machine locally after you reboot. This is because if any of the updates involved anything with Internet Explorer, upon reboot our login script (which runs using Internet Explorer) will interrupt the installation of said patches or upgrades before they can be completed, rendering them useless and causing errors when the user tries to run Internet Explorer.

By logging into the machine locally, the login script doesn't run, allowing the patches and updates to be installed without interruption.


Chapter 10: Applying Standard Fixes

    Error messages you might see

In this chapter we are going to show some tools that should be run on any system containing Spyware, and some common error messages you might encounter on a system. Sometimes a user will call in a ticket for error messages they are receiving, which may not be categorized as Spyware, but ultimately in the end we discover that it is indeed Spyware. One of the most common error messages, and a dead giveaway that the user could have Spyware, is the 16 bit MS-DOS Subsystem error shown in Figure 10-1. This could be a result of bad programming on the Spyware creator's part, or maybe a guilty conscience; either way it should be a red flag to us that the system in question could have Spyware. (This could also be an error caused by Symantec; upgrade to nav9 to find out.) Whatever the Spyware may be, it is altering the Autoexec.nt, config.nt, and command.com files in the system32 folder. To fix this error, first we need to follow the instructions in the previous chapters on removing the Spyware. Then we need to replace these files with known good ones. You can do this from either a Windows CD and the expand command, or run the Win2kFiles.exe included in this manual (Recommended).

    Figure 10-1

Once the Spyware is removed and you run the .EXE file (Figure 10-2), this error should disappear upon reboot. To make sure that these files are not altered in the future by any Spyware, navigate to the System32 folder in the WINNT directory and change each file's attributes to Read only. If they are running XP Pro, then run the XPProfiles.exe and change the files' attributes. If a system has Spyware I usually run this fix regardless of whether they are getting the error message or not. It will not harm the system in any way to run this little fix even if the error message doesn't exist. By running this fix we ensure that the machine has clean versions of each of these files, just in case future variants of whatever is causing the error message learn from their mistakes and we don't see this error anymore.

Unzip the files included in the WinZip exe file. Double check to make sure that the default directory these files are going to extract to is indeed the correct location on the machine you are on. The default location should be the same as I have highlighted in Figure 10-2 for a Windows 2000 machine.

    Figure 10-2

Once the files are unzipped to the system folder, you should get a confirmation. Click ok, and close the WinZip Self-Extractor window.

    Figure 10-3


Another error that is usually associated with Spyware is the Windows File Protection error (Figure 10-4). This happens when a certain Spyware (I have found Adtool Status to be one of them) changes system files in relation to Internet Explorer. The Spyware makes it so that when you attempt to get Windows Updates, you receive an error message stating that a previous installation is requiring a restart of the system and Windows Update cannot continue. No matter how many times you restart the system you will get the same error message.

    Figure 10-4

I created a batch file, included in this manual and called Wincdfix.bat, which re-registers certain DLL files associated with Internet Explorer that are affected by this Spyware. Double click on this file and click ok through each of the confirmations (Figure 10-5). You can edit this batch file with the /s switch to run each command silently. I prefer clicking the confirmation windows just to be safe. Once it has finished re-registering the DLLs it will close on its own. Running this tool on a system with Spyware that doesn't receive this error message will not hurt the system in any way. For that reason I run this on any system with Spyware regardless of whether they have received the error message or not, just to be safe.

    Figure 10-5


Figure 10-6 is a common error you might see after rebooting the machine after removing Spyware. This is caused when one of the pieces we removed said it needed to reboot in order to finish its uninstall. (Notice the title of the error at the top of Figure 10-6.) This is simply a registry key that one of our programs removed. Just ignore it, and on the next reboot it should disappear.

    Figure 10-6

    This concludes the basics of Spyware removal.


Chapter 11: Advanced Techniques

    Removing stubborn Spyware

In this section I am going to go over some of the more advanced techniques used when removing Spyware. This section assumes you have already done the required steps in chapters 1-10, and that you have a better understanding of how some of the tools work. For that reason this section does not include as many illustrations as the previous chapters, but focuses in more detail on some key elements of our additional tools.

One of the easiest ways to tell if we are going to need to go farther with the removal process is when we are running CodeStuff Starter. The refresh button on this program will show us our reappearing Spyware. After disabling or removing a program from the startup list and waiting a few minutes, the program reappears after hitting the refresh button. This is where our hunt begins. Something in the system is telling this program or process to come back, which means that something is running constantly and checking whether or not our program is still in the start up processes. If we switch over to the process view we might even see the same process as our startup program, or possibly an odd process that doesn't belong. Some of these processes will turn up empty results when searching the internet. If you can't find anything on the internet about the process or program that is running, that is usually a really good sign that what you have found is a mutating piece of Spyware. Why? Simple: legitimate programs or Windows system files will show up on the internet. Someone has had a problem or a question in the past at one time or another to warrant an article or even a definition for 99% of everything running on a system. Spyware creators are very smart in their design. By creating something that is not recognized, most people won't know what to do with it and will leave it alone.

If you right click the suspected program in CodeStuff Starter and select File Properties and it turns up no results, or says something like file not found, then what we have is a disappearing piece of Spyware. Somewhere on the system a call function, registry key, DLL or a combination of them all is telling a piece of software to start up and then immediately terminate and delete itself from the system. This is a good sign that we have multiple programs all working on the same piece of Spyware. These are what I would call drone programs. Because the drone programs are the ones altering the system, they are the ones that our usual scans pick up and try to remove. This is what will usually cause Spybot S&D or Ad-Aware SE to want to run again after reboot, because it can't find the file it wants to delete, much like when we click on File Properties in CodeStuff. Our scanner probably picked up its trace when our drone program popped up for a split second. When our scan then tries to delete it and can't find it, it assumes that this is an error and asks to delete the file upon reboot. This is why I said when you get this message, it is better for us to hunt down the problem ourselves rather than try the reboot option. Chances are when we reboot it will not see the offending program then either, or our program has switched to another drone with a different name. Once again our scan will pick it up, but when it tries to delete it, the program is gone. Now it doesn't see the first program that it wanted to delete when we rebooted, so the scan doesn't reflect this and we think the file has been taken care of. But now we have a new file name and again our scanning software is asking us to run again on reboot. You can do this all day with the same results, each time getting a different file name. This is why it is important to pay attention to the scan results and use this to our advantage. Write down the files it is finding but can't delete; in many cases if we reboot into safe mode, each offending program is visible in whatever folder it was running from. If we go into the system and search for this file and it doesn't exist, this isn't a time to breathe a sigh of relief in hopes that the file magically went away; instead it should be a red flag to us that something is seriously wrong and we will need to investigate a little further. A lot of times the only way a piece of Spyware can pull the disappearing act is to have multiple copies of the same drone programs with similar names. If you're not sure, Google them on another machine. Once you see more of these programs you get better at spotting them right away. If for some reason we can't delete it and the Spyware was smart enough to start itself even in Safe Mode, then we will need to use some of our other tools. This is what I am going to try and focus on in the next few sections.
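The reasoning in the two paragraphs above (an entry that comes back after removal, an entry whose file is never on disk, and a drone that rotates to a new random name in the same folder) written out as a comparison of startup-list snapshots taken a few minutes apart. This is an added example and is not part of the original manual or of CodeStuff Starter; the snapshots, entry names and paths are constructed, and on a real machine each snapshot would be filled from the Run keys plus an exists-on-disk check rather than typed in.

```python
"""Spot reappearing and self-deleting startup entries from repeated snapshots.

Added example illustrating Chapter 11; not part of the manual or of
CodeStuff Starter. A snapshot maps each Run-key entry name to
(command path, file present on disk). The three snapshots below are
constructed: every name and path is a placeholder.
"""
import ntpath  # handles Windows paths on any platform

TEMP = r"C:\Documents and Settings\User\Local Settings\Temp"

# Snapshot 0: what the startup list showed on first look.
SNAP_0 = {
    "Adobe Reader Speed Launch": (r"C:\Program Files\Adobe\reader_sl.exe", True),
    "updmgr32": (r"C:\WINNT\system32\updmgr32.exe", True),
    "ztkrw": (TEMP + r"\ztkrw.exe", False),  # File Properties says "file not found"
}
# Snapshot 1: right after we removed updmgr32 and ztkrw from the startup list.
SNAP_1 = {
    "Adobe Reader Speed Launch": (r"C:\Program Files\Adobe\reader_sl.exe", True),
    "qpfxd": (TEMP + r"\qpfxd.exe", False),  # new random name, same folder
}
# Snapshot 2: a few minutes later, after hitting Refresh again.
SNAP_2 = {
    "Adobe Reader Speed Launch": (r"C:\Program Files\Adobe\reader_sl.exe", True),
    "updmgr32": (r"C:\WINNT\system32\updmgr32.exe", True),
    "qpfxd": (TEMP + r"\qpfxd.exe", False),
}


def reappears(presence):
    """True when an entry was seen, then gone, then back again."""
    seen = gone = False
    for present in presence:
        if present and gone:
            return True
        if present:
            seen = True
        elif seen:
            gone = True
    return False


def analyze(snapshots):
    """Return (entry, reason) pairs for the patterns the chapter describes."""
    findings = []
    names = sorted(set().union(*(snap.keys() for snap in snapshots)))
    for name in names:
        presence = [name in snap for snap in snapshots]
        if reappears(presence):
            findings.append((name, "reappears after removal: something is recreating it"))
        on_disk = [snap[name][1] for snap in snapshots if name in snap]
        if not any(on_disk):
            findings.append((name, "file never found on disk: self-deleting drone"))
    # Name rotation: an entry vanishes and a new one appears in the same folder.
    for before, after in zip(snapshots, snapshots[1:]):
        for old in set(before) - set(after):
            for new in set(after) - set(before):
                old_dir = ntpath.dirname(before[old][0]).lower()
                new_dir = ntpath.dirname(after[new][0]).lower()
                if old_dir == new_dir:
                    findings.append((f"{old} -> {new}",
                                     f"renamed drone in {ntpath.dirname(after[new][0])}"))
    return findings


if __name__ == "__main__":
    for entry, reason in analyze([SNAP_0, SNAP_1, SNAP_2]):
        print(f"{entry:24} {reason}")
```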


Let's start with taking a closer look at CodeStuff Starter and some of the things you can expect to see when you come across a stubborn piece of software. In Figure 11-1 I have right clicked a file I intentionally removed from the system, and clicked on file properties.

    Figure 11-1

As you can see, CodeStuff Starter saw the program on startup, but now that I have removed it from the system it doesn't have any details about the software. This same thing can happen when you right click a Spyware program that deletes itself. Fortunately, CodeStuff Starter is still able to tell us the location of where the file was located when it was initiated from the previous screen.

This is where Pocket Killbox comes into play. Open up Pocket Killbox and you will be presented with a small window with a type box. Type the path of the suspected file into the open type box in Pocket Killbox; if the file exists it will show up in blue just below the type box. (Figure 11-2)

If nothing shows up below the type box then our file truly has disappeared. We'll deal with these types later. For now, we are going to assume that the file did show up in blue, which means Pocket Killbox can see it.

If the file we are trying to get rid of is a simple .EXE file then click the check box that says End Explorer Shell While Killing File. This will cause the Windows Explorer Shell to suspend temporarily to try and delete the file. If the file we are trying to kill happens to be a DLL file, then we can click both End Explorer Shell While Killing File and Unregister .dll Before Deleting. As handy as this tool is, it doesn't always work on the more sophisticated Spyware, but it is a very handy tool to use because it is quick and is a stand alone program, so there is no reason to install anything. If deleting the file doesn't work, we will need to reboot into safe mode. But as long as we have to do this, we might as well try some of the other options offered with Pocket Killbox, specifically Replace On Reboot. If you check the box that says Use Dummy, then Pocket Killbox will attempt to replace the original version of the file we are trying to get rid of with a dummy file.

    Figure 11-2


It is always best to first navigate to the file and change its security settings. (Figure 11-3) Right click the file and deny access in the Security tab of the Properties menu for each user. This will make Pocket Killbox's job a lot easier, and ours as well.

You can let Pocket Killbox rename it or name it yourself for easier location upon reboot. Either way, make a note of where it is placing the new file so we can find it after the reboot and delete it permanently.

If neither CodeStuff Starter nor Pocket Killbox could see the file, and we have navigated to the said file location and cannot locate it, then we need to reboot in safe mode. Since most of our Spyware rebuilds itself in full upon shutdown, and then removes itself again once the machine is booted normally and connects to the internet, by booting into safe mode without networking we should be able to see all the files that were previously missing. Some of them, especially DLL files, might still be in use even in safe mode. But killing them now should be easier, now that we can physically see them, and assuming you remembered to change the security settings for the file to deny all before we shut down. Once again bring CodeStuff Starter up and see if it still shows our initial offending program. I say initial because chances are there will be more than one controlling our system from the same root program. You should now be able to right click this file in CodeStuff and get more details about it, including its full path, which we can now copy and paste into Pocket Killbox. If you are going to use Pocket Killbox, I suggest you still put a checkmark in the End Explorer Shell box.

    Figure 11-3

This is the easy way out and can cause other programs created by the same Spyware to still reside on the system. Pay close attention to the results you see in CodeStuff Starter both in Safe Mode and in a normal Windows login. The file can change names, making you think it is morphing. But in reality it is more than likely one of several drones being used by the initial program. This is why I suggest that while in safe mode you navigate to the System32 folder in the Windows directory and search through the entire folder manually. This can take some time at first, but as you get familiar with Spyware it gets easier. Even though Spyware vendors are constantly updating their software to elude Spyware removal programs, they usually don't change the name of their EXE files by very much. By changing the folder view options to arrange icons by type we can narrow the field down to just looking at the EXE files. We will get to looking at the DLL files later.

Once you have tracked down the name or names you made note of earlier, look to see if there are any other programs near it with very similar names. Chances are if there are, they are also associated with our Spyware program. VX2 is a strong candidate for this, and I have seen as many as 10 EXE files, or drones, all associated with it. Sophisticated Spyware will usually reside in the System32 folder of the Windows directory; however it can also reside in its own directory elsewhere on the system. In either case scanning through the system is essential in hunting down Spyware. Reading the entire file location line in all of our programs is very important, as it will teach you the common places where Spyware resides.
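The manual's advice above is to scan System32 by eye for EXE names that are close to the drone names you wrote down. The script below is an added example, not part of the manual, that does the same comparison with an edit distance so near-misses such as a changed trailing character are not overlooked; the names in $NotedNames are constructed placeholders, and the Authenticode signature column is an addition of this example (most genuine Windows binaries in System32 are signed, which helps rule them out).

```powershell
# Added example (not from the manual): list EXE files in System32 whose base name is
# within a small edit distance of the drone names noted from Spybot / Ad-Aware results.
param(
    [string[]]$NotedNames = @('drone1.exe', 'dronex.exe'),   # constructed placeholders
    [string]$Folder = "$env:SystemRoot\System32",
    [int]$MaxDistance = 2                                       # 0 = exact name only
)

# Levenshtein edit distance between two strings, case-insensitive.
function Get-EditDistance {
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length                      # distance row for an empty prefix of $a
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

# Compare on the base name only, so "vx2abc.exe" vs "vx2abd.exe" scores 1, not 1 + ".exe".
function Get-SimilarExecutables {
    param([string[]]$Names, [string]$Path, [int]$Limit)
    $baseNames = $Names | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $base = [IO.Path]::GetFileNameWithoutExtension($file.Name)
        $closest = $baseNames | ForEach-Object {
            [pscustomobject]@{ Noted = $_; Distance = (Get-EditDistance $base $_) }
        } | Sort-Object Distance | Select-Object -First 1
        if ($closest.Distance -le $Limit) {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            [pscustomobject]@{
                Name      = $file.Name
                FullPath  = $file.FullName
                ClosestTo = $closest.Noted
                Distance  = $closest.Distance
                Created   = $file.CreationTime        # fresh timestamps next to old system files stand out
                Signature = $sig.Status               # "Valid" for signed Windows binaries, "NotSigned" otherwise
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }
    }
}

Get-SimilarExecutables -Names $NotedNames -Path $Folder -Limit $MaxDistance |
    Sort-Object Distance, Name | Format-Table -AutoSize
```

Run it in Safe Mode as the text suggests, and rerun it with -Folder pointed at any other directory that CodeStuff Starter's full path column reveals; a hit is a lead to look up, not a verdict, exactly as with the manual scan.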


Now let's move on to DLL files. Dynamic link libraries are used by just about every program created; Spyware can sometimes attach itself to DLLs that are already on the system. No need to reinvent the wheel when they can just use what is already available to them. In some cases though they will create their own DLLs, in hopes that no one will notice them and because the DLLs already provided in the system aren't sufficient for their needs. This will allow future Spyware to call on these DLLs and use them just the same, eliminating the need for the user to install a new program. There are a couple of tools we use to determine what DLLs are bad, and what DLLs are used by the system. Our first program, Dllcompare.exe, is strictly geared to searching out known bad DLL files on a system. It is wise to check for periodic updates of this program from its creator, as they will add new definition files as they discover them.

Dllcompare is another stand alone program that requires no install. When you first start Dllcompare you will be presented with a screen much like the one in Figure 11-4.

    Figure 11-4

Click on the Run Locate.com button. This will set up the database it needs. Once this is done click on the Compare button in the lower right hand corner of the screen. This will check the entire system for DLLs and make a log of them. It then compares the DLL files it found with its database to see if it has found any of the DLLs known to be used by Spyware, and tells you in the lower window. Figure 11-3 illustrates a suspected Spyware DLL it found on the system. Once it finds any DLL files, click on the button that says Make a log file of what was found. Once you click on this it will ask you if you want to view the log file, and we do, so click on the Yes button. The log file comes up as a text document and will show any and all bad DLL files it found. Again, if you are unsure of the results, Google the files it found. With this log file we can now copy the full path of each said DLL and paste it into our friendly Pocket Killbox to delete them. Any DLL file you try to delete needs to be unregistered first or the delete will fail, so be sure to click the checkbox in Pocket Killbox that says Unregister .dll Before Deleting.

Our next program for checking DLL files relies heavily on the user to check what it finds. Procexp.exe, known as Process Explorer, will give a lot of details about any given program or process currently running on the system, including what it is associated with and what DLL files it uses. This program is great for determining if a suspected program or process is legitimate. It is also good for determining if the suspected process is using a legitimate DLL or Windows file, so that we don't delete the wrong thing. Ultimately it is up to the user to determine what is good and what is bad; only experience and research can conclude this. The scope of this program is immense, and to go into every detail that is in this software would take more than the scope of this manual. I will leave it up to you to play around with this program; what I will focus on are the basic areas we are concerned with when hunting down Spyware. However, this program is capable of much more and can be useful for a number of things other than just fighting Spyware.


One of the key features in this program is Find Window's Process, as seen in Figure 11-5.

    Figure 11-5

This allows us to drag over any process or file and see what is associated with it in the lower window. If we drag over a suspected Spyware program, this tool will tell us exactly what it uses to run, so we can be assured that we are killing everything associated with the Spyware. Keep in mind that this program is not specifically targeted towards Spyware, so it will also show any good files used by other legitimate programs in the window as well. As long as the file is up and running, and most Spyware will be, Process Explorer will show us what it is using.

In the lower window, click on any DLL file and at the top of the program click on DLL. If you don't see the DLL option, click on the View DLLs button. From here we can view its properties, and once again we have the option to Google it, making our job much easier. With this program we can also kill processes, suspend them, and also find specific objects, files, or DLLs. Another key feature of this program is its processor power meter. At any given time we can view a spike in power and what caused it. So if you're having trouble with a system that you have already cleaned, this is a great program to try and help determine what is going on. By placing your mouse cursor over any activity in the upper right hand window it will give us the details of what program caused the spike, and when it was caused. This can help us find hidden Spyware on the system. When the program is used we can use the monitor and check the spikes to find it. If we click on the spike, we get a nice large display of the activity meter, and more details on the system. As said before, this tool has enormous capabilities and can be very powerful in more ways than just fighting Spyware.


Trend Micro is an antivirus and Spyware removal tool. You can use their online scan, which requires nothing more than to download and install an ActiveX component. They also have a command line based scanner free for download. This can be handy to run in safe mode. Both the online scan and the command line based scan can take a very long time depending on the amount of data the user has on the computer. This is why I usually save it as a last resort if I am still having problems on a system. If it does find either viruses or Spyware and it has trouble removing them, it will give you the full path of where it found the offending items so that we can use some of the techniques described above to try and remove them manually.

We can also use the readily available tools on the web. Some Spyware has warranted people to create their very own removal tools. Some examples are CWShredder and VX2 removal. Along with these tools, check Symantec's website to see if they have a removal tool. Some Spyware is classified as a virus, thus antivirus vendors will create removal tools.

    Figure 11-6

The Registry

When removing Spyware manually, more than likely we will need to dive into the registry. I suggest backing up the registry before deleting or removing anything. For the most part Spyware will keep its registry entries in a few known locations, and usually under the name under which it was created. So if you deleted a file or directory already, using the Find command in the registry editor is a good place to start. The first and most obvious place to look in the registry is HKEY_LOCAL_MACHINE\SOFTWARE. Basically all we're looking for in here is any directories that match any of the Spyware we have already removed. If we do find any, simply right click the entire directory and delete it. Another location is specific to users, HKEY_USERS\.DEFAULT\Software. Digging through the registry can be an exhausting experience, especially when you start having to dig through a lot of HKEY_USERS\S-1-5-21-789336058-484763869-725345543-72729 keys. For the most part you won't find much Spyware in these odd keys. Notice I said usually, because who knows what tomorrow's Spyware will bring. One of the last major places to check is HKEY_CURRENT_USER\Software. Spyware will place the same key in multiple locations. Not that it will use all of them at once, but instead as we find and delete them, it always has a fallback to use. I suggest getting very familiar with the registry. When using Spybot S&D, Ad-Aware or any of the other programs that list registry keys, take the time to not only look at the keys they list, but also navigate to these keys in the registry. This will help you to remember the key locations of where Spyware hides in the registry, and helps you to check whether any of the programs possibly missed anything new that a program might have slipped in.
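As an added example that is not part of the manual, the script below automates the two habits this section recommends: it searches the registry roots named above (HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_CURRENT_USER\Software, HKEY_USERS\.DEFAULT\Software, and each loaded S-1-5-21 user hive) for subkeys named after the Spyware files you already removed, and it exports every hit with reg.exe to a .reg file so the key can be restored if you delete the wrong thing. The names in $RemovedNames are constructed placeholders; the deletion itself is left to you in Regedit, as the text describes.

```powershell
# Added example (not from the manual): find registry keys named after removed Spyware
# files in the locations the manual lists, and back each one up before manual deletion.
param(
    [string[]]$RemovedNames = @('DroneApp', 'VX2Example'),   # constructed placeholders
    [string]$BackupDir = "$env:TEMP\regbackup"
)

# HKU: is not a PowerShell drive by default; map it so .DEFAULT and the S-1-5-21 keys are reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The roots the manual names, plus the Software key of every loaded per-user hive.
function Get-SpywareRegistryRoots {
    $roots = @('HKLM:\SOFTWARE', 'HKCU:\Software', 'HKU:\.DEFAULT\Software')
    $roots += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software" }
    return $roots
}

# Walk each root two levels deep (vendor\product) and match subkey names against the removed names.
function Find-SpywareRegistryKeys {
    param([string[]]$Names, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Depth 1 -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($n in $Names) {
                if ($key.PSChildName -like "*$n*") {
                    [pscustomobject]@{
                        Root    = $root
                        Key     = $key.Name       # native path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\DroneApp
                        Matched = $n
                        Values  = $key.ValueCount
                    }
                }
            }
        }
    }
}

# reg.exe export takes the native "HKEY_...\..." path, which $key.Name already is.
function Backup-RegistryKey {
    param([string]$NativeKeyPath, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $safeName = $NativeKeyPath -replace '[\\:]', '_'
    $outFile = Join-Path $Dir "$safeName.reg"
    & reg.exe export $NativeKeyPath $outFile /y | Out-Null
    return $outFile
}

$hits = @(Find-SpywareRegistryKeys -Names $RemovedNames -Roots (Get-SpywareRegistryRoots))
foreach ($h in $hits) {
    $backup = Backup-RegistryKey -NativeKeyPath $h.Key -Dir $BackupDir
    "{0}  (matched '{1}', {2} values) -> backed up to {3}" -f $h.Key, $h.Matched, $h.Values, $backup
}
if ($hits.Count -eq 0) { "No keys matching $($RemovedNames -join ', ') under the listed roots." }
```

Run it from an elevated prompt so HKEY_USERS and HKLM\SOFTWARE are fully readable; a .reg backup is only useful if it was written before the key was deleted, which is why the export happens on discovery rather than on removal.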


Sometimes the hardest part about combating Spyware is determining which tool to use at each given time. As stated at the very beginning of this tutorial, there is no one tool, and determining what tool you will need depends on what your needs are at the particular time, for whatever particular problem or program is giving you trouble. As you will notice, a lot of these tools have some of the same characteristics as others, each one having different strengths and weaknesses. The next few tools are just that.

Window Watcher is another very detailed tool. It will give every single process running, hidden and not hidden, along with any sub directories it is using. After clicking on an item in the upper window, we can see all the details about it in the lower window, including whether or not the process has an open window or a hidden window, and whether or not the window is enabled at that current time. With Window Watcher, we can learn more details about a given process and some of its processes. This is much like Procexp.exe, except that with Window Watcher some things tend to be presented in a little more reader friendly version.

X-RayPC is a lot like HijackThis but with more detail and a little easier to understand. Instead of putting everything together in one long string like HijackThis does, it separates everything out into columns. In the far left column is the name of the process, while the middle section gives the full path of where the file resides. If we click on any of the programs listed, the bottom window gives us full details of the program. Double clicking any program file will prompt to have it removed. Much like HijackThis, X-RayPC is a stand alone program and requires no install. If connected to the internet, this program will also try to determine, from a database, what is considered good and what might be bad. Never rely on a program to determine fully what is and what isn't good; instead use it as a crutch to help you determine what should be taken off of the system.

New tools and techniques come out every week to help fight the war on Spyware, but the best tool we can use is education. The more you know about the internals of a system, the easier it is to get rid of Spyware. Removing items manually will also teach you a lot about how a system works. I suggest taking a spare machine and setting it up to get as much Spyware as you can. This will help you to learn more about each piece, and if you happen to mess something up during the removal process, no harm is done. The next few sections of this manual will detail some helpful web links for fighting and tracking down Spyware, and some detailed tutorials on some of the tools we have used throughout this manual.


    Chapter 12

How did it get on my system?

Common questions and answers about Spyware

Is your PC feeling sluggish? Has your browser recently acquired a mysterious new toolbar? Are new programs showing up unexpectedly in your system tray? Do advertising windows pop up even when you're not browsing the Web?

All of these are telltale signs that your computer is beset with adware, Spyware, or other malicious software you don't want and don't need. Like viruses, these programs often sneak onto your PC by piggybacking on a downloaded program, e-mail message, or Web site. Adware, Spyware, and other unsolicited software can slow your PC, bog down your Internet connection, reduce your productivity, and jeopardize your personal privacy.

You can avoid installing unwanted software by being choosy about the free programs you download, and by watching your web surfing habits.

Adware is any kind of software that, once installed on your PC, pops up browser windows containing advertisements. The software may also track your Web browsing (without attempting to identify you personally) and use the information to send targeted advertising related to your browsing habits. While this is fairly innocuous behavior, you are nevertheless paying for these ads to be displayed by donating your machine's processor time and your Internet connection's bandwidth.

    How Did This Get Here?

Spyware is like adware, except that it has gone completely over to the dark side, scanning your hard drive for personal information or attempting to link your surfing habits to your name or e-mail address. Once Spyware has discovered your e-mail address, an onslaught of spam can't be far behind. More insidious than either adware or Spyware are dialers, which hijack your Internet connection and silently route you through toll numbers that can cost several dollars per minute. Dialers often piggyback on the porn spam that plagues most e-mail in-boxes. Simply previewing the e-mail message can, in some cases, install the dialer. This is why I refuse to use the preview box in any email program.

Most adware and Spyware come bundled with popular free programs, notably the popular peer-to-peer file-sharing programs like Kazaa, IMesh, and BearShare. Installing one of these can dump dozens of additional programs on your PC. Unfortunately, the makers of the host programs try not to advertise their programs' hidden payloads. Reading the licensing agreement (carefully) during installation will often reveal embedded licenses for the piggybacking adware. Look for notorious adware and Spyware names like CommonName, FavoriteMan, GAIN, New.net, and "nCase." For an extensive catalog of the many varieties of adware and Spyware currently in circulation, see the section on parasites at Andrew Clover's Web site.


Below are some examples.

Drive-by download - This is when a Web site or pop-up window automatically tries to download and install Spyware on your machine. The only warning you might get would be your browser's standard message telling you the name of the software and asking if it's okay to install it.

Browser add-ons - These are pieces of software that add enhancements to your Web browser, like a toolbar, animated pal or additional search box. Sometimes, these really do what they say they do but also include elements of Spyware as part of the deal. Or sometimes they are nothing more than thinly veiled Spyware themselves. Particularly nasty add-ons are considered browser hijackers -- these embed themselves deeply in your machine and take quite a bit of work to get rid of.

Bonzi Buddy is an "add-on" application that includes spyware in its package.


Masquerading as anti-Spyware - This is one of the cruelest tricks in the book. This type of software convinces you that it's a tool to detect and remove Spyware. When you run the tool, it tells you your computer is clean while it installs additional Spyware of its own. It even looks like a legitimate Windows warning. But notice on the far right where it says Advertisement.

Spyware can do any number of things once it is installed on your computer. At a minimum, most Spyware runs as an application in the background as soon as you start your computer up, hogging RAM and processor power. It can generate endless pop-up ads that make your Web browser so slow it becomes unusable. It can reset your browser's home page to display an ad every time you open it. Some Spyware redirects your Web searches, controlling the results you see and making your search engine practically useless. It can also modify the DLLs (dynamically linked libraries) your computer uses to connect to the Internet, causing connectivity failures that are hard to diagnose.

Certain types of Spyware can modify your Internet settings so that if you connect through a dial-up service, your modem dials out to expensive, pay telephone numbers. Like a bad guest, some Spyware changes your firewall settings, inviting in more unwanted pieces of software. There are even some forms that are smart enough to know when you try to remove them in the Windows registry and intercept your attempts to do so.

The point of all this from the Spyware makers' perspective is not always clear. One reason it's used is to pad advertisers' Web traffic statistics. If they can force your computer to show you tons of pop-up ads and fake search results, they can claim credit for displaying that ad to you over and over again. And each time you click the ad by accident, they can count that as someone expressing interest in the advertised product.

Another use of Spyware is to steal affiliate credits. Major shopping sites like Amazon.com and Ebay.com offer credit to a Web site that successfully directs traffic to their item pages. Certain Spyware applications capture your requests to view sites like Amazon and EBay and then take the credit for sending you there.

You may, in some cases, be able to opt out of installing adware or Spyware elements by un-checking a box during installation. Often, this will allow you to install the free program you do want, without installing the undesirable software. Frequently, however, bundled adware or Spyware installs silently, and offers no uninstall link or tool.

And be forewarned that many programs that include Spyware or adware won't work after the Spyware is removed. In such cases, you'll need to find a (Spyware-free) replacement. For a more in-depth review of both antivirus and anti-Spyware tools, see "Pest Zappers."

Unfortunately, there's no sure way to know if a program contains Spyware. Reviews, the maker's Web site, close examination of the installer and license agreements, and the experiences of other users are your best bets for solid information; try Google for a fast way to find all of these. If you think a program may be safe, go ahead and install it, but be sure to scan your PC afterward with an up-to-date anti-Spyware utility, or even two. You can't be too cautious.


Legality

So is it legal to install difficult-to-remove software without the user's permission? Not really. There's an increasing body of state legislation that explicitly bans Spyware, including the Spyware Control Act in Utah and the Consumer Protection Against Computer Spyware Act in California. But even without these new state laws, federal law already prohibits Spyware. The Computer Fraud and Abuse Act covers any unauthorized software installations. Deceptive trade practices of any kind also violate the Federal Trade Commission Act. Additionally, the Electronic Communications Privacy Act makes it unlawful for companies to violate the security of customers' personal information.

Just like anti-spam legislation, these Spyware laws can be very difficult to enforce in practice, and the perpetrators know it. It can be tough to find hard evidence connecting individual companies to their Spyware products, and, as with all Internet-related lawsuits, there are often battles over which court's jurisdiction applies to the case. Just because it's illegal doesn't mean it's easy to stop.

    Conclusion

Spyware can come in many shapes and forms. Free doesn't necessarily mean free. Popular browser add-ons, email enhancements or task bar programs are free because they come bundled with additional software that in turn is

    S