
Thread: [Computers] Your Guide to Spyware

    Posted by Ragabash (Civitate)
    Join Date: Sep 2005
    Location: Dilbert Land
    Posts: 5,886



    Author: nahirean
    Original Thread: Your Guide to Spyware

    Your Guide to Spyware
    Spyware Destruction Guide by Nahirean


    "What is the difference between unethical and ethical advertising? Unethical advertising uses falsehoods to deceive the public; ethical advertising uses truth to deceive the public."

    Vilhjalmur Stefansson (1879 - 1962), "Discovery", 1964


    Section 1: The best defense is prevention.


    As the title of this section states, the best defense against *ANY* malware is prevention. If you acquire spyware on your machine it is almost certainly the fault of the user. Before I begin, I'd like to describe what "firewall" and/or "special" software I have on my machine to prevent the acquisition of virii and malware:

    I have none. I don't have any virus scanners, no firewalls, zero - zip. And I have absolutely no spyware or virus issues. You are in absolute control of your machine until you allow a program to compromise that. The key is not doing so.

    Onward then! Into the breach!


    [Please note, if your machine is laden with spyware/malware scroll down to the section of this guide that deals with eliminating it.]


    Section 2: Immunization.


    Many (and I mean thousands) of known spyware exploits, registry modifications and programs can be stopped dead in their tracks by certain forms of immunization. For this you'll need a few programs that do this quickly for you. (Assuming you don't want to research every variant of spyware and make the changes yourself.)

    Here are the applications that are essential to IMMUNIZATION:

    Spybot - Search and Destroy. Link: http://www.safer-networking.org/en/download/

    This application not only detects and removes spyware, but it also IMMUNIZES your machine against many common threats. Download the application, update the routines, and immunize if you've not already done so.

    Spyware Blaster. Link: http://www.javacoolsoftware.com/spywareblaster.html

    This is another excellent application that provides all sorts of immunization and browser tweaks. Another essential. Download this, update it and immunize against everything.

    With these two applications you can make your machine invulnerable to over 3,000 known spyware and malware exploits. A good place to start.

    Here are the applications that are essential to eradicating spyware forever:


    Microsoft Anti-Spyware Beta. Link: http://www.microsoft.com/athome/secu...e/default.mspx

    It may be somewhat surprising to learn that Microsoft has taken over the license for a product that provides decent spyware removal and prevention. Here it is, another essential. Download it and run it.


    HijackThis. Link: http://www.spywareinfo.com/~merijn/downloads.html

    This is a brilliant application. It allows you to check for alternate data streams, and most importantly allows you to easily access the registry entries pertaining to Internet Explorer. This is where *MANY* spyware threats tend to hide themselves; with this you can track them down and remove them.

    AboutBuster. Link: http://www.besttechie.net/tools/AboutBuster5.zip

    It can be a bit hard to find a link for this software, so I suggest you download this now. This is *THE* tool for removing bad data streams. These are feeds to the advertising companies that monitor you. If you detect alternate data streams, you KNOW you have spyware installed and need to use the above programs to attempt to remove it.


    Trend Micro Web Antivirus. Link: http://www.antivirus.com

    This is the ONLY virus scanner I use. There are several reasons.

    #1: Running a local Virus application only subjects it to attack by trojans and malware.

    #2: They constantly update their virus database.

    #3: This application now searches for all known SPYWARE in their database. This is a great service, and it's offered FREE through their web site and I've been using it for years. Use it often; it's a lifesaver.


    Easycleaner. Link: http://personal.inet.fi/business/toniarts/ecleane.htm

    This is not for spyware, but it's a nice tool to quickly access what's in your windows startup, registry errors, et cetera. Download it.

    All of these applications are wonderful pieces of software, and they're all freeware.


    Section 3: Regular Maintenance.


    Evil companies are constantly trying to formulate new ways to infect your machine with all sorts of negative software. This gives you a choice if you wish to use the Internet: Maintain your machine against such innovation, or subject yourself to alternate data streams. Running the aforementioned programs (Spybot, and Spyware Blaster) at least weekly is an excellent way to prevent your machine from being compromised. It's essential to note that some spyware applications take active measures to DISABLE or crash these applications, so it's good to catch problems before they occur. Run your applications, and run them often.

    I do *NOT* suggest running them with Task Scheduler or leaving them in Windows Startup. Leaving them in the startup reduces your system resources, and many malware applications modify your Windows startup, which can cause them to embed themselves further if they detect counter-measures.

    Run these and run them often. Aside from your competence, it's your front line defense against malware.


    Every week I suggest running the applications in this order.

    1: Easycleaner. Check for anything odd or suspicious in the Startup list. Also it can't hurt to clean out your Registry.

    2: Microsoft Anti-Spyware. This application is quite powerful and will help you remove problems.

    3: Spybot Search and Destroy. Once a week check for updates to the immunization database and run the scans, obviously - remove the culprits.

    4: Trend Micro Antivirus. The best way to scan for Virii and threats to your machine.

    5: Spyware Blaster. Run this often to check for updates, install them if they exist and immunize your machine.


    Section 4: Common sense.


    I am not trying to insult anyone here, but many infections can simply be avoided by using common sense. Don't open the e-mail attached file that says "penis.scr.zip" or "AmericanFlagYay.zip.vbs" and the like. I am not here to judge the web content you browse, but you should know that many genres of web sites are much more prone to distributing malware. Here's a small list.

    Porn
    Warez
    Many "video game" sites

    If it doesn't look official DON'T OPEN THE PAGE. I don't suggest referring to links given to you through alternate sources unless you absolutely trust whoever gave you the link.


    Section 5: I'm infected.



    You probably realize that you're infected with a horde of spyware if you are. Your machine is slow, you have all sorts of icons placed on your desktop that you didn't authorize, your homepage in IE keeps changing, you get popups even though you have a popup blocker, your machine randomly reboots, you get MS Messenger messages popping up for no reason, etc.

    You're going to have to attack these problems. Contrary to what some people will tell you it is possible to recover from almost any malware infection without having to reinstall your operating system. Sometimes it's simply easier to do so, but not everyone has the luxury of backed up data. Here are my suggestions. First, boot up normally and download every application that I cited. Do not visit www.antivirus.com yet.

    Second, once every application is downloaded reboot your machine and enter Safe Mode. You can do this by tapping the F8 key while your machine is booting and choosing "Safe Mode" from the list. Once you've done this, install every application I listed above.

    Once installed, the first thing you need to run is Easycleaner. Open it up and navigate to the "Startup" icon and take a look at everything that is running when your machine boots up. Chances are, if you have an infection this list is going to be riddled with odd programs and dll files. Now you've confirmed it.

    Close Easycleaner for now and run Aboutbuster. Let it go through its process and it will close down any bad data streams. It will run again, and let it close down explorer.exe. After this is completed (chances are you found at least one) run Spybot.

    Run a system scan with Spybot and delete every infection you find. After doing this close Spybot. After closing Spybot repeat this process again, and chances are you'll find some more that either Spybot missed - or have since replicated themselves.

    Now run HijackThis and take a look at the installed BHOs (browser helper objects) that appear. Remove anything that looks suspect. Scan for bad MD5 streams with HijackThis as well.

    Open up Easycleaner again and remove ANYTHING that is even remotely suspect from your Startup Menu. In this case, it's better to be safe than sorry - so be liberal. After you've done this, you need to give your machine a COLD BOOT. This means flipping the power switch on the power supply, or simply unplugging the machine. The reason for this is that many malware applications will replicate themselves upon Windows Shutdown. So switch your machine off (NOT BY HOLDING THE POWER button.)

    Boot up normally.

    Run Spybot again, and see if it comes up clean or if your machine is riddled with spyware again. Clean it if it is, and Immunize.

    Run SpywareBlaster and immunize.

    Go to Trend Macro www.antivirus.com and run a Free Online scan for both Virii and Spyware. Remove any infections you have.

    Open up Easycleaner again and check your startup list. Are they back? If so they're replicating themselves and the problems are embedded.

    Run Microsoft Anti-Spyware Beta and remove any infections it finds.

    Run Aboutbuster again. This time it may find even MORE bad data streams because you're not in safe mode.

    Run HiJackThis again and remove any bad BHOS and check for MD5.

    COLD BOOT your machine again (by switching it off from the PSU, or unplugging it.)

    Now repeat the above steps until you're satisfied with your start-up menu and results from all of the applications.

    [a note on embedded malware]

    If you follow this process to a "T" then you will eradicate 99% of the spyware on your machine. If you happen to be one of the unlucky ones who has what I like to call an "embedded" piece of malware, then it's going to be an uphill battle to remove this. You'll need to search the web and hit up the anti-spyware forums for your specific information. You have all the tools you'll need, and they will most likely ask you for your HiJackThis logs. By their nature embedded pieces of software are notoriously difficult to eliminate - but I know from experience that it can be done. It's going to be a hassle, but you can learn a lot from this experience. The reason they are so difficult to eliminate is that they're constantly altering themselves and changing.

    They are also littering your machine with plagued .DLL files that future versions of the mutant-program can access and use. Those guys at the forums have a long history of dealing with these issues and can be a good help for you. Here are some good forums to start with: http://forums.net-integration.net/

    You can also check out the forums for the various applications I listed above.

    Thank you for your time. If you need help with a specific trojan or piece of malware, feel free to PM me here on the forums.


    Section 6: Disclaimer.


    This document cannot be reproduced in any shape or form without written permission from myself, (Nahirean). I am not responsible for any damages incurred on your system as the result of following this guide. I do not claim that you can be safe from spyware or virii.
    Last edited by Sir Adrian; December 12, 2013 at 06:11 AM. Reason: fixed author hyperlink
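The cleanup procedure in Section 5 has you inspect three things by hand, once in Safe Mode and again after the cold boot: the Startup list (Easycleaner), the Browser Helper Objects (HijackThis), and alternate data streams (AboutBuster). The script below is an added example, not part of nahirean's guide or of any of the tools it names; it is a read-only PowerShell audit of those same three locations so you can compare the output before and after each pass and see whether entries come back. It assumes Windows PowerShell 3.0 or later (needed for `Get-Item -Stream` and `Get-ChildItem -File`), changes nothing on the machine, and defaults to scanning the current user's profile folder for streams; the registry paths are the standard Run/RunOnce and BHO keys.

```powershell
# Added example, not from the original guide: read-only audit of the three
# places Section 5 tells you to check by hand. Nothing here deletes or edits
# anything; review the output and act with the tools the guide names.
# Assumes Windows PowerShell 3.0+.

# 1. Startup entries: the machine-wide and per-user Run/RunOnce keys.
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Get-ItemProperty adds PSPath, PSChildName etc.; skip those.
            if ($name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID. Resolve it through
#    HKCR\CLSID\{clsid}\InprocServer32 to the DLL that IE actually loads.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid   = $sub.PSChildName
        $clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $srvKey  = "$clsKey\InprocServer32"
        $desc = if (Test-Path $clsKey) { (Get-ItemProperty -Path $clsKey).'(default)' } else { '' }
        $dll  = if (Test-Path $srvKey) { (Get-ItemProperty -Path $srvKey).'(default)' } else { '<no InprocServer32>' }
        [pscustomobject]@{ CLSID = $clsid; Description = $desc; Dll = $dll }
    }
}

# 3. Alternate data streams: every NTFS stream other than the default ::$DATA
#    on files under $Path. "Zone.Identifier" is the normal mark-of-the-web on
#    downloaded files; any other stream name deserves a closer look.
function Get-AlternateDataStreams {
    param([string]$Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

# Print the three reports. Run once in Safe Mode and once after the cold boot;
# an entry that reappears between runs is the "embedded" case the guide describes.
Write-Host '== Startup entries (Run/RunOnce) =='
Get-StartupEntries | Format-Table -AutoSize
Write-Host '== Browser Helper Objects =='
Get-BrowserHelperObjects | Format-Table -AutoSize
Write-Host "== Alternate data streams under $env:USERPROFILE =="
Get-AlternateDataStreams | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; the HKLM keys are readable without elevation. Saving each run's output to a file (for example by piping to `Out-File` with a date in the name) gives you the before/after comparison the guide's "Are they back?" step asks for, and the CLSID-to-DLL resolution is the same information HijackThis shows for its BHO entries, so the two lists should agree.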
