Here are a few techniques you can employ to make your system more resistant to spyware and safeguard it further.
Run a Full System Scan
Most anti-spyware programs offer both a quick scan feature and a full system scan feature (sometimes called a deep scan ). When you have more time, be sure to run a full system scan (see Figure 2.20). The program digs deeper into your system to look for less obvious spyware.
Figure 2.20. Microsoft AntiSpyware has a full system scan that should be run occasionally when you have time to check every nook and cranny of your computer for spyware.
Install a Second Anti-spyware Program
The anti-spyware program you choose will not stop and clean all spyware infections. There are so many kinds of spyware that many anti-spyware programs only capture a portion of them. So to be vigilant it's advisable to use two anti-spyware programs on your computer. I've had good luck with using both Microsoft AntiSpyware and Spybot Search & Destroy together (see Figure 2.21). I also like PestPatrol, a commercial anti-spyware product available from http://www. pestpatrol .com that is very effective at catching more spyware than the freebies. A third free anti-spyware tool is Ad-Aware SE Personal Edition available from http://www.lavasoft.de.
Figure 2.21. I recommended using two anti-spyware programs on your computer. Besides Microsoft AntiSpyware, I like to use Spybot Search & Destroy, another excellent free anti-spyware tool.
Inoculate Your System
Microsoft AntiSpyware comes with a feature called Real-time Protection (see Figure 2.22). This feature watches 100 key areas of your computer looking for spyware behavior. If a setting is changed or an Internet connection is made, it alerts you to the behavior with an information pop-up box. If the alert is deemed severe, it asks you for a decision.
Figure 2.22. Microsoft AntiSpyware has a feature called Real-time Protection that watches over 100 key entries points used by spyware to get onto a computer.
Spybot Search & Destroy also has a similar feature. It's called Immunize. It tweaks settings in Internet Explorer to block installation of known spyware.
If anyone is to blame for the spyware problem, it's Microsoft. That's because the great big software company produced operating systems that are full of security holes. At particular fault is Microsoft's web browser Internet Explorer (IE). It has all kinds of functions that are exploited by spyware writers. These include software called Browser Helper Objects (BHOs) which are add-ons for the browser that can auto-install from the web. IE also uses something called ActiveX which allows mini-programs to self-install on a computer.
Many people quit using IE as their browser. Instead they install Firefox (see Figure 2.23), a really nice alternative from Mozilla.org that doesn't have the security holes that plagues IE. I recommend this as well.
Figure 2.23. Using Firefox as your primary web browser closes one door on spyware on your system because its mechanisms won't allow spyware to come onto your system automatically.
You can't totally abandon IE because some sites, including Microsoft's own Windows Update, won't work without it. However, installing and using Firefox most of the time is a good stopgap against getting your machine chuck full o' spyware.
If you'd like to clean browser cookies in the Internet Explorer web browser (see Figure 2.24), take the following steps:
Figure 2.24. In Internet Explorer's Internet Options box you can clean all your cookies with one click.
If you'd like to clean your cookies in Firefox (see Figure 2.25), do the following:
Figure 2.25. In the Firefox Options menu you can wipe out many temporary Internet files, including cookies.
Spyware Infection Found! How to Scrub Your System
Despite your best efforts, you might still get infected by spyware or adware. In fact, because of the pernicious nature of this kind of malware, it's almost a certainty . So this section will come in handy. Here's how to clean spyware and adware from your system.
Clean, Yes! Spyware, No!
I am going to show you how to use Microsoft AntiSpyware to remove threats. The process that most other anti-spyware software use is not that different.
First, you'll want to run a system scan to detect infections. When you do this, the software does the following:
Anti-spyware programs usually offer two kinds of scans :
Microsoft AntiSpyware has both modes. Let me take you through a deep scan. Before you start, check to see if there are any spyware signature updates.
Figure 2.26. Microsoft AntiSpyware can do either a quick scan that takes a few minutes or a thorough deep scan that takes a half hour or more, depending on the size of your hard drive.
Figure 2.27. Microsoft AntiSpyware alerts you as it finds threats during the scan.
When the scan is complete, Microsoft AntiSpyware lists all the threats it found and rates its severity as follows :
Microsoft AntiSpyware also recommends an action to take when you click the Continue button to clean the threats from the system:
What to Do When an Infection Is Found
When Microsoft AntiSpyware finishes its scan, it gives you the option to remove it (see Figure 2.28). Click Continue. Hum merrilyspyware killing can be fun. Be sure to reboot your system after the removal process is done to stop spyware from regenerating. As long as it's in memory, some spyware and adware can re-install, self-repair, and download new infections from the Internet.
Figure 2.28. When a scan is done, Microsoft AntiSpyware rates the threat and makes a recommendation as to what you should do with it.
If the Removal Routine Fails
If an anti-spyware program has a problem removing a threat, you may want to do a scan with it in Windows Safe Mode.
Safe Mode is a Windows troubleshooting mode that allows you to run Windows without loading anything unnecessary in memory. You can get into it by restarting your computer and hitting F8 repeatedly as the computer starts. This takes you to a menu where you choose Safe Mode and boot into Windows in a raw state. This is useful to remove spyware and viruses because in Safe Mode nothing extraneous is loaded into memory, except key Windows components. Since program components spyware uses are not in memory in this state, they can be easily removed. Think of it like this: You can't put a ladder in the garage if you're standing on it. And you can't delete a program if it's running.
Running a scan in Safe Mode increases your chances of successfully removing the threat completely. Before going into Safe Mode, don't forget to update your spyware signatures first, by using the Update button in the program (see the previous section).
How to Fix a Browser Hijack
The infections you'll have great difficulty removing is a category of spyware called browser hijackers .
As mentioned earlier in this chapter, it's a kind of malware that takes over your Internet Explorer home page and switches it to another web page. (A home page is the website that loads when a browser is first opened.) If you try to reset the home page, the browser hijack switches it back the next time you start your computer or open Internet Explorer again.
Spybot Search & Destroy, Ad-Aware SE, and Microsoft AntiSpyware all have capabilities to cleanse some browser hijackers, but they are not always successful.
I highly recommend you run all three free anti-spyware programs first before resorting to the following procedures. Fixing a browser hijacker problem can be an extremely difficult task and you'll likely want to recruit some help.
Browser hijackers are very clever at making themselves difficult to remove. They insert themselves in obscure places deep inside your operating system and cling to your computer like an amorous dog on your leg. There are, however, a couple of tools that can help you rid yourself of the more insipid browser hijackers.
HijackThis: An Introduction
One way to fix a browser hijack is with a diagnostic program called HijackThis (see Figure 2.30) written by a clever Dutch student called Merijn Bellekom. It's available free from his website at www.merijn.org.
Figure 2.30. Make sure you type Merijn.org correctly when you go to download HijackThis (the correct site is shown). Misspellings of the site address take you to adladen websites.
When you type www.merijn.org in your web browser, be sure you spell it right (see Figure 2.31). A slight misspelling can take you to an incorrect web page where there will be misleading links and lots of ads.
Figure 2.31. HijackThis is a good but complicated tool that helps you remove a browser hijacker from your computer.
That said, here's a piece of bad news. HijackThis is about as do-it-yourself as a 747 jet. It's not a tool that beginners should use on their own because you can really bung things up if you make a wrong move. Let me say that again:
You + HijackThis + cavalier attitude = computer goes BOOM!
HijackThis is like that pull catch in your car that opens the hood. Anyone can use it, but it exposes inner workings that can be intimidating, and if you blindly mess around in there, you can get a limb caught in the fan belt.
The program shows you the settings that relate to the guts of Internet Explorer, other web browsers, items that activate during the Windows start up, and other key system settings. It can also remove those settings. The problem here is finding the right items to remove and that takes a trained eye and a steady mouse finger.
So big neon caution here: Your best bet is to find an expert to help. But don't worry, I'll show you where those dastardly hijackers hide and how to lure them out into the sunlight.
Recruit a HijackThis Expert
Because HijackThis is a very advanced tool, a lot of eager experts on the Web are willing to help you diagnose a spyware problem with it. You just have to find one. Here's how to get an expert to help you.
Close Internet Explorer and any other browsers that are running. Start HijackThis, and follow these steps carefully :
Figure 2.33. The Malware Removal discussion area in the forums at SpywareInfo. com is a good place to post your request for analysis of your HijackThis log.
Do It Yourself HijackThis
If you're the kind of person who likes to land the 747 yourselfand really, who doesn't?you're going to need a few days and an in-depth step-by-step do-ityourself process to learn HijackThis.
However, how about a quickie course that should both fix most ornery snags that Spybot and Ad-Aware can't fix and at the same time get your feet wet with HijackThis?
Check the Memory First
At the top of your HijackThis log you see a series of programs listed as Running Processes (see Figure 2.34). This is what is in your computer's memory at the time of the scan.
Figure 2.34. At the top of the HijackThis log is a list of processes running in your computer's memory.
You may see some obvious spyware program running. I helped out one guy who had a nasty spyware infection. Here are five of the 10 things that were running in his system's memory. Pop quiz! Can you guess which program is spyware?
1. C:\WINDOWS\system32\winlogon.exe 2. C:\WINDOWS\system32\svchost.exe 3. C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe 4. C:\DOCUME~1\s1\LOCALS~1\Temp\nsu1C.tmp\ns1E.tmp 5. C:\Documents and Settings\s1\My Documents\Porn stars.exe
If you answered 4 and 5, you're right! Number 4 is a giveaway because it an obscure gobbledygook program name with a .tmp extension. Very suspicious! Sometimes spyware programs randomize the names of the program they launch to evade detection from anti-spyware programs.
Item 5 is pretty obvious, too. In this sample case, two of these with slight variations to their names were running in memory. Actually, these files had longer names that mentioned actual actors and described the act they were acting, so to speak. I cleansed it for you to keep this book out of the Human Sexuality section of the book store.
So check your HijackThis log for suspicious entries and then do what geeks call the three-finger salute: Hold down the Control and Alt keys and tap the Del key.
The Windows Task Manager opens (see Figure 2.35). If you click on the Processes tab, you'll see all the programs running in memory. Scroll through them and try to figure out which ones are spyware.
Figure 2.35. Open the Windows Task Manager and, in the Processes tab, look for programs that might be spyware.
To help, check out www.processlibrary.com. You can enter in names of the files you see on that site and it tells you whether it's a legitimate program or spyware. It won't have an answer for everything, though. What it's best for is to help you make a short list of the suspicious programs. Then you can investigate each one.
Use Google.com to help search for program names and be sure to enter them between sets of quotes if there are spaces in the name, as follows:
This tells Google to search for the whole name as a phrase and not pieces of it.
Here Spyware, Spyware. It's Time to Die
With the memory cleansed, you can get down to the business of killing spyware in the system.
Open HijackThis, click the Scan button, and look at the list of entries (see Figure 2.36).
Figure 2.36. HijackThis generates a series of entries from the Windows Registry where spyware might be hiding.
There are lots of entries and they all look like they could be items on a Chinese food menu. But if you study them, you'll start to see stuff you recognize. Let's go through some notable entries you will likely encounter.
R0, R1, R2, R3IE Start and Search Page
These are addresses of the web pages Internet Explorer uses for the homepage and the default search page. If anything looks funky here and you see web addresses you don't recognize on the right side of each item, the entry is probably a hijack. Check off the boxes to the left of these and click the Fix Checked button. This wipes out the settings.
Congrats, you have just killed your first spyware with HijackThis. I think you are clever! But wait, we are not done.
F0, F1, F2, F3Autoloading Programs from INI Files
These are autoloading programs from old versions of Windows. F0 references are always bad. Nuke 'em.
F1 items are usually old programs. If you run old Windows programs, you will probably recognize these. Do research on these if you're unsure.
N1, N2, N3, N4Netscape/Mozilla Start and Search Page
These are Netscape and Mozilla (Firefox) web browser settings for their start and search pages. This look like the following:
[View full width]
These browser settings are usually OK. Malware called Lop.com hijacks these, though. If you don't recognized the web addresses, BBQ them.
O1HOSTS File Redirections
These are HOSTS file redirects. What that means is the web address on the right will be redirected to the numerical Internet address (called an IP address) on the left when you type it into your web browser. For example
O1 - Hosts: 18.104.22.168 google.com
In this example, if you typed in Google.com into your web browser, it would be redirected to Disney.com (because that 199 number is an ABC/Disney- related IP address). Unless you put these in your HOSTS file yourself, these are bad. The only one that belongs there is
O2Browser Helper Objects
These are called Browser Helper Objects or BHOs. They are programs that install into Internet Explorer that can add new features. They look like the following:
[View full width]
For example, you'll see the Google Toolbar here if you have it installed. Of course, BHOs can also be spyware.
If you see something that looks odd or unfamiliar, it could be spyware. Again, it's worth searching Google.com for entries to learn more about them before you nuke them.
These items reference Internet Explorer toolbars and look similar to this example:
[View full width]
If there's an odd toolbar at the top of IE that appears and wasn't there before, chances you'll find it listed as an O3 entry. Torch it.
O4Autoloading Programs from Registry or Startup Group
These entries reference programs that load automatically when Windows starts. They look like the following:
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\ msnmsgr.exe " /background
This is where many spyware programs get started. Killing them off here stops them from loading when Windows restarts. Tread carefully here.
Besides these entries listed, there are loads more of esoteric entries that could hide spyware references. Learning them all requires a university course, time, and patience.
For a full compliment of entries and what they do, check out this really good reference page: www.bleepingcomputer.com/forums/tutorial42.html.
If you have the time and the inclination, you can learn tons more about the workings of HijackThis and can make a study of all the critical entries it finds.
I also recommend visiting these web pages to learn more about using HijackThis:
Decimate the Little Suckers with CWShredder
Another free program called CWShredder (see Figure 2.37) might also be able to help you with your browser hijack. It finds and destroys traces of CoolWebSearch, a name given to a wide range of browser hijackers. It's available for free from www.intermute.com/spysubtract/cwshredder_download.html.
Figure 2.37. CWShredder is a free program that helps defeat CoolWebSearch browser hijackers.
It's a small file so it won't take long to download. Before you run it, be sure to close Internet Explorer and Windows Media Player, if they are open.
Now run CWShredder. You'll see four buttons at the bottom of the initial window. Click Scan Only if you want to see if there are any CoolWebSearch hijacks on your system. Click Fix if you want to search for infections and clean them.
Microsoft Mimics HijackThis: System Explorers
Now if all this talk about HijackThis has made you queasy, you might want to take a step back and find a tool like HijackThis that doesn't require a grasp of advanced hamster science to use it.
While it's no HijackThis, Microsoft AntiSpyware does have a fabulous little function hidden in its advanced menus that could be termed HijackThis Lite. It's called System Explorers (see Figure 2.38). The feature exposes key Windows and browser settings like HijackThis does and identifies those that might be spyware-related. It's not as comprehensive as HijackThis, but it touches on the key settings that are frequently changed by spyware.
Figure 2.38. System Explorers is an advanced feature in Microsoft AntiSpyware that is like HijackThis but without the complexity.
To work with this feature, follow these steps:
Figure 2.39. Microsoft AntiSpyware's System Explorers feature can give you a good analysis of each of the Startup Programs that run when Windows XP boots up.
Figure 2.40. A problematic toolbar probably left over from a spyware installation is shown in the System Explorers feature in Microsoft AntiSpyware. Note that it can be blocked or removed with controls on the bottom right.