
How do you get rid of spyware?

Started by bulls84, March 13, 2007, 11:59:57 PM


bulls84


darkelementwars

My Project: Dark Empire
http://rmrk.net/index.php/topic,7815.0.html
Official Site: http://darkempirerpg.tripod.com
Process: Getting back to work.

Always looking for sprites; if you're interested, PM.

"But then I realized, why stop things from exploding, when in fact it is in exploding that things reach their perfect form. Of course, they only reach it for a few glorious seconds, but during that short time there is no object in the universe more beautiful." -Kite Rockswell, the Mad-Mad Bomber, from The Final War, my very own novel project.  PM me if you would like to read.

"Oh, sure, blame the wizards..."

:)

What is malware?

Malware is pretty much any application that reduces the functionality and performance of a PC.

Some examples include:
Popup windows alerting you that your "machine is at risk", or that "your machine is infected"

Changes to your homepage, and/or sudden redirects to pages that you would normally NEVER visit (also known as browser hijacks, or browser redirects)

Random browser lockups & crashes. Usually, the browser locks up, and eventually the window that it's in turns white, with a "(not responding)" message in the title bar.

However, this does NOT mean that you DO have spyware. This could also be caused by a corrupted plug-in from a bad install or a bad download.

Now, there are two ways to go about this, and they both have their good points & bad points:

----
One is to adjust your browser's security settings by removing execution privileges for certain folders on your system, as well as disabling features that could be used to cause you grief, such as ActiveX & JavaScript.

Exec & Synja both have a tutorial on that, I'll have to convince them to post it here on the forums :-P

Basically, what the above means is that because each user has rights & abilities (such as running files), by removing them, malware may still be downloaded to your PC, but because it doesn't have permission to run (aka execute) it can't modify your system (such as disabling Task Manager, running on boot up, etc.).


(Note: These tips/this tutorial are geared more towards Internet Explorer users. If you use Firefox, that's fine. Personally, I don't like it, but by the same token, I have more than the "average" user's knowledge, so doing this is a snap for me and other peeps here on the Comp & Tech forum)

The good thing about doing this is that it's a one-time deal. Do it once, and you're good for life. (At least... until you reformat =o| )

The only bad thing (and this can't even be deemed "bad") is that it may seem too intimidating for someone who uses their PC for browsing the web and writing email.
----
The second thing to do is to install, configure, update, and then scan your system for malware, which is the purpose of this tutorial.

And yes, that is the preferred order. What good is doing a scan if you're using out-of-date "fingerprints" to scan? That's like looking at last week's TV guide to find out what time your favorite TV show is on this week.

Now:

First things first.

Scanners:
There's a whole plethora of them out there:
AVG/Ewido: http://www.ewido.net
Spyware Doctor: http://www.pctools.com/spyware-doctor/
Webroot: http://www.webroot.com/?rc=4929&ac=5190722
Spybot Search & Destroy: http://www.safer-networking.org/en/download/
LavaSoft Ad-Aware: http://www.lavasoftusa.com/software/adaware/

Note: Use ALL the default installation options, especially the one that says "install for all users" or "install for just this user". (Make sure the "install for all users" option is the one that's checked. You'll see why later on in this tutorial.)


It's always a good idea to update the definitions before doing a scan & removal, simply because new malware is being written & released on literally an hourly basis. Granted, updating your definitions now may not protect you against malware that was released 10 minutes ago, but it's still a good idea.

For the purposes of this tutorial, my workstation has Ewido/AVG Anti-spyware installed, so that's where the screen shots are going to be from.

Here's the main screen for AVG:
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_main.jpg]

Now, before we do anything, we want to update our signatures/definitions. Because, as previously stated, new spyware types are being released on literally an hourly basis.

So, click the following icon:
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_circled.jpg]
Clicking that icon will bring you to the following screen:
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_update.jpg]

Now, before you scan, you want to change the default action:
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/scanner_circled.jpg]

Then, click the "Settings" tab
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/settings_circled.jpg]

After that, click the link that says "Recommended actions" and a little drop-down menu will open up:
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/reccomended_actions.jpg]

Personally, I would recommend that you select the "Delete" option. There is one downside to this, however:

If an application critical file becomes infected, (usually malware targets files that end with .dll) then Ewido/AVG will delete the file, more than likely rendering the program unusable.

However, there is a very simple fix for this: just reinstall the application.

Ok.

Let's go through our checklist:
Anti-Spyware application installed? - Check
Spyware definitions updated to the latest signature file? - Check
Default action set to delete? - Check

Now, let's get the ball rolling:

Once the above things are done, reboot your PC.

Immediately, during the boot-up process, continually hit the "F8" key

(You only have a 5-10 second window to access the boot-up menu, so you have to continually hit the F8 key)

You should get a black screen that says "Windows Boot Options menu"
You want to select "Safe Mode"

[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/boot_options_menu_safe_mode.jpg]

Now, you're going to see A LOT of white text show up, don't worry about this, that's normal.

However, when you get to the login screen (It should be blue screen with 2 user accounts showing up)

Make sure you select the account titled "Administrator"

Why?
2 Reasons:
1. Because usually pre-built PCs have 2 accounts on them:
One titled "Administrator" and the other, depending on the make/model/manufacturer, will say something along the lines of "HP_User"

2. Most types of malware install themselves under the account that was being used at the time of infection, and, 95% of the time, malware creates several registry keys to allow it to start up when Windows starts up. However, that usually only applies to the account that was being used when the PC was infected.

Usually, the Administrator account isn't the one that's being used.

Most of the time, you won't see the login screen that allows you to select the account if there's only one person using the PC.

Windows XP, by default, automatically logs into the one account that was created when the PC was built. (For example, if it's an HP machine, there will be 2 user accounts: one called "hp_user" and one called "Administrator". The PC will then automatically log in using the "hp_user" account.)

Now, because the Administrator account isn't normally used, the chances that this user profile has the startup entries for the malware written to it are fairly low. This is important because, when a file is running, Windows prevents the file from being changed (namely: deleted and/or renamed).

Have you ever gotten the error message:

"Cannot delete "file name here" - Access is denied. Please make sure the disk is not write protected, or that the file is not in use"

That is because the file is in use, and windows has "locked" the file. The same thing applies to malware.

Here's why we did this:
1. Safe mode loads up with the bare minimum files needed to make it to the desktop.

2. Chances are that the Administrator account doesn't have the entries needed for the spyware to start up.
(Some spyware still starts up regardless of whether you're in safe mode or not... think of this as added insurance that it's NOT running.)

Think of it like this: each user profile is like a different set of instructions, and the instructions are specific to each person.


Now that that explanation is out of the way, let's go on with the scan.

Click the "Scanner" icon
Then below that, you should see "Complete System Scan"
[image: http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/system_scan.jpg]

Allow the scan to finish, and if anything comes up in the window, there should be a link at the bottom that says: "Apply default actions"

One important note:
It would be a wise idea to install/update and then scan with several different scanners, because one scanner will pick up several things that another scanner failed to pick up. There is no one "cure all" scanner out there.



from myspace. xD
Watch out for: HaloOfTheSun
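The reasoning in the tutorial above (per-user Run keys, an Administrator profile that is rarely logged on, files that cannot be deleted while they run) can be checked from the normal session before rebooting into Safe Mode. The following PowerShell is an added example written for this page, not code from the post or from any of the scanners it links. It walks every local profile listed under the ProfileList key, temporarily loads the NTUSER.DAT hive of profiles that are not logged on (typically the built-in Administrator) with reg.exe, lists each profile's Run/RunOnce values, and tries to open every referenced executable with exclusive access to show which ones are currently locked. Assumptions: an elevated prompt, PowerShell 3 or later on Vista or later; the temporary hive name OfflineProfile and the function names are mine.

```powershell
# Added example (not from the original post). Per-user autostart entries for every
# profile on the box, plus whether the target file is locked right now.
# Run from an elevated PowerShell 3+ prompt.

$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\tools\bar.exe -x
# (an unquoted path containing spaces is ambiguous for Windows too; it is returned as-is)
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

# $true  = no other handle is open on the file, so it can be renamed or deleted
# $false = another process holds it (a running image or an open handle): the "Access is denied" case
# $null  = the file is gone (an orphaned autostart entry)
function Test-FileUnlocked([string]$Path) {
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return $null }
    try {
        $fs = [System.IO.File]::Open($full, 'Open', 'Read', 'None')   # FileShare.None = exclusive
        $fs.Dispose()
        return $true
    } catch {
        return $false   # sharing violation or access denied
    }
}

# One object per value under the Run/RunOnce keys of the given hive root
function Get-RunEntries([string]$HiveRoot, [string]$Owner) {
    foreach ($sub in $RunSubKeys) {
        $key = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            [pscustomobject]@{
                User     = $Owner
                Key      = $sub.Split('\')[-1]
                Name     = $p.Name
                Command  = [string]$p.Value
                Unlocked = Test-FileUnlocked (Get-ExePath ([string]$p.Value))
            }
        }
    }
}

function Get-AllUserRunEntries {
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' }      # real user accounts only
    foreach ($prof in $profiles) {
        $sid  = $prof.PSChildName
        $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -LiteralPath $prof.PSPath).ProfileImagePath)
        $name = $sid
        try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $hive = Join-Path $path 'NTUSER.DAT'
        if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") {
            Get-RunEntries "HKEY_USERS\$sid" $name                      # logged on: hive already loaded
        } elseif (Test-Path -LiteralPath $hive) {
            # Not logged on (e.g. the built-in Administrator): mount its hive under a temporary name
            & reg.exe load 'HKU\OfflineProfile' $hive | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
            try     { Get-RunEntries 'HKEY_USERS\OfflineProfile' "$name (not logged on)" }
            finally { [GC]::Collect(); [GC]::WaitForPendingFinalizers(); & reg.exe unload 'HKU\OfflineProfile' | Out-Null }
        }
    }
    # Machine-wide entries start for every account, so they run in the Administrator session too
    Get-RunEntries 'HKEY_LOCAL_MACHINE' 'ALL USERS'
}

Get-AllUserRunEntries | Sort-Object User, Key, Name | Format-Table -AutoSize
```

A row that shows Unlocked = False under the everyday account and has no counterpart in the Administrator row is exactly the situation the tutorial relies on: logging in as Administrator in Safe Mode keeps that entry from starting, so the scanner can delete the file. Rows under ALL USERS (HKLM) start regardless of which account logs in, and the Run keys are only one of several autostart locations (services, Winlogon, scheduled tasks and the Startup folders are others), so a clean table here is not proof the machine is clean.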

Irock

I don't know...maybe Make use of your virus protection program?

bulls84

Yeah okay thanks, yeah my virus protector thing deletes all this stuff but pop-ups randomly appear(one just popped up)

Blizzard

Antiviruses don't protect against spyware. The anti-spyware program I use is called "Spybot - Search and Destroy"
Get King of Booze for Android, for iOS, for OUYA or for Windows!
Visit our website.
You can also love/hate us on Facebook or the game itself.



Get DropBox, the best free file syncing service there is!

Mushroom Panda

Spybot S&D is a really wonderful program when it comes to this. It doesn't search every file on your computer... It searches every threat that it knows.

SexualBubblegumX

I use Spyware Doctor.

Actually if people pester me enough I could upload the install file.

Irock

Quote from: Blizzard on March 14, 2007, 11:45:48 AM
Antiviruses don't protect against spyware. The anti-spyware program I use is called "Spybot - Search and Destroy"
That reminds me...I removed that by accident when I got McAfee. Dammit.

EDIT: That was surprisingly a fast download.

Tsunokiette

I have a solution.

STOP LOOKING AT PORN
"The wonderful thing about Tiggers
Is Tiggers are wonderful things
Their tops are made out of rubber
Their bottoms are made out of springs

They're bouncy, trouncy, flouncy, pouncy
Fun, fun, fun, fun, fun!
But the most wonderful thing about Tiggers
Is I'm the only one, I'm the only one."

Ericmor

You don't NEED to look at porn to get infected. Black hats now booby-trap everything on the internet, INCLUDING sites about RPG Maker and especially application downloads. They also, in my case, exploit a flaw in Win 2000 that allows the PC to be targeted if you use ANY P2P program, and out of nowhere a 'virus.exe' shows up in your Windows NT/system32 directory.
I lost months of precious time and two versions of my game to those pests.
The solution is this: you HAVE to get absolute control of EVERYTHING that goes on on your PC. I mean all processes that are running NOW, connection monitoring, etc. I have a few pieces of software for that, and they're quite light:
http://www.ewido.net/en/
Ewido is the best anti-malware, and NO, you don't leave it in auto startup, because sometimes worms do infect all auto-startup applications, including antivirus! Ewido is a run-and-shut-down application for removing malware. It seems that it turned into the new AVG or something.
http://www.bitdefender.com/
This antivirus is the best. At http://www.virustotal.com, it's the one that gets ALL threats, so I started using it. It is a firewall, behavioral spyware watcher and shield. But sometimes applications start to go slow or buggy because of it, but you can block all internet traffic and disallow its watchers from working.

http://www.techadvice.com/win2000/m/msconfig_w2k.htm
Now that's an interesting piece of free software: the old Windows versions had it, but Microsoft removed it because people could easily turn off AOL crap with it. It's a startup manager, and a good one. One way to know if you're infected is to verify its startup menu: if something different shows up, no doubt, it's a virus/spyware.

There are a couple more tools that WILL help you:
http://www.microsoft.com/technet/sysinternals/default.mspx
A piece of software called PROCESS EXPLORER, v9.25. All it does is show EVERYTHING that's running on your PC RIGHT NOW, and it has the ability to shut down any process you want. If you ever try to do that in the standard Windows process viewer, it will sometimes tell you that it "can't, because it is a crucial system app". Of course, black hats WILL make spyware and viruses impossible to disable, so you HAVE to have Process Explorer to shut them down.

Most viruses I caught with those last two free tools, normally new spyware that's NOT recognized by any protection software, then restarted Windows in SAFE MODE and removed them manually (otherwise Windows won't let you).
Don't EVER DELETE THEM! Create a folder in C:\, like C:\VIRUSCAUGHT, and then send the viruses to http://www.virustotal.com. They have an anti-virus lab battery that WILL detect the new threat, and eventually your anti-virus, which had best be in VirusTotal's lab list, will have the virus signature in its update. Usually this takes about a couple of days.
When do you start to look at things on your computer with them? After you install them the first time, and every time something weird starts to happen, so make a lot of backups, especially the crucial system ones, like a REGISTRY backup and the "Documents and Settings" folder.
I defeated a couple of threats myself with this procedure.. hope that helps.
I need some real WORKING AVI script in RMXP!
3D ANIMATIONS:
http://www.youtube.com/profile?user=Ericmor
3D and 2D anime ART:
http://ericmor.deviantart.com/gallery/
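The procedure in the post above (compare the startup list against what you saw when the machine was clean, back up the registry, never delete the sample, keep it in C:\VIRUSCAUGHT and submit it to VirusTotal), as an added PowerShell example written for this page and not code from the post or from any of the tools it links. It snapshots the same startup entries msconfig's Startup tab shows (Win32_StartupCommand), diffs a later run against that baseline, exports the Run keys with reg.exe before anything is removed, and quarantines a suspect file by moving it, recording its SHA-256 (the value to search for or submit at virustotal.com) and stripping the Execute right from the copy so it cannot be launched by accident. Assumptions: an elevated PowerShell 3 or later prompt (Get-CimInstance, Get-FileHash), C:\VIRUSCAUGHT as the quarantine folder from the post, and function names of my choosing.

```powershell
# Added example (not from the original post). Startup baseline + diff, Run-key
# backup, and move-don't-delete quarantine with a SHA-256 manifest.
# Run from an elevated PowerShell 3+ prompt.

$Quarantine = 'C:\VIRUSCAUGHT'    # folder name taken from the post

# Win32_StartupCommand lists the HKLM/HKCU Run keys and the Startup folders for
# all users, which is the list msconfig shows. Id is a stable key for diffing.
function Get-StartupSnapshot {
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object @{ n = 'Id'; e = { "$($_.User)|$($_.Location)|$($_.Name)|$($_.Command)" } },
                      User, Location, Name, Command
}

# Take this once on a known-clean machine and keep the file somewhere safe.
function Save-StartupBaseline([string]$File) {
    Get-StartupSnapshot | Export-Clixml -Path $File
}

# Returns only the entries that exist now but were not in the baseline:
# the "something different shows up" check from the post.
function Compare-StartupBaseline([string]$File) {
    $base = @(Import-Clixml -Path $File)
    $now  = @(Get-StartupSnapshot)
    Compare-Object -ReferenceObject $base -DifferenceObject $now -Property Id -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object User, Location, Name, Command
}

# reg.exe export writes a .reg file; "reg import <file>" restores it if a removal goes wrong.
function Backup-RunKeys([string]$Folder) {
    New-Item -ItemType Directory -Force -Path $Folder | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($hive in 'HKLM', 'HKCU') {
        $out = Join-Path $Folder "$hive-Run-$stamp.reg"
        & reg.exe export "$hive\Software\Microsoft\Windows\CurrentVersion\Run" $out /y | Out-Null
    }
}

# Move (never delete) a suspect file into quarantine, hash it, and make the copy non-executable.
function Move-ToQuarantine([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }
    New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $dest = Join-Path $Quarantine "$hash.bin"        # hash as name, non-executable extension
    # Move-Item throws a sharing violation if the file is still in use: end the
    # process first (Process Explorer) or repeat this from Safe Mode.
    Move-Item -LiteralPath $Path -Destination $dest -Force
    # Replace the inherited ACL with one rule: Administrators may read, write and
    # delete; nobody has Execute, so a double-click or a Run entry cannot start it.
    $acl = Get-Acl -LiteralPath $dest
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'Read, Write, Delete', 'Allow')))
    Set-Acl -LiteralPath $dest -AclObject $acl
    # Manifest line: timestamp, hash, original path. The hash is what you look up on VirusTotal.
    "$(Get-Date -Format o)`t$hash`t$Path" | Add-Content -LiteralPath (Join-Path $Quarantine 'manifest.tsv')
    [pscustomobject]@{ Sha256 = $hash; Quarantined = $dest; Original = $Path }
}

# Typical sequence (paths are illustrative):
#   Save-StartupBaseline 'C:\VIRUSCAUGHT\startup-baseline.xml'      # once, while clean
#   Compare-StartupBaseline 'C:\VIRUSCAUGHT\startup-baseline.xml'   # later: what appeared?
#   Backup-RunKeys $Quarantine
#   Move-ToQuarantine 'C:\WINNT\system32\virus.exe'
```

Searching VirusTotal for the SHA-256 first tells you whether the file is already known before you upload anything; uploading it gets it in front of the engines the post describes. On Windows 2000/XP without PowerShell 3, Get-WmiObject -Class Win32_StartupCommand returns the same startup list, and the hash can be computed with any SHA-256 tool instead of Get-FileHash.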