Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… whats your problem? 🙂 All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol
Current spyware has several limitations:
- Unable to cross user profiles (possibly due to Windows Vista/7 and UAC… limiting coders options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
- Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry, other times it will load as a hook… because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy… the proxy is the spyware usually as a service or as a DLL hook
- It can’t effectively control where you go in explorer.exe (Windows shell) or it would potentially block itself…
- It usually can’t block regedit because it makes changes to the registry… or it would potentially block itself…
- To deal with antivirus and AWESOME programs like MalwareBytes… it has to remain anonymous. Thus, its very easy to spot 130e9rjfm312rja.exe in a folder or in task manager
- If you are lucky enough to be in a domain environment, it can’t stop domain admin from another PC using PSTOOLS! 🙂
I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.
Problem: You have spyware!
Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all verisons of windows, its the same process to add a new user
2. Control Panel
3. User Accounts
4. Add a new user (administrative user, not standard user)
5. Call it… swsvc or AntiSpyware or.. Joe (me) and everytime you get spyware you can login as me (Joe)
6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use your phone number spelled out, i.e. “four eight zero five five five one two three four”
When the computer comes back up, login as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit” then navigate to LOCAL MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN
This is usually how the spyware starts everytime you reboot. Check for items that have a path starting with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.
Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), adobe quick launch, java update, etc. Once that is done, browse to USERS>long string of numbers>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN. There are going to be quite a few “SIDs” which are the long string of numbers, but y0u won’t find that path if it isn’t a valid user. So take the time and explore them all. Delete anything “weird” under Run.
Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.
Once you’re done looking, whether you find anything or not, goto Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.
Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572
MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end of the install leave “Update” and “Launch” checked.
After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.
In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other user’s profiles.
Once its loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.
Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, internet might not work right away.
Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit, navigate to HKEY_CLASSES_ROOT\.exe, default should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile or scefile or whatever is there, and check the load options (SHELL>OPEN>COMMAND) and see if it provides you with a strange path. Command default should be set to “%1 %*”
Also a rarity, once in a while the spyware will infect your hosts file. This file is located at C:\windows\system32\drivers\etc\hosts. The easiest way to open this file, is to have notepad open, and drag/drop it into notepad. It should have ONE entry (two if you have IPv6):
If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.