Preventing Spyware

You wouldn’t be reading this if you weren’t curious about spyware… I’ve shown you how to get rid of it (easily), so let’s look at how to prevent it.

I’m not going to repeat myself so I won’t go into detail, but spyware has several limitations. If you don’t want to get too advanced, here are a few easy ways to prevent spyware:

1. Use Internet Explorer 8 (stop whining, it does work very well)

2. Use Google Chrome (preferred method)

3. Use Mozilla Firefox (whatever the latest version is)

4. Don’t click on pop-ups… if you have a pop-up blocker, turn it on!

5. If it tells you that you have a virus, the thing telling you is probably the virus… stop clicking on things!

6. Download and install MalwareBytes… then do a full scan occasionally

Now for more advanced ways!

1. Set security on C:\windows\system32\drivers\etc\hosts to Everyone read-only

2. Use regedt32 to set permissions on HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to Everyone Read-Only. *** SOME SOFTWARE INSTALLS WILL NOT LIKE THIS: meaning future installations of software may fail because they cannot write to this key ***

3. Research CLEANMGR and use its “autopilot” function to clean temp files every time you reboot.

4. If you are in a domain environment, lock down Internet Options (specifically the proxy part), and if you ARE in a domain environment, get a web filter… Barracuda even has its own spyware removal tool. There are some free ones out there, like Untangle, that work pretty well.

5. Change your DNS to OpenDNS servers (http://opendns.org/) by setting it manually on your NIC or wherever you get DHCP from (at home this would be your “Linksys” router)

6. Set these registry keys to Everyone read-only as well: HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile
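Here is the “advanced” list above as a script, an added example that is not from the original post. It puts the hosts file, both Run keys and the HKCR\.exe / HKCR\exefile keys into “Everyone read-only” from an elevated PowerShell prompt, and the -Revert switch takes it off again before you install something that needs to write a Run entry. One interpretation is mine, not the post’s: an Allow/Read entry for Everyone takes nothing away from accounts that already have write access, so the script enforces read-only with explicit Deny entries on the write-type rights. Deny wins over Allow, so this blocks administrators and installers too, which is exactly the caveat the post gives for the Run keys.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# "Everyone read-only" is enforced with Deny entries on write-type rights
# (my reading of the post); -Revert removes those Deny entries again.

$Everyone  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$HostsFile = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'

# The keys the post lists: both Run keys plus the .exe association keys.
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_CLASSES_ROOT\.exe',
    'Registry::HKEY_CLASSES_ROOT\exefile'
)

function Set-HostsFileReadOnly {
    param([switch]$Revert)
    $acl  = Get-Acl -Path $HostsFile
    # Deny only the write-type rights; the inherited read/execute rights stay as they are.
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Everyone, 'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete', 'Deny'
    if ($Revert) { [void]$acl.RemoveAccessRule($deny) } else { $acl.AddAccessRule($deny) }
    Set-Acl -Path $HostsFile -AclObject $acl
}

function Set-RegistryKeyReadOnly {
    param([Parameter(Mandatory)][string]$Path, [switch]$Revert)
    $acl  = Get-Acl -Path $Path
    # ContainerInherit so subkeys such as exefile\shell\open\command are covered as well.
    $deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Everyone, 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Deny'
    if ($Revert) { [void]$acl.RemoveAccessRule($deny) } else { $acl.AddAccessRule($deny) }
    Set-Acl -Path $Path -AclObject $acl
}

function Invoke-SpywareHardening {
    param([switch]$Revert)
    Set-HostsFileReadOnly -Revert:$Revert
    foreach ($key in $RegistryKeys) {
        Set-RegistryKeyReadOnly -Path $key -Revert:$Revert
        "{0}: {1}" -f $key, $(if ($Revert) { 'deny entry removed' } else { 'deny entry added' })
    }
}

# Invoke-SpywareHardening           # apply the post's advanced steps 1, 2 and 6
# Invoke-SpywareHardening -Revert   # lift them before an installer needs to write a Run entry
```

Expect the same side effect the post warns about: while the Deny entries are in place, any installer that tries to register itself under Run (or to re-register the .exe file type) will fail, so run with -Revert first and re-apply afterwards.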

Dealing With Spyware

Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… what’s your problem? 🙂 All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol

Current spyware has several limitations:

  • Unable to cross user profiles (possibly due to Windows Vista/7 and UAC… limiting coders’ options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
  • Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry; other times it will load as a hook… because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy… the proxy is usually the spyware itself, running as a service or as a DLL hook
  • It can’t effectively control where you go in explorer.exe (Windows shell) or it would potentially block itself…
  • It usually can’t block regedit because it makes changes to the registry… or it would potentially block itself…
  • To deal with antivirus and AWESOME programs like MalwareBytes… it has to remain anonymous. Thus, it’s very easy to spot 130e9rjfm312rja.exe in a folder or in Task Manager
  • If you are lucky enough to be in a domain environment, it can’t stop domain admin from another PC using PSTOOLS! 🙂

I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.

Problem: You have spyware!

Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all versions of Windows, it’s the same process to add a new user:

1. Start

2. Control Panel

3. User Accounts

4. Add a new user (administrative user, not standard user)

5. Call it… swsvc or AntiSpyware or… Joe (me), and every time you get spyware you can log in as me (Joe)

6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use your phone number spelled out, e.g. “four eight zero five five five one two three four”

7. Reboot

When the computer comes back up, login as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit” then navigate to LOCAL MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN

This is usually how the spyware starts every time you reboot. Check for items whose path starts with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.

Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), Adobe quick launch, Java update, etc. Once that is done, browse to USERS>long string of numbers>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN. There are going to be quite a few “SIDs” (the long strings of numbers), but you won’t find that path under a SID that isn’t a valid user. So take the time and explore them all. Delete anything “weird” under Run.

Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.

Once you’re done looking, whether you find anything or not, go to Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.
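The regedit walk above, plus the temp-folder look and the LAN Settings check, as one read-only PowerShell report; this is an added example, not part of the original post. It lists every Run value under HKLM and under each loaded user hive in HKEY_USERS (your own HKCU is one of them), flags the ones that launch from a profile’s AppData\Local, Documents and Settings or Temp path, lists random-looking folder names under the profile temp folders (my heuristic: 8 or more letters and digits mixed), and prints the registry values behind the LAN Settings check boxes. It deletes nothing; that part stays manual as described. Run it from an elevated prompt so other users’ hives and profiles are readable; PowerShell 3 or later is assumed.

```powershell
# Added example, not from the original post. Read-only report of the places
# this section tells you to check. Run elevated; PowerShell 3+ assumed.

$RunSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# The locations the post says to be suspicious of (case-insensitive regexes).
$SuspiciousPathPatterns = @(
    '\\Users\\[^\\]+\\AppData\\Local\\',
    '\\Documents and Settings\\[^\\]+\\',
    '\\Temp\\'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($pattern in $SuspiciousPathPatterns) {
        if ($Command -match $pattern) { return $true }
    }
    return $false
}

function Get-RunKeyPaths {
    # HKLM plus every SID hive that currently has a Run key (only your own when not elevated).
    $paths = @("HKLM:\$RunSubKey")
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $candidate = "Registry::$($hive.Name)\$RunSubKey"
        if (Test-Path -Path $candidate) { $paths += $candidate }
    }
    return $paths
}

function Get-RunEntries {
    foreach ($path in Get-RunKeyPaths) {
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            [PSCustomObject]@{
                Key        = $key.Name
                Name       = $name
                Command    = $command
                Suspicious = Test-SuspiciousCommand -Command $command
            }
        }
    }
}

function Get-RandomNamedFolders {
    # Heuristic (mine): names of 8+ characters mixing letters and digits, under each
    # Vista/7 profile's AppData\Local\Temp and AppData\Local\Microsoft.
    # XP users would point $roots at \Documents and Settings\<user>\Local Settings instead.
    $roots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.FullName)\AppData\Local\Temp"; "$($_.FullName)\AppData\Local\Microsoft" }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(?=.*[a-z])(?=.*\d)[a-z\d]{8,}$' } |
            Select-Object -ExpandProperty FullName
    }
}

function Get-ProxySettings {
    # The values behind Internet Options > Connections > LAN Settings.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [PSCustomObject]@{
        ProxyEnable   = $p.ProxyEnable      # 1 means "Use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL    # "Use automatic configuration script"
    }
}

$entries = @(Get-RunEntries)
$entries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
"Run entries: $($entries.Count), flagged: $(@($entries | Where-Object { $_.Suspicious }).Count)"
"`nRandom-looking profile folders:"
Get-RandomNamedFolders
"`nProxy settings (expect ProxyEnable 0 and empty ProxyServer/AutoConfigURL once LAN Settings are cleared):"
Get-ProxySettings | Format-List
```

A flagged Run entry is only a lead: the post itself says most of what lives under Run is harmless tray icons and updaters, so read the command column before deleting anything.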

Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572

MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end of the install leave “Update” and “Launch” checked.

After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.

In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other users’ profiles.

Once it’s loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.

Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, the internet might not work right away.

Side notes:

Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit, navigate to HKEY_CLASSES_ROOT\.exe, default should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile or scefile or whatever is there, and check the load options (SHELL>OPEN>COMMAND) and see if it provides you with a strange path. Command default should be set to “%1 %*”

Also a rarity, once in a while the spyware will infect your hosts file. This file is located at C:\windows\system32\drivers\etc\hosts. The easiest way to open this file is to have notepad open, and drag/drop it into notepad. It should have ONE entry (two if you have IPv6):

127.0.0.1       localhost
::1             localhost
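Both side notes as a read-only check, an added example that is not from the original post. It reports which ProgID HKCR\.exe points at, the open command under that ProgID, and every hosts-file line that is not one of the two localhost entries shown above (comments and blank lines are ignored, so the Vista/7 default file with its commented-out entries comes up clean). It changes nothing; the fix stays manual as described.

```powershell
# Added example, not from the original post. Read-only check of the .exe
# file association and the hosts file; nothing is modified.

$HostsFile = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'

function Get-ExeAssociation {
    # Default value of HKCR\.exe, normally "exefile".
    $progId  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }
    [PSCustomObject]@{
        ProgId      = $progId
        OpenCommand = $command
        # The post's test is a "strange path" in the command. The %1 / %* placeholders
        # contain no backslash, so a backslash means a path was inserted in front of them.
        LooksHijacked = ($progId -ne 'exefile') -or ($command -match '\\')
    }
}

function Get-HostsAnomalies {
    $expected = @('127.0.0.1 localhost', '::1 localhost')
    foreach ($raw in Get-Content -Path $HostsFile) {
        $line = ($raw -replace '#.*$', '').Trim()       # drop comments and blank lines
        if ($line -eq '') { continue }
        $normalized = ($line -split '\s+') -join ' '   # collapse whitespace to "address name"
        if ($expected -notcontains $normalized) { $line }
    }
}

Get-ExeAssociation | Format-List
$anomalies = @(Get-HostsAnomalies)
if ($anomalies.Count -eq 0) {
    'hosts file: only the localhost entries (or comments), nothing to fix'
} else {
    "hosts file: $($anomalies.Count) extra line(s):"
    $anomalies
}
```

Lines the hosts check prints are the ones to look at in notepad: entries that point antivirus or update domains at 127.0.0.1 or at some other address are the usual pattern.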

If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.

20-20 Worksheet: The file format was not recognized

A while back I was troubleshooting an error for a user running 20-20 Worksheet on a Windows XP machine. The user was one of many running the program, but had a specific issue opening sif files that no one else had.

If she attempted to open a sif file, she would get “The file format was not recognized”. Other users would attempt to open the same file and they would not have errors.

Like most technicians… I don’t have the patience to call other companies for technical support. So I sent 2020 customer support an e-mail and while I waited I decided to do it on my own.

I quickly downloaded Process Monitor and excluded all the crap. I opened the sif file and magic! It couldn’t find a few registry entries (HKCU\Software\Classes\CLSID and HKCR\CLSID). I went to a machine that was working and exported the missing keys and it fixed the problem.

Problem: Opening a .sif file within 20-20 Worksheet produced a “The file format was not recognized” error message.
Resolution: Import missing registry keys
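The “export the missing keys from a working machine” step, as an added example that is not from the original post: instead of reading the CLSID names off the Process Monitor output by eye, step 1 saves the list of CLSID subkeys on the working machine, step 2 prints the ones the broken machine lacks, and step 3 exports one of them with reg.exe for import on the broken machine. The share path and the CLSID in the comments are placeholders.

```powershell
# Added example, not from the original post. Compares the CLSID subkeys of a
# working machine against the broken one. Paths and the CLSID are placeholders.

$ClsidKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

function Get-LocalClsidList {
    # Full registry paths of every CLSID subkey under both locations the post names.
    foreach ($key in $ClsidKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
            ForEach-Object { "$key\$($_.PSChildName)" }
    }
}

function Export-ClsidList {
    param([Parameter(Mandatory)][string]$OutFile)
    Get-LocalClsidList | Sort-Object -Unique | Set-Content -Path $OutFile
}

function Compare-ClsidList {
    param([Parameter(Mandatory)][string]$ReferenceFile)
    $reference = @(Get-Content -Path $ReferenceFile)
    $here      = @(Get-LocalClsidList)
    # '<=' marks keys present on the working (reference) machine but absent here.
    Compare-Object -ReferenceObject $reference -DifferenceObject $here |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# 1. On the working machine:  Export-ClsidList -OutFile '\\fileserver\share\clsid-good.txt'
# 2. On the broken machine:   Compare-ClsidList -ReferenceFile '\\fileserver\share\clsid-good.txt'
# 3. On the working machine, export a missing key (placeholder CLSID) and import the
#    .reg file on the broken machine:
#    reg.exe export "HKCR\CLSID\{00000000-0000-0000-0000-000000000000}" clsid-fix.reg
```

The difference list is usually longer than the one key you need, since the working machine may simply have more software installed; the CLSIDs Process Monitor shows as NAME NOT FOUND are the ones to export.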

…the best part is the e-mail correspondence between myself and “technical support”

“Great,

What registry key did you import into her machine that fixed it?? And where in the registry did you find this key?

Thanks

Sincerely, 20-20 Technical Support Team”