preCharge Forums - View Single Post - Defeating Spyware
Old 08-11-2006   #1
SMF For Free
Member
 
Join Date: Jul 2006
Posts: 95
Defeating Spyware

Defeating Spyware

My Tips

First, do a scan with a spyware scanner such as Spy Sweeper from Webroot.
The trial version of Spy Sweeper will at least tell you the files and registry keys that are affected.

Check your Task Manager and look at the process list. If you see anything unusual, then I would suggest finding the path of the process, using the System Information program from the Start menu under Accessories and then under System Tools. Open up the software; then under Software Environment, in the Running Tasks group, you will see a list of the processes that are running and the path to each process.

Spyware is normally copied either to C:\, to C:\Windows, or to C:\Windows\System32.

You can normally tell if it is an odd filename with no manufacturer. If you really want to be detailed, you can open the file up with a hex editor and check if the file has been compressed. A lot of spyware will use UPX compression, and you would see the string UPX! in the file.

There are about 25 to 30 locations where spyware could be installed to run on startup.
An easy one is the Startup folder.
Win.ini is another.
The rest are mostly in the registry, which is another topic.

The best bet is to get Autoruns and RootkitRevealer from Sysinternals Freeware.

Autoruns will show everything that starts on startup and allows you to remove and edit items that run on startup; be careful using it. I highly recommend it for removing spyware.

RootkitRevealer will find programs that run at a low level and intercept the Windows API to stay hidden. It searches the disk and the registry for hidden programs and keys.

Some spyware, when you try to delete it, will say access denied; the next step would be to boot into Safe Mode, hope the software is not running in Safe Mode as well, and try to delete the file. To get into Safe Mode, restart your computer and press the F8 key after the BIOS screen appears; you will get a menu with the choices to boot normally, boot in Safe Mode, and boot in Safe Mode without networking. Either of the last two will be fine; I normally go with networking in case I need to get a file from the internet.

Another way to defeat the file-in-use error when deleting a file is to get Unlocker (Unlocker 1.8.3 by Cedrick 'Nitch' Collomb), which will attempt to unlock a file to allow you to delete it.

I would also suggest getting a firewall such as ZoneAlarm, so at least you can tell when programs are trying to access the internet.

Always run Windows Update and make sure you are patched. Microsoft normally releases patches on the first Tuesday of the month.

Hope this helps a little. There is a lot to talk about, and I've barely scratched the surface. I think I may write a big article on this one day, heh.
__________________
Free forum Hosting
http://www.smfforfree.com
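The hex-editor check for UPX in the post above, written out as a small Python script. This is an added example, not code from the original post or from Webroot or Sysinternals. It goes a step beyond searching for the UPX! string: it also parses the PE section table, since the UPX packer renames the sections it creates to UPX0/UPX1. The function names are my own, and the sample PE images it checks are constructed inline for illustration, not real binaries.

```python
import struct
import sys

# Section names the UPX packer writes into the PE section table.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE file's section table ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the PE signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name comes first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Report the two cheap UPX tells: renamed sections and the 'UPX!' magic string."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n in UPX_SECTION_NAMES]
    marker_offset = data.find(b"UPX!")
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "marker_offset": marker_offset,  # -1 when the string is absent
        "likely_upx": bool(upx_sections) or marker_offset != -1,
    }


def build_sample_pe(section_names, with_marker: bool) -> bytes:
    """Constructed minimal PE skeleton for testing; not a real or runnable executable."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader=0 (optional header omitted for brevity), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    tail = b"UPX!" + b"\0" * 12 if with_marker else b"\0" * 16
    return dos_header + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(upx_indicators(f.read()))
    else:
        # No file given: run against the constructed packed sample.
        print(upx_indicators(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], True)))
```

Run it as `python upx_check.py C:\Windows\System32\suspect.exe` on the file you found through the process list. Treat a hit as a reason to look closer rather than proof of anything: plenty of legitimate programs ship UPX-packed, and a packer's markers can be edited out of a file, so a clean result does not rule out packing either.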