Spyware
Spyware, often lumped together with adware, is software placed on your system without your knowledge. It is designed to extract information from your system, use your computer to share copyrighted software, or simply cripple your machine so that you end up buying the vendor's own "removal" tool. You do not have to be at its mercy if you educate yourself and take a few simple steps to protect yourself.
Spyware
Spyware usually gets onto your system from the internet or via email. It embeds itself in your system and often stays quiet for days or weeks so that it ends up in your backups as well. It will often name itself after well-known programs, or write itself into Windows executables or dynamic libraries, to make it harder to spot. Finding it can therefore be hard, and a spyware component that is actively running frequently cannot be removed by an anti-virus or anti-spyware program: its files are in use, or a companion process restarts it as soon as it is stopped.
If your system seems to be infected, you can use Process/Thread Tool to search through all of your processes (a running program image, for example an .exe or .drv) and what the tool calls threads (the modules a program needs in order to run, for example .dll files), looking for anything out of place. Process/Thread Tool looks for names that spyware is known to use, but a flag does not mean the item is spyware; it only means the name may belong to spyware. Then the investigation starts: is the flagged program valid, or is it spyware?
Let's say AOL.exe is flagged. First, do you have AOL installed? If not, remove the suspect file. If you do have AOL installed, is the flagged AOL.exe in the proper directory? If you installed AOL to C:\Program Files\AOL and that is the path of the running AOL.exe, it is more than likely valid. If the running AOL.exe lives in C:\Windows\System32, it is spyware and needs to be dealt with immediately. Always compare the full path, not just the name: the name is exactly what the spyware copied.
Most spyware will put itself in one of three places: the Windows folder, the Program Files folder, or the Documents and Settings folder, and only in sub-folders that Windows creates by default when it is installed, where one extra file blends in with hundreds of legitimate ones.
It should also be noted that the overwhelming majority of spyware activates itself by writing an entry into one of four startup locations on your computer (mechanisms designed to start a program when your computer boots). A program like StopIt Jr can watch all of these locations and warn you when a program is newly set to run on boot.
Removal
Removal can be difficult, in some situations to the point of requiring a reformat and re-installation; however, if you watch for changes in how your computer runs and read the signs, it can usually be done without losing data and valuable time.
First, as mentioned earlier, for all that anti-virus and anti-spyware programs boast, when spyware is active they often cannot remove it. This is where understanding how things work is so valuable.
Let's use the example from earlier: your system appears infected and the program C:\Windows\System32\AOL.exe is flagged by Process/Thread Tool. You may head to Task Manager and end the task, but it comes right back. This is because most spyware runs two or even three programs that watch each other and restart whichever one is stopped. So you need to look over all of the running processes, checking for ones that are out of place or unrecognized. (A good practice is to run Process/Thread Tool on your system when it is first set up and save a file listing all processes and threads; that list is your baseline for comparison later.) Stopping all of the programs is hard: you can end task on them one at a time and try to catch them all, or use StopIt Jr to end task on as many programs as you like at once, faster than they can restart each other. If you succeed in stopping the AOL process, delete the file C:\Windows\System32\AOL.exe, and if you are sure about the others, delete them as well.
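The path check above and the baseline comparison, as an added example that is not part of the original article and not Process/Thread Tool's own code. It reads two constructed process lists in a Name,ProcessId,ExecutablePath layout (similar to what `wmic process get Name,ProcessId,ExecutablePath /format:csv` prints on XP, but embedded here as sample text rather than captured from a machine), diffs the current list against the baseline saved at setup, and classifies each new process by whether a known name is running from the directory you installed it in or from a Windows system directory. The install-directory table is an assumption for this machine. Python is used so the check runs anywhere over an exported list.

```python
import csv
import io
import ntpath

# Constructed sample lists (not captured from a real machine) in a
# Name,ProcessId,ExecutablePath layout similar to what
# `wmic process get Name,ProcessId,ExecutablePath /format:csv` emits on XP.
# BASELINE_CSV is the list saved right after setup; CURRENT_CSV is today's.
BASELINE_CSV = r"""Name,ProcessId,ExecutablePath
explorer.exe,1424,C:\WINDOWS\explorer.exe
svchost.exe,868,C:\WINDOWS\system32\svchost.exe
aol.exe,1900,C:\Program Files\AOL\aol.exe
"""

CURRENT_CSV = r"""Name,ProcessId,ExecutablePath
explorer.exe,1424,C:\WINDOWS\explorer.exe
svchost.exe,868,C:\WINDOWS\system32\svchost.exe
aol.exe,1900,C:\Program Files\AOL\aol.exe
aol.exe,2212,C:\WINDOWS\system32\aol.exe
helper.exe,2280,C:\Documents and Settings\User\Local Settings\Temp\helper.exe
"""

# Assumed for this machine: where each program you know about was installed.
EXPECTED_INSTALL_DIR = {
    "explorer.exe": r"C:\WINDOWS",
    "svchost.exe": r"C:\WINDOWS\system32",
    "aol.exe": r"C:\Program Files\AOL",
}

# Default Windows directories spyware likes to drop look-alike binaries into.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_process_list(text):
    """Return a set of (name, path), lower-cased so case differences cannot hide a match."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Name"].lower(), r["ExecutablePath"].lower()) for r in rows}


def new_processes(baseline_text, current_text):
    """Everything running now that was not running when the baseline was taken."""
    return sorted(parse_process_list(current_text) - parse_process_list(baseline_text))


def classify(name, path, expected=EXPECTED_INSTALL_DIR):
    """The article's check: does a known name run from where it was installed?"""
    name = name.lower()
    directory = ntpath.dirname(path).lower()
    if name not in expected:
        return "unknown"                     # not in your list of known programs
    if directory == expected[name].lower():
        return "valid"                       # right name, right directory
    if directory in SYSTEM_DIRS:
        return "masquerading"                # known name dropped into a system directory
    return "wrong-directory"                 # known name, unexpected location


def triage(baseline_text, current_text):
    """New processes with a verdict each; investigate anything that is not 'valid'."""
    return [(name, path, classify(name, path))
            for name, path in new_processes(baseline_text, current_text)]


if __name__ == "__main__":
    for name, path, verdict in triage(BASELINE_CSV, CURRENT_CSV):
        print(f"{verdict:15} {name:12} {path}")
```

With the sample data the second aol.exe (running from system32) is reported as masquerading and helper.exe in a Temp folder as unknown, which is exactly the pair you would go after first; the two baseline-listed copies of explorer.exe and svchost.exe never appear because they have not changed.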
If you cannot stop the program, you need to stop it from starting when your computer does. Check the several startup sections of the registry, your Startup folder, Documents and Settings, and finally the Windows .ini files (win.ini and system.ini), or let StopIt Jr search these areas and show you all of the entries. Write down the path in each suspect entry before you remove it, since that is the file you will delete afterwards. Remove the offending entries, reboot, and see whether the program fails to start. If it does not start, delete the files and all should be well.
You are also going to run into spyware that is not so obvious: variants that write themselves into Windows .dll (dynamic library) files that load when Windows starts. These are not easy to fix, because the .dll files are loaded and you cannot simply delete or replace them while Windows is running. In this situation you can reformat and re-install, or, on Windows XP, run Windows Repair from the XP install disk and let it restore the original .dll files. XP's System File Checker (sfc /scannow, run from a command prompt) can also replace modified protected system files without a full repair, though it too may ask for the install disk.
Protection
Protection is always the best front-line defense, but when you go looking there are so many products out there: which anti-virus do you select, should you run an anti-adware program, will you be safer if you run multiple anti-virus programs?
First, I have never been a fan of anti-virus programs. I tried one on my first computer, with only Windows 3.1 and no modem connection, and I was periodically told of a virus I had that it fixed and that I should upgrade for better protection. I believe the best protection is this:
1. A good backup utility, not just Windows System Restore (which only snapshots system files and the registry, not your data), but a program that makes easy full and protected backups of your drive and then daily incrementals. The best one I have seen is RestoreIt by Farstone (www.farstone.com).
2. Use a program like StopIt Jr to monitor the four areas where programs can be set to run when your computer boots. If you want to check some of these areas manually, click Start, then Run, enter REGEDIT and click OK. Browse and check these keys for a start; every value under them is a command that runs at logon, so look at the full path of each one you do not recognize:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
3. Make a RAM drive and point all of the internet temporary files at it. You can find free RAM drive programs that create drives of up to 128 MB, or purchase ones that will use all of the memory available (www.cenatek.com and www.farstone.com). The idea behind a RAM drive is a virtual drive carved out of system RAM. The main benefit is speed, and you will see increased performance when surfing; the benefit we are after here, though, is that everything on the drive is gone when you reboot. Imagine a search takes you to a porn page that tries to dump spyware onto your computer. Instead of disaster, you reach down and hit the reset button, and the drive's contents are wiped before the download can do any damage. This only helps while the payload is still confined to the browser cache: once it has written a file outside the RAM drive or added a startup entry, a reset does not remove it, so treat the RAM drive as a complement to startup monitoring, not a replacement for it.
4. Know your programs. As mentioned earlier, it is an excellent idea to make a list of all your active (running) programs when you set up your system. When you notice a new program that you did not install, you can take immediate action.
5. Use a good registry tool such as RegHealer (http://www.zoneutils.com/regheal/index.htm) to keep your registry clean and to maintain regular backups.
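The startup-location check in item 2, as an added example that is not the article's and not StopIt Jr's code. It parses two constructed regedit exports of the Run keys (the text that regedit's Export command writes; these are made-up samples, not captures), reports every value added or changed since the baseline export, pulls the program path out of each command line, and flags the two things you would check first by hand: a bare file name with no directory, which Windows resolves through its search path, and an image living in a temp or profile directory. The install-directory test from the earlier process example applies to every path this reports. The key names, value names and commands in the samples are assumptions.

```python
import ntpath
import re

# Constructed regedit exports (Windows Registry Editor 5.00 format) of the Run
# keys, one saved at setup and one saved now. Sample text, not real captures;
# value names and commands are made up for the example.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"AVGuard"="\"C:\\Program Files\\AVGuard\\guard.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"AVGuard"="\"C:\\Program Files\\AVGuard\\guard.exe\" /min"
"aol"="C:\\WINDOWS\\system32\\AOL.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\upd.exe -s"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data", where data may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# program image = everything up to the first executable extension
IMAGE_RE = re.compile(r'^(?P<img>.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', re.IGNORECASE)
# path fragments that mean "user-writable", where a boot-time program has no business being
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\locals~1\\")


def unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {(key, value_name): command} for every string value in an export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, unescape(m.group("name")))] = unescape(m.group("data"))
    return entries


def image_path(command):
    """Pull the program out of a Run command line, leaving its arguments behind."""
    command = command.strip()
    if command.startswith('"'):               # "C:\Program Files\x\y.exe" /args
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)               # C:\path\y.exe /args  or  bare y.exe
    return m.group("img") if m else command.split()[0]


def assess(image):
    """First-pass checks the article does by hand on each startup entry."""
    low = image.lower()
    if not ntpath.dirname(low):
        return "bare name: resolved through the search path, confirm which file really runs"
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        return "image lives in a user-writable/temp directory"
    return "ok: now confirm the path is where you installed the program"


def new_autostarts(baseline_text, current_text):
    """Values added or changed since the baseline export, with image path and verdict."""
    base, cur = parse_reg_export(baseline_text), parse_reg_export(current_text)
    report = []
    for (key, name), command in cur.items():
        if base.get((key, name)) != command:
            img = image_path(command)
            report.append((key, name, img, assess(img)))
    return report


if __name__ == "__main__":
    for key, name, img, verdict in new_autostarts(BASELINE_REG, CURRENT_REG):
        print(f"{key}\n  {name} -> {img}\n  {verdict}")
```

Real exports written by regedit on XP are UTF-16 text, so read the file with encoding='utf-16' before handing its contents to parse_reg_export. A changed command under an existing value name is reported as well as a brand-new value, because spyware sometimes replaces the command of an entry you already trust rather than adding a new one.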
There is no need for expensive anti-virus or anti-adware programs that will not get rid of the really bad programs out there; instead, invest your money where it will do the most good for you. What good is an anti-virus when you install a new program, reboot, and Windows will not start? With a program like RestoreIt you can be back up and running in minutes (even after a full hard drive failure) as if nothing had happened. You can also use this powerful tool to wipe out spyware you have just picked up. Any time I go to a site that looks questionable, I immediately reboot and restore my computer to the point it was at that morning, thus avoiding any issues.