Spyware From Hell, Part 3

By John Crawford

In parts 1 and 2 I discussed the programs to use to remove spyware. But the first thing you should do when attempting to remove spyware is to look at all the processes that are running. Open the task manager; if you see funky named processes in there like fgthdz or kwsbrl, it's a good bet spyware has taken over your computer. More than likely, attempting to stop those processes will fail. If you're using Windows XP, ME, or 98, you can run the msconfig utility from the command line and see what is in the startup folder. Be careful what you uncheck, such as your antivirus software. Once you deselect the bad processes, restart the computer. Hopefully, some of the bad stuff will not start, which frees up needed resources. You may even find that some applications or devices suddenly start to work.

If you're using Windows 2000, msconfig is not available, so you must use regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and all other "Run" folders). Regedit does not have an undo option, so use extreme caution. If in doubt, make a backup of the registry by exporting a copy from the regedit drop-down menu. You can also use regedt32 (instead of regedit); from the menu options, select "confirm on delete". Restart the computer after making the changes to the registry.

Once the desktop is back up, go back to msconfig (or regedit) and see what is still there that should not be there. Also look at the task manager to see what's running. For W2K, you'll also need to check the Startup menu (Program Files --> Startup). For all others with msconfig, those startup entries will appear in the Startup tab.

At this point, if more needs to be removed from the startup, repeat the above steps. If you are knowledgeable enough to use HijackThis, now is a good time. Caution, caution, caution, I can't stress this enough. Always reboot after removing anything from the startup.
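The startup audit walked through above can be done against the registry backup the article tells you to export. The following Python script is an added example, not code from the article or its author: it parses the text that regedit's Export produces, keeps only the values under the Run keys (the HKEY_LOCAL_MACHINE Run key named above and the other "Run" folders), lists every entry, and flags the two signs described above, a random-looking value name like fgthdz or kwsbrl and an executable that runs out of a Temp directory. The export embedded in the script is constructed for illustration, and the function names and the two heuristics are my own, not anything the article prescribes.

```python
"""Audit Run-key entries from a regedit export (.reg) file.

Added example, not from the article. It parses the text regedit's
"Export" produces, keeps only string values under the Run keys, and
flags entries that look like the spyware the article describes.
"""
import re

# Constructed sample export (not a real capture). Real exports from
# Windows 2000 and later are UTF-16 text; see audit_reg_file() below.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVScanner"="\"C:\\Program Files\\ExampleAV\\avscan.exe\" /tray"
"fgthdz"="C:\\WINDOWS\\Temp\\fgthdz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"DisplayName"="Not a startup entry, must be ignored"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kwsbrl"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\kwsbrl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data", with .reg escaping (backslash-backslash, backslash-quote)
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# The Run key the article names plus the other "Run" folders it mentions
RUN_KEY = re.compile(r"\\Run(Once|Services|ServicesOnce)?$", re.IGNORECASE)
VOWELS = set("aeiouy")


def unescape(s):
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(text):
    """Return (key, value_name, data) for every string value under a Run key."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if m and current_key and RUN_KEY.search(current_key):
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def extract_exe(data):
    """Pull the executable path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path, arguments follow
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.search(r"\.exe", data, re.IGNORECASE)
    return data[: m.end()] if m else (data.split() or [""])[0]


def suspicious_reasons(name, exe):
    """Heuristics (my own) for the two signs the article describes."""
    reasons = []
    # fgthdz / kwsbrl style: letters only, no vowels, not a short abbreviation
    if name.isalpha() and len(name) >= 5 and not (VOWELS & set(name.lower())):
        reasons.append("random-looking name")
    # Legitimate startup programs rarely live in a Temp directory
    if "\\temp\\" in exe.lower():
        reasons.append("runs from a temp directory")
    return reasons


def audit_run_entries(text):
    """Audit every Run entry in a .reg export; each result carries its reasons."""
    results = []
    for key, name, data in parse_run_entries(text):
        exe = extract_exe(data)
        results.append({"key": key, "name": name, "exe": exe,
                        "reasons": suspicious_reasons(name, exe)})
    return results


def audit_reg_file(path):
    """Audit a real export; regedit writes them as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return audit_run_entries(fh.read())


if __name__ == "__main__":
    for entry in audit_run_entries(SAMPLE_REG_EXPORT):
        flag = "SUSPECT" if entry["reasons"] else "ok     "
        print(f"{flag} {entry['name']:12} {entry['exe']}  {'; '.join(entry['reasons'])}")
```

The flags are hints, not verdicts: a vowel-less name such as an abbreviation will be flagged too, so treat the output the way the article treats msconfig's list, as a shortlist to check before deleting anything, with the export itself kept as the backup.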
Recently, I cleaned a laptop that had the spyware from hell. As soon as I removed the entry from the startup with msconfig or the registry, the entries would reappear. Talk about resilient! I had to use HijackThis several times to get rid of the really bad stuff.

Now, once you've cleaned the startup, it's time to scan the Add/Remove Programs list and uninstall those search programs, IE toolbars, etc. Just about all search bars are spyware, the exception being Google. I'm sure there are others, but generally, search bars are spyware. Things like Hotbar, Wild Tangent, ebates, Xupiter, and Wintools are very common and are BAD for your machine. Wintools is a ROYAL PITA to remove. If you have a program installed and you didn't put it there, it probably needs to be removed. Again, caution! We sometimes have a short memory or forget that we installed something important. The description may not ring a bell as to what the program really is, so: caution.

One trick spyware programs like to use is to build in a delay to the uninstall, like 600 seconds (5 minutes). You click to "remove" a program and nothing happens. The trick is to wait it out. You know your threshold, but if you click on a button and nothing happens, what do you do? Click it again, and again, and again? Open task manager to see if it is running? Wait it out; it will come up, and sometimes they make you go to their website to get the uninstall program. At that point it's time to call on the big guns: antivirus, Ewido Security Suite, Ad-Aware, and Spybot. If they want you to install something to enable you to UNINSTALL something else, it's probably not good.

When you're ready to run the anti-spyware tools, delete everything they find; do not leave it in quarantine or backups. After each scan (and delete), reboot. Run another scan, and keep scanning with different programs until they all come up clean. Yes, that could take days, and it will take days. But the alternative is to put in the recovery disk and reload everything.
About The Author: John Crawford works as a Computer Systems Administrator for a small defense contracting company in Maryland.