The Continuing War on Spyware

by Inglix the Mad

As a full-time student and PC technician for a mid-sized PC company I read Patrick Madigan's article "Ad-Ware: The Art of Removal" in 21:4 with interest.

It was an excellent primer on spyware detection and removal tools.  The situation today, however, given the lag time since that article was written, dictates a much different approach.

Mind the fact that if you are unable to repair a system within two hours, you are probably better off backing up your data and then reloading.  The previous article and this one should help you arrive at a point where you can at least perform a backup of your vital data.

First let's touch upon a couple of tools Mr. Madigan did not reveal.

The first is Security Task Manager (www.neuber.com), which allows one to kill many running processes and toss them directly into quarantine.  The best part of all is that it includes a couple of niceties such as listing who made the file, and it even gives the "readable" text contained within it.

This excellent tool has one last feature, the ability to "Google" the process, which first takes you to the Neuber Software page listing anything other users of the software have posted.  If it is not listed, or you're just not sure whether or not to believe it, you can continue on to Google to check what is linked to the process.

Second is a tool called LSP-Fix (www.cexx.org).  This tool lists all of the Layered Service Providers (LSPs) in a system and allows you to remove them.  While one cannot say enough good things about this tool, it is, like Security Task Manager, very dangerous.  Using these tools without taking precautions can render your system unusable and possibly unrecoverable, so take advantage of the third tool.

The third tool is Google itself.  The collective power of the Internet means that people help each other on a regular basis and many spyware files are identified quickly.  Beware though, for I have seen a few sites that purport to help remove spyware while actually causing you to either download more spyware or make your tools ineffective.

There is one more tool and it is the most important: your own mind.

Over the past few months, spyware authors have become increasingly sneaky about hiding their files, giving the files and the directories they hide in misleading names.  Since they are dumping them in various places around the hard disk, here are a few common places: Windows, System (for Win9x), System32 (2000/XP), Common Files (under Program Files), My Documents, the Temp and Temporary Internet Files directories, and of course the root directory.

Now, to find many of these files you will have to enable showing hidden files, extensions for known file types, and protected operating system files.  You may find these options through "Folder Options --> View".

Now as for identifying spyware files, look for small files with recent creation dates.

Check to see who the company is that created the file, and for heaven's sake don't delete it if it says Microsoft Corporation.

Look for files with odd names that are similar, but not identical, to real system files (e.g., KERNE132.DLL instead of KERNEL32.DLL - that 1 instead of an L is pretty tricky to the average person) or ones that have total garbage names like WWLKJFO.EXE in the above directories.  Right-click on the file, choose "Properties", and see what info is available.
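A small triage script, added here and not part of the article, that applies the three checks above (lookalike names with a digit swapped in for a letter, garbage names, and small recently created files) to a constructed directory listing.  The allowlist of genuine names, the consonant-run heuristic, and the sample entries are assumptions for the example, not anything from the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist for the example; a real check uses the installed version's file list.
KNOWN_SYSTEM_FILES = {"kernel32.dll", "user32.dll", "svchost.exe", "explorer.exe"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})  # the 1-for-L trick
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")  # rare in real names

@dataclass
class FileEntry:  # what a technician reads off the Properties dialog
    name: str
    size: int              # bytes
    created: datetime
    company: str = ""      # "Company" on the Version tab, empty if absent

def lookalike_of(name):
    """Genuine name this file imitates, or None if it is genuine or unrelated."""
    lower = name.lower()
    folded = lower.translate(CONFUSABLES)
    return folded if folded != lower and folded in KNOWN_SYSTEM_FILES else None

def is_garbage_name(name):
    """Heuristic for names like WWLKJFO.EXE: a long consonant run in the stem."""
    stem = name.lower().rsplit(".", 1)[0]
    return name.lower() not in KNOWN_SYSTEM_FILES and bool(CONSONANT_RUN.search(stem))

def assess(entry, now):
    """Reasons a file deserves a closer look; an empty list means nothing odd."""
    if entry.company == "Microsoft Corporation":
        return []                           # the article's rule: leave these alone
    reasons = []
    target = lookalike_of(entry.name)
    if target:
        reasons.append(f"imitates {target}")
    if is_garbage_name(entry.name):
        reasons.append("garbage name")
    if entry.size < 200 * 1024 and now - entry.created < timedelta(days=7):
        reasons.append("small and recently created")
    return reasons

NOW = datetime(2005, 3, 1)                  # constructed "today" for the sample
SAMPLE = [                                  # constructed System32 listing
    FileEntry("KERNEL32.DLL", 983_552, datetime(2004, 8, 4), "Microsoft Corporation"),
    FileEntry("KERNE132.DLL", 38_912, datetime(2005, 2, 27)),
    FileEntry("svch0st.exe", 24_576, datetime(2005, 2, 28)),
    FileEntry("WWLKJFO.EXE", 12_288, datetime(2005, 2, 26)),
]
def sample_report():
    return {e.name: assess(e, NOW) for e in SAMPLE}
```

The flags are a starting point for the Properties and Google checks, not a verdict; a genuine file with an unlucky name will trip the consonant-run heuristic, which is why the company field is consulted first.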

Finally, a word to be wary for the future.

Rootkit attacks are coming, if not already here.

Microsoft themselves (research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775) has published an article on them.

They have released a beta removal tool, but even they admit that the only way to be positive a rootkit is gone is to format and reload your computer.  I think I may have found a couple of these myself by accident.  These files, which I had to delete in either "Safe Mode" or, more drastically, "Safe Mode Command Prompt", deny any other attempt to remove them.

I've gotten quite good at removing spyware over the last year.

It is the number one problem for all computer builders.  Being at a company that is not huge, I can only imagine the nightmare for those smaller than us, much less the end user.  I urge everyone to protect themselves by using a smaller-market-share browser, avoiding the MS email client, and getting smart about downloading "free" programs.

Donate money to the major spyware hunters - they help protect you.

Finally, never, ever, under any circumstances, click anywhere on a pop-up.
