Preface




Spyware, adware, tracking cookies, etc. All scary-sounding things, are they not? Well, in this world today, with the way advertisers are performing guerrilla advertising, you must constantly be on your toes, so to speak.

In the early days, around the early/mid 90's, the only form of advertising (which a lot of people actually found intrusive) was banners. These banners, to web surfers, were very annoying; they would take up half a web page and do other things to catch your attention, such as flashing. Then came popups. When these came about, they were a minor annoyance, but as with other forms of online advertising, the advertisers wished for more money, and in that pursuit of money they made their advertisements come up more frequently and used other methods just to gain your attention. The popups would be huge, they would flash, they would make sound, or they would simply pop up dozens upon dozens at a time.

At this point, users took a stand. They created popup blockers to block these intrusive forms of advertising. Then came the popunders: same concept as popups, except the user, if not paying attention, would not notice the popup until they closed their browser. Many popup blockers blocked these as well. But many did not.

Then came flash advertisements. These were harder to block, since telling a flash advertisement from a regular flash file was next to impossible. But that didn't stop the advertisers; these flash files would cover up almost everything on the website you were attempting to view; they would play annoying sounds to catch your attention; they would open a full-screen window. The list goes on and on.

Then the online world of advertising as we know it came to an astounding form of guerrilla advertising: spyware, adware, tracking cookies. These forms of advertising were very intrusive; they would download onto your computer via many methods (explained later) and would install themselves into often cryptic locations. Once installed, they would then take over your computer, slowly; most even had their own downloaders that would keep up with their latest versions. Ironically, most of these were installed without the user's notice, which in itself gives many of these programs the name of a "trojan," or basically a viral piece of software; which they were.



Note: This text will be updated on an as-needed basis. It shall NOT be considered "complete" as of yet. Use at your OWN RISK.


Spyware/Adware: Methods of infection



There are numerous ways spyware or adware may be installed onto a user's computer. I will attempt to clarify as many as I can think of at the moment. If there are any others that you believe should be included, please see the end of this document for contact information.

1) Direct installation.
Direct installation is just that: you installed it. Usually, this is done by a rare type of computer user who believes they MUST install this software to use a product/website etc., but most commonly, they are conned into believing that they are in need of it. There are a few sub-topics of this method.
    1.1) ActiveX Install (Windows/IE)
This type of install occurs when a user visits a website and is prompted by an ActiveX install dialogue:


    1.2) Piggyback
Piggybacking is a common way, usually done by shareware or other freeware-type programs. These programs, within their installation program, install various spyware/adware-type programs as part of an ad revenue program. Usually, you can see if it's going to install these types of programs by reading the EULA of the program before it installs. If a program does not contain a EULA, or does have one and still installs spyware/adware, you may wish to contact the maker of that software with your concerns.

2) Exploits
Exploits are the nastiest of the ways adware/spyware are installed and, quite frankly, in most countries, an illegal way of installing software, since it is most likely installed without the user's consent or knowledge.

What do I do if I have been attacked?



Well, you've got a few options. But the ones I recommend are: 1) Do not use any products that are in that specific advertiser's product program. 2) Contact your senator and complain about said company (the advertiser, such as Claria, Gator, etc.).

Or, you can quite simply educate yourself on not becoming infected in the first place.

I think I've been infected. What do I do?! (How do I tell?)


Ah, the tricky part.

First, you want to become quite acquainted with your Task Manager, registry and core Windows system files. But most important is definitely the Task Manager:

Your Task Manager is one of the most vital parts of finding an infection and even destroying an infection. In fact, even when not infected, it's just a good thing to know, since you can find other problems with it.

To access the Task Manager on Windows 2000, Windows XP, and probably Windows 2k3 and Windows Longhorn, simply press Ctrl+Shift+Escape. On Windows 98, just press Ctrl+Delete. Once this pops up (2k, 2k3, XP, LH), click the "Processes" tab. Under this tab you can see any files that are currently running within your system. You can also tell other neat stuff such as their current CPU use, RAM usage, VM usage, GDI objects, PID, I/O reads/writes and a plethora of other things. But we're only interested in seeing the Image Name at the moment.

Don't let all these things confuse you; some of them you'll probably NEVER find out what they do, but in this case, that might be fine. In most cases, a simple search on google.com of the image name (i.e. winlogon.exe) will tell you what that image file is. If it's spyware/adware, some sites will tell you right off the bat; even then, you don't have to search far. Usually, one of the first results will be from a site that specializes in telling you exactly what the file name you provided does. But do beware of file names that appear to be gibberish or randomly generated. If they do not come up on Google as a valid device/software program, then more than likely it's adware/spyware, but not always so.

If you do locate a file that might be potential spyware, find the file on your hard drive. Now, you may NOT be able to find this file; that is ok, since it's more than likely marked as hidden. To combat this, you do one simple thing: double click your My Computer icon. Then, double click your C Drive icon. This will bring up Windows Explorer for that drive:



Now, make sure it's expanded enough so that you can see the "Tools" menu at the top. Click it. You will then want to click Folder Options as this will bring up the following window:



Now, click the "View" tab. This will bring you to the following window:



You will want to select "Show hidden files and folders" and select ok. It is at this point you will want to attempt looking for that file once again; chances are, you'll find it.

Now, once you do find this file, there are a few things you will want to do. First and foremost is to take notice of the date on which this file was created. You will want to right click the file icon and go down to Properties. You will be faced with a similar window. Take notice of the red circled location:



From what you see there, you see two things. First is its file size. This is a key thing to remember for future reference. The next is the date it was created and the date on which it was modified.

Now, at this point, if you HAVE determined that it is indeed spyware or adware, you may want to run your favourite spyware/adware scanner. Although I do not believe in these programs nor use them myself, if it makes you feel better, you may wish to do it anyway. It may or may not find anything; it may or may not find what you believe is spyware; that's up to the software vendor. But do note: most spyware/adware removal programs are bound by the same problems of online advertising; they are subject to the same advertising programs. Some adware-removing programs, such as Microsoft's adware removal program, may, or may not, purposely fail to detect/remove certain pieces of adware/spyware. In this case, Microsoft's does not detect, nor remove, Claria's spyware/adware.

Another thing you will want to take note of, though it is not required, is the software vendor who created the file whose properties you're viewing. If, when viewing the properties of the file as described above, you see a tab called "Version" (not shown in that screenshot, but in the next one), then click it and make note of the information it gives for future reference:



Do note that not all software vendors fill out this information when creating their programs, but some do. If they do, you can use this information to contact them or to keep records. Simply go through "Company name," "Internal Name," "Language," etc. and keep records of them for reference.

Now, since we're already accustomed to the Task Manager, let's get acquainted with Windows' core files. This works the same as with the Task Manager files: if you see a file, run its file name through Google to find its use. This is a very simple but time-consuming task. But, thankfully, once you learn it, you never have to do it again unless you run across a file you do not know.

Now, for the registry. The most complex part of adware removal.

Note of warning: I am NOT responsible for ANY damages that you cause to your computer, life, car, children, unborn children or even your dog caused by you messing with the Registry.

Messing with the registry can be dangerous for your computer's well-being if you do not know what you are doing. So please, please, please always follow instructions and remember to ALWAYS do a backup of your registry. Instructions for doing so follow.



To open your registry, simply click START, then go to Run. Once the dialogue is open, type in regedit. This will open the Registry Editor:



And as stated above, before you do ANYTHING you want to back up. So, let's back up: click "Registry", then click "Export Registry". This will open a save file dialogue. Simply type in the file name you wish to save it as, in a conveniently placed location (such as a specific directory), and save it. ALWAYS do this before editing. Do note, this can take a few minutes if you have a large registry, as do most Windows computers that have had Windows installed for quite a while.

Now that we've got that out of the way, please re-read the disclaimer. In fact, don't scroll up; I'll restate it here:

Note of warning: I am NOT responsible for ANY damages that you cause to your computer, life, car, children, unborn children or even your dog caused by you messing with the Registry.

Messing with the registry can be dangerous for your computer's well-being if you do not know what you are doing. So please, please, please always follow instructions and remember to ALWAYS do a backup of your registry. Instructions for doing so are given above.



Now, we can finally get to some education.

The key places where spyware/adware like to install themselves in the registry are very, very important. Not only do adware/spyware install here, but so do other programs that run on your system. So, as with the Task Manager, always run a check on the file names you see.

The first locations you'll want to be aware of are HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE and HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX.

I'll explain how to get to those locations in a moment. First, let me tell you what they are:



"Run" is the location where software will place itself in the registry if it wishes to be run upon startup of your computer. Please note, this is completely different from the 'Startup' folder on your computer. This is a core location for many programs that require startup.

"RunOnce" is the location where a program will install itself when it wishes to be run only ONCE upon startup. Usually, programs that have just been installed and require a reboot will install themselves here so that they can resume upon reboot and not re-run on later reboots.

"RunOnceEx" Well, Microsoft said it better than me:
• Status: A dialog box is displayed while the items contained in the registry key are being processed. The entries to be processed are grouped into sections and the dialog box highlights the current section being processed. You can disable the status dialog box feature.

• Performance: The majority of the commands contained in the Run and RunOnce registry keys create separate processes, which is inefficient. The RunOnceEx registry key does not create a separate process. The RunOnceEx registry key also supports a dependency list of DLLs that remain loaded while either all the sections or some of the sections are being processed.

• Error Handling: If an exception occurs while calling a function in a DLL, the exception is caught and an error dialog box is displayed to the user. You can suppress this error dialog box by using a flag in the RunOnceEx registry key. You can also set a flag to enable log errors and run the RunOnceEx registry key.

• Deterministic: The RunOnceEx registry key sorts the entries and sections alphabetically to force a deterministic order.


Now, to get to these locations, refer back to a couple screenshots ago:



Notice how I said, "HKEY_LOCAL_MACHINE" then a bunch of stuff after it? Basically, everything after a backslash "\" means that is the location you go to within the previous location. So, click on "HKEY_LOCAL_MACHINE" in the list on regedit. You will then click on "SOFTWARE" then "MICROSOFT" and so on until you come to a view like this (shown above):



It is here that you will see most installations of spyware. If you see a listing for a previously found file here, make note of it. But do not delete the entry yet!
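The same check can be run against the .reg file you exported a moment ago instead of clicking through regedit. This is an added example, not part of the original tutorial: the sample export, its value names and paths (including "wsadvr.exe") are constructed, and it reads only plain string values under the three Run keys, skipping dword:/hex: data.

```python
import re
from pathlib import PureWindowsPath

# The three autostart keys named in the text; a section beneath RunOnceEx
# (e.g. ...\RunOnceEx\0001) is treated as part of RunOnceEx.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": "Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE": "RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX": "RunOnceEx",
}

# Constructed sample of what "Export Registry" writes; names, paths and
# "wsadvr.exe" are invented for illustration, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Gator"="\"C:\\Program Files\\Gator\\gator.exe\" /silent"
"UpdateHelper"="C:\\WINDOWS\\System32\\wsadvr.exe -start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallCleanup"="C:\\WINDOWS\\TEMP\\setup_cleanup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"Flags"=dword:00000000
"Finish"="C:\\WINDOWS\\TEMP\\finish_install.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# "name"="string value"; either side may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # In .reg strings a backslash quotes the character after it.
    return re.sub(r"\\(.)", r"\1", s)

def run_key_label(key):
    """Label for a Run key or any subkey of one, else None (case-insensitive)."""
    k = key.upper()
    for full, label in RUN_KEYS.items():
        if k == full or k.startswith(full + "\\"):
            return label
    return None

def command_image(command):
    """Executable a Run command launches: the quoted path if the command
    starts with a quote, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def parse_run_entries(reg_text):
    """Yield (label, value_name, command, image_name) for every string value
    under a Run key. dword:/hex: values are not commands and are skipped."""
    label = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            label = run_key_label(line[1:-1])
            continue
        m = VALUE_RE.match(line) if label else None
        if m:
            command = unescape(m.group(2))
            image = PureWindowsPath(command_image(command)).name
            yield label, unescape(m.group(1)), command, image

def startup_images(reg_text):
    """{label: [(value_name, image_name, full_command), ...]}: the image
    names are what the text tells you to look up one at a time."""
    out = {}
    for label, name, command, image in parse_run_entries(reg_text):
        out.setdefault(label, []).append((name, image, command))
    return out

if __name__ == "__main__":
    for label, entries in startup_images(SAMPLE_REG).items():
        for name, image, command in entries:
            print(f"{label:<9} {name:<15} {image:<20} {command}")
```

Feed it the real export with open(path, encoding="utf-16") (regedit 5.00 exports are UTF-16) and look up each image name exactly as the text describes.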

Also, you will want to look for all instances of that file within the registry. Simply click "Edit" on the menu bar and go to Find. Enter the file name and click search. Once it finds something, you may press F3 to search again from that location to find more. Make note of EACH location it's at.

Once you've done that, we'll move on to the more tedious part: Finding all instances.

For this, you are going to use Windows' built-in file search tool. Double click your My Computer icon again and your C drive icon again to bring up Windows Explorer. Now, press F3. This SHOULD bring up a search dialogue. If it does not, click the 'Search' button on the toolbar.



Now, from here we will want to enter the filename that we found earlier into the "Search for files or folders named" box. Leave "Contained Text" empty and set your "Look in:" box to "Local Drives" (if you do not see Local Drives, simply set it to C).

Now just click Search. At this point, go make a cup of coffee, tea, or some vodka. You're going to be waiting a bit as Windows searches. Once it is done, though, if it found any files, right click each and view their properties. Make note of each of their locations:



After you've got the location, make note of each one; you'll need it.

Now, go back to the search box.



But this time, click "Search Options" and select "Date".



You will be presented with a screen like that. Now, in the "Search for files or folders named" box, enter "*.*" (star dot star) and under Date, select "Files Created". You will then want to make sure "Between" is selected as well (as it is in the screenshot). Now, take the creation date of the file(s) we found earlier and enter it in the first box. In the second box, make it one day ahead of the first date. Click Search Now. Go get more coffee, tea or vodka.

When it's done, you may or may not be presented with a huge list of files. This is ok. Just go through each, verifying each file. Some may be yours; some may have been created by the supposed rodent that has infected your system. Make note of each one that you believe is part of the 'rodent'. Do remember to search Google for files you are not sure of.

Now, for the fun part: Removing.

Spyware/adware: Removing



Up to this point, all we have really done is locate a lot of files and some registry locations. But we really haven't accomplished that much. If you're new at this, it may have taken quite a while to accomplish these tasks, but trust me, when you know what you're doing, you can do all this in a matter of minutes. Now, we get into the risky part. I'd completely recommend that you do a backup of your entire system if possible. I repeat: back up your system if possible!

There is a tool that I must recommend you download as well. It is called HijackThis and many of you have probably already heard of it. Now, we shall put it to use. You may download it here:

Click here to download HijackThis

Once you download it, simply extract the zip file and run the program. We won't be doing anything with it yet. Although, if you have experience with HJT, you may skip these next few paragraphs.

Upon opening HJT for the first time, you may be presented with the following message box:



Do not be alarmed by this, but do heed its warning well.

Now, you may click past that warning and continue to the program. You will then see the following:



What we'll want to do, for now, is click the "Do a system scan only" button. After a few moments of it doing some weird stuff to your computer (I joke. It's doing nothing but scanning key locations for BHOs and other adware; more on BHOs in the education portion of this tutorial), it'll present you with a screen with a bunch of text in a list box. Something like the following:



Don't let all this scare you. Most of it is harmless, I assure you. But what you want to look for are the ones labeled under "Hosts" (which usually are redirects; more on that in the education phase as well as in the deeper-cleaning phase), BHOs (Browser Helper Objects), Toolbars (only if you have a spyware/adware problem that adds toolbars to your browser), and DPFs.

The BHOs are the most important. Usually, you do not have ANY BHOs installed, as very few programs actually need them -- but spyware/adware LOVE them. One of the most common BHOs that I've personally seen is the Adobe Acrobat BHO. This is usually shown as "AcroIEhlprobj Class". Again, you can, and should, search Google for these listings if you have no idea what they are. It is up to you, or a site that has it listed as such, to determine if it's spyware or not.

Now, click on the "Config" button at the bottom of the window. This will take you to another window. Simply click "Misc Tools", then click "Open Process Manager". This is another thing, much like Task Manager, to help you find processes that are running:



If you notice anything out of the ordinary there, repeat steps already discussed.

You may now click the "Misc Tools" button again. You will be placed at that screen once again. Click "Generate Startup List". This will make a list of things starting up with your computer that may or may not be listed in your HKEY_LOCAL_MACHINE registry hive. It will open it up in Notepad, so just save it in a place where you know it'll be.

Now on to actual cleaning/removing.

NOTE: Before you even think of deleting anything while following these instructions (even while in Safe Mode!), back it up to a safe location. Even if it is viral/spyware/adware, if it's backed up to a new location, it will NOT run/install itself as long as YOU do not re-run it. If it's safe after you delete everything and your system is stable, you may delete the backed-up files.



What we're going to need to do is boot into Safe Mode. This process is simple in itself. Simply reboot your computer. As soon as you see "Windows is starting up" and the screen is black (not showing the graphical Windows 2000/XP logo yet), hit your F8 key. If you go straight to the graphical splash screen, restart your computer and try again. Sometimes the timing is tricky, since that part of the process can go quite quickly. The easiest thing to do is to start hitting F8 as soon as your computer gets through its POST.

Once you've managed to hit that bloody F8 key in time, you will be presented with a menu of options. Simply press your down/up key until "Safe Mode" is selected. Once it is, press Enter. Do note that it may take a while for your system to boot up in Safe Mode; this is fine. And once it IS booted, you may or may not be presented with several message boxes. Ignore these and simply click OK on each of them (if they occur).

Once you're at your desktop you'll notice a few things, especially if you've never been in Safe Mode before. First: your colours will be completely weird. Your screen resolution will be horrible and everything will be as ugly as ugly can be; this is fine.

Now, double click your My Computer icon and then double click your C Drive icon, which will bring you to Windows Explorer. Once you're there, bring up the search dialogue by pressing F3 or clicking the Search button on the toolbar. At this point, you may wish to refer back to the earlier part of the text about searching for files by their dates. Why, you may ask? Well, we want to find those lovely files that we've made notes of so that we may delete them (remember to back up!) and get them off our system.

Since we're in Safe Mode, these files are not loaded into memory, so you will not see them in the Task Manager. But they are still there. Once search finds them, delete them.

Now, open regedit (refer above) and go to all the locations you made note of, or just do all the searching/going to locations again and find the items that need to be removed. Simply select the part within regedit (not the actual HIVE, which is on the left, but the part on the right that must be deleted) and press your Delete key. Did I mention you may want to back up? That includes your registry too!

After all that is done, load up HijackThis again. Go through the same procedure as before (first step) of scanning the system. Select everything that must go, from what you found earlier, by checking the box to the left of it and clicking "Fix Selected" at the bottom of HJT. You will also want to save a log somewhere you can remember (for future reference if something messes up; you can send it to a professional and they can analyze it for you). So just click "Save Log" after it's done.

Now click on "Config" and then "Misc. Tools". Check your process lists and make sure everything is all nice and pretty. Also, check your hosts file by clicking "Open Hosts file manager":



You want to make sure that nothing is being redirected. In my case, I have *.contextweb redirected to localhost to block their ads. Some spyware/adware will install redirects to their site. Example: they may do *.google.* theirsite.com, which, when you type 'www.google.com' in your browser, would send you to their site. This is called hijacking. If you notice something like that, select it and click "Delete line".
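As an added example (not from the original tutorial or from HijackThis), a small hosts-file audit that separates the author's kind of ad block (a name sent to localhost) from a hijack (a name sent to an outside address). The sample hosts file, the 203.0.113.7 address standing in for "theirsite.com", and the WATCHLIST of sites you rely on are all assumptions.

```python
import ipaddress

# Sites you rely on and would never expect to see in hosts at all. These
# two come from the text; extend the set with whatever you depend on.
WATCHLIST = {"google.com", "www.google.com", "housecall.trendmicro.com"}

# RFC 1918 ranges: a name pointed here is most likely your own LAN box.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file. 203.0.113.7 is a documentation-only
# (TEST-NET-3) address standing in for "theirsite.com".
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
127.0.0.1       ad.contextweb.com          # the author's ad block
192.168.1.20    fileserver                 # a LAN box: fine
203.0.113.7     www.google.com google.com  # hijack: two names, one line
0.0.0.0         housecall.trendmicro.com   # scanner site sinkholed
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping. A line may carry
    several hostnames; '#' starts a comment; malformed lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        for host in hosts:
            yield n, ip, host.lower()

def classify(ip, host):
    """Verdict for one mapping:
    ok                 localhost -> loopback, the line every hosts file has
    block              another name sunk to loopback/0.0.0.0 (an ad block)
    blocked-watchlist  a site you rely on has been sunk: you cannot reach it
    lan                name points at an RFC 1918 address (probably yours)
    hijack             name sent to an outside address, the "*.google.* to
                       theirsite.com" case described in the text"""
    if ip.is_loopback or ip.is_unspecified:
        if host in ("localhost", "localhost.localdomain"):
            return "ok"
        return "blocked-watchlist" if host in WATCHLIST else "block"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "hijack"

def audit(text):
    """Return [(line_no, ip_string, host, verdict)] for the whole file."""
    return [(n, str(ip), host, classify(ip, host))
            for n, ip, host in parse_hosts(text)]

def suspicious(text):
    """Hostnames whose lines you would select and 'Delete line' in HJT."""
    return sorted({host for _, _, host, v in audit(text)
                   if v in ("hijack", "blocked-watchlist")})

if __name__ == "__main__":
    for line_no, ip, host, verdict in audit(SAMPLE_HOSTS):
        print(f"line {line_no:>2}: {ip:<15} {host:<28} {verdict}")
```

On a real machine, read %SystemRoot%\system32\drivers\etc\hosts and pass its contents to audit(); an entry classified "lan" still deserves a second look if you do not recognise the name.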

After that's all done, you may close HJT. Now, we will want to fix some Internet explorer stuff since adware/spyware LOVE to mess with that, too.

Open up Internet Explorer via your regular method.



Now, Click on "Tools" and go down to "Internet Options". You will be presented with the following screen:



Since most spyware/adware/tracking cookies like to do nasty things, we're going to reset some options here. First, click the buttons highlighted in red here:



Click "Use Blank" first. Then, when you have done that, click the "Delete Cookies" button. Once you click it, you may or may not be presented with the following box:



Just click OK.

Now, click the "Security" tab at the top of the Options window. Click "Default Level" and press Apply. Click the "Privacy" tab and make sure the slider is set to Medium; if it is not, put it there. If it is set HIGHER than Medium, leave it there.

Now click the "Connections" tab. You will be presented with the following screen:



Click the "LAN Settings" button and you will go to this screen:



If "Automatically detect settings" is checked, leave it checked. If not, leave it unchecked. If "Use automatic configuration script" is checked, and you don't even know what that is, uncheck it.

Now, if "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)." is checked, well, this is tricky. If it's checked and the address is localhost, uncheck it. If it's something else, and you know for a fact you don't use a proxy server, uncheck it.

If you do not know what a proxy server is, and you know for a fact you don't use one, uncheck it. When done, click OK and click Apply on the Internet Options screen.

Click the "Programs" tab. You will be presented with the following screen:



Click on the "Reset web settings..." button and you will be presented with the following screen:



Click OK. Then click "Apply". You may now click the "Advanced" tab at the top of Internet Options. You will be presented with the following screen:



Simply click the "Restore Defaults" button and click Apply. Close IE and close everything else that is open at the moment. This is a good time to go to your Control Panel and click on Add/Remove Programs. Go through that list and see if anything is out of the ordinary (such as spyware/adware). If you are unsure of something, write it down and look it up later, but do not remove it. If something does not belong and you know for a fact it doesn't, remove it... if you can.

Now, restart your computer and boot into regular Windows (just let it boot). Check your registry, Task Manager, HJT and everything else we covered. Repeat the steps above until everything is clean. When you are content, run your favourite spyware/adware remover program if you must. I do recommend this site, though: http://housecall.trendmicro.com. Go there and do their online virus/spyware scan. They are very safe and very accurate.

After all is fixed, read the Education Section for tips on how to stay clean!

If everything is NOT fixed, try the steps again. If that doesn't work, even with your favourite scanners and the like, seek out a certified professional.




Contact:
Email: mike@nanobit.net

These works are my own and are stated as such. All writings, images, everything are my own work. If you wish to reproduce these in any way, email me for permission.
Copyright (C) 2005. Nanobit Software.