UniversalTechSupport

Spyware removal

Post by Admin on Wed Nov 13, 2013 11:53 pm


SPYWARE:

Spyware has become a real problem for web users. It is also a security threat. The purpose of spyware is financial gain, whether it's by creating popups to scare you into buying a product, advertising affiliate links, redirecting you to a paid porn site, or collecting your surfing data for market research purposes, etc.
Steps to resolve spyware issues:
1) Disable System Restore
To turn off System Restore, follow the steps below:
Start > Control Panel > System > System Restore tab > check Turn off system restore on all drives


2) Show Hidden Files
1. Select Show hidden files and folders
2. Uncheck Hide extensions for known file types
3. Uncheck Hide protected operating system files (Recommended)
4. Click Apply and OK
We will restore these settings later.

3) Remove Spyware in Safe Mode
Safe Mode is a Windows mode with the minimal number of drivers and programs loaded and running.
It is not compulsory to boot into Safe Mode to remove most spyware threats, but it is sometimes necessary because the spyware is running and the spyware processes cannot be ended.

=> To boot into Safe Mode, restart your computer and repeatedly hit the F8 key on your keyboard.
=> You should see the above. If you see a boot device priority menu instead, then you have missed the opportunity. Restart the computer again and repeat step 1. Select Safe Mode if it's not already selected and hit ENTER.

=> You will then be given the choice of what operating system you wish to start. Most people only have the one option but there is the possibility of more than one. Simply pick the one you boot up in.


=> Give it a few minutes to boot. Speed will vary depending on your system. You will see something similar to the above.


=> First, exit all non-essential running processes and programs. Begin with the programs in the System Tray.

=> Exit all the programs by right-clicking on the icons and clicking Exit. Programs here are normally not very important and can be closed without problems.

=> The next step is to end non-essential processes running in the background. This means you will close down all or most of the spyware that is running. Hold Ctrl and Alt, and press Delete once on your keyboard (Ctrl + Alt + Delete). If it doesn't take you straight to the Task Manager, select Task Manager from the choices.

Select the Processes tab. Select the suspicious processes and then click End Process for each suspicious process to close them. You can also end non-essential programs, e.g. RealPlayer, printer software, etc. Spyware processes may come back after you've ended them. If this happens, try a few times but leave it if you can't end it completely. In the example above, I have deemed the following as suspicious.
TheMatrixHasYou.exe [Obvious one]
paytime.exe
kl1.exe
0mcamcap.exe
HbtSrv.exe
paytime.exe
HbtOEAddOn.exe
HbtWeatherOnTray.exe
Leave processes like svchost.exe alone, as ending them could shut down your computer.

=> Add/Remove Programs

The easiest way to start removing spyware is by uninstalling them from the Add/Remove Programs utility located in the Control Panel.
Start > Control Panel > Add/Remove Programs
=> Look for suspicious programs. In the example above, the following could be deemed as suspicious.
Hotbar Browser, Weather and Wowpapers Tools
Hotbar Outlook Tools

After scrolling down, the programs listed below are deemed suspicious.
Search Plugin
Shopper Reports
Spy Sheriff
WinAntiVirus Pro 2008 2.0.220.0
WinFixer 2008 1.2.125.3
The 'Search Plugin' is suspicious because selecting it does not display any information about the software vendor.

You are likely to encounter different spyware programs to the ones shown in the example above.
You will need to determine for yourself whether the programs in your Add/Remove Programs list are trustworthy or dodgy. Be suspicious of the following:
Toolbars (or anything with the word 'Bar' in it)
"Bargain", "Shopping", etc. search tools
Spyware scanners from unknown makers
Software you don't remember installing
Fun software
Screensavers
Weather reporting programs
Clock sync programs
etc.
If unsure, run a search in a search engine for the program and include the word "spyware" in your search criteria.

=> Deleting spyware manually

Only do this once you've tried using Add/Remove Programs if they are there.


The window above popped up as soon as Windows loaded. That is a clear sign of something fishy going on. Not only that, my Home Page was also changed to the page shown above. It displays my actual IP address (I checked). The whole point of the page above, which resembles the Windows BSOD (Blue Screen of Death), is to try to scare me into buying some security software. The security software is probably something the author of the page above created, or is affiliated with and earns a commission for each sale. The security software would probably be more spyware, so do not buy it if you're ever presented with something similar to the above. Notice there's also a yellow Toolbar with a search bar.
The first time you open certain directories, e.g. C:\, C:\WINDOWS, C:\Program Files, etc., the files will not be visible until you tell Windows to show the contents of the directory.

The secure32.html file is shown in the image above. This file comes back every time it is deleted. It is a part of a browser hijack. The image above shows the C drive (C:\). There are many .exe files and they should not be there and should be deleted.
Native Windows files in C:\ that you can/should leave:
AUTOEXEC.BAT
boot.ini
BOOTLOG.TXT
CONFIG.SYS
IO.SYS
MSDOS.SYS
NTDETECT.COM
ntldr
pagefile.sys
If unsure about a file, search the Internet for it to confirm whether it is genuine or not. Sometimes .exe files can have the names of genuine Windows programs. Check what directory they are in. For example, explorer.exe should be in C:\WINNT\ or C:\WINDOWS. If you find it in C:\ or C:\WINDOWS\System32, etc., then it is most likely a virus.

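The two checks above (stray files in the drive root against the list of native files, and a well-known binary sitting in the wrong directory) can be applied to a directory listing mechanically. The following is an added example written for this page, not code from the post or from any tool it mentions; the listing it runs on is constructed to mirror the post's scenario, and the expected-directory table only contains the explorer.exe rule the post states.

```python
"""Triage a listing of the Windows drive root against the allow-list of native
files given in the post, and check that a well-known system binary lives in the
directory the post says it belongs in. Added example, not from the post."""
from pathlib import PureWindowsPath

# Native files the post says legitimately live in C:\ (compared case-insensitively).
ROOT_ALLOWLIST = {
    "autoexec.bat", "boot.ini", "bootlog.txt", "config.sys", "io.sys",
    "msdos.sys", "ntdetect.com", "ntldr", "pagefile.sys",
}

# Where a known binary is expected. Only explorer.exe is taken from the post
# (C:\WINDOWS or C:\WINNT); extend this table for other binaries you know.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\winnt"},
}

EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".dll"}


def triage_root_listing(paths):
    """Return (path, reason) for each file in a drive-root listing that is not on
    the allow-list. Executables are reported separately from other unknown files
    because the post singles out stray .exe files in the root for deletion."""
    findings = []
    for p in paths:
        win = PureWindowsPath(p)
        if win.name.lower() in ROOT_ALLOWLIST:
            continue
        if win.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append((str(win), "unexpected executable"))
        else:
            findings.append((str(win), "unknown file"))
    return findings


def check_system_binary_location(path):
    """True if a known system binary sits in an expected directory, False if it
    sits elsewhere (the post's example: explorer.exe in the drive root or in
    System32), None if we have no expectation for that file name."""
    win = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(win.name.lower())
    if expected is None:
        return None
    parent = str(win.parent).lower().rstrip("\\")
    return parent in expected


# Constructed sample listing mirroring the post's scenario: native files plus
# the hijack page and two stray executables named in the post.
SAMPLE_ROOT_LISTING = [
    r"C:\AUTOEXEC.BAT", r"C:\boot.ini", r"C:\ntldr", r"C:\pagefile.sys",
    r"C:\secure32.html", r"C:\paytime.exe", r"C:\kl1.exe",
]

if __name__ == "__main__":
    for path, reason in triage_root_listing(SAMPLE_ROOT_LISTING):
        print(f"{reason:22} {path}")
    for candidate in (r"C:\WINDOWS\explorer.exe",
                      r"C:\WINDOWS\System32\explorer.exe",
                      r"C:\explorer.exe"):
        print(f"{candidate}: expected location = {check_system_binary_location(candidate)}")
```

On a real machine you would feed `triage_root_listing` the names from a `dir C:\` listing taken after hidden and protected files have been made visible (step 2), since the allow-list contains several hidden system files.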
=> Remove spyware from Registry
The Registry is where Windows and many installed programs store their settings. There will be spyware in the Registry on systems that are infected.
Start > Run > type "REGEDIT" and click OK or press ENTER on your keyboard.

The Registry Editor will now look something like the above with the folders opened. The big area will list the items in the Run folder. The tree structure is on the left; you can double-click, click on the '+', press ENTER or press the Right arrow cursor key to open each directory and display its contents. I recommend using the cursor keys. Press Down to select the folder, then press Right to open it. Repeat until you've found the folder you're looking for.


=> Finding spyware in the Registry
In the image above, the list of items in the right pane are the programs that run when Windows starts. We have a rather big list and this is normally a bad thing. The smaller the list, the better, because having too many programs run on startup will slow down the Windows boot up speed, since it has more to load. A big list can also mean that there are a lot of unnecessary programs and even spyware running. The items in the example above are listed below.
0mcamcap
ATIModeChange
AtiPTA
eabconfig.cpl
HbTools
IMEKRMIG6.1
IMJPMIGB.1
MSPY2002
PHIME2002A
PHIME2002ASync
PPHIDPAD
rhnyqvph
srmclean
SSBkgdUpdate
SynTPEnh
SynTPLpr
SysTray
WeatherOnTray
WinAntiVirusPro2008
WinVNC


I have picked out what I believe are legitimate and what I believe are spyware. The red items are possible spyware threats and the blue items are what I believe to be legit. How do you tell them apart? There is no guarantee that you can spot all of them but there are a few ways to spot them, as listed below:
=> Where in the registry to look for spyware
Visit the following Registry Keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The above is a path. Each folder or Key is separated by a back slash. You would find the folders in the following order.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Once you have found the Key (Run), delete values that you believe are malicious (look up the ones you're not sure about). The values are instructions for Windows to run the programs each value points to when Windows starts up. If you look at the Data column, you will also see where the programs (including spyware) are so you can find them and delete them. Repeat the above for the following areas.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Alternatively,
Start > Run > type "MSCONFIG" > Startup tab
Check the following Registry Key areas. If you have performed the HijackThis step, then you may have already removed the bad values. With the two below, if you see a suspicious value, change it to something you want to use.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
At the following locations, delete any suspicious entries.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
You can also find spyware Keys in the following locations:
HKEY_CURRENT_USER\SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\
Spyware removal tools do not remove these. You can delete them if you want to. Only do this after you've removed the spyware using the other methods (i.e. Add/Remove Programs, Manual deletion of the files, etc). Only delete them if you are absolutely sure that the item is spyware.
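Rather than reading the Run key values one by one in the Registry Editor, you can export the key (File > Export in Regedit produces a .reg file) and triage the values offline with the cues given on this page: an executable sitting in the drive root, and value names that fall into the "be suspicious of" categories listed under Add/Remove Programs (toolbars, shopping tools, weather programs, scanners from unknown makers). The following parser and triage routine is an added example written for this page, not code from the post or from any tool it names. The sample export is constructed: its value names come from the post's Run-key listing, but the paths are invented for the example, and the "no vowels in the name" rule is this example's own assumption rather than something the post states.

```python
"""Parse a .reg export of a Run key and flag startup values using the cues the
post gives: an executable sitting in the drive root, and value names that fall
into the post's suspicious categories. Added example, not from the post."""
import re
from pathlib import PureWindowsPath

REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# A command line starts either with a quoted path or with an unquoted path
# that ends in an executable suffix.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+?\.(?:exe|com|scr|bat|dll))(?=\s|$)', re.IGNORECASE)

# Words drawn from the post's "be suspicious of" list (toolbars, shopping tools,
# weather programs, scanners from unknown makers); extend to taste.
SUSPECT_NAME_TERMS = ("bar", "shopping", "bargain", "weather", "antivirus", "fixer", "sheriff")


def unescape_reg_string(s):
    """Undo .reg escaping: a backslash before a quote or backslash is dropped."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every REG_SZ value in a .reg export.
    dword:/hex: values are skipped since they cannot be command lines."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) < 2 or not (raw.startswith('"') and raw.endswith('"')):
            continue
        entries.append((key, unescape_reg_string(name), unescape_reg_string(raw[1:-1])))
    return entries


def command_executable(data):
    """Extract the executable path from a Run value's command line."""
    m = EXE_RE.match(data.strip())
    return (m.group(1) or m.group(2)) if m else data.strip()


def triage_run_entries(entries):
    """Return (key, name, executable, reasons) for entries that look suspicious."""
    findings = []
    for key, name, data in entries:
        exe = PureWindowsPath(command_executable(data))
        reasons = []
        # The post: stray executables in the drive root should not be there.
        if re.fullmatch(r"[a-z]:\\", str(exe.parent).lower()):
            reasons.append("executable sits in the drive root")
        lname = name.lower()
        if any(term in lname for term in SUSPECT_NAME_TERMS):
            reasons.append("name matches a category the post calls suspicious")
        # Assumption of this example, not from the post: a value name with no
        # vowels at all is usually a generated name rather than a product name.
        if len(lname) >= 6 and lname.isalpha() and not any(c in "aeiou" for c in lname):
            reasons.append("random-looking name")
        if reasons:
            findings.append((key, name, str(exe), reasons))
    return findings


# Constructed sample export: value names from the post's Run-key listing,
# paths invented for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"0mcamcap"="C:\\0mcamcap.exe"
"rhnyqvph"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\rhnyqvph.exe\""
"WeatherOnTray"="\"C:\\Program Files\\Hotbar\\bin\\HbtWeatherOnTray.exe\""
"WinAntiVirusPro2008"="\"C:\\Program Files\\WinAntiVirus Pro 2008\\WinAV.exe\" /min"
"LastCheck"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, exe, reasons in triage_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{name:22} {exe}\n    {'; '.join(reasons)}")
```

Run it against exports of each of the Run, RunOnce and RunOnceEx keys listed above (both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE). The Data column the post tells you to inspect is exactly what `command_executable` pulls the path out of, so each flagged entry also tells you where on disk the file to remove lives; as the post says, look up anything you are not sure about before deleting it.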
