Security

SolutionBase: Dealing with &#034spyware residue&#034

You've identified and removed spyware applications from a computer, but more work may lie ahead. Stray spyware files and registry entries are probably still hanging around, and they could create big headaches if you don't find and eliminate them.

All the hype surrounding spyware concerns recognizing it when it's installed on a computer and then removing it. But what happens after you remove those invasive programs? Spyware removal programs don't always eliminate every trace of spyware. They usually get the heart and soul of the spyware programs, but slight remnants of the offending application are often left behind. Sometimes, the fragments go unnoticed, but other times, they can cause serious problems. Let's take a look at what you can do to remove traces of spyware that remain on a computer after the removal tool has finished its job.

Looking for remnants

A good spyware removal tool, such as LavaSoft's AdAware or Spybot Search & Destroy, can take care of most spyware-related files and registry entries. However, spyware removal tools must have a thorough understanding of each application to eliminate everything associated with it. And since spyware authors continually modify their programs to avoid detection, the spyware removal companies may sometimes lag behind in their definition file updates. This is why stray files, registry entries, and other spyware residue may remain on the computer even after the application is removed.

The first thing you can do to locate spyware residue is open Add Or Remove Programs and look for applications you didn't install. If you find any, click the Change Or Remove Programs button and uninstall the program. This sounds like a basic step — and it is — but it's still an effective starting point.

The next step is to open Windows Explorer and look for any strange or unknown files and folders. Sometimes, spyware removal tools will delete the files in a folder but leave the folder on the drive. For instance, if you see a file named GMT in Common Folders, you can probably delete it because it's part of the Gator spyware application. Of course, you should be careful when deleting files and folders to make sure you don't inadvertently remove something that one of your legitimate applications needs. If you're not sure about a particular item, either leave it alone or move it to a different location for a few weeks until you're certain it can be safely deleted.

Finally, look in the Startup folder for applications that don't belong. Many spyware applications put themselves in this folder so they launch when you start the computer. This folder is located in different places depending on the version of Windows that is on the computer. In older versions, the Startup folder is located at C:\Windows\Start Menu\Programs\Startup. In Windows XP, it's located in the user profile at C:\Documents and Settings\userid\Start Menu\Programs\Startup. Be sure to check the Startup folder in the All Users profile too.

Taming registry problems

One of the most common areas for spyware remnants to hide is in the system registry. These stray values can cause the computer to run slow, generate system errors, or in extreme cases, make the system unusable. Eliminating these problems may require you to edit the registry, but be very careful. If you're unsure of whether to remove an entry, leave it alone. Don't remove anything unless you are certain you can do so without harming the system. If you mistakenly delete a registry entry for a critical system function, you can corrupt the registry and make the system unusable. Searching the registry for stray values is difficult, even for experienced technicians.

Back up the registry

Before you make any registry changes, you should back up the registry. That way, you can restore it if you accidentally remove a critical entry. Use the following steps to create a backup of the system registry:

  1. Click Start | Run, type Regedit, and press [Enter] to open the Registry Editor.
  2. Click File | Export and navigate to the location where you want to save the file.
  3. Enter a filename, such as Backup_Reg, and click Save.

The current registry will be exported to the location you specified. Note this information in case you need to use the backup file.

Finding spyware residue in the registry

Instead of manually searching through the registry for spyware-related entries, you might consider using a tool such as HijackThis. This program identifies possible spyware entries in the registry. However, it is not a spyware removal tool, and some of the entries it flags may be legitimate. You're ultimately going to make the choice of which entries are deleted. Once again, use extreme caution when doing this. HijackThis is available as a free download. Here's a brief rundown on how to use it.

After you download HijackThis, double-click the icon to launch the program. HijackThis will present the warning message shown in Figure A.

Figure A

 

When you click OK, the HijackThis main screen displays, as shown in Figure B. To begin a registry scan, click the Scan button.

Figure B

 

The registry scan takes just a few moments. As Figure C shows, the results will be displayed in the HijackThis window. Select any entries that you want to remove and click Fix Checked. Click Yes when the warning message appears. HijackThis will then remove the selected entries.

Figure C

 

Restoring Winsock and TCP/IP settings

Another troublesome problem that can occur after running a spyware removal program involves the computerï¿??s network configuration. The TCP/IP settings on the computer are controlled by the Winsock.dll file. Spyware removal tools can sometimes delete registry entries or values in Winsock that are used for network connectivity. One indication of this problem is that when you try to view a Web page and receive a Page Cannot Be Displayed error, you can still ping the Web site.

In pre-XP versions of Windows, you could reinstall the TCP/IP protocol to resolve this problem. However, in Windows XP, TCP/IP is a core component of the operating system. There are, however, tools that will help you restore the TCP/IP protocol to the state it was in when you first installed Windows XP. One of these tools is WinSock XP Fix, which you can download free from Spychecker.com. Let's look at how it works.

After downloading WinSock XP Fix, double-click the executable file. When the utility launches, you'll see the main window shown in Figure D.

Figure D

 

The first thing you should do is create a backup of the registry. You can either follow the procedure described earlier or use the ReG-Backup feature in WinSock XP Fix. The next step is to restore the corrupted registry keys. Click the Fix button and then click Yes to apply the WinSock XP Fix settings.

WinSock XP Fix will restore the file and fix the network configuration. The progress will be displayed in the main program window, as shown in Figure E.

Figure E

 

Once WinSock XP Fix has finished restoring the registry settings, click OK to reboot. The network configuration should then work normally again.

Wrap-up

Spyware applications can slow down a computer, use disk space, and when removed, may leave behind remnants that can disable certain system functions, such as the network configuration. Programs like HijackThis and WinSock XP Fix help make locating these remnants and removing them a much easier process.

Editor's Picks