Spyware: backdoors, Trojans, keyloggers. How to remove viruses and spyware from your computer

Almost every user today knows what viruses are and what they can do to a computer. Among the most widespread threats, a special place belongs to spyware: programs that monitor the user's actions and steal confidential information. Below we explain what such applications are, how to detect spyware on a computer, and how to get rid of it without harming the system.

What is spyware?

Let's start with the fact that spy applications, usually called spyware, are not viruses in the usual sense: they do not replicate or corrupt files and rarely cripple the system. Once installed they usually stay resident in memory and consume some system resources, but as a rule this is not enough to noticeably affect the performance of the OS.

Their main purpose is to monitor the user's work and, where possible, steal confidential data, hijack e-mail to send spam, analyze web requests and redirect them to sites hosting malware, analyze the contents of the hard drive, and so on. It goes without saying that every user should have at least a basic anti-virus package installed. In practice, though, neither free antiviruses nor, still less, the built-in Windows firewall give complete confidence: the firewall controls network connections, not what a program does locally, and some spyware is simply not recognized. This raises the obvious question of what protection against spyware should actually look like. Let's go through the main aspects and concepts.

Types of spyware

Before proceeding to a practical solution, you should understand clearly which applications belong to the spyware class. Today there are several main types:

  • key loggers;
  • hard drive scanners;
  • screen spies;
  • mail spies;
  • proxy spies.

Each such program affects the system differently, so next we look at exactly how spyware gets onto a computer and what it can do to an infected system.

Spyware penetration methods into computer systems

Today, thanks to the enormous growth of Internet technologies, the World Wide Web is the main open and weakly protected channel through which threats of this type reach local computer systems and networks.

In some cases, paradoxical as it sounds, spyware is installed by the user himself, and in most such cases without even knowing it. The mechanism is simple. You download a seemingly interesting program from the Internet and start the installer. The first steps look as usual, but then a window appears offering to install some additional software product or browser add-on, usually described in small print. A user in a hurry to finish the installation and start using the new application often does not read this, agrees to everything, and ends up with an embedded "agent" collecting information.

Sometimes spyware is installed in the background and then masquerades as an important system process. There are plenty of ways in: installing unverified software, downloading content from the Internet, opening dubious e-mail attachments, and even simply visiting an unsafe site. As is already clear, such an installation is practically impossible to notice without dedicated protection.

Consequences of exposure

As for the harm done by spyware, as already mentioned, it usually leaves the system itself intact; what is at risk is user information and personal data.

The most dangerous applications of this type are keyloggers: programs that record keystrokes, which gives an attacker logins and passwords, bank details, card PIN codes, and anything else the user would not want to share. As a rule, once the data has been captured it is sent to a remote server or by e-mail, naturally in the background. It is therefore recommended to keep such important information encrypted with a dedicated encryption utility, and preferably not on the hard drive (a hard drive scanner finds such files easily) but on removable media. Note that storing the decryption key on the same medium as the encrypted data defeats the purpose; keep the two apart.

Many experts also consider an on-screen keyboard the safest way to enter passwords, although they acknowledge that it is inconvenient.

Screen tracking is dangerous only at the moment confidential data or credentials are being entered: the spy simply takes screenshots at intervals and sends them to the attacker. Against a screen spy an on-screen keyboard, unlike in the keylogger case, gives no protection at all, and if both kinds of spy are running at once, there is nowhere to hide.

Mail spies work through your contact list. Their main goal is to alter the content of outgoing messages in order to send spam.

Proxy spies are harmful in the sense that they turn the local computer into a kind of proxy server. Why? Simply to hide behind the user's IP address when committing illegal actions, of which the user naturally has no idea. Say someone breaks into a bank's security system and steals money. An investigation finds that the attack came from a machine with such-and-such an IP at such-and-such an address, and the authorities come knocking at the door of an unsuspecting person. There is nothing good about this.

First symptoms of infection

Now let's move on to practice. How do you check your computer for spyware if, for some reason, you begin to doubt the integrity of your security? To do this, you need to know how such applications manifest themselves in the early stages.

If, for no apparent reason, performance drops, or the system periodically freezes or refuses to work at all, first look at the processor and RAM load and review all active processes.

In most cases the user will see in the same Task Manager unfamiliar services that were not previously in the process tree. This is only the first warning sign. Spyware authors are far from stupid, so they write programs that disguise themselves as system processes, and identifying them by hand without special knowledge is practically impossible. Then problems begin with connecting to the Internet, the browser's start page changes, and so on.
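As an added illustration (not part of the original article), the following Python script applies the checks an analyst makes when reading Task Manager to a process listing: a process with a well-known system name must run from the directory where Windows keeps the real binary and have the expected parent, a name that merely looks like a system name (svch0st.exe, lsas.exe) is flagged, and anything running from a user-writable directory is flagged. The listing below is constructed, not taken from a real machine; on a real host you would feed it the output of Process Explorer or Get-CimInstance Win32_Process. The expected directories and parents assume a default Windows install on drive C: and are hypothetical for any other layout.

```python
import difflib

# Where the genuine copies of common Windows system processes live and which
# process is expected to be their parent (None = parent varies or has exited).
# Assumption: a default Windows install on drive C:.
SYSTEM_BINARIES = {
    "svchost.exe":  ("c:\\windows\\system32", "services.exe"),
    "lsass.exe":    ("c:\\windows\\system32", "wininit.exe"),
    "csrss.exe":    ("c:\\windows\\system32", None),
    "winlogon.exe": ("c:\\windows\\system32", None),
    "explorer.exe": ("c:\\windows", None),
}

# Directories ordinary users can write to; a "system" process running from one
# of these is the classic sign of a disguised spy.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp", "\\temp\\", "\\downloads\\")


def _dirname(path: str) -> str:
    """Lower-cased directory part of a Windows path (string-only, so it runs on any OS)."""
    return path.lower().rsplit("\\", 1)[0]


def audit_process(proc: dict) -> list:
    """Return the reasons this process looks suspicious (empty list = nothing odd).

    proc looks like {"pid": 804, "name": "svchost.exe",
                     "path": "C:\\Windows\\System32\\svchost.exe", "parent": "services.exe"}.
    """
    name = proc["name"].lower()
    path = proc["path"]
    parent = (proc.get("parent") or "").lower()
    reasons = []

    if name in SYSTEM_BINARIES:
        expected_dir, expected_parent = SYSTEM_BINARIES[name]
        if _dirname(path) != expected_dir:
            reasons.append(f"{name} running from {_dirname(path)} instead of {expected_dir}")
        if expected_parent and parent != expected_parent:
            reasons.append(f"{name} started by {parent or 'unknown'} instead of {expected_parent}")
    else:
        # Look-alike names: one changed or dropped character still scores >= 0.85.
        for real in SYSTEM_BINARIES:
            if difflib.SequenceMatcher(None, name, real).ratio() >= 0.85:
                reasons.append(f"{name} imitates system process {real}")
                break

    if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"{name} runs from a user-writable directory: {path}")
    return reasons


def audit_processes(procs: list) -> dict:
    """Map pid -> reasons for every process that triggered at least one rule."""
    result = {}
    for proc in procs:
        reasons = audit_process(proc)
        if reasons:
            result[proc["pid"]] = reasons
    return result


# Constructed sample listing (not captured from a real machine).
SAMPLE_PROCESSES = [
    {"pid": 804,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 1320, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "parent": "userinit.exe"},
    {"pid": 4412, "name": "svchost.exe",  "path": r"C:\Users\Ann\AppData\Local\Temp\svchost.exe", "parent": "explorer.exe"},
    {"pid": 5100, "name": "svch0st.exe",  "path": r"C:\Program Files\Common\svch0st.exe", "parent": "explorer.exe"},
    {"pid": 5268, "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in audit_processes(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
```

This catches crude masquerading only: spyware that injects into a genuine process or hollows it out keeps a legitimate name, path and parent, which is why the article goes on to recommend a dedicated scanner and, better, a scan from a rescue disc.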

How to check your computer for spyware

As for scanning, a standard antivirus will not help much here, especially if it has already missed the threat. At a minimum you will need a portable scanner such as Kaspersky Virus Removal Tool, or better still a rescue disc that checks the system before it boots, so that a resident threat cannot hide from the scan.

How do you find spyware on your computer? In most cases it is recommended to use dedicated programs of the anti-spyware class (SpywareBlaster, AVZ, XoftSpySE Anti-Spyware, Microsoft Antispyware, etc.). In these the scanning process, as well as the subsequent removal, is fully automated. There are, however, some points worth paying attention to.

How to remove spyware from your computer: standard methods and third-party software used

Spyware can even be removed from the computer manually, but only if the program does not disguise itself.

To do this, go to Programs and Features, find the application in the list and start the uninstallation. The Windows uninstaller, to put it mildly, is not very thorough, since it leaves a lot of garbage behind, so it is better to use a specialized utility such as iObit Uninstaller, which, in addition to the standard uninstall, performs a deep scan for residual files and even registry keys and entries.

Now a few words about the much-discussed Spyhunter utility. Many people call it almost a panacea. We beg to differ. It does scan the system, but it sometimes produces false positives. That is not the main problem: the problem is that uninstalling it turns out to be quite difficult, and for the average user the number of steps required is dizzying.

So what should you use? Protection against such threats and searching for spyware can be done, for example, with the ESET NOD32 or Smart Security package with the Anti-Theft function enabled. In the end, everyone chooses what is better and easier for them.

Legalized spying in Windows 10

But that is not all. Everything above concerned how spyware gets into the system, how it behaves, and so on. But what do you do when the spying is legal?

Windows 10 does not perform well in this respect. It has a whole set of services that you will want to disable: exchanging data with remote Microsoft servers, using your identity to serve advertisements, sending data to the company, determining location through telemetry, receiving updates from multiple sources, and so on.

Is there 100% protection?

If you look closely at how spyware gets onto a computer and what it does afterwards, only one thing can be said about 100% protection: it does not exist. Even with the entire arsenal of security tools you can be perhaps 80 percent sure of your safety, no more. The user, for his part, must not provoke trouble by visiting dubious sites, installing unsafe software, ignoring antivirus warnings, opening e-mail attachments from unknown sources, and so on.

http://www.computermaster.ru/articles/secur2.html

What you need to know about computer viruses

(c) Alexander Frolov, Grigory Frolov, 2002

[email protected]; http://www.frolov.pp.ru, http://www.datarecovery.ru

The history of computer viruses began as soon as personal computers became accessible to specialists and the general public. Personal computers, and programs distributed on floppy disks, turned out to be exactly the "breeding ground" in which computer viruses arise and live untroubled. The myths and legends about the ability of viruses to penetrate anywhere and everywhere surround these malicious creations in a fog of the incomprehensible and unknown.

Unfortunately, even experienced system administrators (not to mention ordinary users) do not always understand exactly what computer viruses are, how they get into computers and networks, and what harm they can do. Yet without understanding how viruses function and spread, it is impossible to organize effective anti-virus protection: even the best antivirus program is powerless if used incorrectly.

A short course in the history of computer viruses

What is a computer virus?

The most general definition of a computer virus is program code that propagates itself in the information environment of computers. It can embed itself in executable and command files, and spread through the boot sectors of floppy disks and hard drives, office application documents, e-mail, Web sites, and other electronic channels.

Having penetrated a computer system, a virus may be limited to harmless visual or sound effects, but may cause data loss or corruption, as well as leakage of personal and confidential information. In the worst case scenario, a computer system infected with a virus may be under the complete control of an attacker.

Today, people trust computers to solve many critical problems. Therefore, the failure of computer systems can have very, very serious consequences, including human casualties (imagine a virus in the computer systems of airfield services). Developers of computer information systems and system administrators should not forget about this.

Today, tens of thousands of different viruses are known. Despite this abundance, there is a fairly limited number of types of viruses that differ from each other in their mechanism of spread and principle of action. There are also combined viruses that can be classified as several different types at the same time. We will talk about the different types of viruses, following as much as possible the chronological order of their appearance.

File viruses

Historically, file viruses appeared before other types and were initially distributed in the MS-DOS environment. By injecting themselves into the body of COM and EXE program files, viruses modify them so that on launch control passes not to the infected program but to the virus. The virus can write its code at the end, beginning or middle of the file (Fig. 1). It can also split its code into blocks placed in different parts of the infected program.

Fig. 1. Virus in the file MOUSE.COM

Once in control, the virus can infect other programs, install itself in the computer's RAM, and perform other malicious functions. It then transfers control to the infected program, which runs as usual, so the user who launched it does not even suspect that it is "sick".

Note that file viruses can infect not only COM and EXE programs but other types of program files as well: MS-DOS overlays (OVL, OVI, OVR and others), SYS drivers, dynamic link libraries (DLLs), and in general any file containing program code. File viruses have been written not only for MS-DOS but also for other operating systems such as Microsoft Windows, Linux and IBM OS/2. However, the vast majority of viruses of this type live in the MS-DOS and Microsoft Windows environment.

In the days of MS-DOS, file viruses thrived on the free exchange of programs, both games and business software. Program files were then relatively small and were distributed on floppy disks. An infected program could also be downloaded by chance from a BBS or the Internet, and file viruses spread along with these programs.

Modern programs take up considerable space and are usually distributed on CDs; sharing programs on floppy disks is a thing of the past. By installing a program from a licensed CD, you usually run no risk of infecting your computer. Pirated CDs are another matter: here we cannot vouch for anything (although we also know of cases of viruses spreading on licensed CDs).

As a result, file viruses have today ceded first place in popularity to other types of viruses, which we discuss below.

Boot viruses

Boot viruses gain control during the initialization of the computer, even before the operating system starts loading. To understand how they work, you need to remember the sequence of initializing the computer and loading the operating system.

Immediately after the computer is powered on, the POST (Power On Self Test) procedure stored in the BIOS starts. It determines the computer's configuration and checks that its main subsystems work. The BIOS then checks whether a floppy disk is inserted in drive A: (in the traditional boot order, which the BIOS setup allows you to change). If it is, the operating system is loaded from the floppy; otherwise it is loaded from the hard drive.

When booting from a floppy disk, the BIOS reads its Boot Record (BR) into RAM. This record always occupies the very first sector of the floppy and is a small program; besides the program, the BR contains a data structure describing the floppy's format and some other characteristics. The BIOS then transfers control to the BR, which proceeds to load the operating system.

When booting from a hard drive, the BIOS reads the Master Boot Record (MBR) into RAM. This record, stored in the very first sector of the hard drive, contains a boot program and the partition table describing all partitions on the drive.

After the MBR has been read, control passes to the boot program it contains. The program examines the partition table, selects the active partition, and reads that partition's boot record (BR). This record is similar to the BR of a system floppy and performs the same function.

Now let’s talk about how a boot virus “works”.

When a floppy or hard disk is infected, the boot virus replaces the BR or the MBR (Fig. 2). The original BR or MBR is usually not lost (although not always): the virus copies it to one of the free sectors of the disk.

Fig. 2. Virus in the boot record

Thus the virus gains control as soon as the POST procedure completes, and then, as a rule, acts according to a standard algorithm. It copies itself to the top of conventional memory and reduces the amount of memory reported as available, so that nothing overwrites it. It then hooks several BIOS services (above all the INT 13h disk services) so that calls to them pass through the virus. At the end of the infection routine the virus loads the real boot sector into RAM and transfers control to it. The computer then boots as usual, but the virus is already in memory and can control the work of all programs and drivers.
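The layout described above (boot program, partition table, signature) is what an integrity check of the MBR has to parse. The following Python code is an added example, not from the original article: it parses a 512-byte MBR, validates the 0x55AA signature, lists the partition entries, and compares a SHA-256 of the boot-code area against a known-good baseline taken right after installation. The two sectors it works on are constructed in the code; the "infected" one has its first instruction replaced by a short jump into attacker code while the partition table is left untouched, which is exactly how the boot viruses described here behaved. The baseline hash and the partition entries are assumptions for the example; on a real machine you would read the sector with, for example, dd if=/dev/sda bs=512 count=1, and you would do so after booting from clean media, because a resident stealth virus returns the original sector to any program that reads it.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: the boot program
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3BB3BII"


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> list:
    """Validate the 0x55AA signature and return the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        status, type_id, lba, count = fields[0], fields[4], fields[8], fields[9]
        if type_id == 0 and count == 0:
            continue                                  # unused slot
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot program only: the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Compare a freshly read MBR against the known-good hash; return findings."""
    parts = parse_mbr(sector)
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba, count) tuples. Test data only."""
    table = b"".join(struct.pack(ENTRY_FMT, st, 0, 0, 0, ty, 0, 0, 0, lba, cnt)
                     for st, ty, lba, cnt in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed clean MBR: cli; xor ax,ax; mov ss,ax; mov sp,7C00h (a typical prologue), padded.
CLEAN_MBR = build_mbr(bytes.fromhex("FA33C08ED0BC007C"),
                      [(0x80, 0x07, 63, 2_097_152), (0x00, 0x83, 2_097_215, 1_000_000)])
CLEAN_HASH = boot_code_hash(CLEAN_MBR)

# Constructed infected MBR: the first instruction becomes "jmp short +0x40" into the
# virus body placed further along the sector; the partition table is untouched.
_code = bytearray(CLEAN_MBR[:BOOT_CODE_LEN])
_code[0:2] = b"\xEB\x40"
_code[0x42:0x46] = b"\xB8\x00\x00\xCD"              # stand-in bytes for the virus body
INFECTED_MBR = bytes(_code) + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    for p in parse_mbr(CLEAN_MBR):
        print(p)
    print("clean   :", check_mbr(CLEAN_MBR, CLEAN_HASH))
    print("infected:", check_mbr(INFECTED_MBR, CLEAN_HASH))
```

Because the partition table of the infected sector still parses identically, a check that only looks at partitions would pass; the hash of the code area is what catches the replacement. Remember to re-take the baseline after anything that legitimately rewrites the boot code, such as installing a boot manager or another operating system.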

Combined viruses

Combined viruses, which have the properties of both file and boot viruses, are very common.

An example is the file-boot virus OneHalf, which was widespread in the past. Having reached a computer running MS-DOS, this virus infects the master boot record. On each boot the virus encrypts a few more sectors of the hard drive, working backwards from the end of the disk. While the virus's resident module is in memory, it intercepts every access to the encrypted sectors and decrypts them on the fly, so all software works normally. If OneHalf is simply removed from RAM and the boot sector, the information written in the encrypted sectors can no longer be read correctly.

When the virus encrypts half of the hard drive, it displays the following message on the screen:

Dis is one half. Press any key to continue...

After that the virus waits for a key press and continues its work.

OneHalf uses various mechanisms to camouflage itself: it is a stealth virus and uses polymorphic algorithms when spreading. Detecting and removing OneHalf is a rather complex task that not every antivirus program can handle.
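The warning about removing OneHalf naively is easy to get wrong in practice, so here is an added toy model of the mechanism (this is illustration code, not OneHalf's real code, and the single-byte XOR is a stand-in for the virus's cipher). A disk is a list of sectors; every infected boot loads the "resident module" and encrypts two more sectors from the end of the disk; while the module is resident, reads of encrypted sectors are decrypted transparently, so the data looks fine. Cleaning that just wipes the boot sector and the resident module leaves the last sectors unreadable; a correct disinfection decrypts them first. The sector contents and key are constructed for the example.

```python
class OneHalfLikeDisk:
    """Toy model of a OneHalf-style infection (illustration only, not the virus's code)."""

    def __init__(self, sectors, key, per_boot=2):
        self.sectors = [bytearray(s) for s in sectors]
        self.key = key                            # single-byte XOR key, a stand-in cipher
        self.per_boot = per_boot                  # sectors encrypted per boot
        self.encrypted_from = len(self.sectors)   # index of the first encrypted sector
        self.resident = False                     # is the virus module loaded in "RAM"?

    def _xor(self, data):
        return bytearray(b ^ self.key for b in data)

    def boot(self):
        """Infected boot: load the resident module, then encrypt the next sectors from the end."""
        self.resident = True
        for _ in range(self.per_boot):
            if self.encrypted_from == 0:
                break
            self.encrypted_from -= 1
            i = self.encrypted_from
            self.sectors[i] = self._xor(self.sectors[i])

    def read(self, index):
        """What programs see: the resident hook decrypts encrypted sectors on the fly."""
        raw = self.sectors[index]
        if self.resident and index >= self.encrypted_from:
            return bytes(self._xor(raw))
        return bytes(raw)

    def encrypted_fraction(self):
        return 1 - self.encrypted_from / len(self.sectors)

    def remove_virus(self, decrypt_first):
        """Disinfect. decrypt_first=False models the naive 'rewrite the boot sector' cleanup."""
        if decrypt_first:
            for i in range(self.encrypted_from, len(self.sectors)):
                self.sectors[i] = self._xor(self.sectors[i])
            self.encrypted_from = len(self.sectors)
        self.resident = False


def disinfection_outcome(decrypt_first, boots=3):
    """Infect a constructed 8-sector disk, boot it a few times, then clean it.

    Returns (fraction of the disk encrypted before cleanup,
             True if every sector reads back intact afterwards).
    """
    originals = [f"sector {i:02d} payload".encode().ljust(32, b".") for i in range(8)]
    disk = OneHalfLikeDisk(originals, key=0x5A)
    for _ in range(boots):
        disk.boot()
    # While the module is resident the encryption is invisible to programs.
    if any(disk.read(i) != originals[i] for i in range(8)):
        raise RuntimeError("resident decryption should hide the encryption")
    fraction = disk.encrypted_fraction()
    disk.remove_virus(decrypt_first)
    intact = all(disk.read(i) == originals[i] for i in range(8))
    return fraction, intact


if __name__ == "__main__":
    print("proper disinfection   :", disinfection_outcome(True))
    print("naive boot-sector wipe:", disinfection_outcome(False))
```

The practical lesson is the one the text states: for a virus of this kind, first let a tool that understands the encryption restore the sectors (or image the disk while the virus is still resident and decrypting), and only then remove it.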

Satellite viruses

As you know, in MS-DOS and the various versions of Microsoft Windows there are three types of files the user can launch: BAT command (batch) files, and COM and EXE executables. Several executable files with the same name but different extensions can reside in the same directory at the same time.

When a user runs a program by entering its name at the operating system prompt, he usually does not specify the file extension. Which file is executed if the directory contains several programs with the same name but different extensions?

It turns out that in this case the COM file runs. If only EXE and BAT files exist in the current directory or in the directories listed in the PATH environment variable, the EXE file is executed.

When a satellite (companion) virus infects an EXE or BAT file, it creates another file in the same directory with the same name but a COM extension and writes itself into that COM file. Thus, when the program is launched, the satellite virus receives control first and can then launch the original program under its own control.
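To make the resolution order concrete, here is an added Python model (not code from the original article) of how COMMAND.COM picks the file to run: the current directory is searched first, then each PATH entry, and within every directory COM is tried before EXE before BAT. It also shows the two things a defender cares about: how planting a COM companion next to an EXE hijacks the command, and a sweep that lists COM files sharing a base name with an EXE or BAT in the same directory. The directory listing and PATH are constructed. The same directory-major, extension-ordered search is what cmd.exe does today with the PATHEXT variable, whose default also begins with .COM;.EXE;.BAT, so the sweep generalizes to modern Windows.

```python
# COMMAND.COM's extension order; cmd.exe uses PATHEXT, which starts the same way.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name, cwd, path_dirs, listing):
    """Return the file DOS would run for `name`, or None if nothing matches.

    `listing` maps a directory to the set of upper-case file names it contains.
    Search is directory-major (cwd, then each PATH entry) and within a directory
    COM beats EXE beats BAT, unless the user typed an explicit extension.
    """
    name = name.upper()
    base, dot, ext = name.rpartition(".")
    if dot and "." + ext in DOS_EXT_ORDER:
        candidates = [name]                           # explicit extension: exact match only
    else:
        candidates = [name + e for e in DOS_EXT_ORDER]
    for directory in [cwd, *path_dirs]:
        files = listing.get(directory, set())
        for cand in candidates:
            if cand in files:
                return directory + "\\" + cand
    return None


def plant_companion(listing, directory, target):
    """What a satellite virus does: create TARGET.COM beside TARGET.EXE or TARGET.BAT."""
    base = target.upper().rsplit(".", 1)[0]
    listing.setdefault(directory, set()).add(base + ".COM")


def find_companions(listing):
    """Detection sweep: COM files that share a base name with an EXE/BAT in the same directory."""
    hits = []
    for directory, files in listing.items():
        by_base = {}
        for f in files:
            base, _, ext = f.upper().rpartition(".")
            by_base.setdefault(base, set()).add("." + ext)
        for base, exts in by_base.items():
            if ".COM" in exts and exts & {".EXE", ".BAT"}:
                hits.append(directory + "\\" + base + ".COM")
    return sorted(hits)


# Constructed directory tree and PATH (not a real machine).
LISTING = {
    "C:\\GAMES": {"DOOM.EXE", "SETUP.BAT", "README.TXT"},
    "C:\\DOS":   {"COMMAND.COM", "EDIT.COM", "XCOPY.EXE"},
}
PATH = ["C:\\DOS"]

if __name__ == "__main__":
    print("before:", resolve_command("doom", "C:\\GAMES", PATH, LISTING))
    infected = {d: set(f) for d, f in LISTING.items()}
    plant_companion(infected, "C:\\GAMES", "DOOM.EXE")
    print("after :", resolve_command("doom", "C:\\GAMES", PATH, infected))
    print("sweep :", find_companions(infected))
```

Note that the hijack works without touching DOOM.EXE at all, so a file-integrity check of the EXE would pass; the new COM file, or the sweep above, is the only trace.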

Viruses in batch files

There are several viruses that can infect BAT batch files, using a very ingenious method. We will look at it using the BAT.Batman virus as an example. When a batch file is infected, the following text is inserted at its beginning:

    @ECHO OFF
    REM [...]
    copy %0 b.com>nul
    b.com
    del b.com
    rem [...]

The [...] in square brackets stands for bytes that are processor instructions or virus data. The @ECHO OFF command disables echoing of the commands being executed. The line beginning with REM is a comment and is not interpreted by the command processor.

The command copy %0 b.com>nul copies the infected batch file itself (%0 is the name of the running batch file) to the file B.COM. That file is then executed and deleted from the disk with del b.com.

The most interesting thing is that B.COM, as created by the virus, is a byte-for-byte copy of the infected batch file. If the first two lines of the infected BAT file are interpreted as a program, they turn out to consist of CPU instructions that do essentially nothing. The CPU executes them and then moves on to the actual virus code placed after the REM keyword. Having gained control, the virus intercepts OS interrupts and becomes active.

While spreading, the virus monitors writes to files. If the first line written to a file contains the @echo command, the virus assumes a batch file is being written and infects it.
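The prologue above is a fixed pattern, which makes it a good first detection exercise. The following Python scanner is an added example, not from the original article: it flags a batch file that carries the exact BAT.Batman prologue, and, more generally, any batch file that copies itself (%0) to a .COM file and then executes that file, or that hides non-text bytes inside a REM line, which is where this virus keeps its machine code. The two batch files it scans are constructed here; the bytes in the REM lines are arbitrary placeholders and not the virus's real code.

```python
import re

# The BAT.Batman prologue, line by line (case-insensitive, whitespace-tolerant).
BATMAN_PROLOGUE = [
    re.compile(rb"^@echo\s+off\s*$", re.I),
    re.compile(rb"^rem\b", re.I),
    re.compile(rb"^copy\s+%0\s+b\.com\s*>\s*nul\s*$", re.I),
    re.compile(rb"^b\.com\s*$", re.I),
    re.compile(rb"^del\s+b\.com\s*$", re.I),
]

# Generic form of the trick: copy %0 to SOMETHING.COM, then run SOMETHING.COM.
SELF_COPY_TO_COM = re.compile(rb"copy\s+%0\s+(\S+\.com)\b", re.I)


def _lines(data: bytes) -> list:
    return [ln.rstrip(b"\r") for ln in data.split(b"\n")]


def _has_non_text(chunk: bytes) -> bool:
    return any((b < 0x20 and b != 0x09) or b >= 0x80 for b in chunk)


def batch_infection_indicators(data: bytes) -> list:
    """Return human-readable reasons this batch file looks like a BAT.Batman-style carrier."""
    lines = _lines(data)
    reasons = []

    if len(lines) >= len(BATMAN_PROLOGUE) and all(
        pat.match(ln) for pat, ln in zip(BATMAN_PROLOGUE, lines)
    ):
        reasons.append("exact BAT.Batman prologue (@echo off / rem / copy %0 b.com / b.com / del b.com)")

    for i, ln in enumerate(lines):
        m = SELF_COPY_TO_COM.search(ln)
        if m:
            target = m.group(1).lower()
            if any(later.strip().lower() == target for later in lines[i + 1:]):
                reasons.append(f"batch copies itself to {target.decode()} and executes it (line {i + 1})")
            break

    # Machine code or data inside a comment: control or high-bit bytes do not belong in REM.
    for i, ln in enumerate(lines[:5]):
        if ln[:3].lower() == b"rem" and _has_non_text(ln[3:]):
            reasons.append(f"REM line {i + 1} contains non-text bytes (embedded code/data)")
            break
    return reasons


# Constructed samples. The bytes after REM are placeholders, not real virus code.
INFECTED_BAT = b"\r\n".join([
    b"@ECHO OFF",
    b"REM " + bytes([0xEB, 0x10, 0x90, 0xB8, 0x21, 0x35, 0xCD, 0x21]),
    b"copy %0 b.com>nul",
    b"b.com",
    b"del b.com",
    b"rem " + bytes([0xB4, 0x4C, 0xCD, 0x21]),
    b"@echo Hello from the original batch file",
]) + b"\r\n"

CLEAN_BAT = b"\r\n".join([
    b"@ECHO OFF",
    b"REM Build script",
    b"copy src\\*.obj build\\ >nul",
    b"echo done",
]) + b"\r\n"

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_BAT), ("clean", CLEAN_BAT)):
        print(label, batch_infection_indicators(sample))
```

One caveat a real scanner must handle: the embedded machine code can itself contain the byte 0x0A, which would break the line splitting used here, so a production check should look at the first few hundred raw bytes rather than rely on line structure.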

Encrypting and polymorphic viruses

To make detection harder, some viruses encrypt their code. Each time the virus infects a new program, it encrypts its own body with a new key. As a result, two copies of such a virus can differ significantly, even in length. Encryption greatly complicates analysis: a disassembler applied to the stored file shows only the small decryption routine followed by encrypted garbage.

Naturally, the virus can work only when its code is decrypted. When an infected program runs (or the computer boots from an infected boot record) and the virus gains control, it must first decrypt its code.

To make detection even harder, such viruses vary not only the key but the decryption routine itself, so that two copies share no fixed byte sequence that a signature could match. Viruses that can change their code completely in this way are called polymorphic.

Stealth viruses

Stealth viruses try to hide their presence on a computer. They have a resident module that is permanently located in the computer's RAM. This module is installed when an infected program is launched or when booting from a disk infected with a boot virus.

The resident module intercepts calls to the disk subsystem. If the operating system or another program reads an infected program file, the virus returns the original, uninfected contents; to do this, the resident module can temporarily remove the virus from the infected file and re-infect it once the file has been closed.

Boot stealth viruses operate the same way: when any program reads the boot sector, the infected sector is replaced by the real one.

Stealth disguise works only while the resident module is in RAM. If the computer is booted from a clean, uninfected system floppy, the virus has no chance to gain control, and the stealth mechanism does not work.

Macro viruses

So far, we have talked about viruses that live in executable program files and boot sectors of disks. The widespread use of the Microsoft Office suite of office programs has caused an avalanche of new types of viruses that spread not with programs, but with document files.

At first glance, this may seem impossible - in fact, where can viruses hide in Microsoft Word text documents or in Microsoft Excel spreadsheet cells?

In fact, Microsoft Office document files can contain small programs for processing those documents, written in Visual Basic for Applications. This applies not only to Word and Excel documents but also to Access databases and PowerPoint presentations. Such programs are built from macro commands, which is why viruses living in office documents are called macro viruses.

How do macro viruses spread?

Along with document files. Users exchange files on floppy disks, through network directories on corporate file servers, by e-mail, and through other channels. To infect your computer with a macro virus, it is enough to open an infected document in the corresponding office application, and the job is done!

Macro viruses are very common today, largely because of the popularity of Microsoft Office. They can cause no less harm, and in some cases more, than "regular" viruses that infect executables and boot sectors. The greatest danger of macro viruses, in our opinion, is that they can alter infected documents while remaining undetected for a long time.
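Since the infection vector is simply opening a document, the practical control is to inspect documents before they reach the user. The following Python check is an added example, not from the original article, written against the current Office Open XML format (docx/xlsm/pptx family) rather than the binary .doc format of the article's era: an OOXML file is a ZIP package, the VBA code lives in a part named vbaProject.bin, and [Content_Types].xml declares both that part (application/vnd.ms-office.vbaProject) and a macro-enabled main document type. The test documents are constructed in the code and are not real Word files; the vbaProject.bin placeholder is only an OLE2 magic number. Whether a macro actually runs on open depends on auto-execute names (AutoOpen, Document_Open and so on) inside the compressed VBA streams, which this check does not decompress; a tool such as olevba from oletools does.

```python
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_WORD_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def ooxml_macro_indicators(data: bytes) -> list:
    """Reasons an Office Open XML package carries VBA macros (empty list = none found).

    Raises ValueError for data that is not an OOXML package at all.
    """
    if not data.startswith(b"PK"):
        raise ValueError("not a ZIP/OOXML container; legacy OLE2 .doc/.xls needs a different parser")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("corrupt ZIP container") from exc
    reasons = []
    with zf:
        for name in zf.namelist():
            if name.lower().endswith(VBA_PART_SUFFIX):
                reasons.append(f"VBA project part present: {name}")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            reasons.append("missing [Content_Types].xml (not a well-formed OOXML package)")
            return reasons
        if VBA_CONTENT_TYPE in ctypes:
            reasons.append("content type declares a VBA project")
        for ct in MACRO_ENABLED_TYPES:
            if ct in ctypes:
                reasons.append(f"main part is macro-enabled: {ct}")
    return reasons


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway-style decision. The extension is never trusted on its own: a .docx can
    still contain a VBA project, and that mismatch is itself a reason to quarantine."""
    try:
        reasons = ooxml_macro_indicators(data)
    except ValueError as exc:
        return f"manual review: {exc}"
    if not reasons:
        return "allow"
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("docx", "xlsx", "pptx"):
        return "quarantine: macro content in a file whose extension claims no macros"
    return "quarantine: " + "; ".join(reasons)


def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing (not a real Word document)."""
    main_ct = MACRO_ENABLED_TYPES[0] if with_macros else PLAIN_WORD_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f"{overrides}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE2 magic followed by padding: a stand-in, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print("report.docx (clean) :", attachment_verdict("report.docx", build_sample_doc(False)))
    print("report.docx (macros):", attachment_verdict("report.docx", build_sample_doc(True)))
    print("report.docm (macros):", attachment_verdict("report.docm", build_sample_doc(True)))
```

The check deliberately looks at both the part name and the declared content types, because an attacker controls the ZIP and may rename parts; agreement between the two is the normal case, and any disagreement is worth a closer look.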

Spy viruses!

Spyware is the scourge of this century. Millions of computers around the world are infected with spyware programs, and many of their owners do not notice.

Spyware not only harms the security of your information but can noticeably slow down your computer. When you download one of these bundled packages, the spyware installs itself regardless of your wishes; sometimes the installer even asks you to install "sponsor" software. Once installed, the spyware registers itself in the system registry and stays there until you remove it completely.

The spy consumes the computer's resources, taking processor time and memory away from you; as a result the PC slows down or even stops responding. Spyware will not disappear on its own, and the lag only grows as it continues collecting information from your computer. There are three main ways spyware can harm you:

1. Some spies monitor all your purchases. If you use your credit card, you may end up losing money: the spy learns your card number and makes it available to other people for purchases. You may not notice until you find that money is missing.

2. Hackers (the people behind the spyware) gain access to your computer and information about it. They can see in real time which keys you press, break into the computer, change browser settings and install their programs without your consent. Spies also collect e-mail addresses, passwords and even credit card numbers. This problem can be solved, but look through and carefully study the available spyware removal programs and their reviews first, because some of them do more harm than good.

3. Spyware can harvest your e-mail addresses. If that happens you face a number of problems, one of which is being flooded with advertising mail.

Even an ordinary user can do several simple things to make the computer faster and more reliable. The first and most accessible is to defragment your disks, using the Defragmentation Wizard built into Windows. You may want it done quickly, but it can take a long time, and the process should not be interrupted; with regular use, subsequent runs take less time.

The second is to install and use a good anti-spyware program; Spyware Doctor, for example, deals with them well.

Next, you can reduce the period for which browsers keep the history of visited pages, if you do not need it, from the default of one month to one or two days, or clear it immediately after leaving a site.

If you disable the Active Desktop, the load on RAM will be lower, and you will not notice any difference in appearance or in your work.

Make sure you have a good antivirus program and use it constantly. If you remove viruses and prevent them from spreading, your computer will be noticeably faster.

Once you follow these simple rules, you will be amazed at how much faster your computer is and how much disk space you free up.

In fact, dealing with viruses is not such a complicated operation that you need to pay specialists a lot of money for it. You can protect your computer from viruses or, in case of infection, return it to a "healthy" state by removing the malicious programs yourself, if you choose a good antivirus program and follow a few rules. Take at least the two most important: first, update the antivirus database regularly; second, run a full scan of your computer for viruses once a month.

So, with this in mind, I think it is clear that malware removal is carried out using antiviruses. They can be paid or free; I talked about free methods in the following article:

And now, what is a malicious program, or, in other words, a virus?

A computer virus, or more broadly malware, is a program whose main purpose is to harm the computer: damage user data, steal or delete personal information, degrade performance, and much more.

Today malware can be classified into several types by its effect on the computer.

  • Classic viruses.
  • Trojan programs.
  • Spies.
  • Rootkits.
  • Adware.

Let's take a closer look at each type of malware.

Classic viruses are malicious programs that infect a computer, for example via the Internet, and whose defining property is self-replication. Such a virus copies itself into files on the infected computer, inserting its code into programs, from system files to the user's own, so that in the end the data is damaged beyond recovery. Most often, salvation on such an infected computer is .

A Trojan horse is a serious type of malware. Trojans are written by attackers for a specific purpose, for example stealing information from computers or "harvesting" passwords.

A Trojan consists of two parts. One stays with the attacker and acts as the control console; the other is distributed to every possible corner of the Internet and elsewhere. (In the traditional terminology of remote-access Trojans the part planted on the victim is called the server and the attacker's console the client, although some descriptions use the names the other way round.) If the distributed part lands on a computer, that PC becomes infected, and the Trojan begins covertly sending information to the attacker.

The Trojan can also perform various operations on the computer at the attacker's command: steal passwords, infect documents and files with malicious code, and so on.

Spies are somewhat similar to Trojan horses, with one main difference: spyware does not damage the system or the user's files. It sits quietly on the computer and watches, stealing passwords or even recording absolutely everything you type on the keyboard.

Spyware is the most "intelligent" type of malware and can even send files from the infected computer. The spy learns a great deal about the infected PC: which operating system is installed, which antivirus you use, which browser, which programs are installed, and so on. Spyware is among the most dangerous malware.

Rootkits are not viruses in themselves; they are programs whose purpose is to hide the presence of other malware on the computer. For example, a computer is infected with spyware together with a rootkit, and the rootkit hides the spy from your antivirus and from the operating system. So the presence of a rootkit is no less dangerous, since it can work very effectively and hide a whole set of malware (spyware, Trojans) from the antivirus for a long time!

Adware is another type of malware. It is less dangerous; its purpose is to display advertisements on your computer in various ways and places. Adware does not damage, infect or corrupt files, but you still need to protect yourself from this type as well.

These are the types of malware that exist. To protect your computer from viruses we need a good antivirus; I talked about that in another article, and now let's continue describing viruses and protection schemes for your computer.

Previously, viruses had no specific purpose: they were written for fun and the author set no particular goal. Now viruses are complex programs whose aim is most often the theft of money and data, and Trojans are most often designed purely to steal passwords and other important data.

By the way, certain signs may indicate that your computer has been attacked by viruses:

  • Programs do not work correctly or stop working altogether.
  • The computer started to slow down and work slowly.
  • Some files become corrupted and refuse to open.

Very often such signs indicate a virus infection, but fortunately not always.

Note that one particular virus can usually infect several different types of files. Therefore, even after the computer has been cleaned following a serious virus attack, the most reliable course is to back up the data and format the partitions.

Antivirus programs will help protect you from viruses, as I said above. Today's antivirus programs have enough functionality to repel almost all the malicious programs circulating on the Internet. But for maximum virus protection an important role is played by a properly selected and configured antivirus with its full "combat" functionality enabled. I recommend that you read the article about. But if you have no time, I will name the best antivirus programs right here. Today they are:

  • Kaspersky
  • Avast
  • Dr.Web
  • NOD32

I think there are plenty to choose from.

Good luck with your virus protection.