Page II: Spyware is a growing annoyance for users and organisations. With these techniques, you can help get spyware under control.
To understand why Windows might malfunction once spyware has been removed, you need to understand a little bit about the way that Windows attaches your computer to the Internet. As you probably know, computers communicate across the Internet through the use of the TCP/IP protocol. Windows implements TCP/IP through a mechanism called Winsock.
Winsock, however, is not made up of a single file. Instead, Winsock takes a layered approach to implementing TCP/IP in a chain-like fashion. If you were to remove a file from the chain, Winsock would cease to function properly and Internet communications would be either handicapped or completely disabled.
Some spyware modules exploit Winsock. There are certain benefits to doing this. First of all, the spyware module appears to be part of the operating system and therefore is more difficult to detect than other types of spyware. Second, if the spyware module is hooked into the Winsock chain then it makes it extremely easy for the module to monitor all Internet- (and network-) based communications. Finally, if a spyware module can trick Windows into thinking that the module is a part of the operating system, then the module will not be limited to the permissions granted to the machine's current user. In most situations, the operating system and its subcomponents have full permissions over the machine.
Here's where things get tricky, though. Imagine that a spyware module has infiltrated the operating system and has hooked itself into the Winsock chain. Now imagine that you ran a spyware removal program that was able to detect and remove the module, but the Winsock chain is now broken and Internet access does not work. In a situation like this, it would seem as though you should simply be able to reinstall Windows over the existing copy, and that in doing so, you would replace any missing files, thus relinking the Winsock chain in the process. Unfortunately, this technique doesn't work, and here's why.
Microsoft designed Windows to be upgradeable and adaptable. Therefore, the components included in the Winsock chain are not hard-coded into Windows. Instead, they are referenced through the system's registry. Any time that you reinstall Windows over an existing copy, the Setup program will refresh the system files, but it will make every effort to preserve any customizations that have been made to the registry. This means that if a spyware module was designed to sit in between two normal Winsock components, then the registry may still try to call the spyware module even though the module has been removed and Windows has been reinstalled.
The only way to really fix the problem is to rebuild the Winsock chain and correct the Winsock-related entries within the registry. Keep in mind that editing the registry is dangerous because an incorrect modification can destroy Windows and/or your applications. I therefore recommend that you perform a full system backup prior to attempting the procedure that I am about to show you.
To manually rebuild Winsock, locate and delete the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
After removing these keys, you must close the registry editor and reboot the machine. When you reboot the machine, Windows will look for the registry keys that you have deleted. When it does not find them, it will recreate them from scratch, thus correcting the registry problem.
After the machine reboots, you must reinstall the TCP/IP protocol. To do so, right-click on the machine's network connection and select the Properties command from the resulting shortcut menu. This reveals the connection's Properties sheet. Now, click the Install button, select Protocol, and click Add. Next, click the Have Disk button and when prompted, enter C:\Windows\inf (where C:\Windows is the path to your Windows directory). Select the Internet Protocol (TCP/IP) option from the list of available protocols and click OK. Reboot the computer to complete the operation.
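The following PowerShell script is an added example, not part of the original article or of the Winsock Fix utility. It reads the Winsock2 protocol catalog that the registry keys above hold, flags any provider whose DLL is missing (the dangling-entry symptom described above) or lives outside the Windows directory, and wraps the article's backup-then-delete step in a function you invoke deliberately. It assumes PowerShell 2.0 or later running as an administrator; the catalog path and the PackedCatalogItem layout are standard Windows, not taken from the article.

```powershell
# Added example (not from the original article). Inspect the Winsock2
# provider catalog and, on request, back up and delete the two keys the
# article tells you to remove. Run elevated; reboot afterwards.

$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$winDir  = $env:SystemRoot

function Get-WinsockProvider {
    # Each catalog entry stores a REG_BINARY PackedCatalogItem whose first
    # bytes are the provider DLL path as a NUL-terminated ANSI string.
    Get-ChildItem -Path $catalog | ForEach-Object {
        $packed = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
        if ($packed -eq $null) { return }
        $end = [Array]::IndexOf($packed, [byte]0)
        if ($end -lt 0) { $end = $packed.Length }
        $raw      = [System.Text.Encoding]::Default.GetString($packed, 0, $end)
        $dll      = [Environment]::ExpandEnvironmentVariables($raw)
        New-Object PSObject -Property @{
            Entry     = $_.PSChildName
            Dll       = $dll
            Exists    = (Test-Path -LiteralPath $dll)          # $false = dangling entry
            InWindows = $dll.StartsWith($winDir, 'OrdinalIgnoreCase')
        }
    }
}

function Reset-WinsockKeys {
    # Export each key to a timestamped .reg file first (the article's backup
    # advice), then delete it so Windows recreates it on the next boot.
    foreach ($k in 'Winsock', 'Winsock2') {
        $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
        $backup = Join-Path $env:TEMP "$k-$stamp.reg"
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\$k" $backup | Out-Null
        Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$k" -Recurse -Force
        Write-Host "Deleted $k (backup: $backup)"
    }
    Write-Host 'Reboot, then reinstall TCP/IP as described in the article.'
}

# Report: every provider, with suspicious ones listed separately.
$providers = Get-WinsockProvider
$providers | Format-Table Entry, Dll, Exists, InWindows -AutoSize
$suspect = $providers | Where-Object { -not $_.Exists -or -not $_.InWindows }
if ($suspect) {
    Write-Host 'Providers that are missing or outside the Windows directory:'
    $suspect | Format-Table Entry, Dll -AutoSize
}
# Only after reviewing the report: Reset-WinsockKeys
```

A provider whose DLL no longer exists is exactly the broken-chain condition the article describes; one that points outside the Windows directory deserves a closer look before you rebuild.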
Although this procedure will fix the Winsock problem, there is an easier way to get the job done. Someone has created a free utility called Winsock Fix that automates the procedure. Keep in mind, though, that the utility still works by modifying the registry, so it's a good idea to back up your system prior to running it. You can download Winsock Fix from DSLReports.
Software restriction policies

One way that you can fight spyware is to use a little-known Windows XP security feature called a software restriction policy. Software restriction policies were originally designed to help administrators to keep unauthorized software, such as games, off of network workstations. In some cases though, a software restriction policy can be very effective in the fight against spyware.
Hi Brien,
Loved your article but....
Windows XP Pro SP2 does not have linkages via Control Panel/Performance And Maintenance to carry out the processes to remove Gator as outlined in your article.
Would love an update for SP2!
Graham