Cornell University IT Security Office

Spybot - Search & Destroy Scanner

Spybot - Search & Destroy is one of the utilities supported by Cornell Information Technologies for the detection and removal of spyware from Windows computers.

Contents

• Install Spybot-S&D
• First Run Processing
• Normal Processing
• Advanced Features
  
  
• Use Ad-Aware as well as Spybot-S&D
• What if I'm still having trouble?

Warning: Removing spyware, like any change to the operating system software, may cause your computer to malfunction, and you might need to reinstall Windows. To be on the safe side, you should have a current backup of all critical files.

Who can use Spybot - Search & Destroy?

• The software is free for use by both faculty/staff and students.
• On an office or lab computer where someone else, such as a network administrator, usually handles software installations and upgrades, always consult that person before installing any type of software.

Installing Spybot - Search & Destroy

1. Download Spybot - Search & Destroy from http://SpyBot.safer-networking.org/en/mirrors/.
2. You may elect to run it now or to save the installer to your desktop (or another location) and then run it from there.
3. Launch the installer and you will be presented with a typical set of installation screens.
   
   Step-by-Step Instructions
   1. On the Select Setup Language dialog box, English is pre-selected; click OK.
   2. On the Welcome screen click Next.
   3. On the License Agreement screen click on I accept the agreement then click Next.
   4. On the Select Destination Location screen click Next.
   5. On the Select Components screen you may optionally want to un-check the Additional languages and Skins to change appearance options then click Next.
   6. On the Select Start Menu Folder screen click Next.
   7. On the Select Additional Tasks screen you should un-check all the options then click Next.
      We will cover the Permanent protection choices in the advanced section of this document.
   8. On the Ready to Install screen click Install.
   9. You will see a series of screens as the installer installs and configures Spybot-S&D on your system.
   10. On the Completing the Spybot - Search & Destroy Setup Wizard screen you may be prompted to restart your system if the installer was not able to complete the installation.  If so select Yes to re-start your system, or continue with step 4 below.
        
4. The last screen will default to launching SpybotSD.exe when you click Finish.
5. Click Finish to exit the installer and launch Spybot - Search & Destroy.

First Run Processing

1. The first time Spybot - Search&Destroy is deployed, it will automatically launch a Wizard which will prompt you to "Create registry backup" and allow you to "Search for Updates."
   
   Step-by-Step Instructions
   1. On the Legal stuff dialog box click Don't show this message again, then click OK.
   2. On the Spybot-S&D Wizard screen click Create registry backup to make a backup of your system registry in case of problems while running the scanner. Then click Next.
   3. On the Spybot-S&D Wizard screen click Search for updates.
   4. On the Spybot-S&D Wizard screen if any updates are found, the second button will be un-grayed and you should click Download all available updates then click Next.
   5. You will see a series of screens showing the update progress.
       

Normal Processing

Spybot - Search&Destroy displays the following screen when it opens:

1. If this is not your first time, you should click on the Search for Updates button first.  A list of available updates will appear in the white area at the bottom of the screen. You will need to select the updates you wish to download. To select ALL available updates, right-click on the Update header entry and click Select All.  When you have made your selections, click on the Download updates button.
   
    
2. To prevent potential problems under Windows XP, some sites suggest turning off creating restore points when fixing problems when using Spybot-S&D Version 1.3.  To do this follow the following steps:
   1. Click the Mode menu item and select Advanced Mode.
   2. At the warning that asks "Do you really want to switch to Advanced Mode?" click Yes.
   3. At the bottom left of the Spybot-S&D window click on the + sign next to Settings.
   4. Click on the Settings icon either in the list at left or in the white part of the Spybot-S&D window.
   5. Scroll down to the Main Settings section.
   6. Uncheck the two Create system restore point ... (Win XP only) entries.
   7. Click the + sign next to Spybot-S&D in the upper left corner to return to the standard window view.
    
3. To start a system scan, click on the Check for problems button.
    
4. After the scan completes, you will see a screen like the following:


 

5. Clicking on the + next to each entry will expand it to show you more detail about the problem indicated. The first thing you should know is to distinguish between the red entries and the green entries.
   
   • Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is pre-selected to be fixed.
   • Green entries indicate usage tracks (cookies fall into this category). It can do no harm to remove these.
      
   Note: The "DSO Exploit" listed above may be in error.  It is a known problem with this version of  Spybot-S&D will be fixed in a future update.
   
   
6. When ready, click on Fix selected problems to have Spybot - Search&Destroy make changes to your system.
    
7. Spybot-S&D will create a System Restore point unless you disabled it in the Settings section at step 2 above.
   
    
8. A Confirmation window will note that you are about to remove these entries and ask if you want to continue. Click Yes.
   
    
9. If Spybot-S&D finds some problems that can't be fixed because associated files are in use, then a Warning window will appear. This window asks permission for Spybot-S&D to run automatically the next time you restart your computer. Click Yes.
    
10. A confirmation screen will tell you either that everything was fixed, or that some number of problems could not be fixed and you need to restart your computer. Go ahead and restart your computer if asked to do so.
    
    Spybot-S&D will restart automatically, with a "Check in progress" window that says "Spybot - Search & Destroy is checking your system. Please stand by..." When the check is completed, a regular Spybot-S&D window will appear. Continue with scanning and fixing if needed, or exit Spybot-S&D to return to your regular Windows desktop.
     
11. Return to step 3 above (click on the Check for problems button) and repeat these steps as many times as needed until all the spyware is gone.

    Remember to run Spybot-S&D at least once a week to clean up new spyware that may make its way onto your computer.

12. If Spybot-S&D is unable to remove a piece of spyware even after a restart, then you may wish to run Spybot-S&D in Safe Mode. To get into Safe Mode, hold down the F8 key while restarting the computer. For complete instructions, see Microsoft's description of Safe Mode for Windows XP or Windows 2000.

Advanced Features

To access advanced features of Spybot-S&D you need to select Mode->Advanced mode from the Menu bar (Default mode is pre-selected)

1. Automatic Updates on Startup [Settings->Setting->Automation->Web-Update]
   Search the web for new versions at each program start and optional download and install them.
    
2. Immunize on program start if program has been updated [Settings->Settings->Automation->Program Start]
   This will automatically add new Active-X controls to the immunization list for Internet Explorer.
    
3. Scheduling Automatic scans [Settings->Scheduler] (relies on Windows task scheduler)
   
   • Click on 
   • Click on
   • In the Spybot - Search & Destroy - Scheduled Task dialog box:
     • Click on the Schedule tab.
     • Click on the New button.
     • Select the Period (Daily/Weekly/Monthly) and  the Start Time for the automatic scans to be done
     • Click Apply
     • In the Set Account Information dialog box enter the ID and Password of an Administrator account then click OK.
     • Click OK to close the dialog box.
   • Optionally place a check mark next to Fix problems after scheduled scan and Close program after finishing schedule unless you wish to determine the action after the scan completes.
   • Make sure the "Legal stuff" warning is turned off, otherwise the scan will wait for your response to that warning. Under Settings->Settings->Main Settings put a check mark in the box next to "I do know about all that legal stuff."
    
4. TeaTimer [Tools->Resident]
   

   The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options how to deal with this process in the future: You can set TeaTimer to:

   - be informed when the process tries to start again
   - automatically kill the process
   - or generally allow the process to run There is also an option to delete the file associated with this process.

   In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change. As TeaTimer is always running in the background, it takes some resources of about 5 MB.
    

5. Immunize (see illustration)
   
   Spybot-S&D allows you to immunize your computer against some spyware. It currently offers two different immunities:

   Permanent Internet Explorer immunity

   Similar to JavaCools SpywareBlaster, this allows you to tweak some internal Internet Explorer settings to block the installation of known spyware (and similar threats) installers. Spybot-S&D is able to set all entries for those that are in its database to be blocked. If you want to distinguish, you should install SpywareBlaster.

   Permanently running bad download blocker for Internet Explorer

   This is a second layer of protection for IE. While the Permanent Immunity blocks installers by their ActiveX ID, this one blocks anything that should come through by different aspects.

   To enable this do the following:

   • Launch Spybot - Search & Destroy
   • On the left hand side of the window click on Immunize
   • A window pops up to warn you that "0 bad products already blocked, 2332 additional protections possible. Please immunize." Click OK.
   • In the right hand panel click on  
     
      
   • Optionally to configure the Internet Explorer Browser Helper to block bad downloads click the checkbox next to Enable permanent blocking of bad addresses in Internet Explorer.
     
     

Next Steps

For more complete spyware protection, CIT recommends that you use two or more anti-spyware utilities. In addition to Spybot-S&D, CIT currently supports Ad-Aware SE Personal Edition.

What if I'm still having trouble?

If you have run both Ad-Aware and Spybot-S&D, and now your system won't boot, won't connect to the net, or won't display web pages, then your system files may have been damaged. Refer to our Winsock Repair Techniques page.