2.5 Spyware and Your Registry

Ho

Windows’ Registry is a collection of information that Windows uses to configure and run your computer. Most of us don’t even know it’s there, let alone how to use it because the registry is a repository of cryptic keys and values and we have no idea what they do, let alone if they belong there.

Windows has its own information in the registry, and almost every program that you install puts its own information there, too.  Unfortunately, it’s very easy for spyware to do the same and compromise your computer.

DLLs, such as about:blank and se:dll, set references to themselves in the registry.  Each of these is a program that hijacks your web browser, pops up unwanted advertising on your screen, slows your system, and transmits your personal information.  Both of these are very difficult to remove from your computer. 

The about:blank and se:dll reference tells Windows where to find the spyware and how to load it into memory.  Other registry entries tell Windows what programs to start when you start your computer.  Spyware often sets references to itself so that it can start invading your privacy as soon as you’ve turned on your machine. 

Editing the registry directly to remove these rogue entries is no small undertaking.  Changing or deleting the wrong values can have serious consequences, so manually editing the registry should never be taken lightly.  Spyware removal tools generally include a registry scan as part of their analysis.  These programs can find and delete traces of spyware in the registry so you shouldn’t have to do the searching and editing yourself. 

Once you have removed all spyware from your computer, it is useful to make a registry backup.  If your system becomes infected with spyware again, having a copy of the registry as it was before the infection occurred can be useful in eliminating entries made by offending programs. 

If you wish to have a little “extra insurance” by making a registry backup, one way to do this is to take the following steps: 

1.   Click the “Start” button and the Start Menu will appear.

2.   Click “Run.” 

3.   Type “regedit” into the “Open:” combo box. 

4.   Click the “OK” button.  The “Registry Editor” window appears. 

5.   Click “File” on the menu bar. 

6.    Click “Export.”  The “Export Registry File” dialog will appear. 

7.   Use the folder list at the top of the window to pick a location for your registry backup file. 

8.    Enter a file name for the registry backup in the “File name:” combo box below the folder list. 

9.   Select the “All” button in the “Export range” panel at the bottom of the window. 

10. Click the “Save” button.  Registry Editor makes a backup of the registry in the location that you specified earlier.

To restore the registry from a backup that you have previously made, do the following: 

1.     Repeat Steps 1 – 5 above. 

2.     Click “Import…”  The “Import Registry File” dialog opens. 

3.     Locate and click the registry backup file in the folder list at the top of the window.  The name of the backup file appears in the “File name:” combo box. 

4.     Click the “Open” button.  The Registry Editor imports the registry from the backup file that you selected. 

You can find information about the registry process on the web. 

http://www.pchell.com/support/aboutblank.shtml 

http://www.bleepingcomputer.com/forums/tutorial42.html 

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html 

You can also go to web-based forums where you can get personalized help from advanced computer users.  Some of these are: 

http://www.bleepingcomputer.com/forums/forum55.html 

http://www.computing.net/security/wwwboard/wwwboard.html 

http://computercops.biz/forums.html 

<< Chapter 2.4 - Downloading Dangers | Chapter 3 - Removing Spyware >>