This guide will show you how to detect and remove the Webwatcher software. These instructions work for versions 4 to 6 of the software (no longer the latest), but may also work for other versions. Note that the company (incorrectly) claims that the software is undetectable.
- Steps
-Non-Technical Methods
1. The most obvious technique is to simply ask the person who installed the software (assuming you know them) to remove it. Obviously, this will not work if an unknown or uncooperative person installed it.
2. You can also try to have the vendor (Awareness Technologies) remove this software for you. However, this company requires you to prove that the software is illegally installed, a process which is invasive (usually they remotely access your computer). Requests are reported to be usually ineffective and are often ignored.
3. If these methods do not work for you, or you want to confirm that it was in fact uninstalled, then read on.
-Easy Detection Method (Not Guaranteed)
1. Hold down the Control and Alt keys on your keyboard, then press Caps Lock. This is the default key combination to bring up the password prompt. However, note that whoever installed this software can easily change this. If a box appears asking for a password, then you are likely infected. If not, then try the other steps described here.
-For Manual Detection
1. First open up a command prompt. You can do this by clicking on Start, then Run, then typing cmd and pressing Enter (XP), or by using the Start menu search to find a shortcut (Vista/7).
2. Try one known Webwatcher directory. Type 'cd c:\windows\system32\config\atww' (without quotes). If command prompt shows 'cannot find this file' or similar, then move on to the next steps. If not, then you may be infected.
3. Try other directories. Repeat step 2 for the directories 'c:\windows\system32\config\atuvp', 'c:\program files\webwatcherv5' and 'c:\program files\skyhook wireless', filling in the part after 'cd' with the appropriate directory. If any of these are found, then you may be infected. Proceed to delete or rename these files or use an antivirus/antispyware program.
-For Automated Detection
1. Use Spy DLL Remover. Download a copy of Spy DLL Remover or the portable apps version at www.portableapps.com. Launch the program. Use 'run as administrator' (Vista/7).
2. Click on the gears (settings) icon.
3. Check your options. Enable 'Scan for hidden processes' and all of the options below it. In the dropdown box, select 'show dangerous, suspicious, and analysis level threats'. Make sure that 'Ignore non DLL files' is UNCHECKED.
4. Click the save button to confirm your preferences.
5. Click 'scan now'.
6. Check the results. If anything appears in orange or red, then you are likely infected with Webwatcher or other spyware. Check the list of suspect files for the directories mentioned in the manual detection section of this guide. Check for any file named 'wpsnuio'. Also check the c:\windows\system32 and c:\windows\system32\config directories for a folder with a name beginning with 'epphp'. For these items, note their file/folder names and paths, then click on them and then click 'remove all' to unload the spyware.
-Manual Removal
1. Try your hand at deleting or renaming the detected files. Type the path of the target file into windows explorer (my computer), then select the file and move it to recycle bin or rename it. Do this for all of the suspected files, then restart your computer.
-Automatic Detection and Removal
1. Use Ad-Aware. Download a copy of Ad-Aware free from lavasoft.com.
2. Run a smart scan.
3. Remove Webwatcher if it appears on the scan. Note that it may be called Ultraview.
-Boot Disk Method
1. Note that this method completely bypasses Windows (and therefore Webwatcher's rootkit), giving you unrestricted access to the disk. However, there is also no protection against accidentally deleting, renaming, or modifying important system files. Make a backup first and be careful.
2. Burn your CD/DVD. Burn a linux live CD/DVD. You can use Ubuntu, Linux Mint, or really any distribution capable of accessing your hard disk (almost all of them should).
3. Boot up. Start up your computer with the CD/DVD. Check out other articles on how to do this.
4. Open your hard disk. Using the included file manager, open the drive which contains your windows folder.
5. Look for suspicious files. Try and find the files and folders mentioned in the manual detection section.
6. Move, rename, or delete the files. You can move them to a different location on the hard disk, move them to a USB drive, or rename the files. Deleting the files will work too, but be careful as this can cause system instability or crashes.
7. Reboot into windows. Restart the computer without the CD/DVD in the drive. You should also use Spy DLL Remover or another program to determine whether you have completely removed the software.
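The search in step 5, as an added example (not part of the original guide): a read-only shell script to run from the live CD that checks the mounted Windows drive for the folders and file names listed in the manual and automated detection sections, ignoring upper/lower case. The mount point, the function names and matching 'wpsnuio' with any extension are assumptions; it expects the `find` shipped with common live distributions.

```shell
#!/bin/sh
# Added example: read-only scan of a mounted Windows drive. Deletes nothing.

# Folders from the manual detection section, relative to the drive root.
KNOWN_DIRS='windows/system32/config/atww
windows/system32/config/atuvp
program files/webwatcherv5
program files/skyhook wireless'

# Resolve relative path $2 under root $1, ignoring case in every component.
# Windows names are case-insensitive; a Linux mount of the drive usually is not.
resolve_ci() {
    cur=$1; rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$part" 2>/dev/null | head -n 1)
        [ -n "$cur" ] || return 1
    done
    printf '%s\n' "$cur"
}

# Print each artifact found under mount point $1, one path per line.
scan_volume() {
    root=$1
    printf '%s\n' "$KNOWN_DIRS" | while IFS= read -r rel; do
        resolve_ci "$root" "$rel" || true
    done
    # Folders whose name begins with 'epphp' in system32 or system32\config.
    for rel in windows/system32 windows/system32/config; do
        dir=$(resolve_ci "$root" "$rel") || continue
        find "$dir" -mindepth 1 -maxdepth 1 -type d -iname 'epphp*' 2>/dev/null || true
    done
    # Files named 'wpsnuio'; also matching an extension is an assumption.
    if win=$(resolve_ci "$root" windows); then
        find "$win" -type f -iname 'wpsnuio*' 2>/dev/null || true
    fi
    return 0
}

# Runs only when a mount point is given, e.g.: sh scan.sh /mnt/windows
[ $# -eq 0 ] || scan_volume "$1"
```

Every path it prints is a candidate for step 6; no output means none of the listed names were found on that drive.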
-Prevent Future Infection
1. Set a strong administrator password. Avoid telling your password to anyone. If they should need administrator rights for some reason, then log on for them, watching everything they do to prevent installation of this software in the future.
- Tips
- Webwatcher uses a rootkit to hide itself from Task Manager, Windows Explorer and Regedit, but fails to hide itself from Command Prompt. Also, if the name of the hidden directory is typed into windows explorer, then the files are exposed.
- Your antivirus/antispyware program might already detect Webwatcher. Check the logs for detection entries titled 'Webwatcher' or 'Ultraview'.
- Remember that there are plenty of other similar programs which can possibly be used to do the same thing as Webwatcher.
- Many of these steps require administrator rights on Windows.
- Remember that the software CAN be reinstalled even after you delete it. So, run these detection steps as often as you deem necessary.
- When researching/looking up Webwatcher on the internet, avoid confusion between the commercial spyware (what we are talking about here) and the many non-spyware programs (which are completely separate).
- Warnings
- These instructions might not work for newer versions, and there is no guarantee
- Version 7.0 of this software has been released, possibly rendering these instructions (especially the manual detection/removal sections) obsolete. This is not to say that they will certainly not work, but that they are untested on versions 7.0 and up.
Source : http://www.wikihow.com/