full_screen.png

This panel indicates the options within Spybot in its Default mode, and is the one used by most people.

Search & destroy is the first function of the program, and will give options of Check for  problems, Recovery, and Search for Updates.

Updates should be done at least weekly. The Spybot update page is frequently too busy to cater for all requested downloads and returns a 'bad checksum'. In this case it is easier to go the homepage at http://www.safer-networking.org/en/download/index.html and scroll down to Detection Updates. Download and run this executable file called spybotsd_includes.exe to quickly update the program.
immunize.png
Having updated, it is wise to immunize against infection by selected spyware.
Click on the Immunize shield to do this. If immunization is necessary you will be presented with a green cross to tick. This produces the green progress bar shown here and indicates how many items need to be added to the immunization database. It will not always be necessary but is a valuable check.
Immunity works on Internet Explorer by blocking installation of executable code from known bad sites, and by setting known tracking cookies to not be accepted by Internet Explorer. It is a extra layer of permanent protection beyond that of removing known spyware.
scan.png
The main function of Spybot is to check for problems and remove them from the PC.

At the time of writing Spybot scanned for 39997 known spyware objects - which can take some minutes, and this figure increases with every update. Spyware is indicated in red text and each item will have a check box where it can be selected for what Spybot calls 'fixing'.

Here is a portion of a scan window showing two spyware tracking cookies that somehow penetrated my security. The green entries are usage tracks, left whenever you visit a page with your browser, or just open any file. These can be useful if you want to open that file again, and can select it from a list instead of typing the whole filename or browsing the whole directory structure again, but it also makes that information available to spyware and Internet attackers. It can certainly do no harm to remove them.
settings.png      
We now move on to the Advanced mode that opens up a whole new world where many may fear to tread. But for those prepared to learn and try it offers valuable tools. The Settings mode is the first and I will leave most of it in your hands. But the help file in Spybot S&D is extensive and easy to follow and I urge you to take some time reading and following it. 
web_update.png



What should be pointed out is that you can update automatically, and this is buried deeply in the Settings subsection of the Settings option.  Admittedly it warns and asks:

You should only check this if you are permanently connected to the Internet or if you have a flatrate. Do
you really want to enable auto-checking for updates?

But for most of us on ADSL or broadband these days the answer would have to be, Yes.


file_sets.png
File Sets shows us in detail what we are being protected from and what the program can remove from our system.

Just to take a few of the 39997 items:

 *   Diallers can make international calls at your expense without your knowledge.
 *   Keyloggers can read keys as you use the keyboard, reading credit card numbers and much more.
  *  Trojan horses can infect your system and spread to contacts in your address book.
tools.png
The Tools option is one that is really reserved for experts, but you can all become experts if you wish and if you have the time.

*  Secure Shredder uses pre-defined bit patterns that overwrite files making even hardware recovery impossible.

*  Resident is the browser helper for Internet Explorer that blocks download of files known to be malicious.

*  ActiveX is a Microsoft technology that works only in Internet Explorer and allows Internet applications that are more powerful than simple scripts. Spybot will display a green checkmark in front of ActiveX applications known as legitimate, and a red sign in front of applications known as illegitimate.

*  BHOs are small programs that extend Microsoft's Internet Explorer. They include visible add-on toolbars in Internet Explorer, but can also be spyware to display ads or follow your track across the Internet.

*  IE tweaks and Hosts File basically protect against misdirection of the addresses you type into your browser.

*  Process List is dealt with below

*  System Internals repairs registry entries typically not addressed by other similar programs.

*  System Startup is dealt with below.

*  Winsock LSPs displays a list of installed network drivers; definitely a reference for only professionals
process_list.png
The process list provides a detailed analysis of programs and processes running on your PC.
Processes are the various tasks running on a Windows PC.
Some of the processes are parts of the operating system, while others are applications automatically launched at startup or manually by the user - such as Avast, Spybot S&D, Zone Alarm, Outlook Express.

Some of the information is readily digestible; name, path, company, and description. Other information is more esoteric, but the combination of all this information is invaluable in determining the integrity and authenticity of any process.

Take the process I have highlighted. The very reliable source, Process Library, gives this definition:

spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers. This program is important for the stable and secure running of your computer and should not be terminated.

Note: spoolsv.exe is also a process which is registered as the Backdoor.Ciadoor.B Trojan or the Iambigbrother spyware. The Ciadoor Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

So how do I know which one I have? By holding the mouse over the filename I am presented with the full description of that process on my PC, and I can see that it is not a Trojan but the genuine article.
startup_small.png

The System Startup tool lists all programs that are started at Windows startup, with some more information about those of which it is aware.
Programs can be temporarily halted by unticking the relative box, or removed with the delete icon.

The different colours represent:
  • Green: legitimate program
  • Yellow: unknown, unneeded or unambiguous program.
  • Red: malicious program
Spybot will find and identify Trojans and other malware in the startup list, because many filenames have been hijacked - the same as in our process list.

Freeware databases cannot always tell you the state of the particular file on your PC. They know about the genuine file and all the variations, and will probably rely on file location to classify it. You will see this especially clarified at www.sysinfo.org that we look at later.

I use Uniblue's Wintasks 5 to positively identify these threats. If you rely totally on freeware you should check the file location and and use the filename+location to do a Google search. You will almost certainly find an entry that puts your mind at ease or else recommends deletion.
startup_info.png
This information actually appears on the right of the image above but was too big to include that way on any monitor at only 800 x 600 resolution, so I split it.

You can see the comprehensive information and advice available within Spybot , and hopefully appreciate it enough to use it effectively on your own PC.
Here you can see if a file that correctly resides in the Windows\system32 folder is located instead in another folder. In that case it is almost certainly a Trojan or virus.