Spyware Traces in Detail

In December of 2006, a total of over 150,000 Malware infections were reported by the Emsisoft Anti-Malware Scanner. The actual figure including all those not reported is probably much higher. According to this statistic, one could think that almost every computer was infected with one or more types of Malware before Anti-Malware was used.

Well over half of the discovered objects were so-called Spyware Traces. The term “Traces” comes from English computer terminology and means “tracks” or “indications” in this context. To explain exactly what this means, we will first make a short excursion into the world of Malware removal.

The first and main approach to finding damaging software is through the use of signatures. In a similar manner to the way in which the police use fingerprints to recognize a criminal, the Anti-Malware Scanner compares every scanned file on the hard drive with a signature database of known damaging programs. If the file and signature agree then the file is declared to be Malware and can be deleted or placed under quarantine.

The Traces scan functions in a somewhat different manner. Instead of using a fingerprint, the Anti-Malware Scanner looks for files, folders, registry entries and Tracking Cookies that are typically created by Spyware programs. Traces are exactly these trails that Spyware leaves behind.

This approach has both advantages and disadvantages for Malware recognition. The advantage of using Traces is that a single folder trace can recognize all versions of a particular Spyware program, as long as all versions use the same file path. This can provide additional protection against new Spyware for which a file signature is not yet available. The disadvantage is that Malware recognition is relatively inexact or, to be more precise, insufficiently differentiated. Benign software can be falsely recognized, for example, if it uses the same file name or folder as a dangerous Spyware program.

Software discovered via Traces should therefore first be double-checked to see if it is actually Malware before it is finally deleted.

There are four different types of Traces scanned, which are described in more detail below:

  • Trace.File.<Spywarename>
    File Traces are known Spyware and Adware file paths. Recognition of File Traces is based solely on the file path. It is therefore possible that benign files are reported if they are located in known Spyware folders and have the same file name as Spyware files. However, benign files are not normally stored in known Spyware folders.
  • Trace.Directory.<Spywarename>
    Directory Traces are somewhat more general in nature. These recognize entire folders including all files that they contain. You should only delete this type of discovery when at least one of the files in the folder is clearly recognized as Spyware.
  • Trace.Registry.<Spywarename>
    Registry Traces are known Spyware or Adware traces stored in the Windows Registry. These can be Autostart entries that automatically start Spyware when Windows is started. Registry Traces can also be registrations of Adware DLL files that are used to hijack the Windows Explorer or Web Browser, i.e. to use them for Malware purposes. By definition, Registry entries are not dangerous in themselves but are used to allow Malware to be installed and started.
  • Trace.TrackingCookie
    Cookies are small snippets of information stored on your PC by the Web Browser (Internet Explorer, Firefox, etc.) when requested by a visited website. This allows you to be recognized the next time you visit the site. Advertising companies use these in a targeted manner to record your surfing habits. For example, advertising banners are then customized to suit your personal interests. Although Tracking Cookies present no direct danger to the security of your computer, they can represent a violation of your privacy. For this reason they are recognized by Anti-Malware and can be removed if desired. More information on this topic is in the article “A Closer Look at Cookies”.
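
The difference between a signature match and a File or Directory Trace, as an added example that is not Emsisoft's code: a path-only hit is marked for review, and a Directory Trace counts as confirmed only when a file inside it also matches a signature. The trace names, paths and signature below are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed databases; names and paths are hypothetical, not from any real scanner.
FILE_TRACES = {"progfiles/examplebar/bar.dll": "Trace.File.ExampleBar"}
DIR_TRACES = {"progfiles/examplebar": "Trace.Directory.ExampleBar"}
SIGNATURES = {hashlib.sha256(b"constructed spyware body").hexdigest(): "Adware.ExampleBar"}

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scan(root):
    """Return {relative_path: (detection_name, verdict)} for objects under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        sig_hits = 0
        for name in files:
            rel = f"{rel_dir}/{name}".lower()
            sig = SIGNATURES.get(sha256_of(os.path.join(dirpath, name)))
            if sig:
                # Content matches a fingerprint: independent of where the file lives.
                findings[rel] = (sig, "confirmed")
                sig_hits += 1
            elif rel in FILE_TRACES:
                # Path-only match: could be a benign file with the same name.
                findings[rel] = (FILE_TRACES[rel], "review")
        if rel_dir in DIR_TRACES:
            # A folder trace is only trusted if a file in it is clearly recognized.
            verdict = "confirmed" if sig_hits else "review"
            findings[rel_dir] = (DIR_TRACES[rel_dir], verdict)
    return findings

def demo():
    """Scan two constructed folders: a benign name collision and an infected one."""
    results = {}
    for label, body in (("benign", b"harmless library"),
                        ("infected", b"constructed spyware body")):
        with tempfile.TemporaryDirectory() as root:
            folder = os.path.join(root, "ProgFiles", "ExampleBar")
            os.makedirs(folder)
            with open(os.path.join(folder, "bar.dll"), "wb") as fh:
                fh.write(body)
            results[label] = scan(root)
    return results

if __name__ == "__main__":
    print(demo())
```

Both folders trigger the same Directory Trace, but only the one whose file also matches a signature is reported as confirmed.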

Summary:
If Traces are found on your computer then this is an indication of Spyware infection. Do not blindly delete all discovered objects but rather check first whether this is possibly benign software. Only Tracking Cookies can usually be deleted without further thought. All other discoveries should first be placed in quarantine so that you can restore them if necessary.