Spyware Removal guide
For those that don’t know, spyware is bad, really bad. It also goes by many names (adware, malware, badware, trojans, worms, downloaders, junkware and so on); whatever you call it, you need to know how to get rid of it. The most common method people use is to download a removal program from Download.com and let it scan. That works well enough most of the time, but it usually takes much longer than I would ever want to spend on one computer. This spyware removal guide presents a faster and more effective way: cut off the spyware’s startup entries first, then remove the files.
To deal with spyware you first have to understand how it works. It gets onto a computer by attaching itself to, or disguising itself as, some useful piece of software. Kazaa is the classic example: it is a useful peer-to-peer program, but it is packed full of spyware. The first thing spyware does once it is on a computer is add itself to the parts of the Windows registry that control what loads at startup (the Run keys, services, Internet Explorer add-ons and the like), so that it is running again every time Windows boots. So the first thing you need to do is remove those startup entries; only then can you remove the spyware itself.
To do this you will need some cool software. The first piece is called msconfig. It comes standard with Windows XP, Windows ME and Windows 98; it is not included with Windows 2000. Don’t ask me why. I always run this first, before anything else. To start it, click the Start button, click Run, type “msconfig” and click “OK”. You are greeted with the System Configuration Utility. You can disable most startup items by clicking “Selective Startup” and unchecking “Load Startup Items”. If you do this, most of the things that normally start with Windows will not start the next time you reboot. Then go to the Services tab, tick “Hide All Microsoft Services” and disable everything that remains. Don’t be timid about disabling third-party entries: msconfig only disables them rather than deleting them, so you can always come back to this utility and undo your changes. The one real way to hurt yourself here is to disable Microsoft services, which can leave Windows unable to boot, so leave those alone. Keep in mind that this step only masks the spyware; the actual removal comes later.
After you have run msconfig, reboot the computer into Safe Mode. You do this by pressing F8 while Windows is starting up. It is sometimes hard to know when to press it: the moment is after the computer leaves the BIOS screen and starts booting from the hard drive. If in doubt, tap F8 repeatedly while the computer starts. The advantage of Safe Mode is that Windows skips most startup items and third-party services, so none but the cleverest spyware is loaded. In Safe Mode it is time to try the powerful program known as HijackThis. HijackThis works like msconfig but is much more thorough at finding the places spyware hooks itself in. The rule to follow when using HijackThis is, “If you don’t know what it is, get rid of it.” When you run a scan you are presented with a list of possible spyware entries found in the registry. Keep in mind that it is only possible spyware: just because something is listed doesn’t mean it is bad. Most of what is listed will be Internet Explorer extensions and similar add-ons, and nearly all of it is optional; your computer will generally work fine without it. HijackThis keeps a backup of everything you fix, so a mistake can be undone from its Config menu. Check the things you want to remove, click “Fix Checked”, restart your computer in normal mode and you should have the large majority of your spyware gone.
To find out whether you have removed all of the spyware, start HijackThis again and do another scan. If anything you removed is listed again, the spyware is still on your computer somewhere and has come back to plague your existence. Compare by the file path an entry points to rather than by the entry name, because some spyware re-creates its startup entry under a new name. At this point it is hard to give an exact procedure for removing what is left. Probably the easiest thing is to download a good spyware scanner and run that; you can see the ones I recommend on the Spyware Scanners page. If the scanners still fail to remove the spyware, you need a more involved procedure. A sure-fire method of removing a known spyware file is to boot into an entirely different operating system and delete it manually.
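A worked example of the rescan-and-compare step, added here and not part of the original guide (nor HijackThis’s own code). It parses the O4 startup lines of two scan logs, assumes the line layout “O4 - HKLM\..\Run: [Name] C:\path\program.exe” that HijackThis prints, and reports which of the entries you fixed are back after the reboot and which new ones have appeared. The two logs are constructed for illustration, and the list of suspicious directories is my own heuristic, not something the guide or HijackThis defines:

```python
import re

# One HijackThis O4 (startup) line, e.g. "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /arg".
# The layout is assumed from memory of HijackThis logs, not taken from the guide.
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)\s*$")

# Directories a legitimate startup program rarely runs from (heuristic assumption).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


def program_path(cmd):
    """Return the executable named by a command line, lower-cased for comparison.
    Handles quoted paths and unquoted paths containing spaces by cutting at the
    first program extension; anything after it is treated as arguments."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\b|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def parse_scan(text):
    """Map executable path -> entry for every O4 line in a scan log.
    Keyed by path, so the same program registered under both HKLM and HKCU,
    or re-registered under a new value name, collapses to one entry."""
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[program_path(m.group("cmd"))] = {
                "key": m.group("key"), "name": m.group("name"), "cmd": m.group("cmd")}
    return entries


def is_suspicious(entry):
    """Flag programs launched from temp, profile or recycle-bin folders."""
    path = program_path(entry["cmd"])
    return any(d in path for d in SUSPICIOUS_DIRS)


def compare_scans(before_text, after_text, fixed_names):
    """before_text: scan taken before 'Fix checked'; after_text: scan after the
    reboot; fixed_names: the value names you ticked. Returns (resurrected, new):
    fixed programs that are back, and programs that were not in the first scan."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    fixed_paths = {p for p, e in before.items() if e["name"] in fixed_names}
    resurrected = [after[p] for p in sorted(fixed_paths) if p in after]
    new = [e for p, e in after.items() if p not in before]
    return resurrected, new


# Constructed sample logs (not real scans); only the O4 lines are parsed.
BEFORE_SCAN = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKCU\..\Run: [updsvc] C:\Documents and Settings\Owner\Local Settings\Temp\updsvc.exe
O4 - HKLM\..\Run: [Toolbar Helper] "C:\Program Files\Example Toolbar\tbhelper.exe" /background
"""

AFTER_SCAN = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKLM\..\Run: [svcupd] C:\Documents and Settings\Owner\Local Settings\Temp\updsvc.exe
O4 - HKLM\..\Run: [Windows Update Helper] C:\RECYCLER\S-1-5-21-0\winup.exe
"""

if __name__ == "__main__":
    back, new = compare_scans(BEFORE_SCAN, AFTER_SCAN, {"updsvc", "Toolbar Helper"})
    for label, group in (("came back", back), ("new since fix", new)):
        for e in group:
            flag = " [SUSPICIOUS]" if is_suspicious(e) else ""
            print(f"{label}: {e['key']} [{e['name']}] {e['cmd']}{flag}")
```

Matching on the executable path rather than the entry name is what catches the second scan’s “svcupd” entry: it is the same Temp-folder program that was fixed under the name “updsvc”, now moved from HKCU to HKLM. The “Toolbar Helper” entry stays gone, so it is not reported. Run the script as-is to print the report, or pass compare_scans the text of two real scans saved from HijackThis.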
When you ran HijackThis you probably noticed a file name associated with each entry. That is most likely the file Windows runs at startup to activate the evil spyware process. If you thought, “I’ll just delete this file,” that is a fine idea, but if you tried it you probably got an error like “Access Denied, file may be in use”. Windows locks the image of a running executable so it cannot be deleted while the process lives; Linux has no such problem because unlinking a file only removes the directory entry, and the running process keeps the file alive until it exits. You could try ending the process first from Task Manager, but many spyware packages run a second process that restarts the first. So to delete this file you need to boot the computer from a different medium, most conveniently a CD. The best type of bootable CD for spyware removal is probably Bart’s PE. You can find information on how to build a bootable CD with Windows XP and spyware removal tools here.
If you looked at that, you probably noticed that it is a rather complicated procedure. It is quite possible you already have a boot CD that will do what you need. If you have a Windows installation CD, boot from it and press “r” to enter the Recovery Console. Sometimes it asks for the administrator password; if you don’t know it, try just pressing Enter, and if that doesn’t work see the Windows Password Recovery Guide for how to reset administrator passwords. Once you have a prompt you can issue DOS-style commands such as “del C:\path\to\filename.exe” to remove the offending file you found with HijackThis (you did write that file name down, right?). One caveat: by default the Recovery Console only lets you into the root of each drive and the Windows folder, so reaching a file under Documents and Settings or Program Files requires first enabling the “Recovery console: Allow floppy copy and access to all drives and all folders” setting in Local Security Policy and then running “set AllowAllPaths = TRUE” at the console prompt.
Hopefully this spyware removal guide has helped you get your computer working as well as the day you bought it. Of course, all of this could have been avoided if you had just used Linux. Don’t forget to check out Spyware Prevention once you have all the spyware removed.
I like the HijackThis software. It really helped me. Thanks a lot.
Uhhh... wow, my rig is running crispy now! Thanks a lot bro!
Thanks for all of the useful information on your site. I really would like to use this method to try to save time removing malware, but after reading the following article I am not sure whether this is a good process to use. Please let me know what you think about this.
http://forums.majorgeeks.com/showthread.php?t=149804
“Why you should not be using MSconfig to control startups”
Many people frequently use MSconfig as a long term solution to control startup processes and services. You will also see many websites condoning use of MSconfig and teaching you how to use it for controlling startups. This is a very bad idea for many reasons.
1.) MSconfig was designed to be used only as a temporary debugging/troubleshooting tool. It was not meant to be used for long term solutions.
2.) MSconfig does not show all startups anyway.
3.) If you uninstall programs while they are disabled with MSconfig, they will not be uninstalled properly and you will have to resort to manual registry editing to properly get everything removed. MSconfig will leave orphan entries if/when installed software is uninstalled while under the control of MSconfig. When/if MSconfig is turned back to Normal Startup, it will give errors on boot due to those orphan entries.
4.) MSconfig and Services:
If you uninstall programs while you have some of the programs’ services being controlled with MSconfig, the programs will not be uninstalled properly and you will have to resort to manual registry editing to get everything properly removed.
When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer.
It is safer to control services by using Control Panel, Administrative Tools, Services (this runs services.msc).
5.) You can lock malware items into your registry that you may not see anymore until some point in time where you switch back to Normal Startup mode and now you can cause total reinfection of your PC with the malware. You need to remove the malware not mask it.
If you still don’t understand why not to use MSconfig, see what Microsoft writes here: http://support.microsoft.com/kb/310560 The key point is stated as such:
Hi, I wanted to comment on the “You should not use msconfig” that Kev said. I have always used msconfig and it is a great tool to use to clean up computers very quickly. Yes, it only disables it, and yes, you can really screw up your computer ~ but only if you disable Microsoft services. Startup items in the system only slow the computer down and most are useless unless wanted/desired.
I love these blogs and will continue to read on, Thank you.
‘The first cool software you should use is called msconfig... I always run this right off before I do anything else. To access it all you have to do is click the Start button’
How can I click Start when I can’t even log onto my computer with this annoying blue screen???
Try it in safe mode if you can. Press F8 as the computer starts up. If that doesn’t work tell me the first part of what it says on the blue screen and I’ll see if I can help.
My computer would not work because I can’t get to HijackThis. I have it in safe mode and it’s fine, but once I start rebooting it gets to the welcome screen, then a blue screen pops up for a very short time (can’t read the words) and it reboots itself over and over. What should I do?
Press F8 as the computer is starting up and then choose “disable automatic reboot on system failure”; this will allow you to read what is on the blue screen. Google the stop code or error message for hints on how to fix it. Or leave a reply and I’ll help the best I can.
I know that you have to reinstall Windows as a last resort, but I tell people that after a certain period of time (let’s say one year) it’s recommended to make a clean install of Windows in order to get rid of many problems and start with a fresh PC again. What do you think? When do you decide to reinstall Windows as a rapid fix?
Congratulations for the site, it’s very informative.
As per your spyware removal guide, on my Windows Vista Home Premium PC I clicked ‘Selective startup’, unchecked Load Startup Items, then went to the Services tab and disabled all non-Microsoft services. Then I restarted my PC in Safe Mode and tried HiJackThis. I was informed that the Windows Installer Service could not be started in Safe Mode and is not accessible. The PC is telling me that the ‘HiJackThis’ program will not work in Safe Mode. In Safe Mode I went to Task Manager, Services, and tried to start Windows Installer manually; it would not work...
Any tips on how I get around this problem?
regards, john
excellent website, very informative….