For those who don't know, spyware is bad. Really bad. It also goes by many names: adware, malware, badware, trojans, worms, downloaders, junkware, and so on. Whatever you call it, it is bad and you need to know how to get rid of it. The most common method people use to remove spyware is to download some software from Download.com and run it. This method works OK most of the time, but it usually takes far longer than I would ever want to spend on a computer. This spyware removal guide presents a much faster and more effective way.
To understand how to deal with spyware, you first have to understand how it works. It gets onto a computer by attaching itself to, or disguising itself as, some useful piece of software. Kazaa is the classic example: it is a useful piece of peer-to-peer software, but it is packed full of spyware. The first thing spyware does once it is on a computer is add itself to various parts of the Windows registry so that it is loaded when Windows starts up. So the first thing you need to do is remove those registry entries, so that you can then remove the spyware itself.
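As an added example that is not part of this guide, here is a read-only PowerShell script (it assumes a Windows PowerShell prompt, which the guide itself does not use) that lists the Run and RunOnce autostart entries just described and checks whether each program carries a valid Authenticode signature. Anything unsigned, or not signed by Microsoft, is what you would look at first in msconfig or HiJackThis.

```powershell
# Added example, not part of the original guide: list the registry autostart
# entries the guide talks about (Run / RunOnce under HKLM and HKCU) and show
# whether each executable carries a valid Authenticode signature. Read-only.
function Get-AutostartEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PSPath, PSDrive, ... to the object; drop those.
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # The value is a command line, either "C:\with spaces\x.exe" /arg
            # or C:\path\x.exe /arg; pull out just the executable path.
            $exe = $cmd.Trim()
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            } else {
                # The file is gone but the registry still points at it: worth noting too.
                $status = 'FileMissing'; $signer = ''
            }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Exe = $exe; SigStatus = $status; Signer = $signer
            }
        }
    }
}

# Anything that is not 'Valid', or not signed by Microsoft, deserves a closer look.
Get-AutostartEntry |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table Name, SigStatus, Exe -AutoSize
```

A valid signature from a third party is not proof of innocence, only a lead on who shipped the program; an unsigned binary in a user-writable directory is the kind of entry the guide's "if you don't know what it is" rule applies to.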
To do this you will need some useful software. The first tool you should use is msconfig. It comes standard with Windows XP, Windows ME and Windows 98, but it is not included with Windows 2000. Don't ask me why. I always run it right off, before I do anything else. To open it, click the Start button, click Run, type "msconfig" and click OK. You are greeted with the System Configuration Utility. You can disable most start-up items by selecting "Selective Startup" and unchecking "Load Startup Items". If you do this, most of the things that normally start will not start when you reboot your computer. Then go to the Services tab and disable all non-Microsoft services. Don't be timid about disabling things in this utility: nothing you do here will permanently damage Windows, because you can always come back to the utility and undo your changes.
After you have run msconfig, I would reboot the computer into Safe Mode. You can do this by pressing F8 while Windows is starting up. Sometimes it is hard to know when to do this: you should press F8 after your computer finishes the BIOS stage and starts booting from the hard drive. If in doubt, press F8 repeatedly while the computer starts. The advantage of Safe Mode is that none but the cleverest spyware is loaded. Once in Safe Mode it is time to try the powerful program known as HiJackThis. HiJackThis functions like msconfig, but it is much more thorough at finding possible spyware problems. The rule to follow when using HiJackThis is: "If you don't know what it is, get rid of it." When you run a scan with HiJackThis you are presented with a list of possible spyware found in the registry. Keep in mind that it is possible spyware; just because something is listed doesn't mean it is bad. Most of what is listed will be extensions to Internet Explorer and the like. Everything listed is optional, and your computer will work perfectly fine even if you remove everything listed. Once you check the things you want to remove and click "Fix Checked", restart your computer in normal mode and you should have about 90% of your
To find out if you have successfully removed all the spyware, start HiJackThis again and do another scan. If you find anything listed that you had previously removed, the spyware is still on your computer somewhere and has come back to plague you. At this point it is hard to give an exact procedure for removing the remaining spyware. Probably the easiest thing to do is download a good spyware scanner and run it. You can see a list of the ones I recommend on the Spyware Scanners page. If the spyware scanners still fail to remove the spyware, you will have to find a more involved procedure. A sure-fire method of removing a known spyware file is to boot into an entirely different operating system and delete it manually.
When you ran HiJackThis you probably noticed a file name associated with each entry. This is most likely the file that runs when Windows starts up and activates the spyware process. If you thought, "I'll just delete this file," that would be a great idea, but if you tried you probably ran into the error "Access Denied, file may be in use" or something like that. Don't ask me why, but Windows is unable to delete a file while it is in use. There is absolutely no reason why this has to be the case; I have no problem deleting the executables of running processes on Linux. Anyway, to delete this file you need to boot the computer from a different medium, and the most convenient is probably a CD. The best type of bootable CD for spyware removal purposes is probably Bart's PE. You can find information on how to build a bootable CD with Windows XP and spyware removal tools here.
If you took a look at that, you probably noticed it is a rather complicated procedure. It is quite possible that you already have a boot CD that will do what you need. If you have a Windows installation CD you can boot from it and press 'r' to enter the Recovery Console. Sometimes it asks for your administrator password. If you don't know it, try just pressing Enter. If that doesn't work, see the Windows Password Recovery Guide for information on how to reset administrator passwords. Once you are presented with a prompt you can issue DOS-style commands like "del \Path\to\file\filename.exe" to remove the offending file you found with HiJackThis (you did write that file name down, right?).
Hopefully this spyware removal guide has helped you get your computer working as well as it did the day you bought it. Of course, all of this would have been avoided if you had just used Linux. Don't forget to check out Spyware Prevention once you have removed all the spyware.