Spyware Removal Guide

Viruses, trojans, spyware and other malware compromise computer security, personal data and the usability of computer programs. It is best to remove all such malicious programs from the computer.

This document refers specifically to Microsoft Windows XP Home and Professional and Internet Explorer 6. The same principles apply to Windows 95/98/ME/NT 4.0 and 2000.

Prerequisites

1. Ensure that Windows XP Service Pack 2 is applied.
This can be downloaded from Microsoft and is available on most computer magazine cover CDs.
http://www.microsoft.com/windowsxp/sp2/default.mspx

2. Ensure that Windows Update is run at least once a week to download the latest important security hot fixes.
http://windowsupdate.microsoft.com

Virus Scanner

This protects the computer from viruses and trojans. Free examples:
F-Prot antivirus http://www.f-prot.com/download/home_user
McAfee http://www.mcafee.com

Firewall

This protects the computer by allowing only permitted programs to access the Internet.

Free examples:
ZoneAlarm http://www.zonelabs.com

Once viruses have been removed using a good virus scanner there might still be other spyware programs installed on the computer.


Clean the cache

The cache is a temporary store for Internet files. Some malicious files, web pages containing VBScript and other downloadable objects are stored in the cache. It is advisable to clear the Internet Explorer cache of all Temporary Files, Cookies and History before running the spyware removal programs, because this makes it easier to see where the problem lies.

This can be done as follows.

Load Internet Explorer.
Select the menu item Tools\Internet Options...

Press "Delete Files..."


Tick "Delete all offline content", press OK.
This may take a few minutes if the cache is very large or has never been cleaned.


Press "Settings..."


It may be a good idea to set the cache size to a lower value, such as 100Mb, to save disk space and to make cache management quicker in the future.

By default Windows sets this value as a percentage of the hard disk space, so on large modern drives the cache is usually extremely large and becomes slow to delete over time.

Press "View Files..."

Select the menu item "Edit\Select All..." then press Delete on the keyboard.

Press Yes.

When done, press OK.


Spyware Removal

We can now examine the system and remove Spyware using a combination of programs.

CWS Shredder

http://www.intermute.com/products/cwshredder.html

Right-click the link that says "stand-alone version of CWShredder" and choose Save Target As...
Download and run the program.

Press "Fix ->"


CWS Shredder will display this message box.
Close all instances of Internet Explorer, Windows Media Player and MSN Messenger then press OK.


If all is OK a clean report will be displayed. If not, CWS Shredder may need to reboot the computer to remove suspicious files from memory and delete them from the hard disk.


Spybot Search & Destroy

http://www.spybot.info

Download and install the latest free version of Spybot - Search & Destroy 1.3
Download and install the latest detection updates

Load Spybot Search and Destroy
Press "Check for problems"

This will take several minutes to run and remove all the suspicious files. Follow the on screen instructions.
Windows may need to reboot to allow Spybot Search & Destroy to completely remove malicious programs that may be running in the background.
In general it is best to accept its recommendations.

Note

Kazaa has been known to stop working because it contains known spyware that Spybot Search & Destroy removes, but it can be reinstalled later if required.

Hijack This

http://www.spywareinfo.com/~merijn/downloads.html

Download and install HijackThis

HijackThis is an advanced program that stops certain suspicious programs from being loaded when Windows starts, and removes Browser Helper Objects (BHOs) used for browser hijacking along with other system and web browser hooks.

Press "Scan"

If any suspicious items are listed, such as services or programs which should not be there and are not recognised system objects, tick them and press "Fix checked" to allow HijackThis to remove them.

HijackThis writes a log so that deleted registry settings can be restored later.
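
The review of a saved HijackThis log described above can be narrowed down with a short script. This is an added example, not part of the original guide or of HijackThis itself; the allowlist and the sample log are constructed for illustration, and matching is done on the full path because a file name alone is easy to imitate.

```python
import re

# HijackThis log entries start with a section code such as R0, O2, O4 or O23.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")

# Section codes for the item types the guide mentions.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "R1": "Internet Explorer start/search page",
    "O2": "Browser Helper Object",
    "O4": "program loaded when Windows starts",
    "O23": "Windows service",
}

# Constructed allowlist: full paths the reviewer has already recognised.
RECOGNISED = (
    r"C:\WINDOWS\System32\ctfmon.exe",
    r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
)

def triage(log_text, recognised=RECOGNISED):
    """Return (code, description, detail) for entries needing a manual check."""
    known = tuple(path.lower() for path in recognised)
    review = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["code"] not in SECTIONS:
            continue  # header lines, running processes, other sections
        detail = m["detail"]
        if detail.lower().endswith(known):
            continue  # entry points at a recognised full path
        review.append((m["code"], SECTIONS[m["code"]], detail))
    return review

# Constructed sample log (not from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\example1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\example2.exe
O23 - Service: Example Helper Service - Unknown owner - C:\WINDOWS\example3.exe
"""

if __name__ == "__main__":
    for code, kind, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{kind}: {detail}")
```

Entries the script lists are candidates for a closer look, not automatic removals; anything unrecognised should still be researched before pressing "Fix checked".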


Other programs

Ad-aware

http://www.lavasoft.com

Ad-aware Personal is like Spybot Search & Destroy. It can be good to run it as a double check in case its latest definition files contain details of a new threat.

In general Spybot Search & Destroy is quicker and easier to use.

Note

If there is any doubt about things that HijackThis reports then get a friend to check the log before fixing anything.
Search the internet to see if other people recognise the object. If it is known to cause problems then it should be safe to delete it.

Definitions

Virus

A software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer.

Trojan

A program that appears desirable but actually contains something harmful.

Malware

Malware ("malicious software") is any file or program that is designed to do harm to the computer.

Spyware

Spyware consists of computer software that gathers and reports information about a computer user without the user's knowledge or consent.

Worm

A computer worm is a self-replicating computer program, similar to a computer virus. A worm is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found in software such as mIRC.