Last updated 14/05/2005
Copyright © 1999 - 2004, Sandra Hardmeier, All Rights Reserved Worldwide

Spyware Home Page

There are many people who have helped this FAQ improve over time - MVPs and newsgroup users.  I thank all of you who have made the newsgroups, anti-malware websites and dedicated mailing lists into such a wonderful resource.

Read the advice at my prevention link (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of your computer being infected.

Before trying to remove spyware:

  1. Back up all essential data.

  2. Download the recommended software (points 1 to 7 below).

  3. After all of the software has been downloaded, installed and updated, disconnect the computer from the internet and/or any network to which it may be attached. Stay disconnected until the clean-up is finished, so that nothing can be re-downloaded while you work.

The software you should download and have ready to use is:

  1. CWShredder - http://www.intermute.com/spysubtract/cwshredder_download.html

  2. Ad-Aware SE Personal Edition - http://www.lavasoftusa.com/support/download/  (Lavasoft have now released Ad-Aware SE. Ad-Aware 6 users should update to SE as soon as possible; all previous versions are NO LONGER SUPPORTED.)

  3. Spybot Search and Destroy - http://spybot.eon.net.au

  4. A BHO disabler such as BHO Cop, BHO Demon or BHOCaptor  (non XP SP2 users only - XP SP2 has its own Add-on Manager, used in step A.8 below)

  5. Microsoft AntiSpyware Beta - http://www.microsoft.com/athome/security/spyware/software/default.mspx

  6. LSPFix - http://www.cexx.org/lspfix.htm, and WinsockXPFix (XP only) - http://www.spychecker.com/program/winsockxpfix.html.  Note: Windows 95 users must install Winsock 2 first.

  7. HijackThis - http://aumha.org/downloads/hijackthis.exe. You can also find the latest version at the author's home site, being http://www.merijn.org/downloads.html

Get the latest information about updates to the various anti-spyware products from Siljaline (aka Microsoft MVP Randy Knobloch) at Security Tools Updates and http://www.msmvps.com/

Malware removal (beginner's step-by-step guide)

Some of the following advice may seem pedantic, or unnecessary, but I strongly advise you to do everything in the order given to maximise your chances of a successful outcome.  A lot of modern malware, if given the chance, will try to reinstall itself automatically.  The steps below are designed to minimise the chance of this happening.

A.    Getting ready to disinfect....

  1. Go to Control Panel, Folder Options, View Tab. Turn on the option to show hidden files. Turn off the option to hide protected system files.  ***WARNING!! Files are hidden by Windows for a very good reason.  It is not wise to 'experiment' with these files.  Unfortunately, to successfully remove modern malware we must turn this protection off.  There is a risk to doing this.  Please turn the protection back on when you have finished cleaning your system.***

  2. Go to Control Panel, Add/Remove Programs. Check for malware entries and, where an uninstaller is listed, use it. (Do not rely on it having removed everything - the sweeps below still need to be run.)

  3. Reboot into safe mode:

    Windows XP and Windows 2000 - press F8 as the computer restarts and choose 'Safe Mode' from the menu that appears.
    Windows 98 - hold down the Ctrl key while you restart the computer, then choose 'Safe mode' from the menu that appears.
    Windows 95 - press F8 when 'Starting Windows 95...' appears and choose 'Safe mode' from the menu.
  4. Check all 'startup' folders for unwanted malware entries.  Windows 95 and 98 users can examine their startup folder via the Start Menu.  Those of us who are using a later operating system should check ..\Documents and Settings\All Users\Start Menu\Programs\Startup and ..\Documents and Settings\<username>\Start Menu\Programs\Startup.  Move any shortcuts that you do not recognise on to your desktop.

  5. Right click each shortcut that you have moved out of the startup folders and select 'Properties'.  Write down the target path. Use Windows Explorer to navigate to the file being targeted, and rename JUST that file.  Do NOT delete it.  ***WARNING!! Some people have been known to delete an entire folder, or all the contents of a folder, if just one file is malware.  DO NOT DO THIS!!***

    A target path has been highlighted with a red box in this screen shot

  6. Empty your IE cache and your other temporary file folders, eg: c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder depends on your user name) - sometimes programs are hidden in there.

  7. Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. A Windows Explorer window will open.  Obvious malware can be removed by right clicking on the object, and selecting 'remove'.

  8. If you are running Windows XP SP2, go to Tools, Manage Add-Ons.  Examine the list of 'Add-ons that have been used by Internet Explorer' and disable anything that you do not want Internet Explorer to use.  If you wish, the add-ons can be re-enabled at a later time.  If you are not running XP SP2, you can use one of the third party BHO disablers recommended above.

    Make sure you download and install Update KB888240 to solve a known problem for XP SP2 where add-ins will sometimes hide themselves from the Add-On Manager.  The hotfix is available from:
    http://www.microsoft.com/downloads/details.aspx?familyid=d788c59e-b116-4d38-b00c-ff1d529106c8&displaylang=en
  9. Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF.

  10. Once finished, reboot into safe mode.

B.    Cleaning your computer - first sweep

  1. Start CWSHREDDER and fix anything it finds.

  2. Once finished, reboot into safe mode.

C.    Cleaning your computer - second sweep

  1. Start AdAware.  Remember you should have updated it as soon as it was installed, and you should also update it every time it is run (unless you have already checked for updates that day).

  2. Make sure that 'search for negligible risk entries' is turned on.  Select 'use custom scanning options' then select 'customise'.  Make sure the following options are enabled:  'scan within archives', 'scan active processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for banned URLs', 'scan my Hosts file'.

  3. Select the 'tweak' option.  Under 'scanning engine', make sure 'unload recognized processes and modules during scan' is enabled.  Enable 'scan registry for all users instead of current users'.

  4. Under 'cleaning engine' turn on 'always try to unload modules..', 'during removal unload explorer and IE if necessary', 'let windows remove files in use at next reboot', 'delete quarantined items after restoring'.

  5. Use the 'select drives and folders to scan' option to ensure that your ENTIRE hard drive is scanned. If you have more than one hard drive, scan all of them (but do not include floppy and CD/DVD drives).

  6. Once finished, reboot into safe mode.

D    Cleaning your computer - third sweep

  1. Run Spybot S&D.  "Fix" anything marked red.

  2. Once finished, reboot into safe mode.

E    Cleaning your computer - fourth sweep

  1. Run a full system scan using Microsoft AntiSpyware.

  2. Once finished reboot into safe mode.

  3. Complete a second full system scan.

  4. Reboot into normal mode.

If you are unable to get on to the internet after cleaning up your computer, run LSPFix.  If that doesn't work, run WinsockXPFix (XP only). If you are using XP SP2 and are still unable to access the internet after removing malware, the following command line may help - it resets the Winsock catalogue, discarding any Layered Service Providers the malware left behind:

netsh winsock reset

Once the computer is clean, and if it applies to the operating system, create a new restore point.  The old ones may, of course, be infected with the malware and cannot be used.  Once the old restore points have been flushed, create a new (clean) one.

Windows XP - Start, All Programs, Accessories, System Tools, Disk Cleanup.  More Options tab, System Restore, Clean Up (this removes all but the most recent restore point).
or
Windows XP - Control Panel, System. System Restore Tab. Enable 'turn off system restore on all drives'. Apply.  Uncheck box. Click ok.

Windows ME - right click My Computer, select Properties.  Performance tab, File System.  Troubleshooting tab. Enable 'Disable System Restore'.  Ok twice, then click yes to reboot your computer.  After rebooting, turn System Restore back on.

If the malware problem comes back further specialised assistance is available via various anti-spyware forums, my preferred forum being http://aumha.net.  Alternative forums include www.lavasoftsupport.com and www.spywareinfo.com.

You will need to post a HijackThis log at the anti-spyware forums for analysis, but please make sure that you have attempted to clean your system as per the advice above before generating the log file.

The following information is for advanced users and for professional technical support - these steps are NOT recommended for the inexperienced.  I have not provided detailed instructions or advice and have assumed a higher than average level of skill....

Remember, do as much as you can in safe mode.

Examine win.ini, system.ini, autoexec.bat, config.nt and autoexec.nt as relevant to the operating system, paying specific attention to the shell= line in system.ini and the load= and run= lines in win.ini.  Fire up services.msc and review the installed services.  Search for unusual or unexpected *.bat files, and for unexpected autostart entries in the Run, RunOnce, RunOnceEx, RunServices, Services, Winlogon and Scripts registry keys.  MSCONFIG (Services tab, 'hide all Microsoft services') can be helpful.  Search the rest of the registry for any further references to the malware files you have discovered, in the hope of finding pointers to other files or CLSIDs that can in turn be searched for to reveal further keys.  Invariably, if you find a malware entry in one of those keys, you will find a further reference to the component elsewhere.

Also watch out for entries at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
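The following PowerShell script is an added example and is not part of the original FAQ or of any tool it names. It walks the autostart locations just listed (the Run/RunOnce/RunOnceEx/RunServices keys, Winlogon Shell and Userinit, AppInit_DLLs, SharedTaskScheduler and Browser Helper Objects) together with the two Startup folders from step A.4, resolves each entry to the file it would load, and reports whether that file exists and carries a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, so it is for the 'professional technical support' reader working on a current system rather than on the Windows 9x/XP machines above; the helper names (Resolve-CommandPath, Describe-Entry, Resolve-Clsid) are my own.

```powershell
# Added example (not from the original page): enumerate the autostart locations
# discussed above and list each entry with its resolved file and signature status.
# Assumes Windows PowerShell 5.1+, run elevated so HKLM is fully readable.
# Only the native registry view is walked; on 64-bit Windows the Wow6432Node
# mirrors of these keys should be checked the same way.

function Resolve-CommandPath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" -silent   or   foo.exe /x
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           else { ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return (Resolve-Path -LiteralPath $exe).Path }
    # Bare names (rundll32, explorer.exe) are looked up on the PATH, as the loader does
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $exe   # not found on disk: worth a closer look
}

function Describe-Entry {
    param([string]$Location, [string]$Name, [string]$CommandLine)
    $path = Resolve-CommandPath $CommandLine
    $status = 'MISSING'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $CommandLine
                       File = $path; Signature = $status }
}

$results = @()

# 1. Run / RunOnce / RunOnceEx / RunServices for the machine and the current user
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, etc.
        $results += Describe-Entry $key $p.Name ([string]$p.Value)
    }
}

# 2. Winlogon Shell / Userinit and AppInit_DLLs. Expected: explorer.exe,
#    userinit.exe, and (normally) an empty AppInit_DLLs value.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($v in 'Shell', 'Userinit') {
    $val = (Get-ItemProperty -Path $wl -Name $v -ErrorAction SilentlyContinue).$v
    foreach ($part in ($val -split ',' | Where-Object { $_ })) { $results += Describe-Entry $wl $v $part }
}
$win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $win -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in ($appinit -split '[ ,]' | Where-Object { $_ })) { $results += Describe-Entry $win 'AppInit_DLLs' $dll }

# 3. Browser Helper Objects and SharedTaskScheduler: each subkey/value is a CLSID
#    whose InprocServer32 default value names the DLL that will be loaded.
function Resolve-Clsid ([string]$Clsid) {
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
        -ErrorAction SilentlyContinue).'(default)'
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $results += Describe-Entry $bho $_.PSChildName (Resolve-Clsid $_.PSChildName)
}
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$stsProps = Get-ItemProperty -Path $sts -ErrorAction SilentlyContinue
if ($stsProps) {
    foreach ($p in $stsProps.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $results += Describe-Entry $sts $p.Name (Resolve-Clsid $p.Name)
    }
}

# 4. Startup folders: resolve each shortcut's target, as step A.5 does by hand.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $results += Describe-Entry $dir $_.Name $target
    }
}

# Missing, unsigned and invalid-signature files float to the top for review.
$results | Sort-Object { $_.Signature -eq 'Valid' }, Location | Format-Table -AutoSize -Wrap
```

A 'Valid' signature is not proof of innocence and an unsigned file is not proof of guilt, but the sort puts the entries that deserve a manual look first. A file reported as MISSING under Run is itself a clue: either the malware's file has already been renamed (as step A.5 advises) and the pointer is stale, or the entry belongs to something that loads from a path you have not yet found.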

Unless you have a lot of experience in this area, I strongly recommend that you post the details of the services revealed by services.msc to aumha.net for professional guidance, at least until I am able to track down (or put together) a comprehensive list of legitimate services. If you turn off the wrong service you could cause serious problems and, at worst, leave the computer unbootable.

An experienced computer technician can use programs such as the following for in-depth diagnosis:

AutoStart Viewer:
http://www.diamondcs.com.au/index.php?page=asviewer

Process Viewer for Windows:
http://www.teamcti.com/pview/

Silent Runners:
http://www.aaronoff.com/silent_runners/

APM (Advanced Process Manipulation):
http://www.diamondcs.com.au/index.php?page=apm

StartupTracker:
www.dougknox.com

Fighting virus.win32.bube / troj/down.admincash?  This utility may be of assistance in replacing the infected explorer.exe: http://www3.telus.net/_/replacer/.  More information about this nasty adware can be found at http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41518 and http://securityresponse.symantec.com/avcenter/venc/data/downloader.admincash.html

The Microsoft Giant Antispyware beta saved my butt the other day, protecting my system from attempted 180Solution reinstalls that were part of the crapware Intelligent Explorer (aka IEPLUGIN).