Spyware Removal tips

1
Spyware Removal tips
First off you need a few software tools.
Lavasofts Ad-Aware ( http//www.lavasoftusa.com
) CWShredder ( http//www.intermute.com/spysubtra
ct/cwshredder_download.html ) HijackThis (
http//www.spywareinfo.com/merijn/files/hijackthi
s.zip ) Pocket Killbox (http//www.bleepingcomput
er.com/files/killbox.php )NOD32 30 day trial
(http//www.nod32.com/download/trial.htm )
2
Spyware Removal tips

• First thing to do is to pay a visit to your local
  Control Panel and then the Add/Remove section.
• You just have to know what software is installed
  on your computer.
• When you find some unwanted once try to uninstall
  them. Some take over five minutes to remove
  themselves. This is to fool you into thinking
  your computer is either not responding or for you
  to cancel the uninstall. They have a delay built
  into them.

3
Spyware Removal tips

• You can identify them by looking at the last date
  accessed and by the size of the program. They are
  almost all under 2 megs big and used rarely.
• Most of them are represented by the default icon
  for software (looks like a small computer and
  CD). Some are crafty and call themselves Windows
  Tools and Windosw XP (note the spelling!). If you
  dont recognize them as something you have
  installed then take them out.
• A few may not uninstall no matter how long you
  wait, dont worry. Some require reboots and those
  you can just tell it to wait until youve
  finished them all. If its a mandatory reboot and
  it forces you well then go ahead and reboot.

4
Spyware Removal tips

• Now that your Add/Remove is clean lets move to
  the next item, CWShredder. The latest version is
  2.15. This awesome program was purchased by
  Intermute who was then bought out by Trend Micro.
  Double-click on it and run it. It will find any
  CoolWebSearch trojans and their variants and
  remove them Now that your Add/Remove is clean
  lets move to the next item, CWShredder. The
  latest version is 2.15. This awesome program was
  purchased by Intermute who was then bought out by
  Trend Micro. Double-click on it and run it. It
  will find any CoolWebSearch trojans and their
  variants and remove them.

5
Spyware Removal tips

• Next thing to do is to run HijackThis. This tool
  is dangerous. It lists all programs running in
  your computer good or bad. The latest version is
  1.99.1 so make sure you have that one. You also
  want to run this from your Desktop and not a
  temporary location like inside a .zip file.
• Click on it and then click scan.
• You can safely remove all the 01s since those
  are just homepage redirects and hijacks.
• The 02 s can all go also unless you recognize
  them. The only ones that I keep are the Google
  toolbar, MSN toolbar, or else Adobe Acrobat. The
  rest are usually bad.
• The 03s are the various toolbars installed. They
  only one I would keep is the c\windows\system\msd
  xm.ocx one. The rest can go.

6
Spyware Removal tips

• The 04s. These are the programs that run when
  Windows starts up and the ones that are in the
  registry.
• Default processes that are running with Windows
  XP.
• Explorer.exeSpoolsv.exeSvchost.exe (4 or 5
  times!)Taskmgr.exe (youre using
  it)Alg.exeLsass.exeServices.exeWinlogon.exeCs
  rss.exeSmss.exeSystemSystem Idle Process

7
Spyware Removal tips

• Beware of spelling differences! They usually
  target the svchost.exe and make them look like
  scvhost.exe or something similar.
• Also beware of location. Services.exe does not
  run from the Program Files folder or anything
  else critical.
• If you are unsure of anything else running you
  can always Google it and it will tell you. It
  doesnt?? Well then delete it because 99.9234822
  of the time if Google has not heard of it then
  you dont need it.

8
Spyware Removal tips

• Win98 then the only two you need running
  areSystray.exeExplorer.exeAnything else can
  go.

9
Spyware Removal tips

• Now be careful of the RunOnce folder because
  since youve been through the Add/Remove panel
  there may be some uninstallers that want to run
  next time Windows boots up. Hence the RunOnce
  part. Dont remove them

10
Spyware Removal tips

• Next up to bat is the 10s 11s, these are always
  LSP or Winsock hijacks. HijackThis does not
  remove them by itself since it would break your
  internet connection. You need either the Winsock
  Fix from my site ( http//www.five-online.com/file
  s/WinsockFix.exe ) or else HijackThis suggests
  the LSP fix from cexx.org.

11
Spyware Removal tips

• The next ones are the 16s and these are all the
  stuff that IE has downloaded for you in your
  internet travels. You will see baddies in here
  like XXX toolbar and the like. You can tell which
  ones are bad and good by looking at the website
  on the right hand side. If its something you
  like then keep it.
• The new HijackThis also displays 023s. These are
  the Services that are installed after Windows.
  You wont see the default services here. In order
  to remove these then you will have to access
  services.msc from the Run command. First Stop the
  service and then Disable the service from
  starting up. You will then be able to remove them
  from HijackThis.

12
Spyware Removal tips

• Ad-Aware.Fire it up and click on Check for
  updates, connect and download the latest update.
  Once that is done click on the Gear icon
  (Settings) at the top and then the Scanning
  button on the left. Change the red X to a green
  \/. Then click Advanced and check off Move files
  to Recycle Bin. Click on Tweak at the bottom and
  expand the Safety Settings on the right. Put a
  green \/ beside Write Protect System FilesClick
  Proceed, Start, and put the radio button to Full
  System Scan and then hit then Next. Sit back and
  watch your computer get soapy clean. Ideally you
  want to run this in Safe Mode. To easily get
  there in Windows XP click Start Run and type in
  MSCONFIG. Click on the Boot.ini tab and check off
  Safe Boot. If you want an Internet connection
  then put the radio button beside Network. In
  order to change it back you must remove the
  checkmark beside Safeboot.

13
Spyware Removal tips

• If the above hasnt helped you then you missed
  something in the 04 section of HijackThis, check
  it again. If youre absolutely positively sure
  then you may have a .dll hijack which are pretty
  retarded but solveable. You need to boot into
  Safe Mode and turn on your hidden system files.
• Go to your C\Windows folder and sort by Date
  Modified. You can move all .dlls created
  recently to a folder on your Desktop. Do the same
  with your c\windows\system folder. While youre
  there delete everything from your Prefetch folder
  (XP only) and clean out all your temp files from
  your user directory in Documents and Settings
  under Local Settings. Reboot normally and keep an
  eye on your computer. If it complains of any
  missing .dlls then they will be in that backup
  folder. Recently there has been a rash of them
  that drop a few undeletable .dlls in your
  System32 folder.These ones are identified
  usually by wallpaper that tells you to click here
  because you are infected.