These days it may seem as though the short list of unavoidable perils ought to
be expanded to include death, taxes, and spyware. But if you ever do
get infected with some nasty piece of malware, all you need to get rid of it
are the right free tools, some time, and a little know-how.
A couple of warnings first: Removing spyware is as much art as it is science.
The rogues who create spyware make removing their malicious programs as
difficult as they can. In addition, some types of spyware download and install
additional components, often hiding pieces of code from Windows to make
removal even harder. The instructions below will wipe out most forms of
spyware, but your machine's infestation may resist these measures. If so, you
may have to consult a professional PC repair person. Or you can start afresh
by reformatting your hard drive and then reloading Windows, your apps, and
your data files (browse to our article "Windows Rejuvenated" for instructions).
_____________________________________________________________
More from MSN Tech & Gadgets
______________________________________________________
Note too that if you perform certain removal steps improperly, your PC could
become inoperable. Our instructions call out these danger spots, but if you
don't feel confident about performing them, ask for help from a knowledgeable
friend or from the experts on a spyware-removal Web forum such as TomCoyote,
Geeks to Go, or SpywareInfo.
Make Sure It's an Infection
How do you know whether your PC has an active spyware infestation?
Slower-than-normal performance is the most common symptom people report, but
such behavior can also be due to any number of factors unrelated to spyware,
such as running too many applications with too little system memory, having a
full or very fragmented hard drive, or running buggy software that fails to
free up the memory it uses after you close the application. Your first task is
to determine whether you have a spyware-related problem or just a slow
machine.
Download the latest versions of these tools:
- Microsoft's Malicious Software Removal Tool.
- Microsoft's Windows Defender. Windows Vista has Defender built in, but if you
suspect that you have spyware on your PC, update the program so it can find
the newest bad stuff.
- AntiVir, a free antivirus program.
Since some spyware applications prevent you from downloading these tools, or
from visiting the Web sites that host them, download the programs to another
PC that you know is free of spyware. Then copy the installers to a portable
USB drive, and plug that drive into the machine you suspect is infected.
Start by running the Malicious Software Removal Tool. This program is designed
to search for and destroy only a small fraction of malware, but the ones it
finds are the most serious strains of spyware and virus you can get.
If that program doesn't find anything, run the installer for Windows Defender
(if it isn't already installed on your PC) and make sure that the program
downloads its updates. Then click the downward-pointing arrow to the right of
the word 'Scan' at the top of the Defender window and choose Full Scan.
If Defender finds malware, follow the on-screen instructions to delete the
harmful files. This may require one or more reboots, because some spyware
won't let you uninstall it while Windows is running.
If Defender fails to find anything, or if it finds spyware that it can't
delete, it's time for a full antivirus scan. If you're using an antivirus
program that is already loaded on your system, make sure that it's updated. If
you're using AntiVir, run the installer, and then reboot. When AntiVir is
running, you'll see an icon in your system tray showing an open umbrella
inside a red square. Right-click the icon and choose Start AntiVir.
Click the Start Update link in AntiVir's program window, and when the
update is complete, click the Scanner tab, choose the Local
Drives option in the lower pane, and press the <F3> key to begin
scanning your hard drive. If it finds anything, AntiVir will pop up a dialog
box. Select either Quarantine or Delete to remove the
suspect files that it identifies.
Manual Analysis
One of these three programs should detect and remove any spyware on
your PC. In the unlikely event that you have picked up a brand-new specimen
that isn't yet included in the antispyware databases, you'll have to do some
cyber-investigating to find and eject the interloper.
First, examine every process running on your machine to determine whether any
of them is a piece of spyware. Windows' own Task Manager isn't up to this job:
it shows little more than a process name, and many spyware apps specifically
hide themselves from it. Fortunately, they are less skillful at hiding from the
many Task Manager alternatives. Two of my favorites are Process Explorer (which
is free) and Security Task Manager (which comes in free and paid versions).
Currently, only Process Explorer, which is now owned by Microsoft, is
compatible with Windows Vista. A Vista-compatible version of Security Task
Manager is coming, according to its producer, A&M Neuber Software. Either of
these programs will show you everything that's running on your PC, and will
help you determine whether a particular application should be there.
Warning: Stopping system processes and applications in this manner is risky.
In some cases, if you kill the wrong program, Windows will shut down and
reboot as a safety measure. While you probably won't render your system
unworkable, you should back up all important documents and set a System
Restore point (click Start, All Programs, Accessories,
System Tools, System Restore, and follow the on-screen
instructions).
Start one of the alternative Task Managers mentioned above, and closely
examine the list of running applications on your PC. You're looking for
something that's either out of place or behaving oddly. If you're using
Process Explorer, unzip the archive you downloaded and double-click the
ProcExp.exe program. Click OK after you read the initial dialog,
and you'll be presented with a color-coded list of everything that's running:
Rows highlighted in pink are Windows services; those in light blue are
processes running under your own user account. Right-click the bar with the
column names (it's just above the list of programs), and choose Select
Columns. Check the Command Line box and click OK. A new column will appear,
showing you the full path to each running program along with the arguments it
was started with.
If you're using Security Task Manager, double-click the installer and step
through the dialog boxes to complete the installation. The first time you run
the program, it will take a moment to scan your PC. Unlike Process Explorer,
Security Task Manager doesn't list Windows' own system processes (other than
Explorer.exe) on this initial page. If you want to see those, click the
Windows Processes button on the toolbar. The higher the utility's rating
for a program, the more suspect it is. As you click the entries, the program
tells you why it rated the selected application as it did. However, many
legitimate programs engage in activities that Security Task Manager views
suspiciously, so don't just assume that anything with a rating above 50 is
dangerous; instead, use the rating as an indicator of what to look at first.
Here's where it gets tedious: If you don't know what a particular program is,
what it does, or where it's supposed to live on your hard drive, you'll have
to do some research. Check out the list of processes that are known to be
either benign or malevolent at Uniblue Systems' WinTasks Process Library.
Alternatively, you can enter the filename in a search engine and look through
the results for a description of the process. Some legitimate processes get a
bad rap as spyware, so it's important to corroborate any negative reports you
discover.
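To make that process-by-process check less tedious, here is a PowerShell script that records, for every running process, the facts you would otherwise look up by hand in Process Explorer (full path, command line, whether the file carries a valid Authenticode signature, and its SHA-256 hash) and lists the ones worth researching first. This is an added example, not code from the article or from any of the tools it mentions; the "trusted roots" and the reasons it flags are my own assumptions about what a suspect process looks like. It needs PowerShell 2.0 or later and should be run from an elevated prompt so that system processes report their paths.

```powershell
# Added example (not from the article): triage every running process the way
# the manual check above does, then print the ones that deserve research first.
# Requires PowerShell 2.0+; run elevated so system processes show their paths.

# Assumption: legitimate executables normally live under these roots. Anything
# running from elsewhere (user profile, temp folders, C:\ root) is worth a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-Sha256Hex {
    # Hash a file that may be in use (open for Read, allow ReadWrite sharing).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ProcessTriage {
    foreach ($proc in Get-WmiObject -Class Win32_Process) {
        $path = $proc.ExecutablePath
        $reasons = @(); $hash = $null; $signer = $null
        if (-not $path) {
            # No path: the kernel pseudo-processes (Idle = 0, System = 4), another
            # user's session when not elevated, or something hiding its image.
            if ($proc.ProcessId -gt 4) { $reasons += 'no image path' }
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file missing (deleted while running?)'
        } else {
            if (-not (Test-TrustedPath $path)) { $reasons += 'outside Windows/Program Files' }
            if ($path -match '\\(Temp|AppData|Local Settings|Application Data)\\') {
                $reasons += 'runs from temp or profile dir'
            }
            # Process name that differs from the file on disk is a classic disguise.
            if ($proc.Name -ne [System.IO.Path]::GetFileName($path)) { $reasons += 'name/file mismatch' }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
            else { $signer = $sig.Status.ToString(); $reasons += "signature $($sig.Status)" }
            $hash = Get-Sha256Hex $path
        }
        New-Object PSObject -Property @{
            PID = $proc.ProcessId; Name = $proc.Name; Path = $path
            CommandLine = $proc.CommandLine; Signer = $signer; Sha256 = $hash
            Reasons = ($reasons -join '; ')
        }
    }
}

$triage = Get-ProcessTriage
# Suspect entries first, with the hash you can paste into a search engine.
$triage | Where-Object { $_.Reasons } | Sort-Object Reasons |
    Format-Table PID, Name, Reasons, Path, Sha256 -AutoSize -Wrap
# The full record, for a forum post or for comparison after a cleanup.
$triage | Export-Csv -Path (Join-Path $env:USERPROFILE 'process-triage.csv') -NoTypeInformation
```

Treat the signature column as one signal among several, not a verdict: many of Windows' own binaries are signed through a catalog rather than an embedded signature, so older PowerShell versions report them as NotSigned, while a signed file from a no-name publisher is not automatically safe. The path and the SHA-256 hash are what you research; a hash lets you confirm that a file claiming to be, say, svchost.exe really is the one Microsoft ships.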
Remove the Reprobates
If the program you want to remove from your PC doesn't have an entry
in Windows' Add/Remove Programs applet in Control Panel, it was never installed
the way legitimate software is; instead, it has most likely added Registry
entries that launch it automatically and make it difficult to find and
eradicate. Enter HijackThis, a free program designed to remove Registry entries
and other settings (browser start pages, Browser Helper Objects, hosts-file
redirects, and autostart entries) that spyware uses to take over your PC.
Rather than removing the programs themselves, HijackThis deletes the Registry
entries that launch them and that prevent you from deleting the software
yourself. To familiarize yourself with how HijackThis works, read the Quick
Start guide, but beware: HijackThis, if misused, can render your system
unbootable. Be sure to proceed deliberately, and keep those essential backups
close by.
It's a good idea to consult experts before making any changes with HijackThis.
To do so, run the program by double-clicking HijackThis.exe, and then click
Do a system scan and save a logfile. HijackThis will make a
record of everything it finds and--in a few seconds--will create a text-file
report that you can post online or send to your expert. Volunteers who use the
message boards at TomCoyote, Geeks to Go, and SpywareInfo will help you sort
through the log if you post it to the Malware Removal message board on any of
those sites.
If you want HijackThis to dislodge a program, fill in the check box next to it
and click Fix Checked at the bottom of the program window to delete
the appropriate Registry entries. Then manually delete the related file.
Reboot your PC into Safe Mode (press <F8> at the beginning of the
reboot cycle, before the Windows logo appears), navigate to the unwanted file
on your hard drive, right-click it, and select Delete. Easy as pie.
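For readers who want to see what HijackThis is actually reading before they click Fix Checked, here is a PowerShell script that lists the same autostart locations a HijackThis log covers (the Run and RunOnce keys, the Winlogon Shell and Userinit values, Browser Helper Objects, and the hosts file) and then shows how one entry is backed up and removed. This is an added example and not HijackThis's own code or anything from the article; the "Suspect" heuristic is my assumption, and the value name UpdaterSvc in the removal step is a hypothetical placeholder. It needs PowerShell 2.0 or later, an elevated prompt, and the backups and System Restore point the article already insists on.

```powershell
# Added example (not from the article): enumerate the autostart locations that
# a HijackThis log reports and demonstrate backing up and removing one entry.
# Requires PowerShell 2.0+; run elevated; set a System Restore point first.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function New-Entry([string]$Location, [string]$Name, [string]$Value) {
    # Assumption: anything launched from a temp or profile folder, or a Winlogon
    # value that is not the Windows default, deserves a closer look.
    $suspect = ($Value -match '\\(Temp|AppData|Local Settings|Application Data)\\') -or
               ($Name -eq 'Shell'    -and $Value -ne 'explorer.exe') -or
               ($Name -eq 'Userinit' -and $Value -notmatch '^\s*"?[A-Z]:\\[^,]*\\system32\\userinit\.exe"?,?\s*$')
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Value = $Value; Suspect = $suspect }
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath etc. are provider metadata, not values
            New-Entry $key $p.Name ([string]$p.Value)
        }
    }
    # Winlogon: Shell should be explorer.exe and Userinit the one in system32.
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') { New-Entry 'Winlogon' $n ([string]$wl.$n) }

    # A BHO key holds only a CLSID; the DLL it loads into Internet Explorer is
    # recorded under the CLSID's InprocServer32 key.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($clsid in Get-ChildItem $bhoKey) {
            $srv = "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\InprocServer32"
            $dll = if (Test-Path $srv) { [string](Get-ItemProperty $srv).'(default)' } else { '(no InprocServer32: orphaned)' }
            New-Entry 'BHO' $clsid.PSChildName $dll
        }
    }
    # hosts file: anything beyond comments and the localhost lines redirects a host name.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content $hosts) {
        if ($line -match '^\s*(#|$)') { continue }
        if ($line -match '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }
        $e = New-Entry 'hosts' '' $line; $e.Suspect = $true; $e
    }
}

$entries = Get-AutostartEntries
$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Location, Name, Value -AutoSize -Wrap

# Removing one entry you have confirmed is hostile. 'UpdaterSvc' is a hypothetical
# value name. Export the key first so the change can be undone, keep -WhatIf until
# you are sure, and then delete the file itself from Safe Mode as described above.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
& reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $env:USERPROFILE 'run-backup.reg') /y
if ((Get-ItemProperty -Path $key).PSObject.Properties['UpdaterSvc']) {
    Remove-ItemProperty -Path $key -Name 'UpdaterSvc' -WhatIf
}
```

The order matters for the same reason the article sends you to Safe Mode: if the program is still running when you remove its Run entry, many spyware samples simply write the entry back. Remove the entry, reboot into Safe Mode so the program never starts, delete the file, and then run the enumeration again to confirm nothing has reappeared.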
Rid Yourself of Rootkits
The nastiest spyware specimens--the worst of the worst--are rootkits.
These programs hide themselves from Windows, from antispyware tools, and from
utilities such as Process Explorer and Security Task Manager. If you suspect
that a rootkit has invaded your PC, you still may triumph. A free utility
called IceSword can find and remove many kinds of rootkits. The only downside
(for all but about 1 billion of us)? The tool's instructions are in Chinese.
Fortunately, some smart people have created an illustrated guide in English
for using IceSword. If you're considering using the program, read this guide
carefully before you begin. As with HijackThis, a wrong move can cause serious
problems.
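A quick way to test whether a rootkit is hiding a process from the usual tools, before you reach for IceSword, is a cross-view check: ask Windows for its process list in the normal way, then try to open every possible process ID directly and see whether any process answers that the list never mentioned. The PowerShell script below is an added example, not part of the article or of IceSword; it assumes PowerShell 2.0 or later (for Add-Type), an elevated prompt, and that process IDs on a home PC stay below 65536.

```powershell
# Added example (not from the article): a cross-view check for processes that a
# kernel rootkit has unlinked from Windows' process list. Every possible PID is
# opened directly with OpenProcess(); a PID that can be opened but appears in
# neither Get-Process nor WMI is hidden from the APIs antispyware tools rely on.
# Requires PowerShell 2.0+ (Add-Type); run elevated.

if (-not ('ProcProbe' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}

function Find-HiddenProcesses {
    param([int]$MaxPid = 65536)   # assumption: enough for a home PC; raise it if your PIDs run higher
    $PROCESS_QUERY_INFORMATION = 0x0400
    $ERROR_ACCESS_DENIED = 5      # the PID exists but is protected or belongs to another user

    # Views 1 and 2: the normal enumerations. Both read the same kernel process
    # list that a DKOM rootkit unlinks from, so a hidden process is absent from both.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }
    Get-WmiObject -Class Win32_Process | ForEach-Object { $listed[[int]$_.ProcessId] = $true }

    # View 3: OpenProcess resolves the PID through the handle table, not the
    # linked list, so an unlinked process still answers. PIDs are multiples of 4.
    $hidden = @()
    for ($candidate = 4; $candidate -lt $MaxPid; $candidate += 4) {
        $h = [ProcProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $opened = ($h.ToInt64() -ne 0)
        $exists = $opened -or ($err -eq $ERROR_ACCESS_DENIED)
        if ($opened) { [void][ProcProbe]::CloseHandle($h) }
        if ($exists -and -not $listed.ContainsKey($candidate)) { $hidden += $candidate }
    }
    return $hidden
}

# A process that started or exited between the two views gives a one-off false
# positive; a PID reported by two runs a few seconds apart is the real thing.
$first = Find-HiddenProcesses
Start-Sleep -Seconds 5
$second = Find-HiddenProcesses
$confirmed = $first | Where-Object { $second -contains $_ }
if ($confirmed) { "Hidden PIDs: $($confirmed -join ', ')" } else { 'No hidden processes found by this check.' }
```

This catches the common trick of unlinking a process from the kernel's list, but not every rootkit: one that hooks the system call path or filters handle lookups can lie to OpenProcess as well, which is why dedicated rootkit detectors do their work from kernel mode rather than through the Win32 API. A clean result from this script is therefore reassuring, not conclusive; a positive result is a strong reason to move on to IceSword.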