How to Remove Spyware and Malware from a Windows computer

Stop Malware From Running

Boot to Safe Mode via F8.

Make a registry backup.

Stop the obvious malware from running at boot time with a utility that controls auto-started programs. This is best done from Safe Mode because I have seen malware that puts itself back into the list of auto-started programs as soon as it's removed.

The AutoRuns program from SysInternals is a free program that controls auto-started programs. It is a small, safe program from a reliable source. No installation is needed; you can run autoruns.exe from removable media. This June 2007 article by George Ou at ZDNet describes using AutoRuns and includes pictures: How to fully de-gunk a PC of Crapware

June 22, 2006: According to Didier Stevens, some malware can disable Safe Mode. Ugh.
February 9, 2007: Didier Stevens released a .REG file that can be used to restore Safe Mode. See Restoring Safe Mode with a .REG file

Beware of malware with a good name in a bad directory. For example, the real version of winlogon.exe resides in the C:\Windows\system32 directory. A copy of winlogon.exe in the C:\Windows directory is trouble. Likewise, winlogin.exe (slight name change) in the C:\Windows\system32 directory is also bad news.

Check the "hosts" file and, if it has any entries other than 127.0.0.1, comment them out. Sample clean hosts file.

For Windows XP and 2000 look in C:\WINDOWS\SYSTEM32\DRIVERS\ETC
For Windows 98/ME look in C:\WINDOWS
I have seen the hosts file locked by malicious software such that it couldn't be updated, deleted or even renamed.
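As an added example that is not part of the original article, a Python script that applies this hosts-file check to a constructed sample file: it flags every entry whose address is not 127.0.0.1, as the article says, and goes one step further by also flagging 127.0.0.1 entries for names other than localhost, then comments the flagged lines out. The sample file contents and host names are made up.

```python
import ipaddress

# Constructed sample hosts file, not a real capture: the stock loopback line,
# comments, one entry that redirects a site elsewhere, and one loopback entry
# for a name other than localhost.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.example-bank.test   # redirects the site to another host
127.0.0.1       update.av-vendor.test
"""

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:                      # skip blank or malformed lines
            yield line_no, parts[0], parts[1:]

def find_suspicious(text):
    """Apply the article's rule (flag any entry whose address is not 127.0.0.1)
    and, going one step further, also flag loopback entries for names other
    than localhost, since those silently make the named site unreachable."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False                     # not even a valid address
        if not loopback:
            findings.append((line_no, "non-loopback", addr, names))
        elif any(n.lower() != "localhost" for n in names):
            findings.append((line_no, "loopback-for-other-name", addr, names))
    return findings

def comment_out(text, line_numbers):
    """Return the file with the given lines commented out rather than deleted,
    so a legitimate entry can be restored later."""
    lines = [("# " + raw if n in line_numbers else raw)
             for n, raw in enumerate(text.splitlines(), start=1)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_HOSTS)
    for line_no, kind, addr, names in hits:
        print(f"line {line_no}: {kind}: {addr} -> {' '.join(names)}")
    print(comment_out(SAMPLE_HOSTS, {h[0] for h in hits}))
```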

Check My Network Places and delete anything suspicious, especially FTP sites referenced by IP address. 

If the computer is behind a router, change the administration password for the router and tape the new password to the box. 

Look for BHOs and disable anything you don't recognize. When in doubt, disable it; you can always re-enable a BHO later.

You want to do this early because BHOs are kicked off by both Windows Explorer and IE. For this, I used to like BHODemon from Definitive Solutions. Unfortunately development of BHODemon has been discontinued. :-(  Windows XP SP2 has the IE Add-On manager. However, BHODemon could run off removable media without being installed to Windows, works with all versions of Windows and offers opinions about the BHOs, making it the far better choice. Deleting BHOs can be tricky because they are active if either Windows Explorer or IE is running. I used to suggest running BHODemon from removable media with Start -> Run -> x:\dir\someprogram.exe (modifying as appropriate).

An actively maintained list of BHOs is available at ComputerCops.biz (thanks Larry) but beware, it's a very big page. In the Status column "X" means malware, "L" means benign. Sysinfo.org also has a list of known BHOs but I'm told this is no longer maintained.

Review the list of auto-started Services (for Windows XP/2000) and disable the ones you don't recognize. Pay special attention to services that have no description. 

Services are one of many ways to auto-start a program at boot time. To research Windows 2000 services see Purpose of Windows 2000 Services and Glossary of Windows 2000 Services. For XP see Windows Server 2003 System Services Reference or System Services for the Windows Server 2003 Family and Windows XP Operating Systems. To research the EXE that underlies a service see Windows Startup Online or WinTasks Process Library or Task List Programs at AnswersThatWork.com.

Examine the scheduled tasks for any obvious malware that kicks itself off this way. 

Make sure Windows Explorer is displaying hidden and system files. 

Re-boot back to Safe Mode. 

The previous steps were the low-hanging fruit. The point of rebooting into Safe Mode is to find any malware that auto-starts despite the steps above. Eventually we reboot normally and look for malware that snuck through the steps below. The goal is that by the time we run anti-spyware software there is a clean playing field for malware removal.

Use a process monitoring program to examine all the running programs. For each malware program, note the location of the underlying executable file. Kill the process and rename the underlying EXE. If it resides in its own directory, rename that too. Give it a name on the order of someprogram.DONOTRUN.exe. If you can't kill the process, boot to DOS or the Recovery Console and rename the underlying file from there.

For this, I like Process Explorer, another free program from SysInternals.com. Like AutoRuns, it requires no installation, you can run it directly from removable media. It can also drill down into svchost.exe and report the underlying services. 

Even with newer versions of Windows such as XP, older mechanisms for automatically running a program at startup time still work. If you want to manually inspect these holdovers, check:

The [windows] section of Win.ini looking for an entry such as load=spyware.exe and run=spyware.exe
The [boot] section of System.ini looking for an entry such as Shell = Explorer.exe spyware.exe
Autoexec.bat looking for something like c:\spyware.exe
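An added example, not part of the original article, that scans copies of Win.ini, System.ini and Autoexec.bat for the three holdovers just listed: a load= or run= value in [windows], anything beyond a lone Explorer.exe in the [boot] Shell= line, and a batch line that launches an executable. The file contents and the spyware.exe path are constructed to match the article's descriptions.

```python
# Constructed sample files shaped like the article's examples (not real captures).
WIN_INI = """[windows]
load=c:\\windows\\spyware.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\windows\\spyware.exe
drivers=mmsystem.dll
[386Enh]
"""
AUTOEXEC_BAT = """@echo off
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
c:\\spyware.exe
"""

def ini_section(text, section):
    """Return {key: value} for one [section]; keys are lowercased. Hand-rolled
    because these old files contain lines that configparser rejects."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == section.lower()
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def legacy_startup_findings(win_ini, system_ini, autoexec):
    """List (file, entry) pairs for each legacy auto-start hook that is set."""
    findings = []
    win = ini_section(win_ini, "windows")
    for key in ("load", "run"):
        if win.get(key):                           # empty is the normal state
            findings.append(("win.ini", f"{key}={win[key]}"))
    shell = ini_section(system_ini, "boot").get("shell", "")
    # Anything other than a lone Explorer.exe: extra tokens or a replacement shell
    if shell and [t.lower() for t in shell.split()] != ["explorer.exe"]:
        findings.append(("system.ini", f"shell={shell}"))
    for raw in autoexec.splitlines():
        if ".exe" in raw.lower():                  # batch lines that launch a program
            findings.append(("autoexec.bat", raw.strip()))
    return findings

if __name__ == "__main__":
    for source, entry in legacy_startup_findings(WIN_INI, SYSTEM_INI, AUTOEXEC_BAT):
        print(f"{source}: {entry}")
```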