How to Remove Spyware and Malware from a Windows computer

Repair, Delete and Re-build

This would be a good time to run anti-virus and anti-Spyware software to clean things up. Considering the system is infected, it's best to run the software from outside of Windows, that is, from a bootable CD. Much software can't run this way, but some can.

A good place to start is with Bart's Preinstalled Environment (BartPE). It lets you boot from a CD into a stripped down version of Windows, totally bypassing the corrupted copy of Windows on the hard drive. I have not used Bart PE. For more see: A Must-Have Repair And Recovery Tool by Fred Langa August 8, 2005.

I have used a similar tool, the free Ultimate Boot CD for Windows. It too is a bootable Windows CD with software to repair, restore and diagnose problems. All the software is freeware and it actually uses Bart's PE. It does, however, require a Windows license to create the CD. Specifically, you need a Windows OS disc, preferably with SP2 on it.

A huge amount of free software is included in the Ultimate Boot CD for Windows. For our purposes here, it comes with multiple anti-virus and anti-Spyware programs. As of March 2007, the anti-virus programs are F-Secure Anti-Virus for DOS, AntiVir Personal, Avast!, ClamWin, McAfee Stinger, Dr.Web CureIT and Trend Micro SysClean. Anti-Spyware choices include the popular Spybot and Ad-aware. In addition there is aSquared Free, CWShredder, EzPCFix, Hijack This, Rootkitty, WinSock Fix, XBlock. In theory, these programs can be updated so that they run with the latest definitions. In July 2007 I tried to run AntiVir Personal from a CD created in March 2007 and it couldn't or wouldn't download the latest virus signatures. Still, running with signatures a few months old is way better than not scanning at all. The Ultimate Boot CD includes networking support and you can run IE or Firefox or other web browsers directly off the CD to access the Internet.

I also suggest scanning for rootkits. The two programs below are free and do not need to be installed. They are each a single file and can be run from a flash drive.

In addition:

  • Portable ClamWin is just that, a portable version of ClamWin, a free antivirus program for Windows 98/Me/2000/XP/2003. Alternate Link
  • In October 2005 (more or less) McAfee released a version of their anti-virus software that runs completely off a U3 based thumb drive.
  • F-Prot is a free virus scanner that you can run under a bootable Linux CD such as Knoppix. I haven't tried this. From Knoppix Hacks by O'Reilly.
  • I have not looked into the Ultimate Boot CD.

Next boot normally.

Remove the relatively honest Adware using Add/Remove Programs in the Control Panel.

Use a process monitor to check for any malware that might have been auto-started. Anything that shows up here is pretty darn resistant. It may have detected that its process was being terminated and created a new instance of itself. Or, it may use different names and run from different locations at each startup. Or it may be auto-started from an obscure part of the registry that the software you used to control automatically run programs does not handle (AutoRuns seem pretty complete to me). Note the underlying EXE, reboot to DOS or the Recovery Console and rename this file. Trying to kill the process may only tell it that we are on to its existence and trigger a defense mechanism.

In Windows XP and Me make a Restore Point.

Delete:

  • All ActiveX controls (see below)
  • The web browser cache (Temporary Internet Files) for each user for each browser.
  • Temporary files
  • Cookies (perhaps overkill, I admit)
  • The web browser history
  • Empty the recycle bin for each Windows user
  • Clean out the Java cache folder for each Windows user. The current version of Java (1.5) stores the cache in:
    C:\Documents and Settings\userid\Application Data\Sun\Java\Deployment\cache\
    You can also delete the cache using Control Panel - > Java -> General Tab -> Delete Files button
    How to Clean a Java Cache Folder from F-Secure
  • Disable System Restore to delete the old Restore points, then re-enable it and take a new Restore point
Active X programs/controls reside in C:\WINDOWS\Downloaded Program Files
on Windows XP/ME/98 and in C:\WINNT\Downloaded Program Files
in Windows 2000. With IE6 and Windows 2000 and XP, the cache and cookies
reside in C:\Documents and Settings\userid\Local Settings\Temporary Internet Files
Windows XP SP2 displays the installed ActiveX controls and offers to disabled them, but I would rather delete them.

I have read that Ad-aware can run from a USB thumb drive, but haven't verified this myself. If it can, this would be a good time to run it.

This is great time to run the free McAfee AVERT Stinger. Nice thiing about it is that it does not have to be installed, thus it can be run from a flash drive. In fact, it's a single .EXE file. Down side is that it only detects some viruses, it is not a full anti-virus product. As of July 2007 it detected 187 viruses.

I haven't tried it, but I've read that the free AntiVir PersonalEdition Classic from Avira can also run off a flash drive. This is a full blown anti-malware program.

Reboot normally. Hopefully, no malware is auto-started at this point.

In Windows XP and Me make a Restore Point.

Review the IE Trusted Zone (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button) and delete any web sites there. Review the IE Favorites and delete anything that looks suspicious. If there are too many malicious Favorites, then just rename the directory where they live (see below). Change the IE home page to a blank page (if you can). On the Content tab, click the Publishers button and remove any trusted publishers.

Internet Explorer Favorites live in C:\Documents and Settings\ userid\Favorites

Get a firewall program up and running.

If the machine already had a firewall installed, review the rules, it only takes a single exception to punch a big hole in the protection. Better yet, uninstall the current firewall and do a clean install of the latest version of the free edition of ZoneAlarm. ZoneAlarm is better than the firewall in Windows XP SP2 because it starts out with no exception rules and because it is more resistant to being shut down or disabled by malware.

Log on to the Internet.

Scan the entire hard disk for viruses. I used to like Housecall from Trend Micro but as of March 2006 it hasn't worked for me in months and I've tried it on many machines. Security Check from Symantec only finds bad stuff, it does not delete it. My virus links page has links to other online virus scanners.

Any computer infected with malware, is also likely to be infected with viruses. Better to get rid of the viruses first. Online virus scans should be used because client side anti-virus software may have been crippled.

In Windows XP and Me make a Restore Point.

At this point, none of the installed malicious software should be running automatically at system start-up and the machine should be virus free. This is the time to run a barrage of anti-Spyware programs. Sometimes, however, removing Spyware breaks TCP/IP. If the computer is running Windows XP SP2, then now is the time to display a list of all the software using Layered Service Provider. Run this command and save the output:

netsh winsock show catalog

Finally, it's time for anti-Spyware software. It's a shame that you need to run more than one, but you do. Opinions vary as to the "best" anti-Spyware programs, however, the following are generally respected and free.

If Spyware was detected and removed by the above programs, then you should also remove any Restore Points (Windows XP and Me only) that may include the malicious software. You do this by turning off System Restore. Then turn it back on and make a new Restore Point.

Make sure that you can change the IE home page and security settings and that Internet Options appears in the Control Panel. If not, try HijackThis and/or read this article by Mike Healan.

In a Baltimore Sun article, (Patience, basic toolkit, updates to security can block Spyware July 29, 2004) Mike Himowitz suggested that the cleanup is not done at this point. On NT class machines with multiple users he warns that "Spyware programs embed themselves in each user's personal settings" which requires you to log off the current userid, logon as each of the other users and run the Spyware removal software again. He says "If you don't do this, your Spyware may come back." :-( Makes a clean install look better and better.

Did you create a new problem?

Running the usual anti-malware software can create problems. In the September 21, 2004 issue of PC Magazine, Bill Machrone wrote about malware that infests the TCP/IP stack. The usual anti-malware products removed only half the infection resulting in corrupted TCP/IP software. He found software to fix the problem under Windows XP avoiding the need to un-install and re-install TCP/IP itself. The article: Corruption at the Jersey Shore. The software: WinSock XP Fix 1.2 (alternate link).

The problem has to do with the LSP feature of TCP/IP. The fixes described here reset the TCP/IP stack which will effect software that was using LSP (the software may need to be un-installed and re-installed). But which, if any, software depends on LSP? The output of the netsh command suggested earlier is that list. It may include anti-virus and firewall programs.

In Windows XP SP2 you can reset the LSP feature of TCP/IP with this command:

netsh winsock reset catalog

Then reboot.

Another free program along the same lines is LSP-Fix from Counterexploitation (cexx.org). It too, may help when the removal of Spyware programs disables Internet access. It fixes problems with Layered Service Provider (LSP) software that can be inserted into TCP/IP software. Spybot Search and Destroy may also be able to help with this problem.

And another problem can be created by removing Spyware: