sgCERT Advisory No. 022005: Steps To Remove Spyware/Adware

Introduction

Spyware scans a system or monitors activity and relays information to other computers. Adware facilitates delivery of advertising content to the user; in some cases it gathers information related to internet usage and relays this information back to a remote computer.

Antivirus software has incorporated spyware and adware removal capabilities. If detected, the antivirus software will attempt to remove them.

If your antivirus software detects the presence of spyware/adware, and cannot remove them automatically, note down all the offending file(s) detected and follow the steps below to remove them manually.

Steps to remove spyware/adware in Windows Environment:

1.      For Windows ME and Windows XP users, please disable System Restore. Some infections could return if System Restore is enabled. To disable System Restore:

    i.  Windows ME

        a.  Locate and right-click the "My Computer" icon on the desktop. Select Properties.

        b.  Go to the "Performance" tab and click on the "File System" button.

        c.  Go to the "Troubleshoot" tab. Check the "Disable System Restore" check box to disable it.

        d.  Click OK.

    ii. Windows XP

        a.  Locate and right-click the "My Computer" icon on the desktop. Select Properties.

        b.  Go to the "System Restore" tab. Check the "Turn Off System Restore" check box to disable it.

        c.  Click OK.

2.      Close all programs that are running, especially Internet Explorer.

3.      Uninstall spyware/adware and other unnecessary programs using "Add and remove software" in the Control Panel.

4.      To remove spyware/adware entries from the registry, all of its processes must be stopped.

    i.  Windows 95/98/ME

        a.  Press CTRL+ALT+DEL. Windows Task Manager will pop up.

        b.  Find the spyware/adware process(es) (as detected by your antivirus software), highlight it and click End Task.

    ii. Windows XP/2000

        a.  Press CTRL+SHIFT+ESC. Windows Task Manager will pop up. Go to the Processes tab. Click the "Image Name" column header to sort the processes by name.

        b.  Find the spyware/adware process(es) (as detected by your antivirus software), right-click on it and select "End Process Tree".

5.      Next is registry cleaning. The registry is a hierarchical configuration database maintained by Windows and your applications. The database is stored on disk, and a copy in memory is created when you boot. Most of the time, the spyware/adware is added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    i.  Saving Registry before deletion

As a precautionary measure, the registry needs to be saved before deleting any entries from it. Click on the START button and select RUN. Type REGEDIT in the Open field. Click on My Computer on the Left Panel. From the menu, click on File and select Export registry. Give a name to the file and save it in a folder.

    ii. Delete Values in Registry

On the Left Panel, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. On the Right Panel, find and delete any entry that matches the files detected by your antivirus software. After deleting the entry, press the F5 key to see if the spyware entry comes back. If yes, repeat step 4. If no, proceed to the next step. Check for similar entries in the folders beginning with Run under the CurrentVersion container.

6.      Install Spybot Search & Destroy antispyware software which can be downloaded free from http://www.safer-networking.org/en/mirrors/index.html

    i.   Run Spybot Search & Destroy after installing it.

    ii.  Download new updates to get the latest pattern.

    iii. On the left panel, click on the Search & Destroy button and its corresponding menu will appear in the right panel. Find the Check Problem button and click on it. This software will check for any existing spyware in your system. After checking for problems is done, select the option to fix all problems that are found.

    iv.  Click on the Immunize button on the left panel and the corresponding menu will appear on the right panel. Click the Immunize button on the right panel.

7.      Patch your Windows Operating System. Click on START -> Windows Update. This will direct you to Microsoft Updates Center. Follow the steps on the web to complete the patching of your operating system. 

8.      Restart your computer after patching is done. 

9.      Next, scan your computer using antivirus software with the latest virus pattern. If spyware still exists, please repeat steps 1 to 9 in safe mode.

10. If the problem still persists, please contact your Kumpulan Sokongan IT (KSIT) for further assistance.
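
As an aid to step 5, the following added example (not part of the original advisory) reads the text of the registry export saved in step 5.i and lists every value under the CurrentVersion keys beginning with Run that mentions a file named by the antivirus software. The function names, the sample export and the file name exad.exe are constructed for illustration.

```python
import re

# Added example, illustrative names. Matches every CurrentVersion key starting with "Run".
RUN_BASE = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed sample export; "exad.exe" stands in for a file named by the antivirus.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleAd"="C:\\Program Files\\ExampleAd\\exad.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"=hex(2):65,00,78,00,61,00,64,00,\
  2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAd]
"Path"="C:\\Program Files\\ExampleAd\\exad.exe"
'''

def decode_data(raw, unicode_export):
    """Return the text of a REG_SZ or REG_EXPAND_SZ value, or None for other types."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    if raw.startswith("hex(2):"):                    # REG_EXPAND_SZ exported as bytes
        data = bytes.fromhex(raw[7:].replace(",", ""))
        codec = "utf-16-le" if unicode_export else "cp1252"  # cp1252 assumed for REGEDIT4
        return data.decode(codec, "replace").rstrip("\x00")
    return None

def find_run_entries(reg_text, detected_files):
    """List (key, value name, data) for Run* values that mention a detected file."""
    unicode_export = reg_text.lstrip("\ufeff").startswith("Windows Registry Editor")
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)    # join hex continuation lines
    wanted = [name.lower() for name in detected_files]
    key, hits = "", []
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                         # start of a new key section
        elif m and key.lower().startswith(RUN_BASE):
            data = decode_data(m.group(2), unicode_export)
            if data and any(w in data.lower() for w in wanted):
                hits.append((key, m.group(1) or "(Default)", data))
    return hits

if __name__ == "__main__":
    print(find_run_entries(SAMPLE_EXPORT, ["exad.exe"]))
```

Exports made by Regedit on Windows 2000/XP are normally saved as Unicode text, so read the file with encoding="utf-16" before passing its contents to find_run_entries. The script only reports entries; deletion is still done in Regedit as described in step 5.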

