Friday, April 24, 2009

How to Remove Spyware Manually

You've run through all the traditional steps, tried Ad-Aware and Spybot and HijackThis, and you still have spyware. What now? Well, you can try following this manual removal guide. It's not for the faint of heart, and it may actually be less effort to simply back up your files, reformat your drive, and reinstall Windows. Please note that you will need full access to a clean computer in order to repair your infected computer!

1. Turn off the infected computer. Open the case and remove its main hard drive (the one containing the OS partition).
2. If you have a USB/IEEE1394 external drive enclosure, you may connect the infected drive to that instead of completing the next two steps.
3. Turn off the clean computer. Open the case and connect the infected drive as a second, non-boot drive.
4. Turn on the clean computer. Make absolutely sure that it boots into the clean OS, not from the infected drive! Most PCs have a boot choice menu which can be accessed via the F11 or ESC key soon after power on. Two precautions before you touch the infected drive: make sure the clean computer's antivirus has on-access (real-time) scanning turned on, and do not double-click the infected drive's icon in My Computer. On Windows XP an autorun.inf in the root of a fixed drive can launch a program when the drive is opened that way, which is exactly how you infect the clean machine too. Type the drive letter into the Explorer address bar instead, or disable AutoPlay for all drive types first.
5. Once the clean computer's OS has booted, you are going to want to clean out temp files from the infected drive, in order to make it easier to search. But first, you want to see all files, even hidden and system files. Go to "Control Panel" -> "Folder Options", and click on the "View" tab at the top of the "Folder Options" window. You are going to want to change the following options:
o Turn ON: Display the contents of System Folders
o Turn ON: Show hidden files and folders
o Turn OFF: Hide extensions for known file types.
o Turn OFF: Hide protected operating system files (Recommended)
6. Take note of the drive letter of your infected drive. It's probably going to be E: or F:, depending on the number of hard drives, partitions, and CD/DVD drives you have in your clean computer. I'm going to assume that we're dealing with the F: drive for this article.
7. Temp files are stored in the following locations. Some of these locations may not exist, some may be in slightly different places. It's important that you find and clear the cache for all of your browsers (IE/Netscape/Firefox/Opera) and that you clear it for every single user! Check the following folders and delete their contents, but not the directories themselves.
o F:\TEMP
o F:\Windows\TEMP or F:\WINNT\Temp (Only NT4 and Windows 2000 use "WINNT" as the system folder)
o F:\WINNT\Profiles\UserName\Local Settings\Temp (NT4 only; Windows 2000, like XP, keeps profiles under "Documents and Settings" below)
o F:\WINNT\Profiles\UserName\Local Settings\Temporary Internet Files
o F:\WINNT\Profiles\UserName\Local Settings\Application Data\Mozilla\Firefox\Profiles\SomeRandomName.default\Cache
o F:\Documents and Settings\UserName\Local Settings\Temp
o F:\Documents and Settings\UserName\Local Settings\Temporary Internet Files
o F:\Documents and Settings\UserName\Local Settings\Application Data\Mozilla\Firefox\Profiles\SomeRandomName.default\Cache
8. At this point, make sure your recycle bin is empty of all files.
9. Now that your temporary files folders have been cleared, there are a lot fewer files to search through. This should make the next few steps a bit less tiresome.
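If you would rather not click through every profile by hand, the sweep in steps 5 through 9 can be done from a PowerShell prompt on the clean computer. This is an added example, not part of the original post. It assumes the infected drive is F: (change the -Drive parameter), that you are in an elevated Windows PowerShell 3.0 or later prompt, and it only empties the folders listed above; the folders themselves are left in place.

```powershell
# Added example (not from the original post): clears the temp and browser-cache
# folders listed above for every profile on the offline infected drive.
# Assumptions: the infected drive is F: (change -Drive); elevated Windows
# PowerShell 3.0+ on the clean machine. Only the CONTENTS of each folder are
# removed; the folders themselves are kept, as the article says.
param([string]$Drive = 'F:')

# Machine-wide temp folders (XP/2003 use Windows, NT4/2000 use WINNT).
$targets = @("$Drive\TEMP", "$Drive\Windows\Temp", "$Drive\WINNT\Temp")

# Profile roots: "Documents and Settings" (2000/XP/2003) or "Profiles" (NT4).
$profileRoots = @("$Drive\Documents and Settings", "$Drive\WINNT\Profiles") |
    Where-Object { Test-Path -LiteralPath $_ }

# Per-user temp, IE cache and every Firefox profile's cache. Every profile
# folder is covered, including "Default User" and the service accounts.
foreach ($root in $profileRoots) {
    foreach ($user in Get-ChildItem -LiteralPath $root -Directory -Force) {
        $local = Join-Path $user.FullName 'Local Settings'
        $targets += Join-Path $local 'Temp'
        $targets += Join-Path $local 'Temporary Internet Files'
        $ffProfiles = Join-Path $local 'Application Data\Mozilla\Firefox\Profiles'
        if (Test-Path -LiteralPath $ffProfiles) {
            # Profile folder names are random ("xxxxxxxx.default"), so enumerate them.
            foreach ($p in Get-ChildItem -LiteralPath $ffProfiles -Directory -Force) {
                $targets += Join-Path $p.FullName 'Cache'
            }
        }
    }
}

$removed = 0
foreach ($dir in ($targets | Sort-Object -Unique)) {
    # Some locations will not exist on a given system; that is expected.
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force reaches hidden and system files (index.dat and friends);
    # -ErrorAction Continue so one undeletable item does not abort the sweep.
    foreach ($item in Get-ChildItem -LiteralPath $dir -Force) {
        Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Continue
        $removed++
    }
    Write-Host "cleared $dir"
}
Write-Host "$removed top-level items removed"
```

Run it as .\Clear-InfectedTemp.ps1 -Drive 'F:'. If your execution policy blocks it, run it via powershell.exe -ExecutionPolicy Bypass -File. Anything the script reports it could not delete is worth a look in the next steps: a file in a temp folder that refuses to go away on an offline drive is unusual.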
10. Good, you've trimmed some of the bloat, now try backing up the infected drive to a folder on the clean computer, if you have room. If you can possibly back up the entire drive, do it. Otherwise, you should be able to get away with just the "Documents and Settings" folder ("Profiles" under NT4; Windows 2000 also uses "Documents and Settings") and maybe a few of the games folders (some games store their saved games, maps, high scores, etc. in their program folder).
11. Now you should perform full antivirus and spyware scans of your computer. This will hopefully find some things on the infected F: drive and remove them.
o Download and install both Spybot Search and Destroy and Lavasoft Ad-Aware. It is important that you use both of these utilities, as together they will often find more malware than either finds alone.
o Update definition files when prompted.
o Scan your machine (this could take a while).
o Remove any spyware that is found.
o Make sure you have an antivirus program installed and up-to-date. Perform a full system scan and remove any viruses, trojans, and worms it finds.
12. When all the scans are complete, go to "C:\Program Files" (on your clean PC's drive) and copy the entire program directories for Spybot, Ad-Aware, and your anti-virus to a new directory on your infected drive, called "F:\Cleaners". Also copy the installers for these programs to the "F:\Cleaners" folder. You may need them later.
13. Hit WindowsKey+F to bring up the find files window. If you see a stupid little animated dog, you may want to turn him off, because he makes searching a lot more annoying.
14. The search options you will want to use for the searches we will perform are "Search for All files and folders" with the following "Advanced Options" turned ON:
o Search system folders
o Search hidden files and folders
o Search subfolders
15. For your first search, I want you to look only in the F:\ drive for file names matching "*.exe" and which have been modified in the past week. Simply enter "*.exe": "asterisk period exe", and specify "within the last week." You may want to try searching for "past month" as well, depending upon how long you've been infected.
o Run the search. Let it run to completion.
o Examine the files it found. Some of them you may recognize, especially if you have recently installed some programs. For example, if you recently upgraded or installed Lavasoft Ad-Aware, you may see "F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" in this list. Ignore this kind of file. The kind of file you're looking for is usually in F:\Windows\system32, less than 100KB in size, and has a funny name like "lkaljya.exe"
o Any files you find should be moved into a temporary directory until you can verify that they are legit. For example, you can create a folder "F:\quarantine" and move them into a subfolder "F:\quarantine\Windows\system32" in there.
o If you have an on-access anti-virus program, it may actually start complaining that it found a trojan the second you select the suspect file. If it does, then don't bother quarantining it, just let the antivirus delete it.
o Pay particular attention to *.exe files with either random or pretentious names. Pretentious names try to appear important by being very close to actual useful programs. For example, a useful program is "svchost.exe", while a suspect program would be "scvhost.exe". The reverse trick is just as common: the right name in the wrong place. The real svchost.exe lives only in F:\Windows\system32, so a file called svchost.exe sitting in F:\Windows or under a user profile is every bit as suspect as a misspelt one.
o Another check is to right-click the executable, choose "Properties", and look at the "Version" tab and the "Digital Signatures" tab (each only appears if the file has that data). Be clear about what each tells you. The "Company Name" and other fields on the Version tab are plain text that whoever built the file typed in; malware routinely fills them with "Microsoft Corporation" and the like, so a familiar company name is a weak hint, not proof. A "Digital Signatures" tab means the file carries an Authenticode signature: select the signer, click "Details", and confirm Windows reports the signature as OK, which ties the file to a real publisher's certificate. Bear in mind that many genuine Microsoft system files are signed through catalog files rather than embedded signatures, so a legitimate Windows binary on the offline drive may show no Digital Signatures tab at all. Treat "no version info and no signature" as a reason to investigate further, and "a valid signature from a publisher you recognise" as a reason to move on.
o When in doubt, go to Google and type the full name of the suspect executable: "scvhost.exe", for example. Examine the search results. Often you will see links like "scvhost.exe, good or bad?" or "What does this file do?" and you can see whether or not it is a necessary file or a trojan. A search result only vouches for the name, though, not for the particular file on your drive; check the location and the signature as well.
o Pay particular attention to any *.exe files you find in F:\windows\system32 and (especially) anywhere in F:\Documents and Settings. A few legitimate programs install updaters or small tools under a user's "Local Settings\Application Data", but executables anywhere else under "Documents and Settings" are rare and deserve a close look.
16. Repeat the previous step, but search for file names matching the pattern "*.dll" instead.
17. Repeat the previous step, but search for file names matching the pattern "*.sys" instead.
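The three searches in steps 15 through 17, and the rules of thumb for reading the results, can be done in one pass. The script below is an added example, not part of the original post. It assumes the infected drive is F:, an elevated Windows PowerShell 3.0 or later prompt, and a short hand-picked list of Windows binary names to compare against (my own list, extend it as you like). It deletes and moves nothing; it only prints candidates with the reasons each was flagged, so the judgement calls stay yours.

```powershell
# Added example (not from the original post): steps 15-17 in one pass over the
# offline infected drive, with the article's rules of thumb applied as flags.
# Assumptions: infected drive is F:, elevated Windows PowerShell 3.0+.
# Nothing is deleted or moved; it only lists candidates and why.
param([string]$Drive = 'F:', [int]$Days = 7)

$cutoff = (Get-Date).AddDays(-$Days)

# Windows binaries that malware likes to imitate (short hand-picked list; extend it).
# All of these live in system32 on a clean system.
$knownNames = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe',
              'smss.exe', 'spoolsv.exe', 'rundll32.exe', 'taskmgr.exe'

# Levenshtein edit distance, to catch "scvhost.exe"-style lookalikes.
function Get-EditDistance([string]$a, [string]$b) {
    $rows = $a.Length + 1; $cols = $b.Length + 1
    $d = New-Object 'int[,]' $rows, $cols
    for ($i = 0; $i -lt $rows; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -lt $cols; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -lt $rows; $i++) {
        for ($j = 1; $j -lt $cols; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Rough "random name" heuristic: a long run of consonants, or no vowels at all.
# Expect false positives; it is only one hint among several.
function Test-RandomName([string]$stem) {
    return ($stem -match '[bcdfghjklmnpqrstvwxz]{4}') -or
           ($stem -match '^[a-z]{5,}$' -and $stem -notmatch '[aeiouy]')
}

$results = foreach ($ext in 'exe', 'dll', 'sys') {
    Get-ChildItem -LiteralPath "$Drive\" -Filter "*.$ext" -Recurse -Force -File -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt $cutoff -and $_.FullName -notlike "$Drive\quarantine\*" } |
      ForEach-Object {
        $reasons = @()
        $name = $_.Name.ToLower()
        $stem = [IO.Path]::GetFileNameWithoutExtension($name)
        # system32 itself and its dllcache copy both count as "in system32".
        $inSystem32 = $_.DirectoryName -match '\\system32(\\dllcache)?$'

        if ($inSystem32 -and $_.Length -lt 100KB) { $reasons += 'small file in system32' }
        if ($_.FullName -like "$Drive\Documents and Settings\*" -or
            $_.FullName -like "$Drive\WINNT\Profiles\*") { $reasons += 'executable under a user profile' }
        foreach ($k in $knownNames) {
            $dist = Get-EditDistance $name $k
            if ($dist -eq 0 -and -not $inSystem32) { $reasons += 'system binary name outside system32' }
            elseif ($dist -ge 1 -and $dist -le 2) { $reasons += "lookalike of $k" }
        }
        if (Test-RandomName $stem) { $reasons += 'random-looking name' }
        # Version-resource text is free-form and easily faked; an Authenticode
        # signature can actually be verified. Catalog-signed Microsoft files on
        # an OFFLINE drive report NotSigned, so treat that as "check", not "bad".
        if (-not $_.VersionInfo.CompanyName) { $reasons += 'no CompanyName in version info' }
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; KB = [int]($_.Length / 1KB)
                               Modified = $_.LastWriteTime; Reasons = ($reasons -join '; ') }
        }
      }
}
$results | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

Run it as .\Find-SuspectBinaries.ps1 -Drive 'F:' -Days 7, and widen -Days if the infection is older. Expect noise: copies of system files under ServicePackFiles or $NtServicePackUninstall$ will be reported as "outside system32" after a service pack install, and the NotSigned flag is meaningless for catalog-signed Windows files on an offline drive. The value is in the combination: a small, unsigned, recently modified file in system32 with a random or lookalike name and no version info is the one to pull into the quarantine folder first.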
18. This last step is fairly complicated, but is usually successful at getting rid of most of the most stubborn worms and trojans. Pay close attention and don't screw up.
19. Go to Start->Run and type "regedit" and hit enter.
20. Load the "SOFTWARE" hive from the infected computer and remove any bad "run on login" entries.
o Select HKEY_LOCAL_MACHINE by left-clicking it.
o Go to the File menu and choose "Load Hive".
o Navigate to F:\Windows\System32\Config (F:\WINNT\System32\Config on NT4 and 2000) and choose the file named "SOFTWARE" (no extension).
o It will ask you for a key name. Type "INFECTED_SOFTWARE" and hit enter.
o Click the plus sign next to HKEY_LOCAL_MACHINE to reveal the key "INFECTED_SOFTWARE".
o Navigate to HKEY_LOCAL_MACHINE\INFECTED_SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
o Back it up! Right-click on "Run", choose "Export", and save the file as "INFECTED_SOFTWARE,RUN.reg" in the quarantine folder. The exported file names every key as HKEY_LOCAL_MACHINE\INFECTED_SOFTWARE\..., so if you need to restore this backup later on while the infected computer is running, open the .reg file in a text editor first and change HKEY_LOCAL_MACHINE\INFECTED_SOFTWARE to HKEY_LOCAL_MACHINE\SOFTWARE. If you merely want to restore it immediately while still on the clean computer, no editing is needed: make sure the hive is still loaded and double-click the .reg file to re-insert its keys and values.
o In the right pane you should see a list of entries. Some of these may include Java Update, AOL Instant Messenger, MSN Messenger / Windows Live Messenger, ICQ, Trillian, nVidia / ATI drivers, Sound drivers, Keyboard / Mouse drivers, Antivirus, Firewall software, etc. Again, use your best judgment and the methods described earlier for differentiating good from bad. If you determine that something is bad, grab the EXE file pointed to by the key and throw it into the quarantine folder, and delete the key. You can always restore it later using the registry backup.
o Perform the same steps in "RunOnce" and "RunOnceEx", right next to the "Run" key. They may or may not have entries in them. While the hive is loaded, also look at HKEY_LOCAL_MACHINE\INFECTED_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: on a clean system the "Shell" value is just "Explorer.exe" and "Userinit" is "C:\WINDOWS\system32\userinit.exe," (trailing comma included; C:\WINNT on NT4 and 2000). Anything appended after those, such as a second program after the comma, starts at every login just like a Run entry and should be judged the same way.
o When you are done, it is important that you click on the "INFECTED_SOFTWARE" and then go to the File menu and choose "Unload Hive".
21. Load the "DEFAULT" hive from the infected computer (F:\Windows\System32\Config\DEFAULT) as "INFECTED_DEFAULT" and remove any bad "run on login" entries, using the same steps as for "SOFTWARE". DEFAULT is a user-style hive, so the keys sit one level deeper: HKEY_LOCAL_MACHINE\INFECTED_DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run. Note: the "DEFAULT" hive may not even have a "Run" key. If that's the case, skip it. Be sure to unload "INFECTED_DEFAULT" when you're done.
22. Load each user's hive from the infected drive. You will find it at F:\Documents and Settings\UserName\NTUSER.DAT (a hidden file, which is one reason you turned hidden files on earlier) -- load it as "INFECTED_USERNAME" and go through HKEY_LOCAL_MACHINE\INFECTED_USERNAME\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce and RunOnceEx for bad entries. Do this for every profile folder that has an NTUSER.DAT, including "Default User", "LocalService" and "NetworkService" ("All Users" has none). You know the drill by now, right? Be sure to unload each hive when you're done.
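Steps 19 through 22 are the same load, export, inspect, unload cycle repeated for every hive, which is easy to get wrong by hand (forgetting to unload one is the classic mistake). The script below is an added example, not part of the original post. It assumes the infected drive is F:, the hives are under F:\Windows\System32\config (F:\WINNT on NT4 and 2000), the quarantine folder is F:\quarantine, and you are in an elevated Windows PowerShell 3.0 or later prompt, since reg.exe needs backup and restore privileges to load a hive. It backs up and prints every Run entry and says whether the program it points at is actually present on the infected drive; deleting is deliberately left to you.

```powershell
# Added example (not from the original post): steps 19-22 scripted. Loads the
# SOFTWARE and DEFAULT hives and every NTUSER.DAT from the offline infected
# drive, backs up each Run/RunOnce/RunOnceEx key to the quarantine folder as a
# .reg file, prints every entry with whether its executable exists on the
# infected drive, and unloads the hive again even if something fails.
# Assumptions: infected drive F:, hives under F:\Windows\System32\config (or
# F:\WINNT on NT4/2000), quarantine folder F:\quarantine, Windows PowerShell
# 3.0+ in an ELEVATED prompt. Nothing is deleted.
param([string]$Drive = 'F:', [string]$Quarantine = 'F:\quarantine')

$sysRoot = if (Test-Path -LiteralPath "$Drive\WINNT") { "$Drive\WINNT" } else { "$Drive\Windows" }
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null

# Name to load the hive under -> hive file. Per-user hives are added below.
$hives = @{
    'INFECTED_SOFTWARE' = "$sysRoot\System32\config\SOFTWARE"
    'INFECTED_DEFAULT'  = "$sysRoot\System32\config\DEFAULT"
}
foreach ($root in "$Drive\Documents and Settings", "$sysRoot\Profiles") {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -Force) {
        $nt = Join-Path $profile.FullName 'NTUSER.DAT'     # hidden file; "All Users" has none
        if (Test-Path -LiteralPath $nt) {
            $hives['INFECTED_' + ($profile.Name -replace '[^A-Za-z0-9]', '_')] = $nt
        }
    }
}

foreach ($entry in $hives.GetEnumerator()) {
    $keyName = $entry.Key; $file = $entry.Value
    & reg.exe load "HKLM\$keyName" $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $file"; continue }
    try {
        # In SOFTWARE the Run keys are at Microsoft\Windows\...; in DEFAULT and
        # NTUSER.DAT (user hives) they sit one level down, under Software\.
        $prefix = if ($keyName -eq 'INFECTED_SOFTWARE') { '' } else { 'Software\' }
        foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
            $regPath = "HKLM\$keyName\${prefix}Microsoft\Windows\CurrentVersion\$sub"
            $psPath  = "HKLM:\$keyName\${prefix}Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $psPath)) { continue }   # DEFAULT often has no Run key
            $backup = Join-Path $Quarantine "$keyName-$sub.reg"
            & reg.exe export $regPath $backup /y | Out-Null          # same backup as the manual Export
            Write-Host "`n[$keyName] $sub  (backup: $backup)"
            $props = Get-ItemProperty -LiteralPath $psPath
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                # Pull the executable out of the command line and map it onto the
                # offline drive (C:\... on the dead system is F:\... here).
                $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
                $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
                if ($exe -and -not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path "$sysRoot\System32" $exe }
                $onDrive = $exe -replace '^[A-Za-z]:', $Drive
                $state = if ($exe -and (Test-Path -LiteralPath $onDrive)) { 'file present' } else { 'FILE MISSING' }
                '  {0,-28} {1}  [{2}]' -f $p.Name, $cmd, $state
            }
        }
    } finally {
        [GC]::Collect()   # drop any handle the registry provider still holds on the hive
        & reg.exe unload "HKLM\$keyName" | Out-Null
    }
}
```

Read the output the same way you would read the Run key in regedit: known updaters and drivers are fine, a random name in system32 or anything under a user profile is not, and "FILE MISSING" means either an already-removed program (an entry you can delete with a clear conscience) or a path you should double-check, since %SystemRoot% is expanded using the clean machine's environment and will not match if the infected system uses WINNT. Because the .reg backups were exported from the loaded hive, they carry INFECTED_ key names; edit those out before restoring on the repaired machine, exactly as described in step 20.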
23. If you're using an external hard drive enclosure, use "Safely Remove Hardware" to remove it from your PC, turn it off, and remove the (hopefully, by now) cleaned drive. Otherwise, you need to power down your clean PC and remove the cleaned drive from the case.
24. Reinstall the cleaned drive in its own case and power on your cleaned PC.
25. If your PC absolutely refuses to boot at this point, you may have no choice but to wipe the drive clean and reinstall Windows. Make sure you have everything backed up and all your reinstall CDs and license keys handy before you do this.
26. If your PC boots, you should immediately run the anti-spyware programs in the "Cleaners" folder. If there's any spyware left on your PC, it's probably in a weakened state at this point and may succumb now. Also run your currently installed anti-virus program, or try running your anti-virus program from the "Cleaners" folder; it may or may not work. If you're certain that you have removed all malware, you may continue using your Windows install. However, if performance is unacceptable, you may have no choice but to reinstall. Some malware is so persistent that it's less effort to simply start over with a clean slate.

By
Hassan Sohail
