Spyware - How do I clean my PC


When my system gets infected by a virus or adware, these are the steps I take to clean up my computer. I hope they will make removing spyware, adware, malware, trojans and other kinds of viruses easier for you.

The information here is aimed at beginners as well as advanced Windows users. I will focus on two kinds of programs: free ones (AntivirGuard, SpyBot, HijackThis, Pocket KillBox) and licensed ones (Kaspersky Antivirus, AdAware).

I'll use a combination of fast (rescue) cleaning, which removes the viruses that are actively hurting system performance, and thorough cleaning, which checks every file on your system to prevent further infection. Without going into more detail, let's move on to the actual process:

EASY WAY
There is a so-called "honest" kind of spyware/adware in the wild that can be uninstalled normally, so open Add/Remove Programs and try to uninstall the suspicious entries. If that solves the problem, you're done; otherwise try the:

HARD WAY

  1. Copy and install your chosen antivirus programs from the list above to your hard drive and update them. Updating matters because an antivirus program with the newest definitions can catch more of the recent viruses.

  2. Unplug the LAN cable and start Windows in Safe Mode (restart the computer, press F8 repeatedly and select Safe Mode from the text menu). Then wait until Windows loads.
    If you are using any kind of startup manager, such as MSConfig (for Windows XP users), you must let all the startup processes load by disabling the startup manager before running HijackThis. This lets HijackThis see all the potentially problematic software that may be on your PC. After scanning with HijackThis you can go back and start the System Configuration Utility from Start->Run->msconfig. On the Services tab, uncheck 'Hide all'. Next, uncheck everything that you don't recognize (anything that looks suspicious). Apply and press OK.

  3. Start HijackThis and press 'Do a system scan only'. You'll see lots of results. These are the programs and settings loaded at startup, and it is a bit hard to distinguish a "virus" from a valid application. You will see the entries that have hijacked or redirected your browser, as well as some unneeded and possibly "virus" DLLs.
    To work out which entries are illegitimate, start the integrated Process Manager. Here you can see the DLLs used by the running applications; the entries you don't recognize are the viruses. Once you've identified them, mark the suspicious ones and press Clean. Usually viruses hide as loadable library modules (DLLs) or executable .EXE files. You can also find entries such as .htm, .html, .vbs etc. that usually affect your browser's home page.

What if the virus remains in memory?

There is still a small chance that some of the viruses will stay in your computer's memory. In that case, note down the "virus" filename, either from the antivirus program's error message or from the HijackThis log. Again:

  1. Start the HijackThis Process Manager tool from Open the Misc Tools section->Open Process Manager.
  2. Find the process created by that "filename" and send it a Kill Process command.
  3. Go to the Delete on reboot tool and type the full path to the same problematic "virus" filename.

Alternative
As an alternative for deleting the file you can use the program Pocket KillBox.

  1. Start it and enable the option Delete on reboot.
  2. Now paste the full path to the spyware "filename" from HijackThis into the field Full Path of File to Delete.
  3. Press the red cross button and then 'Yes' on Delete on reboot.

    Don't let KillBox restart the system until you've queued all the suspicious filenames for deletion. If this procedure doesn't work, just rename the infected file or directory. To do this, restart in DOS mode or the Recovery Console and use the command 'rename' or 'ren'.

Example: ren file.exe new_file.exe renames the file file.exe to new_file.exe.

Actual Cleaning

1. Restart in Safe Mode again. A message will appear saying that you are using the System Configuration Utility. Check 'do not run this at startup' and press OK.
2. At this stage it is a good idea to turn off System Restore (in Me and XP), because some viruses use the restore mechanism to reinfect the machine after the virus has been deliberately deleted.
3. Run your preferred set of antivirus programs from the list above.
4. Press Ctrl-Shift-Esc and end the processes iexplore.exe and explorer.exe.

How to use the HijackThis Process Manager?

HijackThis has its own integrated process manager that can be used to start processes/applications as well as to see which DLLs a specific process has loaded. To use it, click the Config button and then Misc Tools. You'll see a new screen with the button Open Process Manager. This screen lists all the processes currently running on your machine. Click a process to select it; the Kill Process button ends the selected process.

To see which DLLs are loaded by a particular process, check the option Show DLLs. The screen splits into two sections: the top part lists all the running processes, and when you click a process, its loaded DLLs (the libraries it is using) are shown in the bottom part of the window.
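The same "which DLLs does this process have loaded" check from step 3 and from the Process Manager description above, done in PowerShell so that "unknown to you" becomes two concrete tests: is the module outside the usual system and program directories, and does it lack a valid Authenticode signature. This is an added example, not code from the article or from HijackThis; the process name, the trusted-root list and the two tests are assumptions chosen for triage.

```powershell
# Added example, not code from the article or from HijackThis. Run from an elevated
# prompt so the modules of all processes are readable. A module is flagged when it
# lives outside the usual system/program directories or lacks a valid Authenticode
# signature. Flagged does not mean malicious: the result is a shortlist for a
# manual look, not a verdict.
param(
    [string]$ProcessName = 'explorer'   # constructed default; e.g. -ProcessName iexplore
)

# Roots where legitimately installed code normally lives (a triage assumption).
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousModule {
    param([string]$Name)
    foreach ($proc in (Get-Process -Name $Name -ErrorAction Stop)) {
        # .Modules enumerates the DLLs mapped into the process. Access is denied for
        # some protected processes, so skip those rather than abort the whole scan.
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'Unknown' }
            $reasons = @()
            if (-not (Test-TrustedPath $m.FileName)) { $reasons += 'unusual path' }
            if ($status -ne 'Valid') { $reasons += "signature: $status" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                    Flags   = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousModule -Name $ProcessName | Format-Table -AutoSize
```

Unsigned modules under Program Files are common for legitimate third-party software, so read the Flags column together with the Path before deciding anything.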


How to use HijackThis Delete on reboot?

You've surely noticed that some files are very hard to remove. HijackThis has a method by which Windows itself deletes the file before it starts up, so the file never gets a chance to load.
To use Delete on reboot:

  1. Go to Config->Misc Tools and press the Delete on Reboot button.
  2. A new window opens in which you choose the file you want deleted. Select it and press Open.
  3. You'll be asked whether you want to restart to delete the file. Press Yes.
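The Windows facility behind the "delete before it gets a chance to load" behaviour used here and in the KillBox alternative above is MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which queues the request under the Session Manager's PendingFileRenameOperations value; that HijackThis and KillBox use exactly this call is an assumption. The added example below (not code from the article or either tool) decodes that queue so you can see what is already scheduled, and queues a delete the same way.

```powershell
# Added example, not code from the article, HijackThis or KillBox. The queue lives in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and
# is carried out by the session manager early in boot, before user-mode programs run.
# That both tools use this exact mechanism is an assumption. Run elevated.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperation {
    # The value is a REG_MULTI_SZ of (source, destination) pairs; an empty
    # destination means the source is deleted, otherwise it is renamed.
    $raw = (Get-ItemProperty -Path $sessionManager -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return }
    for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) {
        $target = $raw[$i + 1]
        $op = if ($target) { 'Rename' } else { 'Delete' }
        [pscustomobject]@{
            Operation = $op
            Source    = $raw[$i] -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
            Target    = $target  -replace '^\\\?\?\\', ''
        }
    }
}

if (-not ('Win32.FileOps' -as [type])) {
    Add-Type -Namespace Win32 -Name FileOps -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
}

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    # A null destination plus the delay flag queues a delete for the next boot.
    if (-not [Win32.FileOps]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: $((New-Object ComponentModel.Win32Exception $code).Message)"
    }
}

# Audit the queue before (and after) using it: malware can use the same mechanism
# to replace or remove files at boot, so unexpected entries here deserve a look.
Get-PendingFileOperation | Format-Table -AutoSize
```

Call Remove-FileOnReboot with the full path noted from the HijackThis log, then run Get-PendingFileOperation again to confirm the entry is queued before restarting.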

2 comments:

Anonymous said...

Have you tried HijackRemote (http://www.hijackremote.com)? It connects you with a network of HijackThis analysts to clean spyware automatically, by a real person. Kind of a shortcut to posting HijackThis logs in forums.

Anonymous said...

Thanks, I'll give it a try.