
How to delete spyware manually continued...
Find the following folder in your profile. The Application Data folder is a 'hidden' folder so you will need to tell Windows to show hidden files if you have not already done so.
C:\Documents and Settings\USER\Application Data

Spyware often hides in the Application Data folder. In the example above, the folders that I believe contain spyware have been circled in red. These are:
- WinAntiVirus Pro 2006
- cityobjfive
- HbTools
- ShopperReports
- two memo ref

If unsure of one of them, you can open the folder to see what is inside. No idea what Body Love.exe is supposed to be, other than spyware, which shouldn't be there. Holding the mouse pointer over the file brings up some details. No publisher/software vendor details are shown in the tool tip box, which is suspicious. If it were a legitimate program from, e.g. Microsoft, then it would say "Microsoft" somewhere in the tool tip.

In the example above, one of the files has an unintelligible name. The whole folder has to go. You may see other spyware hiding in there such as Gator, etc. Depending on what software you have installed, you may have other folders for legitimate programs.
In the example above, I also have:
- dvdcss
- Google
- Scansoft
- Macromedia
- Mozilla
- Sun
- Talkback
- vlc
- 'dvdcss', from doing a search for the name, I discovered that it is a component of VideoLAN Media Player, which I know I have installed.
- Google is an obvious one, and I know that I have the Google Toolbar installed.
- I know that I have a program, from the company Scansoft, installed so I know that it is safe.
- Macromedia is a big company and I know I have some of their products installed.
- Mozilla are the ones responsible for the popular web browser, Firefox.
- Sun are responsible for Java components.
- Talkback was a tricky one. After opening the folder, I found that it was to do with Mozilla.
- Finally, there's 'vlc'. I know that VideoLAN Media Player is also known as 'VLC' so I know that this is genuine.

In the image above, WinAntiVirus Pro 2006 is the only suspect. You should also look in the other folders for suspicious files, as spyware sometimes hides in them.
Typical folders in Common Files include the following:
- Adobe (especially if you have Adobe Reader installed)
- Adobe Systems Shared
- DESIGNER
- InstallShield
- Java
- Microsoft Shared
- MSSoap
- Norton
- ODBC
- Services
- SpeechEngines
- System
Not everybody will have the same programs or the same spyware infections so you will need to be diligent and decide which ones are spyware and which ones are legitimate. If unsure, search for the folder or program name. An easy way to identify some spyware is by the folder they are located in, file names, icons, etc.
In the above steps, if you find that you are unable to delete folders because certain files are in use, browse into the folder you are unable to delete and delete the files inside that you are able to delete. Once you have deleted all that you can, go to the next step.
Go to the following folder:
C:\WINDOWS\system32
In the image above, using 'Details' (View > Details), I sorted everything by Date Modified to show all the most recently created files at the bottom. This makes it easier to find newly created spyware files. Look at the selected items in the image; I believe the following four files are spyware.
- jwrknvmy.exe (unintelligible name)
- winbrume.dat (search results found this to be spyware)
- winbrume.dll (search results found this to be spyware)
Afterwards, I spotted tgwkswnju.exe further up. You can also sort the files by 'Type' to group all the .exe files so that you can browse through them more easily. Spyware scanners may find and remove these spyware files, but quite often they leave them behind. They may remove traces of them in the Registry to stop them from running, but the files may still remain on your system. They may or may not cause any more problems, but it is best to remove them. You may not spot all of them in the above folder, but you can at least remove the obvious ones.
Go to the following folder:
C:\WINDOWS\Downloaded Program Files
Delete any suspicious items. It is safe to delete all items in this folder.
Repeat the manual deletion steps above for C:\WINDOWS, C:\Program Files and other common spyware hideouts listed below:
Common spyware hideouts
- C:\
- C:\temp
- C:\Program Files (without its own folder)
- C:\Program Files\temp
- C:\Program Files\Common Files\[folder name] or not in its own folder
- C:\WINDOWS
- C:\WINDOWS\system32
- C:\WINDOWS\Downloaded Program Files
- C:\Documents and settings\USER\Local settings\TEMP
- C:\Documents and settings\USER\Local settings\Temporary Internet Files
- C:\Documents and settings\USER\Application Data
- C:\Documents and settings\Application Data
"USER" would be your own profile name. You may have more than one profile so you should repeat the steps for each different user account where it involves the C:\Documents and settings\USER\ path listed above.
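The checks described on this page (publisher details in the tooltip, sorting by Date Modified, and the hideout list) can be collected into one read-only listing. This is an added example, not part of the original tutorial; it assumes Windows PowerShell 5.1 or later, and the `$Days` parameter, the file-type filter and the function name `Get-SuspectFile` are illustrative choices.

```powershell
# Added example: read-only triage of the hideout folders listed above.
# Nothing is deleted; the output is a review list for manual checking.
param(
    [int]$Days = 30   # assumption: how far back "recently modified" reaches
)

# Environment variables stand in for the page's paths on the current profile.
$hideouts = @(
    $env:SystemRoot,                                        # C:\WINDOWS
    (Join-Path $env:SystemRoot 'system32'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files'),
    $env:ProgramFiles,
    $env:CommonProgramFiles,                                # ...\Common Files
    $env:APPDATA,                                           # ...\Application Data
    $env:TEMP                                               # ...\Local Settings\TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$types  = '.exe', '.dll', '.dat'      # file types seen in the page's examples
$cutoff = (Get-Date).AddDays(-$Days)

function Get-SuspectFile {
    param([string[]]$Path, [datetime]$Since, [string[]]$Extension)
    # -Force includes hidden items; -Depth 1 also looks inside each subfolder,
    # e.g. the per-program folders under Application Data.
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                Path      = $_.FullName
                Publisher = $_.VersionInfo.CompanyName   # vendor field shown in the tooltip
                Signature = $sig.Status                  # Valid, NotSigned, ...
            }
        }
}

# Oldest first, newest at the bottom, as in the Details view described above.
Get-SuspectFile -Path $hideouts -Since $cutoff -Extension $types |
    Sort-Object Modified |
    Format-Table -AutoSize -Wrap
```

Rows with an empty Publisher and a NotSigned status are the ones to look up by name before deciding, since legitimate files can also lack both.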
If you know the name of a spyware title (or the name of the file associated with a spyware title) that you know is on your system, you can search your hard drive for it using the Windows search utility.
Start > Search > All files and folders
Once you find it, delete it.
Check the Start Menu
You can also check your Start Menu for any programs that look like they could be spyware. Also, check the following Start Menu folder:
Start > All Programs > Startup
From there, you can do Right-click > Properties on any suspicious items to see where the spyware program is located. Click Find Target... to go straight to the program folder to remove the source files. Return to the Startup folder in the Start Menu and delete the suspicious entries.