
Free spyware removal software
An introduction to some free spyware removal software and how to use it to remove spyware from your PC.
How to use HijackThis
Warning
The next program (HijackThis) scans and detects hijacks. However, it does not differentiate legitimate programs from spyware hijacks. Only remove ('fix') items that you are sure about. If unsure, do some research online or you could cause yourself problems. HijackThis does automatically create backups, which you can restore if something goes wrong.
I am going to show you how to use a tool to remove certain spyware items that keep coming back.
HijackThis is a freeware general browser hijacker detector and removal tool. The downside of it is that you have to use your own judgement to pick out the nasties. Download and run the program.
The image above shows HijackThis, version 1.99.1. Older versions may vary in appearance. Click the 'Do a system scan only' button (or 'Do a system scan and save a logfile' if that's what you want). The log file is useful if you want to send it to someone to get a second opinion on what to remove.

In HijackThis, you will see a list of items ranging from BHOs, Registry key values, Internet Explorer extra buttons, etc. Check the items that you suspect to be spyware. Let's break the suspicious items down by looking at them more closely. In the above example, we have the following checked in the order they appear:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
At first glance, the list of values looks very confusing, but if you look at the lines one chunk at a time, you will be able to make some sense out of them. Each line above shows a folder path (in the Registry). I have identified the above four as spyware-related because of the value c:\secure32.html. There should not be any HTML files on C:\, unless you put them there.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ ResultsMasterHomeLeftPane.htm
The above suggests to me that it is spyware, at a glance, because of the SmartOffers directory. Anything to do with offers, shopping, etc. should not be on the computer, unless I chose to install such items. Also, resultsmaster is not something I have come across before in Windows. I have not installed any programs from the website http://resultsmaster.com, nor have I heard of the site.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
The above are more references to the secure32.html file in different locations of the Registry.
F2 - REG: system.ini: Shell=explorer.exe "C:\Program Files\Commons Files\Microsoft Shared\Web Folders\ibm00003.exe"
I am suspicious of this item because of the ibm00003.exe file. I do not have an IBM PC or any IBM software or hardware. Even if I did, I do not think they would put items into the Microsoft Shared folder.
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
This example has '(no name)' at the beginning. Ignore the long string of letters and numbers in the curly brackets. Legitimate items would have more information than that. Also, spyware likes to hide in the system32 folder. I also do not recognise the winbrume.dll file as being a Windows file. If you see a similar file in the system32 or any other folder that you are not sure about, then look it up to make sure.
O2 - BHO: CIEIntegrator Object {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
I did some research and looked up WinAntiVirus to determine that it was spyware. Any values that you see with the WinAntiVirus name should be removed.
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\2.0.0\ShprRprt.dll
ShprRprts is short for Shopper Reports and that is my first clue. Reading to the end of the line, I see the Program Files folder with the subfolder ShopperReports, ending with a file named ShprRprt.dll, which is again short for Shopper Reports and is easily recognised.
O2 - BHO: HbTools - {74CC49F7-EB32-4A08-b204-948962a6e3DB} - C:\Program Files\HbTools\Bin\4.7.7.0\HbtHostIE.dll
HbTools is the giveaway with this item.
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\IEFWBHO.dll
WinAntiVirus Pro 2006 again.
O2 - BHO: (no name) - {BA066739-3586-3C57-8FF7-3FDD8418C2AE} - C:\DOCUME~1\USER\APPLIC~1\CITYOB~1\Body Love.exe
(no name) gives me the signal to look at this one more closely. Body Love.exe is obviously a program that shouldn't be there.
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.7.7.0\HbtHostIE.dll
There shouldn't be too many Toolbars installed so you should look at each one closely. The above leads to an HbTools folder, hence will be removed.
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
0mcamcap is located in the system32 folder. A quick search returns results of it being malware, so it should be removed.
And so on. Go through the whole list, looking at each item. If you do not recognise the companies, names of programs, etc., then look at them more closely and search for the files if unsure. There are times when spyware hides itself in legitimate folders, so look at the whole line and match up the file with the folder.
A spyware scanner may actually be able to remove some of the items that HijackThis finds, but often, it is unable to remove all of them.
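The checks used in the walkthrough above can be applied to a saved HijackThis log to produce a shortlist for manual review. This is an added example, not part of HijackThis or the original article; the sample log is constructed from entries quoted above plus one made-up benign line, and the function and variable names are assumptions.

```python
import re

# Constructed sample log: five entries quoted from the walkthrough above,
# plus one made-up benign start page for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG: system.ini: Shell=explorer.exe "C:\Program Files\Commons Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.7.7.0\HbtHostIE.dll
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

# Product names this article identified as spyware after looking them up.
NAMES_FROM_ARTICLE = ("WinAntiVirus", "ShopperReports", "HbTools")
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."

def triage(log_text):
    """Return (code, reasons, line) for each entry that needs a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, process list
        code, body = m.groups()
        reasons = []
        # R0/R1: an IE page value pointing at an HTML file directly on a drive root
        if code in ("R0", "R1") and re.search(r"=\s*[a-z]:\\[^\\]*\.html?$", body, re.I):
            reasons.append("IE page set to an HTML file in a drive root")
        # F2: Shell= should be explorer.exe alone, with nothing after it
        if code == "F2" and re.search(r"Shell=explorer\.exe\s+\S", body, re.I):
            reasons.append("extra program appended to Shell=explorer.exe")
        if code == "O2" and "(no name)" in body:
            reasons.append("BHO without a name")
        if code.startswith("O") and "\\system32\\" in body.lower():
            reasons.append("loads from system32: confirm it is a Windows file")
        for name in NAMES_FROM_ARTICLE:
            if name.lower() in body.lower():
                reasons.append("matches known name: " + name)
        if reasons:
            findings.append((code, reasons, raw.strip()))
    return findings

if __name__ == "__main__":
    for code, reasons, line in triage(SAMPLE_LOG):
        print(code, "|", "; ".join(reasons), "|", line)
```

Each flagged line is only a candidate: look the file up before checking it in HijackThis, as the warning at the top of this section says.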
Preparing for a spyware scan
In the next step, you will delete your temporary files. There will surely be some spyware and even viruses and Trojans in your Temporary Internet Files folder, but you can think of this step as maintenance too.
Temporary Internet files are not required and are only stored for the purpose of letting you load already visited webpages more quickly by reusing the files from a previous session. Deleting them will help speed up virus and spyware scans at a later stage because there would be fewer files on your PC. There may be thousands of files in the Temporary folders and it makes a big difference to scan time. Browse to the following folder:
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files

The Local Settings folder is a hidden folder but you should have already set Windows to display them. If you have not, go to the Preparing to remove spyware section.

In the folder, do Edit > Select All (or Ctrl + A) to select all files. If you have thousands and thousands of files and it takes a long time to select or delete the files, be patient but if this fails, delete a few hundred at a time. Click on the file at the top, hold the SHIFT key on your keyboard, scroll down using the scroll bar and click on another file. This will select the two files you chose and everything in between. Repeat this step until you've deleted all the files.
Alternatively, you can try the following:
Go to Control Panel > Internet Options (or Tools > Internet Options in Internet Explorer)
Click Delete Files. You can also Delete Cookies but note that any saved passwords for websites you use will be erased. This is the same if a spyware scanner removes cookies from your system.
Delete the files in the following folder.
C:\Documents and Settings\USER\Local Settings\TEMP

Edit > Select All or Ctrl + A. The files in the TEMP folder are the files that software creates and uses.

There may be some that you are unable to delete because they are in use. Delete as much as you can. Exit programs and end processes by doing Alt + Ctrl + Del, if you want to. It is not crucial to delete everything. You may even see suspicious programs in this folder, which you should try to delete.
Scan your PC with Ad-Aware
It will be near impossible to browse the whole computer (including the Registry) looking for spyware so we will employ the help of a spyware scanner. See the Spyware Removal Tools section for the tools if you haven't downloaded them already. Update the definitions.
Install Ad-Aware. Once installed, make sure you update the definition files and perform a full system scan (it should ask you if you want to update them as soon as it's installed).


Once the scan is complete, you can see what you have on your system and what kind of threat they are. Select all entries by Right-clicking > Select All Objects. Click Next to remove the spyware found in the scan. Ad-Aware or any other software may not find all the spyware on your system. If Ad-Aware tells you that some items could not be removed and asks whether you want to remove them the next time you start up Windows, choose 'Yes'.
Scan your PC with Spybot
Next, we will use another good free spyware scanner. Install and run Spybot Search and Destroy.

Create a registry backup when it asks and update the definition files when it asks, and then perform a scan.

Once the scan is complete, you will see something like the image above. You can see details of the files it finds. Select the items you want to remove (Right-click for more options) and click Fix selected problems to remove the threats.
If Spybot says that it cannot remove everything and asks whether you want it to remove the spyware on the next reboot, choose 'Yes'.
After that, look for the suspicious files that you were unable to delete and try again. If you are still unable to delete them, boot into Safe Mode. See the Preparing to remove spyware section for instructions on how to boot into Safe Mode, if required.
The next step will teach you about the Windows Registry. You may need to follow the instructions in that section and then come back to this one.
There are other spyware removal programs in the Software downloads section for you to try.