Use manual removal in case automatic removal methods and tools fail. You should have already identified any malware on your system during the identification and information gathering phases discussed earlier. You should boot to safe mode before removing malware. In Windows 2000, this can be done by pressing the F8 key while the system is booting, then select “Safe Mode” from the menu. You will need to login as a local administrator after booting. To complete the manual removal process, you may need to do one or more of the following:
- Stop running malware processes – In the Task Manager, you can select a process and select “Stop Process”. However, if you are running in safe mode, malware processes should not be active.
- Modify file names – I recommend that before deleting a malware file, you first rename it. After completing the removal process and operating your system for some time, you can go back and delete the renamed file. If you rename a file, and later determine that you needed the file to operate your system, it is easier to boot to DOS mode and name it back to the original name than to try to find it in the trash bin.
- Modify system settings – You may need to modify system settings in configuration files or change file associations. To review file associations, open “My Computer” or Windows Explorer and click on “Tools”, then “Folder Options”. Click on the “File Types” tab. This will show all recognized file types on your computer and show the associated program that is used to read them.
- Modify the registry – If you need to modify your registry, you should have some computer knowledge or get an expert. In any event, it is best to back up your registry. After starting the registry editor (Select “Start”, “Run”, and type “Regedit”), select the “My Computer” selection in the registry editor, click on “Registry” in the menu, and select “Export Registry File”. Select a place to save the file and a name for the file. It is helpful if the file name indicates the date the registry was backed up.
Removal Using a Personal firewall
Use a personal firewall program such as Zonealarm to identify adware processes that may be running on your computer, especially latent processes. This will prevent adware programs from contacting the internet to produce popups, install more programs, or send information to the program creators. Identify any adware program processes then do the following:
- Use your task manager to stop them. You may need to look up the process name on Gigablast or other site such as Task List Processes at http://www.answersthatwork.com/Tasklist_pages/tasklist.htm Also depending on the type of program running, you may need to find special removal instructions since some processes try to restart themselves immediately to prevent their removal.
- Once the processes are stopped, a technical person can search the registry by looking the name of the program such as “adwarename.exe” and remove registry entries that point to these programs, especially the ones that would attempt to run these programs.
- Search your hard drive for the adware executable files programs and delete them. The personal firewall should be left in operation for about two weeks to catch any latent processes that pop up and reload more adware programs on a later date, but in any event any computer connecting to the internet that is not behind a corporate firewall should have a personal firewall.
Manual Removal for Windows 9X.
- You should check for a list of removal or hostile process identification tools in our section about removal tools.
- To begin, start windows 98 in safe mode. There are several ways to get Windows 98 into safe mode. Only one is detailed here. See How to Start a Windows 98-Based Computer in Safe Mode for detailed information.
- Click on “Start”, select “Run”, then type “msconfig” on the run line and press “Enter”.
- The System Configuration Utility dialog box will open. Be sure the “General” tab is selected.
- Click the “Advanced” button.
- When the Advanced Troubleshooting Settings dialog box appears, check the “Enable Startup Menu” selection.
- Click “OK” to exit the Advanced Troubleshooting Settings dialog box.
- Click “OK” to exit the System Configuration Utility dialog box.
- Select “Yes” when prompted to restart the computer.
- When the startup menu appears, select the safe mode option.
- After Windows 98 is in safe mode, click on “Start”, select “Run”, then type “msconfig” on the run line and press “Enter”.
- The System configuration Utility dialog box will open as shown below. Click on the Startup tab.
It is obvious that there are several adware programs running in this example.
- Using the identification and research tips mentioned in this document, look up the application names that are not known to you to determine if they are malware.
- Disable all the suspicious applications shown by unchecking the checkboxes.
- Look up all the suspicious applications program names by using the windows search function (Start-Search-For files or folders). Remove the program names associated with the adware or spyware (You can later remove it from your hard drive when you are sure your system can run without it).
- You may want to check the System registry to find hostile processes running using the registry. Check these keys:
- HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> Run
- HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> Runonce
- HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> Run
- HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> Runonce
- HKEY_USERS -> Software -> Microsoft -> Windows -> Runonce
Select the keys, then delete entries or rename files that they point to if you consider the entries to be suspicious (Back up your registry before doing this). I like to search for the text “runonce” to find all the entries.
- Reboot the machine and check to see it the malware is still running.
System file Checker (SFC)
Another helpful tool provided by Microsoft is the system file checker (SFC). It checks system files to see if they are the correct files. Sometimes malware will modify system files and the system file checker will repair this damage. System file checker will determine if any of your files are not proper or are missing. It will restore them from your Windows installation CD. This can be run by clicking on “Start”, select “Run”, then type “scf /scannow”.