Whether you are removing malware automatically with a removal tool or manually, it is important to follow a proper removal procedure to prevent permanent damage from being done to your computer system. Before removing the malware:
- Identify malware files and processes either automatically or manually before removing them.
- Determine the extent of the threat the malware may pose to your system and neutralize the threat by finding the best removal instructions for the malware.
- Back up your complete system and create an emergency boot disk before attempting any malware removal. Be sure to back up any data files that are important to you and your email files. See the pages called Creating a Windows Emergency Boot Disk and How to Backup your Data and System.
Quick Removal Tip
Removal Tips: To quickly prevent some malware from running inside your browser, if your browser is Internet Explorer version 6 you can disable third party browser Extensions. This will stop all third party toolbars and Browser helper objects from loading and run a clean instance of Internet Explorer after a reboot. This process will not eliminate adware running without the aid of your browser.
To open the Internet options dialog box, with Internet Explorer open, click “Tools” on the menu, select “Internet Options”. When the internet options dialog box appears, click on the “Advanced” tab. If you uncheck the bottom line in the figure below then reboot your computer, third party browser extensions will be disabled.
Use manual removal when removal tools fail or may fail. Identify all hostile processes before attempting any removal either manually or with a removal tool. Methods to do this include:
- Identify all hostile processes running on your computer. Use can use your task manager to identify these processes. To open your task manager, right click your task bar and select “Task Manager”. Click on the “Processes” tab. The name of the process is listed under the “Image Name” field. Don’t worry about the “System Idle Process” or “System”. Processes you should worry about normally end with “.exe”, however the Task manager only displays 15 characters so the end if the complete name may be chopped off. You can also use a personal firewall to find hostile processes over a period of time.
- Determine which processes are legitimate and which ones are possible malware processes. Here are three websites which can help:
- Task List Processes
- Windows Process Library
If these sites don’t help, find the name of the process such as processname.exe at your favorite search engine such as Google or Bing and use articles listed to find it. You can search the Web at Gigablast or Google groups which lists user questions and responses on e-mail and forum groups.
- Make a list of processes that are suspected of being malware and list the locations they are stored on the hard drive. (Use the Windows search function to find them). Check your list of suspected processes that you created these first three steps. Search your favorite search engine to find removal instructions for these processes.
- Boot to safe mode. In Windows 2000, this can be done by pressing the F8 key while the system is booting, then select “Safe Mode” from the menu. You will need to login as a local administrator. If your operating system is Windows XP or Windows Me, turn off Windows System Restore before running the scan because it may restore deleted files which support the removed adware.
- Run automatic removal tools (The first time you run these, they should be setup so they do not remove or quarantine hostile files before they are identified and researched properly). It is worth running several removal tools such as:
- spybot search and destroy
- If the adware is still there or comes back after you have run automatic tools or if you cannot find removal instructions, you may try to remove them manually following the procedure below, but keep in mind that many spyware and adware processes use tricks to prevent their removal such as:
- Changing file associations to make executable files require their program to run effectively crippling your computer if you delete or rename their file that is required to run the malware. You can check this by opening Windows Explorer or My Computer, then on the menu select “Tools”, then “Folder Options”, then click the “File Types” tab. Check to see if there is an entry for EXE extensions. If there is, click on the extension and note the name of the program associated with the entry. Then delete the entry before removing the adware process.
- Making their process restart immediately if someone tries to stop it. Usually you can boot to save mode and remove the file while in safe mode if this is the case. To remove the process:
- The below suggestions may help with manual removal.
- Stop the processes using your task manager (For Windows 2000, XP, and above).
- Determine where on your computer the files that are required to run the suspicious processes are located. You may use the Windows search function (selected by clicking on “Start”, “Search”, and selecting “For Files or Folders…”) to find the suspiciousfilename.exe.
- Delete or rename the files required to run the suspicious process. You may want to rename the files if you are not sure the process is actually a spyware or adware process.
- Save a copy of your system registry, then search your registry for entries using the name of your suspicious process and delete the ones listed in run and the runonce key entries. However, if you are not familiar with the Windows registry, it is best if you get an IT professional to help with this.
- If you still have the adware or spyware program re-appear later, you should consider using a personal firewall to help identify all hostile process when they access the internet.