How to Remove Spyware – Remove Almost All Infections (Free!)

By now you should know that even the best spyware removal software is better at preventing an infection than at removing one that is already running. Once a computer is infected, the spyware registers itself to start at logon and loads into memory every time the computer boots. Windows will not let you delete the image file of a program that is running; the process has to be stopped first. This is where on-demand scanners run from inside the infected session often get stuck. Another reason is that the spyware disables most antivirus programs and system tools that pose a threat to it, for example the Windows Task Manager.

Lately I have found a technique that removes almost all malware infections of this kind. It has worked reliably for me in a surprisingly large majority of cases, can be followed step by step, and can be repeated for almost any type of adware or spyware. In my experience it works better than any spyware removal tool you can find. It applies to all versions of Windows XP, Vista and Windows 7. The screenshots in this article are from Windows XP, but the steps are similar on the other versions.

How to remove spyware - Method Summary:
- Open Task Manager as soon as you see the desktop.
- Write down the name of the spyware showing up in Task Manager and kill it.
- Look for the spyware under C:\Documents and Settings\username\Local Settings\Application Data (C:\Users\username\AppData\Local on Vista and 7) and delete it.
- Look for the spyware in the registry and delete every entry that references it.
- Create a new user account, log in with the new account, rename the previous account's profile folder and reboot.
- Log in with your old username so that a new profile folder is created.
- Transfer your files from the old profile folder to the new one.


Step 1: Identify Spyware in memory and kill it


Turn the computer on and, as soon as you log in and see the Desktop, press Ctrl-Shift-Esc (or Ctrl-Alt-Del and click Task Manager). You have to be fast: once the spyware is up it will block Task Manager from opening. Once Task Manager is open the spyware usually cannot close it, so never close it yourself or you will not get it back until you reboot. If you cannot get it open in time, booting into Safe Mode (press F8 during startup) keeps most of these programs from starting. As soon as the spyware appears (usually a fake antivirus shield in the tray next to the clock), check the Processes tab for anything suspicious. It helps to sort the list by memory usage so that new programs stand out as they start. On Vista and Windows 7 you can also add the "Image Path Name" column (View -> Select Columns), which shows where each program is running from; anything started out of a user data folder rather than \Windows or \Program Files deserves a second look.

How can you tell that a process is suspicious? Use common sense. The process in this example is named "guxprpnshdw.exe": the name is just a bunch of letters that do not make sense. Once you have a candidate, get paper and pencil and write down the complete file name, making sure not to miss any letters. Then right-click the process and click "End Process" to remove the spyware from memory. Now hover the mouse over the fake antivirus shield without clicking it. Windows only removes the tray icon of a program that has died when the mouse passes over it, so if the shield disappears you know you have killed the fake antivirus; if it does not, you need to keep looking. Repeat with the next suspicious-looking process until you find the right one, and always write down the name before clicking "End Process". Be careful not to end core Windows processes such as explorer.exe, winlogon.exe or csrss.exe; ending them will log you off or crash the system.


Step 2: Remove spyware from hard drive and registry


Once you have the name of the file, open "My Computer" and click Tools -> Folder Options -> View and select "Show hidden files and folders". On Vista and Windows 7 go to Control Panel -> Folder Options and do the same. Then go to "C:\Documents and Settings\" ("C:\Users\" on Vista and 7) and look for the folder with your username. If the computer logs in automatically or you are not sure of your username: on Windows XP press Ctrl-Alt-Del and the dialog shows who you are logged in as, on Windows 7 click Start and the username is shown at the top right of the menu, and on any version typing "echo %USERNAME%" at a command prompt prints it. Once you know your username go to "C:\Documents and Settings\username\Local Settings\Application Data\". On Vista and Windows 7 the same folder is "C:\Users\username\AppData\Local\" (typing %LOCALAPPDATA% into the address bar takes you there), and it is worth checking "C:\Users\username\AppData\Roaming\" and "C:\ProgramData\" as well. Look for a folder with a suspicious name. In this example the folder is called "xyfbofkle"; again, the name does not make any sense. Inside it you should find a program with the name of the spyware we identified, in this case "guxprpnshdw.exe". If you find it, write down the name of the folder and delete the whole folder. If Windows refuses because the file "is being used by another person or program", the process is still running (or has been restarted) and you need to go back to Task Manager.

Next, open the registry editor by clicking Start -> Run, typing "regedit" and pressing Enter. Before deleting anything, use File -> Export to save a copy of the whole registry so you can restore it if something goes wrong. Use Edit -> Find (Ctrl-F) to search for the spyware's file name with "Keys", "Values" and "Data" all ticked; delete each value or key that contains it and press F3 to find the next one. When you reach the end of the registry, repeat the search with the spyware's folder name. The entry that starts the spyware at logon is usually a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so check that key by hand as well. This should remove the spyware from your computer for good. However, there is one extra step we can take to make a recurrence less likely.
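The triage in Steps 1 and 2 can be scripted. The PowerShell script below is an added example and is not code from the original article: it lists running processes whose executable lives in a user-writable data folder (the Local Settings\Application Data, AppData, ProgramData and Temp locations mentioned above) or has a random-looking name, lists the Run/RunOnce entries that point into those folders, and, only when you call Remove-Suspect with the file name you wrote down, stops the process, deletes the file and removes the matching autostart values. It assumes Windows Vista or 7 with PowerShell 2.0 (on XP PowerShell has to be installed separately and $env:LOCALAPPDATA is not set, which is why the XP path is listed explicitly) and an elevated prompt for the HKLM keys. The Test-RandomName vowel-ratio rule is my own heuristic, not anything from the article, and it will produce false positives, so treat the output as a list to check, not a verdict. Unlike the article, it deletes the folder only if it is empty after the file is gone; anything else in it is left for you to look at.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
# Scripts Steps 1 and 2: find programs running out of user-writable data folders and
# the autostart entries that launch them; remove a named one on request.

# Folders where the article's spyware hides. The XP path is listed because
# $env:LOCALAPPDATA does not exist there; Test-Path drops the entries this machine lacks.
$SuspectRoots = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:ProgramData,
    $env:TEMP,
    "$env:USERPROFILE\Local Settings\Application Data"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object { $_.TrimEnd('\') }

function Test-RandomName {
    # Heuristic for names like "guxprpnshdw" (assumption: my own rule of thumb):
    # eight or more letters only, with fewer than one vowel in four. Expect false positives.
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 8 -or $base -notmatch '^[a-z]+$') { return $false }
    $vowels = [regex]::Matches($base, '[aeiou]').Count
    return ($vowels / $base.Length) -lt 0.25
}

function Test-InSuspectRoot {
    param([string]$Path)
    foreach ($root in $SuspectRoots) {
        if ($Path.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspectProcess {
    # Step 1: what is running, and from where. Output is a list to review, not a verdict.
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # access denied on some system processes
        if (-not $path) { continue }
        $inUserDir = Test-InSuspectRoot $path
        $randomName = Test-RandomName $p.ProcessName
        if ($inUserDir -or $randomName) {
            New-Object PSObject -Property @{
                Id = $p.Id; Name = $p.ProcessName; Path = $path
                InUserDir = $inUserDir; RandomName = $randomName
            }
        }
    }
}

function Get-SuspectAutostart {
    # Step 2, registry half: Run/RunOnce values whose command points into a suspect folder.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are not values
            $cmd = [string]$prop.Value
            $hit = $false
            foreach ($root in $SuspectRoots) { if ($cmd -like "*$root\*") { $hit = $true } }
            if ($hit) { New-Object PSObject -Property @{ Key = $key; Name = $prop.Name; Command = $cmd } }
        }
    }
}

function Remove-Suspect {
    # Steps 1 and 2 for one file name you wrote down, e.g. Remove-Suspect guxprpnshdw.exe
    param([Parameter(Mandatory = $true)][string]$ExeName)
    $base = [IO.Path]::GetFileNameWithoutExtension($ExeName)
    # Stop it first: Windows will not delete the image file of a running process.
    Get-Process -Name $base -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($root in $SuspectRoots) {
        Get-ChildItem -LiteralPath $root -Filter $ExeName -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if (-not (Test-Path -LiteralPath $_.FullName)) { return }   # roots can nest (Temp is under AppData\Local)
                Write-Host "Deleting file $($_.FullName)"
                Remove-Item -LiteralPath $_.FullName -Force
                $dir = $_.DirectoryName
                # The article's case is a random-named folder holding only the executable; remove it
                # once empty, but never a root folder and never one that still holds other files.
                if (-not ($SuspectRoots -contains $dir) -and
                    -not (Get-ChildItem -LiteralPath $dir -Force | Select-Object -First 1)) {
                    Write-Host "Removing now-empty folder $dir"
                    Remove-Item -LiteralPath $dir -Force
                } else {
                    Write-Host "Left folder $dir in place; review its contents by hand"
                }
            }
    }
    # Finally drop the autostart values that reference it (HKLM ones need an elevated prompt).
    Get-SuspectAutostart | Where-Object { $_.Command -like "*$ExeName*" } | ForEach-Object {
        Write-Host "Removing $($_.Key)\$($_.Name)"
        Remove-ItemProperty -Path $_.Key -Name $_.Name
    }
}

# Usage: review first, then remove the one you identified.
Get-SuspectProcess | Format-Table Id, Name, InUserDir, RandomName, Path -AutoSize
Get-SuspectAutostart | Format-Table Key, Name, Command -AutoSize
# Remove-Suspect guxprpnshdw.exe
```

The location test is the one that matters; the name heuristic only orders the list. Legitimate software (updaters, some chat clients) does run from AppData, so confirm a hit the same way the article does, by ending the process and watching whether the fake shield disappears, before calling Remove-Suspect. Registry searches for the folder name beyond the Run keys still have to be done in regedit as described above.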


Step 3: Disable your old profile and create new one


To be on the safe side and reduce the chance of the malware coming back, we are going to create a new user profile folder and retire the current one. Create a new user account and make sure to give it administrator rights. Reboot the computer (do not just log off or switch users) and log into the newly created account. Then go to "C:\Documents and Settings\" ("C:\Users\" on Vista and 7) and rename your previous account's profile folder. I usually add ".old" at the end: if the original folder is "\administrator\", I rename it to "\administrator.old\" so that Windows no longer recognizes it. Now reboot again and log in with your old username; this creates a brand new profile folder under your old username. One caveat for Vista and Windows 7: Windows keeps a record of each profile's folder under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, and if the folder named in that record is missing it logs you on with a temporary profile instead of building a fresh one. On those versions, after renaming the folder, delete the ProfileList subkey whose ProfileImagePath points at the original folder; the next logon then creates the new profile. Next, transfer what you want to keep from the ".old" folder to the new one. Don't transfer everything, or you risk carrying what is left of the spyware into the new account; in particular leave "Local Settings" ("AppData" on Vista and 7) behind, since that is where the spyware lived. I usually copy "My Documents", "Desktop" and "Favorites" and nothing else, and I skip any .exe or other program file found in them. When finished you can delete the ".old" folder and remove the temporary administrator account you created at the beginning (Control Panel -> User Accounts), together with its folder.
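The two parts of Step 3 that are easy to get wrong on Vista and Windows 7, the stale profile record and the selective copy, look like this in PowerShell. This is an added example, not code from the original article, and the account name "alice" and the folder names "C:\Users\alice" and "C:\Users\alice.old" are assumptions for illustration. It is meant to be run from the temporary administrator account, from an elevated prompt, after the old folder has been renamed; on XP the folders are "My Documents" under "C:\Documents and Settings" and robocopy has to be installed from the Resource Kit.

```powershell
# Added example, not from the original article. Run as the temporary admin account from an
# elevated PowerShell prompt on Vista/7, after renaming the infected account's folder.
# Assumed names: the infected account is "alice", its folder was renamed to "alice.old".
$OldProfile = 'C:\Users\alice.old'
$NewProfile = 'C:\Users\alice'

function Get-ProfileRecord {
    # Windows keeps one subkey per profile (named by the account's SID) holding its folder path.
    # On Vista/7 a record whose folder is missing gets a temporary profile at logon, so the
    # record that still points at the original folder has to go before alice logs in again.
    param([string]$FolderPath)
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $list) {
        $rec = Get-ItemProperty -Path $key.PSPath
        if ($rec.ProfileImagePath -ieq $FolderPath) {
            New-Object PSObject -Property @{ Sid = $key.PSChildName; Key = $key.PSPath; Path = $rec.ProfileImagePath }
        }
    }
}

function Remove-ProfileRecord {
    param([string]$FolderPath)
    Get-ProfileRecord -FolderPath $FolderPath | ForEach-Object {
        Write-Host "Removing profile record $($_.Sid) -> $($_.Path)"
        Remove-Item -Path $_.Key -Recurse
    }
}

function Copy-UserData {
    # The article's rule: take Documents, Desktop and Favorites and nothing else.
    # One refinement: skip program files, which is how a leftover copy could be carried across.
    param([string]$From, [string]$To)
    $folders = 'Documents', 'Desktop', 'Favorites'      # 'My Documents' on XP
    $skip = '*.exe', '*.dll', '*.scr', '*.com', '*.pif', '*.bat', '*.cmd', '*.vbs', '*.js'
    foreach ($f in $folders) {
        $src = Join-Path $From $f
        if (-not (Test-Path -LiteralPath $src)) { continue }
        # robocopy ships with Vista and 7: /E copies subfolders, /XF excludes files by pattern,
        # /R:1 /W:1 keep it from retrying locked files for ages. The array expands to one argument each.
        & robocopy $src (Join-Path $To $f) /E /XF $skip /R:1 /W:1 /NP
    }
}

# 1. Before alice logs in again: show, then remove, the record that points at the renamed folder.
Get-ProfileRecord -FolderPath $NewProfile | Format-Table Sid, Path -AutoSize
# Remove-ProfileRecord -FolderPath $NewProfile
# 2. Reboot, log in as alice (a fresh profile is built), then copy only the documents:
# Copy-UserData -From $OldProfile -To $NewProfile
```

Run the listing first and confirm that exactly one record, with the path you renamed, comes back before uncommenting the removal; the other subkeys belong to the built-in service accounts and the other users on the machine.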


And you are done! As easy as that: no more spyware. This will not work 100% of the time, because not all spyware behaves the same way; some cannot even be terminated from Task Manager, they just won't close. But it works in the large majority of cases and, as I said before, in my experience it works better than even the best spyware removal program on the market today. I can say with some confidence that 90% (or probably more) of the malware infections you encounter can be removed with this method.

3 comments:

  1. Pablo Garcia, 1. September 2011, 21:00

    Hi Chris
    You can do it however you like; however, the way I do it is: I start killing suspicious processes with strange names. I realize that it can be a little hard, especially when you are not familiar with the names of the "normal" processes. But it is the quickest way.

  2. Chris, 28. August 2011, 1:44

    “Identify spyware in memory and kill it”

    Sounds easy but is not. Identifying who is “bad guy” vs “good guy” is no easy task. There are a LOT of things that show in task manager that, let’s face it, if you are not familiar with what is normally OK, you would have to do a lot of investigating as to what is spyware and what is not.

    What I do is use “hijack this” and print the list that you get. Then on paper I go to another computer that I know is good and secure and google search all of it one by one. Then you can go back to the infected computer and kill what you now know for sure is spyware.

  3. Sugiarto S, 30. July 2011, 4:50

    Nice, I like this :), I really need this article, tq :p
