
How to Remove Spyware From Your PC

Andrew Brandt

Wednesday, February 21, 2007 1:00 AM PST

Manual Analysis

One of these three programs should detect and remove any spyware on your PC. In the unlikely event that you have picked up a brand-new specimen that isn't yet included in the antispyware databases, you'll have to do some cyber-investigating to find and eject the interloper.

First, examine every process running on your machine to determine whether any of them is a piece of spyware. Windows' Task Manager isn't up to this job because many spyware apps specifically hide themselves from it. Fortunately, they are less skillful at hiding from the many Task Manager alternatives. Two of my favorites are Process Explorer (which is free) and Security Task Manager (which comes in free and paid versions). Currently, only Process Explorer, which is now owned by Microsoft, is compatible with Windows Vista. A Vista-compatible version of Security Task Manager is coming, according to its producer, A&M Neuber Software. Either of these programs will show you everything that's running on your PC, and will help you determine whether a particular application should be there.

Warning: Stopping system processes and applications in this manner is risky. In some cases, if you kill the wrong program, Windows will shut down and reboot as a safety measure. While you probably won't render your system unworkable, you should back up all important documents and set a System Restore point (click Start, All Programs, Accessories, System Tools, System Restore, and follow the on-screen instructions).

Start one of the alternative Task Managers mentioned above, and closely examine the list of running applications on your PC. You're looking for something that's either out of place or behaving oddly. If you're using Process Explorer, unzip the archive you downloaded and double-click the ProcExp.exe program. Click OK after you read the initial dialog, and you'll be presented with a color-coded list of everything that's running: Programs highlighted in pink are Windows services; those in gray-blue are applications. Right-click the bar with the column names (it's just above the list of programs), and choose Select Columns. Check the Command Line box and click OK. A new column will appear, showing you the full path to each running app.

If you're using Security Task Manager, double-click the installer and step through the dialog boxes to complete the installation. The first time you run the program, it will take a moment to scan your PC. Unlike Process Explorer, Security Task Manager doesn't list Windows' own system processes (other than Explorer.exe) on this initial page. If you want to see those, click the Windows Processes button on the toolbar. The higher the utility's rating for a program, the more suspect it is. As you click the entries, the program tells you why it rated the selected application as it did. However, many legitimate programs engage in activities that Security Task Manager views suspiciously, so don't just assume that anything with a rating above 50 is dangerous; instead, use the rating as an indicator of what to look at first.

Here's where it gets tedious: If you don't know what a particular program is, what it does, or where it's supposed to live on your hard drive, you'll have to do some research. Check out the list of processes that are known to be either benign or malevolent at Uniblue Systems' WinTasks Process Library. Alternatively, you can enter the filename in a search engine and look through the results for a description of the process. Some legitimate processes get a bad rap as spyware, so it's important to corroborate any negative reports you discover.
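
The same inventory can be pulled as text for research or for sending to an expert. The script below is an added example, not part of the original article or of any tool it names; it assumes PowerShell 3.0 or later and an elevated prompt, and its "expected directories" list is an assumption used only to decide what to look at first. It reads Windows' own process list, so anything that hides from Windows itself will not appear in it.

```powershell
# Added example: list each running process with its full path, command line,
# and Authenticode signature status, with unfamiliar entries sorted to the top.

# Directories where installed software normally lives (triage assumption only;
# a file inside one of these is not automatically safe).
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }   # trailing slash so C:\WindowsFake does not match

$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $path      = $proc.ExecutablePath
    $sigStatus = 'NoPath'      # System, Idle and protected processes expose no path
    $signer    = ''

    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig       = Get-AuthenticodeSignature -LiteralPath $path
        $sigStatus = [string]$sig.Status        # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $inExpected = $false
    foreach ($root in $expectedRoots) {
        if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inExpected = $true
        }
    }

    [pscustomobject]@{
        # Review is an ordering hint, not a verdict: legitimate programs can be
        # unsigned or installed elsewhere, so research each entry before acting.
        Review      = [bool]$path -and (($sigStatus -ne 'Valid') -or (-not $inExpected))
        Name        = $proc.Name
        ProcessId   = $proc.ProcessId
        Signature   = $sigStatus
        Signer      = $signer
        Path        = $path
        CommandLine = $proc.CommandLine
    }
}

# Entries worth researching first, then everything else alphabetically.
$report |
    Sort-Object -Property @{ Expression = 'Review'; Descending = $true }, Name |
    Format-Table -AutoSize -Wrap
```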

Remove the Reprobates

If the program you want to remove from your PC doesn't have an entry in Windows' Add/Remove Programs applet in Control Panel, it has probably changed your Registry to make itself difficult to find and eradicate.

Enter HijackThis, a free program designed to remove Registry entries and other settings that spyware uses to take over your PC. Rather than removing the programs, HijackThis deletes the Registry entries that prevent you from deleting the software yourself. To familiarize yourself with how HijackThis works, read the Quick Start guide, but beware: HijackThis, if misused, can render your system unbootable. Be sure to proceed deliberately, and keep those essential backups close by.

It's a good idea to consult experts before making any changes with HijackThis. To do so, run the program by double-clicking HijackThis.exe, and then click Do a system scan and save a logfile. HijackThis will make a record of everything it finds and--in a few seconds--will create a text-file report that you can post online or send to your expert. Volunteers who use the message boards at TomCoyote, Geeks to Go, and SpywareInfo will help you sort through the log if you post it to the Malware Removal message board on any of those sites.

If you want HijackThis to dislodge a program, fill in the check box next to it and click Fix Checked at the bottom of the program window to delete the appropriate Registry entries. Then manually delete the related file. Reboot your PC into Safe Mode (press <F8> at the beginning of the reboot cycle, before the Windows logo appears), navigate to the unwanted file on your hard drive, right-click it, and select Delete. Easy as pie.

Rid Yourself of Rootkits

The nastiest spyware specimens--the worst of the worst--are rootkits. These programs hide themselves from Windows, from antispyware tools, and from utilities such as Process Explorer and Security Task Manager. If you suspect that a rootkit has invaded your PC, you still may triumph. A free utility called IceSword can find and remove many kinds of rootkits. The only downside (for all but about 1 billion of us)? The tool's instructions are in Chinese.

Fortunately, some smart people have created an illustrated guide in English for using IceSword. If you're considering using the program, read this guide carefully before you begin. As with HijackThis, a wrong move can cause serious problems.

Andrew Brandt is a security expert who originated PC World's Privacy Watch column.

