Spyware Removal Procedures

For the sake of this procedure, all software that causes unnecessary network traffic, involuntary pop-ups, Internet Explorer hijacking, and spyware functions will be classified as spyware.

The first step in removing spyware from a PC is installing and running Spybot Search & Destroy. This can be downloaded from http://security.kolla.de. Spybot S & D may not find all of the offending software. If this is the case, you must edit the registry to clean the PC. In order to proceed you will need to be logged in with administrator privileges and have a notepad and something to write with.

Step One: Open regedit and navigate to the following key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* Look for entries that you don't recognize as valid. When in doubt, look it up.
* If there are entries that point to spyware software, note the file name and path of each entry and then delete the value from the registry. If no entries were found, proceed to Step Two.
* If the entries were pointing to an application, open the Task Manager and end each of the processes. E.g., if the entry was pointing to msbb.exe, then end the process msbb.exe.
* Navigate to the path noted and delete the directory and files.
* Open Add/Remove Programs and remove any spyware installed.
* Reboot the PC and verify no spyware is running. If spyware is running, repeat Step One.

Step Two: Open regedit and navigate to the following key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
* Look for the value "load". If the value is present and has an entry, verify the entry is valid. If the entry is not valid, note the file name and path and then delete the entry.
* Navigate to the path noted and delete the directory and files.
* Reboot the PC and verify no spyware is running. If spyware is running, proceed to Step Three.

Step Three: Open regedit and navigate to the following key.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
* Verify the value "Search Bar" is the desired entry (msn or google, etc.)
* Verify the value "Search Page" is the desired entry (msn or google, etc.)
* Verify the value "Start Page" is the desired entry (msn or google, etc.)
* If any of the entries are not valid, change them to a valid entry.
* Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
* If there are entries that point to spyware software or URL, note the file name and path of each entry and then change it to a valid entry.
* Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
* If there are entries that point to spyware software or URL, note the file name and path of each entry and then change it to a valid entry.
* Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
* If there are entries that point to spyware software or URL, note the file name and path of each entry and then change it to a valid entry.
* Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars and branch it out so all sub keys are visible.
* If there are entries that point to spyware software, note the file name and path of each entry including the ID and then delete the value from the registry.
* Navigate to HKEY_LOCAL_MACHINE\SOFTWARE. Look for software that you don't recognize as valid. When in doubt, look it up. If there are entries that point to spyware software, note the file name and path of each entry and then delete the keys from the registry.
* Navigate to HKEY_CURRENT_USER\Software. Look for software that you don't recognize as valid. When in doubt, look it up. If there are entries that point to spyware software, note the file name and path of each entry and then delete the keys from the registry.
* Browse to each of the following directories and look for directories/files that you don't recognize as valid.
  C:\WINNT\Downloaded Program Files
  C:\\Local Settings\Temp
  C:\ \Application Data
  C:\Program Files
  C:\Program Files\Common Files
  C:\
* If any are found, note the file name and path and delete the directory (if created by the spyware) and file(s). (If you are unable to delete the directory/file, note them as such and we will address this below.)

Step Four:
* Search the registry for ALL of the noted files, including any IDs you've discovered throughout this entire procedure. (Yes, I know this can be very time consuming.)
* If there are entries found, modify if necessary or delete the keys/values from the registry.
* When you are sure that all registry pointers have been removed, reboot the PC.
* If you were unable to delete any directories/files previously, navigate to them and delete them. If you are still unable to delete them, repeat Step Four.

Common Spyware:
Gator GAIN MSBB a.k.a. 180 Solutions Xupiter MSIETSLink nCase Btlink BTIEIN MyWay MyBar Spvic BonziBuddy Precision Time Date Manager WeatherBug CasinonetInstaller KaZaa KaZaaLite Morpheus iMesh Cydoor New.net ezula CommonName Comet Systems
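
The registry locations named in Steps One to Three can be collected in one read-only pass and saved for the Step Four search, instead of being noted by hand. The PowerShell below is an added example, not part of the original procedure; the output file name spyware-audit.csv and the rule used to pull an executable path out of a Run or "load" entry are assumptions.

```powershell
# Added example: read-only audit. Nothing is deleted or modified.
# '*' means "report every value under this key".
$targets = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'        = @('*')
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' = @('load')
    'HKCU:\Software\Microsoft\Internet Explorer\Main'            = @('Search Bar', 'Search Page', 'Start Page')
    'HKCU:\Software\Microsoft\Internet Explorer\Search'          = @('*')
    'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'       = @('*')
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search'          = @('*')
}
$bars = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars'

$report = @(
    foreach ($key in $targets.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item  = Get-Item -LiteralPath $key
        $names = $targets[$key]
        if ($names -contains '*') { $names = $item.GetValueNames() }
        foreach ($name in $names) {
            $data = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($data)) { continue }
            $exe = $null; $exists = $null
            # Run and "load" data is a command line: extract the program path
            # (assumed rule: quoted path first, else text up to the first .exe).
            if ($key -match '\\(Run|Windows)$') {
                if     ($data -match '^\s*"([^"]+)"')    { $exe = $Matches[1] }
                elseif ($data -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
                if ($exe -and [System.IO.Path]::IsPathRooted($exe)) {
                    $exists = Test-Path -LiteralPath $exe
                }
            }
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data; File = $exe; FileExists = $exists }
        }
    }
    # Explorer Bars: list every subkey (the IDs the procedure says to note).
    Get-ChildItem -LiteralPath $bars -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Key = $_.Name; Value = '(subkey)'; Data = ''; File = $null; FileExists = $null }
    }
)

$report | Format-Table -AutoSize -Wrap
# Hypothetical output file; keep it as the written record for Step Four.
$report | Export-Csv -Path "$env:USERPROFILE\spyware-audit.csv" -NoTypeInformation
```

Review the table by hand as the steps describe; an entry whose FileExists column is False points at a file that is already gone, which leaves only the registry value to clean up.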