Does your Windows machine feel more sluggish than usual? Are you getting little notifications on your taskbar that “You may not be protected”? You may have spyware or malware running a muck on your pc. Malware is getting increasingly crafty and find new places to hide and make it very difficult to get rid of. Some malware even disables your anti-virus protection to avoid being detected. The best way to deal with spyware and malware is stop them from running so anti-virus and anti-spyware programs can better clean your machine. Here are a few steps and places to check to stop spyware and malware before you run a scan.
1. Boot into Safe Mode
Booting into safe mode starts the computer with a minimum set of programs and drivers, which means some Spyware won’t run either. Restart the computer and hit the F8 key repeatedly before Windows starts. Choose Safe Mode when presented with a menu.
2. Log in as administrator
Don’t login with your normal user name. Your profile will automatically run some programs that you are not aware of and that includes malware. Once you have cleaned up you machine a bit you can then login with your account to finish cleaning. If you computer automatically logs in, Click start and Log Off. After you are at the logon screen, hit Ctlr+Alt+Del twice to bring up the user dialog box. Type in administrator and hit Enter since the password should be blank. If this doesn’t work, just login with you account. We’ll still get’em.
3. Edit or Replace your host file windows\system32\drivers\etc\hosts file
This file bypasses DNS and can be used by malware to redirect you to a malicious website. When you type citibank.com it could be taking you to a site that looks like citibank but isn’t. Unless you have a good reason to have any data in this file it is better to delete the contents of the file. Go to Windows\system32\drivers\etc\ and double click on the hosts file. Choose notepad as the program to open this with. Highlight and delete the information in this file and save it.
4. Check the corners of you registry.
Before editing the registry you should save a backup of it. http://support.microsoft.com/kb/322756
Note: you need to log in to each user account on the computer and check the HKEY_CURRENT_USER registry key for each user since it will be different for each user that logs in or you risk getting infected again after that user logs on.
These reg keys will run programs. The key should have a default value of Value “%1 %*”, if this is changed to “program.exe %1 %*”, the program.exe will be executed EVERYTIME an exe/pif/com/bat/hta is executed.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @=”\”%1\” %*”
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @=”\”%1\” %*”
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @=”\”%1\” %*”
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @=”\”%1\” %*”
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @=”\”%1\” %*”
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @=”\”%1\” %*”
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @=”\”%1\” %*”
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @=”\”%1\” %*”
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @=”\”%1\” %*”
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @=”\”%1\” %*”
Explorer runs your start menu and desktop and start every time you start windows. Check to see if the registry is pointing to explorer.exe or if it is pointed to another executable.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell
This key starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer, so if you can understand why your antivirus can’t detect the virus when you boot up. It could even kill your antivirus software before your antivirus starts up.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
5. Start Up
Here are the many places where programs get run at startup. Look at each item carefully. Find the name and path of the program that is being run. If you do not recognize it, search for it on the web to see if it is legit.
Look in the following folders and check that the registry entry to verify that they pointing to the default location listed
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”
6. Windows Scheduler:
Scheduled Tasks are a place where normally you can set a program or command to run at a certain time or every 5 minutes, so it’s a good place to check.
Go to Start-> Accessories-> System Tools-> Task Scheduler
Some tasks don’t show up in the GUI so in a command prompt type: “at”
Press enter. You should see a list of tasks that are in the Task Scheduler GUI and some that may not.
7. Batch files
Open the following files in notepad and look for any odd programs that are listed. You can comment out the program by putting REM at the start of the line so it will be ignored.
Removing Spyware and viruses
After checking all these dark corners of you computer and removing any potentially malicious programs from starting, you are giving you anti-virus and anti-spyware software the best chance to find and remove the malware.
AVG Free is a good free Antivirus program that detects many types of malware as well as viruses. Three effective anti-spyware programs are Spybot Search & Destroy, Malware Bytes, and AdAware. One pass of each of theses programs will clear your system of any unwanted processes slowing your machine down. Good Luck.