Remove spyware from Registry
Be very careful when making changes to the Registry. Deleting the wrong item can cause serious problems, up to Windows failing to start. Back up the Registry before you begin: at the very least, export the Key you are about to edit (File > Export in the Registry Editor) so that you can merge it back if something breaks.
Many of the values shown in this guide will differ from those on your PC, depending on what software is installed, what spyware or viruses the PC is infected with, and so on. The values in this guide are examples only. Use your own judgement to decide what is safe and what is a threat, and research anything you are unsure about before deleting it.
The Registry is where Windows and most installed programs store their settings. It can be considered the 'heart' of the operating system: it determines what runs and how, how everything looks, which settings are used, and so on. On an infected system there will be spyware entries in the Registry. Some spyware is sneaky and sets up instructions to restore itself every time it is deleted, and most spyware adds start-up instructions to the Registry so that it runs every time you turn on your computer. To begin with, we will remove the start-up entries. You will need the Registry Editor, a program built into Windows that lets you view and change the Registry.
Start > Run > type "REGEDIT"
Click OK or press ENTER on your keyboard.
The Registry Editor will now look something like the above, with the folders opened. The large right-hand pane lists the items in the Run folder. The tree structure is on the left; you can double-click a folder, click its '+', press ENTER, or press the Right arrow key to open it and display its contents. I recommend the cursor keys: press Down to select a folder, then Right to open it, and repeat until you reach the folder you are looking for.
Finding spyware in the Registry
In the image above, the items in the right pane are the programs that run when Windows starts. We have a rather long list, which is normally a bad sign. The shorter the list the better: every extra program that runs at start-up slows down the Windows boot because there is more to load, and a long list often means a lot of unnecessary programs, and possibly spyware, are running. The items in the example above are listed below.
I have picked out what I believe to be legitimate and what I believe to be spyware: the red items are possible spyware threats and the blue items are what I believe to be legitimate. How do you tell them apart? There is no guarantee that you will spot all of them, but there are a few ways to pick them out, listed below:
1. Unintelligible names - Look out for items with names like "zhxda6en". These are quite easy to pick out.
2. Items with the following in the name:
- Autocomplete / Autofill
- Peer to Peer / P2P
The above is not an exhaustive list, simply something to give you a better idea of what to look for. Some legitimate programs also use these words. If unsure, search the Internet.
3. Misspelt words - You might see something like exxplorer.exe (like explorer.exe) or miccrosoft (like microsoft). This is done in the hope that you mistake them for the originals and do not get suspicious.
4. The path - If the path (shown in the Data column) leads to one of the following locations:
- C:\Program Files (without its own folder)
- C:\Program Files\temp
- C:\Program Files\Common Files\[folder name] or not in its own folder
- C:\Documents and settings\USER\Local settings\TEMP
- C:\Documents and settings\USER\Local settings\Temporary Internet Files
- C:\Documents and settings\USER\Application Data
- C:\Documents and settings\Application Data
Very few, if any, genuine start-up programs store their files in the locations above. In particular:
- C:\ without a folder. Any genuine program would at least have its own folder on C:\, e.g. C:\A-Program-Name, although even that is uncommon, as programs are normally installed under Program Files.
- A program is normally in its own folder under Program Files; if it is outside Program Files, be suspicious.
- Generally, very few programs located anywhere in the Common Files area run at start-up.
5. Icons - If it has a pornographic or 'fun' icon and it is in a system folder or in C:\, then consider whether it is supposed to be there.
6. Unrecognised - If you spot a program name that you know you never installed, look into it, as it may be spyware. For example, if you see something like norton.exe, or a folder called norton, when you have never installed Norton and use McAfee AntiVirus, be suspicious.
You should keep the start-up list short by deleting non-essential programs, meaning anything that is not related to drivers. Few Windows programs need to be in the list, because the Windows components that must run at start-up already run as services; I often expect no Windows programs at all in the Run list. If you see something that looks like WinUpdates (resembling Windows Update), the chances are it is fake. Spyware and viruses often try to mimic genuine Windows processes.
Now that you know the signs, combine all the points, compare, analyse and judge what you have in the Run, RunOnce, etc. Registry areas listed below. When you see a suspicious item, delete it. If unsure, search the Internet.
When you select (open) a folder, its Registry values appear in the right-hand pane. Each folder in the left column is known as a "Key" or "Registry Key".
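The checks above can be combined into a small triage script. The following Python is an added example, not code from the original guide: it encodes rules 1 to 4 and 6 as functions (rule 5, icons, needs the file itself) and runs them over a constructed sample of Run-key entries. The sample names and paths, the keyword and known-name lists and the thresholds are my assumptions, and an empty result means "no indicator found", not "safe".

```python
"""Triage of Windows Run-key entries using the rules of thumb from the guide above.
Added example, not code from the original guide. Keyword and known-name lists,
thresholds and the sample entries at the bottom are assumptions made for illustration.
"""
import re
from pathlib import PureWindowsPath

SUSPECT_WORDS = ("autocomplete", "autofill", "peer to peer", "p2p")  # rule 2
# Names malware mimics by misspelling (exxplorer, miccrosoft, ...): rule 3
KNOWN_NAMES = ("explorer", "svchost", "microsoft", "windows", "winlogon")
# Windows-sounding names the guide says are usually fake (WinUpdates and friends)
FAKE_WINDOWS = re.compile(r"^(win|ms|microsoft)\w*(update|secur|defend|system)")
# Directory fragments (XP-era layout, as in the guide) genuine start-up programs rarely use: rule 4
SUSPECT_DIRS = (r"\local settings\temp", r"\local settings\temporary internet files",
                r"\application data", r"\program files\temp", r"\program files\common files")

def edit_distance(a, b):
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_unintelligible(token):
    """Rule 1: names like 'zhxda6en', a digit wedged between letters and hardly any vowels."""
    if len(token) < 6 or not token.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in token)
    return bool(re.search(r"[a-z]\d+[a-z]", token)) and vowels / len(token) <= 0.25

def executable_path(data):
    """Pull the program path out of the Data column, which may carry quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return PureWindowsPath(data[1:end] if end > 0 else data[1:])
    m = re.search(r"\.exe\b", data, re.IGNORECASE)
    return PureWindowsPath(data[:m.end()] if m else (data.split() or [""])[0])

def path_reasons(path):
    """Rule 4: where the file lives."""
    if not path.anchor:  # bare command such as RUNDLL32.EXE: no directory to judge
        return []
    parent = str(path.parent).lower()
    reasons = []
    if path.parent == PureWindowsPath(path.anchor):
        reasons.append("file sits directly in the drive root")
    elif parent.endswith(r"\program files"):
        reasons.append("file sits directly in Program Files, not in its own folder")
    return reasons + ["runs from suspicious location: " + d for d in SUSPECT_DIRS if d in parent]

def classify(label, data, uninstalled_vendors=()):
    """Return the guide's indicators that apply to one Run value (its name and Data column)."""
    path = executable_path(data)
    tokens = [label.lower()]
    if path.stem.lower() not in tokens:
        tokens.append(path.stem.lower())
    reasons = []
    for t in tokens:
        if looks_unintelligible(t):
            reasons.append(f"unintelligible name: {t}")
        if len(t) >= 6:  # one or two letters off a well-known name
            reasons += [f"look-alike of '{k}': {t}" for k in KNOWN_NAMES
                        if t != k and edit_distance(t, k) <= 2]
        if FAKE_WINDOWS.match(t) and "\\windows\\" not in str(path).lower():
            reasons.append(f"Windows-sounding name outside the Windows directory: {t}")
    text = " ".join(tokens)
    words = [w for w in SUSPECT_WORDS if w in text]
    if words:
        reasons.append("suspect keyword(s): " + ", ".join(words))
    for v in uninstalled_vendors:  # rule 6: a vendor you know you never installed
        if v.lower() in text or v.lower() in str(path).lower():
            reasons.append(f"references software you never installed: {v}")
    return reasons + path_reasons(path)

# Constructed sample of a Run key's right pane (not taken from a real machine).
SAMPLE_RUN_ENTRIES = {
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "QuickTime Task": r'"C:\Program Files\QuickTime\qttask.exe" -atboottime',
    "zhxda6en": r"C:\Documents and Settings\User\Local Settings\Temp\zhxda6en.exe",
    "exxplorer": r"C:\WINDOWS\exxplorer.exe",
    "WinUpdates": r"C:\Documents and Settings\User\Application Data\winupdates.exe",
    "P2P Autofill helper": r'"C:\Program Files\autofillp2p.exe" /silent',
}

def triage(entries, uninstalled_vendors=()):
    """Classify every (name, data) pair; an entry mapping to [] showed no indicator."""
    return {n: classify(n, d, uninstalled_vendors) for n, d in entries.items()}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(f"{name:22} {'; '.join(reasons) or 'no indicator'}")
```

Pass the names of products you know you never installed through `uninstalled_vendors` (for example `("Norton",)` on a McAfee machine) to get rule 6; everything else is judged from the value name and the Data column alone, so a clean result still deserves the Internet search the guide recommends.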
Where in the registry to look for spyware
Visit the following Registry Keys:
The above is a path: each folder (Key) is separated by a backslash, and you open the folders in that order, from left to right.
Once you have found the Key (Run), delete the values you believe are malicious (look up the ones you are not sure about). Each value is an instruction for Windows to run the program it points to when Windows starts. The Data column also shows where the programs (including spyware) live on disk, so you can find the files and delete them too. Repeat the above for the following areas.
Alternatively, for the above step, you can use the built-in Windows System Configuration Utility (MSCONFIG), which lists the same start-up entries and lets you untick them instead of deleting the Registry values:
Start > Run > type "MSCONFIG" > Startup tab
Check the following Registry Key areas. If you have performed the HijackThis step, then you may have already removed the bad values. With the two below, if you see a suspicious value, change it to something you want to use.
At the following locations, delete any suspicious entries.
The 'Run' lists may legitimately be empty, but make sure you do not delete values that load your drivers. What should and should not run depends on the software and hardware you have installed. Deleting a driver's start-up entry may not be fatal, but the hardware or peripheral the driver serves may not work the next time you start Windows, because you will have deleted the instruction that loads it.
You may also find programs such as RealPlayer, Nero, QuickTime, etc. in the 'Run' lists. You can delete these, since they are not essential to the running of your PC. In fact, the more of these non-essential programs there are, the slower Windows loads, so I recommend removing them and keeping only the essentials and the programs you use frequently.
You can also find spyware Keys in the following locations:
Spyware removal tools do not remove these. You can delete them if you want to, but only after you have removed the spyware by the other methods (Add/Remove Programs, manual deletion of the files, etc.), and only if you are absolutely sure that the item is spyware.
Spyware that keeps coming back
There are times when spyware entries in the 'Run' keys restore themselves right after you delete them. No legitimate program does this. In such cases, locate the program file (.exe) by reading the Data column to see where the program lies, then find it and delete it. If the file is in use, end the process in Task Manager (Ctrl + Alt + Delete, or Ctrl + Shift + Esc) and then try again.
If that fails, search the Registry (Edit > Find) for the name of the suspicious item.
Each time you find a match, delete it and use Edit > Find Next (or the F3 key) to find the next one. If the entry keeps coming back, repeat the search with the file name at the end of the Data path, e.g. filename.exe. Likewise, if you find a .exe somewhere on your hard drive that comes back after you delete it, search the Registry for that .exe. Unfortunately, there are many other places in the Registry where malicious code can hide, so it is not possible to list them all. If you find a suspicious DLL file in C:\ or in the System32 directory, you can also search the Registry for that particular DLL.
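The two procedures above, reading the Run/RunOnce values and then hunting for every other place a name appears (the Edit > Find and F3 loop), as an added Python example that is not part of the original guide. It reads the live Registry through the standard library's winreg module when run on Windows and otherwise runs against a constructed in-memory tree; the Run/RunOnce key paths it visits are the standard Windows autostart locations, supplied here rather than copied from the guide, and the sample entries are invented. It only reads: review the hits, back up, then delete by hand in the Registry Editor.

```python
"""Read-only Registry walk: list the Run/RunOnce values, then hunt for every other key
name, value name or value data that mentions a suspicious name (regedit's Edit > Find
and F3 loop, done exhaustively). Added example, not code from the original guide; the
autostart key paths are the standard Windows locations and the sample rows are invented.
"""
try:
    import winreg  # Windows only
except ImportError:  # elsewhere only the in-memory reader below is usable
    winreg = None

AUTOSTART_KEYS = [  # per-user (HKCU) and machine-wide (HKLM) start-up keys
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

class WinregReader:
    """Reads the live Registry; keys you cannot open, or that do not exist, read as empty."""
    def __init__(self):
        self.hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    def subkeys(self, hive, path):
        try:
            with winreg.OpenKey(self.hives[hive], path) as k:
                return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return []
    def values(self, hive, path):
        try:
            with winreg.OpenKey(self.hives[hive], path) as k:
                rows = [winreg.EnumValue(k, i) for i in range(winreg.QueryInfoKey(k)[1])]
                return {name: data for name, data, _type in rows}
        except OSError:
            return {}

class DictReader:
    """Same interface over a nested dict {hive: {"keys": {name: node}, "values": {name: data}}}."""
    def __init__(self, tree):
        self.tree = tree
    def _node(self, hive, path):
        node = self.tree.get(hive, {})
        for part in filter(None, path.split("\\")):
            node = node.get("keys", {}).get(part, {})  # a missing key reads as empty
        return node
    def subkeys(self, hive, path):
        return list(self._node(hive, path).get("keys", {}))
    def values(self, hive, path):
        return dict(self._node(hive, path).get("values", {}))

def make_tree(rows):
    """Build a DictReader tree from (hive, key path, value name, data) rows."""
    tree = {}
    for hive, path, name, data in rows:
        node = tree.setdefault(hive, {"keys": {}, "values": {}})
        for part in path.split("\\"):
            node = node["keys"].setdefault(part, {"keys": {}, "values": {}})
        node["values"][name] = data
    return tree

def walk(reader, hive, path=""):
    """Yield (key path, values) for a key and everything beneath it, depth-first."""
    yield path, reader.values(hive, path)
    for name in reader.subkeys(hive, path):
        yield from walk(reader, hive, f"{path}\\{name}" if path else name)

def list_autostart(reader):
    """What regedit shows in the right pane of each Run/RunOnce key: (key, name, data) rows."""
    return [(f"{hive}\\{key}", name, str(data))
            for hive, key in AUTOSTART_KEYS
            for name, data in reader.values(hive, key).items()]

def find_references(reader, needle, hives=("HKCU", "HKLM")):
    """Every key name, value name or value data containing needle, case-insensitively."""
    needle = needle.lower()
    hits = []
    for hive in hives:
        for path, values in walk(reader, hive):
            if needle in path.rsplit("\\", 1)[-1].lower():
                hits.append((f"{hive}\\{path}", "<key name>", ""))
            hits += [(f"{hive}\\{path}", name, str(data)) for name, data in values.items()
                     if needle in name.lower() or needle in str(data).lower()]
    return hits

# Constructed sample: one legitimate entry, one suspicious program registered under two
# different keys (so deleting one value is not enough) and a leftover key named after it.
SPYWARE_EXE = r"C:\Documents and Settings\User\Local Settings\Temp\zhxda6en.exe"
SAMPLE_ROWS = [
    ("HKLM", AUTOSTART_KEYS[2][1], "NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("HKCU", AUTOSTART_KEYS[0][1], "zhxda6en", SPYWARE_EXE),
    ("HKLM", AUTOSTART_KEYS[3][1], "zhxda6en", SPYWARE_EXE),
    ("HKCU", r"Software\zhxda6en", "installed", "1"),
]

if __name__ == "__main__":
    reader = WinregReader() if winreg else DictReader(make_tree(SAMPLE_ROWS))
    for key, name, data in list_autostart(reader):
        print(f"{key}  {name} = {data}")
    for key, name, data in find_references(reader, "zhxda6en"):  # slow on a live Registry
        print(f"HIT  {key}  {name} {data}")
```

On a real machine `find_references` walks all of HKCU and HKLM, which takes a while and silently skips keys the current user cannot open, so run it from an administrator account; the file name from the Data column (the `filename.exe` the guide mentions) is the most useful needle, since a second copy of the path is exactly what lets a deleted Run value come back.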