University of Houston

Mathematics Department


Using AdAware and Spybot to remove malware


These instructions are for users who already have AdAware and/or Spybot installed.  If you don't already have AdAware or Spybot installed, check this page.

Instructions:

 1. Restart the infected computer and go into Safe Mode.  (This is necessary so that the ad/spyware is not running to stop you from removing it.)
  • When Windows shuts down and the screen goes blank, after a second or two, the screen will have some text or a graphic (Dell usually has a Dell Graphic that fills the screen).
  • Start pressing the <F8> key repeatedly and a boot menu screen should appear.  (If the Windows boot screen with the scrolling bar appears, you can either hit the reset button on the PC (if it has one) or wait until Windows is loaded and reboot again.  Start pressing the <F8> key sooner.)

    You should see something similar to this: [image: XP boot menu]
  • At the top of the boot menu is an option for "Safe Mode" and another for "Safe Mode with Networking".
    1. If you already have AdAware and Spybot installed, you may not have the latest updates.  Choose "Safe Mode with Networking".
    2. If you have access to another computer with internet access which is not infected and a USB disk or other removable media that both computers can use, then select "Safe Mode".
    3. If you have the latest programs and updates on a USB disk, you can also select "Safe Mode".
    4. If you have the latest programs, but not the latest updates, select "Safe Mode with Networking".
    5. Else, just select "Safe Mode with Networking".
    Use the <up> and <down> arrows to select the proper choice and press <Enter> or <Return>.  You may have to press <Enter> or <Return> twice.
  • Windows should boot into Safe Mode.  You’ll know because a window will appear and tell you you’re in Safe Mode.   Then you will have to click on the OK button.
 2. If you already have the latest versions of AdAware and Spybot installed, skip to Step 4.
 3. To install AdAware or Spybot.
  • If you have the programs on a USB disk, then plug in the USB disk and copy the files to the infected computer.
  • Else, if you chose "Safe Mode with Networking" then download the programs from the following links. Be sure to remember where you save the files, if you are using the infected computer.  Also, be sure to download the updates from the links above.

    Install AdAware first, then Spybot.
 4. To update AdAware or Spybot.
  • If you have the updates on a USB disk, then:
    1. For AdAware, you should have a core.zip file.  Extract the file to the following location:

      C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2008
    2. For Spybot, you should have a file named: spybotsd_includes.exe.  Run this file and it will update Spybot.
  • Else, if you chose "Safe Mode with Networking" then allow the programs to update themselves after installing.
 5. Spybot should have an icon on the desktop and it looks similar to this.  [image: Spybot icon]
 6. AdAware icons look like either of these.  [image: AdAware icon]  [image: AdAware 2007 icon]
 7. Both Spybot and AdAware should have folders under the Start/Programs menu.  If this is a machine maintained by the Math Department, then the AdAware and Spybot folders might be under the Start/Programs/Accessories/System Tools menu.
 8. Run Spybot first and click Ok for any warning message windows.  Click on the Immunize icon and under Permanent Internet Explorer immunity, you should have 2 green checkmarks.  If not, click on the Immunize button next to the Check Again button.  This will help stop future infections.   Then click on the Search & Destroy icon.  Click on the Check for Problems icon and wait for the scan to finish.  As Spybot finds ad/spyware, it lists them in the white area.  Just a few are expected each time you run Search & Destroy as these are permanent.   If more are listed, then it should be ok.  Click the Fix selected problems button and confirm you want to get rid of all items found.   It may ask to run again after a reboot, if so, click yes, but don’t reboot yet.
 9. Run AdAware.  Click the Start button and then click on the Perform full system scan option.  Then click the Next button.   Again, a few are always found and more means certain infection.  When it finishes, click the Next button.  In the list of found Critical Objects, right click and choose Select All Objects.  Then click on the Negligible Objects tab above the list.  Again, right-click on the list and choose Select All Objects.  Now click the Next button and then click Ok.  AdAware then removes the objects and places them in a quarantine file.  The icon at the top of AdAware that is a padlock is the Quarantine Manager.   If AdAware removed something it shouldn’t have, then it is safely in the quarantine file and can be recovered.  This usually isn’t necessary.
10. On the desktop, you may have an icon for Internet Explorer.  If not, go to the Control Panel and choose the Internet Options icon (in XP, you might have to open the Network and Internet Connections icon first).  Open the Internet Options.  In the Temporary Internet files area, click on the Delete Files... button.  Then check the Delete all offline content box and click Ok.  Then in the History area, click the Clear History button and then click Yes.  This will get rid of any other leftover crap from any unfriendly webpage.
11. If you use another browser, like Mozilla, Firefox, Opera, or some other one, you might also want to clear its temporary files.  You can do this using the browser's preferences or manually.  The temporary files are usually stored in your profile.  Check your browser's settings to see the location of the temporary files cache.  For example, Firefox uses subfolders under "C:\Documents and Settings\{your username}\Local Settings\Application Data\Mozilla\Firefox\Profiles"; just look for a sub-folder named "cache".
12. Also, you might want to delete temp files created by Windows and other programs.  Look in "C:\Documents and Settings\{your username}\Local Settings\Temp" and "C:\WINNT\Temp" or "C:\Windows\Temp" and delete whatever is there.  This is just good to do in general, as Windows usually keeps temp files forever, which uses up disk space.
13. Go to the Control Panel and open Add/Remove Programs.  Uninstall any suspicious programs you don't know about. If you are unsure about some of the programs, either ask someone else or check on the name of the program on another computer.  Web searches should give you enough info to know whether you should have it or not.
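
Steps 11 and 12 as a script, added here as an example and not part of the original instructions: it finds the temp folders and Firefox "cache" sub-folders named in those steps and empties them, leaving links and files that are still in use untouched. The function names and the report-only (dry run) default are assumptions of this example.

```python
import os
from pathlib import Path

def temp_locations(profile, windir):
    """Return the existing folders that steps 11 and 12 name for one profile."""
    local = Path(profile) / "Local Settings"
    found = [local / "Temp", Path(windir) / "Temp"]
    firefox = local / "Application Data" / "Mozilla" / "Firefox" / "Profiles"
    if firefox.is_dir():
        # Step 11: look for sub-folders named "cache" under each Firefox profile.
        found += [p for p in firefox.rglob("*") if p.is_dir()
                  and not p.is_symlink() and p.name.lower() == "cache"]
    return [p for p in found if p.is_dir()]

def clean(folder, dry_run=True):
    """Empty `folder` but keep the folder itself.

    Returns (bytes, skipped): bytes removed (or removable, in a dry run) and
    the paths left alone because they are links or are still in use.
    """
    freed, skipped = 0, []
    for root, dirs, files in os.walk(folder, topdown=False):
        for name in files:
            path = Path(root) / name
            try:
                size = path.lstat().st_size   # size of the entry, not a link target
                if not dry_run:
                    path.unlink()
                freed += size
            except OSError:                   # e.g. locked by a running program
                skipped.append(path)
        for name in dirs:
            path = Path(root) / name
            if path.is_symlink():             # never follow or remove links
                skipped.append(path)
            elif not dry_run:
                try:
                    path.rmdir()
                except OSError:               # still holds a skipped entry
                    skipped.append(path)
    return freed, skipped

if __name__ == "__main__":
    profile = os.environ.get("USERPROFILE", str(Path.home()))
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    for folder in temp_locations(profile, windir):
        size, skipped = clean(folder, dry_run=True)   # report only
        print(f"{folder}: {size} bytes removable, {len(skipped)} skipped")
```

Run it in report-only mode first and read the list; pass `dry_run=False` to `clean` only once the folders shown are the ones you expect.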

Copyright Dave Branda 2005.
Last revised: October 8, 2008 20:20