This article was co-authored by Luigi Oppido. Luigi Oppido is the Owner and Operator of Pleasure Point Computers in Santa Cruz, California. Luigi has over 25 years of experience in general computer repair, data recovery, virus removal, and upgrades. He is also the host of the Computer Man Show! broadcasted on KSQD covering central California for over two years.
The wikiHow Tech Team also followed the article's instructions and verified that they work.
This article has been viewed 541,676 times.
Spyware is a type of malicious software that will perform certain actions without consent, such as: advertising, collecting personal information, or changing the configuration of your device. If you notice slowness on your machine or network, changes to your browser, or other unusual activity, then it’s possible that your computer has been infected with spyware.[1]
Steps
Using HijackThis (Windows)
-
1Download and install HijackThis. HijackThis is a diagnostic tool for Windows used to detect the presence of spyware. Double-click the installer to run it. Once installed, launch the software.
- Other free software like Adaware or MalwareBytes, will also function with a similar process.
-
2Press “Config…”. This button is located in the lower right corner under “Other Stuff” and will take you to a list of options for the program.
- Here you can toggle important options (like file backups) on or off. Making a backup is a good, safe practice when working with removing files or software. They do take up a small amount of storage space, but the backups can always be removed later by deleting them from the backups folder.
- Note that “Make backups before fixing items” is toggled on by default.
Advertisement -
3Press “Back” to return to the main menu. This button replaces the “Config…” button while the configuration menu is open.
-
4Press “Scan”. This button is located in the lower left corner and will generate a list of potentially bad files. It is important to note that HijackThis does a quick scan of likely locations for malicious software. Not all of the results will be harmful.
-
5Select the checkbox next to a suspicious item and click “Info on selected item…”. This will give details about the item and why it was flagged in a separate window. Close the window when you are done reviewing.
- Details will typically include the file location, the likely use of the file, and the action to be taken as a fix.
-
6Press “Fix checked”. This button is located in the lower left and the software will either repair or remove the selected file, depending on its diagnosis.
- You can fix multiple files at a time by selecting the checkbox next to each file.
- Before making any changes, HijackThis will create a backup (by default) so that you can undo your change.
-
7Restore from a backup. If you want to undo the changes made by HijackThis, press “Config” in the lower right, then “Backup”. Select your backup file (marked with the date and timestamp it was created) from the list and press “Restore”.[2]
- Backups persist through different sessions. You can close HijackThis and then restore a file from a backup at a later time.
Using Netstat (Windows)
-
1Open a command line window. Netstat is a built-in Windows utility that can help detect the presence of spyware or other malicious files. Press ⊞ Win + R to manually run a program and enter “cmd”. The command line allows you to interact with the operating system using text commands.
- This approach is good for those who want to avoid using third party software or take a more manual approach to the malicious software removal.
- Make sure you run an elevated command prompt window by choosing Run as administrator.
-
2Enter the text “netstat -b” and hit ↵ Enter. This will display a list of programs utilizing a connection or listening port (i.e. processes connecting to the internet).
- In this context, ‘b’ stands for binary. The command displays the running “binaries” (or executables) and their connections.
-
3Identify bad processes. Look for unfamiliar process names or port usage. If you are unsure about a process or its port, research its name online. You'll find others who have encountered the process and they can help identify it as malicious (or harmless). When you have confirmed a process as malicious, it is time to remove the file running it.
- If you are unsure whether the process is malicious or not after researching, then it is best to leave it alone. Tampering with the wrong files may cause other software to not work properly.
-
4Press Ctrl + Alt + Delete simultaneously. This will open the Windows Task Manager, which lists all of the processes running on your computer. Scroll to locate the name of the bad process you found in the command line.
-
5Right-click the process name and select “Show In Folder”. This will take you to the directory location of the bad file.
-
6Right-click the file and select “Delete”. This will move the bad file to the Recycling Bin. Processes cannot run from this location.
- If you receive an alert that the file cannot be deleted because it is in use, return to the Task Manager, select the process and press “End Task”. This will end the process immediately so that it can be moved to recycling.
- If you deleted the wrong file, you can double-click the recycling to open it and then click and drag to move the file back out.
-
7Right-click the Recycling Bin and select “Empty Recycling Bin”. This will permanently delete the file.
Using the Terminal (Mac)
-
1Open the Terminal. Through the Terminal, you'll be able to run a diagnostic that can detect the presence of spyware on your computer. Go to “Applications > Utilities” and double-click Terminal to launch. This program allows you to interact with the operating system using text commands.
- Alternately you can search for “Terminal” in the Launchpad.
-
2Enter the text “sudo lsof -i | grep LISTEN” and hit ⏎ Return. This will instruct the computer to output a list of processes and their network information.[3]
- sudo gives root access to the command, allowing it to view system files.
- ”lsof” is short for “list of open files”. This allows you to see running processes.
- ”-i” specifies that the list of open files must be utilizing the network interface. Spyware will try to use to the network to communicate with outside sources.
- ”grep LISTEN” is a command to the operating system to filter for those using listening ports -- a necessity for spyware.
-
3Enter your computer’s administrator password and hit ⏎ Return. Your password will not be displayed in the terminal, but it will be entered. This is necessary for the ‘sudo’ command.
-
4Identify bad processes. Look for unfamiliar process names or port usage. If you are unsure about a process or its port, research its name online. You'll find others who have encountered the process and they can help identify it as malicious (or harmless). When you have confirmed a process as malicious, it is time to remove the file running it.
- If you are unsure whether the process is malicious or not after researching then it is best to leave it alone. Tampering with the wrong files may cause other software to not work properly.
-
5Enter “lsof | grep cwd” and hit ⏎ Return. This will list the folder locations of the processes on your computer. Find the bad process in the list and copy the location.
- ”cwd” stands for current working directory.
- To make the lists easier to read through, you can run this command in a new Terminal window by pressing ⌘ Cmd + N while in the Terminal.
-
6Enter “sudo rm -rf [path to file]” and hit ⏎ Return. Paste the location into the bracketed space (do not type the brackets). This command will delete the file at that path.
- ”rm” is short for “remove”.
- Make absolutely sure you want to remove the entered item. This process is irreversible! You may want to perform a Time Machine backup beforehand. Go to “Apple >System Preferences > Time Machine” and select “Backup”.
Detecting and Removing Spyware on Android
-
1Identify suspicious behavior. If you are experiencing frequently slow network speeds, or are receiving unfamiliar/suspicious text messages, then you may have spyware on your phone.[4]
- Text messages with gibberish text or requesting replies with certain codes are good indicators that you may have spyware.
-
2Check your data usage. Open the “Settings” app and tap “Data Usage”. You can scroll down to view the data usage of your different apps. Unusually high data usage may be a sign of spyware.
-
3Back up your data. Connect your phone to your computer via USB, then drag and drop your data (e.g. photos or contact info) to back it up.
- Since the device and your computer are running different operating systems, your computer will not become infected.
-
4Open the “Settings” app and tap “Backup and Reset”. This opens a menu with a number of restoration options, including restoring the phone to factory settings.
-
5Tap “Factory data reset”. This button appears at the bottom of the "Backup and Reset" menu.
-
6Tap “Reset Phone”. Your phone will automatically restart and remove all apps and data, including any spyware, restoring the phone to its factory state.
- Resetting the phone removes ALL of your stored data on the device. Make sure you make a backup first or don't mind losing the data!
Community Q&A
-
QuestionWhat should I do if I cannot download an anti-virus?R2_d2000Top AnswererTry to download different anti-virus programs to see if one works. If this does not work, then try to start Windows in safe mode and install the antivirus, or try the task manager. If all else fails, then you might want to reinstall Windows.
-
QuestionHow do I remove the Spyware on my computer?Community AnswerThe best thing you can do is download an anti-virus or anti-malware program and run a scan. After the scan, the program will prompt you to delete the Spyware.
-
QuestionHow can I remove spyware from an iPhone SE?R2_d2000Top AnswererYou need to do a factory reset to remove spyware off of an iPhone, as Apple does not allow anti-virus apps.
Warnings
- Use caution when removing unfamiliar items. Removing items from the “System” folder on Windows can cause damage to your operating system and force you to reinstall Windows.⧼thumbs_response⧽
- Use similar caution when removing items from Mac with the Terminal. If you think you see a bad process, try researching it on the internet first!⧼thumbs_response⧽
References
- ↑ https://www.microsoft.com/en-us/safety/pc-security/spyware-whatis.aspx
- ↑ http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#HowToUse
- ↑ https://danielmiessler.com/study/lsof/
- ↑ http://arstechnica.com/tech-policy/2011/11/juniper-reports-skyrocketing-android-malware-infections/
- ↑ Luigi Oppido. Computer & Tech Specialist. Expert Interview. 31 July 2019.
- ↑ Luigi Oppido. Computer & Tech Specialist. Expert Interview. 31 July 2019.
- ↑ Luigi Oppido. Computer & Tech Specialist. Expert Interview. 31 July 2019.
About This Article
1. Install and launch HijackThis for Windows.
2. Scan for suspicious items.
3. Select the items you want to delete.
4. Click Fix checked.