Know if You Have Spyware on Your Computer

Spyware is a type of malicious software that will perform certain actions without consent, such as: advertising, collecting personal information, or changing the configuration of your device. If you notice slowness on your machine or network, changes to your browser, or other unusual activity, then it’s possible that your computer has been infected with spyware.[1]

Steps

Detecting and Removing Spyware on Android

  1. Identify suspicious behavior. If you are experiencing frequently slow network speeds, or are receiving unfamiliar/suspicious text messages, then you may have spyware on your phone.[2]
    • Text messages with gibberish text or requesting replies with certain codes are good indicators that you may have spyware.
  2. Check your data usage. Open the “Settings” app and tap “Data Usage”. You can scroll down to view the data usage of your different apps. Unusually high data usage may be a sign of spyware.
  3. Back up your data. Connect your phone to your computer via Universal Serial Bus, then drag and drop your data (e.g. photos or contact info) to back it up.
    • Since the device and your computer are running different operating systems, your computer will not become infected.
  4. Open the “Settings” app and tap “Backup and Reset”. This opens a menu with a number of restoration options, including restoring the phone to factory settings.
  5. Tap “Factory data reset”. This button appears at the bottom of the "Backup and Reset" menu.
  6. Tap “Reset Phone”. Your phone will automatically restart and remove all apps and data, including any spyware, restoring the phone to its factory state.
    • Resetting the phone removes ALL of your stored data on the device. Make sure you make a backup first or don't mind losing the data!

Using HijackThis (Windows)

  1. Download and install HijackThis. HijackThis is a diagnostic tool for Windows used to detect the presence of spyware. Double-click the installer to run it. Once installed, launch the software.
    • Other free software like Adaware or MalwareBytes, will also function with a similar process.
  2. Press “Config…”. This button is located in the lower right corner under “Other Stuff” and will take you to a list of options for the program.
    • Here you can toggle important options (like file backups) on or off. Making a backup is a good, safe practice when working with removing files or software. They do take up a small amount of storage space, but the backups can always be removed later by deleting them from the backups folder.
    • Note that “Make backups before fixing items” is toggled on by default.
  3. Press “Back” to return to the main menu. This button replaces the “Config…” button while the configuration menu is open.
  4. Press “Scan”. This button is located in the lower left corner and will generate a list of potentially bad files. It is important to note that HijackThis does a quick scan of likely locations for malicious software. Not all of the results will be harmful.
  5. Select the checkbox next to a suspicious item and click “Info on selected item…”. This will give details about the item and why it was flagged in a separate window. Close the window when you are done reviewing.
    • Details will typically include the file location, the likely use of the file, and the action to be taken as a fix.
  6. Press “Fix checked”. This button is located in the lower left and the software will either repair or remove the selected file, depending on its diagnosis.
    • You can fix multiple files at a time by selecting the checkbox next to each file.
    • Before making any changes, HijackThis will create a backup (by default) so that you can undo your change.
  7. Restore from a backup. If you want to undo the changes made by HijackThis, press “Config” in the lower right, then “Backup”. Select your backup file (marked with the date and timestamp it was created) from the list and press “Restore”.[3]
    • Backups persist through different sessions. You can close HijackThis and then restore a file from a backup at a later time.

Using Netstat (Windows)

  1. Open a command line window. Netstat is a built-in Windows utility that can help detect the presence of spyware or other malicious files. Press Win + R to manually run a program and enter “cmd”. The command line allows you to interact with the operating system using text commands.
    • This approach is good for those who want to avoid using third party software or take a more manual approach to the malicious software removal.
  2. Enter the text “netstat -b” and hit Enter. This will display a list of programs utilizing a connection or listening port (i.e. processes connecting to the internet).
    • In this context, ‘b’ stands for binary. The command displays the running “binaries” (or executables) and their connections.
  3. Identify bad processes. Look for unfamiliar process names or port usage. If you are unsure about a process or its port, research its name online. You'll find others who have encountered the process and they can help identify it as malicious (or harmless). When you have confirmed a process as malicious, it is time to remove the file running it.
    • If you are unsure whether the process is malicious or not after researching, then it is best to leave it alone. Tampering with the wrong files may cause other software to not work properly.
  4. Press Ctrl + Alt + Delete simultaneously. This will open the Windows Task Manager, which lists all of the processes running on your computer. Scroll to locate the name of the bad process you found in the command line.
  5. Right-click the process name and select “Show In Folder”. This will take you to the directory location of the bad file.
  6. Right-click the file and select “Delete”. This will move the bad file to the Recycling Bin. Processes cannot run from this location.
    • If you receive an alert that the file cannot be deleted because it is in use, return to the Task Manager, select the process and press “End Task”. This will end the process immediately so that it can be moved to recycling.
    • If you deleted the wrong file, you can double-click the recycling to open it and then click and drag to move the file back out.
  7. Right-click the Recycling Bin and select “Empty Recycling Bin”. This will permanently delete the file.

Using the Terminal (Mac)

  1. Open the Terminal. Through the Terminal, you'll be able to run a diagnostic that can detect the presence of spyware on your computer. Go to “Applications > Utilities” and double-click Terminal to launch. This program allows you to interact with the operating system using text commands.
    • Alternately you can search for “Terminal” in the Launchpad.
  2. Enter the text “sudo lsof -i | grep LISTEN” and hit Return. This will instruct the computer to output a list of processes and their network information.[4]
    • sudo gives root access to the command, allowing it to view system files.
    • ”lsof” is short for “list of open files”. This allows you to see running processes.
    • ”-i” specifies that the list of open files must be utilizing the network interface. Spyware will try to use to the network to communicate with outside sources.
    • ”grep LISTEN” is a command to the operating system to filter for those using listening ports -- a necessity for spyware.
  3. Enter your computer’s administrator password and hit Return. Your password will not be displayed in the terminal, but it will be entered. This is necessary for the ‘sudo’ command.
  4. Identify bad processes. Look for unfamiliar process names or port usage. If you are unsure about a process or its port, research its name online. You'll find others who have encountered the process and they can help identify it as malicious (or harmless). When you have confirmed a process as malicious, it is time to remove the file running it.
    • If you are unsure whether the process is malicious or not after researching then it is best to leave it alone. Tampering with the wrong files may cause other software to not work properly.
  5. Enter “lsof | grep cwd” and hit Return. This will list the folder locations of the processes on your computer. Find the bad process in the list and copy the location.
    • ”cwd” stands for current working directory.
    • To make the lists easier to read through, you can run this command in a new Terminal window by pressing Cmd + N while in the Terminal.
  6. Enter “sudo rm -rf [path to file]” and hit Return. Paste the location into the bracketed space (do not type the brackets). This command will delete the file at that path.
    • ”rm” is short for “remove”.
    • Make absolutely sure you want to remove the entered item. This process is irreversible! You may want to perform a Time Machine backup beforehand. Go to “Apple >System Preferences > Time Machine” and select “Backup”.

Tips

  • If you find the scan results of HijackThis too intimidating, press “Save Log” to create a text file of your results and post them to the HijackThis forums for interpretation.
  • Port 80 and 443 are very common ports used in web browsing. Although technically spyware can use these ports, they are likely to be in frequent use by other applications, meaning it is unlikely that spyware will be using them.
  • Once you detect and remove spyware, you should change your passwords on every account you access with your computer - it's better to be safe than sorry.
  • Some mobile apps advertised as spyware removal for Android may be unreliable or even fraudulent. Restoring the factory settings is the best way to ensure your phone gets clean of spyware.
  • A factory reset is a viable option to remove spyware on an iPhone as well, but getting spyware is exceedingly unlikely unless you have jailbroken your iPhone.

Warnings

  • Use caution when removing unfamiliar items. Removing items from the “System” folder on Windows can cause damage to your operating system and force you to reinstall Windows.
  • Use similar caution when removing items from Mac with the Terminal. If you think you see a bad process, try researching it on the internet first!

Related Articles

Sources and Citations