How to remove any Spyware / Adware Toolbar
Infopackets Reader 'SweetImage' writes:
" Dennis is there any way to get rid of the Mirar toolbar once and for all? I have searched sites where I have found loads of people having the same problem. I have used at least 8 different Adware-blocking programs to remove the toolbar from my system, but none of them can get rid of this rotten thing!
Mirar support has not answered my emails and I am going absolutely crazy trying to remove it from my system. I cannot use the Windows System Restore because it won't allow me to roll back (except for today's date) -- and furthermore, Dell can't help me. Am I stuck with this toolbar? I don't even know where it came from! Thank you very much if you can help! "
According to kephyr.com, the Mirar toolbar is an Internet Explorer [Browser Helper Object] that causes ads to be displayed. Moreover, kephyr.com reports that Mirar Toolbar does not offer an uninstaller -- so once it's installed, it's very difficult to remove. As of today (5/25/2004), I did not see removal instructions on getmirar.com (the site which hosts the Mirar toolbar).
Although Mirar toolbar removal instructions are available on the kephyr.com web site, I would like to suggest a systematic approach to removing *any* BHO from a system since I am frequently asked how to remove similar Adware / Spyware toolbars.
Side note: a Browser Helper Object is a 'plug-in' for Internet Explorer which allows software developers to customize and control browsing sessions. BHO's are typically instantiated [initialized] by .DLL files which are located in the Windows System / System32 folder. When Internet Explorer is launched, the System Registry is referenced and the BHO is injected into the browser (typically visible with a toolbar or a button). Once a BHO is active, it has access to all the events and properties of a browsing session (and may cause popup ads to appear, or hijack your home page, etc).
How to remove *any* Browser Helper Object from your Computer
What I am about to suggest may not be the most correct method to remove a BHO from your system. In fact, there is no guarantee that instructions below will resolve your issue. What I can tell you, however, is that I have used the following methods to safely remove and restore many systems that have been infected with scumware / Spyware / Adware toolbars.
Before proceeding, please make a backup of your most critical files.
1. Attempt to disable the BHO.
A little while back, I came across a program called BHODemon which can disable BHO's from launching when Internet Explorer starts. BHODemon can also be used to identify the main 'plugin' file associated with the BHO (typically a .DLL or .OCX file located in the Windows System folder). A full explanation of BHODemon (and the link to download the freeware program) is available in a recent Gazette issue.
2. Identify other 'plugin' file(s) associated with the BHO.
Some BHO's are despicably stealthy and will reinstall themselves after your system is rebooted / restarted -- even after the BHO has been disabled. Obtaining the list of files associated with the BHO will require some research:
- Use BHODemon to identify the main .DLL or .OCX file (as seen in the picture above).
- Go to Google.com and type in the BHO filename followed by the word 'remove' (example: "NN_BAR.DLL remove"). 9 times out of 10, Google will provide a list of web sites that have manual removal instructions, along with the list of files associated with the offending BHO.
- Finally, write down the file names and folder locations of the BHO 'plugin' files (example: %SystemDir%\winnb40.dll).
Side note: %SystemDir% is a generic path (I.E. folder) variable. By default, the System Directory for Win95 /98 / ME is C:\Windows\System; for Windows NT/2000, it is C:\WINNT\System32; and for Windows XP, it is C:\Windows\System32.
3. Reboot into Safe Mode and remove the BHO files from your computer.
In order to permanently remove the BHO files from your computer, you must reboot into Safe Mode (or DOS mode) or your system will report a 'sharing violation' error when attempting to delete the file(s). To access Safe Mode:
- Click Start -> Shutdown (or Turn Off).
- Select 'Restart'.
- Once the computer restarts, press F8 repeatedly on the keyboard until a Boot Menu appears. This *must* be done before the Windows boot screen appears.
- Choose to boot Windows in Safe Mode.
Once you are in Safe Mode, use your notes detailing the file names and paths of the offending BHO's and rename (or remove) the files from your system. Renaming the .DLL / .OCX file will allow you to undo your changes -- whereas deleting a file is not easily undone.
Side note: A safe way to rename a file is to place a few harmless characters in front of the real file name (example: if the file is popups.dll, rename it to zz_popups.dll).
4. Remove the BHO references from your System Registry.
- Click Start -> Run -> type in "regedit" (no quotes, and press Enter).
- Once RegEdit appears, click File -> Export to make a backup of your registry. In case you make a mistake, you can import your old registry to reverse the proceeding changes.
- Now you're ready to remove the BHO references from your Registry. In the RegEdit window, press F3 to search. Next, type in the name of each BHO file you recorded in Step #2 -- minus the file extension (for example: search for 'popups' instead of 'popups.dll').
- When a match is found, look on the left side of the RegEdit Window. Left click the expanded folder which encapsulates the BHO entry. Press DEL on your keyboard to delete it.
- Press F3 and until no more matches are found; repeat this process for all BHO files you recorded in Step #2.
5. Remove any suspicious references from your Startup locations.
Download Startup_CPL.exe from Mike Lin's web site. This program will list multiple startup locations that launch programs when Windows is booted. If you see anything suspicious, disable it from launching in your startup. If you are unsure of whether or not a program entry is safe to disable, you can research it using Pac's Portal web site.
Side note: Startup_CPL is zipped. In order to use Startup_CPL, you will first need to extract it using WinZip. I have a free downloadable video tutorial on how to use WinZip available here.
6. Reboot your computer.
The offending BHO should now be removed from your computer. If, however, you are unable to resolve your problem, you can:
- Attempt a System Restore (if applicable).
- Import your Registry backup and reboot your computer (if you think you may have accidentally deleted the wrong registry entry and have inadvertently caused your system to become unstable), or
- Backup your most critical files and reinstall Windows. I have a downloadable eBook and video guide which explains how to do this in great detail.
Side note: If you own a web site / web page and found this information to be useful, please link to this page. I'm sure there are plenty of folks who could benefit from this information.