What is WinRAR?
WinRAR is the name of a popular archiving program used to compress and decompress files; it is the second most widely used archiving utility after WinZip. However, spyware often borrows the names of legitimate programs such as WinRAR so that users are less likely to stop it when they see it running on their computer.
What if you didn't install WinRAR on your system, yet you see it running on your computer? This guide will help you determine whether it really is malicious, cover the tools that help you remove WinRAR spyware, and give you a complete walkthrough for removing it from your system.
Step 1: Equip Yourself
You need the right tools for any job, and this is especially true for spyware removal. Thankfully, Microsoft provides several free programs to help with troubleshooting. I prefer these tools to several alternatives because they are more user friendly. More information and download links can be found at these URLs.
Process Explorer (Alternative: Task Manager) - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
TCPview (Alternative: Netstat) - http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Autoruns (Alternative: Regedit) - http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Step 2: Use TCPView
Once you have the necessary tools, check whether the WinRAR running on your system makes remote connections. Run TCPView and see whether "winrar.exe" or a similarly named process is in the list. Note that the TCPView list shows every program on your computer that is attempting or has already established a remote connection; being listed does not by itself mean a program is malicious. However, a file named WinRAR that keeps making remote connections, which the legitimate version does not do, is very suspicious.
So what should you do if you find winrar in this list? Terminate it.
1. Take note of the full name of the WinRAR executable (you'll need it later)
2. Highlight the WinRAR process in TCPView
3. Right-click it and choose End Process
If you didn't see anything suspicious in the TCPView list, continue with Step 3.
Step 3: Use Autoruns
Autoruns is a Sysinternals program that shows every program configured to load when your PC starts, and it lets you disable any of those entries in your registry. Here's how to use it: find the entry you want to remove and uncheck the box next to it. You might ask, "I can see several winrar entries here; which of them should I remove?" The legitimate WinRAR compression program installs by default to c:\Program Files\WinRAR. If you see a winrar.exe at c:\winrar.exe, c:\windows\system32\winrar.exe or c:\Program Files\Wirar\winrar.exe, then you'll know what to remove.
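The checks in Step 2 (remote connections) and Step 3 (autostart location) as one PowerShell script. This is an added example, not code from the original article; it assumes Windows 8 or later, an elevated PowerShell prompt, and the article's legitimate install path C:\Program Files\WinRAR.

```powershell
# Added example, not from the original article. Assumes Windows 8 or later,
# an elevated PowerShell prompt, and the article's legitimate install path.
$LegitDir = 'C:\Program Files\WinRAR'

function Test-InLegitDir([string]$Path) {
    # True only when the executable lives under the expected install directory.
    return [bool]$Path -and $Path.StartsWith($LegitDir, [System.StringComparison]::OrdinalIgnoreCase)
}

# Step 2: every running process named winrar*, where it runs from, and how many
# established TCP connections to non-loopback addresses it holds right now.
Get-Process -Name 'winrar*' -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # can be $null if the process cannot be inspected
    $remote = @(Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') })
    [pscustomobject]@{
        PID         = $_.Id
        Path        = $path
        InLegitDir  = Test-InLegitDir $path
        RemoteConns = $remote.Count
        # The article's rule: wrong location, or an archiver holding remote connections.
        Suspicious  = (-not (Test-InLegitDir $path)) -or ($remote.Count -gt 0)
    }
}

# Step 3: autostart entries (Run keys and Startup folders, which Autoruns also lists)
# whose command references winrar, with the same path check applied to the command.
Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match 'winrar' } |
    ForEach-Object {
        [pscustomobject]@{
            Entry      = $_.Name
            Location   = $_.Location
            Command    = $_.Command
            InLegitDir = $_.Command -match [regex]::Escape($LegitDir)
        }
    }
```

Any row with Suspicious = True or InLegitDir = False is the entry to look at in TCPView and Autoruns; the script only reports and does not terminate or disable anything.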
While this process should deal with WinRAR .exe spyware, you should also choose an anti-virus program that suits you and always keep its virus definitions up to date.
If you need help picking a good free anti-virus program, check out our lists and reviews of the best in the field.
Image Credits: Screenshots by Author