Standard Procedure for Removing Spyware, Adware, Malware or Other Parasites -<<Updated May - 04 - 2005>>-

The instructions contained in this post will help you to remove any unwanted
parasites from your system.

Make sure you read this entire article BEFORE you do anything. Removing
Spyware and other parasites is not as easy as you might think it would be and
there is a whole lot more to it than many people realize.

An up to date page can usually be found at this website by clicking on "Spyware Help"
in the menu on the left.
Richard the Lion Hearted

Spyware, Adware, Malware and other parasites should not be taken lightly and you
should always get professional help to remove any stubborn parasites that you
may have on your system.

In this article you will find provisions for:

  • Help Resources
  • Specific Tools
  • Various Online Scanners
  • Instructions on what you should do
  • Forums in which to get help from trained personnel
  • Important Information

    Tools Which You Will Need

    Ad-Aware SE
    SpyBot - Search & Destroy
    McAfee Stinger

    Other Tools and Software can be found listed further down in this article.

    Instructions on What You Should Do

    Scan your system using Ad-Aware and SpyBot-S&D.

    It makes no difference which order you run these two tools as they will each
    detect and remove what the other misses.

    Always make sure the reference files are up to date.

    SpyBot-S&D: Let it fix anything that is listed in red.
    Ad-Aware: Let it fix anything that it finds.

    After you complete these scans, you will want to run a good Anti-Virus scan on
    your system. Panda Anti-Virus has a good online scanner which should detect and
    remove anything on your system.

    If you are unable to go online or run any Anti-Virus you may currently have
    installed on your system, then don't worry about it as this can be taken care
    of later.

    Another alternative if you have access to it would be to boot from a Knoppix
    CD and do an Anti-Virus scan From Knoppix. Knoppix is a Linux distribution
    which can be booted from a CD without the need to install it.

    Once you complete the above steps, you will want to run HiJackThis, then post
    the contents of the resulting HJT log to one of the Forums listed below.

    Once you post your HJT log, you need to be patient and check back periodically
    because the personnel who are there to help you can get quite busy working on HJT
    logs posted by other users.

    It is also very important that any forum you decide to visit for help, that you
    read their FAQ before doing any posting if you want their help.

    If you are a skilled computer user who is technically oriented and feel
    confident about your skills, then you could try using one of the HiJackThis
    tutorials which are listed below. I would suggest reading both of them as this
    tool can very easily mess up your system if you are not careful.

    Forums Where You Can Post Your HJT Log

    Anti Spyware Offensief
    Bluetack Internet Security Solutions
    Calendar of Updates
    Common Sense Security
    Geeks to Go
    Gladiator Security
    JSKYs XP Support
    Linha Defensiva
    MalWare Removal
    PC Pitstop
    Pipex Support
    Spyware 911
    SpyWare BeWare!
    SpywareInfo My Personal Favorite
    Spyware Warrior
    Tech Support Forum
    Tech Support Guy
    TeMerc Internet Countermeasures
    That Computer Guy
    The Spykiller
    Wilders Security

    Important Information

    When running HiJackThis, it is very important that you follow any directions
    you may be given by Qualified personnel. You should not try fixing anything
    yourself unless you know what you are doing. This program can very easily make
    a mess of your system if you screw up.


    Always run HiJackThis from its own directory such as C:\HJT

    The reason for this is so HJT can create backups of anything removed in case
    you should need to restore something.

    HiJackThis and SpyWare Removers

    Anytime you run HiJackThis or any other tool for removing parasites, you should
    always close ALL Windows, especially any browsers and Windows Explorer.

    The reason for this is if you leave any of these windows open, you may find the
    parasite to still be installed on your system.

    If you are Unable to Run SpyBot-S&D, Ad-Aware, CWShredder or HiJackThis

    There is a variant of the Coolwebsearch trojan spreading that closes several
    anti-spyware apps when you try to open them.

    If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool (v1 and v2)
    first and run it. After it does its job, CWShredder and HijackThis will run
    properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums)

    Fake Programs

    One of the biggest things to watch out for is bogus programs which claim to be
    Ad-Aware or SpyBot when they're not. Or other programs which claim to remove
    parasites from your system. You can check this link to check to see if a
    program is legitimate or not. Rogue/Suspect Anti-Spyware Products & Web Sites

    System Restore

    Any time your system is infected by a bad parasite such as a Virus, Trojan
    or Worm, you should disable "System Restore" before attempting to clean your
    system. Otherwise, the infection will remain to reinfect your system.

    Internet Explorer Users

    Go into "Internet Options > Advanced" tab

    There will be 2 "Install on Demand" items and 1 "Enable third party extension"

    Uncheck all three items as these present a security risk which makes it easier
    for parasites to install themselves on your system

    Tools You May Be Asked To Use

    ADS Spy For 2K and XP Only
    CWS HiddenDLLFinder
    CWShredder Version 2.1 or newer by InterMute
    CoolWWWSearch.SmartKiller (v1 and v2)
    FINDnFIX For 2K and XP Only
    GetService For 2K and XP Only
    LSP-Fix Fixes broken WinSocks
    PeperFix Removes the Peper Trojan
    Pocket KillBox
    Winsock Fix

    RootKit Tools

    F-Secure Blacklight
    RootKit Revealer

    DO NOT USE these RootKit tools unless you are directed to use them
    or you know what you are doing.

    Useful Tools

    a-squared HiJackFree
    Aranea Spyware Wizard
    ewido Security Suite
    Gibson Research
    Itty Bitty Process Manager
    Microsoft Windows AntiSpyware
    Prevx - Intrusion Protection software
    Privacy Keyboard Anti-keylogger which will prevent any type of keystroke recording
    Richard the Lion Hearted's Hosts files
    System Safety Monitor
    System Safety Monitor is a system monitoring tool with additional application
    firewalling. You can keep a list of trusted applications and be alerted each
    time a program, that is not on your trusted list, is executed. The optional
    black-list allows you to specify programs that will be prevented from running.
    You can also have System Safety Monitor alert you whenever a new start-up key
    is added to the registry. This allows you to prevent software from installing
    itself as an auto-start item in the registry without your knowledge. The
    included logging feature enables you to view a log of all changes that have
    been made to the registry.

    SpyBot - Search & Destroy
    TDS-3 Trojan Defence Suite
    The Cleaner
    Trojan Remover
    Webroot Spy Sweeper

    Bootable Disks for Diagnostics and Repair

    BartPE Builder Bootable Windows CD/DVD
    Bart's PE Builder is a free tool that allows you to create a bootable
    Windows CD or DVD from an existing install CD of Windows XP or Windows
    Server 2003. This Windows boot CD runs a cut down version of XP, with
    network, gui and FAT/NTFS/CDFS file system support. Since you can run
    Windows applications from this boot CD it's a useful tool for fixing
    various problems on Windows 2000/2003/XP/9x system that can not easily
    be fixed while booted from the copy of Windows on the hard drive.

    Using Bart's PE Builder to Make an Anti-Spyware and Rescue CD
    One great use for a PE Builder CD is to remove spyware from a computer
    and that is the task that site will help you with.

    With Knoppix, you can boot from the CD and perform an Anti-Virus scan on your
    system without the need for loading MS Windows.

    UBCD for Windows
    UBCD4Win is a bootable CD which contains software that allows you to
    repair/restore/diagnostic almost any computer problem. All software included
    in UBCD4Win are freeware utilities for Windows.

    Self Help Resources

    169 IP Address
    BHOindex Service Configurations and more
    CLSID BHOList ToolbarList
    LEGEND for Both of the Above Links

    The listed Parasites are tagged
    [ X ] for certified spyware / foistware, or other malware
    [ C ] Cookies, remove/rename.
    [ D ] Dialer, remove/rename.
    [ K ] Keyloggers, remove/rename if any problems.
    [ T ] Tracker, remove/rename if any problems.
    [ L ] for legitimate items
    [ O ] for 'open to debate'
    [ ? ] for BHOs of unknown status.

    CounterExploitation (
    HiJackThis Quick Start
    HijackThis Tutorial
    Merijn's HijackThis Tutorial
    Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests
    PC Hell
    Rogue/Suspect Anti-Spyware Products & Web Sites
    Startup Programs and Executables Listing

    Alternative Browsers that are Not Based on Internet Explorer

    Mozilla FireFox
    Opera Browser

    Various Online Scanners

    HouseCall AntiVirus
    Command on Demand
    McAfee FreeScan
    Panda Active Scan
    RAV AntiVirus
    Symantec Security Check

    Interesting Articles to Read

    Introduction to Spyware Keyloggers Includes Links to other Interesting Articles
    LearnIT: Malware
    Macromedia Flash Player Settings Manager Use to Disable United Virtualities's PIE Tracking
    Malware: what it is and how to prevent it
    Webhelper4u Transponder News


    I may be crazy but weren't there a lot of replies to this thread?

    This thread has recently been rewritten and updated to provide more information and better help to those who need it.

    As such, the previous replies were all removed to leave room for any other problems which may need to be addressed in the above article instead of users having to wade through a bunch of replies which have since been addressed with the rewrite.

    Also, periodically, I am updating the above article to reflect new spyware fighting tools or information which may be needed.

    There are a lot of spyware scanners out there, some real and a lot of fake ones, so I'm not about to list all the scanners. Instead, I just list the tools which best serve the purpose for fixing one's system. These are also the tools you will find are used every day at the different forums where people can go to get help with trying to eradicate these parasites.

    DragonsLore said: Wilders Security
    Small correction: As indicated in this post, the Wilders Security forum no longer allows posts of HijackThis logs.

    chuq said: Small correction: As indicated in this post, the Wilders Security forum no longer allows posts of HijackThis logs.
    Thank you for letting me know about this.

    I'll remove them from the forum list soon as I finish this reply.

    Small typo noted:

    Tools Which Will Needed

    ***LOL*** Thanks! I hadn't noticed. Not bad, all things considered.

    Would you consider adding the Webroot Spy Sweeper to your listing of spyware tools, please? It is NOT free, BUT it does have a 30 day trial available. PC magazine just named it editor's choice in spyware detection and removal and prevention.

    PC Mag review.

    Download site.

    I just tried it, seems pretty nice, but of course I don't have any spyware on my system to see how effective it is at removal

    P.S. They also have 2 basic online free scans available on their homepage, near the top right.

    I've been thinking of adding Webroot Spy Sweeper, yes. Just forgot to do so.

    There are a lot of different ones out there with many of them being fraudulent which you can find out by checking the Rogue programs lists above.

    I mostly try to list the best ones for use with fixing your system along with tools that are routinely used for parasite removal and repair.

    PestPatrol is one which I will not list because their program will detect legitimate items as parasites and there have been other problems with their software. So this one is not for the average user as you really need to scrutinize the results before you fix anything with PestPatrol. They also are very terrible with trying to contact if there is a problem which in itself is not good.

    Development of CWShredder has been taken over by InterMute who has recently acquired it.

    As to their SpySubtract software, I'm waiting to hear a little more about this company before I add it to the list of useful tools as I do not want to add anything that may unknowingly be a rogue program. Hopefully, by the end of the week I will know enough as to whether or not it can be added.

    The link for the newest version of CWShredder has been added to the list of "tools you may be asked to use"

    DragonsLore, I was wondering about installing Spyware Guard, as it is one of your recommended tools.

    Wanted to know, though, what issues you might be aware of, considering their prominent warning SpywareGuard is a work-in-progress.
    We cannot guarantee that it will not conflict with other security software on your machine. However we do strive to fix any compatibility problems that may arise.

    If you are worried about potential compatibility issues with SpywareGuard, we recommend you download SpywareBlaster instead.

    Dragonslore, this remains one of the most helpful, informative threads I've ever seen on FW. You rule.

    DragonsLore, you kick the booty out of adware/spyware.

    Thanks! I needed your help on this. Caught a adware just checking Football stats and news.

    Sites visited before adware and spyware:

    ARG!!! This thread will help!

    Bluerain210 Best place to start is by reading the first post in this thread and following the instructions.

    That may include running HiJack This when you get to that point, and posting the log on the appropriate forum

    Thanks to DragonsLore.
    Thanks ellory.
    Thanks to MaddieBeagle!

    Post was edited, didn't want to mislead or confuse those that need this type of information.

    One of the best stickys on FW!

    maddiebeagle said: Good Article - "Malware: what it is and how to prevent it"

    Really good basic info, Thanks

    If you need a copy of Hijack This!, which is useful for the removal of several Malware/Spyware programs, check out that link from DragonsLore or download it from MajorGeeks. Also, this post on the same site has an in depth removal tool. Any dummy (and I do mean dummy...we are all at risk to these hacker scumbags who want to flood our computers with junk advertisements) can follow the steps to remove the software.

    One thing that really, really bothers me. I have an I.T. degree (OK it's only an Associates, but I know quite a bit) and I was hit with TVM.exe and randreco.dll/.exe malware. These hackers/programmers have made it almost impossible to remove such garbage!

    This is a great Post. Thanks a lot OP


    PepiMK's CoolWWWSearch.SmartKiller removal tool~~ when i click on that link, i get a 'no page to display' message.
    i need that fix very badly.
    btw, all my pop-up windows are sticking on the lower 1/3 of my screen. why & how to fix.

    ohsexygirlfriend said: PepiMK's CoolWWWSearch.SmartKiller removal tool~~ when i click on that link, i get a 'no page to display' message.
    i need that fix very badly.
    btw, all my pop-up windows are sticking on the lower 1/3 of my screen. why & how to fix.

    Try the link for "CoolWWWSearch.SmartKiller (v1 and v2)" as this is the same thing, but a different link.

    Very nice post DragonsLore. I would also highly recommend people to use Firefox browser or any other browsers out there instead of Internet Explorer whenever possible, since they don't have Active X in them which can let spyware in too.

    Firefox Browser (free)

    i ran spyware S&D and adware and the new microsoft thing and my comp still runs abnormally slow

    redroomblackout said: i ran spyware S&D and adware and the new microsoft thing and my comp still runs abnormally slow

    Those tools and many others are mostly for system maintenance and protection.

    There are many things that can cause your system to run slow including parasites.

    But if you are having a problem, the best thing you could do is to run HiJackThis, then post the resulting HJT log to one of the security forums and wait for a response. The trained personnel there will be able to help you.

    If you do post your HJT log to the Spywareinfo forums, it would need to be posted in the first forum which is the Malware Forum. Also be sure to read the first sticky which is by PGPhantom.

    Good Luck

    OD, you need to update the year on the title, we're at the new year of 2005 now.


    I must have been tired not to have noticed I put the wrong year!

    I spent 2 hours disinfecting a trojan from a system today. Every scanner with most recent updates missed it. It installs itself in c:\system volume information\upnpclient.exe. It appears to use port 25, the MS UPnP port as a back door. It runs two services, both UPnP clients. It's easy to remove if you disable simple file sharing to access that folder. It was blocked by my firewall, but was eating enough cycles that I noticed a typing lag. Here's the relevant hijackthis log line:

    O23 - Service: Universal Plug and Play Device Client - Unknown - c:\System Volume Information\upnpclient.exe (file missing)

    I've seen this type of exploit before, but this appears to be a new one the scanners are missing. I even run Pestpatrol in active mode and it blew past it. It apparently came packaged in a small file viewer installer I downloaded from a newsgroup post. The file passed the AV scan as clean. In this case I broke my own rules about knowing the source and got burned.

    edit: If you have this thing it's a bigger security risk than I originally thought. One package is a password/CC# logger. There's a good discussion on Wilders Security on detection/removal: link
    This thing hasn't been added to any of the AV software updates as of this entry.
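A way to triage the O23 service entries of a HijackThis log for the pattern in the post above, added here as an example that is not part of the original thread. The suspect-directory list and the two-reason threshold are assumptions, and only the upnpclient.exe line in the sample log comes from the post.

```python
from dataclasses import dataclass

# Constructed sample log: only the upnpclient.exe line is from the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Example Update Service - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: Universal Plug and Play Device Client - Unknown - c:\System Volume Information\upnpclient.exe (file missing)
O23 - Service: Example Helper - Unknown - C:\WINDOWS\Temp\helper.exe
"""

# Assumption: directories where a service binary has no business living.
SUSPECT_DIRS = ("\\system volume information\\", "\\recycler\\", "\\temp\\")
MISSING_TAG = "(file missing)"


@dataclass
class Service:
    name: str
    vendor: str
    path: str
    file_missing: bool


def parse_o23(line):
    """Parse 'O23 - Service: <name> - <vendor> - <path>'; None for other lines."""
    prefix = "O23 - Service: "
    line = line.strip()
    if not line.startswith(prefix):
        return None
    # Split from the right so a service name containing ' - ' stays intact.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, vendor, path = (p.strip() for p in parts)
    missing = path.lower().endswith(MISSING_TAG)
    if missing:
        path = path[: -len(MISSING_TAG)].rstrip()
    return Service(name, vendor, path, missing)


def reasons(svc):
    """Return the list of reasons this service entry deserves a closer look."""
    found = []
    lowered = svc.path.lower()
    for directory in SUSPECT_DIRS:
        if directory in lowered:
            found.append("image path under " + directory.strip("\\"))
    if svc.vendor.lower() == "unknown":
        found.append("no vendor information")
    # The post's entry carried this marker although the service was running,
    # so the marker is treated as a reason to look, not as proof of removal.
    if svc.file_missing:
        found.append("reported as file missing")
    return found


def triage(log_text, min_reasons=2):
    """Return (Service, reasons) pairs with at least min_reasons reasons."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        why = reasons(svc)
        if len(why) >= min_reasons:
            findings.append((svc, why))
    return findings


if __name__ == "__main__":
    for svc, why in triage(SAMPLE_LOG):
        print(f"{svc.name}: {svc.path}")
        for reason in why:
            print("   -", reason)
```
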

    bonkers said: Very nice post DragonsLore. I would also highly recommend people to use Firefox browser or any other browsers out there instead of Internet Explorer whenever possible, since they don't have Active X in them which can let spyware in too.

    Firefox Browser (free)

    If anyone needs anymore convincing then read this, Three unpatched flaws in Internet Explorer now pose a higher danger!


    From another post:

    Yahoo is now using something called "Web Beacons" to
    track Yahoo Group users around the net and see what you're doing
    and where you are going, similar to cookies.

    Yahoo is recording every website and every group you
    visit. Take a look at their updated privacy statement:
    Here's how to opt out!!!

    About half-way down the privacy statement page, in the
    section on cookies, you will see a link that says web beacons.

    Click on the phrase web beacons. That will bring you
    to a paragraph entitled "Outside the Yahoo Network."
    In this section you'll see a little "click here to opt
    out" link that will let you opt-out of their new
    method of snooping.

    Once you have clicked that link, you are exempted.

    Notice the "Success" message on the top of the next

    DO NOT hit the "Cancel Opt-out" button ... if clicked,
    it will *undo* the opt-out. Feel free to forward this
    to other groups or folks you know have Yahoo accounts Yahoo

    Web beacons are not spyware at all.

    Instead, they are similar to a cookie as it can be used to track your movements across the web.

    This is also not a new technology as it has been in use for a while now, but Yahoo has decided to give them a new name.

    A web beacon is basically a small image such as a 1 x 1 pixel clear image which is used in conjunction with a cookie.

    Matter of fact, such tools as Hosts Files, SpyBot-S&D and SpyWareBlaster can block web beacons simply by blocking the Host address the web beacon originates from.

    But if the image used for the web beacon uses the same address as the web site you're visiting, then you'll lock yourself out of the website if you try to block it.

    Typically, many websites will use subdomains for such stuff as images, cookies and other items. So instead of blocking the website domain, you would block the subdomain that the image comes from.

    Matter of fact, I think there are some tools out there which can specifically block web beacons themselves, but I do not remember the names of these particular pieces of software. They should be easy enough to find though.

    Web beacons are not something that infects your system and as I have said, they are not spyware, so as such, there has been no need to cover web beacons in the above article.
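The hosts-file approach described in the reply above, as an added example that is not part of the original thread: it finds 1 x 1 images in a page, emits hosts entries for the hosts that serve them, and leaves out any beacon served from the site's own host, since blocking that would lock you out of the site. The page URL, HTML and host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; all host names are placeholders.
PAGE_URL = "http://www.example.com/news/index.html"
PAGE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="60">
<img src="http://beacons.example.com/b.gif?u=123" width="1" height="1">
<img src="http://stats.example.net/pixel.gif" width="1" height="1" alt="">
<img src="/t.gif?page=news" width="1" height="1">
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Collect the host of every <img> declared as 1 x 1 pixel."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.beacon_hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        # Only images sized through width/height attributes are seen here;
        # a beacon hidden with CSS would need a different check.
        if attr.get("width") == "1" and attr.get("height") == "1" and attr.get("src"):
            # Resolve relative URLs against the page so they map to its host.
            host = urlparse(urljoin(self.page_url, attr["src"])).hostname
            if host:
                self.beacon_hosts.append(host)


def hosts_entries(page_url, html):
    """Return (hosts-file lines to add, beacon hosts that must not be blocked)."""
    site_host = urlparse(page_url).hostname
    finder = BeaconFinder(page_url)
    finder.feed(html)
    block, skipped = [], []
    for host in finder.beacon_hosts:
        # Same host as the page: a hosts entry would block the whole site.
        target = skipped if host == site_host else block
        if host not in target:
            target.append(host)
    return ["127.0.0.1 " + host for host in block], skipped


if __name__ == "__main__":
    entries, skipped = hosts_entries(PAGE_URL, PAGE_HTML)
    print("\n".join(entries))
    print("not blocked (same host as the site):", ", ".join(skipped))
```
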

    Windows XP has done it again.

    The beta version of windows antispyware is out.
    It rocks. Nothing like PK2. I am surprised by the number of hits it had despite the regular other programs already running (Spybot, adaware etc).
    I am convinced it's a must for every xp user. Gives you a full description of the catches and even references to read more about the property of the malwares. Has a protection against the hijacking your home page, severity gauge etc. Best of all it's free.

    Here is the link:
    Microsoft's beta v. antispyware

    If you had read the article above, you would have seen that there is already a link to the MS AntiSpyware webpage.

    This tool holds some real promise, but at the same time, do not rely on this tool alone as no single tool can handle all of the various parasites out there. Especially if you happen to get infected by some of the really bad ones.

    Also, knowing Microsoft, this tool will most likely only remain free until it is no longer a beta after which they will most likely charge for it.

    If they decide not to charge for this tool, then this would be something very unusual for them to do.

    Here's some software that is being offered for free to home users:

    It pro-actively prevents spyware, adware, worms, etc. from being installed on your PC in the first place.

    Note some of the links to the tools, like FindnFix now lead to a dead link.

    hi, for some reason, the idle time set before my screensaver turns on changed to 180 minutes from 1 minute.
    why would something like this happen?
    i live in a dorm, and my door is usually unlocked. do you think someone came in and did something to my computer when i went out, but before the 1 minute idle time and changed the idle time from 1 min to 180?
    i set the password required for logging in back from the screensaver.
    i scanned my computer with mcafee virus scanner, adaware, and spybot and found nothing unusual.
    i hope no one took my files off my computer.

    RShea said: Note some of the links to the tools, like FindnFix now lead to a dead link.
    The link in this article is still good as it leads to another website.

    If you look at the download link on that site, it's for

    Either that site is having a problem or they misplaced the file. needs to be alerted as to the problem.

    titewad said: Here's some software that is being offered for free to home users:

    It pro-actively prevents spyware, adware, worms, etc. from being installed on your PC in the first place.
    DragonsLore - what are your thoughts on this tool?

    From what I could find out about it, it is a good tool which is being used in the security forums.


    I thought I had replied to this question in another thread which was posted asking about this tool?

    As I stated earlier, when I get around to updating this thread, I will be adding this tool to the list along with some others.

    Skipping 44 Messages...
    More tools that should be added are Kaspersky online scan/file submission and trial versions.

    The online scan does not clean infections, but it does inform you that you are infected. You have to download the trial version to remove them.

    The online file submission allows you to submit a suspicious file and Kaspersky scans it on their server and tells you if it is infected and provides the name of the virus.

    I scanned my neighbor's heavily infected PC with AVG (installed), Trend (online), A2 (trial, installed) and Kaspersky (trial, installed) in that order and each found infected files after the previous scan said the machine was clean. Surprisingly, Kaspersky found 22 infected files in the Windows\system folder after the machine had already been scanned by three other programs.

    I know everyone here recommends and uses AVG, but I checked the cache on my neighbor's PC and his family was not doing any kind of risky surfing and they still got infected with viruses that AVG did not detect when I used it as a tool to clean up existing infections. Granted their PC did not have MS auto updates on and they did not have a firewall and they were not using any AV programs until it was too late, but I have much less confidence in AVG after this experience.
