Ask Windows XP Expert Walter Clayton About Spyware

Thread starter: Guest
Andrew said:
I already know what spyware can do and all to your computers, but what are
the best spyware and Ad-aware remover programs out there? I'm using Spybot
1.3 and Ad-aware 6.0 from Lavasoft, and I heard that having two good spyware
and Ad-aware remover programs will remove about 90% of spyware and Ad-aware
off your computer and keep it out.

The best applications I have found for spyware removal and prevention are
found in the spiel below, along with other applications for avoiding and
preventing other types of infections/problems. Matter of fact, these
applications are not based merely on my experience (although if they are on
the list below, I have used them in one form or another) - but also based on
suggestions seen in and around these forums and throughout the Internet.

If you don't wish to follow all of the advice immediately, just want to
get rid of your current dilemma, then you are welcome to scroll down to
the section titled "SPYWARE/ADWARE/POPUPS", where your problem as
stated should be resolved by the applications and suggestions found in
that section. If this helps solve your problem then I again HIGHLY
suggest you follow the rest of the advice below (matter of fact, I
suggest it either way.)

Suggestions on what you can do to secure/clean your PC. I'm going to try
and be general, I will assume a "Windows" operating system is what is
being secured here.


There are annoyances out there you can get without
trying. Your normal web surfing, maybe a wrong click on a web page, maybe
just a momentary lack of judgment by installing some software packages
without doing the research.. And all of a sudden your screen starts filling
up with advertisements or your Internet seems much slower or your home page
won't stay what you set it and goes someplace unfamiliar to you. This is
spyware. There are a whole SLEW of software packages out there to get rid
of this crud and help prevent reinfection. Some of the products already
mentioned might even have branched out into this arena. However, there are
a few applications that seem to be the best at what they do, which is
eradicating and immunizing your system from this crap. Strangely, the best
products I have found in this category ARE generally free. That is a trend
I like. I make donations to some of them, they deserve it!

Two side-notes: Never think one of these can do the whole job.
Try the first 5 before coming back and saying "That did not work!"
Also, you can always visit:
For more updated information.

Spybot Search and Destroy (Free!)

Lavasoft AdAware (Free and up)

CWSShredder (Free!)

Hijack This! (Free)
( Tutorial: )

SpywareBlaster (Free!)

IE-SPYAD (Free!)

ToolbarCop (Free!)

Bazooka Adware and Spyware Scanner (Free!)

Browser Security Tests

The Cleaner (49.95 and up)

That will clean up your machine of the spyware, given that you download and
install several of them, update them regularly and scan with them when you
update. Some (like SpywareBlaster and SpyBot Search and Destroy) have
immunization features that will help you prevent your PC from being
infected. Use these features!

Unfortunately, although that will lessen your popups on the Internet/while
you are online, it won't eliminate them. I have looked at a lot of options,
seen a lot of them used in production with people who seem to attract popups
like a plague, and I only have one suggestion that ends up serving double
duty (search engine and popup stopper in one):

The Google Toolbar (Free!)

Yeah - it adds a bar to your Internet Explorer - but it's a useful one. You
can search from there anytime with one of the best search engines on the
planet (IMO.) And the fact it stops most popups - wow - BONUS! If you
don't like that suggestion, then I am just going to say you go to and search for other options.

One more suggestion, although I will suggest this in a way later, is to
disable your Windows Messenger service. This service is not used frequently
(if at all) by the normal home user and in cooperation with a good firewall,
is generally unnecessary. Microsoft has instructions on how to do this for
Windows XP here:


This one is the most obvious. There is no perfect product and any company
worth their salt will try to meet/exceed the needs of their customers and
fix any problems they find along the way. I am not going to say Microsoft
is the best company in the world about this but they do have an option
available for you to use to keep your machine updated and patched from
the problems and vulnerabilities (as well as product improvements in some
cases) - and it's free to you.

Windows Update

Go there and scan your machine for updates. Always get the critical ones as
you see them. Write down the KB###### or Q###### you see when selecting the
updates and if you have trouble over the next few days, go into your control
panel (Add/Remove Programs), match up the latest numbers you downloaded
recently (since you started noticing an issue) and uninstall them. If there
was more than one (usually is), install them back one by one - with a few
hours of use in between, to see if the problem returns. Yes - the process
is not perfect (updating) and can cause trouble like I mentioned - but as
you can see, the solution isn't that bad - and is MUCH better than the
alternatives. (SASSER/BLASTER were SO preventable with just this step!)

Windows is not the only product you likely have on your PC. The
manufacturers of the other products usually have updates as well. New
versions of almost everything come out all the time - some are free, some
are pay - some you can only download if you are registered - but it is best
to check. Just go to their web pages and look under their support and
download sections.

You also have hardware on your machine that requires drivers to interface
with the operating system. You have a video card that allows you to see on
your screen, a sound card that allows you to hear your PC's sound output and
so on. Visit those manufacturer web sites for the latest downloadable
drivers for your hardware/operating system. Always (IMO) get the
manufacturer's hardware driver over any Microsoft offers. On the Windows
Update site I mentioned earlier, I suggest NOT getting their hardware
drivers - no matter how tempting.

Have I mentioned that Microsoft has some stuff to help secure your computer
available to the end-user for free? This seems as good of a time as any.
They have a CD you can order (it's free) that contains all of the Windows
patches through October 2003 and some trial products as well that they
released in February 2004. Yeah - it's a little behind now, but it's better
than nothing (and used in coordination with the information in this post,
well worth the purchase price..)

Order the Windows Security Update CD

They also have a bunch of suggestions, some similar to these, on how to
better protect your Windows system:

Protect your PC


Let's say you are up-to-date on the OS (operating system) and you have
Windows XP.. You should at least turn on the built in firewall. That will
do a lot to "hide" you from the random bad things flying around the
Internet. Things like Sasser/Blaster enjoy just sitting out there in
Cyberspace looking for an unprotected Windows Operating System and jumping
on it, doing great damage in the process and then using that Unprotected OS
to continue its dirty work of infecting others. If you have the Windows XP
ICF turned on - default configuration - then they cannot see you! Think of
it as Internet Stealth Mode at this point. It has other advantages, like
actually locking the doors you didn't even (likely) know you had. Doing
this is simple, the instructions you need to use your built in Windows XP
firewall can be found here:

If you read through that and look through the pages that are linked from it
at the bottom of that page - I think you should have a firm grasp on the
basics of the Windows XP Firewall as it is today. One thing to note RIGHT
NOW - if you have AOL, you cannot use this nice firewall that came with
your system. Thank AOL, not Microsoft. You HAVE to configure another
one.. So we continue with our session on Firewalls...

But let's say you DON'T have Windows XP - you have some other OS like
Windows 95, 98, 98SE, ME, NT, 2000. Well, you don't have the nifty built in
firewall. My suggestion - upgrade. My next suggestion - look through your
options. There are lots of free and pay firewalls out there for home users.
Yes - you will have to decide on your own which to get. Yes, you will have
to learn (oh no!) to use these firewalls and configure them so they don't
interfere with what you want to do while continuing to provide the security
you desire. It's just like anything else you want to protect - you have to
do something to protect it. Here are some suggested applications. A lot of
people tout "ZoneAlarm" as being the best alternative to just using the
Windows XP ICF, but truthfully - any of these alternatives are much better
than the Windows XP ICF at what they do - because that is ALL they do.

ZoneAlarm (Free and up)

Kerio Personal Firewall (KPF) (Free and up)

Outpost Firewall from Agnitum (Free and up)

Sygate Personal Firewall (Free and up)

Symantec's Norton Personal Firewall (~$25 and up)

BlackICE PC Protection ($39.95 and up)

Tiny Personal Firewall (~$49.00 and up)

That list is not complete, but they are good firewall options, every one of
them. Visit the web pages, read up, ask around if you like - make a
decision and go with some firewall, any firewall. Also, maintain it.
Sometimes new holes are discovered in even the best of these products and
patches are released from the company to remedy this problem. However, if
you don't get the patches (check the manufacturer web page on occasion),
then you may never know you have the problem and/or are being used through
this weakness. Also, don't stack these things. Running more than one
firewall will not make you safer - it would likely (in fact) negate some
protection you gleaned from one or the other firewalls you ran together.


That's not all. That's one facet of a secure PC, but firewalls don't do
everything. I saw one person posting on a newsgroup that "they had
never had a virus and they never run any anti-virus software." Yep - I used
to believe that way too - viruses were something everyone else seemed to
get, were they just stupid? And for the average joe-user who is careful,
uses their one-three family computers carefully, never opening unknown
attachments, always visiting the same family safe web sites, never
installing anything that did not come with their computer - maybe, just
maybe they will never witness a virus. I, however, am a Network Systems
Administrator. I see that AntiVirus software is an absolute necessity given
how most people see their computer as a toy/tool and not something
they should have to maintain and upkeep. After all, they were invented to
make life easier, right - not add another task to your day. You
can be as careful as you want - will the next person be as careful? Will
someone send you unknowingly the email that erases all the pictures of your
child/childhood? Possibly - why take the chance? ALWAYS RUN ANTIVIRUS
SOFTWARE and KEEP IT UP TO DATE! Antivirus software comes in so many
flavors, it's like walking into a Jelly Belly store - which one tastes like
what?! Well, here are a few choices for you. Some of these are free (isn't
that nice?) and some are not. Is one better than the other - MAYBE.

Symantec (Norton) AntiVirus (~$11 and up)

Kaspersky Anti-Virus (~$49.95 and up)

Panda Antivirus Titanium (~$39.95 and up)
(Free Online Scanner:

AVG 6.0 Anti-Virus System (Free and up)

McAfee VirusScan (~$11 and up)

AntiVir (Free and up)

avast! 4 (Free and up)

Trend Micro (~$49.95 and up)
(Free Online Scanner:

RAV AntiVirus Online Virus Scan (Free!)

Did I mention you have to not only install this software, but also keep it
updated? You do. Some of them (most) have automatic services to help you
do this - I mean, it's not your job to keep up with the half-dozen or more
new threats that come out daily, is it? Be sure to keep whichever one you
choose up to date!


This one can get annoying, just like the rest. You get 50 emails in one
sitting and 2 of them you wanted. NICE! (Not.) What can you do? Well,
although there are services out there to help you, some email
servers/services that actually do lower your spam with features built into
their servers - I still like the methods that let you be the end-decision
maker on what is spam and what isn't. If these things worked perfectly, we
wouldn't need people and then there would be no spam anyway - vicious
circle, eh? Anyway - I have two products to suggest to you, look at them
and see if either of them suits your needs. Again, if they don't, Google is
free and available for your perusal.

SpamBayes (Free!)

Spamihilator (Free!)

As I said, those are not your only options, but are reliable ones I have
seen function for hundreds+ people.


I might get arguments on putting this one here, but it's my spiel. There are
lots of services on your PC that are probably turned on by default you don't
use. Why have them on? Check out these web pages to see what all of the
services you might find on your computer are and set them according to your
personal needs. Be CAREFUL what you set to manual, and take heed and write
down as you change things! Also, don't expect a large performance increase
or anything - especially on today's 2+ GHz machines, however - I look at each
service you set to manual as one less service you have to worry about
someone exploiting. A year ago, I would have thought the Windows Messenger
service to be pretty safe, now I recommend (with addition of a firewall)
that most home users disable it! Yeah - this is another one you have to
work for, but your computer may speed up and/or be more secure because you
took the time. And if you document what you do as you do it, next time, it
goes MUCH faster! (or if you have to go back and re-enable things..)

Task List Programs

Black Viper's Service List and Opinions (XP)

Processes in Windows NT/2000/XP

There are also applications that AREN'T services that start up when you start
up the computer/logon. One of the better descriptions on how to handle these
I have found here:


That's it. A small booklet on how to keep your computer secure, clean of
scum and more user friendly. I am SURE I missed something, almost as I am
sure you won't read all of it (anyone for that matter.) However, I also
know that someone who followed all of the advice above would also have fewer
problems with their PC, fewer problems with viruses, fewer problems with spam,
fewer problems with spyware and better performance than someone who didn't.

Hope it helps.

Generally all I use is AdAware first followed by SpyBot. There's a lot of
overlap in the two tools, but they also concentrate on non-overlapping
areas. It's also wise to follow up with installing SpywareBlaster. None of
these require run time presences although SpyBot will offer to install such.
No harm in doing so and in some instances, especially with multi-user
machines, a necessity. The biggest issue is remembering to run them
periodically after checking for updates. The latter is one of the reasons,
other than not changing usage habits, that people get reinfected. It's
easier to avoid being click happy than it is to clean up the mess.

There are instances where AdAware/SpyBot may be neutralized or unable to
clean something. I handle those on a case by case basis since you're looking
at going with some highly specialized tools that if misused will leave the
machine unbootable (note that there is a nasty that the current version of
AdAware had been cleaning incorrectly that would make it impossible to log
on to the machine without taking corrective action).

Depending on your level of expertise there are some tools that circumvent
issues with removing nasties that are resident in memory even in safe mode.
If an XP machine is being disinfected I use a bootable CD created using
Bart's tools with fully updated AdAware, Trendmicro, McAfee and Kaspersky
tools (all free versions) incorporated. This also allows me to correct any
registry issues on the host machine without any major hassles other than
knowing what parts of the registry need be hacked. The reason I include and
run AV scanners is generally if some one has a load of spyware it's not
unusual they'll have nastier stuff as well.

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.

My Internet Exp has been hijacked by CoolWebSearch and AdAware, Spybot &
SpywareBlaster have not detected it or removed it! What can I do??
Have you made sure that you updated products? Are you running these
programs in safe mode? Have you disabled system restore *before* running
these programs? Try these steps and see if they help.
Michel said:
My Internet Exp has been hijacked by CoolWebSearch and AdAware,
Spybot & SpywareBlaster have not detected it or removed it! What can
I do??

There is a tool made specifically for this nasty application.

Download the utility CWShredder:

Unzip, close all instances of IE & OE, start the executable and follow the

Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.
Like zippy said, update AdAware and Spybot *before* scanning and run them in
safe mode. If that still doesn't solve the problem then you can try
CWShredder but don't be surprised if it doesn't work. The developer has quit
maintaining it so depending on exactly what flavor you have that might not

Give that a try first.

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.

I meant just to disable it while doing the scans, then put it back on. I've
found this method the only way to completely rid the system. If he had to
repair to a previous date, guess what he's going to get back? Coolweb. I
thought you were the expert?
Even Norton says to disable system restore.........

Trust me or not. Disabling SR during the weed out is dangerous. Once the
machine is clean *then* purge SR and snap a base line. Yes, if a system
restore must be done because the weed out trashed the machine, then yes,
you're back with the crapware but at least the system is usable so that you
can try a different approach that won't leave the machine in worse shambles.

Or to rephrase it, why do you think Spybot, by default, takes a SR snapshot
prior to altering anything on the system?

Ripping some of this stuff out is dangerous and NT kernels are rather
fragile in this regard. SR is the only graceful mechanism that people have
to restore functionality if something in the TCP stack gets ripped out
incorrectly leaving the machine DOA as far as getting on the 'net is
concerned. Unless they happen to have the proper repair tools on hand in
advance. Or if they hook the shell in such a manner that GUI fails on normal

Frankly I'm concerned about what Norton says. They have less than a stellar

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.

I have been having challenges with adware.iefeatsl & winshow. Norton
identifies entries to remove from the registry (most of them not there); they
also suggest that I delete files manually that Norton will not. Bottom line
is that I am going to have to delete a lot of files to de-possess my IE. I
have already deleted some of the files and noticed some system instability.
My search function in Explorer craters (as an example). I have tried Spybot
etc... No luck. Any suggestions? I am about to reload Windows XP. I am
looking into Linux as well.

Well I hear what you are saying. But I wouldn't want to have to restore to
a point where I had the scumware and have to start back at ground zero
trying to get rid of it. I'd lose all my hair. Guess I've just got lucky
with the way I have been doing it for a while. I have found that this
Coolweb thingy has many variants and some variants are easier to get rid of
with just AdAware, Spybot, CWShredder, and HijackThis. While on other
computers I've worked on weren't quite so easy. The version I had even got
past my firewall. Mistyped an address and got directed to a malicious
website and before I knew it I had programs like Notepad and Windows Media
Player asking for permission to access the net through ZoneAlarm. Right
then and there I knew something was wrong as these shouldn't have been
asking for permission. I tried running Spybot, AdAware, and HijackThis,
even from safe mode. But I was unable to get rid of it totally till I
disabled system restore and then scanned in safe mode. It was still asking
for permission. I usually use AVG Free for virus scans, but this program is
unable to scan in safe mode normally and was not detecting any viruses so I
ran Norton from CD, in case the variant I had disabled installed scanners.
This also found Trojan Downloader that was created on the same day as
Coolweb. I'm thinking these two went hand in hand. I was still getting
pop-ups, programs still asking for permission. Once I disabled restore and
then ran all these programs again it was able to quarantine most items. I was
no longer getting all the pop-ups. Programs were no longer asking for
permission. But I still had to manually remove Content.IE5. These infected
items were found in the index.dat file that Norton was unable to remove.
Had to fix Notepad. So, I've found that even with virus scanners, spyware
removal tools and a firewall doesn't mean you are protected 100%. To date,
they still don't have software for Operator Error :-)) That's why now I've
been very diligent backing up to CD any information that I really really
need, and if something does go wrong, it's just as easy for me now to just do a
clean install of XP rather than restore. Although this is a last resort.

Yep, t'ain't nothing can be done about the person at the keyboard. BTDTBTTS

Depending on how competent you are you can do what I do when I'm on site. Go
to and grab Bart's PE. You'll need either a standard
retail/OEM CD (not a restore set) or an I386 directory on disk. Follow
the instructions and you can create a stand alone XP environment that has
AdAware, command line AV scanners, and other tools you feel you need. It's a
lot easier to nail some of the trickier variants that load themselves in safe
mode. And since it has full networking support you can push data across a
network to another machine if things get really nasty.

I've tussled with some of the more wily varieties myself and never had to
disable SR. I have hand massaged the registry and clipped nasties off the
drive either in safe mode when AdAware and Spybot were prohibited from
correcting the registry (and that gets tricky with an active nasty :-) or
via Bart's.

TrendMicro has stepped up to the plate and offers a free tool
( that I've started to use. Also
there's a tool at that identifies stuff
launching with the system that isn't part of a default virgin install. Use
extreme care when interpreting the results. Some people have
unintentionally shot themselves in the foot extremely badly (flat lined the
system) when hacking the wrong thing out of the registry. Couple that with and, if you're
really competent at you'll find a Trojan
Finder tool that will let you determine what is preventing you from
terminating a task. It will also let you kill tasks. There's some other
handy stuff there as well.

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.

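Two passages in this thread describe the same manual routine: the services/startup section earlier ("write down as you change things", then check what starts up at logon) and Walter's note above about a tool that lists what launches with the system beyond a clean install. The following Windows PowerShell script is an added example, not code from the thread or from any of the tools it names. It snapshots every service's start mode plus the common autostart registry entries (Run, RunOnce and the Winlogon\Notify packages mentioned later in the thread) into a CSV baseline, and diffs a later snapshot against it so that anything you changed, or anything that changed itself, stands out. The output paths and the list of keys it reads are assumptions.

```powershell
# Added example (not from the thread): snapshot service start modes and common
# autostart registry entries to CSV before changing anything, then diff a later
# snapshot against that baseline. Key list and file paths are assumptions.
# Uses Get-WmiObject, so run it in Windows PowerShell (5.1 or earlier).

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)

function Get-StartupBaseline {
    # One record per service: how it starts today (Auto / Manual / Disabled) and its binary.
    $services = Get-WmiObject Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{
            Kind = 'Service'; Name = $_.Name; Value = $_.StartMode; Path = $_.PathName }
    }

    # One record per Run/RunOnce value. Winlogon\Notify holds one subkey per
    # notification package, so for that key record the DLL each subkey loads.
    $autoruns = foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }   # key absent on this Windows version
        if ($key -like '*Winlogon\Notify') {
            Get-ChildItem $key | ForEach-Object {
                $dll = (Get-ItemProperty $_.PSPath).DllName
                New-Object PSObject -Property @{
                    Kind = 'WinlogonNotify'; Name = $_.PSChildName; Value = $dll; Path = $key }
            }
        } else {
            $props = Get-ItemProperty $key
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds its own PSPath/PSChildName/... members; skip those.
                if ($p.Name -like 'PS*') { continue }
                New-Object PSObject -Property @{
                    Kind = 'Run'; Name = $p.Name; Value = $p.Value; Path = $key }
            }
        }
    }

    @($services) + @($autoruns) |
        Where-Object { $_ -ne $null } |
        Select-Object Kind, Name, Value, Path
}

function Compare-StartupBaseline {
    param(
        [Parameter(Mandatory=$true)][string]$BaselineCsv,
        [Parameter(Mandatory=$true)][string]$CurrentCsv
    )
    $before = Import-Csv $BaselineCsv
    $after  = Import-Csv $CurrentCsv
    # Rows whose Kind/Name/Value triple differs: '<=' only in the baseline, '=>' only in the current snapshot.
    Compare-Object $before $after -Property Kind, Name, Value | Sort-Object Kind, Name
}

# Usage: take the baseline BEFORE touching any service, a second snapshot afterwards, then diff.
# Get-StartupBaseline | Export-Csv -NoTypeInformation C:\baseline\startup-before.csv
# ... change services / remove startup entries ...
# Get-StartupBaseline | Export-Csv -NoTypeInformation C:\baseline\startup-after.csv
# Compare-StartupBaseline C:\baseline\startup-before.csv C:\baseline\startup-after.csv
```

Keep the "before" CSV somewhere off the machine being cleaned: it is the written record the earlier post asks for, and if a service you set to Manual turns out to be needed, the baseline tells you exactly what its start mode was. Re-running the snapshot a week later and diffing it is also a cheap check that nothing has quietly added itself back to a Run key.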
Linux will simply leave you with a different set of vulnerabilities and a
hefty learning curve initially. Staying with Windows and switching to a
different browser, although less of a learning curve, will simply change the
vulnerabilities with regard to browser hijacking. They are alternatives, but
for the average user, not what I would call as attractive as some people
would like to think.

Go to and download the Sysclean
package. You'll also need the template file linked on the same page. Read
the instructions on how to run this.

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.

Walter: NAV found a trojan horse called pwsteal.banker.b on my machine. NAV
has denied access to the file but NAV always generates a pop up. It seems to
me that the trojan horse is successfully isolated but a program is constantly
calling for it....therefore the NAV popup. The suggested Symantec fix says
to repair the registry in safe mode. I've never edited the registry before.
I have a couple of questions:

1) how do you backup the registry in WinXP Home Edition, and

2) Symantec says to delete certain values after navigating to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT\CurrentVersion\Winlogon\Notify\f3dsl
and to HKEY_LOCA-MACHINE\System\CurrentControlSet\Control. I can't seem to
find these. Are these in XP?

I have been using ZoneAlarmPro firewall and from time to time receive an
alert: "Microsoft Windows Based Script Host is trying to connect to the
internet..." - no information is available...
so I have been denying access but I wonder if this is an authentic Microsoft
Update download - and should be allowing access.
You can read the message as
"A program is trying to connect ... "

Not helpful. Need the program name. WSH is a program that hosts other programs.
Registry back up is part of system restore. Just force a manual system
restore point before proceeding. Counter to Symantec instructions, disabling
SR is not a good idea at this point.

Regardless, looking at the instructions the Symantec has, yes those registry
keys will be present on HE when your machine is infected. I noticed you
typoed some of the branches so double check.

I'm still amazed that Symantec expects people to have to hack the registry.

There are a couple of free tools you can try as well. One is the Sysclean tool
from TrendMicro located at -
download the 'damage cleanup engine template' (link on the same page) and
follow the instructions, or their online scanner at - you can also try Panda's online scanner

Walter Clayton - MS MVP(WinXP)
Associate Expert
Any technology distinguishable from magic is insufficiently advanced.
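Walter's reply above makes two points that can be turned into concrete steps: a "Windows Based Script Host" firewall alert names only the host (wscript.exe or cscript.exe), not the script it is running, and the registry should be backed up, by way of a System Restore point, before any value is deleted. The following Windows PowerShell functions are an added example, not code from the thread or from Symantec's write-up. The first lists the command line of every running script host so the actual script becomes visible; the second takes a restore point and a .reg export of the key and only then removes a named value, refusing to proceed if the key or value does not exist (the likeliest symptom of a typoed path, as in the question). The backup directory and the value name are assumptions; the Winlogon\Notify\f3dsl key is the one from the question, spelled here as Windows names that branch.

```powershell
# Added example (not from the thread): (1) show which script a "Windows Based
# Script Host" alert refers to, and (2) back up a registry key with a restore
# point plus a .reg export before deleting one value from it.
# Backup directory and value name are assumptions. Run elevated, in Windows PowerShell.

function Get-ScriptHostProcesses {
    # wscript.exe / cscript.exe only host scripts; the script file is on the command line.
    Get-WmiObject Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

function Backup-RegistryKey {
    param(
        [Parameter(Mandatory=$true)][string]$RegPath,   # reg.exe form, e.g. HKLM\SOFTWARE\...
        [Parameter(Mandatory=$true)][string]$OutDir
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir "backup-$stamp.reg"
    # reg.exe export writes a .reg file that can be re-imported later with `reg import <file>`.
    & reg.exe export $RegPath $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegPath" }
    $file
}

function Remove-RegistryValueSafely {
    param(
        [Parameter(Mandatory=$true)][string]$RegPath,    # reg.exe form: HKLM\... or HKCU\...
        [Parameter(Mandatory=$true)][string]$ValueName,
        [string]$BackupDir = 'C:\regbackup'              # assumption
    )
    # Only HKLM: and HKCU: exist as PowerShell drives by default, so accept just those hives.
    if ($RegPath -notmatch '^(HKLM|HKCU)\\') { throw "Use a path starting with HKLM\ or HKCU\" }
    $psPath = $RegPath -replace '^(HKLM|HKCU)\\', '${1}:\'

    if (-not (Test-Path $psPath)) { throw "Key not found: $RegPath (check the path for typos)" }
    $props = Get-ItemProperty -Path $psPath
    if ($props.PSObject.Properties[$ValueName] -eq $null) {
        throw "Value '$ValueName' not present under $RegPath"
    }

    # 1. System Restore snapshot. This needs System Restore enabled, which is
    #    why it should not be switched off before the clean-up starts.
    Checkpoint-Computer -Description "Before removing $ValueName from $RegPath" `
                        -RestorePointType MODIFY_SETTINGS
    # 2. File-level export of just this key.
    $backup = Backup-RegistryKey -RegPath $RegPath -OutDir $BackupDir
    # 3. Only now remove the value.
    Remove-ItemProperty -Path $psPath -Name $ValueName
    "Removed '$ValueName' from $RegPath; key exported to $backup"
}

# Usage:
# Get-ScriptHostProcesses
# Remove-RegistryValueSafely `
#     -RegPath 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl' `
#     -ValueName 'VALUE_NAMED_IN_THE_VENDOR_WRITEUP'   # placeholder
```

Two caveats. `Checkpoint-Computer` writes a warning rather than a restore point if System Restore is disabled, and on Windows 8 and later it will not create a second restore point within 24 hours of the previous one, so read its output before continuing. The .reg export is the second line of defence: it restores exactly the key you touched without rolling back anything else, which is what you want if the removal turns out to be the wrong value.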