How to delete hard-to-remove malware, spyware and trojan downloaders?

Posted on 2005-04-06
Last Modified: 2013-12-04

A friend of mine had the computer full of sh1t. You know what I mean... (read title)

I'm not new to cleaning malware etc. I've used Adaware Pro, then I found PestPatrol, which works better than Adaware...

Anyway, PestPatrol is not perfect. With PestPatrol I removed lots of spyware from a computer, rebooted, and new spyware was detected. I removed it again, rebooted, and still the same. Obviously there was a spyware downloader somewhere else.

The new spyware and trojan downloaders (on my computer I have none of them) are really hard to kill. So I'd like to know better systems to clean them.

I used Xraypc, which is similar to hijackthis. But this tool didn't help that much.
I had to manually search in the registry file, regedit... and found lots of interesting entries that I removed from "Run".

I also deleted some suspect files inside c:\Windows\Downloaded Program Files

I tried The Cleaner, which found a trojan and removed it inside c:\Windows.

I deleted some .exe files inside c:\Documents and Settings\Myprofile\

But some .exe files couldn't be deleted.

Now, I searched the registry file to find where these files are executed at startup and found nothing, I searched win.ini, system.ini and found nothing.


So now my questions are the following:

1) how can I get rid of this suspect file .exe inside c:\Documents and Settings\Myprofile\Local Settings\Temp ? If I try to delete, it says "file in use".

2) How can I see where all the processes are started, and deactivate them? Is there a program better than xraypc and hijackthis?

3) Where are the locations to run files at startup?
I know these ones:

- Start > Programs Startup
- Regedit > Software > Microsoft > Windows > CurrentVersion > Run, RunOnce
- Win.ini
- System.ini
- Windows Services (can some spyware or trojans be installed as Windows Services? I didn't investigate this on my friend's PC)

4) Can you provide a tutorial or a guide to clean also the most messed-up computer full of sh1t, like the one my friend has?
My friend is not the only one, other people may ask my help and I'd like to help them to remove everything.

I'd prefer links to guides/tutorials online: no need to copy and paste all the text here, just put the links.

5) Can you provide me a list of programs (also non-free) that I should have with me when I go to a friend that has the computer full of this sh1t?

The programs I already have in my collection:

- Stinger
- PestPatrol 4.4 + updater (I don't use Adaware, as Adaware finds less spyware than PestPatrol)
- The Cleaner
- Xraypc (I prefer this one instead of hijackthis... do you know if one is better than the other?)

Do you know a better program than PestPatrol 4.4, because it doesn't seem effective with the new hard-to-kill malware...?

6) Once I have cleaned all the trojans, or if I give a PC to a new computer user... what should I install to protect him against all the spyware, malware etc.?

As basic protection I use the following:

- Service Pack 2, Autoupdates turned on, SP2 Firewall turned on
- AVGFree antivirus autoprotect turned on, autoupdate turned on
- Mozilla Firefox to surf, coz IE is the main hole where spyware gets in, am I right?

Should I add something more?

Thanks for letting me know, I really need more techniques to efficiently clean computers affected with the hard-to-kill spyware, malware etc. around.


Question by:firepol
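Question 3 asks where Windows looks for things to run at startup and whether services count. As an added example (not code from the thread or from any of the tools it names), here is a read-only PowerShell report over exactly the locations the question lists plus auto-start services; it assumes Windows PowerShell 3.0 or later and changes nothing.

```powershell
# Added example, not code from the original thread: list the autostart
# locations the question enumerates (Run/RunOnce keys, Startup folders,
# win.ini load=/run=, auto-start services) in one report so every entry can be
# reviewed by hand. Read-only: nothing is changed. Assumes Windows PowerShell
# 3.0 or later; the registry paths are the standard ones from the question.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Note properties PowerShell attaches to every registry item; they are not values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    # 1. Registry Run / RunOnce values, per machine and per user
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [PSCustomObject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }

    # 2. Start > Programs > Startup, for this user and for all users
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{ Source = "Startup folder ($folder)"; Name = $_.Name; Command = $_.FullName }
        }
    }

    # 3. Legacy win.ini [windows] section: load= and run= lines
    $winIni = Join-Path -Path $env:windir -ChildPath 'win.ini'
    if (Test-Path -Path $winIni) {
        Get-Content -Path $winIni | ForEach-Object {
            if ($_ -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                [PSCustomObject]@{ Source = 'win.ini'; Name = $Matches[1]; Command = $Matches[2] }
            }
        }
    }

    # 4. Services that start automatically: yes, malware can register as one
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [PSCustomObject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

$entries = Get-AutostartEntries
$entries | Format-Table -Property Source, Name, Command -AutoSize -Wrap

# Anything launching from Temp or the user profile deserves a closer look first
$entries | Where-Object { $_.Command -like "*$env:TEMP*" -or $_.Command -like "*$env:USERPROFILE*" } |
    Format-Table -Property Source, Name, Command -AutoSize -Wrap
```

The second table is the one to read first: a Run value or a service whose command points into Local Settings\Temp is the pattern the question describes, while the full table is what MSCONFIG's Startup tab shows, with services added.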
    LVL 25

    Assisted Solution

    Hello Paolo,

    Have you tried booting into Safe Mode, then removing all the sh1t from there? I know how frustrating all this is; when you've got a little bro, who insists on turning his firewall off for online gaming, and downloads everything he finds on KaZaA....  ;)

    I'm assuming you know how to boot into Safe Mode? If not, let me know. Anyway, once you're in Safe Mode, just run PestPatrol, AdAware, etc.. And also, go through things yourself; such as checking MSCONFIG, and removing any entries from there..

    Also run a decent AV scan, such as McAfee, or Norton.

    Ensure that all your firewall(s) are configured properly also.

    If that fails, do you have a Restore Point that you can use?

    I hope that helps a bit. :)

    LVL 25

    Expert Comment

    ...And just keep reminding yourself: "No system is 'secure'"... I find that this helps lower the blood pressure a little ;)
    LVL 30

    Assisted Solution

    and give him a limited account locked down with local policy

    run stinger from in safe mode
    LVL 25

    Expert Comment

    > Mozilla Firefox to surf, coz IE is the main hole where spyware gets in, am I right?
    Yeah, it's partially to blame.. But so are XP vulnerabilities. But you seem to have that covered:

    > Service Pack 2, Autoupdates turned on, SP2 Firewall turned on

    You don't seem to mention a firewall (other than SP2's one -- which doesn't really count! :P).
    Download and install one of these:

       ZoneAlarm FREE:


       Sygate Personal Firewall:

    I recommend Sygate if this machine is an ICS host, on a Network. But for a single user, ZoneAlarm is very neat. :)
    LVL 22

    Assisted Solution

    First you must disable System Restore. If you do not, then Windows will just recreate the previous image of your files.
    Then you must check the running processes.
    The reason you cannot delete the file(s) is because the hidden process is running on your system without you knowing it. So hit CTRL+ALT+DEL and see the running processes. Stop every process you do not know what it is about.
    If you were successful then you should be able to delete those files.
    Then go to the registry:
    and delete any entry that you find suspicious.
    Also go to :
    and also delete it from there.

    Then run Adaware and do like you used to..
    LVL 22

    Expert Comment

    and of course check the classic:  Start/Programs/Startup folder
    LVL 25

    Expert Comment

    >"and of course check the classic:  Start/Programs/Startup folder"
    No need; check MSCONFIG instead. That will show *all* startup items, from the Startup folder, *and* the registry, etc.
    Start => run => "msconfig" => ok => "startup" tab
    LVL 22

    Expert Comment

    Just be careful which processes you stop and the entries in the registry you delete. If you do not know what the process or the registry entry is, just ask...
    LVL 8

    Expert Comment

    by:nader alkahtani
    Use Safe Mode; in RUN type %temp% then delete all files, then disable System Restore, then scan your machine, just
    LVL 32

    Assisted Solution

    Here's one general tip for difficult cases:

    Sometimes, the suspect executables are locked by hidden processes and services, which you cannot see. If you try to delete or move the suspect executables, an "access denied" message shows up.

    What to do in such a case? I have found that the following approach is highly effective:

    Right-click on each suspect executable, select Properties, then select the Security tab and remove all permissions for all users (including System and Administrators) to access that file. Do this for all the suspected executables. (You may first have to uncheck the box that reads "Inherit from Parent..." or something like that).

    After the above, when you reboot, the suspect executables will fail to launch, and can be easily removed or deleted (after changing permissions one more time).

    Of course, this is only recommended for the intermediate level user who can tell apart the suspect executables from critical system files. Mistakes can result in unknown problems.
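The permission trick above can be scripted instead of clicked through the Security tab. The block below is an added example, not code from the thread: Lock-SuspectFile turns off inheritance and strips every access entry so the file cannot be read or executed at the next boot, and Unlock-SuspectFile gives Administrators full control back so it can be deleted. It assumes an NTFS volume, an elevated prompt, and that $SuspectPath is replaced with the file you identified.

```powershell
# Added example, not code from the original thread: the "remove all
# permissions" technique done with Get-Acl/Set-Acl instead of the Security tab.
# Assumes NTFS and an Administrator prompt. $SuspectPath is a placeholder.

function Lock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Same as unchecking "Inherit from parent": $true stops inheritance,
    # $false discards (rather than copies) the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit entry, identity by identity,
    # leaving an empty DACL: nobody, not even SYSTEM, can open the file.
    $identities = $acl.Access | ForEach-Object { $_.IdentityReference } | Select-Object -Unique
    foreach ($id in $identities) { $acl.PurgeAccessRules($id) }
    Set-Acl -Path $Path -AclObject $acl
}

function Unlock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    # The file's owner keeps READ_CONTROL and WRITE_DAC even with an empty
    # DACL, so the administrator who locked it can still read and reset the
    # ACL. If someone else owns it, run:  takeown /F <file>  first.
    $acl = Get-Acl -Path $Path
    $admins = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN', 'Administrators'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $admins, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholder path; this is the Temp file from the question)
$SuspectPath = "$env:USERPROFILE\Local Settings\Temp\suspect.exe"
Lock-SuspectFile -Path $SuspectPath
(Get-Acl -Path $SuspectPath).Access.Count    # 0 entries once locked
# ... reboot: the loader can no longer open the file, so nothing holds it ...
Unlock-SuspectFile -Path $SuspectPath
Remove-Item -Path $SuspectPath -Force
```

The reason this works where "file in use" blocks you is that the lock is evaluated at open time: after the reboot the component that used to launch the file gets access denied, so the file is never mapped into a process and the delete goes through.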
    LVL 2

    Author Comment


    Thanks, I didn't know MSCONFIG (or I forgot about its existence ;) ). It seems very handy.

    SP2 firewall: I had it myself and I think that for a typical user this firewall is enough. Why do you say that it doesn't count?

    For me the important thing about a firewall is that it blocks all ports; then it should be possible to open specific ports (which is quite difficult, with SP2 firewall, but it's possible).

    I had ZoneAlarm (free and pro) and my computer became unstable and slower with it. That's why I prefer to give my friends the default SP2 one.

    I also didn't think about the Safe Mode. Usually I access my friend's PC remotely with TightVNC, so I'm not sure I can help him during Safe Mode startup, but if I have physical access to the machine I'll try it.

    >...And just keep reminding yourself: "No system is 'secure'"... I find that this helps lower the blood pressure a little ;)

    I personally don't have an AV installed, I don't have a firewall but I have a Zyxel Prestige 650-R router which blocks all the ports by default (I just opened a few ones to play games or for a few other programs I use). I use Firefox and Thunderbird. Of course my system is not anti-hacker. I just had one time a problem, because I didn't open the proper ports (I opened a too large range) and a trojan downloader entered, I don't know how. It was a pain but I could manage to remove it. It was a few months ago.


    I tried a random .exe file in my temp folder (of my personal -and clean- PC) (an installation file), right-clicked on it, entered "Properties", but found no "Security" tab. Does the security tab show only for files executed at startup? Or does it apply only to specific files? Can you give me an example of a file (a Windows XP service, or whatever) where I can see the security tab?

    Nobody answered my question if there is a better anti-spyware than PestPatrol. I found an article that Microsoft AntiSpyware is finding lots of sh1t that PestPatrol doesn't detect...

    Thanks to everybody for the answers. I guess if you add a few more information I can close this question very soon and split the points.

    LVL 4

    Assisted Solution

    Here is my standard list of all the software someone needs to have:

    AVG antivirus is probably the best free one: (

    Spybot Search & Destroy ( This one is one of the only freewares that actually outmatches paid ones by far in tests
    Ad-aware (
    Microsoft Antispyware (

    The free edition of ZoneAlarm is probably best (

    1) First download the antivirus scanner, and make sure it's up to date. Then boot the system in safe mode (press F8 at boot) and do a full system scan, and remove what can be removed. After that, do another scan in normal mode. (The safe mode might not be needed, depending on how badly you are virused; if it runs in normal mode, there is most likely no worry.)

    2) After that, download both Microsoft AntiSpyware and Spybot, and make a full system scan with both, all options for scanning enabled

    3) Download Ad-Aware and make a full system scan

    4) Download Zonealarm and install it

    NOTE: I sorted the guide from dangerous to less dangerous. It's better to remove viruses before spyware, since they are more lethal. Ad-Aware is just for adware, which is less lethal. The firewall is just a keep-it-off option, rather than a clean-it one

    LVL 32

    Assisted Solution

    Re. the missing Security tab in file properties, (a) Verify that your file system is NTFS and not FAT, and (b) then see:

    Re. Firewall, I think the SP2 firewall is adequate for most users. It has less features than Zonealarm, but is also a lot less bothersome and intrusive.

    Re. Microsoft anti-spyware, do get it by all means (, though from your description I am not sure that any one program will be able to clean your system without manual intervention. Don't give up on the technique I mentioned for changing file permissions.

    Good luck.
    LVL 4

    Assisted Solution

    r-k WROTE:

    Re. Firewall, I think the SP2 firewall is adequate for most users. It has less features than Zonealarm, but is also a lot less bothersome and intrusive.

    Adequate: Yes, I agree with that. Bothersome and intrusive: No. If you configure ZoneAlarm a bit (and I say a BIT) you won't even notice it's running. It bothers a lot when you set it up, since it needs to know what programs you do and don't want to allow to use the internet, but after a few days it knows the most common programs and is just running nicely in the background.
    LVL 21

    Accepted Solution

    From my experience with anti-spyware programs, I can tell you that my standard toolkit for getting rid of garbage on a system consists of the following


    I have had systems with 7,600 traces of spyware removed by webroot alone then in addition another 500 found by Pest Patrol and yet another 300 by adaware and an additional 30 - 100 by spybot s&d

    I have had housecall, norton, and panda scan the same system and these are the number of infected files they have found...

    norton found 60
    housecall found 78
    Panda found 131 after housecall already removed 78 infected files.
    in order of use

    So to answer your question: yes, some programs work better than others, that is true; yes, there is better than Pest Patrol, but yet what is better??? Because if it finds more but misses one that Pest Patrol picks up, yet detected more than Pest Patrol, who is really better???

    see my point. Not one program alone is better some have strengths and weaknesses

    Pest Patrol is slow and a lot of overhead, also uninstalls dirty
    Webroot is fast but can lock up at times
    Adaware is a good general-purpose cleaner but has problems removing very bad ones
    Spybot has lock-up problems with certain spywares, or if the registry has virus code in it but the virus is not active, it will still have problems.


    1. Download HijackThis; you can get it at
    Do the scan and save logfile option... if you still cannot remove the pests posting a logfile here will help us to see what is going on

    2. Download and run DLL Compare; this will find DLL files that do not belong in your system.

    3. Go to and run an online scan for viruses; this also checks for spyware nasties. NOTE: DISABLE PEST PATROL BEFORE RUNNING THIS; IT WILL PICK UP PPMEMCHECK AS A TROJAN VIRUS RUNNING IN MEMORY

    4. Go to asp?  run active scan make sure you have it use heuristics

    5. Go to and download the 30-day trial of Spy Sweeper, update it and run it

    6. Run Pest Patrol  update it first and have it check all files ignore its warning

    7. Download update and run adaware use the custom scan option and select all files and search within archives option

    8. Download update and run spybot s&d from do a full system scan

    9. download and run VX2 Finder

    10. once all this is done rerun Hijack this and check to see if suspicious entries still remain...

    11. If you still have files that you cannot access, hit Ctrl+Alt+Delete and go to Processes; look for anything strange like X9U76Nm.exe or something like that. If you find something like that, end task it and then find it and delete it using Find Files or Folders

    12. Delete the IE5 content folder, delete all temp folders and files inside temp, also clear out the Temporary Internet Files.

    13. Go into Internet Explorer, go to Tools then Options, click Settings - View Objects - then look at the different ActiveX controls installed; anything that is not Microsoft, get rid of it. If you are unsure, right-click on it and check the properties.

    this method has about a 96% success rate on XP systems.

    After all this is done, if I.E. still is not acting right you may have to run the I.E. repair tool; however, if you have SP2 then you would have to unload SP2 (providing you selected to cabinet the old files so you can uninstall), then you would have to uninstall SP2, repair I.E. and reload SP2 and all the updates...

    If it is not worth it to you then you are better off formatting the machine, running all the updates and using AVG Anti-Virus (which is free), SpywareBlaster and ZoneAlarm free edition, available at   You will need to load ZoneAlarm first, then load the AV, and when ZA comes up with the warning that AVG wants access select "remember this setting" or something to that effect and hit ALLOW.

    hopefully this helps
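Step 11 of the procedure above (look through the process list for something like X9U76Nm.exe) is the part that is easiest to get wrong by eye. As an added example, not code from the thread, the following PowerShell report lists every running process with the image it was started from, whether that image carries a valid Authenticode signature, and whether it lives somewhere a normal program has no business starting from (Temp, the user profile, Downloaded Program Files). It is read-only and assumes Windows PowerShell 3.0+ run as Administrator; the output is a list of candidates to check against what you know is installed, since many XP-era programs are simply unsigned.

```powershell
# Added example, not code from the original thread: a scripted version of
# step 11 above. Read-only. Assumes Windows PowerShell 3.0+ run as
# Administrator so the image path of most processes is readable.

$reviewRoots = @(
    $env:TEMP,
    $env:USERPROFILE,
    (Join-Path -Path $env:windir -ChildPath 'Downloaded Program Files')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ProcessReview {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $imagePath = $_.Path
        $sig = Get-AuthenticodeSignature -FilePath $imagePath -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        # Flag images started from Temp, the profile, or Downloaded Program Files
        $oddLocation = $false
        foreach ($root in $reviewRoots) {
            if ($imagePath -like "$root\*") { $oddLocation = $true }
        }
        [PSCustomObject]@{
            ProcessId   = $_.Id
            Name        = $_.ProcessName
            Path        = $imagePath
            Company     = $_.Company
            Signature   = $status
            OddLocation = $oddLocation
        }
    }
}

$review = Get-ProcessReview
# Unsigned images and anything running from an odd location, odd ones first
$review | Where-Object { $_.OddLocation -or $_.Signature -ne 'Valid' } |
    Sort-Object -Property OddLocation -Descending |
    Format-Table -Property ProcessId, Name, Signature, OddLocation, Company, Path -AutoSize -Wrap

# Once you are sure an entry is the intruder, step 11's "end task" is:
#   Stop-Process -Id <ProcessId> -Force
# after which the file can be located and removed.
```

A process with no company name, no signature and an image under Local Settings\Temp ticks all three boxes the step describes; a signed Microsoft binary under System32 that merely has an odd-looking name usually does not.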
    LVL 4

    Assisted Solution

    Great post briancassin. You just wrote down what I'm trying to tell my environment, and also the main problem with a lot of computers. Most people think: I got an antivirus so I am safe (some have definitions from the Stone Age while saying that, even). The other thing they fail to see is that you at LEAST should have 2 AVs and even more anti-spyware programs. They don't have to be in resident mode at the same time, but just scanning every now and then will surely find a lot of little bugs.

    Still, I'd like to point out, a lot is on the user's shoulders. They gotta make the scans, and they should at least find a slow system suspicious. If the user doesn't know how a computer works (even the most primary security knowledge is enough), the system is a ticking bomb that will soon self-destruct
    LVL 32

    Expert Comment

    Here's another tip for anyone looking to delete files that are "in use" by unknown program:

     Get Dr. Delete from:

    and use it.
    LVL 2

    Author Comment


    I read the article you posted, and found out how to show the security tab, thanks. I didn't know this thing.


    Really, really thanks for your nice tutorial. That was what I was looking for! Next time I go to a disaster PC I'll try step by step all the techniques you posted there. I'll also install 2 antiviruses. Norton disappointed me lots of times, but the combination in this order: 1) Stinger (to remove the most famous viruses) 2) AVG (to remove other infamous viruses) 3) Panda (or another AV) to eventually remove what is still missing


    Now I see what you mean. There is no perfect antivirus, perfect anti-spyware, perfect anti-trojan. If a machine is really in a big mess, it's better to clean with several programs to be sure to remove everything malicious.

    But as briancassin told: instead of losing all my afternoon removing all the sh1t, I could easily reformat directly and achieve a better and cleaner result in the same amount of time.


    Locking a user and giving limited power... it would work well on a Mac, or on Linux. But Windows is made so badly that people can't really have a root user and a normal user. If you install some programs with the administrator account, these programs can work only with the administrator account. I'm talking about some games, for example... Anyway, your idea is quite good, but I'm not sure on Windoze it can really work smoothly.

    With this question I learnt these new things/techniques:

    - try to clean in safe mode
    - disabling system restore
    - running several programs (2-3 different AV, 2-3 different antispyware...)
    - security tab, to get rid of used .exe files that are in use
    - mindset to have + tutorial on how to make a systematic cleanup

    You guys helped me to learn new things. I really thank you!

    And I really like this forum, it's giving me really a lot of new knowledge.

    THANKS again.


    LVL 21

    Expert Comment

    There are other ways to delete files

    There is one problem with a lot of the delete-file-on-reboot programs: if you have disabled startup in msconfig it essentially disables them too, or if you run the PC in diagnostic mode in msconfig. A good example is Spybot S&D or Adaware will not load on reboot and do a scan before Windows loads...

    I have tried a utility called killbox but it seems very flawed...

    The best method I have found to get rid of viruses, if the PC has at least 128 - 256MB of RAM (which it should if running XP), is to use a PE boot disk such as Bart's PE boot disk.... Boot the computer from that and then seek and destroy all those nasty files that start when Windows starts, because Bart's PE is a virtual version of Windows XP running from your CD-ROM drive and RAM. I have deleted a lot of nasties that had me locked out by this method; you can also load utility programs into it and make it work just like a full-blown version of Windows XP.

    This bypasses all the nasties starting up and also ignores the permission settings on the file; in addition, if they have the hidden attribute turned on and you cannot reset it from a command prompt by typing attrib -h "filename.etc", they will appear when you use Bart's PE boot disk.

    A lot of new nasties are using two tricks in Windows XP.
    One is assigning remote permissions to a file: it will show two people and then have a number assignment such as
    S-15-5673-2928. They can be files that have been loaded to take remote access of the machine. In addition, they will assign them as a SYSTEM PROCESS, which means you cannot change the attribute, delete it or do anything with it no matter if you are in safe mode or not. The only way to see them and kill them is by using a PE BOOTDISK; more information is available here


    AND IT CAN EVEN ACCESS THE INTERNET IN THIS ENVIRONMENT, so if you have enough RAM you can do online virus scans...
    You are only limited by your RAM.

    Some other things I would like to point out

    Check Windows\System, Windows\System32, C:\ and C:\Windows for odd files, especially .exe files

    You also need to check for odd DLL files. I recently had an unknown version of a malware that created 15,000 bogus 0KB files in the C:\Windows\System directory; it had named files aaabod.dll aaabbod.dll aaacbod.dll etc....

    Your biggest weapon in finding spyware is to look at the dates of the infection; you will usually find a range.
    In other words, if you run a spyware scan but do not delete the files yet, go to the directories in Windows where they are located, right-click on them, select Properties and look at the date created. Write it down, and do this with several others until you think you have found your range; usually you will find it is a 3 - 4 month range. For example, the infection on the PC that had 15,000 bogus files started in Nov around the 14th and went until March 23rd, because by that time the system was unusable. So we have a 4 month window roughly; so if I go to Start, Find Files or Folders, go to the advanced search option and tell it to search by date created, say 3/22 to start with, and work back, you can usually then know you have gone far enough back.

    Check the properties to see who the company is that made the DLL; if there is no name, be suspicious; check it with

    If it is not found in Google, there is no name for the company who made it, it is around the same time as other files that are known as spyware or infected and possibly has an odd name, then chances are it is an invalid file, possibly zombie files.


    Hopefully this helps

    Your brother In ARMS

    Even though all this junk acts like roaches and tries to survive like one these bugs aren't immune to
    C:>FORMAT C: /U

    at least not yet anyways
    give it a few months, there will be MBR-based spyware / malware next
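The "date range" hunt described above (find the creation-time window of the infection, then list everything created in it, and be suspicious of files with no company name or a 0KB size) is mechanical enough to script. The following is an added example, not code from the thread: given a start and end date it lists every .exe and .dll directly under the directories the post names whose creation time falls in the window, with size, the CompanyName from the version resource and the Authenticode status. It is read-only and assumes Windows PowerShell 3.0+; the dates in the usage line are the thread's own example window (Nov 14 to March 23) with the year taken from the post date as an assumption.

```powershell
# Added example, not code from the original thread: the "infection date
# range" hunt from the post, scripted. Read-only. Assumes Windows
# PowerShell 3.0+. Usage dates are the thread's example window; the year is
# an assumption based on the post date.

function Find-FilesCreatedInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,          # the whole End day is included
        [string[]]$Roots = @(
            (Join-Path -Path $env:windir -ChildPath 'System32'),
            (Join-Path -Path $env:windir -ChildPath 'System'),
            $env:windir,
            "$env:SystemDrive\"
        ),
        [string[]]$Extensions = @('.exe', '.dll')
    )
    $endExclusive = $End.Date.AddDays(1)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.CreationTime -ge $Start -and $_.CreationTime -lt $endExclusive -and
                $Extensions -contains $_.Extension.ToLower()
            } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                [PSCustomObject]@{
                    Created   = $_.CreationTime
                    SizeBytes = $_.Length
                    Company   = $_.VersionInfo.CompanyName   # blank for the "no name" case
                    Signature = $status
                    Path      = $_.FullName
                }
            }
    }
}

# Usage, with the thread's example window (year assumed from the post date)
$hits = Find-FilesCreatedInWindow -Start '2004-11-14' -End '2005-03-23'
$hits | Sort-Object -Property Created |
    Format-Table -Property Created, SizeBytes, Company, Signature, Path -AutoSize -Wrap

# The two signs the post describes: no company name, or 0 KB placeholder files
$hits | Where-Object { -not $_.Company -or $_.SizeBytes -eq 0 } |
    Group-Object -Property Company | Select-Object -Property Count, Name
```

Reading the sorted table top to bottom is the same as working backwards from 3/22 in Find Files: the point where legitimate, signed, company-named files take over again is where the window closes. The last line collapses the 15,000-bogus-DLL case into a single row, since all of them share a blank Company and zero size.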
    LVL 21

    Expert Comment


    Yeah, like a new computer that comes with Norton Anti-Virus for 90 days and the end user never purchases a subscription but thinks they are still protected 2 years later.

    Or like the cable companies and DSL companies that are now providing free of charge anti spyware, anti virus, and firewall....

    If you read the fine print they can cancel it at any time, and EZ TRUST EZ ARMOR is ZONE ALARM repackaged and watered down. You would be better off getting a free version of ZA; at least it is a current version. The freebie they were giving out was version 4.5 of ZA while ZA was actually at version 5.5. That is over 2 versions old...

    and the EZ Trust Anti virus is a joke
    The only thing Computer Associates has that is decent is Pest Patrol, but even that has problems, like not uninstalling clean, and several months ago after an update it would lock up or crash while initializing; then they released an update again and suddenly that problem stopped.

    I feel sorry for a lot of end users; they are being misled and taken advantage of... so many people have gotten on broadband cable connections and they are getting port scanned and broken into on a regular basis...

    If you are going to be on broadband you have to have
    a router with firewall, preferably ingress filtering, in addition
    ZoneAlarm firewall or something equal in performance and price
    a good anti virus, and not McAfee or EZ Trust; they miss a lot, I have tested them...
    some people will argue with this so I will point out now

    I am talking about the home versions, not corporate editions. Corporate editions are specifically tailored to your corporate network environment. Of course the corporate version works; your company is paying $10,000.00 or more per year for it.

    Norton is up and down like a yo-yo; they will work good for 3 - 6 months and then suddenly miss a bunch of bad trojans... they do not have a good track record with trojans, speaking from self experience. The other problem is, try to get Norton System Security Suite to work with Zone Alarm; you have to turn off just about every option to get it to work.

    In addition to that, try to uninstall Norton sometime and install someone else's AV or firewall product... I can bet that your system crawls, crashes, freezes, locks up or that the new anti virus does not work properly... Try taking a look sometime on Symantec's site at how to manually remove Norton AV and see all the registry keys they leave behind.

    And finally try to get ahold of their tech support you gotta pay!!!!
    You can CALL TREND MICRO FOR FREE for tech support. I use Housecall to check against Norton. In the past year Norton has missed 17 different viruses that Trend Micro Housecall picked up on.

    Granted no one can be 100% but some are better than others.

    LVL 21

    Expert Comment


    let me correct one thing

    you do not want to install 2 anti virus programs

    you want one resident on the machine and run the other two web based such as the free version of housecall and panda anti virus and running NAI stinger....

    Don't try to install AVG and Norton together; the system will crash, if it even does allow you to install both.

    You should only have one anti virus actually installed on the machine; running the web-based ones will not cause problems, but if you were to actually install them to the hard drive you would have problems

    Personally I would dump Norton for AVG; it's free and it works better than Norton. I have on my wireless computer AVG free edition and Zone Alarm free edition with SpywareBlaster active. I have had no problems at all, no viruses, no malware, no spyware. If any does get on there AVG takes care of it; the pay-for version has better features though. Besides, I'd rather support a company whose anti virus works versus one that has become a big old company... Like they say, old companies die slowly... Norton and McAfee are not going to be the big players in the home AV market much longer unless they can provide more reliability and scalability. People are sick of paying $50.00 per year for something that does not work. I should know; my customers complain about Norton and McAfee to me all the time.
    LVL 2

    Author Comment


    also if I can't give you more points for your additions, you can get my gratitude! Really, brother in arms ;) THANKS for sharing your knowledge.

    Thanks for the correction: I didn't see that the link of Panda was pointing to an online version.

    I didn't know there are online antiviruses. Well, with Firefox it told me "browser not supported" so I guess they use ActiveX, like Windows Update...
    Anyway, better to run Internet Explorer one time to make an online scan than installing 2 AVs that will crash the system.

    I agree that Norton has become really unreliable. The last good version of Norton AntiVirus that I remember is Norton AntiVirus v4.0. From 5.0 and up, it's the slowest antivirus that I've seen, and untrustworthy: I saw many users get some infected files that NAV could not repair, nor quarantine, nor delete... so I'm telling all my friends to get a free AV instead of paying for such a crappy commercial AV that doesn't work when you need it.

    >Try taking a look sometime on Symantec's site at how to manually remove Norton AV and see all the registry keys they leave behind.

    Here I should give you feedback from my personal experience ;) I was recently at a friend's who had NAV installed (and expired, of course). I simply uninstalled it, rebooted, installed AVGFree. The computer doesn't look unstable, freezing or so... maybe I should ask her if sometimes it freezes, but she didn't tell me anything.
    I don't mind about registry keys left behind... lots of games or programs leave lots of registry keys behind. So it's a generic problem.

    Anyway, there are for sure registry cleaners too. Do you know a good one? Or, some good ones? ;)

    Thanks again, bro ;)
    LVL 2

    Author Comment

    About PE Boot Disk...

    I know ERD Commander. It's a boot CD with a minimal live XP that I use to enter a Windows XP installation where I forgot the admin password ;)

    I will give PE a try.
