Steps to take if the basic instructions didn't resolve your problems. You should already have system restore disabled and have run your choice of spyware removal programs, virus removal programs, etc.
This assumes you are running Windows XP. If you are running Windows 95, 98 or Millennium, or XP or 2000 on a FAT file system (unlikely), I would also recommend running the DOS version of F-prot from a safe mode command prompt before anything else. It can save a lot of time & grief. Then proceed through the rest of the steps below.
Before anything, set your computer to view all files, including hidden & system files, and protected operating system files and unhide extensions for known file types. For a more detailed explanation on how to do this, read the part here about setting your computer to view all files.
Boot into safe mode command prompt. (Hit F8 BEFORE Windows boots, then use your up/down arrow keys to choose safe mode command prompt.)
Log on (as the user that can see all the files, as described above).
When Windows boots, type exit at the command prompt.
Hit Ctrl-Alt-Del. In task manager, go to new task, browse. Set files of type to "all files".
Go to the Windows directory, change your view to detail, and sort the columns by date, clicking the column until the newest files are at the top.
Look at the list of files. Starting at the top, hover your cursor over each file. Remember, you should only worry about the files with recent dates. There are a lot of files in this directory you actually NEED. You should get a popup description of the file, who its author is, etc. If not, right click on each file, hit properties, click version. Delete anything with strange names, or obvious spyware (read some of the file version descriptions, you'll see what I mean). There may only be a few, or there could be dozens of them. The best way to delete them is by holding your shift key down while clicking delete. This deletes them directly, without sending them to the recycle bin. DO NOT DELETE THE WPA.DBL or WPA.BAK files! These are the Windows product activation files. Remember to check the product description on each one before deleting it, and only worry about the recent files, usually within the last several weeks by date.
Go back to the task manager. If you've closed it, just hit control, alt & delete at the same time. Go to file / new task, type in regedit. Hit enter. In the left column, hit the plus sign on HKEY_CURRENT_USER. Under that, hit the plus sign next to Software. Under that, hit the plus sign next to Microsoft. Under that, hit the plus sign next to Windows. Under that, hit the plus sign next to Currentversion. Under that, scroll down to run. Highlight run. In the right column, you will see a list of programs that start with Windows. Right click & delete obvious virus or spyware references. Be careful! You may be removing something your computer actually NEEDS to have running. Only remove the obvious stuff! Under run, highlight the next run whatever. Do the same. Repeat through all the run_whatevers.
Now, go to HKEY_LOCAL_MACHINE and do the same under software / microsoft / windows / currentversion / run and all the run_whatevers.
While still in the registry editor, go to hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects. Hit the plus sign under it. Highlight each key under it. Delete any key under it with no description, and anything else suspicious. Personally, I delete all browser helper objects I find, but you may actually want something in there. You can highlight each one on the left, and look in the right to get an idea of what it is installed by, and where.
Hit control-alt-delete again. Go to file / new task, run. Browse for your favorite spyware removal program. Run it (while still in safe mode command prompt). It will help clean up the remnants of your manual removal.
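To review every Run key and browser helper object in one list before deleting anything, you can export the keys from regedit to a .reg file and parse it. The script below is an added example, not part of the original instructions; it assumes such an export exists, and the function names and the sample export are made up for illustration.

```python
import re

# Autostart keys from the steps above: Run, RunOnce, RunServices, ... in both hives.
RUN_KEY = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run[^\\]*$", re.IGNORECASE)
BHO_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$", re.IGNORECASE)
# Plain string values only ("name"="data"); hex-encoded values are skipped.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg files write \\ for a backslash and \" for a double quote.
    return re.sub(r"\\(.)", r"\1", text)

def autostart_entries(reg_text):
    """Return (kind, key, name, data) for each Run* value and each BHO subkey."""
    entries, run_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            run_key = key if RUN_KEY.match(key) else None
            bho = BHO_KEY.match(key)
            if bho:
                entries.append(("bho", key, bho.group(1), ""))
        elif run_key:
            value = VALUE.match(line)
            if value:
                entries.append(("run", run_key, unescape(value.group(1)),
                                unescape(value.group(2))))
    return entries

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\WINDOWS\\example-unknown.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
'''

if __name__ == "__main__":
    for kind, key, name, data in autostart_entries(SAMPLE):
        print(f"{kind:4} {key}\n     {name} -> {data}")
```

A "Version 5.00" export from regedit is UTF-16 text, so read a real file with open(path, encoding="utf-16") before passing its contents to autostart_entries. The exported file also doubles as a backup of the keys as they were before you deleted anything.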
This is still very incomplete. Updating as I have time. Thanks for your patience!
Note to self: still need to put parts in about hklu\softwarems\..\IE , hklm\software\ms\windows\currentversion\internet settings, etc. Also put a section in about hosts files.