Finding and removing spy/adware on your computer

A “spyware” is a software that sends back computer usage data to its creators; some companies do this to sell user click-throughs and/or online surfing habits to ad agencies and such. In worst case scenario, it provides a backdoor for hackers to keep a tab on your key strokes and mouse clicks.

Some softwares don’t necessarily send usage data back to its creator, however, they do “serve” you ads that you don’t ask for. Those are called “ad-wares”. They are just as equally annoying.

Another type of softwares are like parasites. They are fully self sufficient programs that are installed during the process of installing the main program. Those you can detect and remove easily.

In this thread, I’d like to share some tips and tricks on how to:

  1. avoid spy/adware installing themselves on to your computer
  2. methods to detect these spy/adwares
  3. methods to remove these spy/adwares

The following methods apply to Windows 2000/XP. Since I haven’t dealt much with Windows 98/ME, these tips may not apply.

[color=darkred]How to avoid having spy/adware installing itself on your computer[/color]
[color=blue]1. Read Before Click[/color]
When installing software, free or commercial, do read the installation procedures carefully. Do not click “Next” without knowing what is being done to your computer.
[color=blue]2. Be An Advanced User[/color]
“Nice” programs usually tell you what is being installed and provide checkboxes for the user to NOT install a feature, or in some cases, a spy/adware. Always choose the “Advanced” option if given one. Additional checkboxes are almost always hidden in the advanced mode. A good example is Netscape Navigator; it installs WinAmp (popular mp3 player), AOL Instant Messenger and a few other programs on your computer. But Netscape does allow you to uncheck them.

[color=darkred]How to detect spy/adware[/color]
[color=blue]1. Windows Task Manager[/color]
There are two ways to bring up the Task Manager window: 1.) right click on the tool bar at the bottom of the screen, in the menu option, select “Task Manager”. 2.) Hit “Ctrl + Alt” and then “Delete” keys at the same time; you should see a pop up window with six buttons – “Lock comptuer”, “Logout”, “Shutdown”, “Change Password”, “Task Manager” and “Cancel”. Select “Task Manager”.
In the Task Manager, there are 4 tabs, each tells you important information.
[ul]“Applications” – what software is being run currently. Usually spy/adwares don’t reveal themselves here.
“Processes” – what are being run behind the scene to keep your computer running (kind of like what your brain does in regulating body temperature, breathing… etc). This is where spy/adwares show up. More on this later.
“Performance” – tells you how hard your CPU is working and how much total memory is being occupied over time.
“Networking” – shows network activities of your network setup.[/ul]

[color=blue]2. Processes[/color]
At any given time, there are probably at least 15-25 processes taking place on your computer, even if you are not even running an application. So what are all the processes?! This tab provides a lot of information: what processes are being run, how much CPU time are they each taking and how much memory is required to run each.
[ul]System processes
csrss.exe, explorer.exe, lsass.exe, rundll32.exe, services.exe, smss.exe, spoolsv.exe, svchost.exe (sometimes a few of this), System, System Idle Process, taskmgr.exe, winlogon.exe
Common program processes
acrobat.exe (if running Adobe Acrobat), aim.exe (if running AOL IM), ccapp.exe (if running Norton Antivirus), cutftp.exe (if running CuteFTP), dreamweaver.exe, frontpage.exe, icq.exe, iexplore.exe (internet explorer, different from "explorer.exe), realschedu.exe (if Real player is installed), netscape.exe… etc. The list can go on forever.[/ul]
Did you spot a pattern? Most commercial applications name their processes according to the package name. How nice. If you find something abnormal (say a program name you are not aware of but is taking up CPU/memory), you need to double check what it is, and what it is doing. More on this later.
[color=blue]3. Communication Activities[/color]
Now that you know WHERE and HOW to monitor various activities and processes taking place on your computer, let’s see how to spot “Spyware”.
[ul]Bring up a DOS window. (Bottom left and side of the screen; “Start” --> “Run…” --> in the new window, type “cmd”, hit enter.)
In the DOS window, type “netstat” and hit enter.
There, you will see a list of network activities, complete with IP numbers followed by alphabetical characters (or just strings of characters separated by dots).[/ul]
If you notice any “suspicious” connections to/from your computer, go back to the Task Manager under the “Processes” tab, and see if there’s a process you didn’t initiate and is not part of the system processes. To find out more about a specific process, type the process name (e.g. nvsvc32.exe) in Google to search. If there are multiple “svchost.exe” processes, go back to the DOS window, and type “tasklist /svc” and see what are some of the programs or services currently using the process (e.g. Dhcp, EventSystem, lanmanserver… ). Some spy/adwares name their processes quite obviously. Keep an eye out.

[color=darkred]How to remove spy/adware[/color]
[color=blue]1. Add/Remove Programs[/color]
Open Add/Remove Programs (“Start” --> “Control Panel”, in the new window, 2x click on “Add/Remove Programs”). This is the best way to remove software installed from you system. Look over the list of programs and make sure you know what and why something is installed. Not all spy/adwares leave a trail here. But this is a good place to start.
[color=blue]2. Third Party Software[/color]
There are a number of spy/adware detection and removers that can help you detect other spy/adwares that don’t show themselves in the Task Manager or leave a trail in the Add/Remove Programs. They can also help you detect future spy/adwares. Here’s a couple:
Ad-Aware (free for personal use)
SpyBot (free)

Hope this helps.

Any feedbacks, comments welcomed. Please do post your own tips as well.

Included in Knowledge Base

thanks scchu for an informative post! already managed to extract remnants of “hotbar” that I had previously uninstalled but seemingly resurrected itself. still digging around in there.

does anyone know any good “whois” resources? indeed there seem to be a few weird net connections, would like to try to track down some of the addy’s.

Yes, a very informative post. Thanks!

“Smart” spyware that disables your spyware-monitor software!! Here’s a few paragraphs from

[quote]Some of the more infamous spyware applications like Xupiter, NetPal and Lop, have been circulating for a while. Recently, some nasty new programs have joined the arsenal.

The most worrisome of the recent releases is ClientMan, an application that appears to be able to change settings on older versions of the popular free ZoneAlarm firewall program without user consent.

When ClientMan tries to connect to the Internet, ZoneAlarm flashes a warning and asks the user to confirm whether the program should be allowed to connect or not.

Instead of waiting for user approval, ClientMan clicks the Yes button and checks the Always checkbox. Now ClientMan has permission to access the network whenever it chooses.

It appears ClientMan doesn’t do much more than fiddle with the firewall, but it may soon be used to report browsing habits. Spyware programs are updated frequently and given evil new abilities by their authors.[/quote]
The full article is here:, … 23,00.html

Thank you for posting this scchu, very imformative.

I usually haev at least 46 processes running and I would like to know what the following processes are for Win 2000 if anyone knows.

Some of these may be programs that I have, but the name of the process does not look familiar.


I found this site useful when looking to see which services and background applications I could safely remove. … sklist.htm

Wow, Soddom, thanks. I’ve been looking for something like this for ages.

:smiley: :smiley: :smiley:


[color=blue]smc.exe = This is an odd one. It appears to be some kind of scientific calculation program. And it is a standalone program. Unless someone or a service executed it, it shouldn’t be running.

svchost.exe = Service Host Process; this is started if an application or service is being run from the infamous Microsoft DLL file types. At any given time, you see at least 1-5 depending on what is installed on your computer.

WROS.exe = If the spelling on this is right, this looks like its a service being run by the modem software installed on your computer.

spoolsv.exe = Printer Spooler Service; this is a service always watching out for printing jobs and sends it to the default printer it finds.

msdtc.exe = Microsoft Distributed Transaction Coordinator; do you have MS personal web server or MS SQL Server installed? If you do, this sevice is required by either/both of them to handle tasks accross multiple servers. Unless you are running a server, you don’t need this turned on.

FYI, 46 processes for a home computer are way high. On the other hand, if this is a server (either for home or office use), it’s an entirely different situation. For home computer, I’d say anywhere from 28-38 is healthy.

Interesting thread!

Well, I like to use Realplayer, but it does load a lot of junk.

Any ideas how I can listen to Realmedia streams WITHOUT using Realplayer…?

Will WinAMP work?


Real Audio/Media, like Quicktime, is a fairly closed media type. However, there’s one player you can try: … g=lst-0-10

I haven’t tried it… but it claims to be able to play RealAudio.


But you have to have Realplayer first! So it’s not really a Realplayer-free piece of software!


One package to avoid that is jam packed with spyware is Hotbar for Outlook or Outlook Express. You often see it appended to the bottom of an e-mail with “Upgrade Outlook: add color to your e-mails” It is indeed a great way of sprucing up e-mails but after installing it and running Ad-Aware, I found it had installed over 50 spywares. Even after uninstalling it, it’s still not fully gone.

Yes, I had the same experience with hotbar…

Be careful, if its free! There are usually strings somewhere!


I use Spybot Search and Destroy. People say it’s more up-to-date than Adaware. It’s certainly easy to use.