Cleaning your PC

In many cases, simply running virus and spyware/adware scanners will result in the scanners automatically cleaning the unwanted program off your PC for you. This guide is aimed at providing an effective "full service" method of eliminating spyware, adware, viruses and other potentially unwanted software. If you’re unsure of any of the steps in here, please feel free to create a thread about it in this forum. Thanks.

1) Download your weapons of choice

The obvious first step. If you have virus/spyware/adware scanners already, you may need to update them with the latest definitions. If you don’t have these scanners, go through our Links section and pick a few out. The common choice for spyware and adware detection/removal would be Spybot Search and Destroy and AdAware. We’ve listed a few options in our Software Links. The more antispyware and antivirus programs you run, the better chance you have of finding everything.

You may find it advantageous to boot to Safe Mode with Networking before updating definitions for your choice of adware/spyware tools. The reasoning behind this is the same as the next section's emphasis on only essential services running during the update process. Some malware is capable of monitoring updates to the tools that could remove it and will take steps to negate the work you are doing. Although not as secure as Safe Mode, Safe Mode with Networking is better than normal mode for this type of work. After updating, you can either stay in this mode (physically disconnect from the network and skip to step 3) or boot into Safe Mode as described in step 2.

2) Boot into Safe Mode

The purpose of Safe Mode is to boot Windows with minimal overhead, meaning only essential system files and drivers. This practise helps stop many unwanted programs from starting when Windows starts (when they start as well, they must be stopped before you can delete them). Some unwanted software may still manage to start even in Safe Mode.
When you power up your PC, you need to hit F8 just at the end of the initial hardware displays (P.O.S.T.) and before the first Windows loading screen appears. You should see a few options listed, including 'Safe Mode'.

3) View all files and folders

Many viruses and unwanted software will hide in Windows system folders or will be hidden. To delete them, you need to be able to see them. Open Windows Explorer and go to Tools > Folder Options > View (tab) and select 'Show hidden files and folders' and uncheck 'Hide extensions for known file types', 'Hide protected operating system files' and 'Use simple file sharing'. Click 'Apply' then 'OK'.

4) Delete Temporary Files, Cookies and Browser Cache

Doing this serves two purposes. One, it can speed up the process of the scan and two, it can remove some unwanted software before the scans start (tracking cookies for example). If you’ve just installed or uninstalled some software, you should restart your PC before doing this.
In Windows 2K/XP, the folders you should empty are:

C:\Documents and Settings\{username}\Local Settings\Temp
C:\Documents and Settings\{username}\Local Settings\Temporary Internet Files
C:\Documents and Settings\{username}\Cookies

You should do this for each user name - and also for all System accounts (Local Service, Network Service, etc.)

In addition, on Windows 2000 and XP, the system has its own profile where the Cookies, Temp and Temporary Internet Files folders are located in:

%systemroot%\system32\config\systemprofile\cookies
%systemroot%\system32\config\systemprofile\Local Settings\Temp
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files

These should also be emptied. %systemroot% is most often named Windows, but may not be - it is the directory in which Windows is installed.

Additionally, C:\Downloaded Program Files should be emptied as virus installation programs may hide in there. Many of these locations can be conveniently cleared out using the Disk Cleanup feature.
In Windows 9X/ME, the folders to empty are:

C:\Windows\Temp
C:\Windows\Cookies
C:\Windows\Temporary Internet Files

5) HijackThis (Preliminary Report)

HijackThis (HJT) can catch many undesired startup items that may be the cause of your frustrations or may still start in Safe Mode. Do a scan and create a log file. Save the logfile somewhere then analyse it through this website: www.hijackthis.de (you can also download HJT from here).

Scroll down to see the analysis results. If you're unsure about any of the results it returns, err on the side of caution and leave it alone while you go and search for information on it on Google or here in this forum.

Logfiles from HJT can usually be split into three distinct sections:

• Processes currently running
• Internet Explorer add-ons
• Software initiated through the registry
NOTE: These are merely the most common things that HJT detects. If your problem is one that is not listed here, please continue through this guide.

If the site returns any “Nasty” results, take note as to whether they have any related files on your hard drive and take note of their exact names and locations. Find and tick those “nasty” entries in HJT, then click ‘FIX’ to remove their startup functions. If you have “Unknown” entries, be wary of removing them. They may in fact be safe or even important entries (like DNS Server Addresses for your Internet connection).

Malicious Processes (eg. EXE files) usually need to be stopped before removing them. You can do this in Task Manager. Press CTRL+ALT+DEL and click the 'Task Manager' button. Open the 'Processes' tab then right-click the "nasty" processes and select 'End process tree'. Once you have done that you can refer to your “nasty” files list and delete those files.

IMPORTANT: RUNDLL32.EXE is an important Windows system file which is also sometimes used to load various viruses, etc. DO NOT DELETE IT!

Once you’re done doing that, restart your PC (be sure to return to Safe Mode) to let changes take effect. If you’re unsure about whether entries in HJT are safe or not, try Googling the files or post your HJT log in a new thread in this forum.

6) Disable System Restore Service

The System Restore Service provides a mechanism to restore your Windows installation to older registry settings and system files. It stores these "backups" under '[Drive]:\System Volume Information' and restricts users of the PC from accessing that folder. Consequently, lots of viruses and the like choose to hide in System Restore’s backup folders. Disabling System Restore while you do your scans allows some programs to scan these folders when they otherwise would be denied access.

You can disable the System Restore Service by going to Start Menu > Run and typing services.msc. In the right-hand pane, scroll down and double-click 'System Restore Service'.
Set the 'Start-up Type' to 'Disabled', then click 'Apply' then 'OK' to set the change. This step is particularly important because, not only can malware and viruses hide in these folders, inadvertently restoring your system to an earlier point after cleaning your system can result in the reversal of all your work.

7) Scan PC with your weapons of choice

Now you’re ready to run some antivirus and antispyware software. Allow them to clean anything that they deem to be malicious. If one of your weapons finds and cleans anything, you should reboot your PC (don’t forget to get back into Safe Mode!) before running the next program. This makes the changes stick and ensures the next program doesn't try to fix the same problem.

Sometimes programs can't remove (or don't completely remove) nasty software. It can pay to write down the names of unwanted files that were found, so you can do searches on Google for them or use parts of their names in searches on your drives for associated files. Often a Google search for bits of information can turn up full detailed instructions or specialised patches for fixing that particular problem.
Repeat the scanning stage until you are confident that your PC is clean.

If you're still having trouble with particular files, write down as much detail as you can about them then make a thread about it. Useful information includes: file names, file properties info, file locations, any associated files as well as virus names and strains (a,b,c, etc.) and any websites they may be linking to.

8) Boot To Normal Mode

Once back in Normal Mode, see if the machine is acting the way it should. If not, you may want to repeat step 7 (in Safe Mode).

9) Turn On System Restore

In the same manner that a contaminated System Restore store can work against you, conversely, a clean and well maintained System Restore store can help facilitate the repair of a variety of system errors. When you're sure that your PC is clean, you can follow the instructions above to set System Restore Service’s 'Start-up Type' to Automatic and reboot.

10) Windows Updates

Use Windows Update to update your machine and, at this point, your machine should be running the way it was when you first built/bought it!
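
For step 5, an added example (not part of the original guide, and not HijackThis's or hijackthis.de's own code): a Python script that splits a saved HJT log into the three sections named there and lists the DLLs that startup entries load through rundll32.exe, so the DLL is what gets researched while RUNDLL32.EXE itself is left alone. The sample log is constructed, and the grouping of entry codes (O2/O3/O8/O9/O16 as Internet Explorer add-ons, O4 as registry startup, everything else for manual review) is this example's assumption.

```python
import re

# Constructed sample in the HijackThis log layout (not taken from the guide).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\example-helper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [ExampleLoader] rundll32.exe "C:\WINDOWS\system32\example.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Assumed grouping of HJT entry codes into the guide's sections (this example's choice).
IE_ADDON_CODES = {"O2", "O3", "O8", "O9", "O16"}  # BHOs, toolbars, menu items, buttons, ActiveX
STARTUP_CODES = {"O4"}                             # Run keys and Startup group
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)

def split_hjt_log(text):
    """Return processes, ie_addons, registry_startup and other (review by hand)."""
    sections = {"processes": [], "ie_addons": [], "registry_startup": [], "other": []}
    in_processes = False
    for line in (raw.strip() for raw in text.splitlines()):
        entry = ENTRY.match(line)
        if line == "Running processes:":
            in_processes = True
        elif entry:
            in_processes = False  # the process list ends at the first coded entry
            code, detail = entry.groups()
            key = ("ie_addons" if code in IE_ADDON_CODES
                   else "registry_startup" if code in STARTUP_CODES else "other")
            sections[key].append((code, detail))
        elif in_processes and line:
            sections["processes"].append(line)
    return sections

def dlls_loaded_via_rundll32(sections):
    """DLLs that startup entries hand to rundll32.exe: research these, keep rundll32.exe."""
    hits = (RUNDLL.search(detail) for _, detail in sections["registry_startup"])
    return [m.group(1) for m in hits if m]

if __name__ == "__main__":
    parsed = split_hjt_log(SAMPLE_LOG)
    print({k: len(v) for k, v in parsed.items()}, dlls_loaded_via_rundll32(parsed))
```

Entries that land in "other" (such as the O17 DNS server line in the sample) are the kind the guide says to be wary of removing.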