Spyware and Virus Cleaning Tutorial. Any ideas what to add?
If you think of some software/step that is needed for this tutorial that I'm working on, please post it. Thank you. The tutorial is in *very rough draft*. Be ready for bad grammar. Please note the details on how to use the software and the reason for it have been removed for a simple draft version.
How to remove Spyware and Virus:
XP Only
Because spyware and viruses embed themselves into Windows system components such as networking, removing them could cause the Internet connection or the computer to stop working!!! By following these steps for removing spyware/viruses it is possible, if not likely, that the spyware/virus removal could break your computer. Happy Hunting!
Before cleaning your computer you should back up your data. Also, download (doing this on a clean computer is very helpful) the following programs: [URL=http://www.snapfiles.com/get/winsockxpfix.html]WinSock XP Fix[/URL], [URL=http://www.belarc.com/free_download.html]Belarc Advisor[/URL], [URL=http://www.lavasoft.de/software/adaware]Ad-Aware Personal[/URL], [URL=http://www.safer-networking.org/en/download/index.html]Spybot – Search & Destroy[/URL], [URL=http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en]Windows Defender (Beta 2)[/URL].
*Note* Unless I say differently, all the steps should be done in Safe Mode, entered by hitting F8 during the computer reboot.
Back up all data you want to save!!
[b]Install and Run Belarc Advisor[/b]
The software creates a local dynamic web page that has information about hardware, CD-Keys for Microsoft software and so on. If you are having problems displaying the web page, or if Internet Explorer (IE) is broken for some reason, install Firefox from Firefox.com.
Find the software keys Belarc Advisor doesn't pick up!
For some programs you can get the CD-Key by going to Help => About. It is very important to get the CD-Key in case the OS/etc. dies during spyware/virus removal. After getting the software CD-Keys, check to see if you have all the software CDs needed to reinstall the OS and other software.
[b]Del Temp, Temp Internet Files, and Cookies[/b]
Why?
Viruses/spyware are downloaded and installed from websites using drive-by installs.
(Must remove all files)
C:\Documents and Settings\(each user on the PC)\Local Settings\Temp
C:\Documents and Settings\(each user on the PC)\Local Settings\Temporary Internet Files
C:\Documents and Settings\(each user on the PC)\Cookies (*Note* Removing cookies will cause your browser to lose all saved usernames/passwords.)
C:\WINDOWS\Downloaded Program Files (checking on)
C:\WINDOWS\Temp (checking on)
C:\WINDOWS\Offline Web Pages (may be pointless to have this one)
[b]Remove files/Program Icons from the Startup Menu[/b]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\\Start Menu\Programs\Startup
Disable System Restore
Why?
This will cause any existing system restore points to be lost; however, spyware/viruses love hanging around in System Restore.
To open System Properties, click Start, click Control Panel, and then double-click System. In the System Properties dialog box, click the System Restore tab and select the Turn off System Restore check box. Click Yes when you receive the prompt to turn off System Restore.
Remove Programs using Add/Remove Programs
Why?
Some software that comes bundled with ad-ware will remove the ad-ware once you remove the software.
Write down the location where the programs you removed were installed.
To open Add or Remove Programs, click Start, click Control Panel, and then double-click Add or Remove Programs. Also, try going to the program's Uninstall entry in Start, All Programs, and then in the program's folder. If you don't know whether a program is good or bad, try googling the name of the program. Some spyware/virus programs only do a half or fake removal.
After using Add or Remove Programs, go to the program's folder and remove any folder/file that remains.
Run msconfig
Why?
Stop the software from starting up on reboot and a possible reinfection.
Start -> run -> type msconfig
Do not reboot unless I say!
Click the Startup tab; uncheck all startup items you wish to stop. If you don't know whether a startup item is good or bad, try google.com. For example, Vptray is for Norton, but could sometimes be a virus.
Click the Services tab and check Hide All Microsoft Services. Click Disable All. This will disable all non-Microsoft services, as some viruses/spyware could set themselves up as a service.
Click OK. When the small box comes up, click Exit Without Restart.
HijackThis
If you don't know what this does, it is best if you skip this step. HijackThis is a very powerful registry editor and has various other file editors. HijackThis could damage the OS, so best leave it alone unless you know how to use it.
Reboot back into Safe Mode with Networking
(In Safe Mode there is a minimum of Windows software running; the reason for the above steps is to lessen the BS later on.)
Ad-Aware Personal
Install Ad-Aware Personal (www.lavasoftusa.com), update it, and then run it.
Ad-Aware Personal can only remove spyware it knows about!! Update it!! To update Ad-Aware Personal, use the software updater or get the Ad-Aware SE Personal Definition File from http://www.download.com.
Spybot – Search & Destroy
Install Spybot – Search & Destroy (www.safer-networking.org/en/download/), update it, and then run it (best if run in Safe Mode).
To update Spybot – Search & Destroy, use the software updater or get the Spybot – Search & Destroy Definition File from download.com.
Windows Defender (Beta 2)
Download Windows Defender (Beta 2). Install in Safe Mode if you can. If you can't install Windows Defender, reboot the computer in normal mode (unplug the network cable) and install Windows Defender. After installing, reboot back into Safe Mode with Networking. Update Windows Defender by using the ? (Help icon) -> Check for updates. Read the Windows Defender (Beta 2) tutorial from microsoft.com if need be.
Check the hosts table (the "hosts" file)
Why?
Some spyware/viruses write to the hosts table to force the browser/Internet connection to go to an incorrect website/IP. The computer checks the hosts table first to find the IP address of a website; if it is not there, it then goes to DNS to get the IP address of the website. An example of the problem is when you try to visit norton.com, but the hosts table has the IP address of a hacker website. The browser will go to the hacker website and could infect your computer again. Or they could stop you from updating your antivirus and antispyware.
(In case the anti-spyware didn't clean most of it out)
C:\WINDOWS\system32\drivers\etc
Open the file named "hosts" with WordPad.
Enter the following at the bottom; the whole file should look like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
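As an added example (not code from the original post), the following Python script does the hosts-table check described above automatically: it parses a hosts file, skips the comment lines, and flags any entry that sends a name away from loopback or overrides a security-vendor name (even to 127.0.0.1, which silently blocks updates). The sample file contents and the vendor list are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file (not from the original post); the last three
# entries imitate the hijacks the tutorial warns about (redirect or blackhole).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       myprinter.local          # constructed: harmless local alias
198.51.100.9    www.example.com          # constructed: sent to a foreign IP
203.0.113.5     norton.com               # constructed: vendor site redirected
127.0.0.1       update.example-av.test   # constructed: vendor updates blackholed
"""

# Hypothetical vendor names to protect; the second is a constructed placeholder.
PROTECTED_SUFFIXES = ["norton.com", "example-av.test"]


def parse_hosts(text):
    """Return (ip, hostname) tuples, ignoring blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(entries, protected_suffixes=PROTECTED_SUFFIXES):
    """Flag entries that override a protected vendor name (even to loopback,
    which silently blocks updates) or send any other name off loopback.
    Returns (ip, name, reason) tuples; an empty list means a clean file."""
    findings = []
    for ip, name in entries:
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if any(name == s or name.endswith("." + s) for s in protected_suffixes):
            findings.append((ip, name, "security vendor name overridden"))
        elif not addr.is_loopback:
            findings.append((ip, name, "non-loopback redirect"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{ip:<16} {name:<28} {reason}")
```

On the XP machine itself, read C:\WINDOWS\system32\drivers\etc\hosts into `parse_hosts` instead of the sample; a clean file produces no findings.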
Scan for viruses/more spyware by using online anti-virus scanners!!
Trend Micro HouseCall online anti-virus scanner will help remove what it finds.
Norton Online Scanner: Norton will not remove the files for you. You need to find the location and delete the files by hand. Click the Symantec Security Check
[URL=http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym]http://security.symantec.com/sscv6/default…id=ie&venid=sym[/URL]
If spyware/virus is found, rerun the scan until you find none.
Run Rootkit scanner
[URL=http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx]RootkitRevealer[/URL]
Why?
A rootkit is software that attempts to hide its presence from scanners and system management utilities. Rootkits can execute in user mode or kernel mode.
Playing hook with the network connection
If you lose the network connection during any of these steps, try running WinSock XP Fix. This should restore the stock Winsock settings for the network, which hopefully will fix it. The spyware/virus may have edited the network software, and removing the spyware/virus destroys that software.
You may need to reinstall your OS or drivers
You may need to reinstall the OS on top of itself, or may need to wipe everything and reinstall a clean copy of the OS. You need the Windows CD-Key for both options. For the drivers, you need to test them in order to find out whether they are working or not; have fun in this step.
Reinstall anti-virus and scan your computer
Please note that the spyware/virus may have disabled or killed your anti-virus!! You may need to remove the anti-virus and reinstall it, then update it and rescan for viruses/spyware. Go to the antivirus website to find the tool to fully remove the antivirus.
Scan the Hard Drive for Errors (scandisk)
Scan Disk will take some time; best go do something else for a few hours after the scan has started. It could take longer on a larger hard drive.
Update Windows
Updates, Updates, Updates, and more updates.
Defrag the hard drive
(Run Scandisk first!! This step will take some time.) Before starting Defrag you should be in Safe Mode, or if you're in normal mode, stop all unnecessary programs that are running. Disk Defragmenter needs a minimum of 15% free space on the hard drive in order to defrag.
Misc
Enable System Restore
Enable Services in msconfig
Enable Startup in msconfig
Clean dust from the computer
Please say if it needs added steps and what/where they need to be.