Cleaning Your PC


In many cases, simply running virus and spyware/adware scanners will result
in the scanners automatically cleaning the unwanted program off your PC for you.
This guide is aimed at providing an effective "full service" method of eliminating
spyware, adware, viruses and other potentially unwanted software. If you’re unsure of
any of the steps in here, please feel free to create a thread about it in this forum.
Thanks

1) Download your weapons of choice


The obvious first step. If you have virus/spyware/adware scanners already, you may
need to update them with the latest definitions. If you don’t have these scanners, go
through our Links section and pick a few out. The common choice for spyware and
adware detection/removal would be Spybot Search and Destroy and AdAware. We’ve
listed a few options in our Software Links. The more antispyware and antivirus
programs you run, the better chance you have of finding everything. You may find it
advantageous to boot to Safe Mode with Networking before updating definitions for
your choice of adware/spyware tools. The reasoning behind this is the same as the
next section's emphasis on only essential services running during the update process.
Some malware is capable of monitoring updates to the tools that could remove them
and will take steps to negate the work you are doing. Although not as secure as Safe
Mode, Safe Mode w/ networking is better than normal mode for this type of work.
After updating, you can either stay in this mode (physically disconnect from the
network and skip to step 3) or

2) Boot into Safe Mode


The purpose of Safe Mode is to boot Windows with minimal overhead, meaning only
essential system files and drivers. This practise helps stop many unwanted programs
from starting when Windows starts (when they start as well, they must be stopped
before you can delete them). Some unwanted software may still manage to start even
in Safe Mode. When you power up your PC, you need to hit F8 just at the end of the
initial hardware displays (P.O.S.T.) and before the first Windows loading screen
appears. You should see a few options listed, including 'Safe Mode'.

3) View all files and folders


Many viruses and unwanted software will hide in Windows system folders or will be
hidden. To delete them, you need to be able to see them. Open Windows Explorer and
go to Tools > Folder Options > View (tab) and select 'Show hidden files and folders'
and uncheck 'Hide extensions for known file types', 'Hide protected operating system
files' and 'Use simple file sharing'. Click 'Apply' then 'OK'.

4) Delete Temporary Files, Cookies and Browser Cache


Doing this serves two purposes. One, it can speed up the process of the scan and two,
it can remove some unwanted software before the scans start (tracking cookies for
example). If you’ve just installed or uninstalled some software, you should restart
your PC before doing this.
In Windows 2K/XP, the folders you should empty are:

C:\Documents and Settings\{username}\Local Settings\Temp
C:\Documents and Settings\{username}\Local Settings\Temporary Internet Files
C:\Documents and Settings\{username}\Cookies

You should do this for each user name - and also for all System accounts (Local
Service, Network Service, etc.). In addition, on Windows 2000 and XP, the system has
its own profile where the Cookies, Temp and Temporary Internet Files folders are
located in:

%systemroot%\system32\config\systemprofile\cookies
%systemroot%\system32\config\systemprofile\Local Settings\Temp
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files

These should also be emptied. %systemroot% is most often named Windows, but may
not be - it is the directory in which Windows is installed.

Additionally, C:\Downloaded Program Files should be emptied as virus installation
programs may hide in there. Many of these locations can be conveniently cleared out
using the Disk Cleanup feature.

In Windows 9X/ME, the folders to empty are:
C:\Windows\Temp
C:\Windows\Cookies
C:\Windows\Temporary Internet Files
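
The folder list above can be walked with a script instead of by hand. The following is an added example, not part of the original guide: it assumes Python is available on the machine, and the function names `cleanup_targets` and `empty_folder` are made up for illustration. It defaults to a dry run that only reports what would be removed.

```python
import os
import shutil

# Folders inside each profile that the guide says to empty.
PROFILE_SUBDIRS = [
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    "Cookies",
]


def cleanup_targets(profiles_root, system_root):
    """Return every existing folder from the guide's list, for all profiles."""
    profiles = []
    if os.path.isdir(profiles_root):
        profiles = [os.path.join(profiles_root, n) for n in sorted(os.listdir(profiles_root))]
    # The system's own profile lives under system32\config\systemprofile.
    profiles.append(os.path.join(system_root, "system32", "config", "systemprofile"))
    targets = []
    for profile in profiles:
        for sub in PROFILE_SUBDIRS:
            path = os.path.join(profile, sub)
            if os.path.isdir(path):
                targets.append(path)
    return targets


def empty_folder(folder, dry_run=True):
    """Empty a folder but keep the folder itself.

    Returns (removed, skipped). With dry_run=True nothing is deleted and
    'removed' lists what would be deleted.
    """
    removed, skipped = [], []
    for entry in os.listdir(folder):
        path = os.path.join(folder, entry)
        try:
            if not dry_run:
                if os.path.isdir(path) and not os.path.islink(path):
                    shutil.rmtree(path)
                else:
                    os.remove(path)
            removed.append(path)
        except OSError:
            skipped.append(path)  # typically a file that is still in use
    return removed, skipped


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")  # assumed default
    for folder in cleanup_targets(r"C:\Documents and Settings", root):
        print(folder, len(empty_folder(folder)[0]), "item(s) would be removed")
```

Files reported in `skipped` are usually locked by a running program, which is one more reason to run the cleanup from Safe Mode.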

5) HijackThis (Preliminary Report)


HijackThis (HJT) can catch many undesired startup items that may be the cause of
your frustrations or may still start in Safe Mode. Do a scan and create a log file. Save
the logfile somewhere then analyse it through this website:
www.hijackthis.de (you can also download HJT from here)
Scroll down to see the analysis results. If you're unsure about any of the results it
returns, err on the side of caution and leave it alone while you go and search for
information on it on Google or here in this forum.

Logfiles from HJT can usually be split into three distinct sections:
• Processes currently running
• Internet Explorer add-ons
• Software initiated through the registry
NOTE: These are merely the most common things that HJT detects. If your problem
is not listed here, please continue through this guide.

If the site returns any “Nasty” results, take note as to whether they have any related
files on your hard drive and take note of their exact names and locations. Find and
tick those “nasty” entries in HJT, then click ‘FIX’ to remove their startup functions. If
you have “Unknown” entries, be wary of removing them. They may in fact be safe or
even important entries (like DNS Server Addresses for your Internet connection).

Malicious Processes (eg. EXE files) usually need to be stopped before removing
them. You can do this in Task Manager. Press CTRL+ALT+DEL and click the 'Task
Manager' button. Open the 'Processes' tab then right-click the "nasty" processes and
select 'End process tree'. Once you have done that you can refer to your “nasty” files
list and delete those files.
IMPORTANT: RUNDLL32.EXE is an important Windows system file which is also
sometimes used to load various viruses, etc. DO NOT DELETE IT!

Once you’re done doing that, restart your PC (be sure to return to Safe Mode) to let
changes take effect. If you’re unsure about whether entries in HJT are safe or not, try
Googling the files or post your HJT log in a new thread in this forum.
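
To read a logfile offline, the three sections described above can be pulled apart with a short parser. This is an added example, not part of the original guide or of HijackThis: the sample log is constructed, and the grouping of entry codes (O2, O3, O8, O9, O16 as Internet Explorer add-ons, O4 as registry startup) is this example's assumption. It also marks entries launched through rundll32 and DNS (O17) entries for manual review, matching the cautions above.

```python
import re

# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Example\updater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [loader] rundll32.exe "C:\WINDOWS\example.dll",Start
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Assumed grouping of entry codes into the guide's sections.
IE_ADDON_CODES = {"O2", "O3", "O8", "O9", "O16"}
STARTUP_CODES = {"O4"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt_log(text):
    """Split a HijackThis log into processes, IE add-ons and registry startup."""
    out = {"processes": [], "ie_addons": [], "registry_startup": [],
           "other": [], "review": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if not match:
            if in_processes and line:
                out["processes"].append(line)
            continue
        in_processes = False  # the first coded entry ends the process list
        code, body = match.groups()
        if code in IE_ADDON_CODES:
            out["ie_addons"].append((code, body))
        elif code in STARTUP_CODES:
            out["registry_startup"].append((code, body))
        else:
            out["other"].append((code, body))
        if "rundll32" in body.lower():
            out["review"].append((code, "check the DLL it loads; keep rundll32.exe"))
        if code == "O17":
            out["review"].append((code, "DNS setting; confirm before fixing"))
    return out
```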

6) Disable System Restore Service


The System Restore Service provides a mechanism to restore your Windows
installation to older registry settings and system files. It stores these "backups" under
'[Drive]:\System Volume Information' and restricts users' access to that folder.
Consequently, lots of viruses and the like choose to hide in System Restore’s
backup folders. Disabling System Restore while you do your scans allows some
programs to scan these folders when they otherwise would be denied access. You can
disable the System Restore Service by going to Start Menu > Run and typing
services.msc. In the right-hand pane, scroll down and double-click 'System Restore
Service'. Set the 'Start-up Type' to 'Disabled', then click 'Apply' then 'OK' to set the
change. This step is particularly important because, not only can malware and
viruses hide in these folders, inadvertently restoring your system to an earlier point
after cleaning your system can result in the reversal of all your work.

7) Scan PC with your weapons of choice


Now you’re ready to run some antivirus and antispyware software. Allow them to
clean anything that they deem to be malicious. If one of your weapons finds and
cleans anything, you should reboot your PC (don’t forget to get back into Safe Mode!)
before running the next program. This makes the changes stick and ensures the next
program doesn't try to fix the same problem.

Sometimes programs can't remove (or don't completely remove) nasty software. It can
pay to write down the names of unwanted files that were found, so you can do
searches on Google for them or use parts of their names in searches on your drives for
associated files. Often a Google search for bits of information can turn up full detailed
instructions or specialised patches for fixing that particular problem.
Repeat the scanning stage until you are confident that your PC is clean.

If you're still having trouble with particular files, write down as much detail as you can
about them then make a thread about it. Useful information includes:
File names, file properties info, file locations, any associated files as well as virus
names and strains (a,b,c, etc.) and any websites they may be linking to.

8) Boot To Normal Mode


Once back in Normal Mode, see if the machine is acting the way it should. If not, you
may want to repeat step 7 (in Safe Mode).

9) Turn On System Restore


In the same manner that a contaminated System Restore store can work against you,
conversely, a clean and well maintained System Restore store can help facilitate the
repair of a variety of system errors. When you're sure that your PC is clean, you can
follow the instructions above to set System Restore Service’s 'Start-up Type' to
'Automatic' and reboot.

10) Windows Updates


Use Windows Update to update your machine and, at this point, your machine should
be running the way it was when you first built/bought it!
