Well, I thought I'd share some of my experience with computers with you guys who have been quite helpful in the past. I've spent quite a bit of time working on PC's and doing software work, and here's a bit of what I know.
Detection
First things first, determine the cause of the problem. I won’t get into hardware issues, so I’ll give you a few things to check. These mainly apply to Windows XP/2000, but some can also apply to earlier versions.
Hit CTRL+ALT+DEL and click on “Task Manager.” Click on the “Processes” tab. How many does it say are running? A fresh install should have right around 25. Your average install with all hardware running shouldn’t be more than about 35. Laptops might have slightly more due to processes needed to interface the hardware devices with Windows. If you’ve got more than 40, consider running a spyware or virus scan. I’ve seen computers with upwards of 90 processes running; these were definitely infected. Other flags are programs that say things like “Bargains,” “Shopping,” “Adult…” or random things like “SVKLSYE38.” Those are signs of Spyware or Viruses as well.
Go to START > RUN (or Windows Key+R) and type in “msconfig.” Click on the “Startup” tab. How many programs are starting up with this computer? Again, fresh installs usually have less than 5, and your average install really shouldn’t have more than 10. Like the “Processes” check, look out for suspicious filenames. Also, look for unnecessary startup items, such as Realplayer, Quicktime, MSN Messenger, and other things. If you are unsure as to what is necessary, visit http://www.sysinfo.org/startuplist.php for a comprehensive list. The best program I’ve seen for management is “Startup Inspector.” It is free and automatically tells you what is and is not necessary.
Go to START > RUN and type in “services.msc.” Look for anything unnecessary or suspicious. Now this is quite dangerous to mess with, so I recommend using “HijackThis!” to disable services. HijackThis! is a great program that you will become familiar with when you do virus and spyware removals. It shows all the startup items for the computer, as well as services, LSP issues, web hijackers, and other useful things. Visit http://www.theeldergeek.com/services_guide.htm for more info regarding necessary and unnecessary services.
For virus scans, go to http://housecall.trendmicro.com. It is a very helpful and free virus scanner and remover.
For quick spyware scans, go to http://www.geeksquad.com and use their Spyware Scanner. It won’t remove anything, but it will help determine if there are any issues quickly.
Removal
If you still have access to the internet, you will need to download some tools. I recommend the following free utilities:
• Spybot - http://www.safer-networking.org
• Ad-Aware - http://www.lavasoftusa.com/software/adaware/
• HijackThis! - http://www.spywareinfo.com/~merijn/
• LSPFix - http://www.spywareinfo.com/~merijn/
• CWShredder - http://www.spywareinfo.com/~merijn/
• Kazaa-Be-Gone - http://www.spywareinfo.com/~merijn/
• McAfee Stinger - http://vil.nai.com/vil/stinger/
• CleanCenter - http://www.cleancenter.net/
Once these programs are downloaded, save them to a directory on the computer that can be accessed by all users (i.e. a folder in the root drive, e.g. C:\DOWNLOADS).
Restart the computer in safe mode. This is done by pressing F8 repeatedly after booting up the computer. Select the “Safe Mode With Networking” option and press ENTER. Notice how you have an Administrator user now…we will have to perform the following steps on not only your regular user(s), but the Administrator as well.
First things first, right-click on “My Computer” and select “Properties.” Click on the “System Restore” tab. Disable System Restore for all drives. This will prevent certain viruses and spyware programs from reinstalling themselves.
Install CleanCenter, run it, and remove all temp/junk files and clean out your internet history/temp files and empty the Recycle Bin. This will not only remove some of the problem files, but it will also speed up your file scans dramatically. You can have thousands of files lurking in your temporary folders.
Run HijackThis!. It will bring up a list of a bunch of items. Some of these are good, some are bad. If you are familiar with computers, you will know what not to remove, but if you are not, check my links above for safe and unsafe startup items and services. Obvious ones to kill are anything related to bargains, shopping, assistants, etc. Random letters and numbers (especially 8-characters long) are also usually safe to remove. You can also remove anything that you don’t want to run anymore from this menu. If any search pages or home pages come up, I usually delete them, as well as any additional menu items or buttons. If there is a hijacker (like NewDotNet), it may prompt you to run LSPFix to remove it. Be sure to do a Google search regarding this program, as it is very easy to break Windows by removing the wrong things. Read the help file regarding LSPFix as well if you need to run it.
Install Spybot, run the program, download the updates, and search for spyware. Spybot is a very quick program because it does not do a comprehensive file search. Remove all detected items.
Install Ad-Aware, run the program, download the updates, and go to the options. Be sure to perform the in-depth file scan. Search for and remove all detected items.
Run CWShredder. It will automatically find and remove all traces of Cool Web Search.
Run Kazaa-Be-Gone. Chances are, if you have spyware, you have some version of Kazaa, and vice-versa. Delete all detected items.
At this point in time, restart your computer and scan for spyware online again. Usually it takes about two full sweeps to remove all items. Stubborn items may require special tools, in which case Google is your best friend. Be sure to do all removals in safe mode.
After cleaning the spyware out of your system, run the Stinger.exe program in safe mode for all usernames. This searches for and removes the most common worms and viruses. Then, visit Trend Micro’s website (above) and perform the online virus scan/removal. This will help clean up any extra viruses that may crop up. Again, if something is stubborn, do a Google search on the item for removal.
Once you have done all of the spyware and virus removal, restart your computer in normal mode. Hopefully, you should be problem free. Now, be sure to protect yourself with a good antivirus software (I like Symantec Corporate edition), a good antispyware software (Microsoft Antispyware is the best and is free), and a good firewall (the Windows XP SP2 one is adequate and free, but ZoneAlarm is a nicer free firewall). Be sure to download all the latest Windows updates (Internet Explorer > TOOLS > WINDOWS UPDATES).
Detection
First things first, determine the cause of the problem. I won’t get into hardware issues, so I’ll give you a few things to check. These mainly apply to Windows XP/2000, but some can also apply to earlier versions.
Hit CTRL+ALT+DEL and click on “Task Manager.” Click on the “Processes” tab. How many does it say are running? A fresh install should have right around 25. Your average install with all hardware running shouldn’t be more than about 35. Laptops might have slightly more due to processes needed to interface the hardware devices with Windows. If you’ve got more than 40, consider running a spyware or virus scan. I’ve seen computers with upwards of 90 processes running; these were definitely infected. Other flags are programs that say things like “Bargains,” “Shopping,” “Adult…” or random things like “SVKLSYE38.” Those are signs of Spyware or Viruses as well.
Go to START > RUN (or Windows Key+R) and type in “msconfig.” Click on the “Startup” tab. How many programs are starting up with this computer? Again, fresh installs usually have less than 5, and your average install really shouldn’t have more than 10. Like the “Processes” check, look out for suspicious filenames. Also, look for unnecessary startup items, such as Realplayer, Quicktime, MSN Messenger, and other things. If you are unsure as to what is necessary, visit http://www.sysinfo.org/startuplist.php for a comprehensive list. The best program I’ve seen for management is “Startup Inspector.” It is free and automatically tells you what is and is not necessary.
Go to START > RUN and type in “services.msc.” Look for anything unnecessary or suspicious. Now this is quite dangerous to mess with, so I recommend using “HijackThis!” to disable services. HijackThis! is a great program that you will become familiar with when you do virus and spyware removals. It shows all the startup items for the computer, as well as services, LSP issues, web hijackers, and other useful things. Visit http://www.theeldergeek.com/services_guide.htm for more info regarding necessary and unnecessary services.
For virus scans, go to http://housecall.trendmicro.com. It is a very helpful and free virus scanner and remover.
For quick spyware scans, go to http://www.geeksquad.com and use their Spyware Scanner. It won’t remove anything, but it will help determine if there are any issues quickly.
Removal
If you still have access to the internet, you will need to download some tools. I recommend the following free utilities:
• Spybot - http://www.safer-networking.org
• Ad-Aware - http://www.lavasoftusa.com/software/adaware/
• HijackThis! - http://www.spywareinfo.com/~merijn/
• LSPFix - http://www.spywareinfo.com/~merijn/
• CWShredder - http://www.spywareinfo.com/~merijn/
• Kazaa-Be-Gone - http://www.spywareinfo.com/~merijn/
• McAfee Stinger - http://vil.nai.com/vil/stinger/
• CleanCenter - http://www.cleancenter.net/
Once these programs are downloaded, save them to a directory on the computer that can be accessed by all users (i.e. a folder in the root drive, e.g. C:\DOWNLOADS).
Restart the computer in safe mode. This is done by pressing F8 repeatedly after booting up the computer. Select the “Safe Mode With Networking” option and press ENTER. Notice how you have an Administrator user now…we will have to perform the following steps on not only your regular user(s), but the Administrator as well.
First things first, right-click on “My Computer” and select “Properties.” Click on the “System Restore” tab. Disable System Restore for all drives. This will prevent certain viruses and spyware programs from reinstalling themselves.
Install CleanCenter, run it, and remove all temp/junk files and clean out your internet history/temp files and empty the Recycle Bin. This will not only remove some of the problem files, but it will also speed up your file scans dramatically. You can have thousands of files lurking in your temporary folders.
Run HijackThis!. It will bring up a list of a bunch of items. Some of these are good, some are bad. If you are familiar with computers, you will know what not to remove, but if you are not, check my links above for safe and unsafe startup items and services. Obvious ones to kill are anything related to bargains, shopping, assistants, etc. Random letters and numbers (especially 8-characters long) are also usually safe to remove. You can also remove anything that you don’t want to run anymore from this menu. If any search pages or home pages come up, I usually delete them, as well as any additional menu items or buttons. If there is a hijacker (like NewDotNet), it may prompt you to run LSPFix to remove it. Be sure to do a Google search regarding this program, as it is very easy to break Windows by removing the wrong things. Read the help file regarding LSPFix as well if you need to run it.
Install Spybot, run the program, download the updates, and search for spyware. Spybot is a very quick program because it does not do a comprehensive file search. Remove all detected items.
Install Ad-Aware, run the program, download the updates, and go to the options. Be sure to perform the in-depth file scan. Search for and remove all detected items.
Run CWShredder. It will automatically find and remove all traces of Cool Web Search.
Run Kazaa-Be-Gone. Chances are, if you have spyware, you have some version of Kazaa, and vice-versa. Delete all detected items.
At this point in time, restart your computer and scan for spyware online again. Usually it takes about two full sweeps to remove all items. Stubborn items may require special tools, in which case Google is your best friend. Be sure to do all removals in safe mode.
After cleaning the spyware out of your system, run the Stinger.exe program in safe mode for all usernames. This searches for and removes the most common worms and viruses. Then, visit Trend Micro’s website (above) and perform the online virus scan/removal. This will help clean up any extra viruses that may crop up. Again, if something is stubborn, do a Google search on the item for removal.
Once you have done all of the spyware and virus removal, restart your computer in normal mode. Hopefully, you should be problem free. Now, be sure to protect yourself with a good antivirus software (I like Symantec Corporate edition), a good antispyware software (Microsoft Antispyware is the best and is free), and a good firewall (the Windows XP SP2 one is adequate and free, but ZoneAlarm is a nicer free firewall). Be sure to download all the latest Windows updates (Internet Explorer > TOOLS > WINDOWS UPDATES).
