
Tech-Dumps Spyware Removal Guide

This guide is intended to help you remove spyware, malware, viruses, rogue software, rootkits and much more on Microsoft Windows XP. Be advised that this guide may not remove all known and unknown spyware, malware, viruses, rogue software, rootkits and whatever else may be out there. This is an ever-changing field of software in which new techniques and tools need to be discovered to remove such infections. This can be a frustrating time as you may not be able to access the internet, any system devices or even log in to your computer/laptop. You are then asking the question, how do I get these programs onto my infected system? If your PC is that bad you may need to transfer these programs via a USB stick, external hard drive, CD, DVD, etc. If this is still not possible then a bootable spyware CD is needed to start you off and hopefully get you back on your feet to install and run these programs. If that is your case then go directly to the bootable spyware CD at the end of this guide and follow the instructions. There will be several to choose from, so you may need to make more than one if one spyware CD is not able to remove the infections.

To start off it is recommended that you make a complete backup of your system. If you decide not to make a backup then that is your call. If you don't know how but would like to learn, visit How to backup my computer, which is a Microsoft website. One last question you may have: how did I get infected? To answer your question, visit So how did I get infected in the first place? This is also another reputable site. I'm going to add one thing: don't go downloading all those programs before you start this guide. I'll update you on this at the end of this tutorial.

Our first step in the cleanup process will be to disable all Add-ons by resetting the Internet Browser. You can go back in at a later time to re-enable legitimate Add-ons. If you are using IE7, go to:

Start

Settings>Control Panel

Internet Options

Click the Advanced tab and then click Reset

Uh oh, did you forget to close the browser? If so close the browser and try again.

Click Reset

The Internet Browser is now being reset.

You can now close the Internet Options applet and open Add/Remove Programs

Since I can't see what is in here, you will need to determine what programs you installed and did not install. If you see any suspicious programs, uninstall them. If you are unsure please ask in the forum and include the entire name. Some examples may include WinAntivirus2009, WinAntivirus2008 and below, Hotbar, Gator, XP Antivirus 2009 and below, and many more. Please remove these programs. You may receive an error message upon removing; if this happens then ignore it and continue on with the next. If the Internet Browser opens automatically for you to fill out a form, download an uninstaller, etc., please close this immediately and do not proceed any further with the Internet Browser. And whatever you do, if you have a program telling you that your computer is infected and that in order for you to remove the infections you need to buy the software, disregard this!!! All they are trying to do is get money from you! Let me know if you are getting those notifications as well.

A lot of Spyware, Viruses, etc. like to infect System Restore. I don't use this myself; it can be helpful and it can cause issues. Let's say System Restore has been infected. We remove all Spyware, etc. on your system, then you reboot and it's back, or you use System Restore and you are back where you started. I tell most users to turn it off and then, when we are finished, they can turn it back on, creating a new clean Restore Point. To learn about System Restore visit How to turn off and turn on System Restore in Windows XP.

Now we need to check what is in your Startup folder. Close Add/Remove Programs and then close Internet Options. Follow the instructions below.

Go to Start

Run

Type msconfig and click OK

Click the Startup tab. Here is where you can see all the programs that start up each time Windows reboots. 99% of the programs listed are generally not essential, which means they are safe to disable. The only item we will leave checked is your Antivirus. I'm using AVG, so if I were to disable all entries but AVG, I would leave avgtray checked as shown in the next screenshot. Now click Disable All and then Apply and OK

You can see below all entries have been disabled except AVGTRAY which belongs to AVG.

Be careful here not to just click away, because you may click Restart. You need to click Exit without Restart

This will be the first piece of software to download. Click the link below to download the Msconfig Cleanup Utility: Msconfig Cleanup Utility

Install as shown below

Here are the entries you disabled via Msconfig>Startup. Items that you left enabled will not show up in this view. Once again, make sure you don't need any of these in your startup; otherwise a re-installation may be needed for that program.

Here is where you click Select All and then click Clean up Selected

All entries should now be removed

Now it's time to reboot. Once you are back at the desktop there will be a dialog box called System Configuration Utility.

Now all you need to do is put a check mark in the box and click OK. If you don't do this, this dialog will appear each time you reboot.

Now you need to download: Cleanup!

Installation is easy and fast; just use the default settings by clicking Next, Next, Next, etc. Cleanup Installation

Cleanup! should open automatically. We need to click Options on the right-hand side of Cleanup!, select Delete Prefetch Files and then click OK

Now click Cleanup! and select NO if the message below appears

And click OK if the second message appears

It's up to you if you want to donate, but do this after we have finished this tutorial, so click NO

Click Close

Select No

CCleaner

CCleaner Installation

Uncheck the last 2 check boxes unless you really want them, then click Install

Launch CCleaner and make sure all boxes are checked and then click Run Cleaner

Put a check mark in the box as shown below and click OK

The scan has started and is now complete showing you the results

Next click the Registry icon under Cleaner and then click Scan for Issues

When it's finished, click Fix selected issues

Click Yes if you want to save a backup, otherwise click No

Click Fix all selected Issues

Issues have been fixed, now click Close

Once again you need to reboot. Once you are back at the desktop, continue with this tutorial.

At this point I have no idea what kind of infection you have, and you possibly don't either, so without knowing what specific threat you have, there are a few programs to download that cover almost everything. All these programs are FREE; even if they are referred to as a trial, they are fully functional and only needed for a short period, unless you want to buy them, but that's up to you. The links below are directly from legitimate websites and should always be the most current version.

Hijackthis 2.02

For now just close Hijackthis

Smitfraud Fix

Some infections will not allow certain programs to run. If this is your case, please inform me in the forum and then move on to the next program to download.

Press any key to continue after you have read the message

It is recommended to run this tool in SAFE MODE. If you are unsure how to boot into SAFE MODE, follow the link

How to boot into SAFE MODE

If you can't boot into SAFE MODE then you will need to run this tool in Normal Mode. The only option you need to run is # 2

The tool will now run

It will then prompt you about cleaning the registry; type in Y and press Enter. Your system may or may not reboot, so don't be worried if it shuts down suddenly. When it's finished a log report will be generated. Save this log report, because you will need to post it on the forum when we are finished.

Press the Q button to Quit the program and press Enter

Vundo Fix

Most of the time direct links to the downloads are not available, for update purposes. Vundo Fix Installation

To start the Vundo Fix scanning process, click Scan for Vundo

Vundo Fix is now scanning your system. This might take a while, so be patient.

Results will be displayed. If you are infected, click Fix Vundo. I don't have a screenshot yet since I'm not infected.

Now close Vundo Fix.

Malware Bytes Download

Make sure both are checked

MBAM will automatically update

Click the Settings tab and check Terminate Internet Explorer during removal

Select Perform full scan and then click Scan

Select the drives you want to scan and click Start Scan

MBAM will now scan your system, which may take a while. If infections are found they will show up next to Objects Infected; then click Show Results and remove the infections.

ComboFix Download

A guide and tutorial on using ComboFix: ComboFix Installation

You may hear a BEEP; disregard this BEEP, ComboFix initiated it. Select Yes

Select No for the Recovery Console Installation

Your screen may black out for a second and then go through the cleaning stages

The scan has been completed. You will need to post the log in the forum when we are finished, so don't delete it. You can see the location of the log report above.

Trojan Remover

Trojan Remover Installation

Make sure both boxes are checked and then click Finish

Click Update

It will then download new update files

Click Close when it is finished

If you want to buy this software you can do so at a later time. This is a fully functional trial program. Click Continue

Click Scan

The scan is now complete

For advanced scanning, click Utilities and then Reset Internet Explorer Home/Start/Search Page Settings

Click Reset Internet Explorer Settings

Internet Explorer has been reset

Click Reset Windows HOSTS file

Click Yes

HOSTS file has been reset

Select Reset Windows Update Policies

Click OK

Windows Update Policy has been reset

Select Repair Layered Service Provider Registry Values

Click OK

If errors were present, they have been fixed and reset. Otherwise no action will be taken, as you can see from my machine

Select Reset Windows Explorer Policies

Click OK

Explorer Policies have been reset

We are now finished with Trojan Remover

SDFIX
I mainly suggest SDFIX when we are dealing with the ROOTKIT tdss (tdssserv, TDSSserv.SYS, Service_TDSSSERV.SYS, Legacy_TDSSSERV.SYS). Unless I tell you to run SDFIX you don't need to run it. But if you are instructed to do so, then follow here for the time being: How to use SDFix

Now I know a lot of people have paid for their Antivirus subscription, which is a shame, especially if you use Norton or Symantec products and now McAfee. There are FREE alternatives out there that are 100% better. Why use a product that can only eliminate certain viruses but not spyware, malware, etc., only leaving you prone to such attacks? Wouldn't you feel much safer if you used a product that can cover you in all directions? If so then you need to look into AVG. Take a look at Tech-Forums.net/pc Tech-Forums Top Rated Antivirus and see for yourself. If you need to pay for software, then pay for AVG. AVG 8 Download

I prefer not to install the AVG Security Bar; I'll leave it up to you if you decide to install it

AVG is now installed. If your system is infected, AVG may be finding infections right now. Always HEAL the infection. Make sure all features are up to date and Green as shown below.

To manually start a scan click Computer Scanner and then click on Change Scan Settings

Make sure all scan options are selected and then click Start Scan

AVG is now scanning your system

We are now near the end of this tutorial. The next step is to launch Hijackthis. There should be an icon on your desktop like the one below. Double click the icon

Click Do a system scan and save log file

Hijackthis is now scanning your system

When it is completed it will automatically create a log file and pop up on the screen. This is the log you need to post in the forum along with the other two logs mentioned above.

Post your log here http://www.tech-forums.net/pc/f70/ I will analyze your log and list the entries you need to remove. There is a 7-day window, meaning if you post your log, I reply with entries to remove and you don't get back to me within 7 days, the post will be removed. If you want it back open, either PM me, OSIRIS, or start another post with a fresh Hijackthis log. When posting your log I need to see the COMPLETE LOGS of HIJACKTHIS 2.02 and COMBOFIX. This is what should be displayed at the top of each and every log. This shows me what version of Hijackthis you are using (just a side note: I will not analyze your log unless it is with the current version of Hijackthis 2.0.2), what Service Pack of Windows you are on and what version of Internet Explorer you are using.

Also make sure there are no gaps in between entries like shown below. This makes it harder to read.

R0 - HKCU\Software\Microsoft\Internet Explorer \Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer \Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer \Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer \Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer \Main,Local Page =

They should all be one line, as seen below

So how do you remove these entries? Let's say I have selected the entry below for you to remove:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present

All you need to do is rescan using Hijackthis, scroll down to O6 and find the entry I posted. Put a checkmark in the box and click Fix Checked.

Select Yes to delete

Hijackthis goes blank. Now rescan and the entry should be gone.

The entry I selected is no longer there
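Because the logs are read by hand in the forum, wrapped entries like the R0 lines shown earlier are easy to misread. The following is an added example, not part of the original guide: a small Python parser that rejoins wrapped HijackThis entries, splits each into its type code, location and value, and lists the entries of one type (here the O6 policy restriction the guide removes). The log fragment is constructed for this example.

```python
import re

# A fragment of a HijackThis 2.0.2 log, constructed for this example. The first
# R0 entry has been wrapped onto two lines with a blank line in between, which is
# the "gap" problem the guide warns about when logs are pasted into the forum.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer",
    r"\Main,Start Page = about:blank",
    "",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present",
])

# Every entry starts with its type code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def rejoin_entries(text):
    """Return one string per entry, gluing wrapped continuation lines back on."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue                     # blank "gap" lines carry no information
        if ENTRY_RE.match(line):
            entries.append(line)         # a new entry begins here
        elif entries:
            entries[-1] += line.strip()  # anything else continues the previous entry
    return entries


def parse_entry(entry):
    """Split a complete entry into its type code, location and (optional) value."""
    kind, body = ENTRY_RE.match(entry).groups()
    location, _, value = body.partition("=")
    return {"type": kind, "location": location.strip(), "value": value.strip(), "raw": entry}


def entries_of_type(text, kind):
    """List the raw entries of one type, e.g. the O6 policy restrictions the guide removes."""
    return [e["raw"] for e in map(parse_entry, rejoin_entries(text)) if e["type"] == kind]


if __name__ == "__main__":
    for entry in map(parse_entry, rejoin_entries(SAMPLE_LOG)):
        print(entry["type"], entry["location"], "=", entry["value"] or "<empty>")
    print("O6 entries:", entries_of_type(SAMPLE_LOG, "O6"))
```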

Now this doesn't work all the time. There will be some entries that can't be removed until we run some other programs. So now you have removed all entries using Hijackthis, scanned with all programs, etc., and I gave you the thumbs up on a clean system. What you need to do is double check to make sure you are not receiving any pop-ups, notifications, redirects, etc. The log will not show everything, so I need to depend on you to give me that info. So if you are clean from the log and you feel confident to perform the next step, then let's finish this up.

You may have noticed when you launched Internet Explorer that you need to reconfigure some settings. Set the options as I did below unless you want to use your own options. Then click Save Your Settings

The default website is www.msn.com; you can change this to whatever you want. If you don't know how to change the Home Page Website, follow below: Go back to Internet Options via Control Panel. Now type in the website address you want to be your default. I will use www.google.com

Next click Settings under Browsing History, set it as shown and then click OK

Then click Settings under Tabs, add a check mark where it reads Open Home page for new tabs instead of a blank page and click OK

Now close Internet Explorer and open it back up. You may need to click the Home Page button, which looks like a HOUSE

Now click the TAB which is circled in RED

Put a check mark where it reads Don't show this page again and then click Close

Then press the Home Page button and the Home Page you set will be displayed.

Next we will configure Internet Explorers pop-up blocker. Go back to Internet Options, click the Privacy tab and then click Settings under Pop-up Blocker.

I usually set mine to Medium and uncheck the Notifications, then click Close

You may have noticed your time has switched to Military Time. This probably happened after one of the scans. This is a simple fix. Open Regional and Language Options

Click Customize and then click the Time tab. See where it reads Time Format; that needs to be changed to H:MM:SS:TT. This view is Military

This view is Standard, which is what you are probably looking for.

Now click Apply, OK, and APPLY and watch the time change. We have a few things left to do here. The most important is to run Windows Update. Make sure you are 110%, completely updated with all patches from Microsoft, including SP3 and IE7. Even if you don't use IE7, it is considered an update which fixes security issues, so download it at least and continue using whatever browser it is that you use.

Update Sites
Microsoft Update

Microsoft Windows XP SP2

Microsoft Windows XP SP3

Adobe Flash Player

Java Update

IE7 Pro

Firefox

Opera

Spyware Boot CD
This section is intended for severe infections, meaning you are unable to do anything at all on your system. There are several bootable CDs to try. Just pick one and see what happens. If it doesn't work then try the next. Hopefully one will remove some of the infections to make your system usable. Download the Kaspersky Rescue Disk (Size 95.6MB). You will need a program to burn the .ISO file to CD. So download the file and then we will go through the steps to burn it to CD. So make sure you have some blank CDs. Kaspersky Rescue Disk

Click Close

For this tutorial I will use Nero Burning ROM. Make sure you are on CD-ROM ISO > Multisession. Click Open

Select the .ISO you just downloaded and click Open

Now click Burn

Nero is now burning Kaspersky to CD

Click OK and you're finished

When you try to start the CD within Windows, this is what you will see below. In order for this to work you will need to reboot, press F12 and select Boot from CD drive.

When Kaspersky has finished booting from the CD, it will automatically start loading all the files needed. Then you will be at a GUI. All you need to do is make sure all boxes are checked and then click Start Scan. This may take a while to complete since it is running from a CD. If a threat is found when completed, click Fix it now. When finished, close the box and Kaspersky will exit and then shut down your system. Power it back up, remove the CD and see if you can now access your computer.

Avira Rescue CD

Click Save

Click Save

Avira Rescue CD is now downloading

Click Close

Double click Rescuecd.exe

Select your burning device, which is your CD burner. Make sure you have a blank CD-R in the CD burner and click Burn CD

When finished, reboot your computer and boot from the CD.

Other Spyware Tools


Spyware Terminator

Avira

Rootkit UnHooker

Spyware Doctor

Free Online Virus Scanners


Trend Micro House Call

Kaspersky Virus Scanner

Bitdefender Online Scanner

F-Secure Virus Scanner

ESET Virus Scanner
