This guide is intended to help you remove spyware, malware, viruses, rogue software, rootkits and much more on Microsoft Windows XP. Be advised that this guide may not remove all known and unknown spyware, malware, viruses, rogue software, rootkits and whatever else may be out there. This is an ever-changing field of software in which new techniques and tools need to be discovered to remove such infections.

This can be a frustrating time, as you may not be able to access the internet, any system devices, or even log in to your computer/laptop. You are then asking the question: how do I get these programs onto my infected system? If your PC is that bad, you may need to transfer these programs via a USB stick, external hard drive, CD, DVD, etc. If this is still not possible, then a bootable spyware CD is needed to start you off and hopefully get you back on your feet to install and run these programs. If that is your case, go directly to the bootable spyware CD section at the end of this guide and follow the instructions. There will be several to choose from, so you may need to make more than one if one spyware CD is not able to remove the infections.

To start off, it is recommended that you make a complete backup of your system. If you decide not to make a backup, then that is your call. If you don't know how but would like to learn, visit How to backup my computer, which is a Microsoft website. One last question you may have: how did I get infected? To answer your question, visit So how did I get infected in the first place? This is also another reputable site.

I'm going to add one thing: don't go downloading all those programs before you start this guide. I'll update you on this at the end of this tutorial.

Our first step in the cleanup process will be to disable all Add-ons by resetting the Internet Browser. You can go back in at a later time to re-enable legitimate Add-ons. If you are using IE7, go to:
Start
Settings>Control Panel
Internet Options
Uh oh, did you forget to close the browser? If so close the browser and try again.
Click Reset
You can now close the Internet Options applet and open Add/Remove Programs
Since I can't see what is in here, you will need to determine which programs you installed and which you did not. If you see any suspicious programs, uninstall them. If you are unsure, please ask in the forum and include the entire name. Some examples include WinAntivirus2009, WinAntivirus2008 and below, Hotbar, Gator, XP Antivirus 2009 and below, and many more. Please remove these programs. You may receive an error message upon removing; if this happens, ignore it and continue on with the next. If the Internet Browser opens automatically for you to fill out a form, download an uninstaller, etc., please close it immediately and do not proceed any further with the Internet Browser. And whatever you do, if you have a program telling you that your computer is infected and that in order to remove the infections you need to buy the software, disregard this!!! All they are trying to do is get money from you! Let me know if you are getting those notifications as well.
A lot of Spyware, Viruses, etc. like to infect System Restore. I don't use this myself; it can be helpful and it can cause issues. Let's say System Restore has been infected. We remove all Spyware, etc. on your system, then you reboot and it's back, or you use System Restore and you are back where you started. I tell most users to turn it off, and then when we are finished they can turn it back on, creating a new clean Restore Point. To learn about System Restore, visit How to turn off and turn on System Restore in Windows XP.

Now we need to check what is in your Startup folder. Close Add/Remove Programs and then close Internet Options. Follow the instructions below.

Go to Start
Run (this opens the System Configuration Utility, Msconfig)
Click the Startup Tab. Here is where you can see all the programs that start up each time Windows reboots. 99% of the programs listed are generally not essential, which means they are safe to disable. The only item we will leave checked is your Antivirus. I'm using AVG, so if I were to disable all entries but AVG, I would leave avgtray checked as shown in the next screenshot. Now click Disable all and then Apply and OK.
You can see below all entries have been disabled except AVGTRAY which belongs to AVG.
Be careful here not to just click away, because you may click Restart. You need to click Exit without Restart.
This will be the first piece of software to download. Click the link below to download Msconfig Cleanup.

Msconfig Cleanup Utility
Here are the entries you disabled via Msconfig>Startup. Items that you left enabled will not show up in this view. Once again, make sure you don't need any of these in your startup; otherwise a re-installation may be needed for that program.
Here is where you click Select All and then click Clean up Selected
Now it's time to reboot. Once you are back at the desktop there will be a dialog box called System Configuration Utility.
Now all you need to do is put a check mark in the box and click OK. If you don't do this, the dialog will appear each time you reboot.
Installation is easy and fast; just use the default settings by clicking Next, Next, Next, etc.

Cleanup! Installation
Cleanup! should open automatically. We need to click Options on the right hand side of Cleanup!, select Delete Prefetch Files and then click OK.
It's up to you if you want to donate, but do this after we have finished this tutorial, so click No.
Click Close
Select No
CCleaner
CCleaner Installation
Uncheck the last 2 check boxes unless you really want them, then click Install
Launch CCleaner and make sure all boxes are checked and then click Run Cleaner
The scan has started and, once complete, shows you the results.
Next click the Registry icon under Cleaner and then click Scan for Issues
Once again you need to reboot. Once you are back at the desktop, continue with this tutorial.

At this point I have no idea what kind of infection you have, and you possibly don't either, so without knowing what specific threat you have, there are a few programs to download that cover almost everything. All these programs are FREE; even if they refer to themselves as a trial, they are fully functional and only needed for a short period, unless you want to buy them, but that's up to you. The links below are directly from legitimate websites and should always be the most current version.

Hijackthis 2.02
Smitfraud Fix
Some infections will not allow certain programs to run. If this is your case, please inform me in the forum and then move on to the next program to download.
Press any key to continue after you have read the message
To run this tool it is recommended to run it in SAFE MODE. If you are unsure how to boot into SAFE MODE, follow the link:
How to boot into SAFE MODE
If you can't boot into SAFE MODE, then you will need to run this tool in Normal Mode. The only option you need to run is #2.
It will then prompt you about cleaning the registry; type in Y and press Enter. Your system may or may not reboot, so don't be worried if it shuts down suddenly. When it's finished, a log report will be generated. Save this log report, because you will need to post it on the forum when we are finished.
Vundo Fix
Most of the time, direct links to the downloads are not available, so that you always get the updated version.

Vundo Fix Installation
To start the Vundo Fix scanning process, click Scan for Vundo
Vundo Fix is now scanning your system. This might take a while, so be patient.
Results will be displayed. If you are infected, click Fix Vundo. I don't have a screenshot yet, since I'm not infected.
In MBAM, click the Settings Tab and check Terminate Internet Explorer during removal.
Select the drives you want to scan and click Start Scan
MBAM will now scan your system, which may take a while. If infections are found, they will show up next to Objects Infected. Then click Show Results and remove the infections.
ComboFix Download
You may hear a BEEP; disregard it, ComboFix initiated the BEEP. Select Yes.
Your screen may black out for a second and then go through the cleaning stages.
The scan has been completed. You will need to post the log into the forum when we are finished, so don't delete it. You can see the location of the log report above.
Trojan Remover
Make sure both boxes are checked and then click Finish
Click Update
If you want to buy this software you can do so at a later time. This is a fully functional trial program. Click Continue
Click Scan
For advanced scanning, click Utilities and then Reset Internet Explorer Home/Start/Search Page Settings
Click Yes
Click OK
Click OK
If errors were present, they have been fixed and reset. Otherwise no action will be taken, as you can see from my machine.
Click OK
SDFIX
I mainly suggest SDFIX when we are dealing with the ROOTKIT tdss (tdssserv, TDSSserv.SYS, Service_TDSSSERV.SYS, Legacy_TDSSSERV.SYS). Unless I tell you to run SDFIX, you don't need to run it. But if you are instructed to do so, then follow here for the time being: How to use SDFix
Now I know a lot of people have paid for their Antivirus subscription, which is a shame, especially if you use Norton or Symantec products and now McAfee. There are FREE alternatives out there that are 100% better. Why use a product that can only eliminate certain viruses but not spyware, malware, etc., only leaving you prone to such attacks? Wouldn't you feel much safer if you used a product that can cover you in all directions? If so, then you need to look into AVG. Take a look at Tech-Forums Top Rated Antivirus at Tech-Forums.net/pc and see for yourself. If you need to pay for software, then pay for AVG.

AVG 8 Download
I prefer not to install the AVG Security Bar; I'll leave it up to you if you decide to install it.
AVG is now installed. If your system is infected, AVG may be finding the infections right now. Always HEAL the infection. Make sure all features are up to date and Green as shown below.
To manually start a scan click Computer Scanner and then click on Change Scan Settings
Make sure all scan options are selected and then click Start Scan
We are now near the end of this tutorial. The next step is to launch Hijackthis. There should be an icon on your desktop like the one below. Double click the icon.
When it is completed it will automatically create a log file and pop up on the screen. This is the log you need to post in the forum along with the other two logs mentioned above.
Post your log here: http://www.tech-forums.net/pc/f70/ I will analyze your log and list the entries you need to remove. There is a 7 day window, meaning if you post your log, I reply with entries to remove and you don't get back to me within 7 days, the post will be removed. If you want it reopened, either PM me, OSIRIS, or start another post with a fresh Hijackthis log. When posting your log I need to see the COMPLETE LOGS of HIJACKTHIS 2.02 and COMBOFIX. This is what should be displayed at the top of each and every log. It shows me what version of Hijackthis you are using (just a side note: I will not analyze your log unless it is from the current version of Hijackthis, 2.0.2), what Service Pack of Windows you are on and what version of Internet Explorer you are using.
Also make sure there are no gaps in between entries like shown below. This makes it harder to read.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

They should all be one line each, as seen below.

So how do you remove these entries? Let's say I have selected the entry below for you to remove:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present

All you need to do is rescan using Hijackthis, scroll down to O6 and find the entry I posted. Put a checkmark in the box and click Fix Checked.
Hijackthis goes blank. Now rescan and the entry should be gone.
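Because a log posted with gaps or wrapped entries is hard to read, here is a small added example (not part of the original tutorial or of HijackThis itself) that normalizes a pasted log so every entry is exactly one line, reads the version from the header, and splits the R0/O6-style registry entries into key, value name and data. The sample log text is constructed for the example.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "R0 - ...", "O6 - ..."
VERSION_RE = re.compile(r"HijackThis v(\d+\.\d+\.\d+)", re.IGNORECASE)
REQUIRED_VERSION = "2.0.2"                                  # the only version analyzed on the forum

# Constructed sample log (not a real user's log): blank lines between entries
# and an O6 entry wrapped onto two lines, as forum posts often arrive.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:42 PM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =

O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\
restrictions present
"""

def normalize_log(text):
    """Return (header_lines, entries): gaps dropped, wrapped entries rejoined."""
    header, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                                   # gap between entries: drop it
        if ENTRY_RE.match(line):
            entries.append(line)                       # a new entry starts here
        elif entries:
            # continuation of a wrapped entry; a key that ended in "\" needs no space
            entries[-1] += ("" if entries[-1].endswith("\\") else " ") + line
        else:
            header.append(line)                        # still in the log header
    return header, entries

def log_version(header):
    """Version string from the header, or None if the header is missing."""
    for line in header:
        m = VERSION_RE.search(line)
        if m:
            return m.group(1)
    return None

def parse_registry_entry(entry):
    """Split 'Rn/On - hive\\key,name = data' into (type, key, name, data);
    name and data are None when the entry has no ',name = data' part."""
    kind, body = ENTRY_RE.match(entry).groups()
    if "," not in body:
        return kind, body.strip(), None, None
    key, rest = body.split(",", 1)
    name, _, data = rest.partition("=")
    return kind, key.strip(), name.strip(), data.strip()
```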
Now this doesn't work all the time. There will be some entries that can't be removed until we run some other programs. So now you have removed all entries using Hijackthis, scanned with all programs, etc., and I gave you the thumbs up on a clean system. What you need to do is double check to make sure you are not receiving any pop-ups, notifications, redirects, etc. The log will not show everything, so I need to depend on you to give me that info. So if you are clean from the log and you feel confident to perform the next step, then let's finish this up. You may have noticed when you launched Internet Explorer that you need to reconfigure some settings. Set the options as I did below, unless you want to use your own options. Then click Save Your Settings.
The default website is www.msn.com; you can change this to whatever you want. If you don't know how to change the Home Page Website, follow below: go back to Internet Options via Control Panel. Now type in the website address you want to be your default. I will use www.google.com
Next click Settings under Browsing History, set it as shown and then click OK
Then click Settings under Tabs, add a check mark where it reads Open Home page for new tabs instead of a blank page and click OK
Now close Internet Explorer and open it back up. You may need to click the Home Page button, which looks like a HOUSE
Put a check mark where it reads Don't show this page again and then click Close
Then press the Home Page button and the Home Page you set will be displayed.
Next we will configure Internet Explorers pop-up blocker. Go back to Internet Options, click the Privacy tab and then click Settings under Pop-up Blocker.
I usually set mine to Medium and uncheck the Notifications; then click Close
You may have noticed your time has switched to Military Time. This probably happened after one of the scans. This is a simple fix. Open Regional and Language Options
Click Customize and then click the Time tab. See where it reads Time Format; that needs to be changed to H:MM:SS:TT. This view is Military.
This view is Standard, which is what you are probably looking for.
Now click Apply, OK, and Apply and watch the time change. We have a few things left to do here. The most important is to run Windows Update. Make sure you are 110%, completely updated with all patches from Microsoft, including SP3 and IE7. Even if you don't use IE7, it is considered an update which fixes security issues, so download it at least and continue using whatever browser it is that you use.
Update Sites
Microsoft Update
Java Update
IE7 Pro
Firefox
Opera
Spyware Boot CD
This section is intended for severe infections, meaning you are unable to do anything at all on your system. There are several bootable CDs to try. Just pick one and see what happens. If it doesn't work, then try the next. Hopefully one will remove some of the infections to make your system usable. Download the Kaspersky Rescue Disk (Size 95.6MB). You will need a program to burn the .ISO file to CD. So download the file and then we will go through the steps to burn it to CD. Make sure you have some blank CDs.

Kaspersky Rescue Disk
Click Close
For this tutorial I will use Nero Burning ROM. Make sure you are on CD-ROM (ISO) > Multisession. Click Open
When you try to start the CD within Windows, this is what you will see below. In order for this to work you will need to reboot, press F12 and select Boot from CD drive.
When Kaspersky has finished booting from the CD, it will automatically start loading all the files needed. Then you will be at a GUI. All you need to do is make sure all boxes are checked and then click Start Scan. This may take a while to complete since it is running from a CD. If a threat is found when completed, click Fix it now. When finished, close the box and Kaspersky will exit and then shut down your system. Power it back up, remove the CD and see if you can now access your computer.

Avira Rescue CD
Click Save
Click Save
Click Close
Select your burning device, which is your CD burner. Make sure you have a blank CD-R in the CD burner and click Burn CD
When finished, reboot your computer and boot from the CD.
Avira
Rootkit UnHooker
Spyware Doctor