If you get some kind of mass mailer or DDoS virus and it's flooding you off the interwebnet, this is the manual procedure I use to clean up an infested system. I hate waiting for the apps to do the scan (especially Norton).
The following applies mostly to Win2k and WinXP. You can use parts of this to fix WinME and Win98. ME is just a pain though.
First of all, go disable your System Restore; viruses love to hide there. (Right-click on My Computer, go to Properties, then the System Restore tab.)
Download the following software, install it, and update all of it as well.
Adaware
CCleaner @ www.ccleaner.com
Spybot Search and Destroy
Beta MS AntiSpyware tool from www.microsoft.com
If you don't have anti-virus you can get one from www.grisoft.com (AVG7 Free). It's really quite good.
Reboot into Safe mode:
1. Make sure you unhide all system folders and files.
2. Go into (X = your drive) X:\Documents and Settings\%User%\Local Settings\Temp (delete all files).
3. Go into (X = your drive) X:\Documents and Settings\%User%\Local Settings\Temporary Internet Files\Content.ie5 (delete all files). I forgot this one; The Brophyte reminded me. Note: you will not see this dir if you're logged on to your own profile; if you're cleaning another user's profile using your own account, you will see it.
Note: I suggest that you perform this on each user; viruses like to spread to all temp dirs on every user. If you can't see your own Temp or Temporary Internet Files folder, type the folder name into the address bar, or log on as another user. Or create a temp account just to clean your system.
4. Go to X:\windows\prefetch (delete all files in here).
5. Go to X:\WINDOWS\system32\config\systemprofile\Local Settings\Temp (delete all files).
6. Go to X:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.ie5 (delete all files).
7. Go to Start -> Run -> msconfig (hit OK), then go to the Startup tab. See what programs are starting; the Location column will tell you where each one is. DO NOT disable anything from here.
Common Startup = the Startup folder on your Programs list (some viruses like to make themselves invisible, so use Explorer to go to that folder). Delete anything you don't need.
HKLM = Hkey Local Machine
HKLU = Hkey Local User
To access these, go to Start -> Run -> regedit (hit OK).
Go to Hkey Local Machine\Software\Microsoft\Windows\Run (delete anything you don't need; if you don't know what something is you might need to Google it, or the path will tell you where it's located).
Also check RunOnce, RunService, and RunOnceService if they exist.
Do the same for Hkey Local User\Software\Microsoft\Windows\Run.
You can now close msconfig. Hit Cancel, not OK, otherwise it will recreate all your registry settings.
8. Check your hosts file in X:\WINDOWS\system32\drivers\etc. You can open it with Notepad; check whether you have entries like 127.0.0.1 www.google.com etc. (remove them if you have any). Spybot will add a bunch of entries later to block certain websites, but before that you can straight out delete this file (back it up first if you're unsure); Windows generates this file automatically.
9. Run Adaware.
10. Run Spybot.
11. Run CCleaner.
12. Run MS AntiSpyware (if you can in Safe Mode).
13. Reboot into normal mode, then run anti-virus.
14. Optional: turn your System Restore on again. (I don't ever use this because viruses always hide there, and anti-virus scanners and Adaware-type programs have no access to that dir, so they are very hard to remove.)
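As an added example (not part of the original post), here is a small Python script that does the step 8 hosts-file check for you: it parses a constructed sample hosts file and flags any entry that points a watch-listed vendor or update hostname somewhere it shouldn't go, while leaving the normal localhost line and Spybot-style ad-block entries alone. The watchlist and the sample lines are my own assumptions, not from the post.

```python
import ipaddress

# Constructed sample hosts file: the normal loopback line, a Spybot-style
# ad-blocking line, and two hijack entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test   # Spybot-style block entry
127.0.0.1       www.google.com
203.0.113.5     windowsupdate.microsoft.com update.grisoft.com
"""

# Constructed watchlist: hostnames a local hosts file should never redirect
# (the update/vendor sites a mass mailer typically tries to cut you off from).
PROTECTED = {"www.google.com", "windowsupdate.microsoft.com",
             "update.grisoft.com", "free.grisoft.com", "www.symantec.com"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()                   # tabs or spaces both work
        ip, names = parts[0], parts[1:]
        for name in names:                     # one line may list many names
            yield ip, name.lower(), line_no

def find_hijacks(text, protected=PROTECTED):
    """Return (line_no, hostname, ip, kind) for every protected name found.

    A protected name mapped to loopback/0.0.0.0 is a 'block' hijack (site is
    unreachable); mapped to anything else it is a 'redirect' hijack (traffic
    goes to a third party). Unparseable addresses are reported as 'malformed'.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name not in protected:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "malformed"))
            continue
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append((line_no, name, ip, kind))
    return findings

if __name__ == "__main__":
    for line_no, name, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

To check a real machine, pass the contents of X:\WINDOWS\system32\drivers\etc\hosts to find_hijacks instead of the sample, and extend PROTECTED with whatever vendor sites you rely on.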