*Virus and Computer Cleanup Schedule*
By: Scotto
02 May 2014

This is a step by step article of methods you can use to perform a system cleanup.  The processes may differ per computer, some processes may be redundant, and others may not be required at all. It depends on the level of virus infection, the experience of the user performing the tasks, the amount of malware present, and even upon the operating system being used. This article will be a blanket resource to cover all possible scenarios.


Start computer normally and allow for full automatic boot action to come to a complete stop.  Allow all processes to run and for the computer to become immediately responsive to user input.

Write down a list of programs that present windows or dialog boxes immediately upon boot.

ctrl+alt+del for Task Manager.  Under the "processes" tab, click on "show processes from all users".  Write down the number of processes running, as well as the resting CPU usage.
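As an added example (not part of the original article), the following PowerShell script records the same baseline Task Manager gives you (process count, resting CPU, and each process with its executable path) to a text file, and compares it against the live system later in the cleanup. It assumes Windows PowerShell 3.0 or later on Vista/7 and an elevated console (needed to see the paths of other users' processes); the function names and the Desktop file name are my own choices.

```powershell
# Added example, not from the original article: capture a pre-cleanup baseline
# of running processes and resting CPU load, then compare against it later.
# Assumes Windows PowerShell 3.0+ and an elevated console.
function Save-CleanupBaseline {
    param([string]$Path = "$env:USERPROFILE\Desktop\cleanup-baseline.txt")

    # Resting CPU load as reported by WMI; take it after the desktop has settled
    $cpu   = (Get-CimInstance Win32_Processor | Measure-Object -Property LoadPercentage -Average).Average
    $procs = Get-Process | Sort-Object Name

    $lines = @(
        "Captured:        $(Get-Date -Format s)"
        "Process count:   $($procs.Count)"
        "Resting CPU %:   $cpu"
        ""
        "Name`tPID`tPath"
    )
    foreach ($p in $procs) {
        # Path is empty for protected/system processes when the console is not elevated
        $lines += "{0}`t{1}`t{2}" -f $p.Name, $p.Id, $p.Path
    }
    $lines | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Baseline written to $Path ($($procs.Count) processes, CPU $cpu%)"
}

function Compare-CleanupBaseline {
    param([string]$Path = "$env:USERPROFILE\Desktop\cleanup-baseline.txt")
    # Skip the 4 summary lines and the column header, then keep only the process names
    $before = Get-Content $Path | Select-Object -Skip 5 |
              ForEach-Object { ($_ -split "`t")[0] } | Sort-Object -Unique
    $now    = Get-Process | Select-Object -ExpandProperty Name | Sort-Object -Unique

    # '<=' means present at baseline but gone now; '=>' means new since baseline
    Compare-Object -ReferenceObject $before -DifferenceObject $now | ForEach-Object {
        $state = if ($_.SideIndicator -eq '<=') { 'gone since baseline' } else { 'new since baseline' }
        "{0,-30} {1}" -f $_.InputObject, $state
    }
}

# Run this now, before Safe Mode; run Compare-CleanupBaseline after each restart.
Save-CleanupBaseline
```

Processes that are "new since baseline" after the startup items have been disabled deserve the same scrutiny the article gives to windows that still appear on boot.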

Restart the machine.  Allow the brand logo to disappear from the screen before pressing F8 repeatedly until the option to start in Safe Mode appears.  Windows 8 users, see note* below.  Depending on the level of infection, safe mode with command prompt may be required.  If this is necessary, see note** below.

Within safe mode, go to "start", "run", and type "msconfig".  In the box that comes up, click on the "startup" tab.  For now, disable everything.  Leave nothing running.  Click on the "Services" tab. Check the box to "hide all Microsoft Services", and then "disable all" of the remaining services.  Leave nothing running.  Apply and OK to close msconfig.  A message may appear saying that you do not have Administrator privileges to make these changes.  This is irrelevant and will not affect this task.

Restart the machine in normal mode.  All windows and dialog boxes from startup programs should now be de-activated.  Any still running are likely to be malicious or viral.  Attempt to end those processes in the normal fashion, or by ending each task individually within Task Manager. (ctrl+alt+del)

Make sure the computer is disconnected from the internet.

Click on Start, and for Vista and Windows 7 machines, type in "Programs and Features". XP users will go to Control Panel and click on "Add/Remove Programs".  From the list, remove things which are known to be problematic.  The level of success in determining potentially harmful software in this list can only come from experience, but a level of common sense can be used to remove a good deal of junk.  Remove all toolbars.  Remove all anti-virus programs.  Remove software for hardware which is no longer used, such as old printers.  Remove anything that promises to speed up, clean, fix, boost, turbo, or otherwise modify the computer or its registry.  Examples include Uniblue Registry Booster, PCfixSPEED, MEMturbo, SpeedupmyPC, etc.  Less experienced users may wish to write down these program and publisher names, as these programs are likely to leave directories which will need to be removed manually in a later task.  When a program is removed, it will likely open a browser window to express its sorrow at seeing you go. These pages likely contain links to malware, which is why you are disconnected from the internet.  Close these pages immediately as they appear (some pop up in the background), as they will prevent further action until they are closed.  Decline every offer to restart the computer when a piece of software is removed; that would add unnecessary time to this process.  Pay close attention: some things (Norton) present very small buttons to "restart later".  When this list is cleaned of unnecessary programs, restart the computer into normal mode.
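As an added example (not part of the original article), this PowerShell script reads the same registry locations Programs and Features draws its list from, and flags names matching the article's "toolbar / speed up / clean / fix / boost / turbo / registry" pattern so they can be reviewed first. It is read-only and removes nothing; the keyword list and the CSV file name are my own choices, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article: list installed programs from the
# Uninstall registry keys and flag names that look like the junk the article
# describes. Read-only; uninstall through Programs and Features as usual.
function Get-InstalledProgramsForReview {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )
    # Keyword heuristic taken from the article's description of junk software
    $junkPattern = 'toolbar|speed\s*up|clean|fix|boost|turbo|optimi[sz]|registry'

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [PSCustomObject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                Suspicious  = [bool]($_.DisplayName -match $junkPattern)
                Uninstall   = $_.UninstallString   # what Programs and Features would run
            }
        } |
        Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Name
}

$programs = Get-InstalledProgramsForReview
$programs | Format-Table Name, Publisher, Suspicious -AutoSize
# Keep the full list: it is the record of publisher names the article says to write down,
# used later to find directories the uninstallers leave behind.
$programs | Export-Csv -Path "$env:USERPROFILE\Desktop\installed-programs.csv" -NoTypeInformation
```

The keyword match is deliberately broad (it will catch names such as "Disk Cleanup" or "Hotfix"), so treat a True in the Suspicious column as "look at this first", not as a verdict.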

The removal of programs and applications manually by deleting individual directories is not typically advised.  However, in some cases it may be necessary to completely remove potentially harmful viruses and malware from a computer.  To begin, re-run msconfig and look at some of the things which were running.  Expand the "command" field under the "startup" tab to discover the locations of some of these things.  Anything that appears to be random alphanumerics, for example "adsg8uasdg74.exe", is likely a virus.  Make note of these locations.  To view hidden folders, in XP, open "My Computer" and click on "Tools" and "Folder options." In the "View" tab, "show hidden files and folders." In Vista/7, click on Start and type "folder options".  In the "view" tab, "Show hidden files and folders."
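As an added example (not part of the original article), this PowerShell script enumerates the same startup entries msconfig's "startup" tab shows (the Run keys and the Startup folders), pulls the executable path out of each command line, and flags entries whose file name looks like random alphanumerics or which launch from a user-profile or Temp location. It is read-only; disabling is still done in msconfig as the article describes. The naming heuristic and the function names are my own, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article: list startup commands and flag
# the ones the article's "random alphanumerics" rule of thumb would point at.
function Test-RandomLookingName {
    param([string]$BaseName)
    # Heuristic only: at least 8 characters, two or more digits mixed with letters,
    # and few vowels (a human-chosen name such as "adsg8uasdg74" rarely looks like this)
    if ($BaseName.Length -lt 8) { return $false }
    $digits     = ([regex]::Matches($BaseName, '\d')).Count
    $hasLetters = $BaseName -match '[a-z]'
    $vowelRatio = ([regex]::Matches($BaseName, '[aeiou]')).Count / $BaseName.Length
    return [bool]($digits -ge 2 -and $hasLetters -and $vowelRatio -lt 0.3)
}

function Get-StartupEntriesForReview {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = [string]$_.Command
        if (-not $cmd) { return }
        # Executable is either the quoted path or the first token of the command line
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^\s*(\S+)') { $Matches[1] }
               else { $cmd }
        $exe  = [Environment]::ExpandEnvironmentVariables($exe)
        $base = [IO.Path]::GetFileNameWithoutExtension($exe)
        [PSCustomObject]@{
            Name       = $_.Name
            Location   = $_.Location   # registry key or Startup folder the entry lives in
            User       = $_.User
            Executable = $exe
            Exists     = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            RandomName = Test-RandomLookingName $base
            # Launching from AppData / Local Settings / Temp is the other sign the article gives
            UserArea   = [bool]($exe -match '\\(AppData|Application Data|Local Settings|Temp)\\')
        }
    }
}

Get-StartupEntriesForReview |
    Sort-Object RandomName, UserArea -Descending |
    Format-Table Name, Executable, Exists, RandomName, UserArea -Wrap
```

Entries with Exists = False whose executable is given as a bare file name (for example a rundll32 command) simply were not resolved against PATH; check those by hand rather than assuming they are stale.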

The best way to search out junk is to start at the root directory and visit each of the directories where junk is likely to be found. Again, experience is the best teacher. Start with Program Files, Program Files (x86), and ProgramData, if present.  Within each of these, look for either the name of the software or the name of the publisher, and delete directories as they become uncovered.  For example, if Norton has already been deleted, remove all folders containing the names "Norton" or "Symantec".  Within Program Files and Program Files (x86), also visit the "common files" directory, and remove junk from there as well.  Going back "up" or "back" to the root directory, click on "Users" in Vista/7 or "Documents and Settings" for XP users.  This folder contains directories for each of the users, guests, administrators, and default accounts for this computer.  Often present are "ghost" accounts for programs which may need administrator access over the network, such as Quickbooks or other 3rd party server/client software. Delete nothing from the "Users" folder, but visit each one, focusing primarily upon "Local Settings" and "Application Data" for junk.  Any executable programs/applications found in Local Settings or Application Data (sometimes simply "appdata") directories are typically viruses, and may or may not be named with random alphanumerics.  Some examples include adsg8uasdg74.exe, Avir.exe, AV2013.exe, etc.  No legitimate executable exists in either of these directories.  Follow each of the "local", "locallow" and "roaming" directories, as well.  It is not typically necessary to go too deeply into the system beyond these directories to find the more common problems. Clear out the "Temp" folders, as well as the "downloads" directories found either within the "user", "Documents and settings", or "Documents" folders.
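As an added example (not part of the original article), this PowerShell script walks the profile directories the article names (AppData on Vista/7, Local Settings and Application Data on XP, plus Downloads and the Windows Temp folder) and lists every executable found there with its size, last-modified time, SHA-256 and Authenticode signer, so each file can be looked at before anything is deleted. It is read-only. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated console so other users' profiles can be read; the function name and CSV file name are my own choices.

```powershell
# Added example, not from the original article: inventory executables in the
# per-user and Temp locations the article treats as suspect. Nothing is deleted.
function Get-ProfileExecutablesForReview {
    # Vista/7 layout (Users\<name>) and XP layout (Documents and Settings\<name>)
    $profileRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings") |
        Where-Object { Test-Path -LiteralPath $_ }

    $targets = @(foreach ($root in $profileRoots) {
        foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue) {
            # Prefer the real AppData tree; the XP-style names are junctions on Vista/7
            $subDirs = if (Test-Path -LiteralPath (Join-Path $profile.FullName 'AppData')) {
                           @('AppData', 'Downloads')
                       } else {
                           @('Local Settings', 'Application Data')
                       }
            foreach ($sub in $subDirs) {
                $p = Join-Path $profile.FullName $sub
                if (Test-Path -LiteralPath $p) { $p }
            }
        }
    })
    $targets += @("$env:SystemRoot\Temp" | Where-Object { Test-Path -LiteralPath $_ })
    if (-not $targets) { return }

    Get-ChildItem -LiteralPath $targets -Recurse -Force -Include *.exe, *.scr, *.com -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                SizeKB    = [int]($_.Length / 1KB)
                Modified  = $_.LastWriteTime
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$review = Get-ProfileExecutablesForReview
$review | Sort-Object Signature, Path | Format-Table Path, SizeKB, Signature, Signer -Wrap
# Keep the hashes: they let a second opinion be taken on any file before it is removed
$review | Export-Csv -Path "$env:USERPROFILE\Desktop\profile-executables.csv" -NoTypeInformation
```

Unsigned files with a recent Modified time sort to the top of the list; a valid signature from a recognisable publisher is a point in a file's favour, but the article's advice to rely on experience still applies when deciding what to remove.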

Once these executables/directories are deleted, restart the computer.  There should now be NONE of the former popups, windows or dialog boxes appearing on startup.  If some still exist, or to further clean the startup procedure, download the following and follow the on-site directions for use:  autoruns

Restart the computer.

For Vista and Windows 7 machines, click on Start and search for "internet options".  Within internet options, click on the "advanced" tab, and click the "reset" button to reset Internet Explorer settings.  With the internet disconnected, run Internet Explorer and not any other browser at this time.  Make certain the address bar contains the Microsoft default home page, likely http://www.msn.com  or similar. If not, there is a homepage hijack program still active, which may present an alternate homepage, likely a google-like search site.  If the Microsoft default homepage address is in the address bar,  connect to the internet and download and run each of the following, in this order:
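As an added example (not part of the original article), this PowerShell script reads the Internet Explorer home page values from the registry for the current user and the machine, and flags any URL whose host is not one of the Microsoft/MSN hosts the article treats as the default, which is a quick check for a lingering homepage hijack without opening a browser. It is read-only; the reset is still done with the "reset" button as described. The list of accepted hosts and the function name are my own choices, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article: check the IE home page settings
# and flag anything that does not point at the Microsoft default.
function Get-IEHomepageStatus {
    $checks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Default_Page_URL' },
        @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
        @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Name = 'Default_Page_URL' }
    )
    # Hosts accepted as "http://www.msn.com or similar" (my assumption, adjust as needed)
    $expectedHosts = '(^|\.)(msn\.com|microsoft\.com|bing\.com|live\.com)$'

    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if (-not $value) { continue }
        # Some hijackers stuff several URLs into one value, separated by ';' or newlines
        foreach ($url in ($value -split '[;\r\n]+' | Where-Object { $_ })) {
            $url = $url.Trim()
            $uri = $null
            $hostName = if ([Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { '' }
            [PSCustomObject]@{
                Key     = $c.Key
                Name    = $c.Name
                Url     = $url
                Default = [bool]($hostName -match $expectedHosts)
            }
        }
    }
}

Get-IEHomepageStatus | Format-Table Name, Url, Default -AutoSize
```

A Default = False row after the reset means something is still rewriting the home page, and the startup and profile-directory steps above need another pass before reconnecting to the internet.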

The computer should now be free from most problems, though there are countless alternate methods and possibilities for removing stray bits and pieces of viruses, or incorrect registry settings caused by malware.  This guide should serve for cleaning and speeding up most computers.

Note* Windows 8 made Safe Mode very difficult to access.  Continue in normal mode unless absolutely required to enter Safe Mode.

Note ** When "Safe mode with command prompt" is entered, users will be presented with a command prompt.  "msconfig", "Taskmgr", "combofix" and "explorer" can all be run from this console.  It is not necessary to run explorer, if it has been infected by a rootkit or the launching of explorer prompts other malware to load alongside.

Scotto


This Article Was Proudly Formatted For The AlphaRubicon Website By: Coffeehound

www.alpharubicon.com
All materials at this site not otherwise credited are Copyright © 1996 - 2014 Trip Williams. All rights reserved. May be reproduced for personal use only. Use of any material contained herein is subject to stated terms or written permission.