12 Step Spyware Virus Removal Procedure

Prevention 12 Step Virus Removal Desktop Hijack Malware Removal «ø»

12 Step Removal Procedure - updated 2008

This step by step procedure evolved from combining several separate removal methods for spyware, trojans and viruses. While all of these steps are not required for each case, they should be beneficial to all. In general, these steps should work on all versions of Windows XP, but some may not apply to older operating systems like Windows 98.

Part 1 - Prepare Infected Computer for Cleaning
        Step 1 : Disable System Restore temporarily
        Step 2 : Check for hard to remove Hijacks
        Step 3 : Enable viewing of Hidden Files, Folders and Extensions
Part 2 - Download FREE Cleaning and Removal Programs
        Step 4 : Configure main Anti-Virus scanning program
        Step 5 : Downloading FREE Tools
Part 3 - Malware Scanning and Cleaning Procedure
        Step 6 : Virus And Trojan Scanning
        Step 7 : Safe Mode Clean Your Hard Drive
        Step 8 : Safe Mode Main Spyware Virus Scan And Removal
        Step 9 : Safe Mode Secondary Spyware Scan And Removal
Part 4 - Keeping your Computer Safe and Secure
        Step 10 : Windows Update
        Step 11 : Remove the insecure Microsoft Virtual Java Machine browser plugin
        Step 12 : Install Sun Java browser plugin
Part 5 - Completion of the 12 Step Removal Procedure

PART 1 - Prepare Infected Computer for Cleaning

STEP 1 Disable System Restore temporarily (WinXP only) if you are infected; Any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your antivirus tools can not access it to delete files, trapping viruses inside.

STEP 2 Check for hard to remove Hijacks: Network Security Service, Workstation Netlogon Service & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT);
Only do this step if you have the about:blank or home search hijack.
You need to check to see if any of the following three Windows services are running:

• Network Security Service
• Workstation Netlogon Service
• Remote Procedure Call (RPC) Helper

To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up look for exactly the following service names (no others) "Network Security Service" or " Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". (NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker). You could have more than one of the 3 mentioned bad services, so look for all of them. If you find these services, you must right click on it to bring up the service Properties window and do the following.

If you do not find these exact services, do not worry and just skip this step.
DO NOT DISABLE anything unless the EXACT wording of the service is MATCHED.

Step 1: Stop the service by click the Stop button.
Step 2: Now, disable it by changing the Startup type to Disabled and click Apply.

STEP 3 Enable viewing of Hidden Files, Folders and Extensions: Some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually c:\. Then select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check show hidden files and folders. Also, right below this option, uncheck the hide file extensions for known types. Also for Win NT, 2000, & XP systems, uncheck the Hide protected operating system files (recommended) option. Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making manually finding it, if needed, difficult to impossible.

PART 2 - Download FREE Cleaning and Removal Programs

STEP 4 Configure main Anti-Virus scanning program: If you do have several Anti-Virus programs (McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky) installed make sure only one is set to Auto-Protect mode, this prevents multiple scanners loading when the PC is Started/powered-on causing then to scan each other and possibly detecting a false virus positive in the other Auto-Protect Anti-Virus program resulting in high processor loads as one program attempts to clean-out the other "good" scanner.
If you do not have an Anti-Virus Program installed currently download then install and set Auto-Protect feature on the Free AVG Anti-Virus Program.

AVG Anti-Virus, Free Edition 8.0 .......Install, click Check for Updates now and get any updates, then exit. Do the complete system scan in Safe-Mode. Its extremely important after downloading and installing any of these cleaning tools to only UPDATE that tools virus definitions file then close the cleaning tool and exit that program. This prevents any virus or trojan from infecting or disabling the tool before booting into Safe-Mode where all the scans will be performed. (see Steps below)


STEP 5 Downloading FREE Tools: Download the following tools and save in your favorite download folder or create new one. Then install, update, and configure as indicated below. While this may seem like overkill, there currently is no one perfect removal tool. Because of this, to properly find and fix your problem, you need to try a variety of programs.

TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your C:\ folder and create a right click on a blank spot in the window > choose New > Folder. Name this folder SpywareTools. Now you can save the tools you will be downloading to this folder and if you prefer, create sub-folders named for each individual utility.

Ad-Aware 2007 7.0.2.6 .......Install, click Check for Updates now and get any updates, then exit.

CCleaner v2.05 .............optional tool see STEP 7 below. otherwise install only, then exit.

Spybot 1.5.2 ................Install, do the search for updates now and get any updates and then exit. Do not use the TeaTimer function. It can be a resource hog and also makes removal of certain problems more difficult.

SpywareBlaster 4.0 ...Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites.

McAfee AVERT Stinger 3.8.0 .....No installation required! Ready to run as is. Save to folder, do not click file until in Safe-Mode.

Trend Micro CWShredder 2.19 ......No installation required! Just unzip it to a folder. Wait to run in Safe-Mode.

Your system is now ready to be properly scanned for Spyware, Trojans and Viruses.

PART 3 - Malware Scanning and Cleaning Procedure

STEP 6 Virus And Trojan Scanning

a) Windows 95, 98, 98SE, NT, ME, 2000, XP users boot Normal Mode.

NOTE: To run Online Scanners, you must use Internet Explorer.
• Perform an Online Scan running Windows in Normal Mode with your Firewall running using any of the major Anti-Virus websites, some scanners require your personal information (you can always use random info). Online Scans are useful as secondary tests to verify a PC is clean without buying or installing another complete program along side your main Anti-Virus Security. Example Online Scans are: Trend Micro,    Trend Micro's Java Scan for non-IE browsers,    Bitdefender,    Norton/Symantec,    Panda . . .
  • start by clicking Scan your PC
  • in new window select type of scan, allow ActiveX Control to begin session
  • input survey info if prompted, then begin Scan
  • depending on scanner it will either scan while online or download 1-3meg program which you must click to start the scan locally which no longer uses the internet.
  • once finished view then save Report
  • if Malware is detected the scanner may offer to clean/remove threat, or you will have to search for the matching removal tool to clean the named-threat and repair damaged files. In either case Online Scans are a great tool to verify the PC is clean.


b) Boot to "Safe Mode" (and remain in there)

then click and run McAfee AVERT Stinger

How to boot in safe mode: To boot into safe mode, restart your computer and press F8 key rapidly (after first black and white screen, but before the Windows logo screen) until you get to a black and white screen asking you what to do. Depending on your system BIOS you may see 2 menus. If you are asked which storage device to start select your main hard drive then immediately press F8, the Boot menu should now appear.


• Select the first option, to run Windows in Safe Mode. Do not select Safe-Mode with Network Support.

Booting in safe mode is important because it disables most drivers and startup programs.
If you have a problem trying to run these scans in Safe Mode, do them later in Normal Mode. Some free scanners won't run in Safe-Mode and display an error, skip to the next tool or step.

Important Note Before continuing with scans:
To provide the greatest ability for the scanners to properly detect and remove all forms of malware, make sure to close any other applications that are running on your system especially browsers before you run these tools. So disconnect from the internet now (unplug LAN cable or disable wireless connectivity)and close all browsers and any other applications you have running now and then continue with Step 7 below.

STEP 7 Safe Mode Clean Your Hard Drive: Remove temporary internet and other files not needed with CCleaner.
Run CCleaner with the default options to clean out temporary files. Optionally, check the clean "Delete Index.dat" checkbox. Only use the Windows tab and select Run Cleaner. Do not run any other options from other tabs.
CCleaner is a powerful file deleteing program which can delete many parts of Windows seldom used but still needed in the future. If you have never used CCleaner before and don't want to risk deleteing by accident all your desktop icons or seldom used Windows applications use this alternate method:

Instead of downloading and running CCleaner use Windows Disk Cleanup utility in the System Tools menu. Only the following 3-Temp-Folders need to be emptied: Temporary Files, Temporary Internet Files, and Recycle Bin.

STEP 8 Safe Mode Main Spyware Virus Scan And Removal:
Start the first FULL/COMPLETE scan using your main Antivirus applications like McAfee, Norton/Symantec, AVG, Avast, AntiVir, Kaspersky, etc. These programs generally scan only for Viruses anything left over will be caught by the other tools below.

Scan your machine with Ad-Aware and then Spybot. Do NOT use the Immunize feature in Spybot, it can damage the IE browser's blacklist (this bug is detailed here )

STEP 9 Safe Mode Secondary Spyware Scan And Removal:
Run the other programs you downloaded; CWShredder (make sure you select Fix)


Normal Mode: requires you Reboot back to Normal Startup Mode.

Regardless if your system seems virus free or not rerun the main Scanning Programs.

• Ad-Aware (deep scan)
• Main Anti-Virus program (McAfee, Norton/Symantec, AVG, Avast, AntiVir, Kaspersky)
• Run 2 of the Online Anti-Virus scanners

OPTIONAL : Scan With Hijack This; If you have gotten this far without success in completely cleaning your PC, you may need to download an advanced user utility program.
Hijack This! ........the hijackers detector and remover utility for advanced users.
Novice users are suggested to read the HiJackThis tutorial to better understand the program reports and identify how malware/spyware/virus is starting up on your system. Optionally you can paste your LOGfile into an online analyzer: Hijack This Analysis does a fair job of figuring out many potential problems for you. Simply paste your LOGfile there and click analyze.
If your LOGfile has many suspicious entries you may want to save or print a copy for future reference. Always perform a Google Search on flagged entires using the end file name either .DLL or .EXE to see if they are known malware entries or safe system processes. Never use the Free Scan/Removal tools found on pages while Google Searching the suspected filenames, just note if they are known threats or safe processes. Rerun your Anti-Virus and Spyware tools for cleaning. If unsuccessful use Norton/Symantec's Removal Tool webpage and download a specialized utility or procedure for these harder to clean threats.

Alternative Scans - If still having problems

If you are still having problems after performing all the above, these alternative scans below may prove to be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the ability to remove an infection. However, there are cases where a problem does not show itself completely until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what these scans find (save logs or take notes), and report them back in your thread to anyone helping you.

TrojanScan online scan

ADS SPY - Alternate Data Streams Spy from Merijn

Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!
You should consult with an expert before deleting any files with this tool.

PART 4 - Keeping your Computer Safe and Secure

STEP 10 Windows Update: Update Windows at Microsoft Windows Update. Just click on Start, then Windows Update. Many security loopholes are found and exploited and Microsoft patches for these. Millions of people were affected by the Blaster worm because they were not up to date, as an example. If you're not up to date, you're at risk. You can setup automatic updates in your control panel; go to Start, Settings, Control panel.

Verify Windows XP has Service Pack 2 or 3 installed from Windows Update. Service Pack 2 provides a free security Firewall program and should be active by default. To check this, go to 'start\control panel\windows firewall' and ensure that the Firewall is set to the 'on (recommended)' position. The 'Windows Firewall' icon in control panel is only available to Service Pack 2 users. Visit our MyXpSecurity website for more Security recommendations.

Enable the Free Windows Firewall or another third party Firewall such as ZoneAlarm while your computer is connected to the internet. This stops hackers and will block most non-requested data from entering your system. For extra high security its recommended to purchase and connect a $50 hardware Router if your using a high-speed Cable or DSL modem. This small box connects between your high-speed modem and your PC providing a hardware Fireware to prevent Hackers from finding your computer. The Router also provides 4-6 LAN ports for other computers in your home to access the internet creating a local network. See our MyXpNetwork website for Home Network details.

STEP 11 Remove the insecure Microsoft Virtual Java Machine browser plugin which translates embedded <applet></applet> webpage code. Java enables playing some online games, chatting, webcam viewing, online accounting, and more. These applications, written in the Java programming language and accessible from your browser, are called "applets". This is the default Java plugin Microsoft includes in Win95,98,98se,ME,2000 and XP. Microsoft does provide limited updates for MSJVM using Windows Update but no longer supports installing the MSJVM application. MSJVM has minimal security featues to prevent Spyware and browser Hijacks from installing by malicious webpage coding. To improve Internet Browser Security it's recommended to remove Microsoft Java Virtual Machine browser plugin and install a Free third party High-Security Featured plugin such as Sun Java.

Restore IE's ability to run Java applets.

ISSUE 1: If your PC is still using running the insecure Microsoft Virtual Java Machine browser plugin (MSJVM) proceed to Method 1 or 2 below for the correct uninstall procedure.
ISSUE 2: If you've previously run the Microsoft MSJVM v1.0a Removal Tool and need to restore IE's ability to run applets:
• manually delete this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
This is the registry key which directs Internet Explorer to the Java installation on your system but is not removed by the MSJVM v1.0a Removal Tool or overwritten by the SUN Java if it is already present. However if it is removed manually before installing the SUN Java then the SUN installer adds the correct key for the SUN Java installation and all is well.
ISSUE 3: If the third party SUN Java is already installed, applets may not load. An "Install on Demand" dialog may appear asking you to install Microsoft's virtual machine. (Of course, when you click on the install button, it transports you to a webpage saying the Virtual Machine is no longer available.)


Do the following to solve this issue:
1. open Control Panel
2. open Java
3. click the Advanced tab
4. click the + next to "<applet> tag support"
5. uncheck "Internet Explorer"
6. click the Apply button
7. make sure all browers are closed
8. check "Internet Explorer"
9. click the Apply button again to reset this setting

Method 1 - automatic removal of Microsoft Virtual Java Machine

1. Download and run the Microsoft's original MSJVM v1.0a Removal Tool
   
2. Save to empty folder then double click the UNMSJVM.EXE selfextracting secure-file from Microsoft, accept the license then select the same folder to extract the tool
3. then double click and RUN the tool. All older operating systems Win95,98,98se,ME,2000 or XP should run this MSJava VM Removal Tool.
4. Find and Delete this troublesome Registry subkey which the MSJVM Removal Tool missed:
   Note: Using REGEDIT incorrectly will damage your system preventing it from restarting.
   Select Start > Run then type the command: REGEDIT , maximize the Registry Editor window and using the mouse navigate your way to the indicated registry subkey location. If an exact match is found click to hi-lite subkey entry then right-click the subkey and select EXPORT to make a backup copy (which you can restore later by double clicking to merge if needed), reselect subkey then press DELETE key on keyboard.
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
5. From the FILE menu at top select EXIT which will save and close the Registry Editor.
6. Reboot the computer then install 3rd party Java client application.

Method 2 - manual removal of Microsoft Virtual Java Machine
To remove MS Virtual Machine manually follow these steps.

1. Select Start > Run then type the command(without quotes): " RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall " in the Open box, and click ok.
2. Click Yes to confirm that you want to remove the Microsoft VM
3. When prompted, reboot the computer
4. Find and Delete the following items:
   (Any files or registry entries not found or errors can be ignored and go to the next step)
• The C:\WINDOWS\JAVA folder
• The file JAVA.PNF from the C:\WINDOWS\INF folder
• The files JVIEW.EXE and WJVIEW.EXE from the C:\WINDOWS\SYSTEM32 folder
5. Find and Delete the following Registry subkeys:
   Note: Using REGEDIT incorrectly will damage your system preventing it from restarting.
   Select Start > Run then type the command: REGEDIT , maximize the Registry Editor window and using the mouse start to navigate your way to the indicated registry subkey locations. If an exact match is found click to hi-lite subkey entry then right-click the subkey and select EXPORT to make a backup copy (which you can restore later by double clicking to merge if needed), reselect subkey then press DELETE key on keyboard. From the FILE menu at top select EXIT which will save and close the Registry Editor.
• HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Java VM
• HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ InternetExplorer \ AdvancedOptions \ JAVA_VM
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
6. Reboot the computer then install 3rd party Java client application.

STEP 12 Install Sun Java browser plugin: Download and install the third party Java browser plugin application here: http://java.com/en/ TIP: Verify there isn't more than one version of Sun Java application installed using Add & Remove Programs. Uninstall all prior versions before installed latest version to improve Java application performance.

      

Optionally, consider replacing your Microsoft web browser with a free alternative like FireFox or a shareware browser like Opera, for example. These are not as prone to Microsoft targeted browser malware and use less resources for improved performance on slower systems and faster browsing for dialup users.

PART 5 - Completion of the 12 Step Removal Procedure

Once you have double and triple checked your system and its programs to verify it's clean of all Virus and Spyware and operating normally we recommend doing the following:

• Enable your XP or ME System Restore if disabled in Part 1.
• Run any regular Backup utilities and mark as Virus Free.
• Run Windows Update for any updates to damaged modules.
• Write down the date and time Cleaning Procedure started and Completed.
• Open Regedit and select My Computer at top of tree, select Export from the File menu and select a Folder and File name (eg:backup09) to save an emergecy backup copy of your spyware/virus clean registry.
• Along with regular monthly computer maintenance run Windows Disk Cleanup in Step 7 then perform complete Anti-virus and Anti-Spyware scans in normal mode before doing Disk Defragmentations.

«ø» WindowsXP Wisdom WindowsXP Security Virus Removal Home Networks «ø»
® 2007 2008