• When you uninstall something or apply an update that tells you to restart/reboot, you do not have to unless it appears to be affecting your ability to uninstall something else.
  • While installing Flash and other things watch out for any toolbars or other unwanted add-ins.  Do not install them.
  • When downloading files and tools download them to the user's “Downloads” folder or on XP “My Documents\Downloads”.  Then move them to your personal Tech folder elsewhere.  If you download them to your own folder, 12 months later when you work on the computer you will find that the user has been downloading stuff to your folder and it is full of their crap because they did not know to change the folder and they could not find the stuff after they downloaded it.
 
  1. Turn Off UAC (User Account Control).
    • If this is Vista or Win7 turn off UAC from the “User Accounts” in the “Control Panel”.  At the bottom select “Change User Account Control settings” and set it to “Never Notify”.
  2. Install remote control access.
    • We use LogMeIn.  Also, TeamViewer is very good.
  3. Disable or uninstall any virus scanners running on the computer.
    • Some virus scanners will interfere with or disable the tools used to take out the more aggressive root kits.  We cannot give you directions on how to disable them because it is different for different scanners.  You can always uninstall them from the “Programs and Features” or “Add Remove Programs” area of your “Control Panel”.  Many virus shields can be disabled by right clicking on their system tray icon (by the clock in the lower right corner).
  4. Boot into safe mode with networking support.
    • If you are in front of the computer then….  Turn off your computer.  Turn it back on and while booting at the POST screen (first screen that shows up) press the F8 key every half second until you see the Safe Mode screen (Menu).  If you see Windows loading you did it wrong or the keyboard is not working properly.
    • At the Safe Mode Screen choose “Safe Mode with Networking” with your arrow keys on the keyboard and hit enter.  If you get prompted to Choose an Operating System hit Enter again.
    • If you are working through remote control: use your remote control program to boot into safe mode.  On LogMeIn it is under “Preferences” -> “Advanced” -> [View Reboot Options] > “Safe-mode Reboot”.
    • After choosing the safe mode with networking support menu option if you see another option asking you what operating system to boot to, you should simply press enter choosing the default option.
  5. Download and install the Desktop Masters Tech Tools executable.
    • If you are a D$M Tech go to http://Cleanup.DesktopMasters.com and download the most recent version of “Tech Tools” to the Downloads folder.  After you install and update it then delete the install exe file.
  6. Clean with SmitFraudFix.
    • Found here or off the “Clean-Up” / “Root Kits Removers” folder in the Tech Tools Menu.
    • Choose option 2 to execute the clean.
    • Note: If you are running a 64-bit system like Windows 7 64-bit the SmitFraud tool may disappear/crash during the clean process.  If this happens bring up the Task Manager with CTRL-SHIFT-ESC (or right-click on a blank area of the taskbar) and select “File” -> “Run” and enter “Explorer.exe”.  This should return the taskbar at the bottom.
    • When/If the temp folder cleanup process pops up, cancel it; we use our own.
    • Answer “y” when prompted to clean the registry.
    • When it is done you can quit with “Q”.
  7. Clean with The Avenger.
    • Found here or off the “Clean-Up” / “Root Kits Removers” folder in the Tech Tools Menu.
    • Click “Ok” till you are at the main dialog.
    • Checkbox both options at the bottom.
    • Click the “Execute” button and allow it to reboot (Yes).
  8. Let it boot back into Windows Normal mode then reboot back into safe mode.
    • Note:  If it reboots then boot back into safe mode before doing the next steps.
  9. Clean with Panda Quick Remove
    • Download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
  10. Cleanup Temp file areas with CCleaner (Wait till it completes).
    • Download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
    • Note:
      • UNcheck/Disable: Any web browser options to remove cookies or history or typed URLs or auto complete history etc. (on both Advanced/Application tabs).  To be clear you do not want to delete their tracking cookies.  There is no need to waste time deleting or scanning them since they are just harmless text files.
      • Checkbox/Enable: At the bottom of the Advanced Tab “Old Prefetch Data” and “Menu Order Cache”
  11. Cleanup Temp file areas with Cleanup.exe (Wait till it completes)
    • Download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
    • Note: Be sure to UNcheck everything except: “Empty Recycle Bins”, “Delete Newsgroup Cache”, “Delete Newsgroup Subscriptions”, “Delete Prefetch files”, “CleanUp! All Users” (are checked).
    • Do not bother to logout when it completes.  Also you should be able to answer “No” to almost any prompt it gives you, unless you are compelled to donate; if so, then please do so.
  12. Try to create a system restore point.
    • If the machine is not manageable yet you can skip this step.
    • Note: If you are using the Desktop Masters Tech Tools there is a quick option on the Menu to create one.  Or you can run “System Restore” from the Windows Programs Menu.  Choose “Accessories” -> “System Tools”.
  13. Set the flag to run a CheckDisk on reboot (but do not reboot).
    • In “(My) Computer” right click on the “C:” Drive and select properties.
    • On the Tools Tab look for the “Check Now” button and select it.
    • On the resulting popup check “Automatically fix the file system errors”.
      • (System errors are common and not a bad sign.  They are usually caused by not properly shutting down the computer.  This can happen often with infected computers.)
    • Do not check (leave unchecked) “Scan and attempt to recover bad sectors”.  This will take a very long time to complete and should only be done as a last resort; needing to run it may be a sign that the drive is failing.
    • After you click the “Start” button you will be told the computer cannot run the check now.  Choose the [Schedule disk check] button.  Do not restart the computer at this time as we will do it after or during the next step.
  14. Clean most rootkits with ComboFix (From Safe Mode).
    • Note: You will want to answer yes to just about everything ComboFix prompts you for.  If it finds a rootkit it may want to reboot and start over.  If it does, after you reboot go back to Safe Mode and try again.
    • When running ComboFix, if prompted to install the Microsoft Recovery Console it is recommended that you choose “Yes” and install it.
    • Once the removal process is started you will see lines referring to stages “STAGE_#”.  As part of the process it takes the network adapter offline so you will lose connection for 5 to 45 minutes depending on the speed of the computer and how slow the virus is making it.
    • If ComboFix finds any nasties it will restart your computer.  So if you find yourself in Normal Mode after the scan, you likely just removed something.
    • During the second phase of ComboFix you will stare at a blue screen while it finds changes.  This can sit for a very long time while it does its thing so expect that.
    • After ComboFix is done you will see Notepad on the screen with lots of cool but complicated info.
  15. Make sure you are in Normal Operation Mode.
    • If ComboFix has not rebooted you into Windows Normal Mode then do so now.
  16. Disable or uninstall all virus & spyware shields.
    • If Norton is on the computer you will want to remove that as it will slow the computer down like a virus all by itself.  You can use the Norton Removal Tool from the “Clean-Up” -> “Virus Scanner Removers” folder in the Desktop Masters Tech Tools Menu or you can download it from the Norton site here.
    • If this is a Desktop Masters supported computer you will want to remove all virus scanners and shields using the Removers or Uninstall.  When this is done we will install Microsoft Security Essentials.
    • If the machine already has Microsoft Security Essentials on it then double click on the green house in the system tray and uncheck “Turn on real-time protection” from the “Settings” -> “Real-time Protection” Menu.
  17. Do a Quick Scan with Malwarebytes
    • Note: After all the scans complete you will be instructed to repeat these steps doing Full/Complete scans.
    • You can launch Malwarebytes from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu or download it from here.
    • Configure it as follows…
      • Settings -> General Settings: Enable everything except “Anonymously report statistics”, “Create right click context menu” and “Open log file immediately after saving” (leave those unselected).
      • Settings -> Scanner Settings: Enable everything.
      • Settings -> Updater Settings: (If you are using the portable version) Disable “Download and install program update if available.”
    • From the Update tab, check for Updates to make sure the definition file is up to date.  You may get a short hang as it copies the update into place.
    • Start your quick scan.  Once the scan is going I like to configure and update the other scanners while I am waiting for it to finish.
  18. Do a Quick scan with SUPERAntiSpyware.
    • When you run the setup wizard choose “Next” until you get to the “Help stop the spread of Spyware and Viruses” / “Free System Diagnostic Report” section.  If you choose send information back you will have to sit for a while during the collection process.  So disable “Send a diagnostic report to our research center” (unchecked).
    • When asked to “Protect Home Page from Being Changed”, disable “Display a notification window” (unchecked) and choose [Do Not Protect].
    • [Preferences]
      • General and Startup: Disable/Uncheck all Start-Up Options.  Enable Check for updates before scanning on startup.
      • Scanning Control: Enable/Check everything except: “Close browsers before scanning”, “Scan for tracking cookies”, “Display scan option in Explorer context menu”, “Ignore System Restore/Volume Information” (Unchecked)
      • Hijack Protection: Uncheck “Display notification when home page changed”, “Protect home page…”.
      • Updates: Uncheck/Disable “Automatically check for program and definition updates every 8 hours” and Uncheck/Disable items under “Definition Updates Reminder”.
    • On the Updates tab click the [Check for Updates Now..] button and make sure the app is current.  You may have to click “Download and install the Updates Now” link that shows up in the lower right corner after clicking the button.  There are two update buttons one on the main dialog and one in the preferences update tab.  You must choose both buttons in both areas one after another several times till both report no more updates.
    • Run the quick scan.
    • Do not reboot yet after you clean the viruses.
    • After completing the scan, assuming all the really nasty viruses are no longer in memory, in “Preferences” -> “Repairs” run the following repairs without a restart:
      • Run everything that starts with “Enable”…
      • Remove Explorer Policy Restrictions
      • Remove Internet Explorer Policy Restrictions
      • Run everything that starts with Repair Broken… (Do not restart yet)
      • Reset Desktop Policies (Do not restart yet)
      • Reset Windows Clock display to 12 hour format. (Do not restart yet)
      • User Agent Post Platform Reset
      • User Agent Reset
      • (The above fix a lot of common issues and should be harmless.  If you are still having other issues feel free to run the fix that may apply to resolve that issue)
  19. If you found any viruses restart the computer at this time.
    • When you log back in you may see an error box: “vbAccelerator” / “runtime error” or a “Malwarebytes Automation Error”; this is expected from Malwarebytes Portable, we will remove it from the startup later.
  20. Scan with Spybot – Search & Destroy
    • If you see the setup wizard…
      • Uncheck everything on Additional tasks
      • Do not bother to backup the registry.  (We use the system restore)
    • (Select [Ignore] if prompted/warned about Ad-Aware.)
    • Note: If using the portable version, every time you run the program, including after updates, you must disable and exit the SD-Resident in the system tray.  If you do not, your system will be halted every time there is a change to the registry.
    • Update ALL definitions (Do not scan/check system with SpyBot until other scans are completed).
    • Do not Immunize at this time.
    • Change some Settings..
      • On the menus choose “Mode” -> “Advanced Mode” (Answer yes).
      • “Settings” -> “Scan Priority” = “Highest”
      • “File Sets” -> “Spybot Search & Destroy” -> “Cookies.sbi” = Unchecked
      • “Tools” -> “Resident”: Uncheck all resident options
    • After the scan completes and you have removed the nasties it has found, restart the computer.
    • Now that you have restarted run SpyBot again and immunize.  After you immunize “Unprotected” should show a “0” (Zero).  Immunizing will modify the hosts file.  If you get notified of changes to the hosts file by WinPatrol or another watchdog app, accept the change.
  21. If the system still appears infected run Norman (NOT NORTON) and do a Quick scan.
    • Norman can be found here and is also in the Desktop Masters cleanup file page under Virus Cleaners.
  22. If the system still appears infected run DrWeb cureit.exe
    • You can download it here and is also in the Desktop Masters cleanup file page under Virus Cleaners.
    • Note: Start Virus Scan (When prescan is done configure: Uncheck Prompt on Action, Set Move for Adware and Dialers.) Do a complete scan.
  23. If the system still appears infected run LSPFix.exe
    • Note: You may have to drag out the lower left corner to click the “Finish” button
  24. Run full Scans with Malwarebytes and SUPERAntiSpyware. 
    • (Be sure to ignore any Tech Tools if notified about hacking tools from them.)
    • If they find any viruses restart the computer after they are done cleaning.
  25. Uninstall / Remove the bad stuff with “My Uninstall”.
    • Uninstall all toolbars and programs that might be a threat including Norton, virus scanners, and ISP Software.  Do not restart the computer if prompted.  Rarely but sometimes you do have to reboot in order to continue uninstalls, especially if Norton is slowing you down.
    • Note: Toolbars like Google Toolbar and Yahoo toolbar are NOT a threat; leave them unless the customer wants to be Optimized too.
  26. Set Windows to download updates and then let you choose whether to install them.
    • On XP: “Control Panel” -> “Automatic Updates”
    • On Vista/Win7: “Control Panel” -> “Windows Updates”
  27. Run Windows Update and install updates if needed.
    • DO NOT INSTALL SERVICE PACKS.  If XP is not at SP3 then that should be installed at the proper time; however, that is billed separately as it has the potential to blue screen the computer.  It is VERY IMPORTANT the computer has the most current service pack so notify the owner that this should be done.
    • Do not install or upgrade Internet Explorer (That is part optimizing not cleaning).
    • We usually skip installing Genuine Advantage if we can help it.
    • If Windows update fails use this doc (note to self to write doc) to repair windows update.
  28. Make sure MSConfig is set to “Normal startup”.
    • Do not restart the computer if prompted to do so when you exit MSConfig.
  29. Clean with HiJackThis
    • You can download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
    • At the first menu choose the button [Do a system scan and save a logfile].  This will open a file in notepad.
    • Copy the contents of the notepad document and paste it into the box at http://WWW.HiJackThis.de then click the [Analyze] button below.
      • In the list if you see anything referencing “Norton” or “McAfee” then run the appropriate cleanup tool make sure all entries for that app are removed.
    • Close Notepad once you have results up.
    • Scroll down and using the user ratings decide what to remove by looking at the results on the web page and checking the items to remove in the HiJackThis application.  Mostly choose stuff tagged with a big red or yellow “X”.  If the “X” is yellow you can investigate what it is before removing it by clicking on the rating and seeing what people have written about the item.
    • Close the Web Browsers and then on HiJackThis Select [Fix Checked] and then close HiJackThis when it completes.
  30. Check the Startup with “Startup Inspector”
    • You can download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
    • Remember to remove the bad script that Malwarebytes puts into the startup.
  31. Using the System File Checker verify the system files are all proper.
    • (Optional) On Windows XP, move the i386 folder into the Windows folder and apply registry hacks to make Windows use the “C:\WINDOWS\i386” folder instead of the CD in the drive.
    • Apply Registry hacks to configure SFC to turn off prompting.
    • Run the System File Checker: SFC.exe /ScanNow
  32. Look for suspicious files.
    • In a Command Prompt (cmd) go into the Windows System32 folder (“cd C:\WINDOWS\System32”) and do a “dir /ah”, “dir /as” and “dir /ash”.  Look for suspicious hidden and system hidden files ending in .exe or .ini or .sys and occasionally .dll.  Look for files that are recent.
    • You may need to remove these files from the Recovery Console or safe mode.
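As an added example (not from the original checklist), the same hidden/system-file sweep done in PowerShell, sorted newest first and flagging files written recently. It assumes PowerShell 2.0 or later is installed (built into Windows 7; a separate download on XP and Vista) and is read-only.

```powershell
# Added triage helper; not part of the original checklist. Lists the files that
# "dir /ah", "dir /as" and "dir /ash" would show in System32 (Hidden and/or
# System attribute set), restricted to the extensions the step names, newest
# first, and flags anything written in the last $RecentDays days.
# Read-only: it deletes nothing. Assumes PowerShell 2.0 or later is installed.
param(
    [string]$Folder = (Join-Path $env:SystemRoot 'System32'),
    [int]$RecentDays = 30
)

$exts   = '.exe', '.ini', '.sys', '.dll'
$cutoff = (Get-Date).AddDays(-$RecentDays)
$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# -Force makes Get-ChildItem include hidden and system entries.
$hits = @(Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($exts -contains $_.Extension.ToLower()) -and
        ((($_.Attributes -band $hidden) -ne 0) -or (($_.Attributes -band $system) -ne 0))
    } |
    Sort-Object LastWriteTime -Descending)

$recent = 0
foreach ($f in $hits) {
    $attr = ''
    if (($f.Attributes -band $hidden) -ne 0) { $attr += 'H' }
    if (($f.Attributes -band $system) -ne 0) { $attr += 'S' }
    $flag = ''
    if ($f.LastWriteTime -gt $cutoff) { $flag = 'RECENT'; $recent++ }
    '{0,-7} {1,-3} {2,-17} {3,12:N0}  {4}' -f $flag, $attr, $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm'), $f.Length, $f.Name
}
'{0} hidden/system files matched; {1} written in the last {2} days' -f $hits.Count, $recent, $RecentDays
```

Legitimate Windows files can carry the hidden or system attribute too, so treat a RECENT line as something to investigate (date, size, publisher), not as a verdict.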
  33. Remove any orphaned links
    • You can download it from here or select it from the “Clean-Up” folder in the Desktop Masters Tech Tools Menu.
    • Check all the options in Orphan Remover before scanning
    • Scan with Orphans Remover and remove any orphaned links.
  34. Create a Windows System restore point.
  35. Look through the non-Microsoft services and determine if any should be set to manual.
    • Finding 3rd party services is most easily done by running MSConfig and checking the box to hide Microsoft services.  Be sure to set the services to manual from “Computer Management” and not MSConfig.
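An added PowerShell example, not the checklist's own tool, that approximates MSConfig's hide-Microsoft-services view by checking each Automatic service's executable for a Microsoft company name in its version info. It assumes PowerShell 2.0 or later and changes nothing; the company-name test is this script's own heuristic.

```powershell
# Added helper; not the original checklist's tool. Approximates MSConfig's
# "Hide all Microsoft services" view: lists services set to Automatic start whose
# executable does not name Microsoft in its version info, so you can decide which
# to set to Manual in Computer Management. Read-only: it changes no start modes.
# Assumes PowerShell 2.0 or later. Limitation of this heuristic: svchost-hosted
# services resolve to svchost.exe and so count as Microsoft even when a
# third-party DLL runs inside them.
function Get-ServiceExePath([string]$PathName) {
    # PathName may be quoted ("C:\Program Files\x\svc.exe" -arg) or unquoted with
    # spaces (C:\Program Files\x\svc.exe -arg); return only the .exe path.
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }
    return $PathName.Trim()
}

$auto = Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }
$rows = foreach ($svc in $auto) {
    $exe = Get-ServiceExePath $svc.PathName
    # A missing binary is reported rather than skipped: an orphaned Automatic
    # service is worth a look in its own right.
    $company = '(file not found)'
    if (Test-Path -LiteralPath $exe) {
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        if (-not $company) { $company = '(no version info)' }
    }
    if ($company -notmatch 'Microsoft') {
        New-Object PSObject -Property @{
            Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
            Company = $company; Path = $exe
        }
    }
}
$rows | Sort-Object Company, Name | Format-Table Name, State, StartMode, Company, Path -AutoSize
```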
  36. Reboot
  37. Install and configure MSSE “Microsoft Security Essentials” (If you plan to optimize skip this step for now)
    • You can download it from Microsoft here.
    • Allow to update
      • Note: May require a reboot if it refuses to update
    • In Options, configure it in the following manner.
    • “Scheduled Scan” -> “Run a scheduled Scan” = Unchecked (Leave this checked and people will start calling you complaining that their computer is slow because the scan is running and they do not realize it.)
    • “Excluded files & locations” -> (Exclude the following directories if they exist)
      1. C:\Program Files\LogMeIn
      2. C:\Program Files\Tech Tools
      3. C:\System Volume Information
    • Remove the Desktop Icon the install created.
  38. Putting things back..
    • Reset the time display format. (This step may have been accomplished in SuperANTISpyware) Some of the virus cleaners reset the time display in the tray to military time. In the “Control Panel” go to “Region and Language” (On XP choose “Customize”) set the time format to “hh:mm:ss tt” to include the AM/PM in the display.
    • Set Windows backup to Automatic Mode – Only if you are not going to be supporting this computer or it is not under service contract.
    • Hide extensions for known file types. Make sure that this is checkmarked in “(My) Computer” -> “Folder Options” -> “View” -> “Files and Folders”.
    • Remove Remote Control if warranted. If you have installed LogMeIn or some other remote control and this is a one time job then uninstall it.
    • Re-Enable UAC? If you disabled UAC and this is not a computer you normally support you might want to turn it back on. If this is a computer you support then you decide. (: On DesktopMasters computers for now I leave it off.