A few threads have mentioned the current plague of 'antivirus popups' and also loss of desktop settings tab and other problems.
A customer had one of those this afternoon and I've had a half dozen or more in the last two or three weeks.
I do it manually, which also speeds the whole system up, but before summarizing how to do that, I'll suggest one click solutions for immediate relief for completely non-tech people, which may or may not work - but at least it's easy....
First download this: www.malwarebytes.org and save to your desktop.
Also download this: http://siri.geekstogo.com/SmitfraudFix.php
also to your desktop. Even if the 'Smitfraud' type malware is not your problem, it runs a fixup procedure that will restore your desktop settings tab and other settings without you twiddling with the system registry (as long as the spyware is not active, i.e. run this after the other one). I use it quite often.
You can run them normally, or better, you can go into 'Safe Mode' by restarting your computer and either (people tell me) by continually hitting F8, hoping it doesn't conflict with a BIOS function; or the surefire way of pressing and holding the power button for 4 seconds (to force a rough shutdown) while the moving LED Windows startup is in progress, followed by powering up again and moving the up/down arrows to the 'Safe Mode' option when presented. Normally not good for your disk, right now we don't care and can run a disk check afterwards.
After running the two programs, restart and reset your theme to standard by right clicking the desktop>Properties. Sometimes a lingering 'antivirus' image is just your desktop background picture.
This might solve at least some of the current crop of 'antivirus' popup problems, but if you want or need the full job I charge for every day, here is the basic procedure:
In addition to the above: download 'HiJackThis!' http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Also download CCleaner: http://www.ccleaner.com/
You may also need 'winsockxpfix': http://www.snapfiles.com/download/dlwinsockxpfix.html
Before beginning, you would be better off uninstalling Norton/McAfee (and unfortunately now AVG) or any other complex 'security' suite. They almost always slow things down massively and/or become part of the problem. Search my other posts for links to special removal tools if you have any problem uninstalling. Restart.
Then, go into Safe Mode as described above. Then go Start>Run (in Vista use the Windows Search box above the Start button) and enter 'msconfig' (without the quotes). This gets the easy superficial stuff: go to the Startup tab and untick everything (if you have not removed Norton/McAfee etc. you are on your own sifting through which ones to untick or not).
Then go to the 'Services' tab and make sure the tickbox (above the OK button) 'Hide All Microsoft Services' is ticked. All of the remaining entries should be unticked except: 'Office Source Engine' (if present) and maybe a printer related entry (especially 'Lexbce') and maybe 'synaptics' touchpad stuff. Anything mentioning 'HD Audio' can also be left. You can always retick later if something stops working. Click OK. Ignore/refuse any restart prompts.
Now run HiJackThis! and click 'Do a System Scan'. You will then see pages of junk entries; all you need are a handful - tick everything else (to remove), leaving only any possible printer related entries, anything mentioning ..windowsupdate..., any licensing services for specialist software (eg Adobe) and Synaptics touchpad entries. You can always reinstall a printer (though never tick/remove 'Lexbce server'). Vista users can leave more entries - my cleaned up HP Vista laptop has a few innocent ....Internet Explorer/Main..Start.. Page entries, also an entry containing .... 'Hosts' and another containing ...'Gopher'.
Click on 'Fix checked' and respond with OK if prompted about BHO entries.
Run HiJackThis! again and check for any stubborn entries, particularly random looking names with a .dll or .exe suffix, often but not always located in C:\Windows\System32 folder. These are viruses and if they can't be removed using HiJackthis! there is a more difficult operation necessary. Sometimes a complete reinstall is necessary if these have damaged the system and things aren't right even after a cleanup.
You can now run CCleaner. With the 'Cleaner' button selected the left pane entry under Advanced, 'Old Prefetch data' can be ticked. Also (assuming you removed 'security' suites earlier and restarted after that) select the Options button on the left Tab>Advanced> untick 'Only delete....48 hours' Now go back to 'Cleaner' side tab/button and click 'Run Cleaner'. Probably you will then remove a few hundred MBs of junk files.
I have also found that the current crop of popups create a folder in C:\Program Files, but be careful not to delete an essential program. Inside the folder is an installer for the malware. Delete nothing if in doubt.
Restart the computer and for 90% of you all will be well. Reset your Theme to standard and reset Internet Explorer (Tools>Internet Options>Advanced). You could also run winsockxpfix if there is still any Internet trouble.
Open CCleaner and choose the 'Registry' side tab and then 'Scan for Issues' followed by 'Fix Selected Issues' (ignore backup prompts) and choose Fix all. Repeat a couple of times.
Also, go to Control Panel>Internet connections. Right click>Properties on any Local Area or Wireless connection. Highlight and uninstall any entry except these four: 'Client for Microsoft..', 'File and Printer Sharing', 'QOS Packet...' and 'Internet Protocol (TCP/IP)'. On a wireless connection go through the tabs and make sure a 'Use Windows to configure wireless' option is ticked.
You can repeat this whole procedure again if necessary and restart.
If you still have stubborn entries in HiJackThis, then removal is not easy. You could just install Antivir (see below) and manually scan, but things can get complicated once viruses are already active and embedded. There are brute force removal programs but I don't use them.
The way I do it is to make a note of the virus names and locations from HijackThis, then boot the system using 'Ultimate Boot CD' for Windows (http://www.ubcd4win.com). This allows the system to run, albeit slowly, from a CD and allows access to the hard disk in order to delete the noted files manually. You could use a Linux CD also. Another way I use is to remove the laptop or desktop hard drive and put it in a USB external enclosure. This can be plugged into a good computer and the files manually deleted. It is often good to look at C:\Windows and C:\Windows\system32 and sort by date. Usually the newest files, especially those with random-looking names, are viruses, but some judgement and risk is involved; to be on the safe side just delete the noted files. There are also USB to IDE and/or SATA cables you can buy which just plug into the bare hard drive without placing it in an enclosure.
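The two manual checks above (the msconfig/HijackThis startup entries, and sorting C:\Windows and System32 by date looking for recent random-looking .exe/.dll files) can be done in one read-only listing. This is an added triage script, not part of the original post and not a tool the post mentions; it assumes PowerShell 3.0 or later, only reports candidates and deletes nothing, the 14-day window and the "random-looking name" heuristic are my own assumptions, and the Authenticode check is extra signal the post does not use.

```powershell
# Added triage helper: list what the post says to inspect by hand. Nothing is deleted.
param(
    [string]$SystemRoot = $env:SystemRoot,   # assumption: standard Windows install
    [int]$Days = 14                          # assumption: "recent" means the last two weeks
)
$cutoff = (Get-Date).AddDays(-$Days)

# Crude heuristic for "random looking" names (6+ chars, no vowels, or digit-heavy).
# Expect false positives; it only orders the list for a human to review.
function Test-RandomLookingName {
    param([string]$BaseName)
    $n = $BaseName.ToLower()
    if ($n.Length -lt 6) { return $false }
    $vowels = ([regex]::Matches($n, '[aeiou]')).Count
    $digits = ([regex]::Matches($n, '[0-9]')).Count
    return ($vowels -eq 0) -or ($digits -ge 3 -and $vowels -le 1)
}

# 1. Recent .exe/.dll files in the two folders the post says to sort by date,
#    with the Authenticode status so unsigned newcomers stand out.
Write-Host "== Recent .exe/.dll in $SystemRoot and System32 (newest first) =="
$recent = foreach ($d in @($SystemRoot, "$SystemRoot\System32")) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Extension -match '^\.(exe|dll)$' -and
                       $_.LastWriteTime -gt $cutoff }
}
$recent | Sort-Object LastWriteTime -Descending |
    Select-Object @{n='Modified';e={$_.LastWriteTime}},
                  @{n='RandomLooking';e={ Test-RandomLookingName $_.BaseName }},
                  @{n='Signature';e={ (Get-AuthenticodeSignature $_.FullName).Status }},
                  FullName |
    Format-Table -AutoSize

# 2. The Run/RunOnce autostart keys behind the msconfig Startup tab and HijackThis O4 lines.
Write-Host "== Autostart (Run/RunOnce) entries =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize
```

Run it from an elevated prompt before and after the HijackThis pass; anything that is recent, unsigned and flagged RandomLooking is what the post means by a "stubborn entry" worth noting down.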
Once your system is functional, don't go back to bloatware security suites, use the free Avira Antivir, http://www.free-av.com along with Spybot (1.4 recommended for now - http://www.tucows.com/preview/310138 . Only version 1.6 is at spybot.com) Don't use 'SDHelper'/'immunize' just scan weekly. Spybot 1.4 is still the best basic spyware remover as far as I'm aware. Also go to Control Panel>Windows Firewall to make sure it is turned on (do allow exceptions). If you have a router, that acts as a double hardware firewall and no other firewall is necessary anyway. Once the antivirus is up and updated, do a one off manual scan of your whole system, thereafter it will protect you in the background and update itself. Also do a one off error check on the C:\ drive: Go to My Computer, right click the C drive>Properties>Tools>Error Check. Tick the top of the 2 tick boxes only, restart. It is then safe to defragment.
If you have decided a reinstall is the way forward and you have the disc or preinstalled Recovery feature (often F10 on startup), make sure you do a destructive reinstall that formats the disk and loses your data (which should be backed up). The other, non-destructive way just overwrites Windows and leaves viruses in place. If you haven't got the disk, you could download a torrent from piratebay, mininova or demonoid, search for 'XP SP3' and choose one with a high number of sharers. Read sharer comments first.