General Computer Information

Hardware Troubleshooting
Not all computer problems are caused by viruses and malware. While I like to think of
computers as my little silicon-based lifeform friends, they are really just machines and
machines break down. Here are some basic hardware troubleshooting steps:

Open the computer and run it open after cleaning out all dust bunnies. Be careful when
you clean; use compressed air and be gentle. Observe all fans (overheating will cause
system freezing and/or crashing). This includes the fan on your video card if you have one.
Obviously you can't do this with a laptop, but you can hear if the fan is running and feel if the
laptop is getting too hot. For a desktop, without touching anything, hold your hand close to
the inside of the case and feel how hot things are getting.

Test the RAM - I like Memtest86+ from http://www.memtest.org. Obviously, you have to get
the program from a working machine. You want the pre-compiled bootable ISO (.zip). Unzip
the file you download by double-clicking on it and drag the contents out. You will now have a
file called memtest86+-4.00.iso (the version number may be different). You can delete the
.zip file now. Put in a CD-R disc and start a third-party burning program such as Nero, Roxio
or the free ImgBurn (unless you have Windows 7, which can burn .isos natively). You will
need to burn the file as an image, not as data. Refer to your burning program's Help if you
don't know how to do this.

Leave the CD-R in your optical drive and restart your computer. When you restart the
computer you will see messages:

1. Possibly a message that says something like "Press F12 for temporary boot menu". If you
have this message, press that function key. Use your arrow key to select the CD/DVD drive
and the computer will boot from the Memtest86+ CD you made.

2. If you don't see a message about a boot menu you will need to go into the BIOS to
change the boot order. This message will say something like "Press F2 to enter Setup".
Press that function key and you will enter the BIOS. Find the section about boot and change
the boot order to CD/DVD drive first, hard drive second. Save your changes and exit Setup.
The computer will boot from the Memtest86+ CD you made.

The test will run immediately. You can remove the CD while the test is running. Let the test
run for an hour or two unless errors are seen immediately. If you get any errors, replace the
RAM. It is extremely important that you get RAM that is compatible with your motherboard
(and the RAM already in the machine). Crucial Technology has a Memory Selection Tool on
their website.

Test the hard drive with a diagnostic utility from the drive manufacturer. If you aren't
sure what drive you have or can't find a utility for it, Seagate's SeaTools for DOS can test
non-Seagate drives. Download the file and make a bootable floppy or CD with it. If you are
using XP or Vista you need third-party burning software such as Nero, Roxio or the free
ImgBurn. Windows 7 can burn .isos natively. Burn as an image, not as data. Boot with the
media you created and do a thorough test. If the drive has physical errors, replace it.

http://www.seagate.com/www/en-us/support/downloads/seatools/seatooldreg
http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=201271 (how-to)

The power supply may be going bad or be inadequate for the devices you have in the
system. The adequacy issue doesn't really apply to a laptop, although of course the power
supply can be faulty. For a desktop, test by swapping out the PSU for a known-working one.
If you have one of the higher-end video cards that requires a separate power supply
connector, make sure it is in place.

Balwinder Randhawa
Plz take good care of your Health

Test the motherboard with something like TuffTest from http://www.tufftest.com or
programs from the Ultimate Boot CD. Sometimes this is useful, and sometimes it isn't.

If you have an OEM machine (HP, Dell, etc.) and it is still under warranty, use the OEM's
hardware diagnostics if there are any. For instance, on some of its machines Dell has a
small diagnostic partition on the hard drive accessed by pressing F12 (usually) at startup.
Although my experience is that OEM diagnostics aren't always accurate, running them will
often produce an error code which you can give to the technical support person. Then you
don't need to argue with some bottom-tier rep about why reinstalling Windows on a broken
hard drive is useless.

Another good way to test if problems are caused by hardware or software (Windows) is to
boot with a Linux Live CD (or Linux on a USB thumb drive). If the system behaves beautifully
under Linux then you know Windows (software) is at fault. If you can't run Linux, then you
know the hardware is bad. I use Knoppix but there are plenty of other Linux Live distros. A
"Live" CD/USB distro means that the Linux operating system runs entirely in RAM (memory)
and doesn't touch your hard drive. You might want to use the bootable USB thumb drive
when you have a computer with a single optical drive (like a laptop) and the optical drive is
what you want to test. Obviously you can't burn a DVD in the drive if it is in use by the Live
CD.

http://www.knoppix.net
http://www.pendrivelinux.com/
http://www.livecdlist.com/

Testing hardware failures usually involves swapping out suspected parts with known-good
parts. If you can't do the testing yourself and/or are uncomfortable opening your computer,
take the machine to a professional computer repair shop (not your local version of
BigComputerStore/GeekSquad).

What to do if you didn't back up
Let's face it, sometimes disaster strikes and you didn't back up your data. A lot of the data
recovery success (and cost of the process) depends on what caused the disaster. Please
note that data recovery is time-consuming and therefore not cheap. Even if we are able to
recover data, we cannot warrant that all of the data you need will be recovered. We will do
our best, which is a lot better than that Very Big Computer Store will do for you (they will
normally not attempt to save your data, but simply reinstall Windows); however, we do not
take responsibility for your data. There's no sweet way to say this: you should have made
backups.

If the hard drive is unbootable or too badly corrupted and the data on it is important, then all
is still not lost. The data recovery wizards at DriveSavers can perform what certainly look
like miracles. If you decide to use DriveSavers you are eligible for a discount. Data recovery
from a company like DriveSavers is not inexpensive, but in our admittedly awed opinion
completely worth it if your data is vital. It is my understanding that some insurance
companies will now cover data recovery expenses so check with yours.

Reinstalling Windows

Post-disaster - either because of hard drive failure or because of viruses/malware that have
damaged the operating system beyond repair - you will be faced with the necessity to
reinstall Windows. Whether we do this or you do this, you will need:

1. A CD/DVD of the Windows operating system and a Certificate of Authenticity bearing
the Product Key - If you bought the computer from a system builder, the Product Key is
normally on a sticker on the side or back of the computer (it will be on the bottom of a
laptop). If you bought a retail copy, the Certificate of Authenticity with Product Key was in the
box, usually on a brightly colored sticker marked "DO NOT LOSE THIS". We hope you didn't
lose it, because without the proper Key it is not possible to reinstall Windows without buying
a new copy. If you have proof of purchase, you can contact Microsoft for a replacement
copy; otherwise you will be stuck buying one. For this reason, I strongly suggest that you do
not buy a computer at a yard sale or flea market. You won't have any assurance about what
you are getting, whether it will work, and whether you have a legal copy of Windows. If you
have an OEM ("Original Equipment Manufacturer") computer such as one from HP, Sony,
Compaq, eMachines, etc. you may not have physical disks or you may have a Recovery
Disc.

Legally, a system builder who preinstalls a Windows operating system must give the
customer a way to return the computer to factory condition. They can do this by
providing:

A. A physical CD/DVD with the actual operating system on it. If an OEM version (as opposed
to retail), there must be a Product Key sticker on the computer. If you have the Product Key
sticker, a local computer shop may be willing to install Windows for you since the product
key is your license, not the physical media.
B. A physical CD/DVD with an image of the operating system as installed at the factory -
sometimes known as Recovery or Restore Discs.

C. An image of the operating system on a special partition, sometimes hidden, on the hard
drive. When an OEM does this, they give you a utility with which to make physical restore
discs, usually only one time. DO THIS. DO IT NOW. Label the discs you make and put
them somewhere safe where you will find them again.

Refer to your computer manual for which method was used. You can start the Factory
Restore process on most OEM machines by pressing a Function key (like F10) or a
combination of keys (like Alt+F11) when the computer starts up. The key(s) press varies
from computer manufacturer to computer manufacturer and sometimes even for different
models made by the same company. If you don't have a computer manual, you can find out
how to restore your computer to factory condition on the computer manufacturer's website or
call its tech support.

If you purchased a used computer from "a friend", yard sale, or unscrupulous local computer
shop and did not receive the Product Key, I'm afraid you will have to buy a copy of Windows.
The only other alternative is to install a free operating system like one of the Linux
distributions. This is not as horrible as you might think. ;-)

2. Various drivers - All hardware inside your computer (or connected to the outside, like a
printer) including the motherboard (the large circuit board that everything plugs into) has
related software called a "driver" which tells the operating system (Windows) how to use the
hardware. For example, Windows might recognize that you have a sound card plugged into
the motherboard, but if the proper drivers aren't installed Windows won't know what to do
with the sound card and you won't have any sound. You should have received installation
media for the drivers when you bought your computer.
3. CD/DVDs (or installation executables backed up for programs you downloaded
from the Internet) for whatever programs you would like to reinstall. An operating
system (Windows) does not come with word processors, spreadsheets, etc. If you have
Microsoft programs such as Works or Office, be sure you have the necessary Certificate of
Authenticity with Product Key. OEM machines normally come with bundled preinstalled
software and you should have received a way to reinstall that software - you might have
separate CDs or it might be included on a Recovery Disc.

4. Information regarding how you connect to the Internet - your Internet Service Provider
(ISP), your settings, your user name and password.

5. Information about other specialized software you use - reinstallation media, serial
numbers, etc.

Maintenance
I really don't suggest using a maintenance suite on Windows XP, and certainly not on Vista
or Windows 7. Registry cleaners cause more harm than good. Stay away from so-called
"system optimizers". They are not necessary. At best they will do nothing and at worst they
can be malware and/or trash your system. XP, Vista, and Windows 7 have far better built-in
maintenance tools than earlier Microsoft operating systems did.

Run Disk Cleanup once a week. Go to Start>Run>cleanmgr [enter].

Run Disk Defragmenter once a quarter in XP unless you routinely work with very large
files; in that case once a month is better. Vista's Defragmenter runs in the background. XP is
usually installed using the NTFS file system which doesn't get as fragmented as the FAT16
or FAT32 file systems of DOS, Win9x/ME. Vista only uses NTFS. In XP, go to
Programs>Accessories>System Tools to find the Defragmenter. Be sure no other programs
are running in the background, particularly antivirus programs or screensavers. Unlike in
Win9x/ME, it isn't necessary to defrag in Safe Mode in XP or Vista. Vista and Windows 7 run
Defragmenter in the background when the computer is idle so normally you don't need to
manually run a defrag in these operating systems.

Scan for spyware with programs like Malwarebytes' Anti-Malware (MBAM) weekly.
While you certainly can pay for MBAM to get more options (like automatic updating and real-
time protection), it isn't necessary and the free version removes malware just the same as
the commercial version does. Vista and Windows 7 have Windows Defender built in and this
is adequate for most people although I like to have MBAM (free version that doesn't run in
the background) on Vista/Win7, too. There are links and more information in the
Viruses/Malware section.

Always have a current antivirus version (not more than 2 years old) installed and keep
the definitions updated. Weekly scans are fine, but the most important thing is to have an
active subscription so your virus definitions are up-to-date. McAfee and Norton are garbage.
I recommend NOD32, Kaspersky, Avast (free version available), or Avira (free version
available).

Do not run unknown programs. Only install programs you need and which come from a
trusted source. Be extremely cautious about opening email attachments; they are not safer if
they come from someone you know. Do not EVER run a program that you received from an
instant message and do not click on links in an instant message. Be extremely cautious on
websites that are known vectors for infection such as Facebook and MySpace. Do not do
file-swapping. See the section on Viruses/Malware for more information.

Uninstall unwanted programs by using the Add/Remove Programs applet in Control
Panel. Do not simply delete the folders. Add/Remove Programs is called Programs and
Features in Vista and Windows 7.

Thou Shalt Not Run Beta Software. Beta software is still in the experimental stage. All the
bugs have not been found and fixed. Even if the program is tempting, it is better to wait until
the final version is available, unless you like Living On The Edge. Or reinstalling Windows.

Basic Security
Do not connect a Windows computer to the Internet without a firewall in place.

Protect yourself by -

1. Turn off File/Printer sharing if you don't need it. Remember that when you are on the
Internet, you are connected to everyone else in the world who is online at that moment.

2. Most people have a broadband Internet connection (DSL or cable) now. Even if you only
have one computer, it is a good idea to purchase a router to sit between your computer and
the cable/DSL modem.

3. Use a firewall. Windows XP Service Pack 2/3, Vista, and Windows 7 all have built-in
firewalls which are adequate for most people.

4. Keep your operating system current with Service Packs and updates. Keep important
programs which are vectors for attack updated. Examples are browsers (the software that
lets you "see" the Internet), Adobe Reader, Adobe Flash, and Java.

Spyware - A good definition of spyware, taken from the excellent Wikipedia is:

"In the field of computing, the term spyware refers to a broad category of malicious software
designed to intercept or take partial control of a computer's operation without the informed
consent of that machine's owner or legitimate user. While the term taken literally suggests
software that surreptitiously monitors the user, it has come to refer more broadly to software
that subverts the computer's operation for the benefit of a third party.

"In simpler terms, spyware is a type of program that watches what users do with their
computer and then sends that information over the internet. Spyware can collect many
different types of information about a user. More benign programs can attempt to track what
types of websites a user visits and send this information to an advertisement agency. More
malicious versions can try to record what a user types to try to intercept passwords or credit
card numbers. Yet other versions simply launch popup advertisements."

To see what, if any, spyware you have on your system, go through at least some of the
steps in the "Removing Malware" section. Bear in mind that many ad-supported programs
will not work if you disable the spyware components. The choice is yours.

File-Swapping (or File-Sharing) - Another common security breach is the practice of peer-
to-peer ("P2P") file-swapping. Most people have heard of Napster, which brought file-
swapping into the mainstream consciousness. Basically, people could connect to a special
network and swap files with each other. Although Napster no longer exists in its earlier form,
there are many other popular file-swapping programs such as Lime Wire, Bearshare, Ares,
and the like. Music files in the popular mp3 format are the most commonly traded but any
file can be swapped, such as movies and pirated commercial software. Peer-to-peer file-
swapping is an extremely controversial issue.

I'm not going to address the morality of the practice, but you should know that if you are file-
swapping, your computer's security is potentially breached. File-swapping programs create a
"Shared Folder" on your hard drive where you put the files you wish to make available to
others. Windows 9x and ME are inherently insecure operating systems. If you are still(!)
using one of those operating systems and you enable file sharing of one folder, your entire
hard drive is open to the world. Windows XP can be made more secure, but it is still risky to
do file-swapping. While Vista and Windows 7 are more secure operating systems, they are
not bullet-proof. If you use your computer for business or have important personal
information on it, those files may be compromised, along with all your passwords.
Additionally, you take the chance of downloading some sort of malware with your mp3's.
Trojan horses and viruses have frequently been found in P2P programs. If you decide to
participate in file-swapping, be aware of the risks. I tell clients that file-swapping is like being
in bed with 50,000 teenage boys. You are basically bringing a file into your computer and
you have no idea whether the computer it came from is clean (virus-free), whether the file-
swapper you got it from is malicious or not. The best thing, aside from refraining from file-
swapping, is to use a separate dedicated computer containing no important data. A
separate hard drive is not a good solution, because it is vulnerable to infection from the main
drive. Or do your file-sharing from a computer running Linux. There are now many legitimate
places to download music, such as iTunes, Real's Rhapsody, or Amazon's MP3 Download
Service.

I've written two informational articles about security and staying safe on the Internet that I
often give to clients. You can download them in .pdf form by right-clicking on the links and
choosing "Save Link As".

"Staying Safe or How to Not Have This Happen Again"

"Too Much Security"

Viruses/Malware
All viruses, trojan horses, and worms are malicious pieces of code (known collectively as
"malware") which can damage your data. Viruses are designed to spread themselves from
one file to others in a single computer. They can cause everything from lost data to
inaccessible files. In some cases, a virus can do permanent damage to the computer.
Worms are like viruses in that they also replicate themselves, but they are designed to
spread from computer to computer, infecting an entire network. Trojan horses are aptly
named - they are programs usually disguised as something useful or desirable, but their true
nature comes with a hidden surprise. The Trojan might "phone home" all your passwords
and/or financial information. It might enable the Bad Guy to control your PC and steal or
damage your data, or even turn your PC into a zombie to attack websites.

Before Internet use was as widespread as it is now, viruses were most often passed from
user to user by infected floppy disks. Now the most common way of malware transmission
is by opening email attachments, file-swapping, clicking on links from a malicious source
(either on a website or in an instant message), and downloading "free" programs that are
either supported by malware or not what they seem.

Virus hoaxes are usually passed on as email messages, and are intended to scare people
about a non-existent threat. Users often forward these "alerts" to everyone they know,
thinking they are doing a good deed. However, virus hoaxes cause lost productivity, panic,
and clog email servers. Hoaxes can be a serious threat to email systems. If enough
messages are sent, they can bring down a server. There are many Internet sites devoted to
hoaxes. Check at the Symantec Antivirus Research Center or at one of the other antivirus
sites before you click that "Send" button.

All the security programs in the world won't help you if you don't practice "Safe Hex".

Make sure your antivirus program is a current version and the subscription is active.
Antivirus programs work by looking for known virus-like activities/characteristics. The
antivirus program "learns" about all the new viruses by checking with the program's server
for new virus definitions. When it finds the new definitions, it will download them and install
them automatically so now instead of knowing about 215,000 viruses (for example) your
antivirus program knows about 235,000. You get the right to new definitions by subscribing.
Running an antivirus program with an expired subscription (and hence having outdated virus
definitions) is almost worse than having no antivirus at all because it gives a false sense of
security; you think you're protected when you're really not. As I said in the "Maintenance"
section, I recommend NOD32 (commercial), Kaspersky (commercial), Avast (free version
available), or Avira (free version available). I emphatically do not recommend Norton,
McAfee, or Panda. I also prefer not to use all-in-one "security suites" but rather just the
antivirus and the free version of MBAM (which doesn't run resident). Vista and Windows 7
have Windows Defender built in, which is fine. I don't install Defender on XP machines. If
you really feel you must have a security suite, I have found Eset's Smart Security to be
excellent without being heavy on system resources.

Removing Malware
Please understand that cleaning up malware can require a lot of patience and skill.
We're seeing malware that does things like make itself into a service on Windows XP/Vista
computers, be guarded by another piece of the malware and respawn with a random name,
break antimalware applications, and lots more destructive behavior. Some malware installs a
rootkit (which is hidden) and these infected computers are extremely difficult, if not
impossible, to clean. If you look at the instructions below and think, "Whoa - too hard!" then
do yourself a favor and take the machine to a professional computer repair shop (not your
local equivalent of BigComputerStore/GeekSquad). There is no shame in doing this. Please
be aware that not all local shops are skilled at removing malware and even if they are, your
computer may be so infested that Windows will need to be clean-installed. Have all your
data backed up before you take the machine into a shop.
I must stress that these are general removal steps. When I clean a client's machine, I
examine the files on the machine very carefully. Because I have worked on Windows
operating systems for many years, I am able to distinguish between an operating system file
and Something Else. An end user cannot do this. I'm not dissing your Mad Skilz, but frankly
if you really have Mad Skilz I doubt you're reading this.

Note: The tools I suggest using for malware removal are free. If you are getting popups
saying that your computer is infected and you can get it cleaned up for a price, this is not
legitimate. This type of malware is called a "rogue antispyware program" because it pretends
to be A Good Guy but is really Evil. Do not pay them! Rogues are extremely common. You
can look for removal steps for your particular malware here:

Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
or here - Malwarebytes' malware removal guides - http://tinyurl.com/5xrpft

Bleeping Computer has a page with removal steps for numerous variants of rogues here -
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

These may work for you and all may be well. However, in many cases the computer will also
be infected with trojans and protected by a rootkit. As I said, these machines are extremely
difficult to clean.

If your machine is one of these cases, either get guided help at one of the specialty forums
listed here OR back up your data and do a clean install of Windows. It is your choice. If you
are unsure how to back up your data or how to do a clean install, you can take your machine
to a local computer professional. If you decide to back up your data yourself and do a clean
install of Windows.

A. Preliminary Preparation
1. Before anything else, take the machine into Safe Mode. To get to Safe Mode,
repeatedly tap the F8 key as your computer is starting up. This will get you to the correct
menu where you can choose "Safe Mode". Use your Arrow keys to navigate; the mouse will
not work here. After you've cleaned up your computer, simply allow the machine to boot
normally and it will go into Regular Mode.

Since you will be scanning in Safe Mode with no Internet access, this means that you should
get any tools and updates from a different, known-clean computer which has Internet
access. Either use that computer's CD/DVD-RW drive to burn the files you get onto a CD-R
or transfer the files using a USB thumbdrive with enough capacity to do the job. If you don't
have another computer, then get what you need from a friend's computer or take the
machine to a professional. If absolutely pressed, you can go into Safe Mode With
Networking. This will give you Internet access but some malware can be active even in Safe
Mode and/or has already done the damage to prevent you from getting to the malware-
fighting websites.

I do not suggest using online virus scanners because viruses and malware will be active in
Regular Mode and while the machine is on the Internet. A computer infected with one of the
many trojans that spews spam and/or virus-laden emails or malware that downloads even
more bad stuff to the infested machine has no business being on the Internet.
Note: There are a few exceptions to this. If you scan with Multi-AV as suggested below,
you will need to start out by updating its modules in Regular Mode. In addition, the
Malwarebytes people and other malware removal experts suggest that the first scan with
MBAM be the Quick Scan done in Regular Mode. For myself, I usually go into Safe Mode
With Networking first and if that works I install/update MBAM and do a full scan with it from
there. Depending on the results, I will do another full scan with MBAM in Regular Mode. I
say "depending on the results" because after my first scan I have a pretty good idea if the
malware can be successfully removed or if I need to back up data and do a clean
install/factory restore of Windows.

2. Disconnect any suspect computers from all networks. This means disconnecting from
the Internet and your Local Area Network (LAN) if you have one. If you have multiple
computers on a network and one computer was infected with a network-aware worm, you
will need to clean all computers on that network before connecting the LAN again. If you
connect your nice, clean computer to a LAN with infected machines, it will just get infected
all over again. Trust me on this. Yes, this is a lot of work but if you try and cut corners you'll
wind up spending even more time on the job.

3. Make sure you are able to see all hidden files and extensions (View tab in Folder
Options). In XP, Vista, and Windows 7 there are four checkboxes to deal with:

a. Check "Display the contents of system folders".
b. Check "Show hidden files and folders".
c. Uncheck "Hide extensions for known file types".
d. Uncheck "Hide protected operating system files" and click "OK" to the dialog box.

4. Delete all Temporary and Temporary Internet Files, uninstall older versions of Java
(removing all Java files/folders).

a. For Internet Explorer's Temporary Files, go to Control Panel>Internet Options>General
tab. You'll see where you can delete cookies and files.
b. For Firefox, clear its cache by going to Tools>Options>Privacy>Cache>Clear.
c. For Windows Temporary files, run the Disk Cleanup. In XP you can find the shortcut for
Disk Cleanup in your Start Menu under Programs>Accessories>System Tools>Disk
Cleanup. In Vista and Windows 7, just type "Disk Cleanup" without the quotes into the Start
Orb>Search box.
d. To clear Sun Java's cache, Start>Settings>Control Panel>Java applet>Cache>Clear or
follow the same path to the Java applet and then to General>Settings>Delete files. You
should also make sure that you have the latest version of Java. Uninstall all older versions
and get the latest version from the Java website here:
http://www.java.com/en/download/index.jsp

A very good utility for cleaning things out is CCleaner. CCleaner is a powerful tool and I
strongly urge you not to use the more advanced tools unless you totally know what you're
doing. I never use the registry cleaner portion of this utility and I do know what I'm doing! If
you don't know how to work in the registry by hand, you shouldn't be playing in there.
5. Uninstall any known malware from Add/Remove Programs (XP) or Programs and
Features (Vista, Win7) if there is an entry for it. This usually will do no good (the Bad
Guys commonly lie about the effectiveness of their uninstaller), but nevertheless you can try
it. A lot of malware will attempt to open your browser during the "uninstall" process - often to
download more garbage - but since you are in Safe Mode and can't connect to the Internet,
just close out of the browser and move onto the rest of the cleanup.
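
Steps 3 and 4c above as a Windows PowerShell script, added here as an example and not taken from the guide; it assumes PowerShell is available (built into Vista and Windows 7, installable on XP) and uses the standard Explorer registry values Hidden, HideFileExt and ShowSuperHidden under the current user's hive. Making extensions visible matters because a file named like a document but ending in .exe is otherwise shown without the .exe.

```powershell
# Added example, not part of the original guide: apply the Folder Options settings
# from step 3 and the Windows temp-file cleanup from step 4c by script, then report
# the resulting state so you can confirm the change took effect.
# Run it as the user whose profile you are cleaning.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerVisibility {
    # Hidden: 1 = "Show hidden files and folders", 2 = do not show (step 3b)
    Set-ItemProperty -Path $explorerKey -Name 'Hidden' -Value 1 -Type DWord
    # HideFileExt: 0 = show extensions for known file types (step 3c); a file such
    # as "invoice.pdf.exe" is then displayed with its real .exe ending
    Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord
    # ShowSuperHidden: 1 = show protected operating system files (step 3d)
    Set-ItemProperty -Path $explorerKey -Name 'ShowSuperHidden' -Value 1 -Type DWord
    # Step 3a ("Display the contents of system folders") is an XP-only Explorer
    # option; set it through the Folder Options dialog as the guide describes.
}

function Test-ExplorerVisibility {
    # Returns $true only when all three values are in the "show everything" state.
    # A value that has never been written reads back as $null and counts as not set.
    $p = Get-ItemProperty -Path $explorerKey
    ($p.Hidden -eq 1) -and ($p.HideFileExt -eq 0) -and ($p.ShowSuperHidden -eq 1)
}

function Clear-TempFiles {
    # Step 4c by script: empty the user's temp folder and the Windows temp folder.
    # Files that are currently in use are skipped silently; that is expected.
    foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

Set-ExplorerVisibility
Clear-TempFiles
"Explorer shows hidden files, extensions and system files: $(Test-ExplorerVisibility)"
# Explorer windows that were already open keep the old settings; close and reopen them.
```

Browser caches (steps 4a, 4b) and the Java cache (4d) are separate from the Windows temp folders and still need the steps in the guide.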

B. Scanning for viruses
1. You should have a full-featured, current antivirus installed with updated
definitions. If you do not have a full-featured antivirus installed or you let your subscription
lapse, there is a high probability that your computer is infected. In that case, do not try and
install an antivirus until you have run either TrendMicro's Sysclean (instructions below) or
David Lipman's Multi_AV (see details here).

2. After you have done the initial scanning with one of these first-line tools, get and install a
full-featured antivirus. Update its definitions and do a thorough scan in Safe Mode. Again,
you should get all applications and updates from a different, known-clean computer because
you should still be working in Safe Mode, not online or connected to a LAN. If you are in
doubt about how infected the computer still is, wait to do this until after you've run scans
using MBAM and/or SuperAntiSpyware (see below).

C. Scanning for non-viral malware

1. Install and update Malwarebytes' Anti-Malware (MBAM). As mentioned in the Note
above, start by updating it and doing the Quick Scan in Regular Mode. There is a free
version of MBAM and although you can purchase it later if you like it and want to support its
creators, it is not necessary to buy it in order to use it.

1a. You can also check to see if there are targeted removal steps for your malware
here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
or here: Malwarebytes' malware removal guides - http://tinyurl.com/5xrpft

2. Install and update SuperAntiSpyware ("SAS"). Sometimes MBAM won't install/run well
on a machine or I feel scanning with another tool would be A Good Thing. In those cases I
use the free version of SAS. I don't normally leave SAS installed on clients' machines but if
you want to keep it, configure its options so it doesn't run resident. In the past, I've used
Spybot Search & Destroy but I don't normally use it any more. Certainly you can try it, but
Spybot S&D has an Immunize and TeaTimer feature that I find causes more trouble than it's
worth for end users. If you decide to use Spybot S&D anyway, don't enable the
Immunization or TeaTimer functions. I haven't used Lavasoft's Ad-aware for a long time and
no longer recommend it.

3. If the malware remains even after you've done all this, it is time to get guided help.
Choose one of the specialty forums listed here (in no particular order). Register and read its
posting FAQ. You will generally be asked to:

1. Download and execute HijackThis (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - in Notepad.exe, Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the forum you chose.

But follow the instructions in the posting FAQ of whatever forum you are going to use.
D. Recap of what you will need to have on-hand before you start the cleanup process

1. LSPFix or WinSockFix for XP - see links - in case the malware removal breaks your
Internet connectivity. If you have XP SP2/SP3, you don't need either program since you can
repair the connection from the command line:

Start>Run>cmd [enter]
netsh winsock reset catalog [enter]
1a. To repair or reset Winsock in Vista/Win7:
a. Start Orb>Search box>type: cmd.exe.
b. When cmd.exe appears in the Results above, right-click it and choose "Run as
administrator". Supply authentication in answer to UAC prompts and you'll get the command
prompt box. At the command prompt, type:
netsh winsock reset [enter]
When the command is completed successfully, a confirmation appears followed by a new
command prompt. Type:
exit [enter]
2. Sysclean or Multi-AV
3. Full-featured antivirus with updates downloaded separately for manual update
4. MBAM
5. SuperAntiSpyware
6. HijackThis
7. Possibly Process Explorer and Killbox. The free Autoruns program is excellent to
have, too.

E. After the machine is clean


1. If you are running Windows ME (is anyone still doing this?!!) or XP, Vista, or
Windows 7 you should disable/enable System Restore after the system is clean
because malware will be in the Restore Points. With ME, you must disable System Restore
completely. With the others, you can delete all but the most recent System Restore point
from the More Options section of Disk Cleanup, so make a nice new clean Restore Point and
then delete all the others.

2. Make sure you've visited Windows/Microsoft Update and applied all security
patches. Do not install driver updates from Windows/Microsoft Update.

3. Run a firewall. The Windows Firewall built into XP, Vista, and Windows 7 is fine for most
people. Third-party firewalls usually cause more problems than they are worth.

4. Practice "Safe Hex"! See these sites for information on not getting infested again.

http://www.getsafeonline.org/
http://www.getnetwise.org/
http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get Infected Anyway?
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.microsoft.com/protect/default.aspx - Microsoft Online Safety

I've written two informational articles about security and staying safe on the Internet that I
often give to clients. You can download them in .pdf form by right-clicking on the links and
choosing "Save Link As".

"Staying Safe or How to Not Have This Happen Again"


"Too Much Security"

F. Additional notes

Malware writers have gotten even more clever and their evil products more complex. Other
steps I normally take with more complex malware are:

1. See if the malware is running as a service and if so, stop and disable it. To examine
services in XP:
Start>Run>services.msc [enter]

To do the same in Vista/Win7, Start Orb>Search box>type: services. When Services
appears in the Results above, right-click it and choose "Run as administrator". Respond to
the UAC prompts as required.

2. Use a combination of HijackThis, Sysinternals' free Process Explorer, and Killbox to stop
any malware that has put hooks into explorer.exe (the Windows shell). I also use the
advanced HijackThis tools and the excellent Autoruns program from Sysinternals.

3. Manual examination and deletion of bad files.

4. Various other magical procedures, burnt sacrifices, and rituals. And no, I'm not going to
tell you what they are.

Important - Again, if the infestation requires the use of HijackThis and/or any other
advanced tools, you must know what you are doing. Unless you have a high level of
computer skills with an emphasis on removing malware (and if you do you probably aren't
reading this!), if you are at the point of needing to run HijackThis you should post your log to
one of the HJT forums listed below and let the experts there help you - OR take your
machine to a professional.
G. Links to help with malware

Software/Methods:
http://www.malwarebytes.org/index.php - MalwareBytes
http://www.superantispyware.com/ - SuperAntiSpyware
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download - HijackThis
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
More on this
http://aumha.net/viewtopic.php?t=4075 - Posting FAQ
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7
General:
http://aumha.net - look under "Security" for various forums
http://mvps.org/winhelp2002/unwanted.htm
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

TrendMicro's Sysclean

TrendMicro's Sysclean is an extensive antivirus tool which has the advantage of not needing
to be installed. It requires two parts - the scanning engine and the virus pattern files. Delete
all Temporary and Temporary Internet Files before running the program.

1. Create a new folder on your Desktop or the C: drive named something useful like
"Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like WinZip) or if you have
XP, you can just open the folder. You need to put the extracted files in the Sysclean folder
you made. For a more automated way to get Sysclean, use Dave Lipman's Sysclean_FE
from http://www.ik-cs.com/got-a-virus.htm .

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly tapping the F8
key as the computer is starting up to get to the proper menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com. Start the scan.
After the scan is finished, look at the log. You may need to make a note of where any viruses
were found if they were not able to be removed so you can manually delete them.

David Lipman's Multi-AV


If you are using Vista or Windows 7, you must run elevated. The download link is here:
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
and some additional instructions are here:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
To use this utility, perform the following in Regular Mode:
Execute: Multi_AV.exe (Note: You must use the default folder C:\AV-CLS)

Choose: Unzip
Choose: Close

Execute: C:\AV-CLS\StartMenu.BAT (or double-click on "Start Menu" in C:\AV-CLS)

This will bring up the initial menu* of choices and should be executed in Regular Mode first.
This way all the components can be downloaded from each respective AV vendor’s web site.
The menu choices are Sophos, Trend, Kaspersky, McAfee. Exit the menu and reboot the
PC.

*When the menu is displayed hitting ‘H’ or ‘h’ will bring up a PDF help file.

The package includes three additional DOS BAT files: C:\AV-CLS\DOSCLEAN.BAT;
C:\AV-CLS\KAVCLEAN.BAT; and C:\AV-CLS\SOFCLEAN.BAT. They are for use on a Win9x/ME
PC or on a Win2K/WinXP PC that is using FAT32 after you have booted from an Emergency
Boot Disk (EBD) or DOS disk and have already executed C:\AV-CLS\StartMenu.BAT and
selected McAfee and/or Sophos from the menu. These batch files will execute their
respective DOS CLS. If needed, DOS disk boot images can be obtained from
http://www.bootdisk.com/bootdisk.htm

If you are on an NT4, Win2K, WinXP or Win2003 Server that is using NTFS partitions, you
can obtain a free, personal copy of NTFS4DOS and create an NTFS-compliant DOS boot disk
from http://www.datapol-technologies.com/dpe/freeware/index.html

After you boot from the DOS Boot Disk you would execute:

C:\AV-CLS\DOSCLEAN.BAT -- for the McAfee DOS Command Line Scanner
C:\AV-CLS\SOFCLEAN.BAT -- for the Sophos DOS Command Line Scanner
C:\AV-CLS\KAVCLEAN.BAT -- for the Kaspersky DOS Command Line Scanner

You can choose to go to each menu item and just download the needed files, or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode (F8 key
during boot), re-run the menu and choose which scanner you want to run in Safe
Mode. In each scanning module you will be prompted whether you want to scan at that moment or
not; if you choose to perform a scan, the McAfee and Sophos modules will ask whether you
want to scan a specific folder or location. The Trend Sysclean module uses the Sysclean
GUI, which also provides the ability to scan a selected folder or location. So with this utility
one has the ability to scan in Normal Mode, Safe Mode, a selected folder or location, and to
scan FAT32 and NTFS partitions after booting from a DOS Boot Disk. Which scanners you use,
and how, will depend on what is needed to disinfect the system. To improve the efficacy of the
scanning process, it is suggested that you also read the following information:

"How to perform a clean boot in Windows XP" - http://support.microsoft.com/kb/310353

To start the use of the Multi AV scanning front end:

Execute: C:\AV-CLS\StartMenu.BAT (or Double-click on 'Start Menu' in C:\AV-CLS)

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through
your firewall to allow it to download the needed AV vendor-related files.

Each Command Line Scanner (CLS) will create a log of what has been done.

Sophos - The files for the Sophos CLS are located in C:\AV-CLS\Sophos and the log file is
called C:\AV-CLS\Sophos\ScanReport.TXT. At the end of the scan, it will be displayed in
your text editor, NOTEPAD.EXE.

Kaspersky - The files for the Kaspersky CLS are located in C:\AV-CLS\KAV and the log file
is called C:\AV-CLS\KAV\ScanReport.TXT. At the end of the scan, it will be displayed in
your text editor, NOTEPAD.EXE.
Trend - The files for the Trend Sysclean CLS are located in C:\AV-CLS\Trend and the log file
is called C:\AV-CLS\Trend\Sysclean.log. At the end of the scan, and when you close
Sysclean, it will be displayed in your text editor, NOTEPAD.EXE.

McAfee - The files for the McAfee CLS are located in C:\AV-CLS\McAfee and the log file is
called C:\AV-CLS\McAfee\ScanReport.HTML. At the end of the scan, it will be displayed in
your browser (Opera, FireFox or Internet Explorer).

It is suggested that you move each respective report out of the vendor's folder
(C:\AV-CLS\<AV vendor>) or save a new copy of the report before performing another scan. It
would be good practice to scan in both Safe Mode and in Normal Mode and to save a copy
of the report representing each session for comparison of the results.

Process Killer - Included in the C:\AV-CLS folder is a file called killproc.txt which is used to
shut down or kill running processes prior to scanning the platform. There are two processes
already in the text file: Iexplore.exe (Internet Explorer) and firefox.exe (Firefox).

Add any further names to the text file, making sure the last line is a
blank line. For example, if the following processes needed to be shut down - mszx23.exe,
w32tm.exe, Tibs3.exe and rundll32.exe - they would be appended to the list in killproc.txt;
again, make sure that the last line of the text file is a blank line. Then, prior to scanning the
platform, all of the processes listed in the text file will be shut down (killed).
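A small pre-flight check for the killproc.txt list described above, as an added example in Python (not Multi_AV's own code or the page's); the list contents and the tasklist output are constructed samples, and the reason given for the trailing-blank-line rule is an assumption:

```python
"""Validate a Multi_AV killproc.txt list before running the scanners.

Added example, not Multi_AV's own code. The list and the tasklist output are
constructed samples. The page requires the file to end with a blank line; this
check assumes the reason is that a batch-file line reader can skip a last line
that carries no line terminator, so such a file is reported as unusable.
"""
import csv
import io

def parse_killproc(text):
    """Return (image_names, problems) for the text of killproc.txt.

    Names are de-duplicated case-insensitively; anything that is not a plain
    .exe image name is reported rather than silently passed to the killer.
    """
    problems = []
    if not text.endswith("\n"):
        problems.append("last line has no line terminator: add a blank final line")
    names = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()
        if not name:
            continue                                   # the required blank line
        if "\\" in name or "/" in name or not name.lower().endswith(".exe"):
            problems.append("line %d: %r is not a bare .exe image name" % (lineno, name))
            continue
        if name.lower() not in (n.lower() for n in names):
            names.append(name)
    return names, problems

def running_from_list(names, tasklist_csv):
    """Listed images that are running, given `tasklist /FO CSV /NH` output."""
    running = {row[0].lower() for row in csv.reader(io.StringIO(tasklist_csv)) if row}
    return [n for n in names if n.lower() in running]

# Constructed sample: the two default entries plus appended names, saved
# without the required trailing blank line (and a corrected copy).
SAMPLE_KILLPROC_BAD = "Iexplore.exe\nfirefox.exe\nmszx23.exe\nrundll32.exe"
SAMPLE_KILLPROC_OK = SAMPLE_KILLPROC_BAD + "\n"

# Constructed `tasklist /FO CSV /NH` output: image name, PID, session, ...
SAMPLE_TASKLIST = (
    '"explorer.exe","1512","Console","1","20,000 K"\n'
    '"firefox.exe","2344","Console","1","96,500 K"\n'
    '"rundll32.exe","3780","Console","1","4,100 K"\n'
)
```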

Further notes:

1. If a hosts file is found by this utility, it will be renamed from "hosts" to "hosts.bak" since
malware has a tendency to modify the hosts file to block access to antivirus vendor web
sites and thus possibly blocking the ability to download the needed Sophos, Trend Micro or
McAfee files.

2. The directory C:\AV-CLS is hard coded and should not be changed.

3. Because malware corrupts AUTOEXEC.NT and CONFIG.NT, these files will be
renamed with the .BAK extension and the OS default files restored. This helps make
sure that other software that uses those files will run correctly and without errors.

4. You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

5. On Win9x/ME platforms a backup of WIN.INI and SYSTEM.INI will be made (with the BAK
extension) and both will be examined such that the SYSTEM.INI SHELL= statement is set to
shell=explorer.exe and the WIN.INI LOAD= and RUN= statements are set to null. If the
SHELL= line is other than shell=explorer.exe, it will be set to shell=explorer.exe and if the
LOAD= and/or RUN= lines are not set to null then they will be set to null since these are
vectors for loading malware.

6. If you run the McAfee CLS from a DOS boot disk or from a DOS boot disk with
NTFS4DOS, the HTML log file name will be truncated to conform to the DOS 8.3 naming
convention and the resultant file will be called C:\AV-CLS\McAfee\ScanRepo.HTM.

7. If you run the Sophos CLS from a DOS boot disk or from a DOS boot disk with
NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and the log file will
be called C:\AV-CLS\Sophos\AVReport.txt.

8. If you run the Kaspersky CLS from a DOS boot disk or from a DOS boot disk with
NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and the log file will
be called C:\AV-CLS\KAV\AVReport.txt.

9. Continued use of the respective AV scanners will keep them current since they will
download the most recent signature and engine files for you.
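The two load points that notes 1 and 5 above reset (the hosts file, and the SHELL=/LOAD=/RUN= lines of SYSTEM.INI and WIN.INI), as an added detection example in Python that is not Multi_AV's code or the page's; the hosts and INI texts are constructed samples and PROTECTED_SUFFIXES is an assumed vendor list, not one the utility ships:

```python
"""Pre-scan checks for the load points that Multi_AV's notes 1 and 5 reset.

Added example, not Multi_AV's code or the page's. Inputs below are constructed
samples; a real check would read %SystemRoot%\\System32\\drivers\\etc\\hosts,
WIN.INI and SYSTEM.INI. PROTECTED_SUFFIXES is assumed, not the utility's list.
"""
import configparser

# Vendor domains the cleanup must be able to reach (assumed, for illustration).
PROTECTED_SUFFIXES = ("trendmicro.com", "mcafee.com", "sophos.com",
                      "kaspersky.com", "malwarebytes.org")

def hosts_hijacks(hosts_text):
    """(ip, hostname) pairs mapping a vendor host anywhere: blocking via
    127.0.0.1/0.0.0.0 and redirection to another address are both reported."""
    found = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comment, tokenize
        if len(parts) < 2:
            continue                              # blank or malformed line
        for name in parts[1:]:
            if name.lower().endswith(PROTECTED_SUFFIXES):
                found.append((parts[0], name.lower()))
    return found

def _section(ini_text, name):
    """Key/value pairs of one INI section; keys lower-cased, last value wins."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    return dict(cp[name]) if cp.has_section(name) else {}

def ini_findings(system_ini, win_ini):
    """SHELL=, LOAD= and RUN= values that differ from the clean defaults."""
    findings = {}
    shell = _section(system_ini, "boot").get("shell") or ""
    if shell.lower() != "explorer.exe":
        findings["SYSTEM.INI shell="] = shell
    windows = _section(win_ini, "windows")
    for key in ("load", "run"):
        if windows.get(key):                      # anything but null is a hit
            findings["WIN.INI %s=" % key] = windows[key]
    return findings

# Constructed samples: two blocked vendors, one redirected, one harmless entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   www.trendmicro.com
0.0.0.0     downloads.mcafee.com   # blocked
192.0.2.10  www.malwarebytes.org   # redirected to an attacker address
127.0.0.1   intranet.example       # legitimate local entry
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe dropper.exe\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dropper.exe\n"
```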

Courtesy: Elephantboys
