Windows cleanup
From HelpDeskWiki
This is a list of things you can do to clean up both a "normal" Windows system and one infested with viruses, spyware, and other malware. It is geared to Windows XP, especially SP2, but most of it applies to other Windows versions with little or no modification, and the same principles apply to operating systems (OSes) other than Windows.
Note that this article does NOT discuss tweaks and software for general speedup and to prevent future infections; for this, see the article on fine-tuning Windows.
If possible, perform the following steps (except where mentioned otherwise) in Safe Mode (http://www.computerhope.com/issues/chsafe.htm). (Tap F8 about once a second after turning on the computer.) Be sure to restart the computer normally (NOT in Safe Mode) before performing these steps, to be sure that any pending (un)install is complete. If you see anything unusual happen when the computer starts up, restart it one more time.
- Uninstall all unneeded software in normal mode (NOT in Safe Mode). Restart the computer in Normal mode afterwards, then restart again in Safe Mode for the remainder of the steps. Surprisingly often, malware is actually listed in the Control Panel's Add or Remove Programs and can even be removed using this normal method for uninstalling software. Many times, people unnecessarily spend hours learning to deal with difficult new concepts and geeky programs like HijackThis and/or complicated help offered in help forums. So it's best to always first go through the list in Add or Remove Programs carefully and slowly and to uninstall anything that is unknown or at least anything that is suspicious. Do NOT uninstall anything which came preinstalled on the computer, unless advised to do so by an expert.
- Install and run CCleaner (http://www.ccleaner.com). Either let this program make a backup or first make a new System Restore point (Start > (All) Programs > Accessories > System Tools > System Restore). You will probably want to turn OFF the IE options, except for Temporary Internet Files and INDEX.DAT file, and turn ON all of the Advanced items (but leave Hotfix Uninstallers turned off). If you use Firefox / Mozilla, you'll probably want to turn OFF all of those options, except for Internet Cache. Use both the Cleaner button (+ Run Cleaner button) and the Registry button (+ Scan for issues + Fix selected issues + Fix all selected issues buttons). The registry scan will need to be run at least twice.
- On most computers, many programs unnecessarily start automatically. Some ask for permission to do this during installation, some don't. It is usually easy to prevent legitimate programs from starting automatically by using their own settings, for example by right-clicking on icons in the area next to the clock. In case you don't want to spend time looking for the different location of this setting in each program, this can be done much more easily by using a good startup monitor like Startup Control Panel (http://www.mlin.net/StartupCPL.shtml). It is very important to NOT disable the startup of any unknown program this way because it can be an essential part of a security program or of Windows! Windows has its own startup monitor MSCONFIG (Windows button + R), but this is much less user friendly.
- Check that anti-virus software is reputable, updated, and not expired. Be wary of online virus scanners; most do not seem to find as much as the version installed on your computer, they seem to give more false positives, and many do not offer cleaning capability. BitDefender (http://www.bitdefender.com/scan8/ie.html) seems to be the best online scan by far, and it also removes what it finds. (Be sure to read the warning and check the settings!) Kaspersky's (http://www.kaspersky.com/virusscanner) online scan often finds even more malware, but it does not remove anything.
- According to the Virus Bulletin test (http://www.virusbtn.com/vb100/about/index.xml), Avast! (http://www.avast.com/eng/avast_4_home.html) is consistently the top-rated (free registration required) antivirus program, and it has a free version. Computer scientists criticize that test because it allows vendors to improve their ratings retroactively through program improvements and because it places too much emphasis on old, no longer circulating viruses instead of the ability to clean computers with current real-life malware. The less industry-based and more scientific tests provided here (http://www.av-comparatives.org/) give a much higher detection rating to other programs. In these tests, the highest detection rate is achieved by AntiVir (http://www.free-av.com), which uses the same technology and virus definition files in its free version. AntiVir did not achieve an excellent overall rating in the most recent of those tests due to some false positives, but these were not critical and most if not all have been corrected in the current version. This graph (http://winnow.oitc.com/AntiVirusPerformance.html) based on testing carried out by the reputable Malware Incident Reporting & Termination (MIRT) team at CastleCops also shows that AntiVir is by far the best antivirus, especially in dealing with new threats. The methodology of the tests is explained here (http://winnow.oitc.com/avcentral.html) and praised here (http://sunbeltblog.blogspot.com/2007/02/recognizing-paul-and-robin-laudanski.html). Do a full scan of your computer, and clean as necessary. Most antivirus and other antimalware programs are currently only fully effective when run in Windows's safe mode and in all user accounts.
- Install the latest version of a good antispyware program (see Anti-spyware_software). Do an immediate update. If you believe the system is contaminated, do an intelligent quick scan, if provided, for faster results. Set the program to Always Ignore anything that you are pretty sure is legitimate (increasingly unlikely), and remove anything else. Repeat until the computer appears to be clean; it often takes multiple passes. Once the system appears to be clean, run a FULL scan. Note that sometimes WinSockFix (see below) needs to be run after cleaning with some antispyware programs. In case any antispyware program finds any real infection, i.e. not just tracking/"spyware" cookies, run at least two other antispyware programs. Most antispyware and other antimalware programs are currently only fully effective when run in Windows's safe mode and in all user accounts.
- Scan with at least one antitrojan program: See antivirus software (http://www.local.nu/HelpDesk/index.php/Anti-virus_software) for links to free ones and to ones that are free for a trial period.
- In case you need more detailed help in installing and running antimalware programs, follow a comprehensive malware removal guide like this (http://www.geekstogo.com/forum/Must-Read-Before-Posting-Hijackthis-Log-t2852.html) or this (http://forums.majorgeeks.com/showthread.php?t=35407). Especially the first link also takes you to an excellent online forum where you can get help for free from friendly experts.
- Most antivirus and antispyware programs do not clean an infested hosts file (http://en.wikipedia.org/wiki/Hosts_file). Opinions differ on whether it is good to use the default file or to add long lists of sites that one wishes to block. Normal users have trouble finding and removing rogue entries placed there by malware, and many do not even have the necessary skills to replace an infected file with a clean version.
- Press Windows-key + R to open the Run box, and type in SFC /SCANNOW. You'll probably need your Windows CD. This tool scans the Windows system files and replaces any which appear to have been altered or corrupted. You will probably need to check for and re-install security updates afterwards.
- If the above antimalware programs cannot (yet) get rid of some infection, and/or if something seems to keep reinstalling itself every time you restart the computer, or if any other program runs at startup that you cannot figure out how to disable (see note below), try AutoRuns (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx) from SysInternals (now part of Microsoft). This is the most comprehensive startup monitor available, and it can at least prevent malware from starting automatically until updated versions of your antimalware programs know how to get rid of it. This is a very powerful and therefore also dangerous security program intended for technicians. Do NOT use it to disable *anything* that you are not sure about, without assistance! Note that this utility is updated frequently, so be sure to get the latest version. Instead of Autoruns, you may prefer something easier to use but less comprehensive like Startup Control Panel (http://www.mlin.net/StartupCPL.shtml). Almost any startup monitor is better than Windows's MSCONFIG (Windows button + R) due to its lack of program info and user friendliness. (Note: Legitimate programs are usually best prevented from starting automatically by using their own settings, for example by right-clicking on icons in the area next to the clock.)
- Only if some malware remains after performing all the above steps, download and run the latest version of HijackThis (http://merijn.org/downloads.html)* in a new folder of its own after unzipping it. This is a very powerful and therefore also dangerous security program. Do NOT use it to delete *anything* that you are not sure about! If you're not familiar with interpreting HJT logs, there's a manual here (http://www.bleepingcomputer.com/tutorials/tutorial42.html) and a log analyzer here (http://hjt.iamnotageek.com), although these are not substitutes for getting help from someone who's familiar with the subject, for example in one of these forums specialised in helping normal users: TeMerc (small forum, fast response) (http://temerc.com/phpBB2/viewforum.php?f=12&sid=c1414fccdeb96df63463e697dc695b01), Geeks To Go (http://www.geekstogo.com/forum/Malware-Removal-HijackThis-Logs-Go-Here-f37.html), Bleeping Computer (http://www.bleepingcomputer.com/forums/forum22.html).
- For bad cases, especially with connectivity problems, use WinSockFix (http://www.majorgeeks.com/download4372.html)* (the original homepage seems to have gone away) or LSP-Fix (http://www.cexx.org/lspfix.htm).
- For bad cases, especially with branded (customized) versions of IE from an ISP, use UnBrand.vbs (http://www.dougknox.com/utility/scripts_desc/unbrand.htm)*.
- For bad cases, especially when an infestation seems to keep coming back, try the latest version of CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html)*.
- For bad cases, especially when IE seems to have trouble with specific sites, open IE, click on Tools > Internet Options, go to the Security tab and click on the "Default Level" button for each of the zones. Then, click on the "Default" button on the Privacy tab. Then, on the Content tab, click on the Disable button, if it exists. Then, on the Programs tab, click on the "Reset Web Settings" button. Lastly, on the Advanced tab, click on the Restore Defaults button.
- If IE continues to have trouble with specific sites, rename the %SystemRoot%\SYSTEM32\DRIVERS\ETC\HOSTS file.
- For strange problems, or if you're feeling paranoid, run Rootkit Revealer (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx)*, which, in addition to identifying possible stealthed rootkits, can also identify odd corruptions of the file system and registry. This is the utility that was used to discover the DRM software (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html) which became Sony BMG's public relations headache (http://www.sonysuit.com) in November 2005. Note that this utility is updated frequently, so be sure to get the latest version. Be sure to follow the instructions when using it, to avoid false positives. The site has other free utilities which may be useful for other problems. For more info on rootkits, see this link (http://www.spywarewarrior.com/viewtopic.php?t=17607). Avira AntiRootkit Tool (http://www.avira.com/en/support/support_downloads.html) and AVG Anti-Rootkit Free (http://free.grisoft.com/doc/5390/us/frt/0?prd=arw) are easier to use.
- Check for and delete 0-byte fonts in the FONTS folder (click View > Details to see file sizes).
- Download, install and run RegVac Trial Version (http://regvac.com/regvac.htm)* in Novice mode. After that, turn on Expert mode and use the Pack option. Technicians may want to note that this can be run from a USB flash drive.
- Run Chkdsk or its equivalent, ScanDisk (Windows 95, 98, ME). In XP, right-click on each hard disk in My Computer > properties > tools > error checking.
- Defragment. If only the built-in defragmenter is available, then install and run the trial version of Diskeeper (http://www.diskeeper.com/diskeeper/home/trialware.aspx)*. Use the option to expand the MFT to recommended size. Set the defragmentation method to Max Performance and schedule a boot-time defragmentation for all drives; set the options to defragment the MFT and paging file on all drives. Restart the computer so that the defragmentation starts. If you choose to keep this program, note that this otherwise-excellent program has (had) problems with background defragmentations. You may also want to try PerfectDisk (http://www.raxco.com/products/downloadit/perfectdisk_download.cfm) - although it only has a 30-day free trial - because it seems to be better according to this (http://www.raxco.com/products/perfectdisk2k/comparedk.cfm) and this (http://www.raxco.com/products/perfectdisk2k/best.cfm) and this (http://discussions.virtualdr.com/showthread.php?t=195978) information provided by the manufacturer. PerfectDisk also performs significantly better than Diskeeper according to this (http://www.raxco.fi/doc_images/Balder_FreeSpace_WhitePaper.pdf) independent comparison by Balder. Other possibilities include VoptXP, which is compared to PerfectDisk here (http://discussions.virtualdr.com/showthread.php?t=150498) and DIRMS (http://www.dirms.com/). Other choices are discussed here (http://forum.worldstart.com/showthread.php?t=12041).
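As an added example for the hosts file steps above (this is not code from the wiki article): the following PowerShell script audits the hosts file for the two patterns malware leaves there, names pointed at a non-loopback address (a redirect) and update or security-vendor domains pinned to loopback (a block), and can move the file aside and write the stock default instead of renaming it by hand. The $HostsPath parameter, the -RestoreDefault switch and the domain watch-list are assumptions of the example; it needs PowerShell 3 or later at an administrator prompt.

```powershell
# Added example, not from the HelpDeskWiki article. Assumptions: PowerShell 3 or
# later, run as Administrator; the watch-list of domains is illustrative.
param(
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
    [switch]$RestoreDefault   # move the audited file aside and write a clean default
)

# Update and security-vendor domains that malware commonly blocks or redirects in
# the hosts file; an entry naming one of these is suspicious whatever it maps to.
$watchDomains = @('windowsupdate.com', 'update.microsoft.com', 'avast.com',
                  'bitdefender.com', 'kaspersky.com', 'free-av.com', 'avira.com',
                  'grisoft.com', 'sysinternals.com', 'ccleaner.com')

$findings = @()
$lineNo = 0
foreach ($line in Get-Content -Path $HostsPath) {
    $lineNo++
    $entry = ($line -split '#', 2)[0].Trim()       # drop trailing comments
    $fields = $entry -split '\s+'
    if ($fields.Length -lt 2) { continue }          # blank, comment-only or malformed
    $address = $fields[0]
    $loopback = $address -match '^(127\.|0\.0\.0\.0$|::1$)'
    foreach ($name in $fields[1..($fields.Length - 1)]) {
        if ($name -eq 'localhost' -and $loopback) { continue }   # the stock default line
        $reason = $null
        if (-not $loopback) {
            $reason = "maps to non-loopback address $address (possible redirect)"
        } elseif ($watchDomains | Where-Object { $name -like "*$_" }) {
            $reason = "security/update domain forced to $address (possible block)"
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Line = $lineNo; Host = $name; Address = $address; Reason = $reason }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No suspicious entries in $HostsPath"
} else {
    $findings | Format-Table -AutoSize
}

if ($RestoreDefault) {
    # Keep the original as evidence, then write the stock XP hosts file.
    $backup = "$HostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Move-Item -LiteralPath $HostsPath -Destination $backup
    Set-Content -LiteralPath $HostsPath -Value "127.0.0.1`tlocalhost" -Encoding Ascii
    Write-Host "Original moved to $backup; default hosts file written."
}
```

Long blocklists that map sites to 127.0.0.1 or 0.0.0.0 are reported only when they name a watched domain, so either hosts-file policy the article mentions passes the audit.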
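For the startup-program steps above, as an added example that is not part of the article: this PowerShell script lists the Run/RunOnce registry keys and both Startup folders and shows, for each entry, whether the program file exists and whether it carries a valid Authenticode signature, which gives evidence for deciding whether an "unknown" entry is really unknown before anything is disabled. Get-ExecutablePath and Get-StartupEntryInfo are helper names chosen for the example; it assumes PowerShell 3 or later running as administrator.

```powershell
# Added example, not from the HelpDeskWiki article. Assumptions: PowerShell 3 or
# later on .NET 4, run as Administrator. Startup-folder .lnk shortcuts are listed
# but not resolved to their targets, so they show as unsigned.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),        # this user
                 [Environment]::GetFolderPath('CommonStartup'))  # all users

# Pull the program path out of a command line: a quoted path, or the first token
# ending in .exe; anything else is returned as-is for manual review.
function Get-ExecutablePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-StartupEntryInfo([string]$Source, [string]$Name, [string]$Command) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $Command))
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $signer = 'n/a (file missing)'
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $exe; Exists = $exists; Signer = $signer }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $entries += Get-StartupEntryInfo $key $valueName ([string]$regKey.GetValue($valueName))
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $entries += Get-StartupEntryInfo $dir $file.Name $file.FullName
    }
}
# Missing files and unsigned programs deserve a closer look; a valid signature from a
# known vendor usually marks the legitimate programs the article says not to disable.
$entries | Sort-Object Exists, Signer | Format-Table -AutoSize
```

The script only reports; disabling an entry is still done in the program's own settings or in Autoruns, as the steps above describe.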
After cleaning a system, you should, if possible, adjust system settings and install and configure appropriate software in order to help prevent further problems. For this, see the article on fine-tuning Windows, especially the parts for improving security.
Explore the options in your anti-spyware program; many contain tools which are useful for cleaning systems. Sunbelt's CounterSpy, Microsoft Antispyware, Spybot Search & Destroy, and Webroot SpySweeper contain such tools.
Technicians will find that all of the utilities listed here will fill less than half of a 1 GB USB flash drive; 4 GB drives are available online for under US$80, and a model which hides the connector when not in use (instead of a removable/losable cap) is recommended. These devices are much more convenient than CDs, hold more, are easily updated, are harder to damage, and will work with any computer which has a USB port (few do not nowadays). You'll need a driver floppy for computers that have Windows 98. The problem with USB drives is that they tend to die after a while.
* The software listed on this page is listed here because it currently appears to be among the best available for the task in question. There may be other tools that are even better. If you find any that you honestly think are better for the job, and which preferably are free or have usable trial versions, feel free to update this article to include them.