ArchangelX - 12-22-2008, 04:31 PM   #1
Repairing WinXP/Vista - Guides, tools, & links to help get you back on your feet!

Hi all,

Recently, I had a rough time after visiting a specific site (that shall not be named lest you destroy your computer with it) without having my anti-virus up, and I've paid the price with some absolutely horrendous malware, spyware, rootkits, and trojans that literally took over my computer completely in a day. Even if you have an anti-virus program running in the background, there's still a chance that your PC can become horribly infected. And sometimes, even for the most avid power user, figuring out just what's going on can be a huge problem.

I'm going to post some links to some FREE tools and guides that may help you get back on your feet, so if you ever have a problem, just take a look at this thread for a head start instead of searching all over the internet like I've had to do. I've decided to host the latest versions of some of these tools on Hawaii Talks, just in case you ever experience a virus that denies you access to the most common and important AV websites or even takes over your web browsers. I've experienced this, which makes it incredibly frustrating and near impossible to download what you need to get things working again, so this should be a nice way to get around that. Please realize that this might not be the most updated version nor is it the "trusted" version. It's only provided in the eventuality that you're locked out from downloading from the main sites like I have been in the past! Try the primary download links first! All files are packed in .zip format. WinXP should be able to extract them, but if not, try WinZip.

First off, please remember that if you use any of these tools you do so at your own risk. I cannot be held responsible if you muck up your computer, so make sure you read thoroughly and understand the processes you're about to undertake before you press the "go" button. Also, if you don't have a copy of WinXP/Vista residing on your hard disk somewhere, I highly suggest that you copy it over pronto in case you ever lose it (like I did). You can even use an image with Daemon Tools as a backup.

Secondly, I'll cover the most frustrating experiences and the tools I use to get rid of them. Most of these tools have online guides and tutorials, so I'm not going to reinvent the wheel but will just link directly to the guides. This will still provide the same effect of saving you time searching all over the intarweb. Also, my primary system is still WinXP but I will try to cover Vista as well.

And finally, remember, I'm just a mid-range power user, and there are many ways to go about fixing your computer. This is just something I hope can help you out if you need it, but I'm not the expert so don't hang me if you have a different opinion.

So here we go!

Scanning & Cleaning Your Computer

Links to recommended Free Anti-Virus and Anti-Mal/SpyWare Programs

Here are a few recommended free utilities that can help to keep your computer clean and free of viruses. I'd recommend doing your best using these tools before trying any of the following fixes, just to try and have as clean of a slate as possible. They're usually very straightforward and easy to use, but if you have questions please feel free to ask.

Also a MAJOR word of caution: Be very careful about what type of protection you download from the internet, as there are TONS of spyware/malware disguised as tools to help clean your computer, when in fact they're the same thing you're trying to get rid of! Don't ever download any anti-whatever if you're forced to, or if you encounter pop-up ads telling you that your system is infected/whatevers. That's a huge no-no! Only use trusted tools and utilities such as the ones below. If you have doubt, do a search on it to see if it's a reputable and reliable company!!!

AVG Free - One of the best free tools on the net for protection against viruses & spyware. (HT Download Link)

Ad-Aware Free - Probably the definitive resource against Spyware, A must have for cleaning your system of the crap you encounter everyday while surfing. (HT Download Link)

avast! - Another great, free alternative that provides both anti-virus and spyware protection. (HT Download Link)

Trend Micro HouseCall - A free, online-based alternative.

There are tons more sites that I could add, but these are some of the most common ones I use to scan my computer. If you have favorites, please feel free to list them!

Logging in as Administrator/Safe Mode

It is highly recommended to login as an Administrator using Safe Mode. To access Safe Mode, reboot your computer and press F8 at the blinking cursor that appears right before booting into WinXP/Vista. More information on this process can be found at these links: A description of the Safe Mode Boot Options in WinXP and Start your computer in safe mode (Vista)

The reason for logging in as an Administrator in Safe Mode is two-fold. First, you'll need to be an Administrator to perform many of the fixes listed below otherwise you might not have the necessary permissions. Second, performing these operations in Safe Mode can help protect you from malware & spyware that may have infected your computer. Safe mode is really just the OS with a limited set of default files and drivers, so any malicious programs you've installed have a reduced chance of causing problems.

See what Processes are running using Windows Task Manager

A handy way to check out the health of your PC is to look at what processes are running in the background. Without any additional programs to install, you can do this by hitting CTRL-ALT-DEL...which will bring up the Windows Task Manager. Take a look by clicking on the Processes tab. You can see what's being run, how much RAM it's taking, who the owner is, as well as look at how much it's affecting your performance. The other tabs, such as Applications, Performance, Networking, and Users, provide additional insight into what your computer is doing in real time. This can help you troubleshoot problems!

For example, when your computer isn't doing anything, the System Idle Process should have most of the CPU appropriated to it. It's called Idle for a reason, because when your computer is idling, these "free" cycles are there waiting to be used. Anytime a process is begun, such as outlook.exe (Microsoft Outlook) or winword.exe (Microsoft Word), CPU time is taken from the System Idle Process and put towards operating that particular program.

If you've ever opened up a program, only to have it hang or become sluggish while watching your performance slow to a crawl...using CTRL-ALT-DEL and the Windows Task Manager is one way to fix the problem. Simply find the process that's hanging and using up all the CPU time, select that item, and then hit the End Process button at the bottom right. You can also do this for Applications that are hanging using the End Task button.

Windows Task Manager is a great tool to use. Perhaps explorer.exe has hung or crashed, forcing you to "End" the process...leaving you a blank space at the bottom of your screen where your taskbar should be? A quick fix is to hit the New Task button and type in "explorer.exe" to restart explorer back to its original state. For example, sometimes my Windows Media Player hangs...and no matter how many times I click the WMP button, it never launches. Sometimes that process is "hung", so a quick fix is to simply hit CTRL-ALT-DEL and End Task all instances of "wmplayer.exe". That usually does the trick, and it's applicable to a lot of problems.

But a word of caution...there are definitely some processes that you don't want to "kill" as they're necessary for the performance and operation of your operating system (OS). You should never kill a process unless you are absolutely sure that it's safe to do so! Most processes that are owned by your own user account aren't usually necessary...and are safe to kill to free up additional memory. If you screw up, your system may hang, but a fresh restart (reboot) will restore these processes. One way I use the Task Manager is in my "Games" profile that I created specifically to play games...once within this profile, I usually hit CTRL-ALT-DEL and kill any processes that aren't necessary to speed up my computer. This is usually great for older, slower computers that need every bit of oomph they can get!

Looking Deeper Using Process Explorer

Viruses, Trojans, Malware, Spyware, and other malicious logic sometimes install themselves as running processes that can scoop up valuable processing time and hang your computer or even worse, make itself integral to your system by connecting itself to "legal" processes. You can see what is what, and where it's at by using Process Explorer (procexp). This is an additional tool that's basically an expanded version of Windows Task Manager.

Taken from Microsoft TechNet...

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Using procexp, you can track down spyware running in the background, and by right-clicking on the process, then selecting Properties, you can go through several tabs listing some very valuable information to track what's going on with your OS. Check out the guide below to get started using this fantastic program.

Process Explorer Links

Primary Download
Process Explorer

Secondary Download
Process Explorer @ HT

Instructions for use of Process Explorer can be found here:
Sysinternals Forums: Process Explorer Guide For Newbies

Sysinternals Forums for Process Explorer

Secondary Guide Download Links:
uploads/ - part 1 (DLLs) @ HT
uploads/ part 2 (Process Explorer) @ HT
uploads/ part 3 (Process Explorer) @ HT

Using HiJackThis

HiJackThis has long been a staple of the online community's fight against malicious programs, and is one of the best places to start off to really clean up your computer. Sometimes a virus/malware/spyware/trojan will be cleaned out by whatever anti-whatever scanner you're using, but it hides itself on your computer somewhere, and upon reboot...a command hidden in your registry tells it to re-install itself. It can be a real pain to get rid of this situation. That's where HiJackThis comes in.

HiJackThis scans specific areas of the Registry and the Hard Drive, and then lists their contents in an easy to read list. This list allows you to check and remove entries at will. It is VERY important that you take care when using HiJackThis as you can seriously mess up your computer by removing essential services. I recommend using this program with the utmost care. Make sure to research every process that you intend to remove before doing so! If you have doubts, simply look up the program or file it is referring to on the internet! Or if you need help, post your logfile here and I'll take a look, or check out BleepingComputer's community forums for help. They've got some really great people that can check out your logfile and tell you what you should and shouldn't remove!
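A small triage helper for the O4 (startup) entries in a HiJackThis log, added here as an example and not part of HiJackThis or this post: it parses each O4 line, works out which file actually executes (following rundll32 to the DLL it hosts), and flags entries that run from temp or profile folders, that borrow a core Windows process name outside system32, or that give only a bare file name. The log lines are constructed samples, and the path checks assume an English Windows install on drive C:.

```python
"""Triage of HiJackThis 'O4' (startup) entries: parse each line, pull out
the program that actually runs, and flag the locations malware favours."""
import re

# Matches:  O4 - HKLM\..\Run: [EntryName] C:\path\prog.exe /args
O4_RE = re.compile(r"^O4 - (?P<hive>[^\[]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First program-like token in the command, quoted or not.
TARGET_RE = re.compile(
    r'"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|pif))"?(?=[\s,"]|$)',
    re.IGNORECASE)

SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Substrings (lower-case) of locations malware commonly persists from.
SUSPICIOUS_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                      "\\documents and settings\\", "\\users\\", "\\recycler\\")
# Names of core Windows processes that only belong in system32.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
                "csrss.exe", "services.exe", "smss.exe"}


def program_target(cmd):
    """Return the lower-cased path of the file that really executes."""
    m = TARGET_RE.match(cmd)
    if not m:
        return cmd.strip().lower()
    path = m.group("path").lower()
    # rundll32 only hosts a DLL; the DLL named in its arguments is the payload.
    if path.rsplit("\\", 1)[-1] == "rundll32.exe":
        m2 = TARGET_RE.match(cmd[m.end():].strip())
        if m2:
            path = m2.group("path").lower()
    return path


def reasons_for(path):
    """Why a startup entry deserves a second look (empty list = looks normal)."""
    if "\\" not in path:
        return ["bare file name, resolved via PATH: verify where it really lives"]
    reasons = []
    if any(marker in path for marker in SUSPICIOUS_MARKERS):
        reasons.append("runs from a user-writable location")
    if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not path.startswith(SYSTEM32):
        reasons.append("core system process name outside system32")
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("outside the standard Windows/Program Files directories")
    return reasons


def triage(log_text):
    """Parse every O4 line of a HiJackThis log into a list of findings."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:            # R0/O2/O23... sections are out of scope here
            continue
        path = program_target(m.group("cmd"))
        findings.append({"name": m.group("name"), "hive": m.group("hive"),
                         "path": path, "reasons": reasons_for(path)})
    return findings


# Constructed sample log lines in HiJackThis format (not a real machine's log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" /minimized
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Bob\Local Settings\Temp\svchost.exe
O4 - HKCU\..\Run: [updater] C:\RECYCLER\S-1-5-21-0000\update.exe /s
O4 - HKCU\..\Run: [msmsgs] msmsgs.exe /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "CHECK" if f["reasons"] else "ok   "
        print(f"{flag} [{f['name']}] {f['path']}  {'; '.join(f['reasons'])}")
```

A flagged entry is a lead to research (look the file up, check its signature and location in Process Explorer), not a verdict; legitimate per-user programs also live under the profile folders.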

HiJackThis Links

Primary Download:

Secondary Download:
HiJackThis @ HT

Instructions for use of HiJackThis can be found here:
Official Trend Micro HiJackThis Quick Start Guide

Repairing WinXP/Vista

Sometimes after a long period of use or encounters with malicious logic, certain systems in WinXP/Vista can become corrupted, causing what would seem like irreparable damage. Usually the most reliable way of getting your system back into working shape is to do an In-Place Reinstallation of your OS, but for some people that's just not something to do lightly due to the amount of programs and the headaches starting over can cause. The following tools can help you to get your system back in working order without forcing a re-install.

Restoring WinXP Administrator Permissions & Default Settings using Smart Virus Remover

If you've had a particularly nasty virus, sometimes your Administrator permissions and privileges can be completely restricted, which prevents you from doing the simplest tasks, such as changing your Internet Options or viewing files, or a myriad of other permissions that are even more important, like the Windows Task Manager and the Registry Editor. Without access to these important tools, it's very hard to work on repairing your OS!

A good way to restore these permissions is to use the Smart Virus Remover tool. It can restore Task Manager, Registry Editor, Command Prompt, Folder Option - Show Hidden Files and Folders, and even all the Folder Option settings. It also takes care of several of the more nasty viruses you can come across, but mainly it's useful for just getting your permissions back in place. It is a very straightforward and extremely easy tool to use, but as always, use at your own risk.

To use, simply install/load the SVR tray and take a look at the options presented. You have the option to delete autorun.inf files that could be taking over your computer, but the one you're probably most interested in is restoring your default settings. Simply click on Restore Default Windows Settings, select the options you wish to restore, and voila, you're done! You can also scan for 23 specific viruses in whatever folder you wish, as well as protect USB drives from being infected.

Smart Virus Remover Links

Primary Download
Smart Virus Remover

Secondary Download
Smart Virus Remover @ HT

Instructions for use of Smart Virus Remover can be found within the Help Tab within the program. See ReadMe.

Repairing WinXP/Vista using SFC.exe

First off, assuming you've scanned your computer already using the latest Anti-Virus programs (see above), try using the basic tools that are provided with your system, such as System File Checker (SFC).

Taken from Wikipedia...

System File Checker is a utility in Microsoft Windows that allows users to scan for and restore corruptions in Windows system files. This utility is available on Windows 98, Windows 2000, Windows XP, Windows Server 2003, Windows Vista although in the Windows NT family of operating systems, it scans files using Windows File Protection.

In Windows Vista, System File Checker is integrated with Windows Resource Protection, which protects registry keys and folders as well as critical system files. Under Windows Vista, sfc.exe can be used to check specific folder paths, including the Windows folder and the boot folder.

Windows File Protection worked by registering for notification of file changes in Winlogon. If any changes were detected to a protected system file, the modified file was restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. In Windows Vista, Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files.

Using SFC.exe is fairly straightforward. You will most likely need to have your original WinXP disc on hand. There are a few ways you can do this. You can either run SFC /scannow by itself, or you can include this extra step beforehand:

To run SFC and have the cleanest install possible in case of a severely corrupted cache (be warned, you'll be deleting your entire cache and possibly updated files), go to Start -> Run and then type in the following command:

SFC /purgecache

Once this process has completed, repeat the steps Start -> Run and type in the following command:

SFC /scannow

SFC.exe will then scan your DLL cache and replace your corrupted files with verified ones directly from your original disc.

For a more in-depth look at how to use SFC as well as some really great hints at making this process much easier, check out UpdateXP's in-depth guide here:
Learn how to use SFC.EXE

Repairing WinXP using Dial-A-Fix

Usually, getting your system back into order requires getting back to your original default installation. Sometimes this can take hours and hours of searching through Microsoft's Knowledge Base just to find out how to fix a certain DLL (DLL Hell, yepz) or conflict by repairing or replacing the corrupted files. This is painstaking work that requires a lot of reading and searching, which can be extremely frustrating for novices. A unique program I've encountered that really does a lot of the hard work for you (a serious understatement if there ever was one) is a program created by a gent with the handle of DJLizard. It's called Dial-A-Fix (DAF). This program is able to dynamically un- and re-register files while applying fixes to return your system to the default installation.

Taken from the Lunarsoft Wiki...

Dial-a-fix is an advanced utility for 32-bit versions of Microsoft Windows written by DjLizard in Borland Delphi 7 that repairs various Windows problems, such as:
  • Windows Update errors and problems with Automatic Updates
  • SSL, HTTPS, and Cryptography service (signing/verification) issues
  • COM/ActiveX object errors and missing registry entries
  • and more.

Dial-a-fix (hereafter known as "DAF") is a collection of known fixes gleaned from Microsoft Knowledgebase articles, Microsoft MVPs, and other important support forums, that will assist you in repairing problems with your system. Although this tool is ordinarily meant for power users, technicians, and administrators, it is quite safe to use even without technical guidance (although guidance is recommended). Simply choose the solutions you wish to apply via checkmarks, and click GO. There are other buttons and tools present on the main dialog as well, such as the policy scanner. All tools and checkmarks identify their purpose when you mouse over them.

DAF's primary philosophy is to fix problems by setting various things back to their original Microsoft defaults. DAF currently does not interface with or repair any third party programs (and there are no plans to do so).

DAF works on all pertinent 32-bit versions of Windows: 98, 98SE, Me, 2000, XP, and Server 2003. Dial-a-fix dynamically disables functions that are not applicable to your version of Windows. The version of Windows with the most support and functionality is currently Windows XP.

An example of DAF use is my last encounter with a virus that corrupted my vbscript and javascript DLLs plus ActiveX, which completely disabled my ability to run javascript in all of my browsers, including IE, FF, and Safari. With DAF, I was able to re-register these DLLs and get my system back into working order.

Dial-A-Fix Links:

Primary Download:

Secondary Download
Dial-A-Fix @ HT

Instructions for use of Dial-A-Fix can be found here:
Dial-A-Fix - Lunarsoft Wiki

Lunarsoft Forums: Dial-A-Fix

Troubleshooting Vista

The official source for troubleshooting Windows Vista can be found here:

Windows Vista Solution Center

Dealing with Rootkits using ComboFix

Taken from Wikipedia...

A rootkit is malware which consists of a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms, "Administrator" or "Admin" access) of a computer system, without authorization by the system's owners and legitimate managers. Access to the hardware (e.g., the reset switch) is rarely required as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system.

Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.

Rootkits strike at the core of your system, and are so ingrained into your operating system that they are able to prevent you from getting rid of them with normal Anti-virus or Malware software. One of the best tools I've used for removing this is a program called ComboFix, which is a general Malware removal tool created by sUBs that is really great at targeting Rootkits.

ComboFix Links

Primary Download:

Secondary Download:
ComboFix @ HT

Instructions for use of ComboFix can be found here:
ComboFix Guide

More to come?

This is the end of the guide for now. As I find more useful programs, I'll be sure to list them with more links and guides. I plan to add another section dealing with malicious logic that affects your System Restore points soon.

If you have helpful tips or links you'd like to add, please feel free, and this thread will be updated appropriately. Thanks for taking the time to read, and I hope this gives you a decent start to getting your computer back into working order.

Last edited by ArchangelX; 12-22-2008 at 05:55 PM.