PC Cleaning Procedures & Detection Tools

Archived from groups: comp.security.firewalls (More info?)

The first step in ridding your system of unwanted intruders is to
protect it from them in the first place.

Reminder – If your system is simply too infested to effectively clean,
or has too many problems related to past infestations or other
problems, it may be better to back up all your data, format and install
Windows again, so you can have a fresh, clean start.

In order to view some of the files and folders mentioned here, you will
need to set your system up accordingly. Open Windows Explorer, go to
Tools, and in Folder Options, select Show hidden files and folders, and
uncheck Hide protected operating system files.

You may also need to boot into Safe Mode. The most common way to do
this is to reboot your computer, and then repeatedly hit F8 while it's
booting up. A menu will be displayed which will give you several
options. Select Safe Mode, and press Enter.

Another way to get into Safe Mode is to go to Start, Run, type in
msconfig, and then click OK. When the System Configuration Utility
window comes up, click the BOOT.INI tab, select SAFEBOOT, and then OK.
You will be asked to reboot, and when you do, your system will come up
in Safe Mode. When you're finished in Safe Mode, go back to msconfig
and remove the checkmark from SAFEBOOT.

A combination of the utilities listed may be required to successfully
clean a heavily infested system; if the ones you are using don’t seem
to be doing the job, try some of the others. You should also try
running them from Safe Mode.

In order to effectively clean your PC:

1.) Follow all the instructions in the Temporary Files section.
2.) Empty the Prefetch folder as explained.
3.) From the Malware section, run both Ad-Aware and Spybot.
4.) Also from the Malware section, run either CounterSpy or Ewido (or
both if you like).
5.) In the Free Online Scans section, run at least two of the suggested
scans.
6.) If you are still experiencing problems after taking these steps,
please go to the thread concerning specific infections.

Temporary Files

Depending on your Operating System, you may, or may not, have all of
the folders listed. Please complete the instructions for the ones you
do have.

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder.

Do a search for *.tmp and delete all entries found.

For every User listed under C:\Documents and Settings, delete the
entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

If you have Firefox, open it and go to Tools, Options, and then click
on Privacy (padlock icon on the left); click on the Clear All button.

If you use any other browser, clear the History, Cookies, and Cache.

Go to Start, Run, type in cleanmgr, and then click OK. Select the drive
your operating system is on (usually C), and check the boxes for
Downloaded Program Files (move any files you wish to keep out of this
folder first), Temporary Internet Files, Recycle Bin, Temporary Files,
Temporary Offline Files, Offline Files, (and Compress old files &
Catalog files for the Content Indexer if you wish), and then click OK.
Click Yes to confirm you want these files deleted. It may take a while
for this to run; please be patient.

Note: if any of these temporary files cannot be deleted while in normal
mode, try Safe Mode. If any still cannot be deleted, use the Pocket
Killbox (link below). Please ask for instructions before using this
tool!

Prefetch

To increase the startup time of your applications, Windows pre-loads
portions of programs in a folder called Prefetch. Malware sometimes
embeds itself in this folder and uses that as its ‘autostart’
mechanism each time you boot.

Since Windows will automatically repopulate the Prefetch folder with
valid program entries, emptying the entire contents of the folder won’t
do any harm. You can do this by going to C:\Windows\Prefetch; open the
Prefetch folder, click on Edit, Select All, and then hit the Delete
key.

Utility to help with cleanup:

CCleaner – Removes unused and temporary files from your system.
http://www.filehippo.com/download/l...h/download.html

Malware

There are several free (or free-to-try) utilities available to help rid
your system of unwanted intruders. Always be sure you have the latest
versions and update them immediately before scanning. Also, go through
their configuration options and make sure they are set to properly scan
your system. If you have any questions about these settings, feel free
to ask us.

Must have these:

Ad-Aware SE Personal Edition – Removes ad-supported software components
from your system.
http://www.download.com/Ad-Aware-SE...tml?tag=lst-0-2

Spybot - Search & Destroy – Removes threats to your security and
privacy from your hard disk and Registry.
http://www.download.com/Spybot-Sear...tml?tag=lst-0-1

Pocket Killbox – Use to delete files that refuse to be deleted
normally.
http://bleepingcomputer.com/files/spyware/KillBox.zip

Should have at least one of these:

CounterSpy – Detects and deletes malicious software from your PC.
http://www.download.com/CounterSpy/...tml?tag=lst-0-1

Ewido (XP users only) – Protects your computer from various threats and
hackers.
http://www.download.com/Ewido-Secur...tml?tag=lst-0-1

Other helpful utilities:

Stinger – Scans data for viruses and objectionable content.
http://www.download.com/Stinger/300...tml?tag=lst-0-1

TrojanHunter – Examines your files, registry, open ports and running
processes to protect against Trojans.
http://trojanhunter.com/

Trojan Remover – Aids in the removal of Trojan Horses and Worms.
http://www.simplysup.com/

Free Online Scans
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


--
dr.nil
------------------------------------------------------------------------
dr.nil's Profile: http://forums.techarena.in/member.php?userid=4402
View this thread: http://forums.techarena.in/showthread.php?t=340571

On Thu, 11 Aug 2005 16:53:39 +0530, dr.nil
<dr.nil.1tlli0@DoNotSpam.com> wrote:

>
>The first step in ridding your system of unwanted intruders is to
>protect it from them in the first place.
>

>Depending on your Operating System, you may, or may not, have all of
>the folders listed. Please complete the instructions for the ones you
>do have.
>
>Delete the entire contents of your C:\Windows\Temp folder.
>
If you have Drive Image 7 and you delete the contents of the
C:\Windows\Temp folder, you will break it. Drive layout information is
stored in two files in this folder.
 

In the Usenet newsgroup comp.security.firewalls, in article
<1123877115.a8445eb955bdf96bdcd93368ecedce4c@meganetnews2>, Smiley Burns
wrote:

>>Delete the entire contents of your C:\Windows\Temp folder.
>
>If you have Drive Image 7 and you delete the contents of the
>C:\Windows\Temp folder. You will break it. Drive layout information is
>stored in two files in this folder.

I'm sorry, but what freakin' idiot decided that was a good idea. Does
this person not speak or at least vaguely understand English? Does this
person not realize the 'Temp' stands for "TEMPORARY"?

temporary adj. for a short time only; lasting, used or enjoyed
for a limited time; not permanent

Sheesh!

Old guy
 

On Sat, 13 Aug 2005 18:23:42 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>In the Usenet newsgroup comp.security.firewalls, in article
><1123877115.a8445eb955bdf96bdcd93368ecedce4c@meganetnews2>, Smiley Burns
>wrote:
>
>>>Delete the entire contents of your C:\Windows\Temp folder.
>>
>>If you have Drive Image 7 and you delete the contents of the
>>C:\Windows\Temp folder. You will break it. Drive layout information is
>>stored in two files in this folder.
>
>I'm sorry, but what freakin' idiot decided that was a good idea. Does
>this person not speak or at least vaguely understand English? Does this
>person not realize the 'Temp' stands for "TEMPORARY"?
>
> temporary adj. for a short time only; lasting, used or enjoyed
> for a limited time; not permanent
>
>Sheesh!
>
> Old guy

I'm sorry, I just retested the effect of moving those two files to
another location and ran a backup with no problem. I had tested it
twice before and it wouldn't even load properly. Now moving those
files seems to have no effect at all. Sorry about the misinformation I
posted.
 

In the Usenet newsgroup comp.security.firewalls, in article
<1124198618.0ce1b15d0922aaa619fa8ad2021e784a@meganetnews2>, Smiley Burns wrote:

>(Moe Trin) wrote:

>> I'm sorry, but what freakin' idiot decided that was a good idea. Does
>> this person not speak or at least vaguely understand English? Does this
>> person not realize the 'Temp' stands for "TEMPORARY"?
>>
>> temporary adj. for a short time only; lasting, used or enjoyed
>> for a limited time; not permanent

>I'm sorry, I just retested the effect of moving those two files to
>another location and ran a backup with no problem. I had tested it
>twice before and it wouldn't even load properly. Now moving those
>files seems have no effect at all.

The IEEE's POSIX requirements identify temporary directories (/tmp/ in
UNIX) as a place for temporary storage, but with the proviso that the
application creating these files must not expect the files to last longer
than it does. The original concept was that /tmp was used as a momentary
holding point - where you ran one application and got some intermediate
data that was going to be used in another application - perhaps you used
a database tool to locate all of a model car you wanted to purchase - and
you would then plug this small data set (rather than the whole database)
into a spreadsheet to figure out which you can afford. The intermediate
data need only exist until it can be plugged into the next part of the
task.

While microsoft likes to claim that somehow, windoze is POSIX compliant,
they're rather lax at enforcing the concepts. In many implementations of
UNIX, /tmp/ gets cleared at boot time (not a big deal, we don't reboot
that often), and an automatic (cron) job will delete files in /tmp/ that
haven't been used in some period (like a week). You wouldn't believe
the screams we hear from new users who stashed something in temp because
it seemed like a good place at the time.

Old guy
 

On Tue, 16 Aug 2005 19:39:04 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>In the Usenet newsgroup comp.security.firewalls, in article
><1124198618.0ce1b15d0922aaa619fa8ad2021e784a@meganetnews2>, Smiley Burns wrote:
>
>>(Moe Trin) wrote:
>
>>> I'm sorry, but what freakin' idiot decided that was a good idea. Does
>>> this person not speak or at least vaguely understand English? Does this
>>> person not realize the 'Temp' stands for "TEMPORARY"?
>>>
>>> temporary adj. for a short time only; lasting, used or enjoyed
>>> for a limited time; not permanent
>
>>I'm sorry, I just retested the effect of moving those two files to
>>another location and ran a backup with no problem. I had tested it
>>twice before and it wouldn't even load properly. Now moving those
>>files seems have no effect at all.
>
>The IEEE's POSIX requirements identify temporary directories (/tmp/ in
>UNIX) as a place for temporary storage, but with the proviso that the
>application creating these files must not expect the files to last longer
>than it does. The original concept was that /tmp was used as a momentary
>holding point - where you ran one application and got some intermediate
>data that was going to be used in another application - perhaps you used
>a database tool to locate all of a model car you wanted to purchase - and
>you would then plug this small data set (rather than the whole database)
>into a spreadsheet to figure out which you can afford. The intermediate
>data need only exist until it can be plugged into the next part of the
>task.
>
>While microsoft likes to claim that somehow, windoze is POSIX compliant,
>they're rather lax at enforcing the concepts. In many implementations of
>UNIX, /tmp/ gets cleared at boot time (not a big deal, we don't reboot
>that often), and an automatic (cron) job will delete files in /tmp/ that
>haven't been used in some period (like a week). You wouldn't believe
>the screams we hear from new users who stashed something in temp because
>it seemed like a good place at the time.
>
> Old guy

Thanks for the explanation. I had thought that temp/tmp was a
temporary holding place but that Drive Image 7 wasn't following that
logic. My mistake, not Symantec's.
 

In the Usenet newsgroup comp.security.firewalls, in article
<1124376099.7b0070af6a0d30e0a59fbd93ef7686bf@meganetnews2>, Smiley Burns wrote:

>Thanks for the explanation. I had thought that temp/tmp was a
>temporary holding place but that Drive Image 7 wasn't following that
>logic. My mistake, not Symantecs.

Well, how long is "temporary"? For an ice-cube in a cold drink, that
could be minutes. On the other hand, the US Navy occupied "temporary"
buildings built during World War One in Washington DC for more than
forty years. ;-)

The /tmp directory must be made available for programs that require
temporary files.

Programs must not assume that any files or directories in /tmp are
preserved between invocations of the program.

Rationale: IEEE standard P1003.2 (POSIX, part 2) makes requirements
that are similar to the above section.

Although data stored in /tmp may be deleted in a site-specific manner,
it is recommended that files and directories located in /tmp be
deleted whenever the system is booted.

There's also a scheduled job that runs nightly on this computer that
deletes anything in /tmp/ that hasn't been used in ten days. This is
fairly common in *nix.

Old guy
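As an added example (not code from the thread, nor from any of the tools it links), here is a small Python cleaner that ties together the first post's temp-file and Prefetch procedure and the age-based /tmp policy Moe Trin describes in the replies. The XP folder list is taken from the first post; everything else is this example's own assumption: the dry-run-first default, the decision to apply the age test to modification time and never to follow symlinks, the choice to leave subfolders alone in retention mode, and the Report structure. It knows nothing about Drive Image 7 or any other program that parks state in Temp; the dry run exists precisely so you can read the list before anything is deleted.

```python
"""Temp-directory cleanup in the spirit of this thread: empty the XP-era
temp locations the first post lists, or prune stale files the way the
nightly /tmp job described in the later posts does. Added example, not
code from the thread. The XP paths come from the first post; the age
threshold, dry-run default and symlink handling are this example's own."""
from __future__ import annotations

import fnmatch
import os
import time
from dataclasses import dataclass, field
from pathlib import Path

# Per-profile folders from the first post, relative to each user's profile
# under "Documents and Settings". Their contents are emptied, not the folders.
XP_USER_TEMP_SUBDIRS = (
    Path("Local Settings", "Temp"),
    Path("Cookies"),
    Path("History"),
    Path("Local Settings", "Temporary Internet Files", "Content.IE5"),
)


def xp_temp_dirs(drive_root: Path) -> list[Path]:
    """Resolve the folders the first post says to empty on a Windows XP
    layout rooted at drive_root (e.g. Path("C:/")). Only folders that exist
    are returned, since not every OS version has all of them."""
    windows = drive_root / "Windows"
    wanted = [windows / "Temp", windows / "Prefetch", drive_root / "Temp"]
    profiles = drive_root / "Documents and Settings"
    if profiles.is_dir():
        for profile in sorted(profiles.iterdir()):
            wanted.extend(profile / sub for sub in XP_USER_TEMP_SUBDIRS)
    return [p for p in wanted if p.is_dir()]


@dataclass
class Report:
    removed: list[Path] = field(default_factory=list)  # deleted (or would be)
    kept: list[Path] = field(default_factory=list)     # too new or wrong pattern
    locked: list[Path] = field(default_factory=list)   # deletion failed


def prune(root: Path, max_age_days: float | None = None, pattern: str = "*",
          dry_run: bool = True, now: float | None = None) -> Report:
    """Delete files under root (never root itself).

    max_age_days=None empties the tree, as the first post does for Temp and
    Prefetch; a number keeps anything modified within that window, which is
    the cron-style /tmp policy from the later posts. os.walk does not follow
    symlinks and unlink() removes only the link, so a link planted in a
    world-writable temp dir cannot redirect the deletion elsewhere.
    Files that cannot be deleted are reported, not retried (that is the
    Safe Mode / Killbox case from the first post).
    """
    now = time.time() if now is None else now
    cutoff = None if max_age_days is None else now - max_age_days * 86400
    rep = Report()
    for dirpath, _dirnames, filenames in os.walk(root, topdown=False):
        d = Path(dirpath)
        for name in filenames:
            p = d / name
            if not fnmatch.fnmatch(name, pattern):
                rep.kept.append(p)
                continue
            try:
                st = p.lstat()  # lstat: judge the link, not its target
            except OSError:
                rep.locked.append(p)
                continue
            if cutoff is not None and st.st_mtime > cutoff:
                rep.kept.append(p)
                continue
            if not dry_run:
                try:
                    p.unlink()
                except OSError:
                    rep.locked.append(p)
                    continue
            rep.removed.append(p)
        # In empty-everything mode also drop subfolders left empty; in
        # retention mode leave them, since a running program may own them.
        if cutoff is None and d != root and not dry_run:
            try:
                d.rmdir()
            except OSError:
                pass
    return rep


if __name__ == "__main__":
    # Dry run over the first post's folder list; nothing is deleted here.
    for folder in xp_temp_dirs(Path("C:/")):
        r = prune(folder, dry_run=True)
        print(f"{folder}: {len(r.removed)} file(s) would be removed")
```

Run it once with the default dry_run=True and read rep.removed before flipping the flag; anything that lands in rep.locked is the first post's "try Safe Mode" case. prune(root, max_age_days=10) is the same policy as the nightly job on the last post's machine, expressed in Python rather than cron plus find, and pattern="*.tmp" reproduces the first post's "search for *.tmp and delete" step.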