Virus removal techniques that I use
Since computer viruses can attack from all directions, I don't have a standard
protocol to remove these tenacious and annoying little buggers. It used to be
that the virus or malware could easily be found in a few standard directories,
e.g., the \windows or \windows\system32 directories. Now they may hide in a
variety of locations. One such place is the "RECYCLER" directory, since some
virus scanners ignore this directory when doing a "whole computer scan". You
can read more about recycler viruses HERE. Another place where viruses, worms
and adware hide is
"C:\Documents and Settings\(user)\Local Settings\Temporary Internet Files",
where (user) is your user name. Look for any file that ends in ".exe" or ".dll"
and delete it if you can. This may require that you boot to "safe mode"; how to
boot to safe mode can be found HERE. If you still cannot delete the suspected
executable, I use a program called "Bart PE Builder", which you can learn about
in this TUTORIAL. This program will allow you to examine your Windows disk and
remove the suspected file.
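An added Python example (not a tool from this page) of the sweep just described: it walks a folder for ".exe" and ".dll" files, reports whether each one has its hidden attribute set, and, when asked to delete, records which files could not be removed, which is exactly the case where safe mode or Bart PE comes in. The folder it scans is a constructed stand-in built in a temporary directory, not the real Temporary Internet Files cache, and the file names in it are made up.

```python
"""Sweep a folder for .exe/.dll files, as the paragraph above describes for
Temporary Internet Files. Reports each hit, whether its hidden attribute is
set, and (with delete=True) whether removal succeeded. The sample folder is
constructed in a temp directory so the script runs anywhere."""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2            # Windows file attribute bit
EXECUTABLE_SUFFIXES = {".exe", ".dll"}


def is_hidden(path):
    """Windows: the hidden attribute bit (st_file_attributes). On other
    systems, where that field does not exist, treat a leading dot as hidden
    so the demo still runs."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def sweep(folder, delete=False):
    """Return one record per executable/DLL found under folder.
    record["deleted"] is None when not asked to delete, True on success and
    False when the file is locked or in use (remove it from safe mode or a
    Bart PE boot instead)."""
    hits = []
    for p in sorted(Path(folder).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        record = {"path": str(p), "hidden": is_hidden(p), "deleted": None}
        if delete:
            try:
                p.unlink()
                record["deleted"] = True
            except OSError as exc:
                record["deleted"] = False
                record["error"] = str(exc)
        hits.append(record)
    return hits


def make_sample_cache():
    """Constructed stand-in for ...\\Local Settings\\Temporary Internet Files
    (hypothetical file names)."""
    root = Path(tempfile.mkdtemp(prefix="tif_sample_"))
    (root / "index.dat").write_bytes(b"\x00" * 16)
    (root / "Content.IE5").mkdir()
    (root / "Content.IE5" / "logo[1].gif").write_bytes(b"GIF89a")
    (root / "Content.IE5" / "update[1].exe").write_bytes(b"MZ")  # suspicious
    (root / "Content.IE5" / ".helper.dll").write_bytes(b"MZ")    # "hidden" stand-in
    return root


if __name__ == "__main__":
    root = make_sample_cache()
    for hit in sweep(root):                       # dry run first: list only
        flag = " (hidden)" if hit["hidden"] else ""
        print(f"found {hit['path']}{flag}")
    for hit in sweep(root, delete=True):          # then remove what we can
        print(f"deleted={hit['deleted']} {hit['path']}")
```

Run it without `delete=True` first and review the list; anything that refuses to delete is your cue for the safe-mode or Bart PE route.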
PE Builder is one of the tools I carry in my toolbag. I also have a CD which
contains the following tools:
1. HJTInstall.exe - installs the HijackThis program.
2. xp_exec_fix.reg - restores your executables so they run.
3. LSPFix.exe - repairs a damaged Winsock stack.
4. Programs to remove rootkit.win32.tdss:
a. FixTDSS.exe
b. tdsskiller.exe
c. cleantdss.exe
5. drweb-cureit.exe - I haven't used this program in a long time, but I
remember it worked really well and cured some stubborn viruses that no other
program could remove. I think this program is no longer free; if you have a
really tough virus to remove, it may be worth the cost.
6. I also have the setup programs for:
a. AVG Free
b. Malwarebytes Anti-Malware. I think this is no longer free, i.e., you can
get it on a trial basis.
7. tskinfo50.exe - look for a newer version. I use this program to see all
"dll" modules for a given executable, for example "explorer.exe". In the past
I discovered bogus modules (i.e., not a Microsoft module) this way and would
then delete them.
P.S. I would suggest you put these files on a CD or memory stick.
Okay, with toolbag in hand (my CD which contains these files), I take the
following steps to remove a suspected virus.
1. Try to run the Malwarebytes Anti-Malware program. If you cannot execute
it, then try to execute any other program; if nothing executes, then run the
xp_exec_fix.reg file from the CD.
2. If you cannot get any executable to run after step 1, then you may have to
do a "clean" Windows install. I personally dislike this option, but sometimes
it's the last resort to remove a virus.
3. If Malwarebytes doesn't do the trick, then run AVG Free.
4. If AVG Free doesn't clean the virus, then install and run "HijackThis" and
look for bogus startup programs. The bogus programs to look for are the BHO
entries. If any of these contain programs that are "unknown", or the executable
has a strange name in a directory that looks suspicious, then mark it for
deletion. Also look for startup programs in the registry key
"O4 - HKLM......\Run:". Make sure there is nothing strange here. If it is some
unrecognizable program, then "google" the name to find out if it is bogus and
mark it for deletion. Continue this process and always cross-check a suspicious
file on the internet. DON'T FORGET - IF YOU CHANGE ANYTHING USING "HJT" YOU
HAVE MADE CHANGES TO THE REGISTRY, AND COULD MAKE THE SYSTEM UNSTABLE.
5. If HJT didn't solve the problem, install the latest version of
tskinfo50.exe and look at each process (program) that is running and examine
the "dll" modules for that running program. For example, I once looked at the
explorer.exe program and found a "dll" module with no version and no
manufacturer and a name that looked like Utynu887.dll - certainly not a
Microsoft dll file. I found the file hidden (literally, i.e., its hidden
attribute was turned on) in a non-system directory and deleted it. This cleared
up the problem, as this module was responsible for keeping another program
re-spawning, which was causing the problem I experienced.
6. If still no luck, look at the hosts file, which is in the directory
"\windows\system32\drivers\etc", and make sure there are no redirects; that is,
the only thing you should see is the entry for localhost:
127.0.0.1 localhost
Remove any line that associates an IP address with a website.
7. If you suspect a rootkit, i.e., none of the above helped, then run the
rootkit programs described above.
8. If the virus is hidden in a driver file, i.e., a file with the extension
".sys", and it cannot be found with the virus scan programs, you can try to do
a Windows "repair". See details HERE.
9. If all these fail, check the additional info, with video help:
More anti-virus help here
10. Also, I would suggest you check out this article by Ed Bott; it explains
how some exploits are carried out to place a trojan on your computer. Visit
HERE.
11. And check out these sites for help:
TRY 1CLICK PC FIX
COMPUTER REPAIR DONE REMOTELY
PC PROBLEM SOLVER
KASPERSKY VIRUS REMOVAL TOOL
DOWNLOAD ANTI-MALWARE SOFTWARE
GET AVG FREE - ANTI VIRUS SOFTWARE
VIRUS AND SPYWARE REMOVAL - 3 WAYS
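As an added example (not from this page or from any of the tools it lists), here is a Python script that automates two of the checks in the steps above: step 6's inspection of the hosts file, and step 4's review of the Run-key startup programs, which HijackThis reports as "O4" lines in its log. Both inputs are constructed samples with made-up host names, user names and file names. The second check flags entries that run from the hiding places named at the top of the page (RECYCLER, Temporary Internet Files, the Local Settings temp folder); the extra test for a well-known system file name running from outside \windows is an added heuristic, not something step 4 itself states.

```python
"""Two checks from the cleanup steps above, run on constructed sample input
rather than the live machine: flag hosts-file lines that map a name to
anything other than localhost (step 6), and flag HijackThis-style O4
startup entries that run from known hiding places (step 4)."""
import re
from pathlib import PureWindowsPath

# Constructed: a hosts file with two redirects added after the normal entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.test      # silently blocks an AV update site
10.0.0.5        www.example-bank.test        # sends a bank site somewhere else
"""

# Constructed: HijackThis O4 lines (hypothetical names). The last two are the
# kind of entry step 4 says to mark.
SAMPLE_O4 = r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xyz123] C:\Documents and Settings\Bob\Local Settings\Temp\xyz123.exe
O4 - HKLM\..\Run: [svchost] C:\RECYCLER\S-1-5-21-1234\svchost.exe -k netsvcs
"""

LOCALHOST_IPS = {"127.0.0.1", "::1"}


def hosts_redirects(text):
    """Return (ip, hostname) pairs that are anything other than a plain
    localhost entry. A clean hosts file yields an empty list."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOCALHOST_IPS and name.lower() == "localhost":
                continue
            found.append((ip, name))
    return found


O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_IN_CMD = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|dll))', re.IGNORECASE)

# Hiding places named on this page, matched case-insensitively.
SUSPECT_DIRS = ("\\recycler\\", "\\temporary internet files\\", "\\local settings\\temp\\")
# Added heuristic: a well-known system binary name outside \windows is worth a look.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")


def executable_path(cmd):
    """Pull the program out of a Run value, coping with quotes, spaces and arguments."""
    m = EXE_IN_CMD.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def suspicious_startup(text):
    """Return [(entry name, path, reason)] for O4 lines worth cross-checking."""
    flagged = []
    for line in text.splitlines():
        m = O4_LINE.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        low = path.lower()
        folder = str(PureWindowsPath(low).parent)
        if any(d in low for d in SUSPECT_DIRS):
            flagged.append((m.group("name"), path, "runs from a temp/RECYCLER location"))
        elif PureWindowsPath(low).name in SYSTEM_NAMES and not folder.startswith(SYSTEM_DIRS):
            flagged.append((m.group("name"), path, "system file name outside \\windows"))
    return flagged


if __name__ == "__main__":
    for ip, name in hosts_redirects(SAMPLE_HOSTS):
        print(f"hosts redirect: {name} -> {ip}")
    for name, path, why in suspicious_startup(SAMPLE_O4):
        print(f"startup [{name}] {path}: {why}")
```

To use it on a real machine, paste the contents of \windows\system32\drivers\etc\hosts and the O4 section of your HijackThis log in place of the two samples; the script only reports, so the cross-check on the internet and the decision to delete stay with you, as step 4 advises.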