
How to remove viruses



thegrogster
01-16-2009, 06:03 PM
I was sent a message about how to remove a virus/adware/spyware so I did a complete write-up.
I don't have much time so I'm just copying and pasting. I'll revise it later for cases where you can't boot into your computer, or can only get into safe mode.

My steps for removing any malicious software.

Load up computer and make sure all the following are installed.

Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
If you DO NOT have a genuine copy of Windows, use the following.
Avira Antivirus (http://filehippo.com/download_antivir/)
If you still want to use AVG Free then Here it is. (http://filehippo.com/download_avg_antivirus/)
Just don't have two or more installed at the same time.

Spybot S&D (http://fileforum.betanews.com/detail/Spybot_Search_Destroy/1043809773/1)
MalwareBytes Anti-Malware (http://filehippo.com/download_malwarebytes_anti_malware/) (it shocked me how much shit this one finds)
and/or
Superantispyware (http://filehippo.com/download_superantispyware/)
CCleaner (http://www.filehippo.com/download_ccleaner/)

As Than suggested, Superantispyware is also a very good program. Unlike virus scanners, anti-malware programs will run fine together as long as they do NOT have real-time scanners.

First step

Disable System Restore (right click my computer > properties > System Restore >Turn Off)
(Viruses love to hide in there.) Then delete everything under "c:\System Volume Information" that's left over, if you can get into that folder. Oftentimes it's locked. Once it's all deleted you can turn System Restore on again if you've used it in the past. That was just to clear out the viruses that could be hiding in there.
If you can't see "System Volume Information" do the following.
In the window you're using to browse, go to
Tools > Folder Options > View
Click on "Show hidden files and folders"
Uncheck "Hide protected operating system files" > you will get a prompt > click OK.
Again, you may be locked out, but don't fret. AVG and the malware scanners will manage to get in there anyway.

//--------------------------------------------------------------------------------------
Once in the computer, go to Start > Run > type in "msconfig" and click OK.
(For vista users. Click Start > type in "msconfig" in the search area and press enter)
Select the startup tab.
Uncheck EVERYTHING that does NOT have to do with AVG as it is not necessary at this point and a few of them are likely viruses.
When Windows starts it'll show a dialogue box. Just click "Never show this to me on startup again" or something along those lines and close the window.

Run the first three (or four) at the same time, walk away and do something else for an hour or two(Or more if you've got a shitty computer).
Come back remove as much as you can and run CCleaner. Both the cleaner and the registry sweep.
CCleaner's registry sweep will ask you if you want to do a registry backup. ALWAYS say yes. Doing anything with the registry can damage it, though I have never damaged it with this program and I use it on a daily basis.

Since not all operating systems give you the ability to change ownership of folders and files, I suggest using the Disk Cleanup utility in this case, since doing it manually takes time.
To run this go to My Computer
Right click on your drive c:\ or whatever your main partition is.
Click on Properties and in that first tab there is Disk Cleanup under the pie chart.
Select everything in the list (except maybe the Hibernation file if you use that feature)
And click on OK.
This will clean out your Temp folder and your Temporary Internet Files. Viruses love to hide in there.

Go back to "msconfig"'s startup tab.
Put checks on anything you WANT to start up now. Things like
Windows Live Messenger, AIM, RocketDock, and most importantly, Steam.
Anything that has a fucked up name like "as7d6hgs0.exe" is, without a doubt, a virus. Others are tricky.
That's why you want to be very picky about what starts up. Since most things aren't necessary anyway.

Repeat everything in the "//---------" area for each user on the computer because they all have their own set of temp folders and locations that virus scanners can't touch.

//------------------------------------------------------------------------------------------------------------

Restart the computer for the last time and it should be removed. I usually run the scan over and over again on customer computers to make sure it's all gone because often it isn't after one sweep.

This is a long process for sure, but it's very effective. With this method, the only things that have evaded my grasp are rootkits. Even then, there are specific scanners for those.

If you still run into problems like Rootkits, then ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) is the way to handle them.
That's a direct link. It's a very powerful program that can cause problems, though I haven't run into those problems myself. Here is the Tutorial for Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)


Since not all of us know what we're doing with computers and surfing the internet, I suggest keeping a copy of this handy.
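The msconfig part of the post above is a manual walk through the autostart locations. Here is the same walk scripted, as an added example that is not part of the original post and not the poster's method: it lists what the Startup tab draws from (the Run keys under HKLM and every loaded user hive, plus the Startup folders, with RunOnce added), then marks entries whose file is unsigned or missing, lives under a Temp folder, or has a random-looking name of the "as7d6hgs0.exe" kind. The function names and the random-name heuristic are this example's own, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post: list what msconfig's Startup tab
# shows (Run keys and Startup folders) for every loaded user hive, and flag the
# entries a cleanup should look at first. Assumes Windows PowerShell 5.1+.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# HKLM applies to every user. HKEY_USERS only holds hives that are loaded,
# i.e. users currently logged on, which is why the post says to repeat the
# cleanup while logged in as each user. The _Classes hives are skipped.
$hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

function Get-ExePath {
    param([string]$Command)
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /tray    or    C:\Windows\Temp\as7d6hgs0.exe
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+?\.(exe|com|bat|cmd|scr|pif))') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Test-RandomName {
    param([string]$FileName)
    # Heuristic (this example's own) for names like "as7d6hgs0.exe": 6+ chars,
    # letters mixed with digits, at most one vowel. It produces false
    # positives; treat a hit as "look at this", not as proof of infection.
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName)
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    return ($base.Length -ge 6 -and $base -match '\d' -and $base -match '[A-Za-z]' -and $vowels -le 1)
}

function Get-StartupReport {
    $entries = @()
    foreach ($hive in $hives) {
        foreach ($key in $runKeys) {
            $path = "$hive\$key"
            if (-not (Test-Path $path)) { continue }
            foreach ($p in (Get-ItemProperty $path).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata, not entries
                $entries += [pscustomobject]@{ Source = $path; Name = $p.Name; Executable = (Get-ExePath $p.Value) }
            }
        }
    }
    # Startup folders: shortcuts are resolved to their target so the signature
    # check looks at the real binary, not the .lnk file.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in (Get-ChildItem $folder -File -ErrorAction SilentlyContinue)) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            $entries += [pscustomobject]@{ Source = $folder; Name = $f.Name; Executable = $target }
        }
    }
    foreach ($e in $entries) {
        $exists = Test-Path -LiteralPath $e.Executable -PathType Leaf
        [pscustomobject]@{
            Source     = $e.Source
            Name       = $e.Name
            Executable = $e.Executable
            # NotSigned/HashMismatch/UnknownError deserve a look; Valid is a good sign, not proof
            Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $e.Executable).Status } else { 'FileMissing' }
            InTemp     = [bool]($e.Executable -match '\\(Temp|Temporary Internet Files)\\')
            RandomName = Test-RandomName ([IO.Path]::GetFileName($e.Executable))
        }
    }
}

Get-StartupReport | Sort-Object RandomName, InTemp -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and the other users' hives are readable; without elevation you still get HKCU and the current user's Startup folder. The report is read-only: unchecking an entry is still done in msconfig (or by deleting the registry value) once you have decided what it is, which is the part the post says to be picky about.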

Nick Mangiaracina
01-16-2009, 07:11 PM
You might want to go into detail on creating a registry backup as well.

01-16-2009, 10:10 PM
Superantispyware is also one of the best at removing stuff.....
I run it.

-Than

thegrogster
01-17-2009, 01:47 AM
You might want to go into detail on creating a registry backup as well.

ccleaner asks you if you want to do one. click yes, then save.

thegrogster
01-17-2009, 10:37 AM
That's about as edited and thorough as it's going to get unless someone else has some suggestions.

thegrogster
04-01-2009, 10:59 AM
Bump: Updated.
As well as since this conficker scare is about, here's a reminder.

- GrOg

thegrogster
01-15-2010, 05:31 PM
A lot of viruses now are disabling the internet with an easy-to-fix problem so I figured I'd give you all a reminder this thread exists, with an extra tip in the process.

Viruses now are turning on proxy settings to disable your surfing. You can't get help on the internet that way.

Here's a way to get around that:

Internet Explorer
(If you can't see a File menu, press "Alt" on your keyboard and it should show up.)
Click on Tools > Internet Options > Connections > LAN settings.
Under "Proxy server" you might see it checked. UNCHECK that box, click OK and close everything. You should be able to surf the internet now and get help on removing the source of the problem. (As described by the first post)

Firefox
Click on Tools > Options > Advanced > Network > Settings
Click on "No proxy"
Click OK and close everything out. You should be able to surf the internet again.

Basically the same thing in other browsers such as Opera or Chrome. Find any option pointing to a proxy and disable it.

I'll keep you posted if I've got more tips for you.
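The LAN settings dialog in the post above is a front end for a handful of registry values, so the same check can be scripted for the case where the browser itself won't open. This is an added example, not part of the original post and not the poster's procedure: it reads the WinINET proxy values under the current user's Internet Settings key (the ones Internet Explorer, and Chrome and Opera on Windows, use), reports them, clears them when they look injected, and lists what each Firefox profile has in prefs.js. The function names and the "looks injected" rule are this example's own; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post: inspect and reset the per-user
# WinINET proxy the LAN settings dialog edits, then report Firefox's own
# setting. Assumes Windows PowerShell 5.1+; no elevation needed for HKCU.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    $p = Get-ItemProperty -Path $inet
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable        # 1 = "Use a proxy server" box is checked
        ProxyServer   = $p.ProxyServer             # e.g. 127.0.0.1:8080 pointing at a local hijacker
        AutoConfigURL = $p.AutoConfigURL           # a PAC script can redirect traffic just as well
        ProxyOverride = $p.ProxyOverride           # bypass list; usually "<local>"
    }
}

function Test-InjectedProxy {
    param($State)
    # Rule used by this example: a proxy pointing at the machine itself, or
    # any automatic configuration script, on a home PC that never had one.
    # On a corporate machine a real proxy will also match; check first.
    ($State.ProxyEnable -eq 1 -and $State.ProxyServer -match '^(127\.|localhost|0\.0\.0\.0)') -or
    (-not [string]::IsNullOrEmpty($State.AutoConfigURL))
}

function Clear-WinInetProxy {
    # Same effect as unchecking "Use a proxy server" and "Use automatic
    # configuration script" in Tools > Internet Options > Connections > LAN settings.
    Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0 -Type DWord
    Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name ProxyOverride -ErrorAction SilentlyContinue
}

function Get-FirefoxProxyPrefs {
    # Firefox ignores WinINET and keeps network.proxy.* in each profile's prefs.js.
    # network.proxy.type: 0 = No proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect,
    # 5 = use system settings (the default; absent from prefs.js when unchanged).
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    foreach ($dir in Get-ChildItem $profiles -Directory) {
        $prefs = Join-Path $dir.FullName 'prefs.js'
        if (-not (Test-Path $prefs)) { continue }
        $lines = Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.(type|http|ssl|autoconfig_url)"' |
                 ForEach-Object { $_.Line.Trim() }
        [pscustomobject]@{ Profile = $dir.Name; ProxyPrefs = if ($lines) { $lines -join ' ' } else { '(defaults: system settings)' } }
    }
}

$before = Get-WinInetProxy
"WinINET proxy before:"; $before | Format-List
if (Test-InjectedProxy $before) {
    Write-Warning 'Proxy looks injected; clearing it.'
    Clear-WinInetProxy
    "WinINET proxy after:"; Get-WinInetProxy | Format-List
}
"Firefox profiles:"; Get-FirefoxProxyPrefs | Format-Table -AutoSize
```

Two caveats a cleanup should keep in mind: the HKCU key is per user, so log in as (or load the hive of) each account that cannot browse, and if the browser is still redirected afterwards the malware is usually re-writing the value on each start, which means the proxy is a symptom to fix after the scanners from the first post have run, not the root cause.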

Loasted
01-15-2010, 05:40 PM
Best way to remove viruses

format c:

Z-95
01-15-2010, 06:48 PM
Best way to remove viruses

format c:
Ya beat me to it!

Most of the time you will end up spending MUCH less time removing a virus/trojan/worm/malware/spyware/adware by simply formatting and starting from scratch instead of trying to clean an existing install.

And everyone has their important stuff already backed up anyway, right? RIGHT??? ;)

With the rock bottom prices on storage these days no one has an excuse not to back up the important stuff!

Hellblazer
01-15-2010, 09:19 PM
I'd like to add that quite a few "viruses" are pretty much trojans, which most antivirus programs have a hard time removing.

Before beginning hardcore removal of viruses I always run SDFix (http://www.bleepingcomputer.com/forums/topic131299.html) and Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), in that order. I generally always follow-up with Malwarebytes and then an actual antivirus scan (most likely AVG). This combo has a 90% success rate for me.

TypeZERO
01-16-2010, 06:24 AM
Great utility to keep track of running processes, HiJackThis!

I love that program. It's a little dangerous to use, because if you kill a process that shouldn't be shut down, it may render your computer useless. But if you've been fighting with a piece of malware for a while, it's a good tool to check to see if it's come back.

Rmeddy
01-16-2010, 06:54 AM
I do it the noob way and just run ESET and use Hijackthis to sort out later and if the malware damage is too much , I reload the OS.

Loasted
01-16-2010, 12:16 PM
Great utility to keep track of running processes, HiJackThis!

I love that program. It's a little dangerous to use, because if you kill a process that shouldn't be shut down, it may render your computer useless. But if you've been fighting with a piece of malware for a while, it's a good tool to check to see if it's come back.

Hasn't HijackThis gotten better at letting you know what most of the processes are? I don't think there is as much danger if you're not familiar with all processes and reg keys as there once was.

thegrogster
02-10-2010, 05:03 PM
Apparently Microsoft has come out with a free anti-virus/malware program that blows avast, avira and avg out of the water for performance, detection rate and how resource light it is.

Correct me if I'm wrong, but I believe it's based off of Microsoft Forefront. And really, who would know the ins and outs of a Microsoft operating system better than the people who have full access to the source code?

I'm giving it a shot at work now and if you'd like to give it a shot too it's called Microsoft Security Essentials.
Arstechnica had an article with the best of the best antivirus programs and MSE was one of those best.

Let me know if you have good experiences with it if you try it out.

Ag3nTTeresa
02-10-2010, 05:27 PM
I got a nasty bug a few weeks ago that wouldn't allow me to do anything. It was some stupid fake anti-virus called Anti Virus Live Pro or something like that.

It secretly downloaded from somewhere and the next day it would run upon boot up. You can close it, but it doesn't allow you to launch any programs or use any of your drives. Every time you click on something you'll get a random error such as, "This program/file has detected blahblah.dfksdf.bat which has been infected with a virus or spyware! Please run Anti Virus whatever to correct this error."

I couldn't even start up in safe mode as it simply rebooted my computer if I tried doing so.

So using a different computer, I retrieved instructions on having to go into your registry and delete about 10 different files. The hard part is getting in there because you pretty much have to spam End Task on boot up so absolutely nothing is allowed to launch.