
GE Geek


Step-By-Step PC Virus Repair/Removal Guide for the Everyday User

Hopefully this article is both educational and useful. My advice: download all the programs listed here ahead of time and save them for that fretful day, and then print this article.

At first glance, yes, it is a long procedure. But it has been my experience that even when you clean a system with a known anti-malware program and it does restore functionality, it doesn't always clean up every remnant of the infection. So if you are like me and have to have things Mr. Clean clean, then follow along. Some steps are optional.

Most average home users can follow this guide and maybe save themselves some time and big money. These are some of the best tools around as of this writing, so your chances of succeeding are excellent. I've tried to be very thorough here and include reference tools along the way to help educate as well as guide you to a successful cleaning of your PC. It will take some time, so you need to be in a patient mindset before you start. Don't get frustrated! Good luck.

Last update to the article: 8/15/2012 by GEGeek

Contents
Step 1 Preparation
Step 2 Cleanup
Step 3 Backup
Step 4 Registry Cleanup
Step 5 Malware Removal
Step 6 Post Repairs
Step 7 Protection

Some preliminary notes before we start:

Note: How do I know I am infected? What are the signs? Click Here.
Note: Services to watch for infection.
Note: How can I find out the name of the virus I am infected with?

The first thing to try is System Restore. It is often overlooked or forgotten and could provide a very quick resolution to your problem. How To Use System Restore - Windows has a feature called System Restore that can restore your registry to a previously known good state. It's worth a shot. You can also download the System Restore Mgr to aid in restoring a restore point.

If you are unable to launch the GUI for the System Restore utility due to the infection, then go to Start, Run, and type cmd.exe. At the DOS prompt type the following:

c:\windows\system32\rstrui.exe

This will launch the System Restore utility. Select a date on which you know your computer was not infected.

The 2nd thing I would do right away is back up your important data from the drive. Back up your "My Docs" folder to an external drive. If you are unable to boot into Windows, you will need a rescue CD; I would recommend UBCD4WIN for that. Simply boot from the CD with an external USB drive connected, then navigate with the CD's built-in explorer and copy the files from your My Docs folder over to the USB drive for safekeeping while you try to clean the PC. You might have to call a friend to download and burn this CD for you, since you are infected and downloads may be disabled by the virus. Have him download all the files listed here as well while he's at it.

Note: A couple of tools I would also recommend, worth learning for the more advanced and adventurous users (Optional). Using these tools I have removed some viruses in a matter of minutes. Sometimes you get lucky, but you need to have some experience and knowledge about where viruses and spyware hide. Keep them in mind for the future.

Comodo Cleaning Essentials - Combo of tools: KillSwitch, Autorun Analyzer and Scanner
D7 - My new favorite tool. Still learning all the ins and outs of it, but it is quickly becoming my go-to tool.
Autoruns - Great tool to peek into all the hidden Windows locations where viruses and spyware can hide. How To Use Autoruns or Here
Process Explorer - Shows you information about which handles and DLLs processes have opened or loaded.
Process Monitor - An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
RegScanner - View the list of Registry keys modified in the last hours/days.
Unlocker - For times when you cannot delete a file or folder.
RKill - Attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.
HiJackThis - Scans startup hidden locations and generates a log file which you can submit to the URL below or a forum for help.

file:///H|/d7/3rd%20Party%20Tools/_Virus%20Repair%20Step%20by%20Step/GE%20Geek.htm[8/16/2012 7:08:23 AM]


Services - How malware hides and is installed as a service
Virus Removal Guide - Latest virus threats and their removal instructions
Startup Database - This database will allow you to search for programs that you find starting automatically on your computer and determine if they are considered to be malware (harmful), optional, unnecessary, or necessary to run.

Note: You could also check the links below to see if your particular malware is listed with exact removal instructions. Sometimes you will see the name of the virus in the title of the pop-up window. Enter the name, search and follow the instructions.
Updated List of Viruses from BleepingComputer.com
Latest Viruses Listed Here
Kaspersky List of Tools
AVG List of Tools
Symantec List of Tools
MalwareTips List

Note: Here's a reference of all Windows startup locations where malware typically hides (Optional): Bleeping Computer Windows Startup Locations

You can also search this database of known malware startup programs for help (Optional): Windows Startup Database
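As an added example (not a GE Geek tool), here is a small triage script that reads an Autoruns CSV export and picks out the startup entries worth looking up in the database above: images living in the temp and Recycler locations this guide names, images Autoruns cannot find, and images without a verified signer. The column names are assumed to match a Sysinternals Autoruns "Save as CSV" export, and the rows below are constructed.

```python
import csv
import io
import re

# Constructed sample with a subset of the Autoruns CSV columns (assumption:
# the column names and the "(Verified)" / "File not found:" conventions
# match the real export). Two rows imitate the fake-AV and RECYCLER-resident
# entries this guide describes; "Windows Safety Series" is a fake AV name.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,enabled,Logon,Synaptics TouchPad Enhancements,(Verified) Synaptics Incorporated,c:\program files\synaptics\syntp\syntpenh.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,Logon,,(Not verified),c:\recycler\s-1-5-21-111-222-333-1003\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Windows Safety Series,enabled,Logon,,(Not verified),c:\users\owner\appdata\local\temp\wss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,,(Not verified),File not found: c:\programdata\updater.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,,(Not verified),c:\windows\temp\old.exe
"""

# Hiding places named in this guide, matched against the lower-cased image path.
SUSPICIOUS_LOCATIONS = [
    (r"\\recycler\\", "RECYCLER folder"),
    (r"\\\$recycle\.bin\\", "$Recycle.Bin folder"),
    (r"\\temp\\", "temp folder"),
    (r"\\appdata\\(local|roaming)\\[^\\]+\.exe$", "loose exe directly in user AppData"),
    (r"\\programdata\\[^\\]+\.exe$", "loose exe directly in ProgramData"),
]


def triage_autoruns_csv(csv_text):
    """Return [(entry, image_path, [reasons])] for enabled entries worth checking."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "").strip().lower() != "enabled":
            continue  # a disabled entry cannot launch, so it is not urgent
        image = row.get("Image Path", "").strip()
        signer = row.get("Signer", "").strip()
        low = image.lower()
        reasons = []
        for pattern, label in SUSPICIOUS_LOCATIONS:
            if re.search(pattern, low):
                reasons.append("image located in " + label)
                break
        if not image or low.startswith("file not found"):
            reasons.append("image file missing (orphaned or self-deleting entry)")
        if not signer.lower().startswith("(verified)"):
            reasons.append("signer not verified: " + (signer or "none"))
        if reasons:
            findings.append((row.get("Entry", ""), image, reasons))
    return findings


def entries_to_look_up(findings):
    """Entry names to paste into the startup database, in export order, de-duplicated."""
    seen, names = set(), []
    for entry, _image, _reasons in findings:
        if entry not in seen:
            seen.add(entry)
            names.append(entry)
    return names


if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns_csv(SAMPLE_AUTORUNS_CSV):
        print(f"{entry!r:<26} {image}")
        for reason in reasons:
            print("    -", reason)
```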





HiJackThis - Program that scans all typical malware locations and creates a log file for you to upload for analysis (Optional). For help with HiJackThis logs, these sites analyze your HiJackThis log file and their database recommends deletions for possible infections. Be careful.
HiJackThis Analysis 1
HiJackThis Analysis 2
HiJackThis Analysis 3
HiJackThis Tutorial - Very detailed tutorial about all the locations checked by the HiJackThis program.

Note: If you can't boot into Windows or Safe Mode, it might NOT be due to infection; you may just need a rescue/repair instead (Optional).
How to Perform a Startup Repair in Windows 7
10 things you can do when Windows XP won't boot

If you can't boot into Windows due to infection, then you need an antivirus rescue CD (Optional).
Bootable Antivirus Rescue CDs
Kaspersky Rescue Disk
Vipre Rescue Disk
Dr Web Live CD


Following the procedure below is a methodical, lengthy process that anyone can employ. With a little patience and some time, chances are you will be successful and learn something along the way.

Step 1 Preparation - Preliminary Steps

a. Disable UAC in Vista/Windows 7 (just to speed things along during our repair process; turn it back on later if you desire). Go to the Start menu, type UAC in the search box, drag the slider down to the lowest level and click OK. Turn it back on when finished with this document.

b. Unhide all hidden files. The procedure for every version of Windows is located here. For Windows 7 I've listed the steps here: Close all programs so that you are at your desktop. Click on the Start button. Click on the Control Panel menu option. When the Control Panel opens, click on the Appearance and Personalization link. Under the Folder Options category, click on Show Hidden Files or Folders. Under the Hidden files and folders section, select the radio button labeled Show hidden files, folders, or drives. Remove the checkmark from the checkbox labeled Hide extensions for known file types. Remove the checkmark from the checkbox labeled Hide protected operating system files (Recommended). Press the Apply button and then the OK button. Now Windows 7 is configured to show all hidden files. Make sure to hide all these files again when finished with this document!

c. Disable ALL currently installed anti-virus programs or any other security product (just to speed things along during our repair process). The link below shows how to disable your security application if you are not sure. http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html Use Control + F on that page to search for your antivirus on how to disable it. Turn it back on when finished with this document.

d. Turn System Restore OFF. It's assumed you tried System Restore first. Since System Restore did not work, we will not be needing any of the previous restore points now, since they might be infected anyway. Viruses have been known to make themselves resident in the Windows System Restore area, which is a protected, read-only area. How to turn System Restore Off. Turning System Restore off deletes all these possibly infected files. Re-enable it when your PC is clean!

e. Delete the hibernate file - hiberfil.sys. I personally disable this on all desktops anyway. The hiberfil.sys file is hidden and by default is not visible in Windows Explorer, or accessible by any application, including anti-virus programs. Open the Control Panel, go to Power Options, select the Hibernate tab in the Power Options Properties and clear the Enable Hibernation check box. Reboot. Re-enable it when your PC is clean!

f. Delete the swap file - pagefile.sys. As a security option it should be set to "Clear page file at shutdown"; go here for the fix: AutoFix. Many viruses like to hide here as well. The only way to delete it is to set your swap file size to zero. Go to the Control Panel, System, Advanced, Performance, Settings, Virtual Memory; change the page file/swap size to zero (No Paging File) and reboot. Re-enable it when your PC is clean!

g. Delete temp files. Go to Start, Run and type %temp%; this will open a folder with all the temporary files on your computer. Delete all these files: use Ctrl + A and press the Del key. How To Delete Temporary Files in Windows XP


How To Delete Temporary Files in Windows 7

h. Delete the Recycler folder - not the same as the Recycle Bin when you have more than one user on the same system! There is a recycle bin for each user, and each user's recycle bin is stored in the Recycler folder. How to delete the Recycler folder: Recycler is a read-only folder, and that is why it gives an error if you try to delete it. To view the folder, go to Tools -> Folder Options -> View tab and uncheck the option Hide protected operating system files. Now just right-click on the folder, go to Properties and unselect the Read Only option. Now it can be deleted.

If the folder cannot be deleted, then something from the Recycler folder is loaded as a process. Find out which file that is and note its location. Then, from a command prompt:

cd C:\Recycler

Type cd and press Tab to see how many Sxxxxxxx-xxxxxx-xxx folders you have (press Tab once for the first folder, twice for the second, etc.; this is filename completion, so use it freely). Navigate into each of them in turn and run:

attrib -r -a -s -h *      (remove the attributes from all files)
del .                     (answer y to delete all files)
cacls *                   (see what is left over)
cacls * /d everyone       (if there are any leftovers, destroy their rights; answer y when asked if you are sure)

Now restart your computer, go back to the same RECYCLER folder (as described before) and just delete the file you noted (or leave it there). More about this folder

i. Run RKill http://www.bleepingcomputer.com/download/rkill - Attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. Just double-click the file you downloaded.

j. Run FixExec http://www.bleepingcomputer.com/download/fixexec - FixExec is a program that is designed to fix executable file associations for the .bat, .exe, and .com file extensions. Run this if you cannot execute any programs.

k. Run MalAware http://download2.emsisoft.com/malaware/MalAware.exe (Download Link) - Very small and good cloud anti-malware; this will remove most common to difficult infections. Make sure you have an internet connection. MalAware will provide an indication of whether a PC is infected with malware or not. -double click the file-->start-->Clean protect-->select exit-->next

Note: Sometimes viruses prevent or disable Internet Explorer from working (Optional). Here's a program that might repair your internet connection and IE: Complete Internet Repair. Try to get a 2nd copy of Opera, Firefox or Chrome downloaded from your 2nd PC or from your friend and install that as well. A portable browser might be a good alternative here as well: Portable Firefox

Note: If you cannot get into Safe Mode due to the infection, then download safemodefixer and run that to fix Safe Mode (Optional). Safe Mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. Running scans in Safe Mode is always preferred when possible.

Note: Some viruses will block the execution of certain antivirus programs by their name. I have in the past been successful by simply renaming the .exe file to a temp name, and the antivirus program was then able to run with no problem. Ex: rename mbam.exe to explorer.exe and it should run. Also please note that HitmanPro has a similar feature built in, where you hold down the left Control key while double-clicking the icon. This is called "breached mode" by the OEM and will bypass the bad guys preventing HitmanPro from launching.

l. Make sure MSConfig is set to Normal Startup Mode. How to use MSConfig

m. If you use AOL, specifically look in Add/Remove Programs for the programs below and uninstall them if found (Optional):
MyWay or MyWay Search Assistant
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Viewpoint Toolbar (Remove Only)
How to Remove Viewpoint

n. Check for a malicious proxy server - this will prevent internet access as well (just in case you did not run Complete Internet Repair). Some forms of malware may add a proxy server which prevents the user from accessing the internet. Start IE, Tools, Internet Options, go to the Connections tab. At the bottom, click on LAN settings. Uncheck the option Use a proxy server for your LAN. MiniToolBox - http://www.bleepingcomputer.com/download/minitoolbox - can do this for you.
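The same check as the LAN settings dialog above, done against a "reg export" of the per-user Internet Settings key so it can be run from a clean machine or kept as a record (added example; not part of this guide or of MiniToolBox). The key and value names are the real ones Internet Options writes; the export text is constructed, and the loopback case is flagged separately because a proxy at 127.0.0.1 means some local process is sitting between the browser and the network.

```python
import re

# Key that Internet Options > Connections > LAN settings writes to (real key
# and value names: ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride).
INTERNET_SETTINGS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                         r"\CurrentVersion\Internet Settings")

# Constructed 'reg export' text. A real .reg file is UTF-16LE, so read it with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8118;https=127.0.0.1:8118"
"AutoConfigURL"="http://proxy.example.invalid/wpad.dat"
"ProxyOverride"="<local>"
"""

# Constructed export of a machine with no proxy configured.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

# "Name"="string"  |  "Name"=dword:XXXXXXXX  |  "Name"=hex:..  (binary kept raw)
VALUE_RE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8})|(hex.*))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; dwords as int, strings unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, sval, dval, hval = m.groups()
            if dval is not None:
                keys[current][name] = int(dval, 16)
            elif sval is not None:
                keys[current][name] = sval.replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = hval
    return keys


def check_proxy(reg_export_text):
    """Return a list of findings for the HKCU proxy settings (empty = nothing set)."""
    values = parse_reg_export(reg_export_text).get(INTERNET_SETTINGS_KEY, {})
    enabled = bool(values.get("ProxyEnable", 0))
    server = values.get("ProxyServer", "")
    pac = values.get("AutoConfigURL", "")
    findings = []
    if server:
        findings.append(("proxy enabled: " if enabled else "proxy set but disabled: ") + server)
        if re.search(r"(127\.0\.0\.1|localhost)", server):
            findings.append("proxy points at loopback: a local process is relaying browser traffic")
    if pac:
        # A PAC script can redirect selected sites even with ProxyEnable = 0.
        findings.append("auto-config script (PAC) set: " + pac)
    return findings


if __name__ == "__main__":
    for label, text in (("infected sample", SAMPLE_REG_EXPORT), ("clean sample", CLEAN_REG_EXPORT)):
        print(label, "->", check_proxy(text) or ["no proxy configured"])
```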


Step 2 Cleanup - No cleaner is perfect, so I use a few different cleaners here in this process to be sure. These cleaners will go to every possible temp location and most hidden virus locations to remove leftovers and improve AV scan time.

a. Run CCleaner (only file cleaning; don't run reg cleaning) [http://www.piriform.com/ccleaner/download/portable] (the simplest temp file cleaner; it can also remove unwanted startup items) -double click file-->press 'run cleaner'-->close the program.

b. Run System Ninja (check all the options) http://singularlabs.com/software/system-ninja (removes temp files & backups that are not used, and saves lots of space). I like this one a lot.

c. Run TFC (after cleaning this will reboot your PC) Optional


http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer (specially designed for assisting malware removal tools; removes tool leftovers & leftovers from viruses) -double click file-->start (run this as administrator)

d. Run DiskMax Optional http://www.koshyjohn.com/software/diskmax (specifically for temp cleaning and disk defragmenting; everything automated) -install diskmax-->select 'complete' option.

e. Run JavaRa (removes old Java JRE) Optional [http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download] (removes older versions and useless leftovers of the Java Runtime Environment, JRE) -double click file-->select language-->remove older versions (close all web browsers)-->after that 'search for updates' (and install new version)-->now click on 'additional tasks'-->select the checkboxes 'remove useless JRE files', 'remove startup entry'-->GO

f. Run Revo Uninstaller Optional http://www.revouninstaller.com/revo_uninstaller_free_download.html (useful for removing toolbars and other garbage). Now is the time to remove these junk programs. -double click 'revouninstaller.exe'-->select the unwanted software you want to remove-->press 'uninstall'-->check 'moderate'-->press 'next'-->follow the application's uninstaller-->(now it will scan for remaining files & registry entries) press 'next'-->select all (for files & registry)-->delete leftovers-->finish


Step 3 Backup (Hippocratic oath - do no harm. If not successful, at least we can restore it to where it was and save our docs.)

a. Run Registry Backup http://www.tweaking.com/content/page/registry_backup.html (when we run any registry cleaner, or any antivirus product modifies the registry, there is a chance of registry corruption; this saves a copy of the current user profile and all registry hives for easy restoration) -double click 'Registry Backup.exe' (run as administrator). I would recommend keeping this program after all is said and done.

b. Run hostXpert - Hosts file editor http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid= (this tool can edit the hosts file, remove or apply permissions on the hosts file, and back up & restore the hosts file; when you are facing too many redirections, check this file and replace it with the original one using this tool) -double click file-->click on 'make file writeable'-->click 'backup restore'-->create backup (this will create the hosts file backup in the same folder where hostXpert is)-->click 'make readonly'-->exit

c. My Docs Backup - Optional. Now is the time to think about transferring those important docs, songs and pictures if you did not do it before, as mentioned earlier. Suggestion: create a folder called backup on another partition, or better yet an external USB drive, and transfer your files. Once your system is clean you can then turn your attention to that folder and scan through the files to make sure they were not affected. The best program I've seen for this is a piece of shareware called Fabs AutoBackup.

Step 4 Registry Cleanup - Removes and possibly repairs registry entries

a. Run Wise Registry Cleaner http://www.wisecleaner.com/wiseregistrycleanerfree.html (this is a safe registry cleaner which will fix many internet and file related problems) -double click 'WiseRegistryCleaner.exe'-->select language-->cancel the backup option (because we have already done it)-->scan (make sure it is on 'check all')-->Fix-->exit

b. Run Glary Registry Repair http://www.glarysoft.com/products/utilities/registry-repair (another registry cleaner with a good reputation) -install (uncheck Ask toolbar)-->start Glary Registry Repair-->scan registry for problems-->'repair'-->close-->exit


Step 5 Malware Removal (only quarantine virus files if not sure) - You don't have to run all of them, only those that apply.

Part 1 General infection removal - Run all of these!

a. Run SpybotSD http://www.safer-networking.org/en/download (this tool removes malware entries based on registry hives; works well for bot removal; removes registry entries made by malware and unhooks them) -install-->start SpybotSD-->'search for updates'-->'check for problems'-->'fix problems'-->uninstall program (optional)

b. Run Malwarebytes Anti-Malware http://www.malwarebytes.org/products/malwarebytes_free (most effective and specialized tool for malware & fraud software removal) -install-->update database-->'full scan'-->remove findings (when asked to reboot, do it)

c. Run Emsisoft Emergency Kit scanner http://www.emsisoft.com/en/software/eek (this is a new-generation antivirus scanner with good detection, but it gives some false positives; overall it works under any conditions) -double click 'emergencykit.bat'-->update database-->select 'deep scan'-->quarantine infected files-->exit

d. Run SuperAntiSpyware http://www.superantispyware.com - Another excellent program for ridding you of spyware.


Part 2 Rootkit removal (Run in normal mode and always select disinfect)

a. Run TDSSKiller http://support.kaspersky.com/faq/?qid=208283363 (most effective automated anti-rootkit tool for all versions of the TDSS rootkit; works on both 32-bit & 64-bit OS) -double click file-->check both options & start scan-->ONLY APPLY CURE OR DISINFECT OPTION-->close. Note: If TDSSKiller will not open, download and run FixTDSS from Symantec.

b. Run Trend Micro RootkitBuster http://www.bleepingcomputer.com/download/trend-micro-rootkitbuster - This scanner will scan for rootkits that are using the latest technology, including Master Boot Record (MBR) infections.

c. Run ComboFix [http://www.bleepingcomputer.com/download/anti-virus/combofix] (very useful for trojan and rootkit removal; catches what the major AV tools miss) -double click file (RUN AS ADMINISTRATOR)-->this will run all scans. Read the instructions carefully!

d. Run Norman TDSS Cleaner Optional http://www.norman.com/support/support_tools/77201/en (good automated tool for MBR and kernel-hooking rootkit removal) -double click file-->start scan-->it will automatically cure infections-->close

e. Run GMER (ONLY FOR EXPERTS) Optional http://www.gmer.net (best for manual removal of rootkits; includes cmd shell, registry and process views) -double click file-->select 'rootkit/malware'-->remove detection-->close


Part 3 Fake security programs (antivirus, antispyware, optimization tools) - Run only if they apply! Optional

First boot into Safe Mode (these tools are self-explanatory; follow the instructions on screen)

a. Run Remove Fake Antivirus http://freeofvirus.blogspot.com/2009/05/remove-fake-antivirus-10.html

b. Run SmitfraudFix http://siri.geekstogo.com/SmitfraudFix.php (Windows XP only)

c. Run Stinger Fake-Alert http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

(The above are separate tools from different authors for fraudware & malware that remove fake alerts on your system.)

Step 6 Post Repairs (Do this even if all looks fine) Once the malware is removed from your PC, you may experience some annoying problems, such as Windows Update fails to start, Google search results being redirected, and missing files. Fortunately, there are easy ways to fix these problems.

a. Run Windows Repair (All In One) if functions are not fully restored. http://www.tweaking.com/content/page/windows_repair_all_in_one. With Tweaking.com Windows Repair you can restore Windows' original settings. For Windows XP, 2003, Vista, 2008 & 7 (32 & 64 bit).

b. Run Advantage-PC-Fix -- ONLY FOR VISTA/WIN7 - if functions are not fully restored. http://www.advantage-pc.com/?page_id=721 (only for Vista/Win7 machines) -double click file-->under 'fixes & utilities'-->select 'system file checker', 'driver verifier', 'file signature verifier'-->press 'run'-->select all under 'vista repair options'-->press 'process checked'

c. Run Security-Restore http://www.softpedia.com/get/Security/Security-Related/Security-Restore.shtml (restores security settings for internet, system etc. which may be altered by malware) -double click file-->press 'GO' (it will take some time to complete)

d. Run Complete Internet Repair (RUN ONLY IF INTERNET PROBLEMS PERSIST) Optional http://www.datum-forensics.com/downloads/?did=4 (repairs most "internet not working" problems) -double click file (run as administrator)-->simply select every option and hit 'GO'. Bonus program, if needed: Repair Internet Explorer - http://www.tweaking.com/content/page/repair_internet_explorer.html

e. Run Re-Enable http://www.tangosoft.co.uk/index.html Optional - Re-Enable was designed to repair the leftover damage caused by viruses, malware and trojans.

f. Additional issues for "post virus". Fortunately I have gathered a collection of small fixes for almost every post-virus issue. Go here for the list of fixes.

g. Disk Heal - Allows you to fix common errors which are caused by certain viruses. Optional http://www.computer-realm.net/diskheal

h. Repair all damage left by the malware - Read this article for more details: http://www.techsupportalert.com/content/how-fix-malware-infected-computer.htm


Step 7 Protection


Part 1 Passive Protection to Prevent Infections in the Future

a. Disable autorun (this is a must in my mind) -just run the setup which is applicable for your OS http://www.disableautorun.com

b. Add MVPS Hosts File updates (this is a must in my mind) http://winhelp2002.mvps.org/hosts.htm - Simple program that adds almost 10,000 known bad sites to your hosts file and blocks these sites from loading. Probably the single most important and simple step you can take to protect yourself.
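An added example (not GE Geek's or MVPS's code) that serves both the redirection check with hostXpert in Step 3b and the block entries described here: it reads a hosts file and separates harmless block entries (names pinned to 0.0.0.0 or 127.0.0.1, the MVPS style) from entries that send a name somewhere else, flagging as hijacks the ones that hit the update and cleaner sites this guide relies on. The watched-domain list is an assumption built from the sites named in this guide, and the hosts text is constructed.

```python
import ipaddress

# Addresses that a block entry, or the localhost line itself, points at.
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Sites a hijack usually targets so the victim cannot reach cleaners or updates
# (assumption: this list is built from the tool sites named in this guide).
WATCHED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "malwarebytes.org",
                   "bleepingcomputer.com", "emsisoft.com", "kaspersky.com",
                   "superantispyware.com", "safer-networking.org")

# Constructed hosts file: two block entries, one LAN entry, three hijacks and
# one garbage line (198.51.100.0/24 is a documentation range, not a real host).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net
0.0.0.0         www.ads.invalid
192.168.1.10    printer.lan
198.51.100.23   www.malwarebytes.org
198.51.100.23   update.microsoft.com
198.51.100.23   www.bleepingcomputer.com
bogus           not-an-address
"""


def _is_watched(name):
    n = name.lower()
    return any(n == d or n.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Count block entries, list every redirect (marking hijacks), list bad lines."""
    report = {"block_entries": 0, "redirects": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            ip = None
        if ip is None or len(parts) < 2:
            report["invalid"].append((lineno, raw.strip()))
            continue
        names = parts[1:]
        if parts[0] in NULL_ROUTES or ip.is_loopback:
            # localhost itself is normal; any other name pinned here is a block entry
            report["block_entries"] += sum(1 for n in names if n.lower() not in LOCAL_NAMES)
            continue
        for n in names:
            # Anything else redirects the name. A LAN printer is fine; a security
            # vendor or update site pointed at a stranger's address is not.
            report["redirects"].append({"line": lineno, "name": n, "addr": parts[0],
                                        "hijack": _is_watched(n)})
    return report


def hijacked_names(report):
    """Names from the report that point a watched site away from its real address."""
    return [r["name"] for r in report["redirects"] if r["hijack"]]


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("block entries:", result["block_entries"])
    print("hijacked:", hijacked_names(result))
    print("invalid lines:", result["invalid"])
```

To run it against a live machine, read C:\Windows\System32\drivers\etc\hosts and pass its contents to audit_hosts.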

c. Use WOT (Web of Trust) http://www.pcworld.com/downloads/file/fid,73058/description.html - Warns you and ranks sites as you surf.

Part 2 Active Protection

a. Install Comodo Internet Security http://www.comodo.com/home/internet-security/free-internet-security.php

b. Install the antivirus of your choice - many are free. No excuse not to have something running. http://www.filehippo.com/software/antimalware/antivirus http://www.pcmag.com/article2/0,2817,2400355,00.asp

c. Here is a complete list of all security measures you can take to protect yourself in the future.


NOTE: At this point your system should be clean, if indeed you found some viruses or spyware and successfully cleaned them from your system. Try booting up normally and test the system once again. If the virus or spyware persists, then it's time to think about a reload or seeking professional help, depending on how important the data and current load of the machine are to you.
