Chris Nowell
Information Security
How to Remove Viruses and Spyware
I get many requests to remove viruses and spyware from clients' computers. In some cases, special skills are required. In most cases, however, the following algorithm will suffice. These instructions come from several years of removing viruses for a living, working help desk, and several security certifications.

Please note: steps 16 and 34 can cause problems if you disable a required registry entry or service and do not reverse the change afterwards. Use them with caution. If you are not very familiar with Microsoft Windows administration, do not use these instructions.

Do NOT do anything in addition to the following instructions. Once you start your computer, DO NOT run Internet Explorer or other programs. Start your computer in "Safe Mode", not "Safe Mode with Networking Support".

If you know which virus you have:
1. On a safe machine, go to http://www.symantec.com/avcenter/global/tools.list.html
2. Download the removal tool for the specific virus, save it to a floppy or CD-R, start the infected machine in Safe Mode (steps 7 and 8 below), and then run the downloaded tool.

If you do not know which virus you have:
1. On a safe machine, look up the suspected spyware to learn file names etc.
2. In Internet Explorer (on the safe machine), go to:
http://www.trendmicro.com/download/dcs.asp
3. Download “Sysclean Package”
4. In Internet Explorer (on the safe machine), go to:
http://www.trendmicro.com/download/pattern.asp
5. Download the latest Virus Pattern File
6. Extract the pattern file and sysclean.com to the same directory and burn onto a CD-R
7. Turn on or restart the infected machine
8. Before Windows starts, repeatedly press the F8 key, and enter "Safe Mode". If you haven’t already done so, disable the system restore feature of Windows XP as shown below.
9. Right-click the task bar, and choose "Task Manager" (if you cannot right-click on the taskbar, press Ctrl+Alt+Delete and choose Task manager)
10. Click the "processes" tab
11. Check "Show processes from all users"
12. Scroll up and down and end all processes other than the following:
  • taskmgr.exe
  • explorer.exe *
  • wmiprvse.exe
  • HelpSvc.exe
  • svchost.exe *
  • lsass.exe
  • services.exe
  • winlogon.exe
  • csrss.exe
  • smss.exe
  • System
  • System Idle Process

    You can also end the processes marked with asterisks. However, if you do, your computer will have significantly reduced capabilities. If you end explorer.exe, DO NOT close Task Manager.

13. Within Task Manager, click “File” then “New Task (Run…)”
14. Type:
Regedit
15. Double-click the following, in order:
    1. HKEY_LOCAL_MACHINE
    2. SOFTWARE
    3. Microsoft
    4. Windows
    5. CurrentVersion
    6. Run
16. In the right pane, look for anything unusual. If you spot something from the spyware you found in step 1, double-click it. In the "Value data:" field, type:
     REM
before the existing filename, so the original command is kept and can be restored later. Example:
     NAIL.EXE
Becomes:
     REM NAIL.EXE
Click OK.
17. Do the same thing under “RunOnce” and “RunOnceEx”
18. Repeat steps 13 through 17, but start at "HKEY_CURRENT_USER". Also repeat the above, but use "Windows NT" instead of "Windows". Finally, repeat using HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion > Winlogon.
19. Close the Registry Editor
20. Back in Task Manager, click the "File" menu, then "New Task (Run…)"
21. Type the following (it opens the Control Panel):
control
22. Double-click “Internet Options”
23. On the “General” tab, under “Temporary Internet files”, click “Delete Files…”
24. Check the “Delete all offline content” box, and click “OK”
25. Click the “Programs” Tab.
26. Click “Reset Web Settings…”
27. Check the “Also reset my home page” checkbox and Click “Yes” and “OK” if needed
28. Click the “General” tab.
29. On the “General” tab, click the “Use Blank” button
30. Click “OK” to close Internet Properties.
31. In the control panel, double-click “Administrative Tools”
32. Double-click “Services”
33. Go through the list and look for services with an “Automatic” Start-up type.
34. If you don't recognize a service, or it is on the list gathered in step 1, right-click it, choose "Properties", and in the "Startup type" drop-down change "Automatic" to "Disabled". Also click the "Stop" button if the service is currently running. Click "OK".

Hopefully the virus/spyware is no longer running.

35. Create a new folder on your desktop (right-click the desktop, select "New", then "Folder").
36. Copy sysclean.com and the extracted pattern file from the CD-ROM to this new folder.
37. Run sysclean.com and ask it to automatically clean.
38. Go through the log files it generated and take action on the detected viruses.
39. Restart your computer in safe mode again. Repeat steps 13 through 18. Take note of any files that have re-appeared. Research them and take suggested action.
40. Restart your computer in Normal mode (or safe mode with network support if normal mode is still not working).
41. Run Trend Micro’s House Call program through Internet Explorer by visiting: http://housecall.trendmicro.com
42. Repeat steps 1-34. If you know where any virus files are, after step 34, delete them manually.
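A read-only triage script, added here and not part of the original instructions, that lists the same three things steps 12, 15 through 18, and 33 through 34 have you inspect by hand: autorun values under the Run, RunOnce, RunOnceEx and Winlogon keys (marking those already prefixed with REM as neutralised), services with Automatic start-up and their binary paths, and running processes outside the step 12 list. It assumes Windows PowerShell 2.0 or later on an elevated prompt and changes nothing.

```powershell
# Added triage script (not from the original page). Read-only: it only lists
# what the manual steps inspect. Assumes Windows PowerShell 2.0+ (Get-WmiObject).

# Registry locations walked in steps 15-18: Run/RunOnce/RunOnceEx under both
# hives and both the "Windows" and "Windows NT" branches, plus the Winlogon key.
$autorunKeys = @()
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in 'Run', 'RunOnce', 'RunOnceEx') {
        $autorunKeys += "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        $autorunKeys += "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\$name"
    }
    $autorunKeys += "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
}

# Process names the page allows to keep running in step 12 (Get-Process reports
# them without ".exe"; "System Idle Process" appears as "Idle").
$allowedProcesses = 'taskmgr', 'explorer', 'wmiprvse', 'helpsvc', 'svchost',
                    'lsass', 'services', 'winlogon', 'csrss', 'smss', 'System', 'Idle'

# Metadata properties Get-ItemProperty adds to every result; not registry values.
$psMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

Write-Host '=== Autorun registry values (steps 15-18) ==='
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($psMetadata -contains $prop.Name) { continue }
        # A value already prefixed with REM (step 16) no longer launches anything.
        $state = if ("$($prop.Value)" -match '^\s*REM\b') { 'neutralised' } else { 'active' }
        Write-Host ("{0,-11} {1}`n    {2} = {3}" -f $state, $key, $prop.Name, $prop.Value)
    }
}

Write-Host '=== Services with Automatic start-up (steps 33-34) ==='
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Sort-Object Name | ForEach-Object {
        Write-Host ("{0,-8} {1,-30} {2}" -f $_.State, $_.Name, $_.PathName)
    }

Write-Host '=== Running processes not on the step 12 list ==='
Get-Process | Where-Object { $allowedProcesses -notcontains $_.ProcessName } |
    Sort-Object ProcessName | ForEach-Object {
        Write-Host ("{0,6}  {1}" -f $_.Id, $_.ProcessName)
    }
```

Compare the listed binary paths and value names against what you researched in step 1 before deciding which entries to neutralise in step 16 or disable in step 34.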



To disable the system recovery feature of Windows XP (copied from TrendMicro.com):
1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. When you are done cleaning the spyware/virus from your computer, re-enable System Restore by clearing "Turn off System Restore".
© 2006, 2007, 2008 Christopher A. Nowell, BSc, CISSP, CISA, TCSP