If you would like to pay for your virus removal, try McAfee Virus Removal Service, or a more affordable alternative, PcCare.com.

Step 1

Step 2

Temporarily turn off all unnecessary programs.

    Start->run->msconfig->Start up->disable all->apply->ok
    Start->run->msconfig->Services->Hide all Microsoft entries->Check->disable all->apply->ok

Download the Sysinternals Suite and run autoruns. Uncheck any unverified program, but be careful not to turn off the drivers you need to start your system (see Step 1).

Start up Internet Explorer->Tools->Manage Add-ons->Enable or disable add-ons->Disable all add-ons.

Step 3

This step verifies that your computer's operating system files are not damaged. Insert the Windows (XP, Vista) CD-ROM into your CD/DVD drive. Your computer manufacturer should have supplied this CD-ROM when you bought your computer. Click Start, then Run, and copy and paste the command below into the text box:
sfc /scannow
Click OK. To check the log file results, see (here). Fixing infected files (here).

Sfc may request your operating system CD-ROM; if you have one, insert it into your CD-ROM drive. If you don't, obtain a CD-ROM from someone who is running the same version of XP that you are (Home, Professional, Home Basic, etc.). If you can't obtain the CD-ROM, try to obtain the I386 directory from a local technician. You might also call Microsoft and have them send you an ISO image (mount). The I386 directory can be copied to your system and enabled by setting the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

If you copied your I386 directory to c:\temp\i386, then SourcePath should point to c:\temp. Once you have successfully completed sfc, you must restore this value to its original setting.

Vista computers don't have an I386 directory. If sfc fails, use your operating system CD-ROM and run an UPDATE, not a fresh install, then re-run sfc. See Vista Upgrade: the upgrade can be performed with the upgrade CD-ROM or the original installation CD-ROM.

Step 4

Run the following scans to uncover viruses. Advanced procedure to uncover virus-infected files (here).

Step 5

Re-enable all programs you turned off in Step 2.

Complete - no more steps

Helpful links

CHECK FOR ROOTKITS

Use windbg to remove active rootkits (here). Note: you will see windbg connections in tcpview.exe; they're OK.

GMER -> download, unzip and run GMER. Some entries can be fixed by right-clicking the entry and selecting "remove code".

Delete infected registry keys with regedt32.exe or regdelnull.exe (in the pccare directory).

System cleanup will speed up the entire process by reducing the number of files requiring investigation.

Install a commercially available anti-virus.

Microsoft Windows Defender -> Defender doesn't require you to fill out forms or provide your email address.
Vista computers already have Defender installed: Start->Control Panel->Security->Windows Defender

AVG
Snort
Spybot
Microsoft tools

Restart your computer and check whether the virus symptoms have gone away. If so, your virus is gone and there's no need to continue. If your symptoms persist, run additional virus/spyware removal tools from Additional Virus/Spyware. If you believe the virus damaged your system, continue to the next step.

Some viruses and spyware change the internet addresses of sites you use. This step checks for that.

    Start->run
    notepad C:\WINDOWS\system32\drivers\etc\hosts

Normally this file is empty. If it has many entries containing the same numbers, or entries naming popular web sites, it may be a virus. Here's an example of a virus I found on one of my customer's computers:

    10.18.250.4 ad.doubleclick.net
    10.18.250.4 ad.fastclick.net
    10.18.250.4 ads.fastclick.net
    10.18.250.4 ar.atwola.com
    10.18.250.4 atdmt.com
    10.18.250.4 avp.ch
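The two warning signs described above (many hostnames pinned to one address, and well-known sites redirected anywhere other than loopback) can be checked automatically. The script below is an added example, not part of the original page; the sample hosts content is constructed from the page's own list, and the watch-list of domain names is an assumption for illustration.

```python
from collections import defaultdict

# Constructed sample modelled on the page's example: ad and anti-virus
# hostnames pinned to one address that is not loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
"""

# Assumed watch-list of sites a user would not expect to find pinned in hosts.
WATCHED_SUFFIXES = ("avp.ch", "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com")
# Addresses that ad-blocking hosts files legitimately use; mappings to these are not hijacks.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text, repeat_threshold=3):
    """Report addresses shared by many hostnames and watched domains sent elsewhere."""
    entries = parse_hosts(text)
    by_ip = defaultdict(list)
    for ip, name in entries:
        by_ip[ip].append(name)
    # First red flag: many hostnames mapped to the same non-sinkhole address.
    clustered = {ip: names for ip, names in by_ip.items()
                 if ip not in SINKHOLES and len(names) >= repeat_threshold}
    # Second red flag: a well-known site redirected to a real address.
    hijacked = sorted(name for ip, name in entries if ip not in SINKHOLES
                      and any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES))
    return {"clustered": clustered, "hijacked": hijacked}
```

On a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to suspicious_entries; a non-empty "clustered" or "hijacked" result is what the page tells you to look for.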
You can rename the file to prevent the virus from spying on your computer by doing the following:

    Start->run
    rename C:\WINDOWS\system32\drivers\etc\hosts hosts.bak

Verify the checksums of all system32 files:

    sigcheck -e c:\windows\system32

The following command checks every file on the disk. Windows will execute any file with an EXE header (inside the file), so files with a .gif extension that show up in this list could very possibly be a virus. Also, if you have a Bart or PE image, run this command in the PE environment and then in normal boot mode, and compare the results to discover hidden rootkit files:

    sigcheck -e -a -s c:\ > c:\temp\sigcheck.txt

To verify against Windows catalog files:

    sigcheck -c C:\WINDOWS\system32\CatRoot\{guid}\nt5.cat *.*
Step 8

If your control panel is missing from your start menu, create the following registry key:

    [HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Start_ShowControlPanel"=dword:00000002

Master Boot Record

If your master boot record becomes infected, proceed with caution. Viruses sometimes rearrange the partition table, and if you restore the master boot record with the original partitions, the disk will be unreadable. The following commands update the master boot record: FDISK /MBR, Fixmbr. More info. MBRTool.

    Start->run->mmc
    File->Add/remove snap in->Certificates->My User Account->Finish
    File->Add/remove snap in->Certificates->Computer Account->Local computer->Finish
    OK

Compare serial numbers against these certs:

Note: During normal browsing of https sites, root certs are added automatically to the root cert lists. Cert deletions will not prevent a cert from being added again in the future. Therefore, leave all certs intact, and verify the hashes on the ones listed in 293781.