noquest banner



How to remove almost any virus without an antivirus

When a computer virus strikes our system, even having an antivirus installed, sometimes it is difficult to remove it.
This is a guide to remove almost any virus for Microsoft Windows 7 but it is very likely we can apply it to Vista/XP systems.
The situation is that the virus is inside the system and it is working hard, our antivirus is useless.
In this guide we are not going to use what is technically called an antivirus (software to prevent, detect and remove virus), in our case, the prevention failed, so we are going to use removal tools and utilities.

Why our antivirus did not block it?

In order to protect the computer against viruses, we must update not only our antivirus but the operating system and all the internet related software must be also up to date. Old versions of Adobe Acrobat Reader, Sun Java or Flash Player are usually an open door for viruses and trojans.

Anyway, it is time to remove the virus. Below there is a list of procedures that we can apply in that order.

System Restore


Start > All Programs > Accessories > System Tools > System Restore

We would like to choose a restore point before our system got infected. It is a good idea to take it back one week before that date. That is because the virus could be there working on the background and we did not notice it.
There is a check box labeled "Show more restore points".

Restore
Restore system files and settings software

This procedure will not affect your documents, but installed software, printers and with some luck the virus.
However, some virus disable this function, so it may be possible that we cannot use the restore point function.
After the requested reboot, it is time to scan all the system files with our antivirus.

Remove unwanted software

We call it virus, trojans, rootkits, worms, logic bombs, but it is difficult to classify them when we do not know what is really going on in our system.
We can remove unwanted software with care. The main rule is: If we don't know what it is, then keep it.

Start > Control Panel > Click on View by: Small icons > Programs and features.

This shows all the installed software in our system. Look for "whatevername Toolbar" and uninstall it.
Usually toolbars are unwanted software that gets installed on Internet Explorer and show us advertisements, keep track of visited websites and even may log our key presses.
This step may not remove the virus but will speed up the system.

Kill them all

Utilities and standard tools bundled on Windows are not powerful enough for our mission. We need to download tools.
Let's first check for unwanted proxy configuration.
Virus may redirect us to evil websites, an easy way to check it is in:

Start > Control Panel > Internet options > Connections tab > LAN settings

Uncheck the box: Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections).

Proxy settings
Proxy server must be unchecked

Download and save the following files from Microsoft Sysinternals (we will talk about them later):

http://live.sysinternals.com/procexp.exe
http://live.sysinternals.com/autoruns.exe

RKill

A good tool that we need is RKill, download it and save the rkill.com flavor from:
http://www.bleepingcomputer.com/download/anti-virus/rkill

Virus writers are very smart people and their virus may be programmed to kill our antimalware tools, that's why if these three utilities do not work, we can try to rename them to something like explorer.exe so the virus thinks it is a simple system process.

RKill is a nice tool. When we run it in our system, it will attempt to terminate known malware processes, a console window will be displayed briefly on the screen and nothing more will happen, apparently of course.
Run it two or three times to be sure that unwanted software is not running in memory, a side effect is that it will close all open windows.

RKill screenshot
RKill closes unwanted processes

Procexp

Run procexp, this tool shows us running applications, processes and services. It is like Windows Task Manager on steroids.
We must look the Process column for suspicious names, then right click and Kill Process Tree.
For suspicious names, we look for random names like: jaisojfsdoasoji.exe. We can also right click on a name and click properties to know the path where the program is located.

Processxp screenshot
Procexp, much better than task manager

Autoruns

Run autoruns, this tool lists all the self-loaded programs that run when the system starts. Check on every tab for random names or entries without a publisher name and uncheck them.
In this way we make sure that the running malware that we stopped when running RKill and procexp will not be loaded again.

Autoruns screenshot
Autoruns, much better than msconfig

What to do when in doubt

Whether in procexp or in autoruns, if in doubt about a suspicious file, we can check it on virustotal.com website.
Right click on the file and then on Properties to know the file path, then open Internet Explorer and go to:

http://www.virustotal.com/

Upload the suspicious file to the website and let it scan with multiple antivirus. Then you will know if it is a virus, trojan or rootkit, and its name.

Virustotal screenshot
Virustotal.com is a good free service






Cleaning software

Some antivirus companies release every month or week a free tool to remove the top hitting virus.
This software does not need to be installed and can be downloaded, saved and run on our system freely.

Microsoft Windows Malicious Software Removal Tool
On the second Tuesday of each month, Microsoft releases an updated version of the tool.
Download it from:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
There is a 32bit and also a 64bit version.
The complete virus list that this tool removes can be found here.
Download and run the tool, try the Quick scan first, that only searches in the main folders where viruses usually hide, the Full scan is very slow because it checks every file on the computer, leave it for a later use.

Malicious SoftwareRemoval
Tool
Microsoft tool for fast virus removal

McAfee Stinger

Like MS Malicious Removal Tool, Stinger scans and removes top viruses; it is updated every few days.
Download it from:
http://www.mcafee.com/es/downloads/free-tools/stinger.aspx
The Scan Now button searches all the files in the system, so it is a slow option. A faster approach is to click Browse, select the C:\Windows\system32 folder where most viruses are found. We can scan all the system later.

McAfee Stinger
McAfee tool is frequently updated


Kaspersky Anti-rootkit utility

A rootkit is a program that hides the presence of virus in the system. Kaspersky developed TDSSKiller, a very powerful and fast tool.
Download it from:
http://support.kaspersky.com/faq/?qid=208283363

Kaspersky anti-rootkit
TDSSKiller helps removing virus that other tools cannot find


Hijackthis

This is a free utility from Trendmicro, like autoruns, it lists all the services and applications that run when the system starts.
Download it and install from:
http://free.antivirus.com/hijackthis

We can paste the results to these websites, so Hijackthis can automatically check for evil software.
http://hijackthis.de/
http://hjt.iamnotageek.com/

Hijackthis
Hijackthis analyzer

Malwarebytes

Malwarebytes Anti-Malware Free is the king of the hill in removing malware.
Download it and install from:
http://www.malwarebytes.org/
It is always important to click on the Update tab before using it.
If a virus blocks the update process, we can download the updates apart from:
http://data.mbamupdates.com/tools/mbam-rules.exe
Once installed and updated it is time for a quick scan. You can perform the full scan later on.

Malwarebytes
Malwarebytes does a good job in cleaning the malware files


ComboFix

The last option to remove a virus is to run this tool: Combofix.
Download it and install from:
http://www.bleepingcomputer.com/download/anti-virus/combofix
ComboFix removes strange programs that run automatically, and maybe others that you use.
It is a slow process, but it installs a system recovery console and after 50 steps trashes all the suspicious programs, services and registry entries.
Keep this ace for the last hand, but play it hard, it is almost always a win, even for unknown viruses.

Combofix
Combofix: a radical tool that could be our last chance


Specialiced virus removal tools

When we know the virus name, and that virus had hit many computers, some antivirus companies release a free specialiced tool to destroy it.
This could really save us some time.

ESET removal tools:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2372&cat=EAV4&actp=LIST

AVG removal tools:
http://www.avg-antivirus.com.au/avg_virus_removal.htm

Symantec removal tools:
http://www.symantec.com/security_response/removaltools.jsp

Kaspersky removal tools:
http://www.kaspersky.com/virus-removal-toolsHow



April 2012.

Use main page comments for questions.


Tweet
Copyright NoQuest.com Contact NoQuest.com