How to remove almost any virus without an antivirus
When a computer virus strikes our system it is sometimes difficult to remove, even with an antivirus installed. This is a guide to removing almost any virus from Microsoft Windows 7; most of it also applies to Vista and XP. The situation is this: the virus is inside the system and working hard, and our antivirus is useless against it. In this guide we are not going to use what is technically called an antivirus (software to prevent, detect and remove viruses). In our case prevention has already failed, so we are going to use removal tools and utilities.

Why did our antivirus not block it? To protect a computer against viruses we must keep not only the antivirus up to date but also the operating system and every piece of internet-facing software. Old versions of Adobe Acrobat Reader, Sun Java or Flash Player are usually an open door for viruses and trojans. Anyway, it is time to remove the virus. Below is a list of procedures that we can apply in this order.

System Restore

Start > All Programs > Accessories > System Tools > System Restore

We want to choose a restore point from before the system got infected. It is a good idea to go back one week before that date, because the virus could have been working in the background for a while before we noticed it. There is a check box labeled "Show more restore points".

(Screenshot: Restore system files and settings)

This procedure will not affect your documents, but it does roll back installed software, printers and, with some luck, the virus. However, some viruses disable this function, so it may be that we cannot use restore points at all. After the requested reboot, it is time to scan all the system files with our antivirus.

Remove unwanted software

We call them viruses, trojans, rootkits, worms, logic bombs, but it is difficult to classify them when we do not know what is really going on in our system. We can remove unwanted software, with care. The main rule is: if we don't know what it is, then keep it.
Start > Control Panel > click on View by: Small icons > Programs and Features. This shows all the software installed on our system. Look for "whatevername Toolbar" and uninstall it. Toolbars are usually unwanted software that gets installed into Internet Explorer to show us advertisements, keep track of visited websites and even log our key presses. This step may not remove the virus, but it will speed up the system.

Kill them all

The utilities and standard tools bundled with Windows are not powerful enough for our mission. We need to download tools.

Let's first check for an unwanted proxy configuration. A virus may redirect us to evil websites, and an easy way to check is in: Start > Control Panel > Internet Options > Connections tab > LAN settings. Uncheck the box "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)". While there, also make sure no unexpected automatic configuration script (PAC URL) is set, since that is another way to redirect browser traffic.

(Screenshot: Proxy server must be unchecked)

Download and save the following files from Microsoft Sysinternals (we will talk about them later):

http://live.sysinternals.com/procexp.exe
http://live.sysinternals.com/autoruns.exe

RKill

Another tool we need is RKill. Download it and save the rkill.com flavor from: http://www.bleepingcomputer.com/download/anti-virus/rkill

Virus writers are very smart people, and their virus may be programmed to kill our anti-malware tools. That is why, if these three utilities will not run, we can try renaming them to something like explorer.exe so the virus takes them for a plain system process.

RKill is a nice tool. When we run it, it attempts to terminate known malware processes: a console window is displayed briefly on the screen and, apparently, nothing more happens. Run it two or three times to be sure that no unwanted software is left running in memory. A side effect is that it will close all open windows. RKill only stops processes; it does not delete files or startup entries, so the malware will be back after a reboot unless the following steps remove it.

(Screenshot: RKill closes unwanted processes)

Procexp

Run procexp. This tool shows us running applications, processes and services.
It is like Windows Task Manager on steroids. Look down the Process column for suspicious names, then right-click and choose Kill Process Tree. Suspicious names are typically random-looking, like jaisojfsdoasoji.exe. We can also right-click on a name and choose Properties to see the path where the program is located; a program running from a temporary or user profile folder rather than from Program Files or Windows deserves a closer look.

(Screenshot: Procexp, much better than Task Manager)

Autoruns

Run autoruns. This tool lists every program that loads itself when the system starts. Check every tab for random names or entries without a publisher name and uncheck them. Unchecking only disables an entry, so it can be re-enabled later if it turns out to be legitimate; Delete removes it for good. In this way we make sure that the malware we stopped with RKill and procexp will not be loaded again.

(Screenshot: Autoruns, much better than msconfig)

What to do when in doubt

Whether in procexp or in autoruns, if in doubt about a suspicious file we can check it on the virustotal.com website. Right-click on the entry and then on Properties to find the file path, then open Internet Explorer and go to: http://www.virustotal.com/ Upload the suspicious file to the website and let it scan the file with multiple antivirus engines. Then you will know whether it is a virus, trojan or rootkit, and its name.

(Screenshot: Virustotal.com is a good free service)
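The proxy, process, autorun and VirusTotal checks above can be run in one go from a PowerShell prompt. The script below is an added example, not code from the original article or from Sysinternals: it reads the WinINET proxy values that the LAN settings dialog edits, lists running processes whose name looks random or whose image is unsigned or sits in a user-writable folder, dumps the Run/RunOnce autostart keys, and hashes a file so it can be searched on VirusTotal by SHA-256 instead of uploaded. It assumes an elevated 64-bit PowerShell prompt (PowerShell 2.0 cmdlets only, so it works on Windows 7); the random-name heuristic and the folder list are my own triage rules, not anything the article defines.

```powershell
# Added example, not code from the original article: triage script for the manual
# checks in the "Kill them all" section. Assumptions: elevated 64-bit PowerShell 2.0+;
# the name heuristic and the user-writable folder list are the author's own rules.

function Get-WinInetProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable        # 1 = "Use a proxy server for your LAN" is checked
        ProxyServer   = [string]$p.ProxyServer      # host:port all browser traffic is sent through
        AutoConfigURL = [string]$p.AutoConfigURL    # PAC script URL; another way to redirect traffic
    }
}

function Disable-WinInetProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
}

# Triage heuristic: a long, all-lowercase name with a run of four or more consonants
# (jaisojfsdoasoji.exe -> "jfsd") or with no vowels at all. Legitimate binaries can
# trip it; it only orders the list for manual review.
function Test-RandomLookingName {
    param([string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 8 -or $base -cnotmatch '^[a-z]+$') { return $false }
    return ($base -match '[bcdfghjklmnpqrstvwxz]{4,}' -or $base -notmatch '[aeiou]')
}

$userWritable = @('\Temp\', '\AppData\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Get-ProcessTriage {
    # Win32_Process reports the image path for both 64-bit and 32-bit processes.
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $flags = @()
        if (Test-RandomLookingName $_.Name) { $flags += 'random-name' }
        if ($path) {
            foreach ($dir in $userWritable) {
                if ($path -like "*$dir*") { $flags += 'user-writable-dir'; break }
            }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'not-validly-signed' }
        } else {
            $flags += 'no-path'   # System, Idle and protected processes, or access denied
        }
        New-Object PSObject -Property @{
            PID = $_.ProcessId; Name = $_.Name; Path = $path; Flags = ($flags -join ',')
        }
    } | Where-Object { $_.Flags -ne '' } | Select-Object PID, Name, Flags, Path | Sort-Object Name
}

# The Run/RunOnce keys are the most common entries on the Autoruns Logon tab.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $rk = Get-Item -Path $k
        foreach ($name in $rk.GetValueNames()) {
            $cmd = [string]$rk.GetValue($name)
            # Pull the executable name out of the command line and run the same heuristic on it.
            $exe = [regex]::Match($cmd, '([^\\/"]+\.exe)', 'IgnoreCase').Groups[1].Value
            New-Object PSObject -Property @{
                Key = $k; Name = $name; Command = $cmd
                Suspicious = ((Test-RandomLookingName $name) -or (Test-RandomLookingName $exe))
            }
        }
    }
}

# SHA-256 of a file, to search on virustotal.com without uploading the file first.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

Get-WinInetProxy | Format-List
Get-ProcessTriage | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table Key, Name, Suspicious, Command -AutoSize
```

Treat the output as a reading list, not a verdict: many legitimate updaters run unsigned from AppData, and a flagged entry should still be looked up on VirusTotal (Get-Sha256 on its path, then search the hash) before it is killed or disabled. Everything here asks Windows for its information, exactly as procexp and autoruns do, so a kernel-mode rootkit can hide its processes, files and registry values from all of them; that is why the anti-rootkit step in the next section still matters.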
Cleaning software
Some antivirus companies release a free tool every month or week to remove the top-hitting viruses. This software does not need to be installed; it can be downloaded, saved and run on our system freely.

Microsoft Windows Malicious Software Removal Tool

On the second Tuesday of each month Microsoft releases an updated version of the tool. Download it from: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16 There are 32-bit and 64-bit versions. The complete list of viruses that this tool removes is published by Microsoft. Download and run the tool; try the Quick scan first, which only searches the main folders where viruses usually hide. The Full scan is very slow because it checks every file on the computer, so leave it for later.

(Screenshot: Microsoft tool for fast virus removal)

McAfee Stinger

Like the Microsoft Malicious Software Removal Tool, Stinger scans for and removes the top viruses; it is updated every few days. Download it from: http://www.mcafee.com/es/downloads/free-tools/stinger.aspx The Scan Now button searches every file on the system, so it is the slow option. A faster approach is to click Browse and select the C:\Windows\system32 folder, where many viruses drop their files. We can scan the whole system later.

(Screenshot: McAfee tool is frequently updated)

Kaspersky anti-rootkit utility

A rootkit is a program that hides the presence of a virus in the system. Because procexp, autoruns and the scanners above ask Windows for their information, a kernel-mode rootkit can hide its files, processes and registry entries from all of them. Kaspersky developed TDSSKiller, a very powerful and fast tool for exactly that case. Download it from: http://support.kaspersky.com/faq/?qid=208283363

(Screenshot: TDSSKiller helps to remove viruses that other tools cannot find)

HijackThis

This is a free utility from Trend Micro. Like autoruns, it lists all the services and applications that run when the system starts. Download and install it from: http://free.antivirus.com/hijackthis We can paste its log into these websites, which check the HijackThis results for evil software automatically:
http://hijackthis.de/
http://hjt.iamnotageek.com/

(Screenshot: HijackThis analyzer)

Malwarebytes

Malwarebytes Anti-Malware Free is the king of the hill in removing malware. Download and install it from: http://www.malwarebytes.org/ It is always important to click on the Update tab before using it. If a virus blocks the update process, we can download the updates separately from: http://data.mbamupdates.com/tools/mbam-rules.exe Once installed and updated, it is time for a Quick scan. You can perform the Full scan later on.

(Screenshot: Malwarebytes does a good job in cleaning the malware files)

ComboFix

The last option to remove a virus is to run ComboFix. Download it from: http://www.bleepingcomputer.com/download/anti-virus/combofix ComboFix removes strange programs that run automatically, and maybe some that you use. It is a slow process, but it installs the system Recovery Console and, after about 50 stages, trashes all the suspicious programs, services and registry entries. Keep this ace for the last hand, but play it hard; it is almost always a win, even against unknown viruses.

(Screenshot: ComboFix: a radical tool that could be our last chance)

Specialized virus removal tools

When we know the virus name, and that virus has hit many computers, some antivirus companies release a free specialized tool to destroy it. This can really save us some time.

ESET removal tools: http://kb.eset.com/esetkb/index?page=content&id=SOLN2372&cat=EAV4&actp=LIST
AVG removal tools: http://www.avg-antivirus.com.au/avg_virus_removal.htm
Symantec removal tools: http://www.symantec.com/security_response/removaltools.jsp
Kaspersky removal tools: http://www.kaspersky.com/virus-removal-tools
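Every tool in this section is downloaded onto a machine we already consider compromised, and a virus that can redirect browser traffic can also serve a fake "removal tool". A check worth doing before double-clicking any of them is to verify the Authenticode signature and publisher of each binary. The script below is an added example, not part of the original article or of any vendor's documentation; the file paths and the expected publisher name fragments are assumptions to adjust for your own copies (compare them against what Get-AuthenticodeSignature reports for a known-good download), and RKill's .com build is deliberately left out because it has no .exe extension. It ends by running the Malicious Software Removal Tool that Windows Update installs as MRT.exe, in detect-only mode, and showing the tail of its log.

```powershell
# Added example, not code from the original article. Assumptions: the tools were saved
# under C:\Tools, and the publisher fragments below match the signing certificates of
# genuine copies. Run from an elevated PowerShell prompt.

$tools = @{
    'C:\Tools\procexp.exe'    = 'Microsoft Corporation'
    'C:\Tools\autoruns.exe'   = 'Microsoft Corporation'
    'C:\Tools\stinger.exe'    = 'McAfee'
    'C:\Tools\tdsskiller.exe' = 'Kaspersky'
}

function Test-ToolSignature {
    param([string]$Path, [string]$ExpectedPublisher)
    if (-not (Test-Path $Path)) { return "MISSING  $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid only when the signature verifies and chains to a trusted root;
    # NotSigned, HashMismatch (tampered file) and UnknownError all fail here.
    if ($sig.Status -ne 'Valid') { return "REJECT   $Path (signature status: $($sig.Status))" }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") { return "REJECT   $Path (signed by: $subject)" }
    return "OK       $Path (signed by: $subject)"
}

foreach ($t in $tools.Keys) { Test-ToolSignature -Path $t -ExpectedPublisher $tools[$t] }

# MRT.exe command-line switches: /Q runs without the wizard, /N reports only (drop it to
# let the tool clean), /F forces a full scan. Results are logged to %SystemRoot%\Debug\mrt.log.
$mrt = Join-Path $env:SystemRoot 'System32\MRT.exe'
if ((Test-ToolSignature -Path $mrt -ExpectedPublisher 'Microsoft Corporation') -like 'OK*') {
    Start-Process -FilePath $mrt -ArgumentList '/Q', '/N' -Wait
    Get-Content (Join-Path $env:SystemRoot 'Debug\mrt.log') | Select-Object -Last 20
}
```

A REJECT for a tool you downloaded from the vendor's own site is itself a finding: either the download was intercepted, or the file was modified on disk after it arrived. In that case get a fresh copy from a clean machine on removable media rather than downloading again from the infected one.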