How to Remove Viruses and Spyware
I get many requests to remove viruses and spyware from clients' computers. In some cases, special skills are required. In most cases, however, the following algorithm will suffice. These instructions come from several years of removing viruses for a living, working help desk, and several security certifications.
Please note: steps 16 and 34 may cause problems if not reversed if you disable required services. Please use them with caution. If you are not very familiar with Microsoft Windows Administration, please do not use these instructions.
Do NOT do anything in addition to the following instructions. Once you start your computer, DO NOT run Internet Explorer or other programs. Start your computer in “Safe Mode” Not “Safe Mode with Networking Support”
If you know which virus you have:
1. On a safe machine, go to http://www.symantec.com/avcenter/global/tools.list.html
2. Download the removal tool for the specific virus and save it to a floppy or CD-R and run it on the infected machine in safe mode. (follow steps 7 through 8 below) and then run the downloaded program
1. On a safe machine, look up the suspected spyware to learn file names etc.
2. In Internet Explorer (on the safe machine), go to:
3. Download “Sysclean Package”
4. In Internet Explorer (on the safe machine), go to:
5. Download the latest Virus Pattern File
6. Extract the pattern file and sysclean.com to the same directory and burn onto a CD-R
7. Turn on or restart the infected machine
8. Before Windows starts, repeatedly press the F8 key, and enter "Safe Mode". If you haven’t already done so, disable the system restore feature of Windows XP as shown below.
9. Right-click the task bar, and choose "Task Manager" (if you cannot right-click on the taskbar, press Ctrl+Alt+Delete and choose Task manager)
10. Click the "processes" tab
11 Check "Show processes from all users"
12. Scroll up and down and end all processes other than the following:
- explorer.exe *
- svchost.exe *
- System Idle Process System
You can also end the processes marked with asterisks. However, if you do, your computer will have significantly reduced capabilities. If you end explorer.exe, DO NOT close Task manager
13. Within Task Manager, click “File” then “New Task (Run…)”
15. Double-click the following:
16. In the right pane, look for anything unusual. If you spot something from the spyware you found in step 1, double-click it. In the “Value data:” field, type:
before the existing filename. Example:
17. Do the same thing under “RunOnce” and “RunOnceEx”
18. Repeat steps 13 through 17 except start at “HKEY_CURRENT_USER”. Also repeat the above but instead of “Windows” use “Windows NT”. Finally repeat, but use HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS NT > CURRENT VERSION > WINLOGON
19. Close the Registry Editor
20. If you Back in Task Manager, click the “File” menu, then “New Task (Run…)”
22. Double-click “Internet Options”
23. On the “General” tab, under “Temporary Internet files”, click “Delete Files…”
24. Check the “Delete all offline content” box, and click “OK”
25. Click the “Programs” Tab.
26. Click “Reset Web Settings…”
27. Check the “Also reset my home page” checkbox and Click “Yes” and “OK” if needed
28. Click the “General” tab.
29. On the “General” tab, click the “Use Blank” button
30. Click “OK” to close Internet Properties.
31. In the control panel, double-click “Administrative Tools”
32. Double-click “Services”
33. Go through the list and look for services with an “Automatic” Start-up type.
34. If you don’t recognize it, or it’s from the list gathered in step 1, then right-click it, choose “properties”, in the “Startup type” drop down, change “Automatic” to “Disabled”. Also click the “Stop” button if the service is currently running. Click “OK”
Hopefully the virus/spyware is no longer running.
35. Create a new folder on your desktop (right-click the desktop, select “new” then “folder”
36. copy the sysclean.com and extracted pattern file from the CD-ROM to this new folder.
37. Run sysclean.com and ask it to automatically clean.
38. Go through the log files it generated and take action on the detected viruses.
39. Restart your computer in safe mode again. Repeat steps 13 through 18. Take note of any files that have re-appeared. Research them and take suggested action.
40. Restart your computer in Normal mode (or safe mode with network support if normal mode is still not working).
41. Run Trend Micro’s House Call program through Internet Explorer by visiting:
42. Repeat steps 1-34. If you know where any virus files are, after step 34, delete them manually.
To disable the system recovery feature of Windows XP (copied from TrendMicro.com):
1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. When you are done cleaning the spyware/virus from your computer, Re-enable System Restore by clearing Turn off System Restore.