
This article takes a generalised approach to removing nuisance Trojans/viruses/malware from your computer. The author takes no responsibility for you trashing your computer as a result of the advice on this web page, and assumes you have an intermediate knowledge of the Windows operating system.

Recently I have had the pleasure of disinfecting many computers with stubborn viruses that refuse to go away with the usual methods (e.g. opening your anti-virus programme and clicking scan). The "deep rooted" ones, as I like to call them, can be more problematic.

There are lots of different symptoms. One problem you may face is fake/scam anti-virus programmes that pop up as soon as you open your Internet browser (or sometimes when you open any executable (.exe) file) and prevent you from viewing other websites until you have paid. I can't stress enough how important it is NOT to pay. No real anti-virus programme would force you to pay so you could "get on the web".

So, how do we remove these pests?

Here are some steps you could follow to fix the problem.

(These steps presume you can log on and see the Windows desktop; if not, please go straight to step 4.)

1. Restart your computer and tap the F8 key repeatedly until the boot menu appears, then select "Safe Mode with Networking".

2. Once the Windows desktop has loaded, click Start -> Control Panel -> Internet Options -> click the "Connections" tab -> click the "LAN Settings" button. Under the "Proxy Server" heading, if the "Use a proxy server for your LAN" box is checked, click the "Advanced" button. Look at the HTTP item: if the address is "localhost" or "127.0.0.1" then you may be infected. To test this, go back and uncheck "Use a proxy server for your LAN", then try to connect to the Internet. If all is OK and you can browse the web, go to the list of anti-virus programmes below.

If opening any programme invokes a fake anti-virus pop-up then your .exe file association needs to be fixed. If your operating system is XP then you can download a .reg file to set it back to default here: http://www.dougknox.com/xp/file_assoc.htm

3. If none of the above works and you still can't access websites, then you may need to remove the hard drive from the infected computer and "dock" it with another computer for analysis. You can then scan the external drive for viruses (see the list of anti-virus programmes below). You can also load registry files from the docked drive. So if your docked drive is F:, try the following:

Click Start -> Run -> type "regedit" and press OK. Then expand "My Computer" (if it isn't already) and click the HKEY_LOCAL_MACHINE key so it is highlighted. Then you need to load the registry hive from your docked drive. So click File -> Load Hive, then navigate to your registry files; they will be situated in F:\WINDOWS\system32\config. If your docked drive is using a different letter then replace F: with your docked drive letter. See the list of possibly infected registry keys below.

LIST OF ANTI-VIRUS PROGRAMMES AND ROGUE SOFTWARE REMOVAL TOOLS

I usually install three or four different virus scanners from the list below to ensure that all Viruses/Trojans/Malware are discovered and removed.

Here is my order of priority:

1. Malwarebytes

2. AVG Free

3. Microsoft Security Essentials

4. Trend Housecall - free on-line virus scan

5. Bitdefender - free on-line virus scan

Another tool that can show everything that starts up on your computer is HijackThis.

IMPORTANT XP REGISTRY KEYS THAT CAN BECOME INFECTED

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

** Programmes within these keys are loaded at start-up **

HKEY_CLASSES_ROOT\.exe

** This key can be changed to load the virus every time a programme is started **

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

** This key value should be "C:\WINDOWS\system32\userinit.exe," **

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

** This key value should be "Explorer.exe" **
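The registry keys listed above, together with the localhost proxy check from step 2, can be audited in one pass rather than by clicking through regedit. The script below is an added example, not part of the original article: it reads each listed value from the live registry (or from a snapshot you build by hand from a hive loaded off a docked drive), compares Userinit, Shell and the .exe association against their XP defaults, lists every Run entry, flags entries launched from temp/profile folders, and reports a proxy pointing at 127.0.0.1 or localhost. The HKLM/HKCU/HKCR short names and the "(Default)" label are this script's own convention, and "exefile" as the default for HKEY_CLASSES_ROOT\.exe is a known XP value not quoted in the article.

```python
import re
# Known-good Windows XP values for the keys listed above (the HKLM/HKCU/HKCR short names are this script's convention)
EXPECTED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
    r"HKCR\.exe\(Default)": "exefile",  # the .exe file association; "exefile" is the XP default
}
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
PROXY_ENABLE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"
PROXY_SERVER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"
SUSPECT_DIRS = re.compile(r"\\(temp|application data|local settings)\\", re.IGNORECASE)

def audit(snapshot):
    """snapshot maps 'HIVE\\key\\valuename' -> value (live registry or a hive loaded off a docked drive)."""
    findings = []
    for path, good in EXPECTED.items():  # a missing value is reported the same way as an altered one
        actual = snapshot.get(path)
        if actual is None or str(actual).strip().lower() != good.lower():
            findings.append(f"MODIFIED {path} = {actual!r} (expected {good!r})")
    for path, cmd in snapshot.items():  # list every autostart entry; flag those run from temp/profile dirs
        if any(path.startswith(run + "\\") for run in RUN_KEYS):
            findings.append(f"{'SUSPECT ' if SUSPECT_DIRS.search(str(cmd)) else 'AUTORUN '} {path} = {cmd!r}")
    proxy = str(snapshot.get(PROXY_SERVER, ""))
    if snapshot.get(PROXY_ENABLE) == 1 and re.search(r"127\.0\.0\.1|localhost", proxy, re.I):
        findings.append(f"PROXY    browser traffic is routed through {proxy!r}")
    return findings  # empty list means every check passed

def read_live():
    """Snapshot the running system's registry (Windows only, hence the lazy winreg import)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER, "HKCR": winreg.HKEY_CLASSES_ROOT}
    snap = {}
    for path in [*EXPECTED, PROXY_ENABLE, PROXY_SERVER]:
        hive, sub, name = re.match(r"(\w+)\\(.*)\\([^\\]+)$", path).groups()
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                snap[path] = winreg.QueryValueEx(key, "" if name == "(Default)" else name)[0]
        except OSError:
            pass  # value absent; audit() will report it
    for run in RUN_KEYS:
        hive, sub = run.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    snap[run + "\\" + name] = value
        except OSError:
            pass
    return snap
```

Run `print("\n".join(audit(read_live())))` on the machine being cleaned; for a docked drive, load the hive as described in step 3 and build the snapshot from the values regedit shows under the loaded hive name.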

Source by Kevin Abbott