Wednesday 17 August 2011

How to remove Virus from USB Drives


This is not related to any specific virus but a generic guide, as most viruses follow the same pattern when they run. I have removed a lot of viruses manually and people tend to ask me how I do that. This guide is mostly for geeks, so you need patience if you want to master it.

I suggest reading my previous "Ways to prevent viruses in PCs" post before you move on; as always, "Prevention is better than cure" :) Now read on.

What does a Virus do once it starts running?


  1. Virus runs automatically every time you start Windows - typically established by modifying registry keys, usually in the startup items list or sometimes as a Windows Service. Sometimes, they pass themselves as command line parameters to programs like Explorer.exe, which is responsible for your main Windows user interface.
  2. It blocks the ways by which you can terminate and destroy it - First, it blocks the Task Manager, or sometimes it just disguises itself as a system process with a name like "svhost.exe", where the original process is called "svchost.exe" and always has multiple instances in the Task Manager process list. Then, it corrupts the registry so that you can never see files with hidden/system attributes, and applies those attributes to the virus files. I have written about fixing this problem here.
  3. Does everything necessary to replicate itself - It keeps running in the background, detects attachment of USB drives, and immediately copies itself to them along with an autorun.inf file, so that the next time you plug in the USB drive it starts running automatically to infect that system. Other things include blocking installation of anti-virus software and changing the registry keys constantly, so even when the user manually changes things, it immediately overwrites the keys.
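The autorun.inf mentioned in point 3 is a plain INI file, so the first thing worth doing with a suspect USB drive (before opening it in Explorer) is to read that file and see what it would launch. The script below is an added example, not code from the original post; the autorun.inf text embedded in it is constructed to imitate the usual pattern, with every launch directive pointing at one hidden executable and some junk lines thrown in as padding. It flags the directives that execute something (open, shellexecute and any shell\...\command entry) and lists the files they reference.

```python
"""Triage an autorun.inf copied off a USB drive.

Added example, not code from the original post.  SAMPLE_AUTORUN_INF is
constructed: it imitates an [autorun] section whose launch directives
all point at a hidden executable, padded with junk lines that trip up
naive parsers.
"""
import re

# Directives that run something when the drive is opened or AutoPlayed.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries also run a program when the verb is chosen
# from the drive's context menu (or becomes the default via "shell=").
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SAMPLE_AUTORUN_INF = """\
[AutoRun]
;junk lines like the next one are common padding
xkqwer
open=system\\svhost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=system\\svhost.exe
shell\\Open\\Command=system\\svhost.exe
shell\\explore\\command=system\\svhost.exe
shell=Open
label=My Drive
useautoplay=1
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} from INI-like text.

    Tolerant on purpose: lines without '=' (padding) are skipped, section
    and key names are lower-cased, and a duplicate key keeps its first
    value so a later benign-looking copy cannot hide an earlier one.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def launched_targets(text):
    """List (directive, target) pairs that would execute something."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or COMMAND_KEY_RE.match(k)]


def triage(text):
    """Summarise whether the file launches anything and which files it names."""
    hits = launched_targets(text)
    # First token of each command, unquoted, is the executable being run.
    targets = sorted({v.split()[0].strip('"').lower() for _, v in hits if v})
    return {"launches": bool(hits), "directives": hits, "targets": targets}


if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN_INF)
    print("launches something:", result["launches"])
    for directive, target in result["directives"]:
        print(f"  {directive} -> {target}")
    print("files to locate and remove:", result["targets"])
```

Point the script at the real file with `triage(open(r"E:\autorun.inf", errors="replace").read())`; the list in `targets` is what you then look for on the drive (remember the files will carry the hidden/system attributes described above, so use a directory listing that shows them).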

Steps to remove the Virus


  1. Terminate the Virus process execution - I usually need a Task Manager alternative for this when the Windows Task Manager is blocked. I use the Process Manager of Tune-Up Utilities - a great package which is not completely free, but it does provide a 30 day evaluation period. Speaking of terminating the actual process, you need to identify the virus first. Experience helps a lot here, but newbies need to know the list of common Windows processes and services by heart, and that comes only over time.

    You can refer to these superb articles to get started:
    Most common processes and description - Webkeysoft (must read, short essential list)
    The amazingly big list of processes sorted alphabetically
    Very nice guide to Windows processes for IT Beginners

    When you need info about a specific process name, you can look it up here to check whether it is a normal process or a virus process. If that doesn't help, Google is your friend.
  2. Prevent the Virus from running again - I usually type "msconfig" in the Run dialog to remove the suspicious items from the startup list. For thorough checking of startup items I suggest you use StartEd. As a final step, check the services list using "services.msc" in the Run dialog. You can open the Run dialog from the Start Menu.
  3. Remove the virus executable files - While you are removing them from the startup list, note their path as well. Then navigate to that path and delete the files to ensure that they never trouble you again in any possible way.
Finally, after removing the virus you will want to reverse its actions, like restoring Task Manager access, showing hidden files and folders, etc. I have written a solution for the second problem here. To restore the Task Manager, go to Run > gpedit.msc > User Configuration > Administrative Templates > System. You will find an option about the Task Manager's status. Use that to enable it again.

Please don't hesitate to comment and ask me if you have any problems. I will definitely be happy to help you. Happy Virus Busting!
