12-19-2005, 11:23 AM
Kamesh
Member
Join Date: Dec 2005
Posts: 45

UPDATED! Virus Removal Primer


Okay, Class, Welcome to Virus Removal 101.

Got a nasty bug you can't get rid of? (The computer kind, I mean, lol) Here's the quickest, easiest way to rid yourself of these headaches. These are general directions regardless of which version of Windows you are using.
Disable System Restore.
Download any removal tools and patches (and my batch file below) and then kill your internet connection. If you are on a high-speed connection, don't just disable the connection -- actually, physically pull the plug.
Remove any known registry keys. Specifically any found here:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer

Edit following files as needed (run Sysedit !!!):
C:\Autoexec.bat
C:\Windows\Win.ini (Look for strange entries in the [Windows] section)
C:\Windows\System.ini (Look for strange entries in the [Boot] section)
C:\Windows\Config.sys (Look for unusual lines beginning with device=)
C:\Windows\Wininit.ini (you can usually just delete this one)
C:\Windows\Winstart.bat (you can usually just delete this one, or delete any unwanted line. Lines will appear as a filename.)
Disable any screensavers by selecting none.
Be sure the SfcScan DWORD value is set to 0 under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Be sure the Shell STRING value is set to explorer.exe without any trailing characters under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Be sure the Userinit STRING value is set to C:\Windows\System32\Userinit.exe, without any trailing characters under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Don't forget the trailing comma. This path should be adjusted to match your system directory.

Check the following registry keys for unknown program calls, the Default string values are listed for each:

HKCR\batfile\shell\open\command ("%1" %*)
HKCR\comfile\shell\open\command ("%1" %*)
HKCR\exefile\shell\open\command ("%1" %*)
HKCR\piffile\shell\open\command ("%1" %*)
HKCR\regfile\shell\open\command (regedit.exe "%1")
HKCR\scrfile\shell\open\command ("%1" %*)

HKLM\Software\CLASSES\batfile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\comfile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\exefile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\piffile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\regfile\shell\open\command (regedit.exe "%1")
HKLM\Software\CLASSES\scrfile\shell\open\command ("%1" %*)

Delete unusual links from the Startup folder under Programs (or All Programs) on the Start Menu.
End any unneeded processes in Windows Task Manager (including AV services which can sometimes lock deleting files).
Run Windows Cleanup Wizard with all items checked (except Compress Files) and delete everything.
Reboot into Safe Mode as Administrator
Run my SysClean.vbs (right-click and Save As...) or SysClean.exe batch file.
Run any removal tools and/or delete the virus process files cleaning infected files whenever possible.
Install any patches or hotfixes.
Run "sfc /scannow" to check the integrity of your system files.
Reboot in Normal Mode
Re-enable System Restore.
Install or enable a good firewall
Reconnect to the internet and run Windows Update.
Create a Restore Point if using System Restore.

NOTE: Attempting to run my SysClean scripts while your Antivirus software is enabled may result in them being incorrectly detected as malicious scripts. This is normal since they run on the Windows Script Host. You can allow them to run if your AV supports that, or you can disable either your script protection feature or your AV software before running them. Just make sure to re-enable any protection once they have run.

Post back for help with any of these steps or questions/comments.

My downloads are provided as freeware with no warranty expressed or implied. Please don't hold me responsible for any damages. They are provided as a means of automation for your convenience only. I have tested them without any problems.
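The registry checks in the post above (the Run-type autostart keys, the Winlogon Shell/Userinit/SfcScan values, and the file-type shell\open\command defaults) lend themselves to an automated comparison against the defaults the post lists. The Python script below is an added example, not Kamesh's SysClean script and not anything from the forum: it parses a `.reg` export (regedit's File > Export, or a dump pulled from an offline hive) and reports every value that differs from the posted default, every expected value missing from the export, and every autostart entry for review. The embedded sample export is constructed, and the `C:\Temp\unknown.exe` path in it is a placeholder standing in for whatever an infection plants, not a real indicator. Key names use the full hive names regedit writes (HKEY_LOCAL_MACHINE = HKLM, HKEY_CURRENT_USER = HKCU, HKEY_CLASSES_ROOT = HKCR).

```python
"""Audit a .reg export against the defaults listed in the post (added example, not the post's code)."""
import re

# Values the post says to verify, with the default it gives for each.
EXPECTED = {
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": "C:\\Windows\\System32\\Userinit.exe,",  # the trailing comma is part of the default
        "SfcScan": 0,
    },
}
for _ext, _default in (("batfile", '"%1" %*'), ("comfile", '"%1" %*'), ("exefile", '"%1" %*'),
                       ("piffile", '"%1" %*'), ("regfile", 'regedit.exe "%1"'), ("scrfile", '"%1" %*')):
    EXPECTED["HKEY_CLASSES_ROOT\\" + _ext + "\\shell\\open\\command"] = {"@": _default}

# Autostart keys from the post. They have no fixed default, so every entry is listed for review.
AUTORUN_KEYS = tuple(
    hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + sub
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunServices", "RunOnce", "RunServicesOnce")
) + ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad",)

# "name"=data  or  @=data  (default value); names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # Undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the subset of .reg syntax regedit exports: [key] headers plus value lines.
    Returns {key: {value_name: value}}. Strings are unescaped, dword data becomes an int,
    other types (hex:, hex(2): ...) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or m is None:
            continue  # continuation lines of hex: data are skipped
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _get(vals, name):
    # Registry value names are case-insensitive.
    for n, v in vals.items():
        if n.casefold() == name.casefold():
            return v
    return None


def _same(got, want):
    # Paths and command lines are case-insensitive on Windows; ints compare exactly.
    if isinstance(got, str) and isinstance(want, str):
        return got.strip().casefold() == want.casefold()
    return got == want


def audit(keys):
    """Return findings: MISMATCH (differs from the posted default), NOT_IN_EXPORT
    (expected value absent from the export) and AUTORUN (autostart entry to review)."""
    by_key = {k.casefold(): v for k, v in keys.items()}
    findings = []
    for key, expected in EXPECTED.items():
        present = by_key.get(key.casefold(), {})
        for name, want in expected.items():
            got = _get(present, name)
            if got is None:
                findings.append({"key": key, "name": name, "status": "NOT_IN_EXPORT", "value": None, "expected": want})
            elif not _same(got, want):
                findings.append({"key": key, "name": name, "status": "MISMATCH", "value": got, "expected": want})
    for key in AUTORUN_KEYS:
        for name, value in by_key.get(key.casefold(), {}).items():
            findings.append({"key": key, "name": name, "status": "AUTORUN", "value": value, "expected": None})
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


# Constructed sample export (not from a real machine); C:\Temp\unknown.exe is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Temp\\unknown.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SfcScan"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Temp\\unknown.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    import sys
    # regedit writes exports as UTF-16 with a BOM; "utf-16" handles the BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_reg_text(text):
        extra = f"  (expected {f['expected']!r})" if f["status"] == "MISMATCH" else ""
        print(f"{f['status']:13} {f['key']}\\{f['name']} = {f['value']!r}{extra}")
```

Run it with the path of an export to audit a real dump, or with no argument to see the constructed sample flagged: the Shell value with an extra command appended and the altered exefile handler come back as MISMATCH, the Userinit value passes despite differing only in case, and the Run entry is listed as AUTORUN for a human to judge. The HKLM\Software\CLASSES handlers from the post mirror the HKCR set, so extend EXPECTED with those key names if your export contains them.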