
#1
12-19-2005, 11:23 AM
Kamesh (Member, Join Date: Dec 2005, Posts: 45)

UPDATED! Virus Removal Primer


Okay, Class, Welcome to Virus Removal 101.

Got a nasty bug you can't get rid of? (The computer kind, I mean, lol) Here's the quickest, easiest way to rid yourself of these headaches. These are general directions regardless of which version of Windows you are using.
Disable System Restore.
Download any removal tools and patches (and my batch file below) and then kill your internet connection. If you are on a high speed connect don't just disable the connection -- actually, physically pull the plug.
Remove any known registry keys. Specifically any found here:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer

Edit following files as needed (run Sysedit !!!):
C:\Autoexec.bat
C:\Windows\Win.ini (Look for strange entries in the [Windows] section)
C:\Windows\System.ini (Look for strange entries in the [Boot] section)
C:\Windows\Config.sys (Look for unusual lines beginning with device=)
C:\Windows\Wininit.ini (you can usually just delete this one)
C:\Windows\Winstart.bat (you can usually just delete this one, or delete any unwanted line. Lines will appear as a filename.)
Disable any screensavers by selecting none.
Be sure the SfcScan DWORD value is set to 0 under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Be sure the Shell STRING value is set to explorer.exe without any trailing characters under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Be sure the Userinit STRING value is set to C:\Windows\System32\Userinit.exe, without any trailing characters under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Don't forget the trailing comma. This path should be adjusted to match your system directory.

Check the following registry keys for unknown program calls, the Default string values are listed for each:

HKCR\batfile\shell\open\command ("%1" %*)
HKCR\comfile\shell\open\command ("%1" %*)
HKCR\exefile\shell\open\command ("%1" %*)
HKCR\piffile\shell\open\command ("%1" %*)
HKCR\regfile\shell\open\command (regedit.exe "%1")
HKCR\scrfile\shell\open\command ("%1" %*)

HKLM\Software\CLASSES\batfile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\comfile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\exefile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\piffile\shell\open\command ("%1" %*)
HKLM\Software\CLASSES\regfile\shell\open\command (regedit.exe "%1")
HKLM\Software\CLASSES\scrfile\shell\open\command ("%1" %*)

Delete unusual links from the Startup folder under Programs (or All Programs) on the Start Menu.
End any unneeded processes in Windows Task Manager (including AV services which can sometimes lock deleting files).
Run Windows Cleanup Wizard with all items checked (except Compress Files) and delete everything.
Reboot into Safe Mode as Administrator
Run my SysClean.vbs (right-click and Save As...) or SysClean.exe batch file.
Run any removal tools and/or delete the virus process files cleaning infected files whenever possible.
Install any patches or hotfixes.
Run "sfc /scannow" to check the integrity of your system files.
Reboot in Normal Mode
Re-enable System Restore.
Install or enable a good firewall
Reconnect to the internet and run Windows Update.
Create a Restore Point if using System Restore.

NOTE: Attempting to run my SysClean scripts while your Antivirus software is enabled may result in them being incorrectly detected as malicious scripts. This is normal since they run on the Windows Script Host. You can allow them to run if your AV supports that, or you can disable either your script protection feature or your AV software before running them. Just make sure to re-enable any protection once they have run.

Post back for help with any of these steps or questions/comments.

My downloads are provided as freeware with no warranty expressed or implied. Please don't hold me responsible for any damages. They are provided as a means of automation for your convenience only. I have tested them without any problems.
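A read-only audit of the Winlogon values, file-type handlers and Run keys from the steps above, added here as an example; it is not Kamesh's SysClean script. It assumes a PowerShell prompt run as Administrator and compares what it finds against the default values listed in the post, changing nothing.

```powershell
# Added example (not the SysClean script): read-only check of the autostart
# locations from the post above. Run from an elevated PowerShell prompt.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sysdir   = [Environment]::SystemDirectory          # e.g. C:\Windows\System32

# Expected Winlogon entries, per the post (Userinit keeps its trailing comma).
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$sysdir\userinit.exe,"
}
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    $ok = $actual.Trim() -ieq $expected[$name]
    "{0,-9} {1,-6} {2}" -f $name, $(if ($ok) { 'OK' } else { 'CHECK' }), $actual
}

# File-type handlers: the (Default) value of shell\open\command for each class
# should be exactly the string the post lists.
$handlers = @{
    batfile = '"%1" %*'; comfile = '"%1" %*'; exefile = '"%1" %*'
    piffile = '"%1" %*'; scrfile = '"%1" %*'; regfile = 'regedit.exe "%1"'
}
foreach ($cls in $handlers.Keys) {
    $path = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $val  = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
    $ok   = ($val -ceq $handlers[$cls])
    "{0,-9} {1,-6} {2}" -f $cls, $(if ($ok) { 'OK' } else { 'CHECK' }), $val
}

# Run keys: list every value so unknown program calls can be reviewed by hand.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

Any line marked CHECK, and any Run entry you do not recognise, is a candidate for the manual steps in the post; the script itself writes nothing to the registry.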
#2
04-28-2006, 03:34 PM
aquillatechman (Junior Member, Join Date: Apr 2006, Posts: 2)

Will these tips help get rid of spyware too?


I have some pesky spyware on my XP box that Symantec's Corporate version AV software can't remove. And I can't delete the offending files while booted in Safe Mode either. Also I've tried certain free spyware removal progs without success. Any ideas?
#3
04-28-2006, 03:36 PM
aquillatechman (Junior Member, Join Date: Apr 2006, Posts: 2)

What about XP Quickboot?


Umm..... What about XP Quickboot? If I use it to boot my XP box will I then be able to trash spyware files that would otherwise give me an access denied error?