Fighting Difficult Viruses

Let’s face facts: most commercial AV publishers can’t catch everything. They do a good job of keeping known viruses off your system by scanning for the existence of certain files (not checking content), certain registry entries, or running processes/services. So how do you get rid of a virus that your AV vendor doesn’t know about? Here are the tactics I use, with a high rate of success. Please note that the order is of no consequence; each of these tasks can be performed on its own.

Fix 1: Get the computer to boot:

Does the computer boot? If not, what messages (if any) are you getting? If you are getting error messages, Google them; most likely, you are not the first person to experience this problem. Careful where you click, though. Assuming you have eliminated the possibility of hardware failure (and that you have properly backed up your important documents): if the computer doesn’t boot, you could have a boot sector virus. To get rid of these, load the Windows CD and press ‘R’ when prompted to enter the Recovery Console. Type these commands:

  • fixmbr
  • bootcfg /list
    • If no entries are listed, type bootcfg /rebuild
    • Enter the numerical identifier for your Windows installation (likely the number 1)
    • Type Y or Yes to add installation to boot list
    • Provide a load identifier (e.g. Windows XP)
    • Enter /fastdetect

Fix 2: Finding the culprits:

If it’s possible, hook the infected hard drive up to a different machine and scan it using Malwarebytes, removing any infected objects it finds. Knowing the approximate time the virus was contracted is REALLY helpful here, though not necessary. If you can’t hook it up to another computer, boot the computer into safe mode (press F8 as the computer is booting) and choose Safe Mode (with Networking).

Whether you have booted to this hard drive or are viewing it from a different computer, take the following actions:

Open My Computer > C:. Go to Tools > Folder Options > View tab and check “Show hidden files and folders”; uncheck “Hide extensions for known file types”, “Hide protected operating system files” and “Use simple file sharing”. Change to Details view and sort by Date Modified: more than likely, all of the virus files are going to have the same date in this field. Now comes the tedious process of looking through the files (and deleting/renaming the suspect ones); be sure you aren’t deleting important system files by checking any unfamiliar name on Google first. Here are the important places to look, though the files can be anywhere:

  • C:\
  • C:\WINDOWS\
  • C:\Recycler\S-1-{RANDOM}\
  • C:\WINDOWS\Tasks
  • C:\WINDOWS\system32\
  • C:\WINDOWS\system32\drivers\
  • C:\Program Files\{ANY RECENT SOFTWARE THAT IS NEW AND YOU DIDN’T CHOOSE TO INSTALL}
  • %TEMP% (Start > Run > %TEMP% > OK)
  • %USERPROFILE%\Desktop (look for installer files)
  • “%USERPROFILE%\Local Settings\Temporary Internet Files\”

Open Windows Firewall through Start > Control Panel > Windows Firewall, click on the Exceptions tab and check for any programs that you didn’t specifically authorize; remove the exception for any unknown entries.
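The Date Modified triage above can be scripted so that a cluster of files sharing one timestamp stands out immediately. This is an added example, not part of the original post: a PowerShell 2.0 script that lists the locations named above relative to a drive letter (so it works on a slaved drive as well as in Safe Mode) and keeps only entries modified within a window around the suspected infection date. The $Drive, $Suspected, $WindowDays and $UserProfile values are assumptions you adjust for your case.

```powershell
# Added example (not from the post): file triage by Date Modified across the post's locations.
param(
    [string]$Drive = 'C:',                               # drive being inspected (assumption)
    [datetime]$Suspected = (Get-Date).AddDays(-7),       # constructed: approximate infection date
    [int]$WindowDays = 2                                 # days either side of $Suspected to keep
)

$from = $Suspected.AddDays(-$WindowDays)
$to   = $Suspected.AddDays($WindowDays)

# %TEMP% and %USERPROFILE% from the post, resolved for one profile on $Drive (assumption:
# change 'Administrator' to the affected user's folder name).
$UserProfile = "$Drive\Documents and Settings\Administrator"
$locations = @(
    "$Drive\",
    "$Drive\WINDOWS",
    "$Drive\WINDOWS\Tasks",
    "$Drive\WINDOWS\system32",
    "$Drive\WINDOWS\system32\drivers",
    "$Drive\Program Files",
    "$UserProfile\Local Settings\Temp",
    "$UserProfile\Desktop",
    "$UserProfile\Local Settings\Temporary Internet Files"
)
# Each S-1-... subfolder of Recycler is its own location.
$locations += Get-ChildItem "$Drive\Recycler" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }

$hits = foreach ($dir in $locations) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    # -Force lists hidden and system files, matching the "Show hidden files" step.
    # Only the top level of each directory is listed, as in the manual check; for
    # Program Files this surfaces recently created program folders rather than their contents.
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to }
}

# Sorted by timestamp so files that were dropped together appear as one run.
$hits | Sort-Object LastWriteTime |
    Select-Object LastWriteTime, @{n='Type'; e={ if ($_.PSIsContainer) { 'DIR' } else { 'FILE' } }}, Length, FullName |
    Format-Table -AutoSize
```

Nothing is deleted by the script; it only narrows the list you then research and handle by hand, as the post describes.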

Fix 3: Stop the rogue processes from loading at startup

Download Autoruns from Sysinternals. Run the program and select the Logon tab. Check for malicious software under the headings listed below, unchecking each malicious item:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • C:\Documents and Settings\username\Start Menu\Programs\Startup

Move to the Services tab and look for items where the Publisher is missing; these items are frequently (not always) suspect. Remove malicious services by unchecking them.

Select the “Image Hijacks” tab, the only item that should be present is “Your Image File Name Here without a path”. If anything else is present, uncheck it.

Close Autoruns.
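The same autostart locations can be dumped from PowerShell before opening Autoruns, which gives you a text record of what was there. This is an added example, not part of the original post or of Autoruns: it lists both Run keys and both Startup folders, then approximates the “Publisher missing” heuristic by checking the Authenticode signature of each service binary. It assumes PowerShell 2.0 or later running on the infected machine (for example in Safe Mode).

```powershell
# Added example (not from the post): enumerate the post's autostart locations and flag
# service binaries without a valid Authenticode signature.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Every value under Run is a command line; PS* are PowerShell's own bookkeeping properties.
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { "RUN      {0} :: {1} = {2}" -f $key, $_.Name, $_.Value }
}

$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "STARTUP  {0}" -f $_.FullName }
}

# Services: pull the executable out of the service command line and verify its signature.
Get-WmiObject Win32_Service | ForEach-Object {
    $cmd = $_.PathName
    if (-not $cmd) { return }
    # Command lines are either "quoted path" args or an unquoted path ending in .exe.
    if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(.+?\.exe)') { $exe = $matches[1] } else { return }
    if (-not (Test-Path $exe)) {
        "SERVICE  {0} :: binary missing: {1}" -f $_.Name, $exe
        return
    }
    $sig = Get-AuthenticodeSignature $exe -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') {
        # Unsigned or broken signature: roughly what Autoruns shows as an empty Publisher column.
        "SERVICE  {0} :: {1} ({2}; signer: {3})" -f $_.Name, $exe, $sig.Status, $sig.SignerCertificate.Subject
    }
}
```

On Windows XP many Microsoft system binaries are signed through catalog files, which Get-AuthenticodeSignature in PowerShell 2.0 does not consult, so expect some legitimate services to be reported as NotSigned; treat the list as a starting point for the Autoruns review, not as a verdict.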

Cleanup

Download CCleaner, install it and run it with the default settings to remove all of your temporary files. If you don’t have a good firewall and don’t have money to spend, download Comodo or ZoneAlarm. Turn off System Restore by right-clicking My Computer and selecting Properties. Select the System Restore tab and check the “Turn off System Restore” checkbox, then select Apply (this may take a moment or two). Once it is responding again, uncheck the box and it will create a new restore point (one that doesn’t contain the virus files).

Disclaimer

I cannot be held liable for you bricking your computer. It is your responsibility to take the necessary precautions when altering system files and folders. I make no guarantee about the fitness of these instructions or their application to your computer system and settings, and I accept no liability for any system errors, serious or not, that result from following these directions. The riskiest items in this posting are:

  • The fixmbr command could cause some problems (a warning is given when the command is run)
  • Deleting files in the WINDOWS, system32, drivers directories is extremely risky, check files if you are unsure
  • Using Autoruns can be risky; if you uncheck important system processes your computer may no longer boot.

That being said, if you have problems, post in the comments section and I will try to help.

About the Author

Rob McVey

I am a software developer/IT professional helping businesses save money through informed purchase consulting; website development and marketing; and process automation.