Common steps to remove virus

These are steps that come up repeatedly when removing a trojan or a worm manually. You may need to take one or more of them, as advised in the manual removal write-ups. Each step is explained in detail here so that you can refer back to it when a write-up asks for it.

How to Boot in Recovery Console in winXP
If you are unable to access the registry tools and Task Manager, you will not be able to end the running processes of the virus and delete its files from the hard disk. In that situation booting from a CD helps, because it does not give the virus executables a chance to run.

First make sure that the BIOS setting of your computer allows you to boot from the CD drive. Then insert the Windows installation disk in the drive bay and restart the computer. As the computer detects the CD, it asks you to press any key to boot from the CD. If you do so, it starts detecting hardware and then presents you with the option to start the installation or start the Recovery Console. Press R to start the Recovery Console.

On the next screen you will be asked to choose the Windows installation to repair. If you have installed Windows XP on the C drive and it is the only installation on your disk, it will be listed as
1 C:\windows\system
Type 1 at the prompt and press Enter to repair this installation.
It will prompt for the administrator password. Type it and press Enter.

You will be taken to C:\windows

Now you can look in the root directory and the system directories for the virus files and delete them. But you should know the exact names and locations of the files before you get here, because there is no search function available in the Recovery Console.
Type cd.. to go back a level. Type cd followed by the folder name to enter that folder. Type dir to display the files in the current directory. Type delete followed by the file name to delete a file; this command does not ask for confirmation. Type dir again to confirm that the file is gone.

Changing the hidden and read-only attributes of a virus file

If you locate the file in the specified directory, run the delete command, and it still does not get deleted, the file has the read-only and hidden attributes set.

Type dir and press Enter (assuming you are in the same directory).
It will display attributes such as -RH before the file name. R means read-only and H means hidden file.
So type
attrib -R followed by the file name, and press Enter
attrib -H followed by the file name, and press Enter
to remove its read-only and hidden attributes.

Now you can use the delete command to delete the file.

After you have located and deleted the virus files, type Exit, press Enter, and take the CD out of the drive so that the computer restarts normally.

(You are limited to the C drive (the root drive) and the system folders; in other folders access is denied.)


How to Enable Task Manager and Registry Editor using a script


Sometimes the virus may have disabled your Task Manager, and the Registry Editor may refuse to open. Even the Start > Run window may not appear. In that case you can create a small script by pasting the following VBScript code into Notepad, save it to the hard disk, and execute it to re-enable the tools.

Open Notepad and copy and paste the following:

' Keep going if a value is already absent (RegDelete would otherwise raise an error)
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
' The FileSystemObject is created but not needed for the two deletions below
Set fso = CreateObject("scripting.FileSystemObject")
' Deleting these policy values lifts the restriction on regedit and Task Manager
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"



Save this file with a .vbs extension.
While saving, enter the name in double quotes and select All Files from the Save as type list in Notepad.
For ease of use, save the file on the desktop,
for example "regtool.vbs".
When the file is saved as a .vbs file, its icon changes to that of a VBScript script file.
Double-click the file name to execute it.

It will re-enable the tools.


How to Use UnHookExec tool from Symantec
(to reset these registry values to their default settings)

As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.
For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this. They may also change a registry value so that you cannot run the Registry Editor at all.
Symantec Security Response has created a tool to reset these registry values to their default settings.


Read more about the tool at Symantec Security Response, which is also where the file UnHookExec.inf is downloaded from.

Download the file UnHookExec.inf and save it to your Windows desktop.
(If you cannot connect to the Internet from the infected computer, download it on an uninfected computer and save it to a floppy disk, CD or DVD. Then take that disk and insert it in the drive of the infected computer.)

Note: The tool has a .inf file extension.

Locate the downloaded file, either on the Windows desktop or on the floppy disk.
Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or dialog boxes when you run it.)
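The following script, added here as an example and not taken from the original page or from Symantec, covers both of the points above in one place: it reports whether the shell\open\command hooks for the common executable file classes still hold their defaults (restoring them only when run with /fix) and whether the policy values that disable the Registry Editor and Task Manager are present. The default command strings it compares against and the file name checkhooks.vbs are assumptions; check the defaults against a clean machine before relying on them.

```vbscript
' Added example: report (and with /fix, repair) the file-class launch hooks
' and the regedit/Task Manager policy values that worms commonly change.
' Run from Start > Run as:  cscript checkhooks.vbs        (report only)
'                           cscript checkhooks.vbs /fix   (report and repair)
Option Explicit
Dim shl, hooks, cname, expected, actual, fix, policy
Set shl = CreateObject("WScript.Shell")
fix = False
If WScript.Arguments.Count > 0 Then fix = (LCase(WScript.Arguments(0)) = "/fix")

' Assumed Windows XP defaults for these file classes: a clean machine
' launches the file itself with its arguments, nothing else.
Set hooks = CreateObject("Scripting.Dictionary")
hooks.Add "exefile", """%1"" %*"
hooks.Add "comfile", """%1"" %*"
hooks.Add "batfile", """%1"" %*"
hooks.Add "piffile", """%1"" %*"

For Each cname In hooks.Keys
    expected = hooks(cname)
    actual = "(missing)"
    On Error Resume Next
    ' A trailing backslash makes RegRead return the key's (Default) value
    actual = shl.RegRead("HKCR\" & cname & "\shell\open\command\")
    Err.Clear
    On Error GoTo 0
    If actual = expected Then
        WScript.Echo cname & ": OK"
    Else
        WScript.Echo cname & ": CHANGED to " & actual
        If fix Then shl.RegWrite "HKCR\" & cname & "\shell\open\command\", expected, "REG_SZ"
    End If
Next

' Policy values that block regedit and Task Manager; deleting the value
' lifts the restriction. RegRead raises an error when the value is absent.
policy = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
For Each cname In Array("DisableRegistryTools", "DisableTaskMgr")
    On Error Resume Next
    actual = shl.RegRead(policy & cname)
    If Err.Number = 0 Then
        WScript.Echo cname & " is set to " & actual
        If fix Then shl.RegDelete policy & cname
    End If
    Err.Clear
    On Error GoTo 0
Next
```

Run it without /fix first and compare the reported command strings with the expected ones before letting it write to the registry.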



How To End/Kill a Process

(Video clip: how to end a process)


(Sometimes you will be asked to kill a process.)
It means: open Task Manager
by pressing the Ctrl+Alt+Delete keys.
Then click on the Processes tab.
Locate the process in the displayed list.
If found, click on it once and then press the End Process button,
or right-click on it and select Delete from the popup menu.
Close Task Manager by pressing
the X button in the top right corner.


How To disable System Restore
(When you are asked to disable System Restore temporarily, follow the steps below. Do not forget to enable System Restore again once your virus cleaning is over; most instructions forget to tell you that.)
Disable System Restore in Windows ME

Click on Start > Settings > Control Panel.
Double-click 'System',
then click on the 'Performance' tab.
Click 'File System'
then click the 'Troubleshooting' tab.
Select 'Disable System Restore'
and click 'Apply'.
Restart your system.

Disable System Restore in Windows XP
(Video clip: how to disable/enable System Restore)


Click on Start > All Programs > Accessories > System Tools > System Restore.
Click on System Restore Settings.
Check the box: Turn off System Restore on all drives.
Press Apply. Press OK.


How To enable System Restore

Enable System Restore in Windows ME


Click on Start > Settings > Control Panel
Double-click 'System'
then click on the 'Performance' tab
Click 'File System'
then click the 'Troubleshooting' tab.
Deselect or Uncheck 'Disable System Restore'
and click 'Apply'.
Restart your system.

Enable System Restore in Windows XP



Click on Start > All Programs > Accessories > System Tools > System Restore.
Click on System Restore Settings.
Uncheck the box: Turn off System Restore on all drives.
This will start System Restore monitoring all your drives/partitions.
Press Apply. Press OK.


How to boot in safe mode


In Windows XP, if you restart the computer and press F8 while it reboots, the computer may not display the Safe Mode boot option. In that case, turn the computer off, then turn it on after two minutes. Press F8 while booting; keep tapping the F8 key several times so that you do not miss the exact moment. A menu should open; select boot in Safe Mode.

There is also an option in the msconfig window in Windows XP. Click on Start > Run, type msconfig and press OK. The System Configuration window opens. Click on the BOOT.INI tab. At the bottom of the tab you will see a checkbox, /SAFEBOOT. Check the box, press Apply, press Close, and press Restart. The computer will now reboot directly into Safe Mode. Use this option if you are having difficulty with the other method.

Once your work in Safe Mode is done, go back to the msconfig window and uncheck the /SAFEBOOT box. Otherwise the computer will take you to Safe Mode every time. After you uncheck the /SAFEBOOT option, you will be able to boot normally on restart.



How to search and delete files from hard disk


-First view hidden files (in Windows XP)

Click on Start > Control Panel > Folder Options.
Click on the View tab.
Under Advanced settings,
locate Hidden files and folders
and select the radio button in front of
Show hidden files and folders.
Press OK.

-Now start the search

Click on Start > Search.
Click on All files and folders.
(Copy and paste the names to be searched into the search box. You can search for many names at once, separated by commas.)
Click on More advanced options.
Check the boxes in front of
-Search system folders
-Search hidden files and folders
-Search subfolders

Click Search. Delete the files if found.
To delete a file, select it by clicking on it once and
press the Delete key on the keyboard, or right-click
and select Delete from the menu.

How to open windows registry


Click Start > Run.
Type regedit.
Click OK.
The Registry Editor opens.

How to make a registry backup

Assuming that you have opened the Registry Editor:
Click on File > Export.
Give the file a name
and click Save.
It saves a copy of the registry in the My Documents folder by default.

How to restore registry using backup


In rare cases, after editing the registry, your computer may seem to have more problems than before. Then open the Registry Editor again and click File > Import.
Select the file that you saved before and click Open. This copies the backup file into your registry, restoring it to its original state. Remember to close all
other applications while importing/restoring the registry, as open programs keep some registry keys open, and those cannot be overwritten.


How to delete Keys from the registry

Important: It is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

Assuming that you have already opened the Registry Editor:

Navigate registry subkeys

Click on the plus sign before the name of the key in the left panel to expand it further,
or double-click on the name to expand it.

Delete a key

To delete a key, select it by clicking on it once.
Then press the Delete key on the keyboard,
or right-click on it to display a menu and
select Delete from it.
Press Yes to confirm.

Easy way to find a subkey

Click on Edit > Find.
Type the name to be searched and click on Find Next.
Select the entry if found. Right-click and select Delete.
Press F3 to search for the next entry.
Continue until you have searched through the whole registry.

Also, if you have trouble locating the long subkeys, copy the last portion of the key, the part within curly braces (including the braces), paste it into the Edit > Find window, and click on Find Next. That is an easier way to identify the keys. Press F3 to search for the next entry. Continue until you have searched through the whole registry.

You can search for only one name in the registry at a time, unlike the search on the hard disk, where you can search for many names separated by commas. Therefore you have to repeat the registry search for each name separately.

Close the Registry Editor when done.

How To edit the Win.ini file

WARNING: The following steps instruct you to remove the text from the run= line of the Win.ini file. If you are using older programs, they may load at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove it.

If you are running Windows 95/98/Me, follow these steps:
Click Start > Run. Type the following:
edit c:\windows\win.ini
and then click OK.
(The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

In the [windows] section of the file, look for a line similar to:

run=[TROJAN FILE NAME]

Note: [TROJAN FILE NAME] refers to the file name detected during the scan.

If this line exists, delete everything to the right of run=.

Click File > Save. Click File > Exit.


How To edit the System.ini file

If you are running Windows 95/98/Me, follow these steps: Click Start > Run. Type the following:

edit c:\windows\system.ini
and then click OK.
(The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

In the [boot] section of the file, look for a line similar to:

shell = Explorer.exe [TROJAN FILE NAME]

Note: [TROJAN FILE NAME] refers to the file name detected during the scan.

If this line exists, delete everything to the right of Explorer.exe.

When you are done, it should look like:

shell = Explorer.exe

Click File > Save. Click File > Exit.
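As an added example (not from the original page), the script below lists what the run= line of Win.ini and the shell= line of System.ini currently contain, without editing either file, so that you can see exactly what is there before you follow the two editing procedures above. The C:\Windows location and the presence of Windows Script Host (cscript) on the machine are assumptions; pass another Windows directory as the first argument if yours differs.

```vbscript
' Added example: show the startup entries a trojan may have hooked in
' Win.ini ([windows] run=) and System.ini ([boot] shell=). Read-only.
' Run as:  cscript inihooks.vbs  [C:\Windows]
Option Explicit
Dim fso, windir, rest
Set fso = CreateObject("Scripting.FileSystemObject")
windir = "C:\Windows"
If WScript.Arguments.Count > 0 Then windir = WScript.Arguments(0)

' Return the value of key= inside [section] of an .ini file, or "" if absent.
Function IniValue(path, section, key)
    Dim f, txt, inSection, eq
    IniValue = ""
    If Not fso.FileExists(path) Then Exit Function
    inSection = False
    Set f = fso.OpenTextFile(path, 1)
    Do Until f.AtEndOfStream
        txt = Trim(f.ReadLine)
        If Left(txt, 1) = "[" Then
            inSection = (LCase(txt) = "[" & LCase(section) & "]")
        ElseIf inSection Then
            eq = InStr(txt, "=")
            If eq > 0 Then
                If LCase(Trim(Left(txt, eq - 1))) = LCase(key) Then
                    IniValue = Trim(Mid(txt, eq + 1))
                    Exit Do
                End If
            End If
        End If
    Loop
    f.Close
End Function

' Anything after Explorer.exe on the shell= line is an extra program to look at.
Function ExtraAfterExplorer(shellLine)
    Dim pos
    ExtraAfterExplorer = ""
    pos = InStr(1, shellLine, "explorer.exe", vbTextCompare)
    If pos > 0 Then ExtraAfterExplorer = Trim(Mid(shellLine, pos + Len("explorer.exe")))
End Function

WScript.Echo "win.ini    run=   " & IniValue(windir & "\win.ini", "windows", "run")
rest = ExtraAfterExplorer(IniValue(windir & "\system.ini", "boot", "shell"))
If rest <> "" Then
    WScript.Echo "system.ini shell= has extra program(s): " & rest
Else
    WScript.Echo "system.ini shell= looks normal"
End If
```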