infinite_trial
03-08-2007, 02:09 PM
Applicable for Windows OS (XP, 2000, Me, 98)
If you suspect that a virus, spyware or even a hacking tool has been installed on your PC, you can try these steps after exhausting the cleanup options of your antivirus/anti-spyware tools.
WARNING: Do not attempt to delete any files on your PC unless you have already done a backup. If in doubt you can consult a friendly TF member :D
First, you need to download the StartupList (http://www.spywareinfo.com/%7Emerijn/programs.php) software (for easier reference). This software creates a list of your startup programs (installed by your network if you are in the office, startup files created by the programs installed on your PC, e.g. Yahoo Messenger, drivers, Internet Explorer hijacks/spyware/URL redirection).
This is what it looks like:
http://www.merijn.org/images/startuplist2.gif
You can create a log of the startup list by going to File > Save as, then saving the log as a text (.txt) file.
Now, I will first discuss how to identify the viruses. We will get to deleting them later on.
For suspected programs running in the background, go to Running processes in the log file you created. For easier viewing, open the log in Notepad and press Ctrl+F to find the text. Type in Running processes; the text that follows lists the programs running in the background, including the DLL files associated with each one.
For example:
[C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (24)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\apphelp.dll
C:\WINDOWS\system32\comctl32.dll
The highlighted text is the program and the directory in which it was installed. Not all programs listed are viruses. To confirm whether a program is a virus, you can use Google (http://www.google.com) to search for it. In this case, you would use DVDLauncher.exe as your search keyword. Since this is a valid program, you don't need to delete it. This is only an example.
Note: viruses/spyware usually reside in the C:\Windows\system32\ directory.
Warning: most of the files in C:\Windows\system32\ are important files, so do not just delete them without doing a search on the program. Again, Google is your friend.
Other parts of the log file where you can find the suspected viruses are in:
Autostarting batch files
WinLogon autoruns
Registry 'Run' keys
Hijack points
How to Delete the Virus
Once you have confirmed that a file entry in your log file is a virus/spyware, delete it by doing the following:
Go to msconfig (start > run > type msconfig > press enter).
Disable the suspected programs by following the instructions shown in this post (http://www.timog.com/forum/showpost.php?p=219649&postcount=8) (refer to the System Configuration Utility entry).
Restart your computer.
When the System Configuration Utility comes up, check the 'do not show this on startup' checkbox, then hit OK.
Before hitting the delete button, note that some viruses can actually be uninstalled from Add/Remove Programs in your Control Panel. If you can't see it there, go to Windows Explorer (right-click on the Start menu > Explore) and browse to the directory where the file is installed. Delete the file (in some cases it is installed in a folder where the other files associated with it are also installed).
If the program (exe) cannot be deleted (it might say it's protected or in use) and it has associated DLL files, go to the log file, look up the DLL files in Explorer and delete them. If a DLL file cannot be deleted, stop it first by going to Start > Run > type cmd > Enter. Go to the C: prompt (C:\) by typing \ and pressing Enter. Unregister the DLL file by typing regsvr32 /u followed by the directory and the DLL filename in quotation marks (e.g. regsvr32 /u "program files\common files\oe\toolbar.dll"). After stopping the DLL files, delete them together with the program (exe file).
Searching the entries in the registry:
Go to regedit-
start > run > regedit > then press enter
In the Registry Editor, press Ctrl+F and search for the exe file that you have deleted. It will be shown in the right pane of the Registry Editor. Delete the whole key by pressing Delete on your keyboard or right-click > Delete.
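As an added example (not from the original post and not StartupList's own code), here is a small Python script that does the log-reading part above automatically: it picks the Running processes section out of a StartupList-style log, groups each process with the DLLs listed under it, cross-checks the exe names against the Registry 'Run' keys section, and flags the entries that sit in C:\Windows\system32\ or load DLLs from outside the Windows directory (the DLLs you would later have to unregister together with the exe). The log layout of SAMPLE_LOG is constructed to match the excerpt quoted above and is an assumption about the real StartupList format; suspect-placeholder.exe is a made-up stand-in for an unknown file, not a real malware name. The script never deletes anything; it only produces the list of names to search for.

```python
"""Triage a StartupList-style log: which background processes ran, which DLLs
each one loaded, and which entries deserve a web search before any deletion.
Added example, not StartupList's own code; the SAMPLE_LOG layout is modelled on
the excerpt quoted in the post and is an assumption about the real format."""
import re
from collections import defaultdict

# Constructed sample. DVDLauncher.exe is the legitimate program from the post;
# suspect-placeholder.exe is a made-up stand-in for an unknown file in system32.
SAMPLE_LOG = r"""
Running processes:

[C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (24)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\comctl32.dll

[C:\WINDOWS\system32\suspect-placeholder.exe (1432)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\Program Files\Common Files\oe\toolbar.dll
--------------------------------------------------
Registry 'Run' keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
suspect = C:\WINDOWS\system32\suspect-placeholder.exe
"""

PROCESS_RE = re.compile(r"^\[(?P<path>.+?) \((?P<pid>\d+)\)\]$")   # [path (pid)]
RUN_VALUE_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+)$")  # name = command
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)             # first .exe in a command
WINDOWS_DIR = "c:\\windows\\"
SYSTEM32_DIR = WINDOWS_DIR + "system32\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def split_sections(log):
    """Map each 'Title:' line to the non-blank, non-separator lines under it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None and line and set(line) != {"-"}:
            sections[current].append(line)
    return sections


def parse_running_processes(lines):
    """Group each '[path (pid)]' header with the DLL lines listed under it."""
    processes = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            processes.append({"path": m["path"], "pid": int(m["pid"]), "dlls": []})
        elif processes and line.lower().endswith(".dll"):
            processes[-1]["dlls"].append(line)
    return processes


def run_key_exes(lines):
    """Lower-cased exe names launched from the HKLM/HKCU ...\\Run keys listed."""
    names, key = set(), None
    for line in lines:
        if line.upper().startswith(("HKLM\\", "HKCU\\")):
            key = line
            continue
        m = RUN_VALUE_RE.match(line)
        exe = EXE_RE.search(m["cmd"]) if (m and key) else None
        if exe:
            names.add(basename(exe.group(1)).lower())
    return names


def dll_loaders(processes):
    """Reverse index: DLL path (lower-cased) -> names of processes that loaded it."""
    loaders = defaultdict(list)
    for p in processes:
        for dll in p["dlls"]:
            loaders[dll.lower()].append(basename(p["path"]))
    return dict(loaders)


def triage(log):
    """Per-process review rows plus the DLL reverse index; deletes nothing."""
    sections = split_sections(log)
    processes = parse_running_processes(sections.get("Running processes", []))
    autostarted = run_key_exes(sections.get("Registry 'Run' keys", []))
    rows = []
    for p in processes:
        name, lower = basename(p["path"]), p["path"].lower()
        rows.append({"process": name, "pid": p["pid"], "directory": p["path"][: -len(name)],
                     "in_system32": lower.startswith(SYSTEM32_DIR),       # the post's usual hiding place
                     "autostarted_by_run_key": name.lower() in autostarted,
                     "non_windows_dlls": [d for d in p["dlls"] if not d.lower().startswith(WINDOWS_DIR)],
                     "search_term": name})                                # look this up before deleting
    return {"processes": rows, "dll_loaders": dll_loaders(processes)}


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG)["processes"]:
        print(r["pid"], r["directory"] + r["process"], "| system32" if r["in_system32"] else "",
              "| Run key" if r["autostarted_by_run_key"] else "", "| search for:", r["search_term"])
```

Running it prints one line per process; only the made-up system32 entry comes out flagged, while DVDLauncher.exe is listed but unflagged, which matches the post's point that a program in the list is not automatically a virus. The dll_loaders index is the part to consult before the regsvr32 /u step: a DLL shared with legitimate processes (ADVAPI32.dll here) should be left alone, whereas a DLL loaded only by the suspect (toolbar.dll) is the one associated with it.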
Well...that's it. If you want to delete them manually but are in doubt, you can use StartupList and make a post in this thread (since the log is too long, maybe you can try truncating it).