Instructions

Instructions for removing viruses in Windows

These are general instructions that can be combined to remove most viruses from a Windows computer (XP, Vista and 7). The detailed article for each virus tells you which of these steps apply to it and lists the files, folders, services and registry keys it creates.

 

How to find the other virus files when you know one of them

Sometimes you find one of the virus files, but a virus usually creates several more that you do not know about. You can find them by date. First locate the known virus file on your hard disk, right click its name and select "Properties" from the pop up menu. The General tab shows the date on which the file was created.

When a virus infects a computer, all of its files are created at the same time or shortly afterwards. Use the Windows search tool to find files created on that date or later, up to today, and examine any you do not recognise. Keep in mind that a virus can forge the creation date of its files, so also look at the modified date, and do not treat a recent date on its own as proof that a file is malicious.
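The same date based search done in Windows PowerShell (version 2.0 or later, which XP SP3, Vista and 7 can run), as an added example that is not part of the original page. It searches hidden and system folders as well, checks both the creation and the modified time because the creation time can be forged, and records whether each executable carries a valid digital signature. The path in $KnownBad is an assumption; replace it with the virus file you located.

```powershell
# Added example: find executables created (or modified) on or after the creation date of a known
# virus file. $KnownBad is an assumed path; put the file you located here.
$KnownBad = 'C:\Windows\System32\example.exe'
$Since    = (Get-Item -LiteralPath $KnownBad -Force).CreationTime.Date
$Exts     = '.exe', '.dll', '.sys', '.scr', '.com', '.bat', '.vbs', '.pif'

Get-ChildItem -Path 'C:\' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $Exts -contains $_.Extension -and
        # CreationTime can be forged ("timestomping"), so test the modified time as well
        ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since)
    } |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } },
        @{ Name = 'Hidden';    Expression = { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } } |
    Sort-Object CreationTime |
    Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\new-files.csv" -NoTypeInformation

# Review the CSV: an unsigned, hidden executable created in the same minute as the known virus
# file is a strong candidate. A signed Microsoft file with a recent date usually comes from
# Windows Update and is not.
```

The -Force switch is what makes Get-ChildItem include hidden and system files, so this search works even while the virus has Explorer's "show hidden files" setting turned off. Expect the scan of a whole drive to take a few minutes.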

 

How to detect malicious look-alikes of legitimate files

Several viruses create files with the same names as legitimate Windows files, but placed in a different folder. A running exe file appears in the Task Manager as a process, and a look-alike is only recognisable by its path, not by its name.

You can check whether a process in the Task Manager is good or bad with Windows Defender in XP and Vista: its Software Explorer shows the path of each running process and its publisher. Harmful processes are often shown as Unknown Publisher, although many legitimate third-party programs are unsigned too, and a signed file is not automatically safe. In Windows 7 the Task Manager itself can show this: choose View > Select Columns, enable Image Path Name and Command Line, and compare the path with the folder where the genuine file lives.

A video tutorial about Windows Defender.

Or you can use Sysinternals' Process Explorer, which shows the path, company name and, with Options > Verify Image Signatures enabled, whether the file's signature checks out. More information about Sysinternals' Process Explorer

A video tutorial about Sysinternals' Process Explorer

 

Using System Restore

This is perhaps the first thing you should try when you are trying to remove a virus.

If you know roughly when your computer was infected, restore it to a restore point created before that date. System Restore puts the registry, system files and installed programs back as they were on that date and leaves your documents alone, so it is an easy way to undo the changes made by the virus. It is not a guarantee: some viruses disable System Restore or delete the old restore points, and a file stored inside a restore point can itself be infected, so scan the computer afterwards.

Using System Restore in Windows XP

Using System Restore in Windows Vista

Using System Restore in Windows 7

A video tutorial about System Restore
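Listing the restore points and rolling back to the newest one made before the infection, as an added Windows PowerShell example (not part of the original page). It must be run from a prompt started with "Run as administrator"; the date in $InfectedOn is an assumption.

```powershell
# Added example: list restore points and roll back to the newest one made before the infection.
# Run from an elevated Windows PowerShell prompt; $InfectedOn is an assumed date.
$InfectedOn = Get-Date '2011-03-01'

$Points = Get-ComputerRestorePoint | ForEach-Object {
    New-Object PSObject -Property @{
        Sequence    = $_.SequenceNumber
        Description = $_.Description
        Created     = $_.ConvertToDateTime($_.CreationTime)   # WMI time string -> DateTime
    }
} | Sort-Object Created

$Points | Format-Table Sequence, Created, Description -AutoSize

$Target = $Points | Where-Object { $_.Created -lt $InfectedOn } | Select-Object -Last 1
if ($Target) {
    # -Confirm asks before the reboot; the rollback cannot be cancelled once it has started
    Restore-Computer -RestorePoint $Target.Sequence -Confirm
} else {
    Write-Warning 'No restore point older than the infection date; the virus may have deleted them.'
}
# After Windows comes back, Get-ComputerRestorePoint -LastStatus reports whether the restore succeeded.
```

If the list is empty on a computer that had restore points before, the virus has either turned System Restore off or wiped the points; use the other methods on this page instead.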

 

Boot in safe mode

Sometimes you cannot delete a file, for one of several reasons: the virus may have registered it in the Windows registry so that it starts with Windows, injected it into the address space of legitimate processes, or installed it as a service. While the file is in use Windows will not let you delete it. Booting into one of the Safe Mode options loads only the core drivers and services, so most virus files are not running and can be deleted. For a stubborn file, Safe Mode with Command Prompt gives you a command window instead of the Explorer desktop; it is the closest thing to a DOS prompt on XP, Vista and 7.

How to boot in Safe Mode in Windows XP

How to boot in Safe Mode in Windows Vista

How to boot in Safe Mode in Windows 7

A video tutorial about Booting in Safe Mode
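When a virus has broken the F8 menu, the next boot can be forced into Safe Mode from an administrator prompt with bcdedit on Vista and 7. The commands below are an added example, not part of the original page; on XP the equivalent is the /safeboot:minimal switch in boot.ini.

```powershell
# Added example (Vista and 7; run as administrator): make the next boot a Safe Mode boot with
# bcdedit, then remove the setting once cleanup is done. On XP use the /safeboot:minimal switch
# in boot.ini instead, or press F8 while the computer starts.
bcdedit /set "{current}" safeboot minimal                 # Safe Mode
# bcdedit /set "{current}" safeboot network               # Safe Mode with Networking instead
# bcdedit /set "{current}" safebootalternateshell yes     # add this line for Safe Mode with Command Prompt
bcdedit /enum "{current}"                                 # verify that the safeboot line is present
Restart-Computer -Force

# ... delete the virus files in Safe Mode, then put the boot entry back to normal,
# otherwise every reboot lands in Safe Mode:
bcdedit /deletevalue "{current}" safeboot
bcdedit /deletevalue "{current}" safebootalternateshell
Restart-Computer -Force
```

Do not skip the /deletevalue step: the safeboot setting is persistent, and a computer left with it cannot reach the normal desktop until it is removed.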

 

View Hidden Files

Viruses create their files in folders such as Windows, System32, Application Data and the user's Temp folder. Several of these are hidden or system folders: with the default Explorer settings you will neither see them nor find virus files in them with Windows Search. Viruses also set the hidden and system attributes on their own files for the same reason.

Enable "Show hidden files and folders" and clear "Hide protected operating system files" in Folder Options before searching; otherwise virus files in the hidden folders will not be found. If Folder Options itself is missing or greyed out, the virus has disabled it; see the free repair tools later on this page.

How to enable viewing of hidden files and folders in Windows XP

How to enable viewing of hidden files and folders in Windows Vista

How to enable viewing of hidden files and folders in Windows 7

A video tutorial about hidden files and folders
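The Folder Options settings live in the registry, and a virus that hides its files usually flips them there. The following added Windows PowerShell example (not from the original page) sets them back for the current user, removes the policy value that greys out Folder Options, and restarts Explorer so the change takes effect.

```powershell
# Added example: restore the Explorer settings a virus commonly flips so that hidden and system
# files become visible again and real file extensions are shown. Applies to the current user.
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $Adv -Name Hidden          -Value 1 -Type DWord   # 1 = show hidden files, 2 = hide
Set-ItemProperty -Path $Adv -Name ShowSuperHidden -Value 1 -Type DWord   # show protected operating system files
Set-ItemProperty -Path $Adv -Name HideFileExt     -Value 0 -Type DWord   # show extensions, exposing "photo.jpg.exe"

# NoFolderOptions removes Folder Options from Explorer; delete it wherever the virus put it
$PolicyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($key in $PolicyKeys) {
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name NoFolderOptions -ErrorAction SilentlyContinue
    }
}

# Explorer reads these values when it starts, so restart it (the desktop disappears for a moment)
Stop-Process -Name explorer -Force
Start-Process explorer.exe

# Confirm: -Force makes Get-ChildItem list hidden items regardless of the Explorer setting
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers\etc" -Force
```

Deleting the HKLM policy value needs an administrator prompt; the HKCU values can be fixed by the user they belong to.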

 

Remove Processes from Task Manager

When a virus executable is active on your computer you can usually see it in the Task Manager. You need to end this process before you can delete its file from the hard disk, because Windows does not allow you to delete an executable that is currently running.

Press Ctrl+Alt+Del (XP) or Ctrl+Shift+Esc (any version) to open the Task Manager and select the Processes tab. You will see a list. Look for the names of the virus files in it; generally they are EXE files. Select the process if you find it and press the End Process button. It will ask for your confirmation; select Yes. You can end only one process at a time, and some viruses run two processes that restart each other. If a process comes back as soon as you end it, use Process Explorer to end both at once, or remove the files from Safe Mode or the Linux boot disk described later on this page.

As described above, Windows Defender (XP and Vista) or Process Explorer will show you the path and publisher of each process, and on Windows 7 the Task Manager can show the image path itself. A process shown as Unknown Publisher, or running from a folder where the genuine file of that name does not live, is the one to end.

How to use Windows Defender in Windows XP

How to use Windows Defender in Windows Vista

How to use Windows Defender in Windows 7

Or you can use Sysinternals' Process Explorer. How to use Sysinternals' Process Explorer

A video tutorial about finding currently running programs
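The checks described in "How to detect malicious look-alikes of legitimate files" and in this section, done in Windows PowerShell as an added example that is not part of the original page: it lists every process with its image path and signature status, flags unsigned images outside the Windows folder and well-known Windows names running from the wrong folder, and then ends one flagged process and deletes its file. Run it from an administrator prompt so that the paths of all processes are visible; the process ID in $BadPid is an assumption. One caveat: on XP, Vista and 7 many Windows files are signed only through security catalogs, which Get-AuthenticodeSignature does not consult, so a Windows file in its proper folder reporting NotSigned is normal here. Process Explorer's Verify Image Signatures check does use the catalogs.

```powershell
# Added example: list running processes with image path and Authenticode status, flag unsigned
# images outside the Windows folder and core Windows names running from the wrong folder, then
# end one flagged process and delete its file. $BadPid is an assumption. Run as administrator.
$System32 = Join-Path $env:SystemRoot 'System32'
# Names viruses often borrow; the genuine copies live in System32 (explorer.exe lives in %SystemRoot%)
$CoreNames = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe',
             'smss.exe', 'spoolsv.exe', 'explorer.exe'

$Report = Get-WmiObject Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'NoPath' }   # System, Idle and some protected processes report no path
    $expectedDir = if ($_.Name -eq 'explorer.exe') { $env:SystemRoot } else { $System32 }
    $lookAlike = ($CoreNames -contains $_.Name) -and $path -and
                 ((Split-Path -Path $path -Parent) -ne $expectedDir)
    # Catalog-signed Windows files show NotSigned here, so only count unsigned files outside Windows
    $unsignedOutside = ($sig -eq 'NotSigned') -and
                       -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    New-Object PSObject -Property @{
        ProcessId  = $_.ProcessId
        Name       = $_.Name
        Path       = $path
        Signature  = $sig
        Suspicious = $lookAlike -or $unsignedOutside
    }
}

$Report | Where-Object { $_.Suspicious } | Format-Table ProcessId, Name, Signature, Path -AutoSize

# End a flagged process and delete its file; Windows refuses the delete while the process runs
$BadPid = 1234   # assumption: take the ProcessId from the table above
$Bad = $Report | Where-Object { $_.ProcessId -eq $BadPid }
if ($Bad) {
    Stop-Process -Id $Bad.ProcessId -Force
    Start-Sleep -Seconds 2          # give Windows a moment to unmap the image
    if (Get-Process -Id $BadPid -ErrorAction SilentlyContinue) {
        Write-Warning 'The process came back; another process or a service is restarting it.'
    } else {
        Remove-Item -LiteralPath $Bad.Path -Force
    }
}
```

The "came back" branch is the case the next sections deal with: a startup entry, a service or a second process is relaunching the file, and that has to be disabled first.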

 

Removing entry from windows startup

Viruses often add an entry to the Windows startup list so that the virus file runs as soon as you log on. To see whether such an entry exists, open the startup list with the System Configuration utility (msconfig).

Start it by clicking Start > Run (XP) or by typing in the Start menu search box (Vista and 7), entering msconfig and pressing Enter. Changes made here are reversible: you can check and uncheck any entry any number of times.

Click the Startup tab. You will see a list of all the programs that start with Windows. Widen the Command column with the mouse to see the full path of each program. Uncheck the boxes in front of the virus files (and any other suspicious names), press Apply, then OK, and choose Restart at the next prompt. Note that unchecking an entry only disables it: msconfig keeps a copy of the entry so that you can re-enable it later, and the file itself stays on the disk until you delete it.

A video tutorial about Windows Startup
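The entries msconfig shows come from the Run and RunOnce registry keys and the Startup folders. The following added Windows PowerShell example (not part of the original page) lists them with the signature status of each program and then deletes one entry outright rather than just disabling it. The value name in $BadName is an assumption.

```powershell
# Added example: list the autostart entries Windows runs at logon (the same ones msconfig shows)
# with the signature status of each program, then delete one entry. $BadName is an assumed value name.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-ExePath([string]$CommandLine) {
    # "C:\Program Files\x\y.exe" /arg  or  C:\dir\y.exe arg  -> the executable path.
    # Entries like rundll32.exe foo.dll,Entry keep a bare name and show as Missing below; check the DLL by hand.
    if ($CommandLine -match '^\s*"?([^"]+?\.exe)"?') { $matches[1] } else { $CommandLine }
}

$Entries = @(foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # skip PSPath, PSParentPath, ... added by the provider
        $exe = Get-ExePath $prop.Value
        $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }
        New-Object PSObject -Property @{ Source = $key; Name = $prop.Name; Command = $prop.Value; Signature = $sig }
    }
})

# Shortcuts in the Startup folders are autostart entries too
$Folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$Entries += @(foreach ($f in $Folders) {
    Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{ Source = $f; Name = $_.Name; Command = $_.FullName; Signature = 'n/a (shortcut)' }
    }
})

$Entries | Format-Table Name, Signature, Command, Source -AutoSize -Wrap

# Remove one entry outright (msconfig only moves it to ...\Shared Tools\MSConfig\startupreg)
$BadName = 'Updater'   # assumption: the value name shown in the Name column
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name $BadName -ErrorAction SilentlyContinue
```

Entries whose command points at a file in a Temp folder, in Application Data, or in a folder you do not recognise deserve a closer look even when the name sounds harmless.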

 

Stopping a Malicious Service

Sometimes a virus creates a malicious service. If the article mentions one, stay in the System Configuration utility and proceed to stop the malicious service or services.

Select the Services tab and look at the list. Tick "Hide all Microsoft Services" to make the list shorter. Find the service created by the virus; if it is checked, uncheck it, which disables the service so that it no longer starts. As long as the service is running, Windows will not let you delete its file from the hard disk. Press Apply, then OK, and restart the computer.


Starting the Services stopped by a virus

Sometimes a virus stops or disables one or more Windows services, which harms the functioning of Windows. You need to start them again. Stay in the System Configuration utility, select the Services tab and locate the service the virus disabled; it will be unchecked. Check it, press Apply, then OK, and restart the computer at the next prompt. Do nothing if the service is already checked.
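Both of the service steps above, stopping a malicious service and re-enabling a Windows service the virus turned off, in Windows PowerShell as an added example that is not part of the original page. It lists services together with the executable (and, for svchost-hosted services, the DLL) they actually load, which is what the "Hide all Microsoft Services" view hides behind a name. Run it as administrator; $BadService and $Victim are assumed service names.

```powershell
# Added example: list services with the file they load, flag those loading from outside the Windows
# folder, disable a malicious service and re-enable a Windows service the virus switched off.
# Run as administrator. $BadService and $Victim are assumed names.
function Get-ServiceExe([string]$PathName) {
    # "C:\x\y.exe" -arg  or  C:\Windows\system32\svchost.exe -k netsvcs  -> the executable path
    if ($PathName -match '^\s*"?([^"]+?\.exe)"?') { $matches[1] } else { $PathName }
}
function Test-InWindows([string]$Path) {
    $Path -and $Path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

$Services = Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ServiceExe ([string]$_.PathName)
    $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }
    # Services hosted by svchost.exe share one exe; the DLL each one loads is recorded under
    # HKLM:\SYSTEM\CurrentControlSet\Services\<Name>\Parameters\ServiceDll
    $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" `
            -ErrorAction SilentlyContinue).ServiceDll
    New-Object PSObject -Property @{
        Name = $_.Name; Display = $_.DisplayName; State = $_.State; StartMode = $_.StartMode
        Exe = $exe; Signature = $sig; ServiceDll = $dll
        Suspicious = -not (Test-InWindows $exe) -or ($dll -and -not (Test-InWindows $dll))
    }
}
$Services | Where-Object { $_.Suspicious } |
    Format-Table Name, State, StartMode, Signature, Exe, ServiceDll -AutoSize -Wrap

$BadService = 'SysUpdater'   # assumption
Stop-Service -Name $BadService -Force -ErrorAction SilentlyContinue
Set-Service  -Name $BadService -StartupType Disabled     # same effect as unchecking it in msconfig
# Once its file has been deleted, remove the definition as well:  sc.exe delete $BadService

$Victim = 'wuauserv'          # assumption: a Windows service the virus disabled
Set-Service   -Name $Victim -StartupType Automatic
Start-Service -Name $Victim
```

Third-party services that legitimately live under Program Files will appear in the flagged list too; the article's list of virus services and the Signature column tell them apart.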


Searching Files on the hard disk

You can use the Windows search utility to look for the virus files and find out whether other copies exist elsewhere on the computer. Do not do this for files whose names match legitimate Windows files; the article says so whenever that is the case. Delete such malicious clones only from the location where the virus creates them, never the genuine copy in its normal Windows folder.

Select Advanced Options > Search hidden files and folders when the virus lives in a hidden folder. Many folders under C:\Windows, and the Application Data folder in each user profile, are hidden or system folders, so search skips them by default. Enable viewing of hidden files and folders, as described above, if you intend to locate and delete viruses there.


Deleting virus files from the hard disk

After the computer restarts, delete the virus files. You may have to delete an entire folder if the virus created it. The files and folders of each virus are listed in its separate article. Boot in Safe Mode or Safe Mode with Command Prompt if needed. Use the Windows search utility to find any other copies of the files elsewhere on the computer.

Each article is based on a sample uploaded to the ThreatExpert site. The name and location of the original sample on your computer are not known; it may be in your default download folder, on the desktop or in a Temp folder. Files and folders in the Temp folders can be removed automatically with a free temp files/registry cleaner such as CCleaner.


Registry Keys

Some of the registry keys will be removed automatically if you run the Registry section of CCleaner. For the remaining registry changes consult the analysis report mentioned at the beginning of each article.

Advanced users may edit the registry with regedit; export the key first so that the change can be undone. A video tutorial about registry editing

 

Using CCleaner

You can easily remove the files in the Temp folders by running CCleaner. You can also set CCleaner to run automatically each time the computer starts.

Do not forget to run CCleaner > Registry to remove the obsolete registry entries; accept the backup it offers before it deletes them.

more about CCleaner on this link

A video tutorial about using CCleaner

 

Repair Hosts File

Viruses can block access to security related websites from your computer, or redirect them to malicious addresses, by modifying the Hosts file. The Hosts file is a plain text file that Windows consults before asking DNS; each line maps an IP address to a host name, and lines beginning with # are comments.

 

To repair the hosts file, log in as administrator (on Vista and 7 start Notepad with "Run as administrator") and open this file in Notepad:
C:\Windows\System32\drivers\etc\hosts
Delete every line that is not a comment, apart from the loopback entries "127.0.0.1 localhost" and "::1 localhost", then save and close the file. A line that sends a security vendor's website to 127.0.0.1 or to an address you do not know is the virus's work. If Notepad cannot save the file, the virus has set the read-only or hidden attribute on it; clear the attribute in the file's Properties first.
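The same repair in Windows PowerShell (run as administrator), as an added example that is not part of the original page: it shows the active entries, keeps a backup, clears the attributes a virus sets to block editing, and writes back the stock content.

```powershell
# Added example (run as administrator): show the active entries in the hosts file, back it up,
# clear the attributes a virus sets to block editing, and write back the stock content.
$Hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Active lines are those that are neither blank nor comments; a clean file has none,
# or on XP just the localhost line
Write-Host "Active entries in $Hosts :"
Get-Content -LiteralPath $Hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

Copy-Item -LiteralPath $Hosts -Destination "$Hosts.bak" -Force
# Read-only, hidden or system attributes stop Notepad from saving; reset them
(Get-Item -LiteralPath $Hosts -Force).Attributes = [IO.FileAttributes]::Normal

$Stock = @(
    '# Hosts file restored. Lines starting with # are comments.',
    '127.0.0.1       localhost',
    '::1             localhost'
)
Set-Content -LiteralPath $Hosts -Value $Stock -Encoding Ascii
ipconfig /flushdns | Out-Null   # drop cached answers produced by the old entries
```

Keep the .bak copy until the cleanup is finished; the addresses the virus pointed security sites to are useful when you check the firewall log for connections to them.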

 

Free tools to repair disabled folder options, registry, Task Manager etc

If the virus has disabled Folder Options, Registry Tools (regedit), the Task Manager or System Restore, you can repair them with these free tools:

Tools for Windows XP

Tools for Windows Vista

Tools for Windows 7


Using System File Checker application

Run this to repair Windows system files that the virus has altered or replaced. It compares the protected system files with Windows' own cached copies and puts back the ones that differ.

How to run the System File Checker utility in Windows XP

How to run the System File Checker utility in Windows Vista

How to run the System File Checker utility in Windows 7

A video tutorial about System File checker

 

Some Videos on Free Tools

Virus infections are complex. Most of the time a virus on the computer downloads more files and makes things complicated. In my attempt to warn users about the different ways that viruses try to infect a computer, and about ways to find and remove them, I have created videos on specific free tools and manual methods; these videos could be of great help.

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious services - Advanced WinService Manager

3) To detect and remove viruses in a fake Recycle Bin - Watch Video

4) To keep an eye on suspicious connections using a firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

6) To detect a hidden process in Windows - EvilFingers HPD

7) A free tool from Microsoft to reset the IE settings - on Microsoft's website
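Item 1 above recommends Stream Armour for alternate data streams. The check can also be done in PowerShell 3.0 or later (Windows 7 gets it with the Windows Management Framework 3.0); the following is an added example and not the tool's own code. It finds files carrying streams other than the normal :$DATA stream and the Zone.Identifier marker that browsers add to downloads, then inspects and deletes one stream. $Root and the file and stream names at the end are assumptions.

```powershell
# Added example (PowerShell 3.0 or later): find files that carry alternate data streams other than
# the normal :$DATA stream and the Zone.Identifier download marker, then inspect and delete one stream.
# $Root and the file/stream names at the end are assumptions.
$Root = 'C:\Users'

$Found = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
}
$Found | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# Peek at a stream: the first two bytes "MZ" (0x4D 0x5A) mean it holds a Windows executable
$File = 'C:\Users\Public\readme.txt'; $Stream = 'hidden.exe'   # assumptions
$head = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2
if ($head -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { "${File}:${Stream} holds an executable" }

# Delete only the stream; the visible file is kept intact
Remove-Item -LiteralPath $File -Stream $Stream
```

Alternate data streams exist only on NTFS volumes, and Explorer never shows them, which is why a virus can park an executable behind an innocent looking text file.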

 

Using Linux Boot Disk to boot and delete virus files

Several times a virus makes it difficult to remove its files while you are logged in to Windows. These are symptoms you may encounter:

1) You see the suspicious virus process running in the Task Manager but cannot end it.

2) Even if you delete a virus file or end the process, the process appears again.

3) The virus disables System Restore, Registry Tools, the Task Manager, Safe Mode etc.

If any of these or other things the virus does make you think you cannot remove the virus files from within Windows, you can remove them with the help of a Linux boot disk. Because Windows is not running, none of the virus's protection is active and its files are ordinary files on the disk.

1) Download a Knoppix boot-only CD ISO image in your language from one of the download links on this website.

2) Burn the ISO image to a blank CD.

3) Put the Knoppix boot disk in your computer's CD drive and boot from the CD (you may have to change the boot order in the BIOS).

At the beginning of the boot process you will see the prompt boot:

Type one of
knoppix screen=1280x1024
knoppix screen=1024x768
or any other resolution that your computer supports.
If you do not specify a screen resolution, Knoppix may boot with a minimal resolution and you may have to use command line options, which is inconvenient for a Windows user.

Once the Knoppix desktop opens, click the folder icon at the bottom left of the screen to open PCManFM, the graphical file manager in Knoppix. It has two panels. In the left panel you should see the partitions of your hard disk. Select the partition on which Windows is installed and you will see all its folders. Now you can browse your folders and delete suspicious files and folders just as you would in Windows Explorer. Turn on View > Show Hidden so that hidden files are listed, and if a file refuses to delete the partition may have been mounted read-only.

When you are finished, click Log off, then Turn Off or Restart. Take the Knoppix CD out of the drive and boot normally into Windows.

Vocabulary - The technical terms used in the articles.

The words program, software and application are used synonymously.
The words worm, virus and trojan are used synonymously, although technically they have different meanings.
Process - a running exe file as seen in the Task Manager
Task Manager - opened with Ctrl+Alt+Del (XP) or Ctrl+Shift+Esc, or by running taskmgr.exe
Service - a program Windows starts in the background without a logged-in user; listed under the Services tab of the System Configuration utility
System Configuration utility - opened with the msconfig.exe command
System File Checker - sfc /scannow (repairs damaged system files)
System Restore - rstrui.exe (restores the computer to its state on a previous date)
Search - the Windows search utility
CCleaner - free software to remove obsolete registry keys and temporary files
analysis report - an online report generated automatically when a file is uploaded to threatexpert.com for analysis
Free Tools - a list of downloadable free software that can be used to perform several repair tasks; given in the detailed instructions
obsolete registry keys - each program on the hard disk is usually associated with a few entries in the Windows registry. When you delete a virus file, its registry entries remain; such leftover entries are called obsolete.
Windows registry - opened with regedit.exe; the database that holds the configuration settings of Windows and of installed programs

 

 

