Sunday, 15 August 2010

How to remove virus manually from your system

Viruses, trojans and worms are among the biggest threats to personal and enterprise computer systems, leading to anything from system instability to data loss to more serious crimes. Although they are such a major threat, most users lack proper knowledge of how they act and behave. And many antivirus products are unable to remove the viruses and their effects, especially if the viruses are of a new type or newly released.

So, using fully updated antivirus software and firewalls cannot ensure full protection of your system and data. And sometimes your antivirus program cannot even be accessed because of the infection. Today, I am going to put forward some basic techniques to remove viruses manually from your computer system.



For removing viruses manually, it is very important to know about safe mode. In safe mode only the basic essential drivers are loaded, with basic graphics and without any unnecessary drivers; basically you get the Windows interface with a minimal set of drivers and software. You can enter safe mode by pressing the F8 key while your computer is starting. Safe mode is a powerful mode for fixing many problems in your Windows OS. You might have figured out why to start your infected PC in safe mode: many viruses won't execute in safe mode. Second, you should know enough about the command prompt, or try to learn some important commands, so that you can work on removing viruses manually. I assume you have some basic knowledge of the command prompt.



Most viruses attach themselves to startup by any of several means such as the registry, the startup folder, autoexec, etc. Usually viruses affect the registry most and modify several keys in your system's registry. You might be confused about what the registry is. It is a hierarchical database that stores configuration settings, options and low-level OS components for the Windows OS. So it is an important part of your system, and you can modify the entries in the registry with a tool called Registry Editor. You can open Registry Editor by typing "regedit" or "regedt32" in the Run dialog.



Now that we are ready with the basics, let's start on removing the active virus from our computer. Remember, it is always better to start in safe mode for virus removal in Windows.



When you have an active virus in your system, there is a process associated with it. So try to view and identify the virus process in the task list. Try to end the process; if it doesn't reappear after ending, good, but most virus processes get re-invoked after the parent process is killed. So again, it is the command prompt that is going to be useful for us. Fire up the command prompt (cmd, or command.com from the Run menu) and type "tasklist". You'll see the list of currently running tasks. From there, you'll have to figure out which process is the virus. This is one of the tough parts, so you'll need some practice at removing viruses manually to master it. Once you know the virus's process, end it with the "taskkill" command. Type "taskkill /f /T /im virusprocess.exe" in the command prompt, where virusprocess.exe is the name of the process you want to end, /f is the switch for forceful termination of the process, /T is for tree kill, i.e. killing the child processes too, and /im means the image name, the executable's name as seen in tasklist.
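The same triage in PowerShell, as an added example that is not part of the original post: the first function is the "tasklist" step, narrowed to processes whose image does not live under the Windows or Program Files directories (where most infections of the kind described here run from); the second is the "taskkill /f /T" step, ending the children before the parent so a child cannot respawn it. The trusted-root list, the function names and the PID 0/4 exclusion are this example's own assumptions; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt.

```powershell
# Added example (not from the original post): list processes that do not run
# from the Windows or Program Files directories, then end a process and its
# children the way "taskkill /f /T" does. Assumes Windows PowerShell 3.0+
# (Get-CimInstance) and an elevated prompt for other users' processes.

$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-SuspectProcess {
    # Emits PID, parent, name, image path and command line for every process
    # whose image is outside the trusted roots or whose path is unreadable.
    # The kernel pseudo-processes (PID 0 and 4) have no path and are skipped.
    Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -gt 4 } | ForEach-Object {
        $path = [string]$_.ExecutablePath
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true; break }
        }
        if (-not $trusted) {
            [pscustomobject]@{
                Pid     = $_.ProcessId
                Parent  = $_.ParentProcessId
                Name    = $_.Name
                Path    = $path
                CmdLine = $_.CommandLine
            }
        }
    }
}

function Stop-ProcessTree {
    # Ends the descendants of $Id first and then $Id itself, so a child cannot
    # respawn its parent. Run with -WhatIf to preview what would be killed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][int]$Id)

    $all = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name
    foreach ($child in ($all | Where-Object { $_.ParentProcessId -eq $Id -and $_.ProcessId -ne $Id })) {
        Stop-ProcessTree -Id $child.ProcessId -WhatIf:$WhatIfPreference
    }
    $target = $all | Where-Object { $_.ProcessId -eq $Id }
    if ($target -and $PSCmdlet.ShouldProcess("$($target.Name) (PID $Id)", 'Stop')) {
        Stop-Process -Id $Id -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
#   Get-SuspectProcess | Format-Table -AutoSize
#   Stop-ProcessTree -Id 1234 -WhatIf    # preview the tree that would be ended
#   Stop-ProcessTree -Id 1234            # end it
```

Expect some legitimate hits in the first listing (browsers and updaters installed per user, for instance); the point is to shrink the list you have to inspect by hand, and the path and command line columns are what tell a known installer apart from a file dropped in a temporary folder.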



After ending the task, it is now time to remove the virus from startup, because most viruses attach themselves to the startup. For this you'll have to edit the registry and the startup folder. There is another tool called "msconfig" that is useful for removing programs from startup. Type "msconfig" in the Run menu and the System Configuration Utility window will open. Switch to the Startup tab and, from there, uncheck the virus's entry in the startup items list. Also, some viruses place a shortcut in the startup folder, so right-click the Start menu and click Open. From there, navigate to Program files > Startup, where you'll see the shortcut that must be deleted to prevent the virus executing on future restarts. Also, if you like editing the registry, you can delete the virus's startup keys from:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce



Also, some viruses start themselves from other files like win.ini and system.ini, so look through them and modify if needed.
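An audit of the startup locations from the last two paragraphs, as an added example that is not part of the original post: it reads every value under the seven Run keys listed above, every item in the per-user and all-users Startup folders (resolving shortcuts to their targets), and the load= and run= lines of win.ini, then flags any entry whose executable is missing or lives outside the Windows and Program Files directories. The function names, the "Suspicious" heuristic and the trusted-root list are this example's own assumptions; it assumes Windows PowerShell 3.0 or later. Removal is a separate function that only acts when run without -WhatIf.

```powershell
# Added example (not from the original post): enumerate the registry Run keys
# named in the post, the two Startup folders and win.ini's load=/run= lines,
# flagging entries whose image is missing or outside Windows/Program Files.
# Assumes Windows PowerShell 3.0+. Nothing is changed unless
# Remove-AutorunValue is run without -WhatIf.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    # Extracts the executable from a command such as  "C:\x\a.exe" /q  or  C:\x\a.exe /q
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return ''
}

function Get-AutorunEntry {
    $trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $entries = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run* values
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSChildName, ... added by the provider
            $entries.Add([pscustomobject]@{ Source = $key; Name = $name; Command = [string]$props.$name })
        }
    }
    # 2. Per-user and all-users Startup folders (shortcuts resolved to their target)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($item in (Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue)) {
            $cmd = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            $entries.Add([pscustomobject]@{ Source = $folder; Name = $item.Name; Command = $cmd })
        }
    }
    # 3. load= and run= lines in win.ini
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path $winIni) {
        foreach ($m in (Select-String -Path $winIni -Pattern '^\s*(load|run)\s*=\s*(\S.*)$')) {
            $entries.Add([pscustomobject]@{ Source = $winIni; Name = $m.Matches[0].Groups[1].Value; Command = $m.Matches[0].Groups[2].Value.Trim() })
        }
    }

    # Annotate each entry with its image path and a simple suspicion flag.
    foreach ($e in $entries) {
        $image   = Get-ImagePath $e.Command
        $exists  = ($image -ne '') -and (Test-Path -LiteralPath $image)
        $inRoots = $false
        foreach ($r in $trusted) { if ($image.StartsWith($r, 'OrdinalIgnoreCase')) { $inRoots = $true } }
        $e | Add-Member -NotePropertyName Image -NotePropertyValue $image
        $e | Add-Member -NotePropertyName Suspicious -NotePropertyValue (-not $exists -or -not $inRoots)
        $e
    }
}

function Remove-AutorunValue {
    # Deletes one registry value; with -WhatIf it only reports what it would do.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key -> $Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

# Usage:
#   Get-AutorunEntry | Where-Object Suspicious | Format-Table Source, Name, Image, Command -AutoSize
#   Remove-AutorunValue -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'BadEntry' -WhatIf
```

Entries that give a bare file name with no directory (so Windows resolves it through the PATH) are also flagged, since the script cannot tell where they will resolve; treat them the way the post treats anything unfamiliar in msconfig: look at the file before you remove the entry. On 64-bit Windows the WOW6432Node copies of the HKLM keys are worth adding to $runKeys as well.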



Now that you have ended the virus process and its startup reference, you'll have to search for the virus executable. Usually a virus copies itself to the root folder of each drive and to the "windows" and "windows/system32" folders of the XP partition. To delete them, open the command prompt and navigate to the drive or directory.

For example, to change drive, type the drive letter followed by a colon, e.g. D: to go to the D:\ drive. Now, since viruses are usually hidden, you will want to see them by typing "dir /ah", which lists the hidden files and folders. After seeing the list of files, delete them by issuing the "del" command, like "del /f /ah virus.exe" where virus.exe is the virus file. Also delete the autorun.inf file (as above) from the drive roots, as it is usually responsible for executing the virus when you open your drives. And don't forget to delete viruses from C:\windows and C:\windows\system32 following similar steps. To navigate between directories, use the "cd" command.
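The drive-root sweep from this paragraph in PowerShell, as an added example that is not part of the original post: one function is "dir /ah" run in the root of every local and removable drive, one shows what a drive's autorun.inf would launch (the open=, shellexecute= and shell\...\command= directives) so you can see what the file points at before deleting it, and one is "del /f /ah" together with the attrib step mentioned at the end of the post, clearing the hidden, system and read-only attributes before deletion. The function names and the refusal to delete under the Windows directory without an explicit switch are this example's own choices; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): list hidden entries in every
# drive root, show what autorun.inf there would run, and delete a hidden file
# the way "del /f /ah" does. Assumes Windows PowerShell 3.0+.

function Get-DriveRootHidden {
    # "dir /ah" in the root of each local (DriveType 3) or removable (2) drive.
    # Expect $Recycle.Bin, System Volume Information, pagefile.sys and the boot
    # files on the system volume; anything else hidden in a root is worth a look.
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
    foreach ($d in $drives) {
        Get-ChildItem -LiteralPath ($d.DeviceID + '\') -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
            Select-Object FullName, Attributes, Length, LastWriteTime
    }
}

function Get-AutorunInfTarget {
    # Parses the directives in <root>\autorun.inf that name something to run.
    param([Parameter(Mandatory)][string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    Get-Content -LiteralPath $inf -Force | ForEach-Object {
        if ($_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ File = $inf; Directive = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
}

function Remove-HiddenFile {
    # Clears Hidden/System/ReadOnly (attrib -h -s -r) and deletes the file.
    # Refuses to touch anything under the Windows directory unless told to,
    # since that is where a slip deletes a system file instead of a virus.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path, [switch]$AllowSystemRoot)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $AllowSystemRoot -and $item.FullName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
        throw "Refusing to delete under $env:SystemRoot without -AllowSystemRoot: $($item.FullName)"
    }
    if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear attributes and delete')) {
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $item.FullName -Force
    }
}

# Usage:
#   Get-DriveRootHidden | Format-Table -AutoSize
#   Get-AutorunInfTarget -Root 'D:\'
#   Remove-HiddenFile -Path 'D:\autorun.inf' -WhatIf   # preview
#   Remove-HiddenFile -Path 'D:\autorun.inf'           # delete
```

Run the autorun.inf parser first: the command it names is usually the copy of the virus sitting hidden in the same root, so it tells you which file the "del" step should target.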



Now restart your computer and you'll find it free from the virus. This works perfectly for most viruses and is the method followed by many virus removal tools too. Also, if you want to protect yourself from being affected by viruses, run your system as a low-privilege user. And, most important, be careful not to delete any system files while removing the virus manually. Many times you will need to check and set new permissions. There is a very useful command called "attrib". Learn about it by typing "attrib /?" in the command prompt. You'll figure out its use yourself, because you can use it to set file attributes like hidden, system, read-only, etc. Finally, there are cool programs from Sysinternals (www.sysinternals.com) to help you accelerate manual virus removal. And you can apply these processes to remove a virus from your pen drive too. Have fun removing viruses manually. It is really a fun and entertaining task for computer enthusiasts. Give it a try.