HowTo: Manually Remove a Virus from Computer
This manual is intended for those who, under no circumstances, have the time or resources to wait for or download an antivirus. The instructions include modifying the registry, which can damage your operating system. They can also be used simply to clean viruses out of memory when your antivirus can detect them but is unable to erase them because they are still active.
This manual was written for Windows XP, but the procedure in Windows Vista, 98 and Me should be similar.
Follow these instructions at your own risk.
Update 24 July 2009
Kill your XP/Vista System Restore… from my experience they create more headaches than they relieve.
Get your infected PC off the network; you don’t want to infect a perfectly healthy PC or risk reinfection by some virus (e.g. Conficker).
If you’re one of those cheap pirated-software users who doesn’t run an original OS, download the patch… or move to Linux.
If your browser is magically unable to reach AV sites or MS sites, you’re most likely infected with Conficker… the block can easily be bypassed by stopping the DNS Client service under Control Panel – Administrative Tools – Services – DNS Client.
In some cases the virus encapsulates a legitimate file (usually an executable), as Sality does. If you are infected with such a virus, it is best to use a Sality fix tool such as the one provided by Trend Micro; download the virus pattern here (lpt$vpn.xxx) and the spyware pattern here (ssapiptn.dax). Extract the fix tool and the patterns into the same folder and run fix.bat.
You’ll have to use the tools in the Sality case because Explorer, system files and even your antivirus will be incapable of removing it.
You’ll need a good process explorer. Process XP from Sysinternals has been one of my favorites for this task; you can download Process XP here. This program can be used to kill a virus that resides in active memory, which is the first thing we need to do when manually removing a virus.
The downside of this program is that it is too famous: most virus makers have taken Process XP into account when designing their virus. Most viruses nowadays have the ability to block Process XP entirely, damage its file, or close it if they detect that Process XP is active in memory.
Most viruses do this either by blocking the filename, which can easily be bypassed by renaming the file, or by actively monitoring every program’s window caption for words such as “Sysinternals” or “Process XP”. The latter renders the program useless.
To bypass the second kind of blocking, you’ll need to sidestep the Sysinternals EULA a bit, which states not to modify their program with the intention of bypassing software limitations. This is debatable, but I think modifying a program that was limited by the virus, not by Sysinternals, is excusable. You can download the modified version of Process XP here.
You will also need Autoruns that you can download here. This is another utility from Sysinternals.
Last, you’ll probably need Unlocker, a neat unlocking program by Cedrick Collomb.
Close every open program such as Word, Excel or an image viewer. This way it’s easier to pinpoint the virus when you open Process XP.
First, collapse the system tree; with few exceptions, we are only interested in processes under explorer. If the processes don’t seem to be in hierarchical order, click the Process column until they are.
Most easy-to-kill viruses are executed under explorer. Since you closed your open programs earlier, you’ll easily spot a suspect. Note that if the icon is a folder, an Office program or a picture, it is especially suspicious.
Right-click the suspicious program and Suspend it. You don’t want to kill it instantly. Hover the mouse over the suspended suspect until the file path and filename appear, and write them down. After you have written down every suspect’s file path and filename, you can safely kill them by right-clicking and choosing Kill Process Tree.
Note: some viruses back each other up by executing another copy of themselves if one is closed. This is another reason you must be sure to Suspend all suspects before you start killing them.
You’ll need to clean your registry of the entries that execute the virus. For that task use Autoruns.
With few exceptions, most viruses execute themselves by hooking into the logon process, winlogon, explorer and Internet Explorer.
The first thing to do is clean Logon. Search for the suspected filenames under Logon and Winlogon and delete them. Also look for suspects you didn’t notice earlier. Do the same for Explorer and Internet Explorer. Give special attention to Browser Helper Objects under Internet Explorer; only allow entries that you recognize.
You’ll also need to undo whatever registry restrictions the virus may have put in place.
Search and destroy. This is one reason why you’ll need Unlocker and why you need to fix your registry beforehand.
Take a look at the actual file of each virus you wrote down earlier. It might be hidden, and it might be marked as a system file, so set Explorer to show hidden and system files. Hover the mouse over the file and write down the modified date and the size of the virus. Be sure to note the file extension as well. Do this for each suspect you wrote down.
Note that if you end up with more than one virus size, for example 40KB and 59KB, you are most likely infected with more than one virus.
Search all drives on your computer, including all files and folders, for the extensions *.exe;*.scr;*.com;*.cmd;*.bat, with the size option set to at most the virus size + 1 (in kilobytes). Set the modified date option to Specify Dates with the Modified Date set to the virus’s modified date.
Delete every file that has exactly the size of the virus.
Repeat this step for each virus size in your notes.
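As an added illustration of the search step above (not part of the original post), a small Python script that walks a directory tree and flags files whose extension, exact byte size and modified date match what you wrote down; it only reports candidates, and the file names and sizes in the demo tree are constructed. It assumes you noted the exact byte size from the file’s Properties dialog rather than the rounded KB figure shown in Explorer.

```python
import os, tempfile, time
from datetime import date, datetime
from pathlib import Path

EXTENSIONS = {".exe", ".scr", ".com", ".cmd", ".bat"}  # extensions the post searches


def matches(path, suspects):
    """Return the (size_bytes, modified_date) note this file matches, else None."""
    if os.path.splitext(path)[1].lower() not in EXTENSIONS:
        return None
    st = os.stat(path)
    mdate = datetime.fromtimestamp(st.st_mtime).date()
    return next((s for s in suspects if (st.st_size, mdate) == s), None)


def find_candidates(root, suspects):
    """Walk root and list (path, note) pairs; deleting stays a manual step."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                note = matches(path, suspects)
            except OSError:
                continue  # locked or unreadable: revisit with Unlocker by hand
            if note is not None:
                hits.append((path, note))
    return hits


def build_demo_tree():
    """Constructed sample tree (zero-filled files, not malware): hits and decoys."""
    root = tempfile.mkdtemp()
    stamp = time.mktime((2009, 7, 24, 12, 0, 0, 0, 0, -1))
    layout = {
        "WINDOWS/sample.exe": (40 * 1024, stamp),
        "Docs/holiday.jpg.scr": (40 * 1024, stamp),        # picture-icon trick
        "Temp/loader.bat": (59 * 1024, stamp),             # second noted size
        "Docs/notes.txt": (40 * 1024, stamp),              # wrong extension
        "Program Files/tool.exe": (40 * 1024 + 1, stamp),  # one byte larger
        "WINDOWS/old.exe": (40 * 1024, stamp - 30 * 86400),  # wrong date
    }
    for rel, (size, mtime) in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
        os.utime(p, (mtime, mtime))
    return root


def demo():
    notes = [(40 * 1024, date(2009, 7, 24)), (59 * 1024, date(2009, 7, 24))]
    return sorted(os.path.basename(p) for p, _ in find_candidates(build_demo_tree(), notes))
```

Run it against a real drive by passing the drive root and your own notes to find_candidates and review the list before deleting anything.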
Note: Some viruses have the ability not just to hook into Explorer but also to integrate with it using a DLL file. In this case it becomes a bit more complicated, because you’ll need to detect which DLL is actually the virus and delete it manually. You can use Unlocker to delete the suspected DLL and then use Autoruns to delete its entry from Explorer. But in this case I recommend looking for an antivirus.