Jump to content


- - - - -

General Malware Removal


In general malware removal is difficult and a lot of it depends on the specific malware. Why we strongly suggest you have a professional remove the malware- in the long run they can save you a lot of time and frustration.
If you are determined to skip professional help and want to try and remove the malware yourself, here are some guidelines:

Figure out why kind of malware you have.

  • Use your favorite search provider and learn as much about the malware as you can. You may have to use someone else's computer or one at the Library.

Boot into safe mode

Microsoft has a great article describing this (http://support.microsoft.com/kb/315222):
  • Restart your computer and start pressing the F8 key on your keyboard. A boot menu should appear before Windows starts to load.
  • When the Boot menu appears again, select "Safe Mode" and press ENTER.

Find and end the malicious process in task manager

  • Open your task manager by clicking on the Start button and going to Run. Then type in: taskmgr



  • Click on the Processes Tab

  • Click on Show Processes for all users at the bottom
  • Now the fun part...guessing which process is malware:
    • If you're lucky, you can lookup the name of the offending application on the Internet.
    • In some cases virus will generate random names for themselves. In general, anything that looks like a bunch of random characters and cannot be found on the Internet is probably a virus.
    • You can also try uploading the file to http://virustotal.com and see if it's detected. To find the location of the file with taskmanager, open the Processes tab and select View->Select Columns->Command Line->Ok. There should now be a Command Line column displaying the path to the file.
    • Try to find out the name of the virus (usually the detection name is a good start) and google for as much information about it as you can find. There are usually specific removal tools for the nastier viruses, but be sure to download them from a reputable vendor otherwise you may end up with a Rouge AV fix (i.e. another virus disguised as a fix for the virus you already have).
    • Try the locked files solution found here
  • Once you locate the offending process, select it and click on End Process.

Backup your registry (just in case)

(http://windows.microsoft.com/en-US/windows7/Back-up-the-registry)
  • Open the Registry Editor by clicking the Start button, type "regedit" into the search box, and press Enter.‌ If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  • Locate and click on "My Computer"
  • Click the File menu, and then click Export.
  • In the Save in box, select the location where you want to save the backup copy to, and then type a name for the backup file in the File name box.

  • Click Save.

Stop it from starting on reboot:

  • In the registry, search for the offending file and delete any references to it. Usually the file adds entries to:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • In the registry, look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. If there are a bunch of executables under it that have "Debugger"="'svchost.exe'", then delete those keys. For example, if you see HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe with "Debugger"="'svchost.exe'" under it, delete the entire agent.exe key.

  • Now close the registry and look for other common startup locations on your disk:
    • C:\Documents and Settings\{username}\Start Menu\Programs\
    • C:\Documents and Settings\{username}\Start Menu
    • C:\Documents and Settings\All Users\Start Menu\Programs\
    • C:\Documents and Settings\All Users\Start Menu

Clean up your hosts file and proxy settings

  • If you look in your windows directory (%WINDIR%), you can find your "hosts" file in %WINDIR%\system32\drivers\etc\hosts. This file overrides your DNS, so delete any entries in there that don't make sense. For most users, you'll see an entry for localhost 127.0.0.1 and nothing else.
  • If you know you don't use a proxy, go to your browser's Tools --> Options --> Network Settings and remove the proxy if there is one.

Now find any copy of the file on your system and delete it.


  • ideapocket likes this


0 Comments