How to Remove a Virus in Windows

In my last article you learned how to stop a virus in Windows. In this article, we take a look at how to ensure that the virus is unable to start again and ultimately removed.

May 01, 2007

If you haven’t read the first part of this series, now is a good time to do that. In that article you learned how to identify and stop a virus in Windows, and what tools you need to get the job done. You can find that article here.

At this point I’m going to assume you have already stopped the viral processes.  We’re only going to deal with finding any additional parts and removing them.

Viruses can be very tricky.  They will typically create a backup of themselves and install it if you try to remove them.  You need to make sure that these backups, if they exist, are removed in order to prevent re-infection.

You may also want to consider saving a copy of the virus files (by changing their names, as you’ll learn later on) to submit to your AV company. Antivirus companies don’t have the resources to track down every new sample on their own; new viruses appear too quickly. By passing these files along to them, you can help ensure that detection signatures are created for new variants as quickly as possible.

You should also take steps to back up your system frequently.  Having a clean backup available can sometimes be easier than attempting to remove some viruses.  Some types of viruses, such as rootkits, can be extremely difficult to remove and may require formatting your hard drive.  Having a backup available can greatly reduce the amount of time required to get your system back up and running properly.

I’m sure you’re all ready to move along, so let’s learn how to rid your system of that nasty bug.

Preventing viruses at Windows startup

There are literally dozens of ways for programs to schedule themselves to start when Windows boots.  The great majority of those are contained in the Windows Registry and remain fairly obscure to the common user.

One of the easiest ways to determine what programs are loading with Windows is to use DiamondCS’s Autostart Viewer.  This robust application will list programs from over 50 different autostart locations and allow you to disable or remove each entry.

It also shows the location from which the process is starting. This allows you to verify that the process really is what you think it is.

You can take the information that you know about your rogue processes along with the information that you find in Autostart Viewer and use them to further research your infection.  Sites like Sysinfo.org offer large databases of startup applications as well as information and advice concerning their purpose and removal.

Another nice feature about Sysinfo.org is the ability to research specific CLSID numbers.  You’ll find later in this article where that can be quite useful.

Since disabling startup applications does require working in the registry, it’s a good idea to make a registry backup before continuing.  You can do this very easily with ERUNT.  ERUNT is a program that creates a backup of the NT registry found in Windows 2000, XP, 2003, and Vista. 

Once you make your backup, you’re ready to remove those entries.  Once the viral process has been removed along with its startup methods, you have effectively disabled the virus.  Now it’s time to do a little cleanup.
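As an added example (not code from the original article or from Autostart Viewer), the following PowerShell lists the entries in the four common Run/RunOnce keys, resolves each entry's executable and shows whether the file exists, which vendor it claims and whether it is signed. It covers only a handful of the locations Autostart Viewer checks, changes nothing, and Get-AutostartEntries is a name chosen here.

```powershell
# Added example, read-only: enumerate Run/RunOnce autostart entries and
# resolve where each image really lives. Assumes Windows PowerShell 5.1+.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if ($cmd -eq '') { continue }
            # Take the quoted executable, or the first token if unquoted,
            # then expand %SystemRoot%-style variables.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $company = ''; $signed = 'n/a'
            if ($exists) {
                $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
                $signed  = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [pscustomobject]@{
                Key = $keyPath; Name = $name; Command = $cmd
                Image = $exe; Exists = $exists; Company = $company; Signed = $signed
            }
        }
    }
}

# Entries whose image is missing, unsigned, or has no company name are the
# ones to cross-check against Autostart Viewer and a startup database.
Get-AutostartEntries | Sort-Object Exists, Signed | Format-Table -AutoSize
```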

Picking up the pieces

There are two main areas where you need to focus your cleanup efforts: the Windows Registry and leftover files.

We’ll begin by cleaning up those files.  You may or may not have found file variations for your virus while researching its processes.  If you did, you will save yourself a lot of work in this next step.

Simply find all of the files specified, but do not delete them at this point.  Instead, only change their names by adding another .BAK extension or the like.  We don’t want to remove them until we’re sure we have the correct files.

If you don’t have a list of possible file names, you’ll need to do a little more work. Pay attention to the file size of your viral processes and search for other files with the same size. Virus components are commonly dropped in folders such as System32.

If you find other files with matching file sizes and equally obscure names, you’ve probably found another part of your virus.  Check the file’s properties and see if there is a manufacturer listed.  Also, double check it against the links you got in the last article.  You should be able to tell whether or not the file is required by Windows or is suspect.

Once you’re sure a file is suspect, go ahead and rename it. It’s a good idea to have your original Windows CD or some other method of booting available for this step. If you inadvertently rename a needed file, you may leave your system unable to boot. If this happens, you need to boot from your CD and change the file name back.

Once you’ve renamed all of the files, and successfully rebooted (after the next step), make sure that all of your software and hardware works as intended.  If everything is stable, go back and delete those backups.
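The file triage described in this section, as an added PowerShell example (not the article's own code): it lists other System32 files with the same size as a known viral process image together with their vendor and signature status, then renames the files you have confirmed by appending .BAK, dry-run first. $SuspectSize and $Confirmed are placeholders to fill in, and the two function names are chosen here.

```powershell
# Added example (not from the original article). Given the size of a known
# viral process image, list other System32 files of that exact size with
# their vendor and signature status, then rename the ones you have
# confirmed by appending .BAK. $SuspectSize and $Confirmed are placeholders.
$SuspectSize = 123456               # bytes; placeholder, use your process's size
$Confirmed   = @()                  # full paths you have verified as suspect
$Sys32       = Join-Path $env:SystemRoot 'System32'

function Find-SameSizeFiles {
    param([long] $Size, [string] $Folder = $Sys32)
    Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $Size } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Company   = $_.VersionInfo.CompanyName   # often blank on malware
                Product   = $_.VersionInfo.ProductName
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Created   = $_.CreationTime              # a recent date is a hint
            }
        }
}

function Rename-SuspectFiles {
    param([string[]] $Paths, [switch] $Commit)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $newName = (Split-Path -Path $p -Leaf) + '.BAK'
        # Rename, never delete, so a wrong guess can be undone from a boot CD.
        Rename-Item -LiteralPath $p -NewName $newName -WhatIf:(-not $Commit)
    }
}

# 1. Review candidates of the same size as the viral process.
Find-SameSizeFiles -Size $SuspectSize | Format-Table -AutoSize
# 2. Dry-run the renames; add -Commit once every path has been checked.
Rename-SuspectFiles -Paths $Confirmed
```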

Removing traces in the Registry

Cleaning the registry can be a tedious task.  Entries can be sprawled out over many different areas that you may not expect.  To make things easier, start off with a good registry cleaner.

I suggest using TweakNow’s RegCleaner.  Aside from being freeware, this program is extremely efficient at identifying and removing extraneous entries in the registry.  If you’ve renamed all of the files in the last section, RegCleaner will be able to detect most of the entries as being invalid.

Now it’s time to do some manual labor. Open the Registry Editor by entering regedit in the Run… dialog box. You may also use any third-party registry editor if you wish.

Begin by searching for the names of your viral processes.  As you identify any entries, pay particular attention to those associated with CLSIDs and make a note of them.  CLSIDs are very long; just copy and paste them into an empty notepad document.

Delete each of the entries for your viral process until you cannot find any more.  Then go back and do the same for each entry containing your CLSID.  This should remove all remaining entries.

It’s possible that you may have still missed some entries.  Unfortunately, it’s far beyond the scope of this article to show you how to correctly identify each entry in the registry.

Suffice it to say that you have removed more than enough to render your infection completely harmless.  Once you have ended and renamed the processes, disabled their startup, and removed all extra registry entries, you’re ready to perform a reboot.

Double check to make sure that the viral processes are no longer running and that all of your software and hardware works as expected.  As long as your system is stable, you can go back and safely delete any of the files that you renamed.
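The registry search described above, as an added PowerShell example rather than the article's own procedure: it walks the main software hives for keys and values that mention your viral process names or the CLSIDs you noted, exports each affected key with reg.exe before anything is touched, and removes only the matching value (or the key itself when its name matches), in -WhatIf mode until you drop that flag. The entries in $Terms are placeholders, and Find-RegistryReferences is a name chosen here.

```powershell
# Added example (not from the original article): locate and back up registry
# entries that reference viral process names or CLSIDs, then remove them.
# $Terms holds placeholders; replace them with your own names and CLSIDs.
$Terms     = @('badproc.exe', '{00000000-0000-0000-0000-000000000000}')
$BackupDir = Join-Path $env:TEMP 'regbackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$Roots     = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet')

function Find-RegistryReferences {
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($term in $Terms) {
                # Value names and data are compared as strings; binary data is skipped.
                $values = foreach ($v in $key.GetValueNames()) {
                    if ($v -like "*$term*" -or [string]$key.GetValue($v) -like "*$term*") { $v }
                }
                $keyMatch = $key.PSChildName -like "*$term*"
                if ($keyMatch -or $values) {
                    [pscustomobject]@{ Key = $key.Name; KeyMatch = $keyMatch; Values = @($values) }
                }
            }
        }
    }
}

$hits = @(Find-RegistryReferences)
$hits | Format-Table Key, KeyMatch, @{n='Values'; e={ $_.Values -join ', ' }} -AutoSize

# Export each key before touching it (a per-key version of the ERUNT step).
$i = 0
foreach ($h in $hits) {
    $i++
    reg.exe export $h.Key (Join-Path $BackupDir "hit$i.reg") /y | Out-Null
    $path = 'Registry::' + $h.Key
    if ($h.KeyMatch) {
        Remove-Item -Path $path -Recurse -WhatIf
    } else {
        foreach ($v in $h.Values) {
            $name = if ($v) { $v } else { '(default)' }   # default value has an empty name
            Remove-ItemProperty -Path $path -Name $name -WhatIf
        }
    }
}
```

Recursing HKLM:\SOFTWARE takes a few minutes; review the hit list for legitimate entries that merely share a substring with a term before removing -WhatIf.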

And that’s all there is to it.  Get in there and get your hands dirty.  It’s not as hard as it seems once you begin learning how to recognize rogue processes.  Learn the things that run on your system normally so you know if anything is out of the ordinary and maintain regular backups in case disaster strikes.
