How to Stop a Virus in Windows

What do you do when your system is brought to a grinding halt by malware or viruses? If you’re a true power user, you rid your system of the infection and get back to work. In this article, I’m going to show you how to do just that.

There are new malware and viruses released every day.  It’s impossible for antivirus companies and security firms to stay completely up to date on these parasites.  That means that from time to time you’re likely to be infected with a new variant that isn’t recognized by your current protection scheme.

That in no way means that I don’t recommend the use of antivirus and anti-malware software.  You should protect your system with both.  While I’m not going to make any recommendations on which to choose, you can see a list of what not to use by checking out Spyware Warrior.

There are other methods of protection as well.  Many products offer protection from specific kinds of threats.  Microsoft’s RegMon (formerly by SysInternals) and DiamondCS’s RegProt will continually monitor your registry for changes.  Products like DiamondCS’s WormGuard add another layer of protection against Trojans and worms.

You may also consider the use of resident process protection.  These types of programs monitor the running processes on your machine and attempt to stop any rogue process.  DiamondCS’s ProcessGuard does a pretty effective job of this.

There are also intrusion detection systems, such as those available from Prevx, that can offer usable solutions.  Along with a layer of resident protection, they typically offer a form of network protection as well, protecting you from unauthorized network connections.  However, this should be used in conjunction with a proper firewall such as ZoneAlarm.

Finally, the most effective way to reduce or eliminate your risk of being infected with malware and viruses is to avoid visiting certain websites.  Pornography sites and sites offering software serial numbers and cracks cause the great majority of problems.  You should also avoid installing software from non-reputable companies.

Now that we’ve covered how to protect yourself, let’s learn how to determine if you’ve been infected.

Identifying when a problem exists

While many infections become noticeable right away, a good many others remain undetected because users don’t know what to look for.  There are a few basic warning signs that indicate that your computer may be infected. 

  • Frequent pop-ups and unwanted advertisements.
  • A change in your browser’s home page or search pages.
  • Poor system performance such as slow starting programs, programs that frequently hang, frequent system crashes, and slow start up and shutdown.
  • Frequent hard drive activity or frequently seeing the “hourglass” cursor while the system is idle.
  • Unusually slow Internet connection speeds.
  • Apparent network traffic while you are not actively browsing the Internet.
  • Web pages that are slow to load and then appear all at once.
  • Unknown icons or shortcuts appearing in your system tray, desktop, or start menu.
  • New buttons or toolbars appearing in your browser.
  • The inability to load specific web sites that you know exist.
  • The inability to run specific programs, specifically antivirus or anti-spyware programs.
  • Frequent unknown error messages suggesting either invalid memory access or that your system has an infection. 

While some of these indicators can have other logical explanations, experiencing two or more of these at the same time is usually a good sign of an infection.

Troubleshooting these symptoms can be a full time job.  There are a number of reasons why you may experience some of these symptoms that aren’t directly related to malware or viruses.

If you are unsure, get other opinions.  There are a number of forums on the Internet where experienced users get together and share ideas.  These are usually very productive places to get answers.  The forum on ASP Free’s sister site, Dev Hardware, is one such community.

Now that you know the warning signs, let’s take a look at how to identify and stop an infection.

Identifying rogue processes

The first step I take in identifying malware or viruses is to download and run HijackThis 2.  It has taken some heat recently over some false positives and its inability to stop some processes; however, it still remains one of the best tools available for identifying threats.

Reading a HijackThis log can be a bit intimidating.  The program’s author has written a brief tutorial that can help you get started, but it shouldn’t be a replacement for posting in a knowledgeable forum.

Once you become accustomed to reading the log, identifying rogue processes becomes extremely easy.  You’ll want to pay specific attention to the auto start and BHO (Browser Helper Objects) sections since these are common hot spots.

Most rogue processes will be randomly named.  They can typically be identified quite easily this way.  Others may try to name themselves after valid Windows files.

Once you identify a suspected file or process, a Google search will typically reveal some useful information.  For best results, be very specific in your search by searching only for the file or process name.  There are also several useful sites where you can look up processes.

Once you have identified a rogue process, the next course of action is to find and stop it.
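As an added example (my own script, not the article's or HijackThis's), the PowerShell below walks the same two hot spots the article names, the auto-start Run keys and the Browser Helper Objects registration, and flags entries whose file name looks random or whose binary carries no valid Authenticode signature. It assumes a modern Windows PowerShell session; the "random name" heuristic is an assumption of mine, so treat its flags as a prompt to look closer, not as a verdict.

```powershell
# Added example, not from the article: list the auto-start (Run) and BHO
# entries HijackThis reports on and flag the ones that deserve a closer look.
# Assumes a modern Windows PowerShell session; run elevated to read every hive.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a Run value such as '"C:\dir\app.exe" /silent'.
function Get-ExePath([string]$Command) {
  $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
  return [Environment]::ExpandEnvironmentVariables($exe)
}

# The article's two tells: random-looking names, and files Windows cannot vouch
# for. A name with almost no vowels or a long digit run is flagged (assumed
# heuristic), as is any binary without a valid Authenticode signature; legitimate
# unsigned software will show up too, so the flag means "look closer".
function Test-Suspicious([string]$Path, [string]$Source) {
  $name = [IO.Path]::GetFileNameWithoutExtension($Path)
  $vowels = [regex]::Matches($name, '[aeiouAEIOU]').Count
  $random = ($name.Length -ge 6 -and $vowels -le 1) -or ($name -match '\d{3,}')
  $sig = if ($Path -and (Test-Path -LiteralPath $Path)) { (Get-AuthenticodeSignature -LiteralPath $Path).Status } else { 'MissingFile' }
  [pscustomobject]@{ Source = $Source; Path = $Path; RandomName = $random; Signature = $sig }
}

foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
    if ($p.Name -in $metaProps) { continue }      # skip the registry provider's own metadata
    Test-Suspicious (Get-ExePath "$($p.Value)") "$key\$($p.Name)"
  }
}

foreach ($key in $bhoKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($clsid in (Get-ChildItem $key).PSChildName) {
    # A BHO entry is only a CLSID; the DLL path lives in the class registration.
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
              "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32" |
              Where-Object { Test-Path $_ } | Select-Object -First 1
    $dll = if ($server) { (Get-ItemProperty $server).'(default)' } else { 'UNREGISTERED' }
    Test-Suspicious (Get-ExePath "$dll") "BHO $clsid"
  }
}
```

Each flagged Path is a candidate for the file-name search the article recommends; a Signature of Valid from a well-known publisher usually settles the question without one.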

Stopping malware and viruses

Processes are typically started in one of three ways: as a standalone process, as a system service, or as a child process for another program such as Internet Explorer.  Learning to differentiate between the three can greatly aid you in trying to stop them.

Standalone processes are perhaps the most common, so we’ll start there.  You can open Windows Task Manager by pressing Ctrl + Alt + Del and use it to stop many running processes.  Task Manager will show you most of the processes running on your computer and tell you which user owns them.

Its view can be deceptive, since it shows neither every process nor how a process was started, so it’s a good idea to use a third-party process viewer instead.  Combined with the fact that Task Manager isn’t very efficient at ending processes, that only adds to the need for an alternative.

By far the best process viewer available today is Microsoft (formerly SysInternals) Process Explorer.  Amazingly enough it’s also freeware!

Process Explorer will give you a detailed look at the processes running on your system.  It also allows you to end them.  Its detailed process view allows you to quickly identify a process as well as its parent process.  This can be useful information for determining how a process starts.

As an example, let’s assume a process is listed as a child process of Winlogon.exe.  This is a necessary program required for Windows start up, but its child processes are always spawned from a specific place in the Registry.

From time to time you will run into a process that you cannot end.  This is because the process belongs to another that is critical to system functionality.  Microsoft prevents those processes from being ended.

Enter Unlocker by Cedrick Collomb.  If you’ve ever come across a process you couldn’t end or a file that you couldn’t delete because of the infamous in-use message, Unlocker is the tool you’ve been missing.

Why does this work?  It works because Unlocker does not attempt to kill the parent process.  Instead, it focuses on the specific handle that is locking your file.  This explanation is far beyond the scope of this article, so for now just trust me that it works.

The second method of starting a process is as a system service.  These are hidden from Task Manager.  However, they can be controlled by the Services snap-in for the Microsoft Management Console.

Just choose Run… from the Start menu and enter services.msc to open it.  You can browse the list of installed services and start and stop them from their respective Properties dialog boxes.  Setting a service’s startup type to Manual will prevent it from loading automatically the next time Windows starts.

The last method of starting processes is typical of unwanted BHOs in Internet Explorer.  Make sure that all Internet Explorer and Windows Explorer windows are closed; HijackThis can then typically remove them.  Occasionally you may stumble upon one that can’t be removed, but having Unlocker installed at the time will ensure the job is done.
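The three stop paths described in this section, written up as PowerShell functions. This is an added example of my own, not the article's procedure or any tool's code: it assumes a modern Windows PowerShell session run as administrator, and the process name, service name and BHO CLSID are placeholders you supply from your own identification step.

```powershell
# Added example, not from the article: the three ways the text stops an
# infection, as functions. Assumes a modern Windows PowerShell session run as
# administrator; process, service and CLSID names are yours to supply.

# Method 1: a standalone or child process. Print the parent chain first, which
# is the Process Explorer view the article uses to see how a process started.
function Show-ParentChain([int]$ProcessId) {
  $seen = @{}
  $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
  while ($p -and -not $seen.ContainsKey($p.ProcessId)) {
    $seen[$p.ProcessId] = $true                  # PIDs get reused; avoid looping forever
    '{0,6}  {1}' -f $p.ProcessId, $p.Name
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
  }
}
function Stop-RogueProcess([string]$Name) {        # name without .exe, e.g. 'notepad'
  foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
    Show-ParentChain $proc.Id
    Stop-Process -Id $proc.Id -Force -ErrorAction Continue   # protected processes still refuse
  }
}

# Method 2: a system service (what services.msc manages). Stop it and set
# Manual start, as the article advises, so it does not load on the next boot.
function Disable-RogueService([string]$Name) {
  $svc = Get-Service -Name $Name -ErrorAction Stop
  $path = (Get-CimInstance Win32_Service -Filter "Name = '$Name'").PathName
  "Service $($svc.Name) runs: $path"
  Set-Service -Name $Name -StartupType Manual
  if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
}

# Method 3: a Browser Helper Object. The DLL stays loaded while Internet
# Explorer runs, so refuse to proceed until it is closed, then remove the
# registration that makes IE load it (both the 64-bit and WOW64 views).
function Remove-Bho([string]$Clsid) {
  if (Get-Process iexplore -ErrorAction SilentlyContinue) { throw 'Close all Internet Explorer windows first.' }
  $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
  foreach ($root in $roots) {
    $key = Join-Path $root $Clsid
    if (Test-Path $key) { Remove-Item $key -Recurse; "removed $key" }
  }
}
```

Removing the BHO registration only stops Internet Explorer from loading the DLL; the file itself is still on disk, which is where Unlocker comes in if the delete is refused.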

Now that you’ve learned how to stop malware or a virus, stay tuned for the next article to learn how to make sure it doesn’t start up again the next time you reboot.  Until next time…

2 thoughts on “How to Stop a Virus in Windows”

  1. With an influx of new viruses and new variants on old ones, anti-virus makers are struggling to keep virus detection signatures up to date. Learn what to do when your AV software doesn’t cut it.

  2. Computer viruses are among the oldest and most dreaded computer security threats. They are a measure of how vulnerable any computer system is to modern security threats. If you know how viruses work, and how computer viruses spread, you can easily make sure that they do not infect your computers and create problems for you.
