Self Troubleshooting – Manual steps to kick out any virus
After replying to so many people here, I feel that people should learn how to remove viruses themselves.
I don’t get time to come on the net and reply to all.
So, here I’m posting my way of fixing viruses.
This is meant to be “one solution for all viruses”.
By viruses I mean ordinary malware, not the complicated ones.
This solution is not for ‘all’ viruses.
Many viruses infect something in particular, say all exe files; these steps are in no way related to such viruses.
DOWNLOADS
You need some tools
-Process Explorer from here
-Autoruns from here
-Heal Antivirus from here
STEPS
Heal_AntiVirus
Run Heal_Antivirus.
If it keeps reporting corrupt registry entries for more than a minute or so, exit it.
Task Manager
Check if Task Manager is working.
Goto: Processes tab
Goto: View > Select Columns > check ‘PID (Process Identifier)’ & ‘Thread Count’ > OK
Look for
-Unknown processes
-Processes having Thread Count = 1
-Processes running under User Name = your login name (i.e. other than SYSTEM, LOCAL SERVICE, NETWORK SERVICE)
Right click on the process and select ‘End Process Tree’
ProcessXP
Look for
-Unknown processes
-Processes in ‘Pink Color’ especially
-Child processes of Explorer.exe
Right click and ‘Kill Process Tree’ such processes
ProcessXP can kill processes that cannot be killed from Task Manager 🙂
#Trusted important processes
#Do not kill these processes
#All of them run under SYSTEM, LOCAL SERVICE, NETWORK SERVICE only
alg.exe
csrss.exe
lsass.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe (many)
winlogon.exe
<your antivirus software>
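As an added example (not part of the original post, and not one of the tools it links), here is a PowerShell script that applies the same Task Manager and ProcessXP criteria listed above, together with the trusted-process list just given, to the running process table and prints the ones worth a look. It only reports; ending a process is still done by hand in Task Manager or ProcessXP as the post describes. It assumes PowerShell 2.0 (available on XP SP3) run from an administrator account; the variable names and the exact flagging rules are my own.

```powershell
# Added example: report processes that match the post's triage criteria.
# Report-only. Assumes PowerShell 2.0+ and an administrator account (assumption).

# The post's trusted list: these names are normal only under the three service accounts.
$trusted = @('alg.exe', 'csrss.exe', 'lsass.exe', 'services.exe',
             'smss.exe', 'spoolsv.exe', 'svchost.exe', 'winlogon.exe')
$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
$me = [Environment]::UserName

# One WMI query; a PID -> name map lets the parent check run without a second query.
$procs = Get-WmiObject Win32_Process
$nameByPid = @{}
foreach ($p in $procs) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$report = foreach ($p in $procs) {
    $owner = '<unavailable>'
    $o = $p.GetOwner()                       # ReturnValue 0 means the owner was readable
    if ($o.ReturnValue -eq 0) { $owner = $o.User }

    $reasons = @()
    if ($p.ThreadCount -eq 1) { $reasons += 'thread count 1' }
    if ($owner -eq $me -and ($trusted -contains $p.Name)) {
        $reasons += 'system-process name running under your login'
    }
    if (($serviceAccounts -notcontains $owner) -and
        ($nameByPid[[int]$p.ParentProcessId] -eq 'explorer.exe')) {
        $reasons += 'child of explorer.exe'
    }
    if ($p.ExecutablePath) {
        # Same idea as Autoruns' "Verify Code Signatures", applied to the running image.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        if ($p.Name -eq 'explorer.exe' -and $p.ExecutablePath -like '*\system32\*') {
            $reasons += 'explorer.exe running from system32'
        }
    }
    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            PID     = $p.ProcessId
            Name    = $p.Name
            Owner   = $owner
            Threads = $p.ThreadCount
            Path    = $p.ExecutablePath
            Reasons = ($reasons -join '; ')
        }
    }
}

# Most reasons first. On XP many legitimate programs are unsigned, so read the
# Path column before deciding anything.
$report | Sort-Object @{Expression = { ($_.Reasons -split ';').Count }; Descending = $true} |
    Format-Table PID, Name, Owner, Threads, Reasons, Path -AutoSize -Wrap
```

Every program you start from the desktop is a child of explorer.exe, so that reason on its own means nothing; it is the combination (single thread, your login name, unknown path, no valid signature) that the post is asking you to spot.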
Autoruns
Goto: ‘Logon’ tab
Goto: ‘Options’ > tick ‘Verify Code Signatures’
Press F5 to refresh
Look for
-‘Not verified’ items
-Suspected items
-Items showing a folder icon
Remove unwanted items by unchecking the checkbox
#Trusted entries
#Do not remove any of these, or else you will be in trouble
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Entry=C:\WINDOWS\system32\userinit.exe,
Image path=c:\windows\system32\userinit.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Entry=Explorer.exe
Image path=c:\windows\explorer.exe
#In most cases some other terms are appended to these two values; just remove the extra terms by unchecking their checkbox
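The two Winlogon values above are the ones the post says must stay exactly as listed, and the EXTRA section further down adds that no Explorer.exe belongs in system32. As an added example (my own code, not from the post or from Autoruns), this PowerShell script reads those values, compares them with the expected ones, prints any appended terms separately, and checks for the stray Explorer.exe. It only reports; removing the extra terms is still done in Autoruns as described. It assumes PowerShell 2.0 (XP SP3) and that %SystemRoot% is the Windows folder; the function name is mine.

```powershell
# Added example: check the two Winlogon values the post says must stay clean.
# Report-only; clean up with Autoruns as the post describes. Assumes PowerShell 2.0+.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    # The trailing comma after userinit.exe is normal and must stay.
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'Explorer.exe'
}

function Test-WinlogonEntries {
    $values = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $actual = [string]$values.$name
        if ($actual -eq $expected[$name]) {      # -eq is case-insensitive in PowerShell
            "OK    $name = $actual"
            continue
        }
        # Appended terms are separated from the real value by a comma or whitespace.
        $want  = $expected[$name].TrimEnd(',')
        $extra = @($actual -split '[,\s]+' | Where-Object { $_ -and ($_ -ne $want) })
        "WARN  $name = $actual"
        "      expected : $($expected[$name])"
        "      extra    : $($extra -join ' | ')"
    }
    # From the EXTRA section: a second explorer.exe inside system32 is a red flag.
    $rogue = Join-Path $env:SystemRoot 'system32\explorer.exe'
    if (Test-Path -LiteralPath $rogue) { "WARN  unexpected file: $rogue" }
    else                               { "OK    no explorer.exe in system32" }
}

Test-WinlogonEntries
```

An appended path that contains spaces will show up split into fragments in the “extra” line; the full raw value is printed on the WARN line above it, so nothing is lost.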
Heal_AntiVirus
Run Heal_Antivirus again.
If it keeps reporting corrupt registry entries for more than a minute or so, it means you are still infected.
It can be used to find out whether your computer is infected by some virus or not.
No reporting of corrupt registry entries doesn’t guarantee the absence of viruses.
EXTRA
When you use ProcessXP, if ‘Interrupts’ and ‘DPCs’ are eating up your CPU resources, then you had better reinstall Windows XP.
There should be no ‘Explorer.exe’ in the c:\windows\system32 folder.
If these steps don’t work, you may also want to End Task ‘Explorer.exe’, as some viruses inject a DLL into Explorer.
Sometimes there are registry changes that prevent you from logging in to your account; in that case you have to go for an unconventional offline registry change, i.e. without booting into your Windows. (link – yet to be posted).
PLEASE REPLY
If these steps have helped you remove some virus, then please leave a reply here.
Include the name of the virus and its properties too.
It will help someone else.
28 January, 2009 at 4:02 pm
With these self-troubleshooting steps I thought I could kill any/all viruses on any computer. But of late, when my cousin told me about his PC being attacked by a virus, these steps didn’t work; I travelled all the way across the city to be disappointed.
The virus came in through a CD, wasn’t detected by some basic antivirus (without update), no internet connection present, some other antivirus detected it as win32/heur, Heal Antivirus is not allowed to run after infection.
No processes suspected other than wowexec, remind, jqs.
Task Manager, regedit disabled,
msconfig working,
hidden folders become hidden again even after unhiding them.
Please help solve this challenge!!
Or should I format??
jafferipatel@yahoo.com
7 February, 2009 at 7:10 pm
I have the win32/sality.nao virus. I tried all kinds of antivirus like ESET, Avira etc. but no use; all my exe files are getting damaged. Please give the instructions to remove it completely.
20 February, 2009 at 10:51 am
Thank you Piyush for the useful post and software… I am going to check Heal Antivirus; the rest I already used…
7 March, 2009 at 9:50 am
spoolsv.exe process uses 99% CPU?
Can you send me a removal tool for the spoolsv process,
or any solution?
7 March, 2009 at 3:32 pm
Great work, keep it up
7 March, 2009 at 3:42 pm
Delete autorun.inf (causing problems every time)
Run > cmd > i: (type the drive letter your pen drive shows, e.g. in my case it’s i)
Now you have entered your pen drive; after that type
attrib -s -h -r -a autorun.inf then hit Enter
Now type
del autorun.inf
Problem solved
I hope it helped you
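The reply above clears the system/hidden/read-only attributes on autorun.inf and deletes it from one pen drive by hand. As an added example (my own code, not Abhi’s or the post’s), here is a PowerShell function that does the inspection part for every removable drive and CD at once: it shows the attributes the file carries and the open/shellexecute lines that say what Windows would launch, and only deletes when you explicitly pass -Remove. It assumes PowerShell 2.0 (XP SP3); the function name is mine.

```powershell
# Added example: the same inspection Abhi's reply does in cmd, for every removable
# drive and CD at once. Reports by default; deletes only with -Remove.
# Assumes PowerShell 2.0+ (assumption; the function name is mine).

function Get-AutorunInfReport {
    param([switch]$Remove)

    # Win32_LogicalDisk DriveType: 2 = removable (pen drive), 5 = CD-ROM
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 5'
    foreach ($d in $drives) {
        $file = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $file)) {
            "$($d.DeviceID) : no autorun.inf"
            continue
        }
        # -Force lets Get-Item see a file marked hidden/system (the +s +h that
        # 'attrib -s -h' clears in the reply above).
        $item = Get-Item -LiteralPath $file -Force
        "$file : attributes = $($item.Attributes)"

        # The lines that decide what Windows would launch on insertion.
        Get-Content -LiteralPath $file -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
            ForEach-Object { "    launch line: $($_.Trim())" }

        if ($Remove) {
            if ($d.DriveType -eq 5) { "    read-only media, cannot remove"; continue }
            # 'attrib -s -h -r -a' followed by 'del', as in the reply above
            $item.Attributes = 'Normal'
            Remove-Item -LiteralPath $file -Force
            "    removed"
        }
    }
}

Get-AutorunInfReport            # inspect first
# Get-AutorunInfReport -Remove  # then clean, once you know what is on each drive
```

Look at the launch line before deleting: the file it points to (often hidden on the same drive) is the actual malware, and autorun.inf is only what starts it, so it needs the same attrib/del treatment.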
20 April, 2009 at 2:07 pm
Goodbye hinhem.scr forever haha
THANKS A LOT !!!
23 April, 2009 at 5:07 am
Idiot Thank you so much.
4 June, 2009 at 5:53 pm
Hi… Piyush
My computer has a virus “USB cillin v0.1” (coded by Rajat; his website http://www.rajat.com.np). It is not shown in “Add & Remove” programs. Please let me know how I can remove “USB cillin” so that it can be wiped out of my computer. Further I would like to let you know that this “USB cillin” cannot be removed with my existing anti-virus program.
Please help me to remove the above stated virus.
14 July, 2009 at 10:25 pm
Rajesh,
use Autoruns from sysinternals.com
and remove the program from startups;
if it is running, ‘Kill Task’ using ProcessXP from sysinternals.com
3 July, 2009 at 10:28 pm
Thanks Piyush. Your post helped me remove the “regsvr.exe” error that I was getting when I used to start my computer.
@ Abhi
Thanks Abhi, your post on removing the autorun.inf file also helped.
Thanks guys.
3 September, 2009 at 3:49 pm
Hello, thanks for all your advice.
Also need advice for my problem:
1) If the hard disk is given a new partition and low-level formatting, is there still a chance to recover?
2) Which software do you recommend? “the best software”
Thank you, once again.
24 September, 2009 at 5:27 pm
Kaspersky can easily heal any win32/sality infection;
for data recovery, I would recommend R-Studio
30 September, 2009 at 2:20 pm
Dear Piyush,
I am facing a peculiar problem: when I try to send an attachment mail via my POP client, the SMTP will time out. I can receive emails without any hassles. I can sometimes send non-attachment mails though. I tried the same POP and SMTP settings on a different computer and it works fine. I can also access the inbox via web, and can view the files, but when I try to attach a file, it will time out. Please help.
9 October, 2009 at 7:46 am
Hey.. is it true Kaspersky can easily remove/heal any of the “win32/Sality” viruses??? Like NAO, AA, SAo etc.
Because I tried so many antiviruses like Smart ESET, Avira, Yahoo Anti-Spyware, Norton 2009 and even Avast 2009. Still going around and spreading and spreading.
What tool/s do you recommend for me?
I’m scared of manual self troubleshooting.. LOL!
Please email me @ ampao009@yahoo.com for your reply or just reply to me here.. I really need to kill this bastard win32/sality.NAO virus hanging around my PC… 😦
13 October, 2009 at 5:31 pm
Hello Piyush,
I’ve been visiting lots of sites over the net that claim to provide solutions for viruses/infections….
but there are only a few through which users benefit;
let me tell you, your PIYUSH LABS will be one of the top sites……
I appreciate your efforts and am inspired by you sir!
I’d recommend your site to all of my friends……
You’ve been doing a great job sir,
6 September, 2010 at 1:33 pm
Informative stuff, thanks