Self Troubleshooting – Manual steps to kick out any virus

After replying to so many people here, I feel that people should learn how to remove viruses themselves.
I don't get time to come online and reply to everyone.
So here I'm posting my way of fixing viruses.
This is meant to be "one solution for all viruses".
By viruses I mean ordinary malware, not the complicated ones.
This solution is not for 'all' viruses.
Many viruses infect particular files, say every EXE file; these steps have nothing to do with such file infectors.

DOWNLOADS
You need some tools:
-Process Explorer (Sysinternals) from here
-Autoruns (Sysinternals) from here
-Heal Antivirus from here

STEPS
Heal_AntiVirus
Run Heal_Antivirus.
If it keeps reporting corrupt registry entries, say for more than one minute, exit it.

Task Manager
Check whether Task Manager is working (many viruses disable it).
Go to: Processes tab
Go to: View > Select Columns > check 'PID' and 'Thread Count' > OK
Look for
-Unknown processes
-Processes with Thread Count = '1'
-Processes running under User Name = 'your login name' (i.e. anything other than SYSTEM, LOCAL SERVICE, NETWORK SERVICE)
Right-click on such a process and select 'End Process Tree'

ProcessXP (Process Explorer)
Look for
-Unknown processes
-Processes shown in 'pink' especially
-Child processes of Explorer.exe
Right-click such processes and 'Kill Process Tree'
Process Explorer can end processes that cannot be killed from Task Manager 🙂

#Trusted important processes
#Do not kill these processes
#All of them run under SYSTEM, LOCAL SERVICE or NETWORK SERVICE only; a copy running under your own user name is not the real one
alg.exe
csrss.exe
lsass.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe (many instances)
winlogon.exe
<your antivirus software>
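Added example (written for this edit, not part of the original post): a PowerShell script that performs the Task Manager and Process Explorer checks above in one pass and prints a report without killing anything. It goes slightly beyond the post by also verifying each running image's Authenticode signature, the same check the post applies to Autoruns entries. It assumes Windows PowerShell 5.1 or later and an elevated prompt so the owner of every process can be read; the trusted-name list is the one from this post.

```powershell
# Added example, not from the original post. Report only: nothing is terminated.
# Assumes PowerShell 5.1+ and an elevated prompt (GetOwner needs it for other users' processes).
$trustedSystem  = 'alg','csrss','lsass','services','smss','spoolsv','svchost','winlogon'
$systemAccounts = 'NT AUTHORITY\SYSTEM','NT AUTHORITY\LOCAL SERVICE','NT AUTHORITY\NETWORK SERVICE'
$windir         = $env:SystemRoot
$explorerPids   = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object Id)

$findings = foreach ($p in Get-CimInstance Win32_Process) {
    $o     = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $owner = if ($o.User) { "$($o.Domain)\$($o.User)" } else { '(kernel/unknown)' }
    $base  = [IO.Path]::GetFileNameWithoutExtension($p.Name).ToLower()
    $reasons = @()

    # A core Windows process name owned by a normal user account is an impostor (post's rule).
    if ($trustedSystem -contains $base -and $systemAccounts -notcontains $owner) {
        $reasons += "core name owned by $owner"
    }
    # A core name whose image lives outside %SystemRoot% (e.g. svchost.exe in a user folder).
    if ($trustedSystem -contains $base -and $p.ExecutablePath -and
        -not $p.ExecutablePath.StartsWith($windir, 'OrdinalIgnoreCase')) {
        $reasons += "core name outside $windir"
    }
    # The post's heuristics: single-threaded, spawned by explorer.exe, running as the user.
    if ($p.ThreadCount -eq 1)                          { $reasons += 'single thread' }
    if ($explorerPids -contains $p.ParentProcessId)    { $reasons += 'child of explorer.exe' }
    # Extra check: unsigned or tampered image file (what Autoruns' Verify Code Signatures does).
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    if ($reasons) {
        [pscustomobject]@{
            PID   = $p.ProcessId
            Name  = $p.Name
            Owner = $owner
            Path  = $p.ExecutablePath
            Why   = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Expect some legitimate single-threaded or unsigned third-party processes in the list; the report is a starting point for the manual look the post describes, not a verdict.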

Autoruns
Go to: 'Logon' tab
Go to: 'Options' > tick 'Verify Code Signatures'
Press F5 to refresh
Look for
-'Not verified' items
-Suspicious items
-Items with a folder icon
Remove unwanted items by unchecking their checkbox

#Trusted entries
#Do not remove any of these, or else you will be in trouble (you will not be able to log in)
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Entry=C:\WINDOWS\system32\userinit.exe,
Image path=c:\windows\system32\userinit.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Entry=Explorer.exe
Image path=c:\windows\explorer.exe
#In most cases the virus appends extra terms to these values; remove only the extra entries by unchecking their checkbox, never the originals

Heal_AntiVirus
Run Heal_Antivirus again.
If it keeps reporting corrupt registry entries, say for more than one minute, you are still infected.
It can be used to find out whether your computer is infected by some virus or not.
No reports of corrupt registry entries does not guarantee the absence of viruses.

EXTRA
When you use Process Explorer, if 'Interrupts' and 'DPCs' are eating up your CPU,
you are better off reinstalling Windows XP.
There should be no 'Explorer.exe' in the c:\windows\system32 folder; the real one lives in c:\windows.
If these steps don't work, you may also want to End Task 'Explorer.exe', as some viruses inject a DLL into Explorer.
Sometimes there are registry changes that prevent you from logging in to your account; in that case you have to go for an unconventional offline registry change, i.e. without booting into your Windows (link yet to be posted).
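Added example (written for this edit, not part of the original post) covering the Autoruns section and the EXTRA section together: a PowerShell script that checks the two Winlogon values the post says must stay intact, looks for a stray explorer.exe in system32, and verifies the code signature of every HKLM/HKCU Run entry, which is what Autoruns' 'Verify Code Signatures' option does for those keys. It assumes Windows PowerShell 5.1 or later and only reports; it removes nothing.

```powershell
# Added example, not from the original post. Report only; the operator decides what to remove.
$sys32  = Join-Path $env:SystemRoot 'system32'
$wl     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$report = [ordered]@{}

# Userinit is a comma-separated list; only system32\userinit.exe belongs there.
$userinit = @(($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$report['Winlogon\Userinit'] =
    if ($userinit.Count -eq 1 -and $userinit[0] -ieq (Join-Path $sys32 'userinit.exe')) { 'OK' }
    else { "SUSPECT (extra entries) -> $($wl.Userinit)" }

# Shell must be explorer.exe alone; anything appended starts with the desktop.
$shell = @(($wl.Shell -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$report['Winlogon\Shell'] =
    if ($shell.Count -eq 1 -and $shell[0] -ieq 'explorer.exe') { 'OK' }
    else { "SUSPECT (extra entries) -> $($wl.Shell)" }

# The real explorer.exe lives in %SystemRoot%, never in system32 (post's EXTRA section).
$report['explorer.exe in system32'] =
    if (Test-Path (Join-Path $sys32 'explorer.exe')) { 'SUSPECT (file should not exist)' } else { 'OK' }

# Run keys: resolve each command line to its executable and verify its Authenticode signature.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    # Get-ItemProperty adds PSPath, PSDrive etc.; skip those provider properties.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
        # Quoted path if present, else the first token (unquoted paths with spaces will be cut short).
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $status = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status }
                  else { 'FileMissing' }
        $report["$key\$name"] = if ($status -eq 'Valid') { "OK ($exe)" } else { "NOT VERIFIED: $status ($exe)" }
    }
}
$report.GetEnumerator() | Format-Table -AutoSize -Wrap
```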

PLEASE REPLY
If these steps have helped you remove some virus, please leave a reply here.
Include the name of the virus and its properties as well.
It will help someone else.

57 Responses to “Self Troubleshooting – Manual steps to kick out any virus”

  1. jaffer Says:

    With these self troubleshooting steps I thought I could kill any/all viruses on any computer. But of late, when my cousin told me about his PC being attacked by a virus, these steps didn't work; I travelled all the way across the city to be disappointed.

    The virus came in through a CD, wasn't detected by some basic antivirus (without updates), internet connection not present, some other antivirus detected it as win32/heur, heal antivirus is not allowed to run after infection.
    No processes suspected other than wowexec, remind, jqs.
    taskmgr, regedit disabled,
    msconfig working,
    hidden folders become hidden again even after unhiding them.

    please help solve this challenge!!

    or should I format??

    jafferipatel@yahoo.com

  2. hyndavi Says:

    I have the win32/sality.nao virus. I tried all kinds of antivirus like ESET, Avira etc. but no use; all my exe files are getting damaged. Please give the instructions to remove it completely.

  3. Santhosh Says:

    Thank you Piyush for the useful post and software... I am going to check heal antivirus; the rest I already used...

  4. panky Says:

    spoolsv.exe process uses 99% CPU?
    Can you send me a removal tool for the spoolsv process
    or any solution?

  5. abhi Says:

    Great work, keep it up.

  6. abhi Says:

    Delete autorun.inf (causing problems every time).

    Run > cmd > i: (type the drive letter which your pen drive shows; e.g. in my case it's i)
    Now you have entered your pen drive; after that type
    attrib -s -h -r -a autorun.inf then hit enter
    Now type
    del autorun.inf
    Problem solved.
    I hope it helped you.

  7. khay Says:

    goodbye hinhem.scr 4Ever haha
    THANKS A LOT !!!

  8. Valentine Aaqil Mahmood Says:

    Idiot Thank you so much.

  9. Rajesh Maheshwari Says:

    hi…Piyush

    My computer has a virus "USB cillin v0.1" (coded by: Rajat, his website http://www.rajat.com.np). It is not shown in "Add & Remove Programs". Please let me know how I can remove "USB cillin" so that it can be cleared out of my computer. Further, I would like to let you know that this "USB cillin" cannot be removed with my existing anti-virus programme.

    Please help me to remove the above stated virus.

    • piyushlabs Says:

      Rajesh,
      use Autoruns from sysinternals.com
      and remove the program from startup.
      If it is running, 'Kill Task' using ProcessXP from sysinternals.com

  10. Vikash Says:

    Thanks Piyush. Your post helped me remove the "regsvr.exe" error that I was getting whenever I started my computer.

    @ Abhi
    Thanks Abhi, your post on removing the autorun.inf file also helped.

    Thanks guys.

  11. kamar Says:

    Hello, thanks for your advice.

    Also need advice for my problem:
    1) If the hard disk has been given a new partition and low level formatting, is there still a chance to recover?

    2) Which software do you recommend? "the best software"

    Thank you once again.

  12. dkposeidon Says:

    Kaspersky can easily heal any win32/sality infection;
    for data recovery, I would recommend R-Studio.

  13. SK SABOO Says:

    dear piyush,

    I am facing a peculiar problem: when I try to send a mail with an attachment via my POP client, the SMTP will time out. I can receive emails without any hassles. I can sometimes send non-attachment mails though. I tried the same POP and SMTP settings on a different computer and it works fine. I can also access the inbox via web and can view the files, but when I try to attach a file, it will time out. Please help.

  14. POLO (PHILIPPINES) Says:

    Hey.. is it true Kaspersky can easily remove/heal any of the "win32/Sality" viruses??? Like NAO, AA, SAo etc.
    Because I tried so many anti virus like ESET Smart, Avira, Yahoo anti spyware, Norton 2009 and even Avast 2009. It still goes around and spreads and spreads.

    What tool/s do you recommend for me?

    I'm scared of manual self troubleshooting.. LOL!

    Please email me at ampao009@yahoo.com with your reply or just reply to me here.. I really need to kill this bastard win32/sality.NAO virus hanging around my PC... 😦

  15. K@R@/!/ Says:

    Hello Piyush,
    I've been visiting lots of sites over the net that claim to provide solutions for virus infections....
    but there are only a few through which users benefit.
    Let me tell you, your PIYUSH LABS will be one of the top sites......
    I appreciate your efforts and am inspired by you sir!
    I'd recommend your site to all of my friends......
    You've been doing a great job sir,

  16. Jenny Carson Says:

    informative stuff, thanks
