
Monday, March 16, 2009

How to remove a virus or malware

In an earlier post I described how to take precautions against viruses. But if your computer is already infected, those precautions are of no use. Most viruses keep a process running in memory, which means that if you delete the file from disk, the running copy simply writes itself back. To add to your pain, such malware can also disable Task Manager1, which makes it more difficult to remove the process2 from memory.

There are two ways in which such viruses can be removed:-
  1. These viruses can be removed automatically by antivirus software (provided the software has a definition for the malware present on your system). There is plenty of good antivirus software3 on the market; some of it costs money for protection, but some won't cost a penny.

    Some of the most popular ones are:-

    I have been using Avast antivirus since I had my own PC and, touch wood, not a single virus has infected my computer. So, I would recommend Avast Home Edition, as it is free of cost.
  2. You can also remove memory-resident viruses manually, but you need some experience with Windows so that you don't accidentally delete a system file. This method is only possible if the malware has not done serious damage to the computer or made it unusable. The tools required for this method are:-
    • Sysinternals Process Explorer (This may not be required if Task Manager is not disabled, but Process Explorer is the better and more advanced tool.)
    • Sysinternals Autostart Program Viewer (Without this you would have to edit the registry manually, which may be tricky for beginners.)
    • An active internet connection (Experienced users may not need this.)

    Now, first you have to find the name of the process or executable (the virus) that is running in the background. For this, start Process Explorer. You will see a list of the processes running in memory. This is a trial-and-error method, so look for any process that seems suspicious to you, then go to www.processlibrary.com and search for the process name (you can also search Google). If you see "Oooops... Process Not Found", it is very likely a virus, but for confirmation you should search Google for that process name.
    If Process Library does return a result, it gives detailed information about the process, and there are then two possibilities:-
    1. The result lists both a genuine Windows process and potential virus suspects with that name. Most malware creates a copy of itself in the system folders, and in doing so it may overwrite the legitimate executable of the same name. In that case the system may be very unstable and/or unusable, and you have little chance of recovering it. You can try to repair the operating system using the recovery disc, or you can try System Restore.
    2. The result classifies it only as a virus. Confirm this with Google.

    Once you have identified the virus or malware by this trial-and-error method, you have to stop that process immediately, before it does any more harm. To terminate it, right-click the process name and select "Kill Process". You have to remove every memory-resident piece of the malware this way, otherwise it can make a copy of itself again. But before killing the process, note down its path, i.e. the folder where the executable is stored. After terminating the process, go to that folder and remove those executables (delete them permanently; don't send them to the Recycle Bin). Finally, start Autostart Program Viewer, and after the scan is complete, search for the suspicious process name you just deleted. Again note down the directories or paths where that name is mentioned. Delete those entries by right-clicking and selecting Delete, then go to each path you noted and delete any occurrence of the suspicious file.

After these steps, reboot the system and check whether the same processes are relaunched; if so, you will have to repeat the whole procedure. To make this a lot easier, make sure the virus is not in memory before you remove the autorun entries, i.e. that the suspicious process is not running in the background (recheck Process Explorer before deleting the Autoruns entry), because if the virus is still in memory it can re-create the autorun entry as soon as you delete it.

This method may look hectic, but it works when all anti-virus software fails; some malware is even capable of disabling the anti-virus software. Even if you remove the virus manually, I still recommend that you do a boot-time scan using your favourite anti-virus afterwards.


References:
  1. Task Manager - Windows Task Manager is a task manager application included with the Microsoft Windows NT family of operating systems that provides detailed information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users, and system services. Source: http://en.wikipedia.org/wiki/Windows_Task_Manager
  2. Process - In computing, a process is an instance of a computer program that is being sequentially executed by a computer system that has the ability to run several computer programs concurrently. Source: http://en.wikipedia.org/wiki/Process_(computing)
  3. List of Antivirus Softwares
