How to remove a virus manually!!

Manually Removing Viruses and Worms
----------------------------------

Here I shall discuss manual techniques for removing a malicious program
from an infected system. The steps to follow when removing a malicious file
manually are given below.

a. The first step is always to isolate the system by disconnecting it from any
network (e.g. dial-up, LAN, VPN or DSL) it is connected to.


b. Disable System Restore and reboot the system in safe mode (in safe mode only
a minimal set of services runs, which prevents unknown services from starting
during system startup).


c. This step removes unnecessary or malicious programs from system startup. The
Windows “msconfig” tool can be used to remove unnecessary programs from the
system startup.
Note: “msconfig” is not present in all versions of Windows. If msconfig is not
present, the startup entries have to be removed manually, which I shall discuss
in the following steps.
Go to Start => Run => Type “msconfig” (without quotes) => Press Enter
Select the option "Diagnostic Startup" in the “General” tab.
Switch to the “Services” tab. Click “Enable All” and check "Hide Microsoft services".
Now switch to the “Startup” tab. Un-check all unnecessary startup items and any
suspicious startup file.
Now press the “OK” button in “msconfig”.


d. In some versions of Windows (e.g. Windows 2000) “msconfig” is not present. In
that case the unnecessary startup files have to be removed manually. Startup
items can be removed manually from the following location:
Start => Programs => Startup => Right click item => Delete
The same folder can also be found at
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Similarly, the unnecessary services have to be disabled manually in
“services.msc”.
To disable the unnecessary services manually, go to Start => Run => Type
“services.msc” (without quotes) => Press Enter. Then right click the service that
has to be disabled => Properties => Stop (if running) => Disable => press Enter.


e. Most malicious programs make entries in the registry so that they start on
system boot. These entries can be found in the following locations:
HKEY_LOCAL_MACHINE => Software => Microsoft => Windows => CurrentVersion => Run
HKEY_LOCAL_MACHINE => Software => Microsoft => Windows => CurrentVersion => RunOnce
HKEY_LOCAL_MACHINE => Software => Microsoft => Windows => CurrentVersion => RunServices (only for Windows 9x/ME)
and
HKEY_CURRENT_USER => Software => Microsoft => Windows => CurrentVersion => Run
To remove the entries from the registry, go to Start => Run => Type “regedit”
(without quotes) => press Enter. Then go to the above mentioned keys and delete
all unnecessary entries.


f. Purge the recycle bin and restart Windows in normal mode. Connect to the
internet and update the anti-virus signatures; once the signatures are up to
date, a complete system scan should be done.

g. Go to Start => Run => Type “msconfig” (without quotes) => Press Enter. Select
the option "Normal Startup" (view Screenshot 3.1.3.a) in the “General” tab and
press OK. Reboot the system again into normal startup.
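
Before deleting anything in steps d and e, it helps to list what is actually registered to start. The script below is an added example, not part of the original post: a read-only inventory of the registry keys from step e and the All Users Startup folder from step d. It assumes Windows PowerShell 5.1 or later is available; the function names Resolve-Target and New-Row are hypothetical helpers.

```powershell
# Added example: read-only inventory of the autostart locations named in steps d and e.
# Nothing is deleted here; the output is a review list for the manual cleanup.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',  # Windows 9x/ME only
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# All Users Startup folder; on Windows XP this resolves to the path given in step d.
$startup = [Environment]::GetFolderPath('CommonStartup')

function Resolve-Target([string]$Command) {
    # Pull the executable out of a command line, quoted or unquoted.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if     ($cmd -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|scr|pif|dll))(\s|,|$)') { $path = $Matches[1] }
    else   { $path = ($cmd.Trim() -split '\s+')[0] }
    if ($path -and $path -notmatch '[\\/]') {
        # Bare names such as rundll32.exe are resolved through PATH.
        $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    return $path
}

function New-Row($Location, $Name, $Command, $Path) {
    # A missing target file or an unsigned binary is a reason to look closer.
    $exists = [bool]$Path -and (Test-Path -LiteralPath $Path -PathType Leaf)
    $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $Path).Status } else { 'n/a' }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command
                       FileExists = $exists; Signature = $sig }
}

$rows = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # e.g. RunServices on NT-based Windows
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $cmd = [string]$reg.GetValue($name)
            New-Row $key $name $cmd (Resolve-Target $cmd)
        }
    }
    if ($startup) {
        Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object { New-Row $startup $_.Name $_.FullName $_.FullName }
    }
)
$rows | Sort-Object FileExists, Signature | Format-List
```

Entries whose FileExists is False or whose Signature is not Valid are the ones to examine first; a valid signature alone does not make an entry necessary.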

 