Friday, September 05, 2014

Tricks to remove virus, malware, trojan manually

You are most likely reading this because you are infected with some sort of malware and want to remove it. It is also assumed that you have examined the programs running on your computer, found one that does not look right, and want to remove it.

Follow these steps:

1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns
2. Reboot into Safe Mode so that the malware is not started when you are doing these steps.
3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.
4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each option:
   Verify Code Signatures
   Include empty locations
   Hide Signed Microsoft Entries
Then press the F5 key on your keyboard to refresh the startups list using these new settings.

5. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure it is not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file, as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and which folder it is in, you want to remove. You can check our Startup Database for that information or ask for help in our computer help forums.

6. Once you find the entry that is associated with the malware, delete that entry so it will not start again on the next reboot. To do that, right-click on the entry and select Delete. This startup entry will now be removed from the Registry.

7. Now that it will no longer start at boot, delete the file using My Computer or Windows Explorer. If you cannot see the file, it may be hidden, so change the folder view options to show hidden files.

8. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode; you should now be clean of the infection.
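As an added example (not part of the original post), the PowerShell script below approximates steps 4 and 5 without the Autoruns GUI: it walks the Logon Run keys and the Services list, resolves each Image Path, verifies the Authenticode signature, hides valid Microsoft-signed entries, and prints the rest for manual review. The set of registry keys checked is my own selection, not Autoruns' full list, and an elevated PowerShell session is assumed.

```powershell
# Added example, not from the original post: a rough PowerShell equivalent of Autoruns
# steps 4-5 (Verify Code Signatures, Include empty locations, Hide Signed Microsoft Entries)
# for the Logon Run keys and Services. Key list is an assumption; run from an elevated session.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Pull the executable (the Image Path) out of a command line such as
#   "C:\Program Files\Foo\foo.exe" -silent   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.(exe|dll|sys|bat|cmd|vbs|ps1))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # empty location: nothing registered here
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own provider metadata
        $entries += [pscustomobject]@{ Location = $key; Entry = $p.Name; ImagePath = Get-ImagePath $p.Value }
    }
}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object PathName) {
    $entries += [pscustomobject]@{ Location = 'Services'; Entry = $svc.Name; ImagePath = Get-ImagePath $svc.PathName }
}

# Check each image's signature and hide valid Microsoft-signed ones. Caveat: catalog-only signed
# files may report NotSigned on older systems, and svchost-hosted services show svchost.exe, not the DLL.
foreach ($e in $entries) {
    $status = 'FILE MISSING'                          # orphaned entry: still worth a look
    if (Test-Path -LiteralPath $e.ImagePath) {
        $sig = Get-AuthenticodeSignature -LiteralPath $e.ImagePath
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
        $status = "$($sig.Status) $signer"
    }
    [pscustomobject]@{ Status = $status; Location = $e.Location; Entry = $e.Entry; ImagePath = $e.ImagePath }
}
```

Anything it prints is a candidate for the Image Path check in step 5, not proof of infection; compare the path and signer against the Startup Database before deleting.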

Additional info:
dir /ah lists the hidden files in the current folder.
Look under the /user/public folder.
Rename the file if you cannot delete a virus-related file.
Look for suspicious batch files.
Use Process Explorer - http://www.techsupportalert.com/content/check-windows-processes-viruses-easily.htm
See who your PC is talking to - the Moo0 Connection Watcher is free, and you can get it from http://www.moo0.com/software/ConnectionWatcher
Startup entry database: http://www.bleepingcomputer.com/startups/
