Viruses are annoying. Now they are moving between all platforms as well – Apple, Microsoft, Linux even mobile operating systems have issues with bugs. This post will primarily focus on virus removal from Windows systems.
Recently there has been much more of occurrence of Malware – programs that appear to be safe but are actually malicious.
One of the keys to removing viruses is being able to find where they are running from. Some viruses are smart and limit your ability to use programs to find where they are running, or spawn randomly named processes that make it more difficult to find them.
Recently I came across a malware infections called Windows Protector SL, this program ran on boot and showed random messages saying there were infections and hardware failing.
To find the infections process, normally I attempt to run Task manager by pressing CTRL+SHIFT+ESC or right clicking the task bar and going to Task Manager and alternatively typing taskmgr into the Run dialog box.
This virus however prevented it from running – so I attempted to use regedit, same error occurred. Luckily in Windows the command prompt provides some useful commands that can help aid in finding at the least the name of the infection and sometimes can even stop the process from being active.
In this case, we use the command tasklist. This will give a list of the processes running on the system, and other useful details such as the Processor Identifier or PID and the name of the file running.
If you can identify the malicious process you can use the following command to stop it:
taskkill /pid XXXX /f
This command stops the process from running in a forceful manner. In some cases this will be enough to allow you to navigate around the computer using the GUI and possibly delete the virus file that has arisen.
There are a few known locations where they like to hide:
– All temp directories (Windows\Temp and Temp files within User folders)
***Please note the above paths refer to Windows Vista and above systems, XP uses “C:\Documents and Settings\Username\Applicaiton Data”***
If you have used taskkill to stop the process running, check these folders for a file with the same name as the malicious one you stopped earlier and DELETE it.
I also suggest you look in msconfig to see if there is a registry loading point for the virus and remove it, if you can not open regedit just disable the loading point in msconfig. Be sure to check the startup folder as well for any strange entries and remove them as well.
Once you reach this point, reboot your computer and see if the virus loads. If it doesn’t try and use a scanner to remove any further infections that may be present.
I generally use Malwarebytes Antimalware as it now offers a tool called Chameleon that is able to kill known malicious processes which then in turn allows Malwarebytes scanner to operate. This program has saved me a significant amount of time on several occasions as it not only removes malicious files but also malicious registry entries. I also use Combofix as it has great log files and an exceptional removal ability due to its process of killing the explorer.exe process to aid in removal.
There are other tools available, I have found though in most circumstances it is best to begin with a manual approach, without this manual approach it is likely you will need to run BartPE cd’s just to get a start, and who wants to wait for one of those things to load.