Difficult Virus and SpyWare Removal


If you can't remove a virus or a spyware program -- or it comes right back after you reboot -- you may need to try these tricks.



SAFE MODE:  Safe Mode loads only a minimal set of drivers and services, so a virus that runs as a service, or depends on one, often won't start at all. Sometimes being in Safe Mode is the only way you can keep the computer from crashing while you're working on it. Working in Safe Mode can significantly increase the chances of removing a virus. For instructions on restarting in Safe Mode, refer to the Symantec document How to start the computer in Safe Mode.

SYSTEM RESTORE:  Both "System Restore" and "Windows File Protection" are there to put system files back if they get deleted or damaged. Unfortunately, that cuts both ways: an infected file saved in a restore point can come back when a restore point is used (and most antivirus programs cannot clean inside the restore folders), and a virus that replaces a protected system file, or plants its copy in the file-protection cache, can be reinstated by Windows File Protection after you delete it. For instructions on disabling System Restore, see the well-written Symantec documents How to disable or enable Windows Me System Restore and How to turn off or turn on Windows XP System Restore. To disable "Windows File Protection" on XP or 2000, the easiest way is the Windows File Protection settings tab in the free XP Lite / 2000 Lite utility from LitePC. After you finish removing the virus or spyware, be sure to re-enable System Restore and Windows File Protection.

MANUALLY REMOVING STARTUPS:  You want to stop viruses and spyware from running when you start your computer. I won't mention the registry (because if you know it, you know it, and if you don't, you won't need it for this). Windows 98/ME/XP users have a program called "msconfig.exe" that is easily launched from the "Start" / "Run" dialog. Once msconfig is running, go to the "Startup" tab and uncheck the bad things. What's bad? Well, on 98/ME the good things are "ScanRegistry", "TaskMonitor", "SystemTray", "LoadPowerProfile", and your antivirus program (whatever it is). If you don't have those items, don't worry. Anything else can be unchecked if you have any doubts -- unchecking only stops it from running at startup, and you can re-check it later. Lists of known (good and bad) applications can be found here:
http://www.sysinfo.org/startuplist.php
http://www.reger24.de/processes.php
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.liutilities.com/products/wintaskspro/processlibrary/
If you see a process that has a random name (a bunch of random letters and/or numbers), you can bet it is bad.
    Windows 2000 users don't have msconfig, but you can get it from Microsoft... indirectly. Msconfig is included in several patches, like Q328940 and the massive SP2 patch. You need to use WinZip to open the patch without running it, then extract and possibly decompress the msconfig file. A bit awkward, but it works. Far easier is to just copy msconfig.exe from a nearby XP computer.
    XP and 2000 users will get better results with a dedicated startup utility like the very popular Sysinternals AutoRuns or NirSoft StartupRun, which cover many more startup locations than msconfig shows.
 
MANUALLY REMOVING FILES:  Many viruses and spyware programs assign themselves random names in order to avoid automated removal. In addition to stopping these items from running at startup, you'll want to try to delete the files yourself. Perform a search on the base file name (without the file extension) to see if there are copies in the cache or restore folders. You'll need to configure Explorer to show all hidden and system files. If you see a file with a random name in the Windows, WinNT, System, or System32 folder, that's more evidence it is bad. If you right-click the file, select "Properties", and find no "Version" tab, or no manufacturer and description information in the Version tab, then that's three strikes. It's bad. Delete it and delete any cached copies. If Windows complains that the file can't be deleted because it is in use, use the Task Manager to stop the process, then delete the file; if the process won't stop, try again from Safe Mode. Don't worry if you can't delete everything. The more you delete and disable, the more likely you'll be able to get it fully removed -- or removed automatically by your antivirus -- after the next reboot.
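The startup and file checks above can be done on paper, but when a machine has dozens of startup entries it helps to have the rules written down. The script below is an added example (not from this page, and not a tool the page recommends): it reads a REGEDIT4 export of the Run key, which regedit or reg.exe can produce on 98/ME/2000/XP, and applies three of the checks above to each entry: is the name on the known-good list, does the file name look like "a bunch of random letters and/or numbers", and does the file live in a Windows system folder. The sample export, the entry names and the paths in it are constructed for the example, and the thresholds in the random-name test are my own choice, picked so ordinary system names such as rundll32 or svchost are not flagged. The Version-tab check needs the file itself and is left to Explorer.

```python
"""Triage Windows Run-key startup entries with the page's rules of thumb.

Added example, not part of the original page. Input is a REGEDIT4 export
such as:  regedit /e run.reg "HKEY_LOCAL_MACHINE\...\Run"
The export below is constructed for the example, not from a real machine.
"""
import re

# Entries the page calls good on 98/ME; anything else is at least "check".
KNOWN_GOOD = {"scanregistry", "taskmonitor", "systemtray", "loadpowerprofile"}
# Windows and WinNT folders; a prefix match also covers \System and \System32.
SYSTEM_DIRS = ("c:\\windows", "c:\\winnt")
VOWELS = set("aeiouy")

# Constructed sample export (names and paths are made up for illustration).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"NAV Agent"="\"C:\\Program Files\\Norton AntiVirus\\navapw32.exe\""
"xk8f2qz1"="C:\\WINDOWS\\SYSTEM32\\xk8f2qz1.exe"
'''

# One  "name"="value"  line; both sides may contain \" and \\ escapes.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo REGEDIT4 string escaping (\\ -> \ and \" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text):
    """Return {entry name: command line} for every string value in the export."""
    entries = {}
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def program_path(command):
    """Pull the executable path out of a Run command (quoted or bare, with args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]   # bare path: arguments start at first space


def looks_random(filename):
    """Heuristic for 'a bunch of random letters and/or numbers'.

    Flags names where letters and digits alternate several times (xk8f2qz1)
    or longer all-letter names with almost no vowels (qzkfxwvn). Thresholds
    are an assumption chosen so rundll32, svchost, ctfmon etc. pass.
    """
    base = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in base if c.isalpha()]
    runs = re.findall(r"[a-z]+|[0-9]+", base)
    alternations = max(len(runs) - 1, 0)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return alternations >= 3 or (len(letters) >= 8 and vowel_ratio <= 0.15)


def in_system_folder(path):
    """True if the path is under the Windows or WinNT folder (any depth)."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def triage(reg_text):
    """Map each entry to (verdict, reasons): 'keep', 'check' or 'remove'."""
    results = {}
    for name, command in parse_run_entries(reg_text).items():
        if name.lower() in KNOWN_GOOD:
            results[name] = ("keep", ["on the known-good list"])
            continue
        path = program_path(command)
        filename = path.rsplit("\\", 1)[-1]
        strikes = []
        if looks_random(filename):
            strikes.append("random-looking file name")
        if in_system_folder(path):
            strikes.append("lives in a Windows system folder")
        # The page treats a random name alone as enough to call it bad.
        verdict = "remove" if "random-looking file name" in strikes else "check"
        results[name] = (verdict, strikes or ["not on the known-good list; look it up"])
    return results


if __name__ == "__main__":
    for name, (verdict, why) in triage(SAMPLE_REG).items():
        print(f"{verdict:6} {name:14} {'; '.join(why)}")
```

Run it against a real export and treat "check" entries as things to look up in the process lists linked above, not as things to delete; the known-good list is the short 98/ME one from this page, so on XP most legitimate entries will land in "check".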

BOOT CDROM:  If you can't get the computer to boot into Safe Mode, you can't make registry changes, and you can't stop running processes, your only hope may be to boot from something else. I suggest making a bootable CDROM and placing antivirus tools, an offline registry editor (one that can load the hives from the infected disk), spyware removal tools, backup software, and file recovery utilities on the CDROM. A good place to go to build such a CDROM is Bart Lagerweij's BartPE page. Building a simple BartPE CDROM can be done within minutes of downloading the program. Given a few hours, you can get the basic antivirus and registry editor on the CD. By then you'll be hooked, and you'll spend the next few days getting all your tools on the CD and working out how to automatically update and build everything. Once you have a CD like this, there is nothing you can't do, because nothing on the infected disk is running while you work. If you can't build or use a bootable CDROM, you might consider building a separate hard drive (complete with an OS and all your tools) to install in the problem computer.

REPEAT AS NECESSARY:  Yes, the same thing your shampoo bottle says. You do all these tricks, reboot, and see how much you fixed. Run the antivirus and anti-spyware programs and see if they show you clean. Then check your startups again. Then look for random-named processes. Then boot into Safe Mode and test again. Only when everything tests clean, with every tool and every method you have, on two reboots in a row, can you call the computer clean. Then, for goodness sake, do something to keep from getting infected again!


