
How to Find and Remove Spyware, Trojans and Viruses


GShock


 

Malware Removal

PCWizKid in this tutorial shows you an advanced yet manual way of finding and removing spyware, trojans or viruses when your anti-spyware or anti-virus program is not fixing it for you properly.

 

There are generally 3 steps to removing malware, which should be done in SAFE Mode. If you are unsure about how to boot your Windows into SAFE Mode only, when you first boot your computer, before you see the Windows logo, press and hold down the F5 key and you will be given the option to boot your PC into a minimal boot configuration of the OS so you can do your investigation without being connected to the internet. Always remember to make a backup of your registry (use the System Restore checkpoint tool) before you make any of these changes.

 

Step 1.

The first step is to stop the malware that is currently running and starting up automatically every time you log in to Windows. We need to stop and kill its running process and prevent it from starting up again.

 

There are 2 areas that are useful for checking what is "Starting up" and "Running". This is shown in the video tutorial below in more detail, but for reference these 2 areas are the System Configuration accessed using MSCONFIG and the Task Manager which is accessed by doing a CTRL+ALT+DEL.

 

Within these existing tools in Windows you can get the details on a suspicious EXE file starting up or a process running in the background hidden from view and disable it.

 

Step 2.

Though you might be successful in temporarily disabling the malware from running by doing Step 1, this does not solve the problem long term because most malware (spyware, trojans and viruses) can put themselves back and re-enable themselves once you reboot, because the registry still has entries that reference them and start them up. This means that before you restart your computer, and immediately after you have done Step 1, you need to go into the Windows REGISTRY (as shown in the video tutorial) and remove the references to the suspicious malware executable from there. The Windows registry has specific areas where you can specify programs to start automatically or associate themselves as something else or hide. Searching the registry for these references and deleting them ensures that they do not start up again.

In the registry, malware places itself in the startup here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

 

Step 3.

The last thing that you would do is delete the actual malware files. Once you have found the filenames and locations (based on our findings in MSCONFIG and the REGISTRY) you can navigate using Windows Explorer and delete the actual files from your hard drive. Though this is not 100% foolproof and malware files can make copies of themselves and duplicate themselves, removing as much as possible will in most cases break the cycle of allowing the malware to run. Some common areas where you will find spyware, trojans and viruses hiding are as follows:

 

C:\Documents and Settings\Administrator\Local Settings\Temp\

C:\windows\system32\

C:\WINDOWS\Prefetch

 

In these folders, when you sort your files and folders by date you can see what has recently been touched, added or changed. Malware will try to disguise itself as a DLL file or an EXE file; usually they have odd file names with no real meaning, and you can search online for that file name to get details on its origin and whether it's a threat or not. Sometimes they try to take on filenames similar to actual real system files such as rundll32. If you saw something called rundll33 then you know that for sure is a threat and should be deleted.

 

 

 

PM me if you have any questions on the best type of anti-spyware/antivirus, or on whether your program is good or might need a new upgrade. :P

EDIT:

SOMEONE MOVE PLEASE!

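The checks from Steps 2 and 3 above, as an added example that is not part of the original post or of PCWizKid's tutorial: a Python script that reads saved `reg query` output for the Run key and flags entries that start from a temp or Prefetch folder, or whose file name is one character away from a genuine system binary. The sample output, the `KNOWN` list and all function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `reg query` text output for the Run key (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Shell Helper    REG_SZ    "C:\WINDOWS\system32\rundll33.exe" /s
    upd8    REG_SZ    "C:\Documents and Settings\Administrator\Local Settings\Temp\xkq81.exe"
    Loader    REG_SZ    C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL
"""

# Assumption: KNOWN is a short, incomplete list; RISKY_DIRS come from Step 3.
KNOWN = ["rundll32", "svchost", "explorer", "winlogon", "lsass", "csrss"]
RISKY_DIRS = ("\\temp\\", "\\prefetch\\")

def parse_run_entries(text):
    """Yield (value_name, command) pairs from `reg query` output."""
    for line in text.splitlines():
        m = re.match(r"^ {4}(.+?) {4}REG_(?:EXPAND_)?SZ {4}(.*)$", line)
        if m:
            yield m.group(1), m.group(2)

def image_path(command):
    """Return the executable path from a command line, quoted or not."""
    m = re.match(r'^"([^"]+)"', command)
    m = m or re.match(r"^(.+?\.(?:exe|dll|com|scr|bat))", command, re.I)
    return m.group(1) if m else command

def edit_distance(a, b):  # Levenshtein distance between two names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(text):
    """Yield (value_name, path, reasons) for entries worth a closer look."""
    for name, command in parse_run_entries(text):
        path = image_path(command)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        reasons = []
        if any(d in path.lower() for d in RISKY_DIRS):
            reasons.append("starts from a temp or prefetch folder")
        reasons += ["name imitates " + k for k in KNOWN
                    if edit_distance(stem, k) == 1]
        if reasons:
            yield name, path, reasons
```

A flagged entry is a lead to check by hand, not proof of infection; the genuine `rundll32.exe` entry in the sample passes because its name matches exactly.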

Good Guide.

 

You ever used the Windows Defender?

Awesome software. You use it as well?

 

EDIT:

Thank you Anthoni, Ded, Jay and Benjamin but full credits go to PCWizKid. Just posted to help members in need.


Most malicious files will set their file attributes to hidden to attempt to hide themselves, which may lead to difficulties on the 3rd step for some people.

Click here for a tutorial on how to see hidden files on Windows.

 

Also, I don't advise people go on a cleaning spree through their registry unless they know what they are doing as there is a chance you will **** **** up.

 

 

I recommend using something similar to AVG Firewall, which alerts you whenever an unauthorized program is attempting to access the internet.

Oh, you're right. An internet service provider should offer free software, and it's usually recommended, which can have a nice firewall and shouldn't interfere with the software currently being used. I'm using my internet service provider's anti-virus program as well as Microsoft Windows Defender.


If you get infected with a keylogger, rat or bot and you play Runescape, it's probably going to be one of the hackforums kids and you are probably retarded. All keyloggers on Hackforums are recycled source codes from kids who don't know what the **** they are doing and they're always pretty much identical. If you are infected with a keylogger, pm me and I'll go on TeamViewer with you and remove it. If it's .NET which is going to be 90% of the time then I'll crack it for you too so you can go get the kid back who hacked you.



LOL
