Eradicating A Virus After An Infection Scan

in #blog · 7 years ago

I have lots (and LOTS) of stories from customers, friends, and family about taking their computers to various big box repair centers to have a virus removed, only to have the virus return in a week or two. When they take the machine back to complain, they are told it will cost them again to have it removed, again. Here are a few steps you can (and should) take AFTER your antivirus program isolates or removes the problem, or after paying someone to remove it. I have spent quite a few years doing computer repairs and have removed many viruses. I have spent a fair amount of time studying, practicing, and researching computer security, and have written a few viruses for self-study. Windows has a million places and a million ways for a virus to hide and replicate, and a scan that removes the active file does not always remove the restore points, cached references, and startup entries that still point back to it. Here are a few extra steps you should take after the problem has been detected and corrected:

1.) Turn off System Restore, then turn it back on. Turning it off deletes the existing restore points, taking with them any remnants of the infectious critter that could otherwise be brought back by a restore.

2.) Delete the contents of the Windows\Prefetch folder. You can get there by typing prefetch in the Run box or by browsing manually to C:\Windows\Prefetch. Prefetch files record which files a program loaded when it started, so this removes any stale references to the infected files that have been cleaned up, references that a self-replicating virus could otherwise rely on to check for and reinstall itself.

If you are familiar with the Windows registry, Autoruns (which must be run with administrator privileges) can be used to check the various autostart sections of the registry for browser hijacks, image hijacks, scheduled tasks, and so on. The tool can be used to locate suspicious files, or to remove entries pointing to files that are no longer present on your system. If you decide to use it, back up the current registry first (this can be done from within Autoruns), and realize that changes made through this tool are permanent: the only way to undo them is to load a backup of the registry. If you are not comfortable working with the registry, don't risk it.

Some things to look for in Autoruns:

  • Missing publisher information
  • Any red highlighted line
  • Thoroughly inspect any scheduled task
  • Entries missing path information can and should be safely removed

These are a few steps that will help determine whether an infection is a one-off or a recurring problem.
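As an added example (not code from the original post), the following PowerShell script applies the two Autoruns checks listed above, a missing target file and missing publisher information, to the Run/RunOnce registry keys and every scheduled task. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer, where Get-ScheduledTask is available, and it only reports; it changes nothing.

```powershell
# Added example (not from the original post): a read-only audit of the Run /
# RunOnce registry keys and all scheduled tasks, applying the same checks the
# post lists for Autoruns: a target file that no longer exists, or a target
# with no verifiable publisher (no valid Authenticode signature).
# Run from an elevated PowerShell so HKLM and every task are readable.
# Nothing is deleted; back up the registry, then act on the output yourself.

# Pull the executable path out of a command line such as
#   "C:\Program Files\App\app.exe" /silent    or    %SystemRoot%\x.exe --flag
function Get-TargetPath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"|^\s*(\S+)')
    $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Describe one autostart entry: does its file exist, and who signed it?
function Test-AutostartEntry([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = Get-TargetPath $CommandLine
    $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $publisher = $null
    if ($exists) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }
    }
    $flag = if (-not $exists) { 'MISSING FILE' }
            elseif (-not $publisher) { 'NO PUBLISHER' } else { '' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $path
                       Flag = $flag; Publisher = $publisher }
}

$results = @()
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) { $results += Test-AutostartEntry $key $p.Name $p.Value }
}
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {        # COM-handler actions have no Execute
        if ($a.Execute) { $results += Test-AutostartEntry "Task $($task.TaskPath)" $task.TaskName $a.Execute }
    }
}
# Show only the entries that tripped a check; an empty table is the good outcome
$results | Where-Object { $_.Flag } | Sort-Object Source, Name | Format-Table -AutoSize
```

A MISSING FILE row is the "entry missing path information" case from the list above; a NO PUBLISHER row is worth the same scrutiny the post gives to entries without publisher information, since unsigned software is common but so is malware.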