
Free Virus Removal Steps

Viruses, Trojans, Worms and Hijackers

Viruses, Trojans, worms and hijackers - you would almost think this is a new game or film of some sort - but if your PC is infected with any sort of virus it can be bad news.

In this article we will show you what steps to take to remove any viruses that have infected your computer.

Here's just a quick list of the types of viruses that plague personal and business PCs alike.

Virus - a virus is a program that when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects including slowing down your PC, wiping all or part of your hard drive, displaying some sort of bogus warning message, or doing nothing at all except replicating itself. These types of infections tend to be localized to your computer and do not have the ability to spread to another computer on their own.

Trojan - a trojan is a program that has been designed to appear innocent but has been intentionally constructed to cause some malicious activity or to provide a backdoor into your system for an unscrupulous hacker or criminal.

Worm - a worm is a program that when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.

Browser Hijackers - this type of program attempts to hijack certain Internet functions like redirecting your start page to the hijacker's own start page, redirecting search queries to an undesired search engine, or replacing search results from popular search engines with their own misleading information.

Backdoor - a backdoor program allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers.

All these different programs are often just called 'computer viruses' even though there are obviously many different types of virus infection.

There are two distinct ways to remove viruses.

1. Rely on your Anti Virus Software (and other freely available software) to remove any viruses from your PC.

2. Completely wipe your hard drive and reinstall Windows and all your programs.

TIP: Always back up your important data before attempting any virus removal procedure.

Removing Viruses Using Software

You should first run your anti virus software and do a full sweep of your computer's drives, all of them - even any flash sticks or external hard drives. Follow the instructions to clean, delete or quarantine the infection.

If your anti virus software reports that it cannot remove the virus infection, an application is probably running that is using the infected file, which prevents it being cleaned, deleted or quarantined.

To overcome this problem, try rebooting your PC and make sure that no programs are running (except the anti virus software). You can test that no other software is running by using the Windows Task Manager - press Ctrl Alt Delete and click on the Applications Tab. Now run your anti virus software and do another sweep of your entire system.

If you still cannot clean, delete or quarantine the virus infection, the infected file may be a Windows System File (i.e. one that is being used by the Operating System).

Warning - make sure you have a backup of all your important files before you take the next step - because cleaning or deleting a Windows system file may make your computer unstable and it may not even start up when you reboot your PC to exit Safe Mode.

Next, try starting your PC in Safe Mode (keep pressing F8 as your PC starts and choose Safe Mode from the resulting list).

Safe Mode only uses the bare minimum components to load Windows and looks very different to a normal Windows desktop. Safe Mode is just a minimal set up that should only be used for diagnosing problems.

However, you should be able to run your anti virus software in Safe Mode and perform a manual scan of just your C drive, where your Windows Operating System is installed. Hopefully the infected file will now be cleaned or deleted by your anti virus software.

If you still cannot clean, delete or quarantine the virus infection, the infected file(s) are either core Windows files which are in use even in Safe Mode, or the virus has hooked directly into the Windows Registry and may be automatically starting when the system starts.

As long as you know what type of virus is infecting your PC and its name, try the following step.

Using Autoruns to Track Down a Virus file

Download the Autoruns program by Sysinternals and install this on your PC's hard drive at C:\Autoruns or just on your desktop so it's easy to find in Safe Mode.

Now reboot into Safe Mode and navigate to the C:\Autoruns folder or the desktop folder that you created and double-click on autoruns.exe.

When the program starts, click on the Options menu at the top of the screen and enable the following options by clicking on them. This will place a checkmark next to each of these options.

1. Include empty locations

2. Verify Code Signatures

3. Hide Signed Microsoft Entries

Then press the F5 key on your keyboard to refresh the startups list using these new settings.

The program shows information about your startup entries in a number of different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well.

Be very careful and make sure you know which virus file(s) you plan to remove.

Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file as it is common for viruses to create multiple startup entries. It is important to note that many viruses disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file (and the folder they are in) you want to remove.

Once you find the entry that is associated with the infection, you should delete that entry so it will not start again on the next reboot. To do that, right-click on the entry and select Delete. This startup entry will now be removed from the Registry.

While you are still in Safe Mode you should delete the infected file(s) using My Computer or Windows Explorer.

When you are finished removing the entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection. But just to be sure re-run your anti virus program and check all your PC's drives.
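The check described above (find the file under Image Path, confirm its folder, and see whether it is signed) can also be run as a script. This is an added example, not part of the original article or of Autoruns; it assumes a Windows version with PowerShell 3 or later, reads only the four Run/RunOnce keys, and the function name Get-ImagePath and the folder table are illustrative.

```powershell
# Added example: read-only check of Run-key startup entries, a subset of what
# Autoruns lists on its Logon tab. Nothing is modified or deleted.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Illustrative table: Windows file names that malware often copies, and the
# one folder each genuine file lives in.
$sys32 = Join-Path $env:SystemRoot 'System32'
$knownFolder = @{
    'svchost.exe' = $sys32; 'lsass.exe'    = $sys32; 'services.exe' = $sys32
    'csrss.exe'   = $sys32; 'winlogon.exe' = $sys32; 'userinit.exe' = $sys32
    'explorer.exe' = $env:SystemRoot
}

function Get-ImagePath([string]$Command) {
    # A launch string is an image path plus optional arguments.
    $text = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }   # "C:\a b\x.exe" /arg
    if ($text -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return $text
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $image = Get-ImagePath ([string]$regKey.GetValue($name))
        if (-not $image) { continue }
        $leaf = ($image -split '\\')[-1]                      # file name only
        $dir  = $image.Substring(0, $image.Length - $leaf.Length).TrimEnd('\')
        $status = 'file not found'; $signer = ''
        if (Test-Path -LiteralPath $image -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $image
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # A system file name in any folder other than its genuine one.
        $wrong = $knownFolder.ContainsKey($leaf) -and $dir -and ($dir -ne $knownFolder[$leaf])
        [pscustomobject]@{ Key = $key; Entry = $name; ImagePath = $image
                           Signature = $status; Signer = $signer; WrongFolder = [bool]$wrong }
    }
}
# Show only the entries that need a closer look.
$report | Where-Object { $_.Signature -ne 'Valid' -or $_.WrongFolder } | Format-List
```

On older Windows versions Get-AuthenticodeSignature may report catalog-signed Windows files as NotSigned, so treat that status as a reason to look closer, not as proof of infection.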

Warning About Using Autoruns

Please note that some entries shown in Autoruns must not be deleted:

Under the Logon Tab


Never amend this unless you simply want to set it back to its default value, because some rogue software maliciously modified it. Never untick it or delete it. You will not be able to logon ever again.

WindowsNT\ CurrentVersion\

Never amend this unless you want to set it back to its default value, because some rogue software maliciously modified it. Never untick it or delete it. You will not see your desktop if you do.

In general, be very careful with all the other entries starting with HKLM because changing them will affect all users and may negatively affect some of your applications and even your Windows installation. However, it will not normally render your system un-bootable.

Under the Services Tab

Basically, do not untick any service, unless you are absolutely sure your system does not need it at start up (search Google online to see what each Windows service does and if it's essential).

Tip: If you need to reconfigure the way a service is launched (automatically, manually, never), use services.msc instead of Autoruns. Type services.msc in the Start\Run box.

Some services are more vital than others so you will only learn during the next reboot if disabling a service was a good idea or not.

Hopefully the virus infection has now been removed.

As a safeguard run your anti virus software again to check that your PC is virus free.

Finally, if your computer was infected with any trojans, backdoors, hijackers etc, they could have been saved in System Restore and are waiting to re-infect your PC. Since System Restore is a protected directory, your anti virus software cannot access it to delete any files that may contain viruses.

So it's best to disable and enable System Restore as this action removes all its restore points.

How to Disable and Enable System Restore

Click Start, right-click My Computer, and then click Properties in the resulting list.

In the System Properties dialog box, click the System Restore tab.

Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box and click OK.

You will see the following message:

You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore?

Now click Yes to confirm that you want to turn off System Restore:

After a few moments, the System Properties dialog box closes.

To restore System Restore, follow the same procedure but untick the Turn off System Restore check box or, untick the Turn off System Restore on all drives check box and click OK.

Still Have a Virus Infection?

If, after all this, you still have a virus infection, chances are your system is infected with multiple viruses. If this is the case, these viruses will have made multiple changes to the Windows Registry, rendering your system unstable. The only way to proceed is to completely wipe your hard drive and reload Windows and any other software that you use on a regular basis.

Removing Viruses by Wiping a Hard Drive

If you are installing Windows XP or later, the installation routine will allow you to delete an existing partition and erase all the data on that partition. The installation routine can also create and size a new partition on which you will install Windows.

After installation, you will have to use Disk Management (Administrative Tools - Computer Management - Disk Management) to partition the remaining space on the hard disk.

For a full guide to installing Windows XP on your computer see our article - How can I install Windows XP Home or Professional on my computer?

Of course it's better not to have any sort of virus infection. And this can be achieved if you carry out a good housekeeping schedule for your computer.

As a minimum you should have an Anti Virus Program, a robust Firewall and effective Spyware and Adware programs. See our Software Reviews page for a review of all these programs.

Run all these regularly, as often as weekly if you use your PC a lot.

Security Issues

If you were using your PC to make credit card purchases, check online bank details, conduct PayPal transactions etc while any routes into your PC were active, your computer could well be compromised. You should certainly inform your bank/building society/credit card company immediately of this situation. They can then watch your accounts for any illegal activity.
