Removal of deep-seated viruses from Windows operating systems

This article takes a generalized approach to remove annoying Trojans/viruses/malware from your computer. The author is not responsible for you destroying your computer as a result of the advice on this web page, and assumes that you have an intermediate level of knowledge of the Windows operating system.

I’ve recently had the pleasure of disinfecting many computers with stubborn viruses that refuse to go away with the usual methods (for example, opening your antivirus program and clicking scan). “Deep roots,” as I like to call them, can be more of a problem.

There are many different symptoms. One you may face is a fake or rogue antivirus program that appears as soon as you open your web browser (or sometimes when you open any executable (.exe) file) and blocks every other website until you have paid. I cannot stress enough how important it is to NOT pay. No real antivirus program would force you to pay to “get on the web.”

So how do we get rid of these pests?

Here are some steps you can take to fix the problem.

(These steps assume you can log in and see the Windows desktop; otherwise skip to step 3 and work on the drive from another computer.)

1. Restart your computer and keep tapping the F8 key until you get the boot menu, then select “Safe Mode with Networking”. Safe Mode loads only the core drivers and services, so many of the malware’s autostart entries are skipped, while the “with Networking” variant keeps network access so you can download the tools listed below.

2. Once the Windows desktop has loaded, click Start -> Control Panel -> Internet Options -> the “Connections” tab -> the “LAN Settings” button. Under the “Proxy server” heading, if “Use a proxy server for your LAN” is checked, click the “Advanced” button. Look at the HTTP field: if the address is “localhost” or “127.0.0.1”, you are probably infected, because a proxy on the local machine means a process on this very computer is intercepting all of your web traffic (that is how the rogue blocks other websites). To test this, go back and uncheck “Use a proxy server for your LAN”, then try to browse. If you can now reach the web, go to the list of antivirus programs below. These settings are stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings as the ProxyEnable and ProxyServer values; expect the malware to re-enable the proxy until it has been removed, so check again after cleaning.

If opening any program gives you the fake antivirus popup, the .exe file association has been hijacked and you need to reset it. If your operating system is XP, you can download a .reg file from Microsoft that restores the default association here:

https://support.microsoft.com/en-us/help/950505/when-you-run-an-.exe-file-on-a-windows-xp,-windows-vista-or-windows-7-computer-based,-the-file-can-start-a-different-program

3. If none of the above works and you still cannot access websites, you may need to remove the hard drive from the infected computer and “dock” it in (or attach it via a USB adapter to) a clean computer for analysis. Nothing on the docked drive executes, so the malware cannot fight back while you scan the drive with the antivirus programs listed below. You can also load the infected system’s registry hives from the docked drive. If the docked drive is F:, try the following:

Click Start -> Run, type “regedit” and press OK. Expand “My Computer” (if it isn’t already) and click the HKEY_LOCAL_MACHINE key so it is highlighted. Next, load a registry hive from the docked drive: click File -> Load Hive and navigate to the hive files, which are located in F:\WINDOWS\system32\config (the SOFTWARE hive holds the HKEY_LOCAL_MACHINE\SOFTWARE keys listed below; the per-user HKEY_CURRENT_USER keys live in F:\Documents and Settings\<username>\NTUSER.DAT). If your docked drive uses a different letter, replace F: with that letter. Regedit asks you to name the loaded hive and then shows it as a subkey of HKEY_LOCAL_MACHINE under that name, so a key such as SOFTWARE\Microsoft\Windows\CurrentVersion\Run from the infected system appears as HKEY_LOCAL_MACHINE\<name>\Microsoft\Windows\CurrentVersion\Run. When you are done, highlight the loaded hive and choose File -> Unload Hive before disconnecting the drive. See the list of possibly infected registry keys below.

LIST OF ANTI-VIRUS PROGRAMS AND ROGUE SOFTWARE REMOVAL TOOLS

I usually install three or four different virus scanners from the list below to ensure that all viruses, Trojans, and malware are detected and removed.

Here is my priority order:

1. Malwarebytes

2. AVG Free

3. Microsoft Security Essentials

4. Trend Micro HouseCall (free online virus scan)

5. Bitdefender (free online virus scan)

Another tool that shows you everything that starts with your computer (Run keys, Winlogon entries, browser helper objects and the like) is HijackThis. It only lists these entries, so review its log carefully before telling it to fix anything: legitimate entries appear alongside the malicious ones.

IMPORTANT XP REGISTRY KEYS THAT CAN GET INFECTED

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

** Programs listed in these keys are loaded at startup (the HKEY_CURRENT_USER key for the logged-on user only, the HKEY_LOCAL_MACHINE key for every user). Check where each entry points; entries that launch something from a temporary folder or a user profile folder deserve suspicion. **

HKEY_CLASSES_ROOT\.exe

** This key can be changed to load the virus every time a program is started. Its default value must be “exefile”, and the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command must be “%1” %* (including the quotes); anything placed in front of “%1” runs before the program you actually clicked. **

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

** This value must be “C:\WINDOWS\system32\userinit.exe,” including the trailing comma (adjust the path if Windows is installed elsewhere). The value is a comma-separated list, so anything appended after the comma also runs at every logon. **

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

** This value must be “Explorer.exe” **
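The proxy check from step 2 and the registry values in the list above can be checked in one pass over an exported .reg file, for example one exported from a hive loaded off a docked drive (File -> Export in regedit, or `reg export`). The following Python script is an added example written for this page, not code from the original article or from any of the tools it lists; the `.reg` text embedded in it is constructed sample data and the `rogue.exe` paths in it are placeholders.

```python
"""Audit a Windows .reg export for the hijack points covered in this article. Added example,
not code from the original page: parses regedit's export format, then checks the proxy
(step 2), Winlogon Userinit/Shell, the .exe association, and lists the Run keys.
SAMPLE_REG is constructed test data; the 'rogue.exe' paths in it are placeholders."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# HKEY_CLASSES_ROOT is a merged view; an offline SOFTWARE hive holds the same data under Classes.
EXE_ASSOC = (r"HKEY_CLASSES_ROOT\.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe")
EXE_CMD = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
           r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command")
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"  # adjust if Windows is not in C:\WINDOWS

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and double quote with a backslash

def _parse_data(raw):
    raw = raw.strip()
    if raw.startswith('"'):                  # REG_SZ
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):     # REG_DWORD, eight hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw, re.I)
    if m:                                    # hex / hex(type): comma-separated bytes
        data = bytes.fromhex(m.group(2).replace(",", ""))
        return data.decode("utf-16-le").rstrip("\0") if m.group(1) == "2" else data
    return raw                               # e.g. "-" (delete marker)

def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}}; the default value is named ''."""
    keys, current, buf = {}, None, ""
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith("\\"):               # hex data continues on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[-?(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _parse_data(m.group(3))
    return keys

def _get(keys, paths, name=""):  # case-insensitive lookup under the first key path that has it
    for path in paths:
        for n, v in keys.get(path.lower(), {}).items():
            if n.lower() == name.lower():
                return v
    return None

def audit(keys):
    """Return human-readable findings; Run entries are always listed, for manual review."""
    findings = []
    if _get(keys, [INET], "ProxyEnable") == 1:
        proxy = str(_get(keys, [INET], "ProxyServer") or "")
        if re.search(r"127\.0\.0\.1|localhost", proxy, re.I):
            findings.append(f"proxy points at the local machine: {proxy}")
    userinit = _get(keys, [WINLOGON], "Userinit")
    if userinit is not None:
        # comma-separated list: the default is exactly one entry plus a trailing comma
        parts = [p.strip().lower() for p in str(userinit).split(",") if p.strip()]
        if parts != [USERINIT_DEFAULT]:
            findings.append(f"Userinit altered: {userinit}")
    for label, value, expected in (
            ("Shell", _get(keys, [WINLOGON], "Shell"), "explorer.exe"),
            (".exe association", _get(keys, EXE_ASSOC), "exefile"),
            ("exefile open command", _get(keys, EXE_CMD), '"%1" %*')):
        if value is not None and str(value).strip().lower() != expected:
            findings.append(f"{label} altered: {value}")
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            findings.append(f"autostart {name} = {data}  [{key}]")
    return findings

# Constructed sample: proxy hijacked, Userinit appended, exefile command hijacked, and a
# REG_EXPAND_SZ Run entry (hex(2) with a continuation line) next to the normal ctfmon one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\rogue.exe"
"Shell"="Explorer.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\rogue.exe\" \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=hex(2):43,00,3a,00,5c,00,72,00,6f,00,67,00,75,00,65,00,2e,00,65,00,\
  78,00,65,00,00,00
'''

if __name__ == "__main__":
    print("\n".join(audit(parse_reg(SAMPLE_REG))))
```

Run it with no arguments to audit the embedded sample. For a real export, read the file with `open(path, encoding="utf-16")` (regedit 5.00 writes UTF-16 with a byte-order mark; the older REGEDIT4 format is ANSI) and pass the text to `parse_reg`. The script reports only what differs from the XP defaults and lists every Run entry without judging it; deciding whether a Run entry is malicious is still a manual step, as it is with HijackThis.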