Removing a virus


Ok. Let's say that your PC has been infected with a virus or you believe it has. What should you do now?

  • Before you start, get the latest virus definition file for your antivirus software, or the vendor's removal tool for the virus you believe/know has infected your PC, and have it on the machine already. Safe Mode has no network access unless you pick "Safe Mode with Networking".
  • Turn on your PC, or restart it if it is already on, and as it starts to boot press F8 about once a second until the Windows boot menu appears.
  • If you miss it and Windows starts loading, let it finish and restart properly (CTRL+ALT+DEL, then Shut Down > Restart). Do not press the reset button: cutting the power part way through a disk write can leave the file system corrupted.
  • Select SAFE MODE from the menu and let the PC boot into Windows Safe Mode.
  • Back up your registry: run regedit, choose Export Registry File from the Registry menu, give the export a name and select All as the export range.
  • Still in regedit, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and the same key under HKEY_CURRENT_USER) and delete any value whose command line points to the virus. Note the path in that command line first; it tells you where the file you need to erase lives.
  • Disable System Restore in XP (My Computer > Properties > System Restore tab), otherwise a copy of the infected file stays in a restore point and can be put back later.
  • Run your virus removal software now, or, if you know where the virus files are, erase them with SHIFT+DEL (which bypasses the Recycle Bin) rather than a plain delete.
  • Install any Microsoft security patches for the hole this particular virus uses, so it cannot simply reinfect you.
  • Re-enable System Restore and reboot your machine.
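The registry part of the procedure above, scripted as an added example that is not part of the original page: a PowerShell script (PowerShell 2.0 or later, run from an elevated prompt in Safe Mode) that exports the Run keys before you edit them, lists every autostart command together with whether its executable still exists on disk, and removes a chosen value and its file. The key list beyond the HKLM Run key, the function names and the sample value name "webdialer" are this example's own assumptions.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt (PowerShell 2.0+) after booting into Safe Mode. The key list, the
# function names and the sample value name are this example's own.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step 1: back up the keys you are about to edit (the reg.exe equivalent of
# regedit > Export Registry File). Timestamped folder so nothing is overwritten.
function Backup-RunKeys {
    $dir = Join-Path $env:USERPROFILE ('regbackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    foreach ($key in $RunKeys) {
        $native = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
        $file = Join-Path $dir (($native -replace '[\\:]', '_') + '.reg')
        reg.exe export "$native" "$file" | Out-Null
    }
    return $dir
}

# Step 2: list every autostart value. The Exists column separates live entries
# from leftovers whose file is already gone.
function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # The executable is either a "quoted path" or the first token. An
            # unquoted path with spaces (C:\Program Files\...) will show
            # Exists=False, so check those by hand.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exe     = $exe
                Exists  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# Step 3: remove one value and, optionally, the file it launched. Remove-Item
# never uses the Recycle Bin, so this matches SHIFT+DEL in Explorer. -Confirm
# prompts before each deletion.
function Remove-AutostartEntry {
    param(
        [Parameter(Mandatory=$true)][string]$Key,
        [Parameter(Mandatory=$true)][string]$Name,
        [switch]$DeleteFile
    )
    $entry = Get-AutostartEntries | Where-Object { $_.Key -eq $Key -and $_.Name -eq $Name }
    if (-not $entry) { throw "No value '$Name' under $Key" }
    Remove-ItemProperty -Path $Key -Name $Name -Confirm
    if ($DeleteFile -and $entry.Exists) {
        Remove-Item -LiteralPath $entry.Exe -Force -Confirm
    }
}

$backup = Backup-RunKeys
Write-Host "Run keys exported to $backup"
Get-AutostartEntries | Format-Table Key, Name, Exists, Command -AutoSize

# Removing an entry (hypothetical value name; you will be asked to confirm):
# Remove-AutostartEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'webdialer' -DeleteFile
```

If something goes wrong, double-clicking the exported .reg file in the backup folder merges the original values back. System Restore is still switched off and on by hand through the System Properties dialog as described in the steps.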

Finding a web dialer virus
A web dialer silently dials a premium-rate number through your modem and runs up charges on your phone bill. On Windows machines you can generally find web dialer viruses in the following locations:
Directory structure:
Note: WINDIR means your Windows installation directory, usually C:\WINDOWS or C:\WINNT.

  • Start menu (shortcuts to the dialer, in the current user's and the All Users Start Menu)
  • WINDIR\
  • WINDIR\SYSTEM\
  • WINDIR\SYSTEM32\
  • WINDIR\WINDIALUP\
  • Program Files\dialers\
  • Program Files\webdialer\
  • Documents and Settings\Administrator\Desktop\Mijn Weirdmovies.exe (a file, not a directory; check the Desktop of every profile, not just Administrator)
  • Documents and Settings\Administrator\Start Menu\Mijn Weirdmovies.exe (likewise)


Registry (note that HKEY_CURRENT_USER\RemoteAccess and the Run key also exist on a clean machine; what gives a dialer away is a dial-up profile, value or Run entry you did not create yourself):

  • HKEY_CURRENT_USER\RemoteAccess\
  • HKEY_CURRENT_USER\RemoteAccess\Profile\
  • HKEY_LOCAL_MACHINE\Software\DKSoftware\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_LOCAL_MACHINE\Software\WindowsRTS (value "SerialID")
  • HKEY_CLASSES_ROOT\MS-Connect.Scriptfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Comsoft

File names:

  • msite18.exe
  • webdialer.*
  • wininetd.*
  • Mijn Weirdmovies.exe
  • live_girls.exe
  • instantpleasure.exe
  • 0190Alarm.exe
  • 0190Killer.exe
  • Warn0910.exe
  • SmartSurfer.exe
  • hh.exe (WINDIR\hh.exe is the HTML Help viewer that ships with Windows; only a copy elsewhere, or one that has been modified, is suspect)
  • dc.exe
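The locations and names above, gathered into a read-only sweep as an added example that is not part of the original page (PowerShell 2.0 or later). The directory, key and name lists are transcribed from the page; the Find-DialerArtifacts function, the check of every user profile rather than only Administrator, and the recursive search of the Start Menu folders are this example's own.

```powershell
# Added example, not from the original page: sweep the dialer locations and
# names listed above and print what is present. Read-only; it deletes nothing.
# Lists are transcribed from the page; the scanning logic is this example's own.

$WinDir       = $env:SystemRoot
$ProgFiles    = $env:ProgramFiles
$ProfilesRoot = Split-Path -Parent $env:USERPROFILE   # C:\Documents and Settings on XP

$DialerNames = @(
    'msite18.exe', 'webdialer.*', 'wininetd.*', 'Mijn Weirdmovies.exe',
    'live_girls.exe', 'instantpleasure.exe', '0190Alarm.exe', '0190Killer.exe',
    'Warn0910.exe', 'SmartSurfer.exe', 'hh.exe', 'dc.exe'
)

$DialerDirs = @(
    $WinDir, "$WinDir\System", "$WinDir\System32", "$WinDir\WinDialup",
    "$ProgFiles\dialers", "$ProgFiles\webdialer"
)
# Desktop and Start Menu of every profile (the page names only Administrator).
foreach ($profile in Get-ChildItem -Path $ProfilesRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }) {
    $DialerDirs += "$($profile.FullName)\Desktop"
    $DialerDirs += "$($profile.FullName)\Start Menu"
}

$DialerKeys = @(
    'Registry::HKEY_CURRENT_USER\RemoteAccess',
    'Registry::HKEY_CURRENT_USER\RemoteAccess\Profile',
    'Registry::HKEY_LOCAL_MACHINE\Software\DKSoftware',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\WindowsRTS',
    'Registry::HKEY_CLASSES_ROOT\MS-Connect.Scriptfile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Comsoft'
)

function Find-DialerArtifacts {
    # Files: each listed name (wildcards allowed) in each listed directory;
    # Start Menu folders are searched recursively because shortcuts sit in subfolders.
    foreach ($dir in $DialerDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $recurse = $dir -like '*\Start Menu'
        foreach ($pattern in $DialerNames) {
            Get-ChildItem -Path $dir -Filter $pattern -Recurse:$recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $note = ''
                    # WINDIR\hh.exe is the HTML Help viewer that ships with Windows;
                    # it is only suspect if found elsewhere or modified.
                    if ($_.Name -ieq 'hh.exe' -and $_.DirectoryName -ieq $WinDir) { $note = 'expected: HTML Help viewer' }
                    New-Object PSObject -Property @{
                        Type = 'File'; Location = $_.FullName
                        Detail = ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime); Note = $note
                    }
                }
        }
    }
    # Registry: report each key that is present with its values. RemoteAccess and
    # the Run key exist on clean machines too; look for dial-up profiles, a
    # "SerialID" value, or Run entries you did not create.
    foreach ($key in $DialerKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        $values = foreach ($n in $item.GetValueNames()) {
            $label = if ($n -eq '') { '(Default)' } else { $n }
            '{0}={1}' -f $label, $item.GetValue($n)
        }
        New-Object PSObject -Property @{
            Type = 'Registry'; Location = ($key -replace '^Registry::', '')
            Detail = ($values -join '; '); Note = ''
        }
    }
}

Find-DialerArtifacts | Format-Table Type, Location, Note, Detail -AutoSize -Wrap
```

Run it from Safe Mode before and after the clean-up: anything still reported afterwards, other than the expected WINDIR\hh.exe and your own dial-up profiles, is a leftover to deal with by hand using the removal steps in the first section.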