8/2/2019 How to Remove Viruses Spyware Manually
http://slidepdf.com/reader/full/how-to-remove-viruses-spyware-manually 1/4
July 16th, 2006, 07:15 AM
HOW TO REMOVE VIRUSES/SPYWARE MANUALLY

PROGRAMS NEEDED
The following programs are needed to protect your computer:
• An anti-virus program - Forum recommended are Grisoft AVG antivirus or NOD32.
• Hijackthis - To find suspected viruses.
• Firewall - To block the virus from gaining access to the internet; some viruses can download more harmful material and give annoying pop-ups. Zone-alarm and AVG anti-virus plus firewall is an all-in-one package.
• Registry cleaner - Remove redundant entries of the virus/spyware. Winxp is an excellent program for the job.

INTRODUCTION
Viruses/spyware are everywhere. You may be protected by effective anti-virus software such as AVG 7.1, NOD32, avast etc. As you probably know, even though these programs are very effective they are not impervious against some viruses/spyware. When you do a scan you may see a virus that cannot be removed: the anti-virus program may say "unable to remove" but it will give you the path. So you can use this method to remove hard-to-remove viruses/spyware. Another way of finding these viruses/spyware is using a program known as Hijackthis. This is a saved log from when I was recently infected with a nasty virus:
How To Manually Get Rid Of Viruses/spyware - *Spy Forums
http://forums.ircspy.com/showthread.php?t=32661 (1 of 10) 11/24/2006 1:58:12 PM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\atmclk.exe
N:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
N:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
N:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe
N:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
N:\Software\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - N:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] N:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "N:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [243903c8.exe] C:\WINDOWS\System32\243903c8.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [243903c8.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe
O4 - HKCU\..\Run: [LDM] N:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-887648exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.
O4 - Global Startup: Adobe Reader Speed Launch.lnk = N:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = N:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinkhtml
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://N:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - N:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapdll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
The file "243903c8.exe" has been bolded because that is the virus/spyware that was infecting my computer. The way I knew this was a virus was that my firewall prompted me whether to let the file "243903c8.exe" access the internet. After researching the file I knew that this was a virus. In the next section we will see how to manually remove these viruses/spyware.
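As an added example (not part of the original post), here is a small Python script that reads HijackThis O4 (Run-key) lines like the ones in the log above and flags entries with the traits that mark 243903c8.exe: a random-looking hex file name, a file running out of the user profile's Local Settings\Application Data folder, and the same value name registered under both HKLM and HKCU. The sample lines are constructed from the log above; the heuristics, the hex-name threshold and the list of profile directories are my own assumptions, not anything HijackThis itself reports.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input (not a verbatim capture): six O4 lines in HijackThis
# format, modelled on the log in the post above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [243903c8.exe] C:\WINDOWS\System32\243903c8.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [243903c8.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe
"""

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Unquoted command line: keep everything up to the first executable extension.
EXE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s.*)?$', re.IGNORECASE)

# Folders a normal installer rarely uses for an auto-start binary (assumption).
PROFILE_DIRS = ('\\local settings\\application data\\',
                '\\local settings\\temp\\',
                '\\application data\\')


def parse_o4(line):
    """Return {'hive', 'name', 'path'} for one O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):               # quoted path; arguments follow the closing quote
        path = cmd[1:cmd.index('"', 1)]
    else:
        e = EXE_RE.match(cmd)
        path = e.group('path') if e else cmd
    return {'hive': m.group('hive'), 'name': m.group('name'), 'path': path}


def looks_random(path):
    """True if the file name stem is a run of 8 or more hex digits, e.g. 243903c8."""
    return re.fullmatch(r'[0-9a-f]{8,}', PureWindowsPath(path).stem.lower()) is not None


def triage(log_text):
    """Return the suspicious O4 entries, each with the list of reasons it was flagged."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    name_count = Counter(e['name'].lower() for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if looks_random(e['path']):
            reasons.append('random-looking hex file name')
        if any(d in e['path'].lower() for d in PROFILE_DIRS):
            reasons.append('runs from the user profile data directory')
        if name_count[e['name'].lower()] > 1:
            reasons.append('same Run value name in more than one hive')
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f['hive']} [{f['name']}] {f['path']}\n    " + '; '.join(f['reasons']))
```

Run against the sample it flags only the two 243903c8.exe entries; the legitimate AVG, Java, ctfmon and Skype entries pass. The output is a list of things to research, as the post does with its firewall prompt, not a verdict: a legitimate program can also register the same value name in both hives.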
HOW TO REMOVE THE VIRUSES
1. Before you do anything turn off system restore, as these programs are programmed to get in there. To do this go to: control panel --> System --> System Restore --> then tick "turn off system restore on all drives".
2. First of all write down the path given by the anti-virus program or the Hijackthis log. In this case it is:
O4 - HKLM\..\Run: [243903c8.exe] C:\WINDOWS\System32\243903c8.exe
O4 - HKCU\..\Run: [243903c8.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe
3. The next step is to boot the computer in "safe mode with command prompt". To do this, when restarting the computer repeatedly press the F8 button. (Note: some keyboards need you to press the "f-lock" button to use the F keys.) A screen with options will come up such as "boot in safe mode" etc. Select "boot in safe mode with command prompt" with your navigation buttons.
4. You will be prompted to log in to an account. (Note: log into an account which has administrator capabilities.)
5. Ok so now you have been booted in the C drive. We have two viruses in this case and therefore must perform step 5 twice. The two viruses are:
Virus 1 - HKLM\..\Run: [243903c8.exe] C:\WINDOWS\System32\243903c8.exe
Virus 2 - HKCU\..\Run: [243903c8.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe
Virus 1 - the path for virus one is C:\WINDOWS\System32\243903c8.exe. We don't want to execute 243903c8.exe but just want to go to the folder it is located in, so we type "C:\WINDOWS\System32" and it will take you to that folder. Then type these exact words "del 243903c8.exe" and it will remove that entry.
Virus 2 - the path for virus two is C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe. Once again we don't want to execute "243903c8.exe", so we must type "C:\Documents and Settings\Administrator\Local Settings\Application Data" and it will take us to that folder. Once again type "del 243903c8.exe" and it will remove that entry. (Note: if you can't find the virus type the word "dir" and it will tell you all files in the folder.)
6. Once finishing step 5 press CTRL+ALT+DELETE, press New Task in the Applications tab and type "explorer.exe" and it will boot Windows.
7. Run Winxp manager's registry cleaner and let it clean the registry and you have now removed a nasty virus/spyware.
8. Run another virus scan just to be safe. If it found nothing, congratulations, you have just removed a nasty virus; if not, start at step 2. (Hopefully a sticky.)
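Steps 2 to 7 above, as an added example that is not from the original post: a Python helper that takes one flagged Run entry (hive, value name, full path) and produces the exact cmd.exe commands to type at the safe mode with command prompt. It uses cd /d (changes drive and folder in one go, with quotes so the spaces in "Documents and Settings" are not a problem), dir /a and attrib so hidden or read-only copies are seen and deletable, and reg delete to remove the Run value itself instead of relying on a registry cleaner. HKxx\Software\Microsoft\Windows\CurrentVersion\Run is the full key that the log's "HKLM\..\Run" abbreviation stands for; the decision to reject an entry that has no folder at all (like SOUNDMAN.EXE in the log) rather than guess where it lives is my own.

```python
from pathlib import PureWindowsPath

# Full key that the HijackThis abbreviation "HKxx\..\Run" stands for.
RUN_KEYS = {
    'HKLM': r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU': r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
}

# Constructed input: the two entries the post identified (hive, value name, full path).
FLAGGED = [
    ('HKLM', '243903c8.exe', r'C:\WINDOWS\System32\243903c8.exe'),
    ('HKCU', '243903c8.exe',
     r'C:\Documents and Settings\Administrator\Local Settings\Application Data\243903c8.exe'),
]


def cleanup_commands(hive, value_name, path):
    """cmd.exe lines, in order, that remove one auto-start file and its Run value.

    Refuses to guess: an entry that gives only a bare file name (no drive) is
    rejected, because cmd.exe would then search PATH and could hit the wrong file.
    """
    p = PureWindowsPath(path)
    if not p.drive or p.parent == p:
        raise ValueError(f'need an absolute path, got {path!r}')
    if hive not in RUN_KEYS:
        raise ValueError(f'unknown hive {hive!r}')
    folder, name = str(p.parent), p.name
    return [
        f'cd /d "{folder}"',                 # /d also switches drive; quotes handle spaces
        f'dir /a "{name}"',                  # /a lists hidden/system files too: confirm it exists
        f'attrib -r -s -h "{name}"',         # clear attributes that would make del fail
        f'del "{name}"',
        f'reg delete "{RUN_KEYS[hive]}" /v "{value_name}" /f',   # remove the auto-start value
    ]


def cleanup_script(flagged):
    """Join the commands for every flagged entry into one batch-style listing."""
    lines = []
    for hive, value_name, path in flagged:
        lines.append(f'rem --- {hive} [{value_name}] ---')
        lines.extend(cleanup_commands(hive, value_name, path))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(cleanup_script(FLAGGED))
```

The script only prints the commands; you still type them at the prompt after reading them. Two caveats the post's wording glosses over: typing a folder path on its own does nothing in cmd.exe, it is cd that changes folder, and reg delete resolves HKCU to whoever is logged in, so the HKCU entry has to be removed while logged into the profile it was found in (Administrator in this log). Safe mode works here because Windows does not process the Run keys in safe mode, so the file is not running while you delete it.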
By king22491
Thanks to JohnSmith331 for the original idea.
Last edited by Jackal : July 16th, 2006 at 10:31 AM.