Wednesday, October 21, 2015

Reprint: When the Anti-Virus won't run: Manual Virus Removal

Briefly back to tech.
This is also available online but it bears repeating here.
It's also a bit dated since it was written in the days of XP and will work with Windows 7, but getting into Safe Mode for Windows 8 and 10 is another blog post entirely.



When the Anti-Virus Software Won't Run - 

Manually Disabling Viruses in Windows
by Ellen Clary

Note this was written for Windows XP (last edited Jan 2012)
Windows 7 is similar, but will vary
Many of us are now our family's and friends' designated "computer expert" despite whatever you have claimed.  If a computer owned by someone you know is misbehaving you will often get the phone call for help.  

If the computer is running erratically and slowly without the person having done "anything," then one possibility is that the computer has a virus or worm.  So you have them run Symantec (or other) Anti-Virus and you find that it is running very slowly or not at all, or it may run for a short while and then crash.  You are now in what my brother refers to as a chicken/egg situation where the cure for the virus is being hampered by the virus itself.

There are some strategies for manually disabling the virus(es) and thus allowing the Anti-Virus software to run.  These are often presented as last resort options, but I've found that you will save a lot of time if you opt to do them sooner rather than later as many viruses are surprisingly easy to disable (though not all).

Viruses often have two common features:
- they tend to take up a lot of the CPU
    (which actually makes them a poor model of a virus, as a virus should hide itself)
- they often (though again, not always) use the same area in the registry to start up at boot time

First try the Simple Solution
Before you embark on all this, first see if the Anti-Virus software will work in Safe Mode.
It's been my experience that while the AV software will run in Safe Mode it will not necessarily find all the viruses in that mode.

To boot into Safe Mode, press F8 while Windows is starting up, and select Safe Mode with Networking (which turns on some services).  The system should not be running slow at this point, if it is then you likely have a larger problem.

Run an Anti-Virus scan and see if it locates anything.

Reboot the system before the next section.

Killing the running virus
If a computer is running slowly, then it's possible that the system is being hampered by a virus or worm or spyware.  If you suspect this and the anti-virus software won't run or is running slowly enough to make it unusable, then first try to kill the viral process by using the Task Manager.  Press Control-Alt-Delete, and click on Task Manager.  You will likely see a list of processes.  First let's check the obvious.  Click on the Performance tab.  Is the graph maxed out at 100% and staying there?  Now, no offense to those users, but it is rare for someone who is asking you for help to run applications so CPU demanding that they max out the computer (unless the computer is really, really old), so it is likely a virus or other unwelcome program.  Click on the Processes tab to get back the list of processes and then click on the "CPU" heading to sort the display by CPU load (not CPU time).  Look at the process list and see if there is a process besides the "System Idle Process" that has a high percentage (like over 80%) of the CPU.  If so, click on that process (this may take a few tries as the process list tends to change quickly), make a note of the name and the Data line, and then select "End Process" (and click on Yes if it asks "Are you sure?").  You are not doing permanent damage as this is only affecting what's running on the system right now.

Now see how the computer is behaving.  First look at the Performance graph again by clicking on the Performance tab in the Task Manager and see if the graph is no longer stuck at 100%.  If it is looking more normal then try some basic things and see if the computer is behaving as expected.  If so, then run the Anti-Virus program (make sure the virus definitions are current) and it should find the virus and remove it.  If the Anti-Virus program didn't find it, then manually search for the program and rename it (or if it's something obvious like msblast.exe then just delete it.)  

If the computer is not working as expected then reboot it and you will be back to the same broken virus state as before.

If the suspect program is a part of Windows (e.g. explorer.exe) then you may have a program that has been "Trojaned," meaning it has been altered to misbehave.  Either that or you have a virus that is using a program of the same name, but located in a different place.  If it is explorer (the Windows File manager - aka "My Computer"), then to tell the difference, kill the explorer in the Task Manager (yes, you can do this) and see how the system behaves.  If it behaves better, then relaunch the explorer by double clicking My Computer and see if the poor performance returns.  If it does, then sorry, but you will have to reinstall or repair Windows via the Windows installation CD (if you have a bootleg copy go to the store and buy a real copy and consider this your penance).  If it is still ok, then the original Windows program is fine, but you will need to find the viral one and delete it.  This is best left to an Anti-Virus program and, as they say, is beyond the scope of this article.  (We're here to cope, finessing is best left to the experts.)

Get it before it Starts - Editing the Registry
While editing the registry is generally not for the timid, it's often the best way to stop things from going awry at startup.  

[New] The faster way to find startup viruses is to use Start-Run-msconfig while still in Safe Mode.
Click the Startup tab and see if something looks amiss.  Unfortunately it does take an experienced eye to know what that is.  Google can help you identify well-known but strangely named programs.  If something doesn't look right, msconfig will tell you where in the registry or file system the program is located.


Start up the Registry Editor by clicking Start-Run and entering: regedit

First back up the registry in case you make a mistake (not likely, but it can happen).
Make sure "My Computer" at the top of the left window panel is highlighted (so you get a copy of the full registry and not just a part of it.)  Select Registry-Export Registry File, and give it a name that you'll recognize and put it in a location where you can find it if need be.

While viruses can and do use other start up areas, I'm going to list the most common ones, the first being where 70-80% or more of them start up.

Navigation note.  To open a subfolder click the + sign next to the name.
  • Find the area called HKEY_LOCAL_MACHINE
  • Navigate to: Software-Microsoft-Windows-CurrentVersion-Run
  • Make a list of what you see on the right hand window panel including the Data field of what you don't recognize. It's often a good idea to type this up in your favorite text editor as you can cut and paste from it and avoid typos.  Many of the items you'll recognize and don't worry about "Default" as that should be there.
  • Google (if you can get internet access to work) for the ones you don't.
  • If you find that certain programs are Spyware, Adware, Worms, or Viruses, delete them from the registry, which prevents them from starting up at boot time.  This will not remove the virus; it's best to let an Anti-Virus program delete it, or you can search for it manually and rename or delete it.
  • Exit regedit and reboot the system.  Hopefully the computer will be running much better.
Another area to check (though much less commonly used) is:
HKEY_CURRENT_USER-Software-Microsoft-Windows-CurrentVersion-Run
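As an added example (not code from the original article), here is a small Python script that reads the .reg export you made before editing and triages the two Run keys named above: it lists every value under the HKLM and HKCU Run keys, separates names on a small allow-list you maintain from names you still need to look up, and also flags the case from the earlier section where a Windows program name such as explorer.exe is launched from somewhere other than the Windows directory. The allow-list, the Windows-binary names, the directory prefix and the sample export text are constructed for the demo, not data from the article. Nothing is written to the registry; the output is the list the article tells you to type up before deciding what to delete.

```python
"""Triage the Run keys in a regedit export (.reg file).

Added example for this reprint, not code from the original article. The
allow-list, the Windows-binary names, the system directory prefix and the
sample export below are constructed for the demo.
"""
import re
from dataclasses import dataclass

# The two startup keys the article names (HKLM first, HKCU second).
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$", re.I)
# "name"="data" or @="data" for the (Default) value; string (REG_SZ) values only.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

# Constructed allow-list of value names you have already identified as legitimate.
KNOWN_ENTRIES = {"soundmax", "ccapp", "synctime"}
# Constructed: Windows program names that should only launch from the Windows directory.
WINDOWS_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)  # lowercase prefix; covers system32 as well


@dataclass
class RunEntry:
    hive: str  # HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
    name: str  # value name; "(Default)" for @
    data: str  # command line the entry launches, unescaped


def _unescape(s: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> list[RunEntry]:
    """Return every string value under the HKLM and HKCU Run keys."""
    entries: list[RunEntry] = []
    hive = None  # set while inside one of the two Run keys, otherwise None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a key header switches the current key
            m = KEY_RE.match(line)
            in_run = bool(m) and m.group(2).lower() == RUN_PATH.lower()
            hive = m.group(1).upper() if in_run else None
            continue
        if hive is None:
            continue
        m = VALUE_RE.match(line)
        if not m:  # blank line, or a hex:/dword: value we do not triage here
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        entries.append(RunEntry(hive, name, _unescape(m.group(2))))
    return entries


def launched_executable(data: str) -> str:
    """Pull the program path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):  # quoted path, possibly followed by arguments
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.search(r"\.exe(?=\s|$)", data, re.I)  # unquoted path: cut after the first .exe
    if m:
        return data[: m.end()]
    return data.split()[0] if data else ""


def triage(entries: list[RunEntry]) -> list[tuple[str, str, str, str]]:
    """Label each entry 'known' or 'review: ...'; nothing is changed on disk."""
    report = []
    for e in entries:
        exe = launched_executable(e.data)
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in WINDOWS_BINARIES and not exe.lower().startswith(SYSTEM_DIRS):
            verdict = "review: Windows program name launched from outside the Windows directory"
        elif e.name == "(Default)" or e.name.lower() in KNOWN_ENTRIES:
            verdict = "known"
        else:
            verdict = "review: not on the allow-list, look the name and Data up before deleting"
        report.append((e.hive, e.name, exe, verdict))
    return report


def triage_file(path: str) -> list[tuple[str, str, str, str]]:
    # regedit writes "Version 5.00" exports as UTF-16 with a byte-order mark
    with open(path, encoding="utf-16") as f:
        return triage(parse_run_entries(f.read()))


# Constructed sample export; the value names and paths are illustrative only.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\Documents and Settings\\user\\explorer.exe"
"SyncTime"="C:\\WINDOWS\\system32\\rundll32.exe timesync.dll,Sync"
'''

if __name__ == "__main__":
    for hive, name, exe, verdict in triage(parse_run_entries(SAMPLE_EXPORT)):
        print(f"{hive:<18} {name!r:<24} {exe:<58} {verdict}")
```

To run it against your own backup, call triage_file with the path of the export, e.g. triage_file(r"C:\regbackup.reg"). The "review" lines are the ones to Google; a "known" verdict only means the name is on your own allow-list, so keep that list short and add to it only after you have looked a program up.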

Conclusion
Remember that this is just a way to cope.  Once the machine is running well enough, download new virus definitions for their Anti-Virus program (or make them go out and buy one as payment for your time - negotiate lunch out of the deal too) and run a full scan, or if they have a fast internet connection you can have the system scanned online via the Symantec site.  Likely the software will find inactive viruses as well, and if you manually renamed the ones you found it should find those as well as the ones that you merely disabled.  A reputable spyware remover is a good investment too (I've just heard that one person tried Spybot and Pest Patrol and Spybot found many things that Pest Patrol did not).

Give them the usual lecture about not clicking on attachments that they don't expect even from people that they know.  And check on (via separate email or phone) ones that they received from people that they do know.  And never open a .pif or .scr attachment as I've never seen a legit program use them.  Viral emails often have a certain vague, generic look to them that over time they should be able to spot.  

If it was a worm that was causing the problem then consider helping them to install a personal firewall like Zone Alarm or if you're really feeling kind (to them and yourself), configure a screening router for them.

Good luck and know that even if this took some time you have spent a good deal less time on it than waiting for the Anti-Virus software to run on an infected system.  And you probably learned something in the process.  And there's always lunch.


In the Future

To prevent further mayhem, some relatively simple things that you can do:
  • Demote yourself.
    • Create another administrator account (and make sure you can log in as it)
    • Make yourself a regular user and not an administrator
  • Use a router (wireless or not) as they usually screen off traffic that you did not initiate