Saturday 31 October 2009

What to do when your Windows is infected


Removing a virus infection is rarely a quick job. Anti-virus software helps a great deal and cleans most infections without trouble, but sooner or later you meet a persistent piece of malware that the scanner either cannot remove or that comes straight back after the next reboot. Is that a dead end?

Malware almost always arranges to be loaded again when Windows starts: it adds itself to one of the registry start-up keys, registers as the file handler for a file type so that it runs before any file of that type is opened, or hooks one of the other AutoStart Entry Points (ASEPs) listed below. As long as the infected copy of Windows is the one you boot, the malware is already running when the scanner starts, and it can hide or protect itself. The way out of this dilemma (starting the machine without invoking the malware) is to boot from a clean bootable Windows CD or DVD and work on the infected installation from there, so that none of its autostart entries are executed.

Now the machine is running from the clean boot media and the malware is dormant; so far so good. Running the anti-virus that is installed on the infected system is not the best option, since its files and signatures may themselves have been tampered with. I recommend scanning with an anti-virus (with current signatures) that runs from a USB drive instead. The USB drive must be plugged in before the computer is booted: shut the computer down, plug in the drive, then start up from the CD, because the bootable CD will not recognize a USB drive that was inserted after booting. Make sure the "autorun" option is disabled in the boot environment, just in case the USB drive itself was infected with an autorun worm. Scan the infected installation and get rid of the invader.

I do not recommend using a System Restore point to get the system back, because the restore points usually contain copies of the malware as well (Windows backs up files into the System Volume Information folder, and restoring them simply reinfects the machine). Once the system is clean, turn System Restore off and back on again so that the old, infected restore points are discarded.

Here are the AutoStart Entry Points in Windows:
  1. WIN.INI file:

    A file belonging to the old Windows versions (3.x and 9x) that loads applications and configuration settings at startup. The pertinent lines to check in WIN.INI are the load= and run= lines located under the [windows] heading; on a clean machine they are normally empty.

  2. System.ini File:

    The system.ini file was used in earlier versions of Windows to load device drivers and the Explorer shell. Windows 2000, XP and later keep a stub copy for compatibility but no longer load the shell from it. The pertinent line to check in system.ini is the shell= line located under the [boot] heading, which should name explorer.exe and nothing else.

  3. Startup Folder:

    Anything placed in a Startup folder is launched when the user logs on. The Startup folder of the currently logged-on user can be viewed through the Start menu:
    Start | Programs | Startup .

    On disk, the per-user folder is:

    %USERPROFILE%\Start Menu\Programs\Startup (where %USERPROFILE% expands to the profile directory of the logged-on user, e.g. C:\Documents and Settings\<username> on XP)

    The common startup folder, applicable to all users:

    %ALLUSERSPROFILE%\Start Menu\Programs\Startup

    On Vista and later the same two folders live at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup. Check both folders, and remember that a shortcut can point at a program stored anywhere on the disk.

  4. System Registry Run Keys:

    Windows uses the values stored under specific registry keys to load applications (including malware) when starting up. The values to examine are located in the subkeys Run, RunOnce, RunServices, and RunServicesOnce (the RunServices pair exists only on Windows 9x/ME), located under either of the following registry keys:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

  5. ASEPS Specific to ME, 2000, XP:

    Users running Windows ME, 2000 or XP will also want to check the following registry keys for any unexpected values:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    HKCU = HKEY_CURRENT_USER
    HKLM = HKEY_LOCAL_MACHINE

  6. System Registry - Winlogon:
    Winlogon manages the interactive logon when Windows starts. Pre-Vista, it loads a DLL (the GINA, msgina.dll by default, named by the GinaDLL value) that provides a customizable logon user interface and authentication process; a replacement GINA is loaded before any user logs on. Malware that hooks into Winlogon can be particularly difficult to remove, as even booting into Safe Mode will not deactivate it. The string values that customize the Winlogon process are located in the following registry key; the ones to check first are Shell (normally Explorer.exe), Userinit (normally <systemroot>\system32\userinit.exe, including the trailing comma; anything appended after the comma is launched at every logon) and the DLLName values under the Notify subkey, which register DLLs that are loaded into Winlogon itself:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Winlogon

  7. Active Setup:

    Each subkey below represents an installed component; the program named by its StubPath value is run once per user, at logon, when that component has not yet been recorded under the user's own HKCU copy of the key (or has a newer version there). Because the per-user record is created only after the stub has run, simply deleting the HKCU copy makes the StubPath run again. The pertinent key location is:
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

  8. Upgrades from Windows 9x:

    Users who installed an upgrade version of ME, 2000, or XP over an installation of Windows 9x will also want to check the following registry locations:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

    These locations will contain items migrated from the load= and run= lines of the win.ini file used by Windows 9x: on NT-based Windows they are stored as the Load and Run values of the Windows subkey (...\Windows NT\CurrentVersion\Windows), and that subkey is still honoured on a clean install, so it is worth a look even if the machine was never upgraded.
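As an added example (not code from the original post), the following PowerShell script applies the offline approach from the start of this post to the entry points listed above. With the infected installation mounted, but not booted, from a clean Windows boot CD, it loads the infected SOFTWARE hive and one user's NTUSER.DAT under temporary names with reg.exe, dumps the Run, Policies\Explorer\Run, Winlogon, Active Setup and migrated win.ini values, lists both Startup folders, greps the legacy INI lines, and unloads the hives again. The drive letter D:, the XP-style profile paths, the temporary hive names INF_SOFT and INF_USER and the Add-Finding/Get-AsepValues helpers are assumptions for illustration; apart from mounting the hives the script only reads, and it sticks to PowerShell 2.0 syntax so it runs on the boot environments of the period.

```powershell
# Added example, not code from the original post: review the ASEPs of an
# infected Windows installation that is mounted from a clean boot CD (WinPE or
# a bootable Windows CD), so nothing in the infected hives executes.
# Assumptions (adjust to your setup): infected volume is D:, XP-style profile
# paths, reg.exe and an elevated PowerShell available in the boot environment.

$InfectedRoot = 'D:'
$UserProfile  = "$InfectedRoot\Documents and Settings\Administrator"   # assumed
$AllUsers     = "$InfectedRoot\Documents and Settings\All Users"        # assumed
$Findings     = @()

function Add-Finding([string]$Source, [string]$Name, $Value, [string]$Note = '') {
    $script:Findings += New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Value = $Value; Note = $Note }
}

# Record every value under a key, skipping the provider's own bookkeeping properties.
function Get-AsepValues([string]$KeyPath) {
    if (-not (Test-Path $KeyPath)) { return }
    foreach ($p in (Get-ItemProperty -Path $KeyPath).PSObject.Properties) {
        if ('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' -contains $p.Name) { continue }
        Add-Finding $KeyPath $p.Name $p.Value
    }
}

# Mount the offline SOFTWARE hive and the user's NTUSER.DAT under temporary names.
reg.exe load HKLM\INF_SOFT "$InfectedRoot\Windows\System32\config\software" | Out-Null
reg.exe load HKLM\INF_USER "$UserProfile\NTUSER.DAT" | Out-Null
try {
    $soft = 'HKLM:\INF_SOFT'            # stands in for the infected HKLM\SOFTWARE
    $user = 'HKLM:\INF_USER\Software'   # stands in for the infected HKCU\Software

    foreach ($hive in $soft, $user) {
        # 4 and 5: the Run family and the Policies\Explorer\Run key, in both hives.
        foreach ($sub in 'Run','RunOnce','RunServices','RunServicesOnce','Policies\Explorer\Run') {
            Get-AsepValues "$hive\Microsoft\Windows\CurrentVersion\$sub"
        }
        # 8: the migrated win.ini load=/run= lines (Load and Run values) live here.
        Get-AsepValues "$hive\Microsoft\Windows NT\CurrentVersion\Windows"
    }

    # 6: Winlogon. Shell and Userinit are the classic hijack points; the defaults are
    # Explorer.exe and <systemroot>\system32\userinit.exe, (note the trailing comma).
    $wl = Get-ItemProperty "$soft\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if ($wl.Shell -and $wl.Shell -ne 'Explorer.exe') {
        Add-Finding 'Winlogon' 'Shell' $wl.Shell 'non-default'
    }
    if ($wl.Userinit -notmatch '^[A-Za-z]:\\[^,]*\\userinit\.exe,?$') {
        Add-Finding 'Winlogon' 'Userinit' $wl.Userinit 'non-default'
    }
    if ($wl.GinaDLL) { Add-Finding 'Winlogon' 'GinaDLL' $wl.GinaDLL 'replacement GINA' }
    Get-ChildItem "$soft\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Winlogon\Notify' $_.PSChildName (Get-ItemProperty $_.PSPath).DLLName }

    # 7: Active Setup StubPath entries run once per user at logon.
    Get-ChildItem "$soft\Microsoft\Active Setup\Installed Components" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $stub = (Get-ItemProperty $_.PSPath).StubPath
            if ($stub) { Add-Finding 'ActiveSetup' $_.PSChildName $stub }
        }
}
finally {
    # Drop the provider's key handles so the hives unload cleanly.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload HKLM\INF_USER | Out-Null
    reg.exe unload HKLM\INF_SOFT | Out-Null
}

# 3: Startup folders (per-user and common); -Force also lists hidden entries.
foreach ($dir in "$UserProfile\Start Menu\Programs\Startup", "$AllUsers\Start Menu\Programs\Startup") {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}

# 1 and 2: the legacy INI lines. Any non-empty load=, run= or shell= line deserves a look.
Select-String -Path "$InfectedRoot\Windows\win.ini" -Pattern '^\s*(load|run)\s*=\s*\S' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'win.ini' 'line' $_.Line.Trim() }
Select-String -Path "$InfectedRoot\Windows\system.ini" -Pattern '^\s*shell\s*=\s*\S' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'system.ini' 'line' $_.Line.Trim() }

$Findings | Sort-Object Source, Name | Format-Table -AutoSize Source, Name, Value, Note
```

Read the output with the list above in hand: every entry is a program that would have been started had you booted the infected copy of Windows, so anything you do not recognize is a candidate for removal, and the hive loading step means you can delete the offending value with reg.exe or the registry provider while the malware has never had a chance to run. On a 64-bit installation repeat the HKLM\SOFTWARE checks under the Wow6432Node subkey as well.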

Loading Sequence:

Which key runs first when Windows starts up (this is the order Microsoft documents for the 9x/ME family; NT-based Windows has no RunServices keys but keeps the rest of the order, and by default none of the Run keys are processed in Safe Mode):

  • RunServices / RunServicesOnce - the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce entries are launched concurrently, before anyone logs on. In the event of a conflict, precedence is given to HKEY_LOCAL_MACHINE. These ASEPs may continue loading during and after the logon dialog.

  • Logon dialog (Winlogon).

  • RunOnce, then Run, in the HKEY_LOCAL_MACHINE hive.

  • Run key in the HKEY_CURRENT_USER hive.

  • Startup folder.

  • RunOnce in the HKEY_CURRENT_USER hive.

