
Removing Fake Anti-Virus Software from Windows by Kevin Abbott
The author cannot take responsibility for any damage caused to your computer as a result of the advice on this web page, and assumes you have a good understanding of the Windows Operating System. This article explains how to remove nuisance Trojans, viruses, and malware from a personal computer.
I provide computer repairs in London and have fixed many computers with stubborn viruses; I am going to explain how to remove viruses that cannot be easily removed with your usual virus removal software. I will use the words virus, Trojan, and spyware interchangeably; they normally all use the same removal process.
Some symptoms you can have are fake/scam anti-virus programmes that will run when opening any executable (.exe) file and stop you from browsing other websites until you have paid. I can’t stress enough how important it is that you do NOT pay. No real anti-virus programme would force you to pay for Internet access.
Here are some steps you could try to fix the problem.
(We presume you can log on and see the Windows Desktop; if not, please go to step 4)
1. Turn on your computer and keep tapping the F8 key until you get the boot menu and select: “Safe Mode with Networking”
2. When you can see the Windows desktop, click Start -> Control Panel -> Internet Options -> Click the “Connections” tab -> Click the “LAN Settings” button. Under the “Proxy Server” heading, if “Use a proxy server for your LAN” is ticked then click the “Advanced” button. If the HTTP item has an address like “localhost” or “127.0.0.1” then you may be infected. To test, go back and un-tick “Use a proxy server for your LAN”.
Try and connect to the Internet. If the fake anti-virus programme stops appearing and you can browse the web then go to the list of anti-virus programmes below.
If the above doesn’t work and you are still infected with a virus then your .exe file association needs to be fixed. If you are using Windows XP then you can download a .reg file to revert back to default here: http://www.dougknox.com/xp/file_assoc.htm
When you have done this, open your browser and see the list of virus removal tools below that you can download.
3. If you are still infected and can’t open any other programmes, then you will need to remove the hard disk from the infected computer and attach it to another computer for further analysis. You can then scan the drive for viruses, Trojans, and spyware (see list of anti-virus programmes below). You will probably need to open registry files from the attached drive.
If your attached drive is F:, try the following:
Click Start -> Run -> type “regedit” and press OK. Then expand “My Computer” and click the HKEY_LOCAL_MACHINE key so it is highlighted. You need to open the registry hive from your attached drive. Click File -> Load Hive, then navigate to your registry files; they will be in F:\WINDOWS\system32\config. If your attached drive is using a different letter then replace F: with your attached drive letter. See the list of possible infected registry keys below.
MY ANTI-VIRUS PROGRAMMES AND PROBLEM SOFTWARE REMOVAL TOOLS
I install three or four different virus scanners from the list below to make sure that all Viruses/Trojans/Malware are discovered and removed.
Here is the order of priority:
1. Malwarebytes (http://www.malwarebytes.org/)
2. AVG Free (http://free.avg.com/gb-en/homepage)
3. Microsoft Security Essentials (http://www.microsoft.com/Security_Essentials/)
4. Trend Housecall – free on-line virus scan (http://housecall.trendmicro.com/uk/)
5. Bitdefender – free on-line virus scan (http://www.bitdefender.com/scanner/online/free.html)
A tool that can show everything that starts up on your computer is HijackThis. (http://www.bitdefender.com/scanner/online/free.html)
REGISTRY KEYS THAT CAN BE CHANGED TO START MALICIOUS SOFTWARE
HKEY_CLASSES_ROOT\.exe
** This key can be changed to load the virus every time a programme is started **
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
** Programmes within these keys are loaded at start-up **
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
** This key value should be “Explorer.exe” **
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
** This key value should be “C:\WINDOWS\system32\userinit.exe,” **
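A read-only way to check the keys listed above, and the proxy setting from step 2, in one pass from PowerShell. This is an added example, not part of the original article. It assumes PowerShell 3.0 or later and Windows installed in C:\WINDOWS; the function names, the "exefile" default for .exe, and the Internet Settings values (ProxyEnable, ProxyServer) are not taken from the article.

```powershell
# Added example: read-only audit of the registry values this article lists.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null if the key or value is missing; '' as $Name reads the default value.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function New-Finding($Status, $Location, $Value) {
    [pscustomobject]@{ Status = $Status; Location = $Location; Value = $Value }
}

function Get-StartupAudit {
    # Expected values from the article (assumes Windows is installed in C:\WINDOWS),
    # plus "exefile", the Windows default for HKEY_CLASSES_ROOT\.exe (not from the article).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @(
        @{ Path = $winlogon; Name = 'Shell';    Want = 'Explorer.exe' },
        @{ Path = $winlogon; Name = 'Userinit'; Want = 'C:\WINDOWS\system32\userinit.exe,' },
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe'; Name = ''; Want = 'exefile' }
    )
    foreach ($e in $expected) {
        $actual = Get-RegValue $e.Path $e.Name
        # -ieq compares without regard to case, so "explorer.exe" also passes.
        $status = if ($actual -ieq $e.Want) { 'OK' } else { 'CHECK' }
        New-Finding $status "$($e.Path)\$($e.Name)" $actual
    }

    # Step 2: an enabled proxy pointing at this machine is the symptom the article describes.
    $inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-RegValue $inet 'ProxyServer'
    $local = (Get-RegValue $inet 'ProxyEnable') -eq 1 -and $proxy -match 'localhost|127\.0\.0\.1'
    New-Finding $(if ($local) { 'CHECK' } else { 'OK' }) "$inet\ProxyServer" $proxy

    # Run keys: list every entry so unfamiliar programmes can be reviewed by hand.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($run in $runKeys) {
        $key = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($n in $key.GetValueNames()) {
                New-Finding 'REVIEW' "$run\$n" $key.GetValue($n)
            }
        }
    }
}

Get-StartupAudit | Format-Table -AutoSize -Wrap
```

Rows marked CHECK differ from the expected values; rows marked REVIEW are start-up entries to compare against the programmes you know you installed.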
About the Author
Kevin Abbott has been delivering technical solutions for the past 10 years in the Travel, Investment Banking, Media, and IT industries. Currently providing PC Repairs in London at rebootthat.com