Manually remove viruses – Part 1

Now we will see how we can remove viruses manually, because sometimes the antivirus we installed does not seem to do its job. This is where we have to do it the hard way. The first thing you have to do is to locate the viruses running in memory. Press Ctrl-Alt-Del to get the Task Manager. Look for suspicious processes in that list, if you are familiar with the process list of your system (if you are not familiar, then all of them are suspicious). Then look up the suspicious processes in Google and find out information on them. If the information (if you trust it) says that the process is dangerous, right-click on the entry and, in the menu that pops up, click “End Process Tree”. Similarly, end all suspicious processes.


My Windows Task Manager

Some viruses will deny your access to the Task Manager. If so, go to ‘Start > Run > cmd.exe’, type in ‘tasklist’ and press Enter. Again you will get the list of running processes. Here you will have to use the command ‘taskkill’ to kill a running process. Type in ‘taskkill /?’ for info on the command. For example, if you have Notepad running, you can kill that process by typing “taskkill /im notepad.exe” and pressing Enter, where ‘/im’ means that the input is a process image name.


Tasklist in console

Please remember that System (PID 4), System Idle Process (PID 0), winlogon.exe, services.exe, lsass.exe, svchost.exe, smss.exe, … are legitimate Windows processes. It is advised not to touch any processes running under SYSTEM, NETWORK SERVICE or LOCAL SERVICE unless you are confident and familiar with these things.

You can also get a full-permission Task Manager for temporary purposes from [link]. I have personally checked the program. It gives you access to the Task Manager by double-clicking it, when Ctrl-Alt-Del is denied by the virus.

Assuming that this stage is a complete success, we have stopped all running virus programs, and thus, hopefully, stopped the virus from making all our efforts go to waste.
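The steps above boil down to a checklist: read the process list, leave the core Windows processes alone, and treat any svchost.exe that runs under something other than SYSTEM, NETWORK SERVICE or LOCAL SERVICE as suspect (the rule the post and the comments give). The following script is an added example, not part of the original post and not a tool the post links to. It parses the CSV form of `tasklist /v` (the `/fo csv` switch is a real tasklist option) and applies those rules; the process listing embedded in it is constructed for the example, not captured from a real machine, and the account names, PIDs and the `PC\john` user are made up.

```python
"""Triage helper for the manual-removal steps: parse `tasklist /v /fo csv`
output and apply the post's rules (protect core processes, flag svchost.exe
running under a non-service account). Added example with constructed data."""
import csv
import io
import subprocess
import sys

# Accounts under which svchost.exe legitimately runs (SYSTEM, NETWORK SERVICE,
# LOCAL SERVICE); tasklist prints them with the NT AUTHORITY prefix.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
}

# Core Windows processes the post says not to touch.
PROTECTED = {
    "system idle process", "system", "smss.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "lsass.exe",
}

# Constructed sample of `tasklist /v /fo csv` output (not a real capture).
# The last svchost.exe row runs under a user account, the tell-tale the post
# describes; the other svchost rows look like a normal XP box.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\\SYSTEM","1:02:03","N/A"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:10","N/A"
"smss.exe","540","Console","0","388 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"winlogon.exe","640","Console","0","3,412 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"services.exe","684","Console","0","3,104 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"lsass.exe","696","Console","0","1,200 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"svchost.exe","860","Console","0","4,888 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"svchost.exe","940","Console","0","4,204 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1036","Console","0","21,340 K","Running","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"svchost.exe","1112","Console","0","3,516 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"explorer.exe","1548","Console","0","18,320 K","Running","PC\\john","0:00:12","Manually remove viruses - Part 1"
"notepad.exe","1924","Console","0","3,020 K","Running","PC\\john","0:00:00","Untitled - Notepad"
"svchost.exe","2208","Console","0","1,544 K","Running","PC\\john","0:00:00","N/A"
'''


def parse_tasklist(csv_text):
    """Turn the CSV tasklist prints into a list of dicts keyed by the header
    names, with PID converted to int so it can be compared numerically."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["PID"] = int(row["PID"])
    return rows


def is_protected(image_name):
    """True for the core Windows processes that must be left alone."""
    return image_name.lower() in PROTECTED


def svchost_by_account(rows):
    """Count svchost.exe instances per account, to compare against what your
    own machine normally shows (the post's XP box: 4 SYSTEM, 2 NETWORK
    SERVICE, 1 LOCAL SERVICE)."""
    counts = {}
    for row in rows:
        if row["Image Name"].lower() == "svchost.exe":
            counts[row["User Name"]] = counts.get(row["User Name"], 0) + 1
    return counts


def flag_suspicious_svchost(rows):
    """Return (pid, user) for every svchost.exe not running under one of the
    three service accounts; per the post these are the ones to end."""
    return [(row["PID"], row["User Name"]) for row in rows
            if row["Image Name"].lower() == "svchost.exe"
            and row["User Name"].upper() not in SERVICE_ACCOUNTS]


def taskkill_command(pid, rows):
    """Build the taskkill line for a PID (/f forces termination, as the
    comments note). Returns None for unknown PIDs and for protected core
    processes, which taskkill cannot end anyway."""
    for row in rows:
        if row["PID"] == pid:
            if is_protected(row["Image Name"]):
                return None
            return ["taskkill", "/f", "/pid", str(pid)]
    return None


def live_tasklist():
    """Read the real process list; only meaningful on a Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("tasklist is only available on Windows")
    out = subprocess.run(["tasklist", "/v", "/fo", "csv"],
                         capture_output=True, text=True, check=True)
    return parse_tasklist(out.stdout)


if __name__ == "__main__":
    rows = parse_tasklist(SAMPLE_TASKLIST_CSV)
    print("svchost.exe per account:", svchost_by_account(rows))
    for pid, user in flag_suspicious_svchost(rows):
        print(f"suspicious svchost.exe PID {pid} under {user}:",
              " ".join(taskkill_command(pid, rows)))
```

On the constructed listing the script reports the svchost.exe with PID 2208 running under `PC\john` and prints the matching `taskkill /f /pid 2208` line, while refusing to build a kill command for System (PID 4). The account check is the one the post relies on; as the comments point out, a malicious service hosted inside a legitimate SYSTEM svchost.exe will not be caught this way, and `tasklist /svc` is the closest built-in tool for looking inside those.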


9 Responses to “Manually remove viruses – Part 1”

Nice post……..
But one question….

What should we do if the virus’ process name itself is ‘svchost.exe’ ?

Nice question. Usually, the svchost.exe is legitimate Windows program running under the user names SYSTEM, NETWORK SERVICE, & LOCAL SERVICE. My XP runs ‘svchost.exe’ as 4 SYSTEMs, 2 NETWORK SERVICEs, & 1 LOCAL SERVICE. Any svchost running under any other user names, say ‘john’, are viruses. And they should be ended via the task-manager.

Also, if you find svchost.exe in the list on “Start > Run > msconfig > Startup” it is definitely a virus.

But if there is a virus in your system named svchost.exe running, it is most likely that you will not be able to access task-manager, in which case you will have to get the alternate task-manager linked in the post to do the cleaning up.

But there are viruses whose services are running as SYSTEM ‘svchost.exe’ (like w32.welchia.worm, and we can’t kill them via task manager). How do we recognize them?

The number of ‘svchost.exe’ is instantaneous. Multiple svchost.exe files are loaded when a program needs to be grouped from other Windows services. So it’s hard to differentiate.

Dude, I found another process explorer, think it’s good.

This page is useful in the case of ‘svchost’.

The reason is that Windows’ Security/Permission/Access Control mechanisms are compromised. But designs like Unix/Linux are far better in this case. I’m not saying that a Linux virus can’t be written. But the threats are smaller. I agree that Linux viruses are low because it’s used on a small number of desktops.

Your blog is going nice…. well… keep it updated.
I’m a regular visitor and I’ll always comment on your posts.
These posts are really helpful..

Yes the process explorer linked above by you is very useful. And the fact that it is from Microsoft’s site makes it even better.

And yes, what you said about random number of ‘svchost.exe’s is also true. But svchost viruses running under SYSTEM cannot be easily recognized with inbuilt XP tools. The closest thing you can use is “tasklist /svc” in command prompt to get which modules are running the different svchosts. In such extreme cases manual removal may not be practical for a normal user. So additional tools may have to be used. Everyone concerned about viruses and Trojans should download one or more of such tools.

And remember, any process can be killed except core Windows processes like “System Idle Process” and “System”, via the /f switch on taskkill.

We cannot discuss viruses in a higher category, since they will require software programs like anti-viruses for ensuring complete removal. This series (Manually remove viruses) is for relatively simpler viruses that a normal person can hope to remove manually.

And no, this post is not the end, but just the beginning of a grand new series of posts on viruses.

And yes, XP’s security has somewhat been compromised, which is why there are a lot of viruses for it, and also why I need to write this series. Yes, Linux has fewer viruses and better stability. But that doesn’t make it more comfortable to use for above 90% of home users, which is why they can’t even think of switching.

Still a Windows fan ? Amazing…..

I’ve lost in understanding the good about Linux and Free Software.

Take care dude……

Yes, I know what DRM is. And yes, I know how restricted we Windows users are in terms of freedom. People will change. They will go seek out better solutions like Free Software, Open Source, and Linux. Ubuntu developers seem to be doing a good job in making their OS as usable as a Windows OS. It is a good thing. Even I have ordered Ubuntu 8.10 (Intrepid Ibex).

I wonder what they call it next. J* Jackal or J* Jaguar?

But as long as major hardware vendors, game developers and software developers aren’t willing to work for Free (as in cost), Free (as in Freedom), or Open (as in Open Source), and on a completely alien OS like Linux, Windows is here to stay.

For example, hardcore PC gamers have no choice but to stay on Windows if they wanna play. The only thing they can do if they want to get rid of Windows is to buy an Xbox 360 or a PS3 (exclude Xbox if you wanna end the deal with Microsoft and DirectX). Similar is the case for most software users.