After you install them, you MUST update AVG so you have the latest virus database (if you have an Internet connectivity issue, follow this article). If you don't update AVG and you are infected with the latest parasites, you will not be able to detect and clean them effectively, so remember to update, update, update. The same applies to your operating system: released updates address security holes in the system that could allow the malware to come back, and some updates even remove specific infections of system files. You can visit the Windows Update website to check for the updates available for your system.
Now that you have downloaded, installed and updated AVG, your operating system (and other utilities, if installed), print this so you can refer to it later and disconnect your computer from the Internet. This is an important step: it removes one way that malware may use to re-infect your computer.
3) Carefully Look at Windows Add/Remove programs for suspicious programs
• Many spyware threats actually install into your system just like a regular program. Many may appear to be utilities that you think are helpful but in reality aren't. Look for add-on toolbars: while toolbars like those provided by Google, MSN, Yahoo and others are great utilities, there are many more that aren't, and if in doubt check whether the ones you have are parasitic. Other common culprits are search helpers, WinTools, Gator products, IE Helper, Comet Cursor and many others, to name a very few. Peer-to-Peer (P2P) programs are another common source of these, and even the ones that don't come with spyware themselves are a high security risk that may lead to your system being infected or spreading infections like these. Remove all suspicious programs; if you accidentally remove the wrong item, you can always re-install it later.
4) Run Disk Clean-Up
• This actually comes with Windows and has been installed by default since Windows 98. You can find it by clicking the Start button and then going to Programs / Accessories / System Tools / Disk Clean-up. I recommend selecting all of its options except Office Setup Files and Compress Old Files, if you have them; you may select those if you wish, but they aren't as important. This cleans up all of the temporary files so your testing goes faster, and may also delete any spyware hiding there if it isn't already running. On systems that have System Restore, you will need to select the second tab and click the button for clearing it.
These procedures should have cleaned most cases of infection that you will find. Yes, I said MOST, because some infections are very hard to detect and remove. Generally, if you have one of these, you will need the assistance of an expert to get rid of it.
When you believe you are finished, remember to turn System Restore back on if you had turned it off.
Windows itself, by default, hides certain files, system folders and file extensions from the user to make navigation easier. If you have to find an infected file, or just one you are looking for, this can prevent you from finding it. If you wish to change this so that all files on your computer are shown, follow the article: How To Display Hidden Files And Folders.
How to find an embedded infection
AVG detects infections inside archives as well. Since AVG can't determine whether you created the archive or a parasite did, it leaves these alone so you have a chance to recover uninfected files from the archive; you then simply delete the archive when done. Infections inside an archive aren't a direct threat to your system unless the file gets extracted so it can run. AVG Technologies chose this method because it is safer for the data the archive may contain.
For someone new to looking for these embedded infections, the way AVG lists the file can be a little confusing, because the full path/filename must also include the name of the archive that contains it. The following is an example I made up to highlight the information, so you will know which filename to look for and can either extract files and/or delete the correct file. Here the parts are broken out separately; AVG will show them as one string.
The location of the file is C:\Windows\Temp
The archive that contains the infection is InfectedArchive.cab
And the actual infected file inside the archive is InfectedFile.exe
Put together, AVG reports it as C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe. Note the :\ that separates the archive from the file it contains.
After you have recovered any files inside the archive that you want to keep (other than the infected one, that is), simply delete the whole archive. In this example the file to delete would be InfectedArchive.cab.
It looks harder than it really is. Just remember that the file you want to look for is the one named just before the last :\.
Most of the time, you won't have any files to recover inside the archives. The only time this isn't true is when it is an archive you created yourself. If you didn't create it, just delete it and move on.
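As an added example (not AVG's code and not part of this article), the following PowerShell splits a result path written in the notation above into the archive that exists on disk and the member inside it; it also handles nested archives (an archive inside an archive), which the text does not cover. The sample paths are constructed.

```powershell
# Added example (not AVG's code): split an AVG result path written in the
# notation above, e.g. C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe,
# into the archive that exists on disk (the file you delete) and the member
# inside it. Nested archives (archive:\inner.cab:\file.exe) are handled too:
# the outermost archive is the one on disk.
function Split-AvgArchivePath {
    param([Parameter(Mandatory)][string]$ResultPath)

    $sep = ':\'
    # Skip the drive prefix ("C:\") so its colon is not taken for the separator.
    $start = if ($ResultPath -match '^[A-Za-z]:\\') { 3 } else { 0 }
    $first = $ResultPath.IndexOf($sep, $start, [System.StringComparison]::Ordinal)

    if ($first -lt 0) {
        # Not embedded: the reported path is the infected file itself.
        return [pscustomobject]@{
            Embedded = $false; ArchiveOnDisk = $ResultPath; InnerMember = $null; Nesting = 0
        }
    }

    $archive = $ResultPath.Substring(0, $first)
    $rest    = $ResultPath.Substring($first + $sep.Length)
    # Each further ":\" is one more archive level; the last piece is the flagged file.
    $levels  = $rest -split [regex]::Escape($sep)

    [pscustomobject]@{
        Embedded      = $true
        ArchiveOnDisk = $archive      # delete this once wanted files are extracted
        InnerMember   = $levels[-1]   # what AVG actually flagged
        Nesting       = $levels.Count # 1 = file sits directly inside the archive
    }
}

# Constructed sample results (not real scan output):
@(
    'C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe',
    'C:\Users\Me\Downloads\setup.zip:\tools.cab:\helper.exe',
    'C:\Windows\Temp\loose.exe'
) | ForEach-Object { Split-AvgArchivePath $_ } | Format-Table -AutoSize
```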
One of the utilities that can be used for analysis is GMER. I'm not going to get into the use of GMER here since that is covered a bit below and in more detail on the GMER website. You can download GMER from http://www.gmer.net ... please read the information on their site for a better understanding of how to use the utility, and look at the examples they have provided. Even more information about rootkits can be found on the RootKit Revealer webpage that Microsoft has at http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
Gmer - !!!! IT IS A TOOL FOR ANALYSIS - REMEMBER THAT NOT EVERY ITEM IT FINDS IS AN INFECTION !!!! Like any tool, if used improperly it can also do damage, so be very careful with it. - More information in another post below.
- choose the ">>>" tab and then select the "Files" tab
- in the file manager find and highlight the file(s); back them up first with the "Copy" button just to be on the safe side, then remove them using the "Delete" button
- restart computer and run Gmer again
If some rootkit service is detected again and again after following the above steps, or it is not possible to delete it from within Gmer (the Delete option is grayed-out), please follow these steps:
- open Registry Editor (menu Start -> Run -> enter "regedit" and confirm OK)
- find this key:
- find the mentioned rootkit service name in the list, right-click it and choose "Permissions"
- click the "Add" button, enter "Everyone" in the form and click "Check Names"
- confirm the changes by clicking OK, OK...
- now it should be possible to right-click the mentioned service and choose "Delete"
- restart computer and run Gmer again
If the rootkit is still not removed or you have some other suspicions, please provide us with the Gmer scan output:
- after the testing is finished, click the "Save" button
Windows has an area in the registry that is normally used to help debug program issues but also has other uses. Sometimes malware adds an entry to this Windows registry key so that when you try to run AVG or other protection software, the malware or another program is run instead. In these cases, the registry entries that were made must be manually removed so that AVG can work properly.
Please open the Windows Registry Editor
- open menu Start -> Run -> enter "regedit" and confirm OK
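The text does not name the registry key; I assume it refers to Image File Execution Options, the Windows key whose per-program Debugger value makes another executable start in place of the named program. As an added example (not AVG's code and not part of this article), this PowerShell lists such entries for review and previews removal for program names beginning with avg (that name filter is an assumption, not a documented AVG file name).

```powershell
# Added example (not AVG's code). Assumption: the key the text describes is
# "Image File Execution Options" (IFEO); a "Debugger" value under a program's
# subkey makes Windows start that value's executable instead of the program.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; skipped silently where it does not exist.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Lists every IFEO subkey that carries a Debugger value, for review.
function Get-IfeoDebuggerEntry {
    foreach ($root in $IfeoRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['Debugger']) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # program being redirected
                    Debugger = $props.Debugger  # what runs instead of it
                    Key      = $_.PSPath
                }
            }
        }
    }
}

# Removes only the Debugger value, leaving the rest of the subkey untouched.
# Needs an elevated (Administrator) PowerShell; -WhatIf previews the change.
function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Key, [switch]$WhatIf)
    Remove-ItemProperty -Path $Key -Name Debugger -WhatIf:$WhatIf
}

$entries = @(Get-IfeoDebuggerEntry)
if ($entries.Count -eq 0) {
    'No Debugger values found under Image File Execution Options.'
} else {
    # Not every entry is malicious: developer tools legitimately set Debugger too.
    $entries | Format-Table -AutoSize
    # Preview removal for the security software names you care about.
    # The 'avg*' filter is an assumption about the executable names; adjust it.
    $entries | Where-Object { $_.Image -like 'avg*' } |
        ForEach-Object { Remove-IfeoDebugger -Key $_.Key -WhatIf }
}
```

Reading the key needs no special rights, so the listing can be run first to see what is there; only the removal needs an elevated prompt.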