Virus and Spyware Removal Process
I am assuming that the reader is using a Windows operating system, has administrator rights (is allowed to download and install programs), and knows how to access safe mode. The reader can assume that all recommended software is free for personal use unless specified otherwise.
The difficulty of performing a thorough virus removal on a badly infected machine is often underestimated. It tends to require more than simply running a scan with your favourite antivirus program. I’ll lay out the removal process step by step below, but before you begin, keep in mind that it is a thorough and time-consuming process. The thoroughness is necessitated by the nature of modern infections: if you miss one Trojan horse, your system will quickly return to the same level of infection once the malware re-invites all of its buddies.
Step 1: Determine whether or not you have a virus infection.
Typical virus behaviour may include the following:
* Frequent system error messages
* Hard drive activity (spinning/writing) for no apparent reason
* Lots of network activity, also for no apparent reason
* Difficulty with programs, especially antivirus programs. For example, you may have difficulty updating your antivirus definitions or the program may not start at all.
* Your browser randomly redirects to another web page without any action on your part.
* Your browser prevents you from accessing certain websites, especially to update your operating system or download an antivirus program.
* You begin seeing pop-up ads frequently.
* New and unfamiliar icons appear in your system tray, indicating new programs are running without your knowledge.
* You are denied permission when working on the computer even though you are an administrator.
Also keep in mind that a computer virus is similar to a roach in that there’s rarely just one. By the time you notice one virus, you probably have several.
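The "network activity for no apparent reason" and "unfamiliar programs running" symptoms above can be checked rather than guessed at. The following PowerShell script is an added example, not part of the original post: it lists every established TCP connection together with the owning process, its image path and whether that image carries a valid Authenticode signature, and flags unsigned binaries that run from user-writable locations such as the temp or profile folders. The list of user-writable paths is a constructed assumption for this example; it assumes Windows 8 or later (for Get-NetTCPConnection) and an elevated Windows PowerShell 5.1 prompt so that all processes are visible.

```powershell
# Added example (not part of the original post): triage the "unexplained
# network activity" and "unfamiliar programs" symptoms from Step 1.
# Requires Windows 8 / Server 2012 or later and Windows PowerShell 5.1;
# run elevated so that every process path can be read.

function Get-SuspiciousConnection {
    [CmdletBinding()]
    param(
        # Directories from which legitimate software rarely runs. Constructed
        # list for this example; extend it to suit the machine being checked.
        [string[]]$UserWritablePaths = @(
            $env:TEMP,
            $env:APPDATA,
            "$env:LOCALAPPDATA\Temp",
            "$env:USERPROFILE\Downloads"
        )
    )

    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

    foreach ($conn in $connections) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        $path = $proc.Path   # $null for protected system processes
        $signature = 'Unknown'
        $fromUserPath = $false
        if ($path) {
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
            foreach ($dir in $UserWritablePaths) {
                if ($dir -and $path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $fromUserPath = $true
                }
            }
        }

        [PSCustomObject]@{
            ProcessName   = $proc.ProcessName
            PID           = $conn.OwningProcess
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            ImagePath     = $path
            Signature     = $signature
            FromUserPath  = $fromUserPath
            # An unsigned binary talking to the network from a user-writable
            # folder is the pattern worth investigating first.
            Suspicious    = ($fromUserPath -and $signature -ne 'Valid')
        }
    }
}

# Usage: flagged connections first, then everything else.
Get-SuspiciousConnection |
    Sort-Object -Property Suspicious -Descending |
    Format-Table ProcessName, PID, RemoteAddress, RemotePort, Signature, FromUserPath, Suspicious -AutoSize
```

A "Suspicious" row is a lead, not a verdict; plenty of legitimate updaters are unsigned or live under the profile, so look up the image path and remote address before deciding anything.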
Step 2: Determine the severity of the infection.
Rate the severity of the infection by how far it impedes your normal use of the computer. This will help you decide whether to attempt a virus removal at all or simply back up your data and start from scratch with a format/reinstall. If you can do almost everything you normally could, but you know that you have a virus, the severity might rank as a one on a one-to-ten scale (ten meaning infected on a massive scale). Keep in mind that the worse the infection, the greater the damage caused by ripping it out during the removal process. If you cannot even access your computer in safe mode, consider the severity a ten. In this case, your computer has the equivalent of advanced-stage AIDS and should be formatted.
Step 3: Remove temp files.
Spyware often sits in the temp files, and you can get rid of a lot of malware simply by deleting them. More importantly, however, you will save yourself tons of time when you scan for viruses, because the scanners will not have to trudge through thousands of temporary internet files. When you run five or six scans, the time saved adds up in a hurry. To accomplish this, I recommend running CCleaner. If you cannot install this program, you can also clean out the files by hand: navigate to C:\Documents and Settings\YOURUSERNAME\Local Settings\Temporary Internet Files and delete the unnecessary files there. You might also want to run the CCleaner registry cleanup. Sometimes this will get rid of viral registry keys. Another decent registry cleaner is Registry Mechanic, but only the trial version is free.
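For machines where CCleaner cannot be installed, the manual cleanup can be scripted. The following PowerShell function is an added example, not from the original post or from CCleaner: it measures each temp location first (so you can see how much the scanners would otherwise have to wade through), supports -WhatIf for a dry run, and then deletes what it can. The path list is an assumption for this example, using the modern equivalents of the XP-era "Temporary Internet Files" folder named in the text; adjust it for the account being cleaned.

```powershell
# Added example (not part of the original post): Step 3 by hand.
# Files that are in use (open browser, a scanner mid-run) cannot be deleted
# and are skipped; the report shows what was found, not what was removed.

function Clear-TempLocations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed temp locations; the last two are the Vista+ successors of
        # "Local Settings\Temporary Internet Files" from the text.
        [string[]]$Paths = @(
            $env:TEMP,
            "$env:SystemRoot\Temp",
            "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
            "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"
        )
    )

    foreach ($dir in $Paths) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }

        # Measure before deleting so the report reflects what the scans
        # would otherwise have to trudge through.
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }
        $sizeMB = [math]::Round($bytes / 1MB, 1)

        if ($PSCmdlet.ShouldProcess($dir, "Delete $($files.Count) files ($sizeMB MB)")) {
            Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }

        [PSCustomObject]@{
            Path      = $dir
            FileCount = $files.Count
            SizeMB    = $sizeMB
        }
    }
}

# Dry run first to see what would go, then the real cleanup.
Clear-TempLocations -WhatIf
Clear-TempLocations | Format-Table -AutoSize
```

Run it once per user account that logs on to the machine, since each profile has its own temp and cache folders.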
Step 4: Disable System Restore
Some viruses copy themselves into system restore files to avoid deletion. To remove these, you need to disable System Restore (which is largely worthless anyway in my opinion). Navigate to Start -> Programs -> Accessories -> System Tools -> System Restore. Disable System Restore and make sure all prior restore points are deleted (they should be deleted automatically).
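The same step can be done from the command line, which is handy when the System Restore applet itself has been tampered with. The following PowerShell function is an added example, not from the original post: it counts the existing restore points, disables System Restore on the system drive with Disable-ComputerRestore, deletes the shadow copies that back the restore points with vssadmin, and returns the number of restore points left so you can confirm the purge worked. It assumes an elevated Windows PowerShell 5.1 session (Disable-ComputerRestore and Get-ComputerRestorePoint are not available in PowerShell 7).

```powershell
# Added example (not part of the original post): Step 4 from the command line.
# Requires an elevated Windows PowerShell 5.1 session.

function Disable-RestoreAndPurge {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Drive = "$env:SystemDrive\")

    # Count what is about to be lost. Get-ComputerRestorePoint errors when
    # System Restore was never enabled, hence the error handling.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("{0} restore point(s) present on {1}" -f $points.Count, $Drive)

    if ($PSCmdlet.ShouldProcess($Drive, 'Disable System Restore and delete all restore points')) {
        Disable-ComputerRestore -Drive $Drive

        # Restore points are Volume Shadow Copies; vssadmin removes them.
        # /quiet suppresses the interactive confirmation.
        $letter = $Drive.TrimEnd('\')
        & vssadmin.exe delete shadows "/for=$letter" /quiet | Out-Null
    }

    # Return the remaining count so the caller can verify the purge.
    @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

# Preview, then do it for real and check that nothing is left.
Disable-RestoreAndPurge -WhatIf
$remaining = Disable-RestoreAndPurge
Write-Host "Restore points remaining: $remaining"
```

Re-enable System Restore with Enable-ComputerRestore once the machine is clean if you want a fresh, uninfected baseline to roll back to.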
Step 5: Based on the severity of the infection, plan your method of attack.
The important thing to keep in mind while planning your attack is that no one antivirus or antispyware program will find every infection. Organizations that are paid to remove viruses will use no less than nine or ten different antimalware programs and every single program will find something different. I’ve seen this personally hundreds of times.
Scenario 1: If you are able to access the internet while in safe mode.
If you are able to boot into Windows “safe mode with networking” and access the internet, you have the option of installing antivirus/antispyware software, updating the definitions, and scanning from within safe mode. If so, choose the antivirus/antispyware programs you intend to run and update their definitions to prepare for the next step. Select the anti-malware programs you will run from the list below (programs are listed in NO PARTICULAR ORDER). Install the ones that you have selected and update all of them.
Online Antivirus Scanners:
If you’d like to go the non-free route, I highly recommend Spy Sweeper Antivirus with Antispyware as well as AVG AntiSpyware (formerly Ewido).
Scenario 2: If you are unable to access the internet while in safe mode.
If you are unable to access the internet even while booted into safe mode, your best option is to use a boot disc such as Ultimate Boot CD, Hiren’s Boot CD (which includes a PE), or Bart’s PE. If your situation is severe enough to necessitate this option, you might want to run command-line antivirus scanners first, then boot into a PE and run cleaners and antispyware programs to follow up.
Step 6: Run Antimalware
Now begins the easiest and yet also the most time-consuming part. I recommend selecting two or three of the antivirus programs to run first. If you are working in Windows safe mode, run one scanner at a time. If you are working in a PE or with a boot disc, you can run as many as you want simultaneously. Follow up with multiple (preferably all) of the antispyware programs. Then try running one of the online antivirus scanners. Each scanner should find progressively fewer infections.
Step 7: HijackThis
HijackThis requires a step of its own. This utility is unlike any of the others because it does not automatically detect and remove infections. Instead, it provides you with a cross-sectional look at your system and is ideal for cleaning up after an infection as well as making sure there are no traces left. Run this utility and post the output in a new Taz thread or in one of the many HijackThis support forums to get feedback on what (if anything) should be removed.
Step 8: Run fixes
After your system is clean, it can sometimes be helpful to download and run Dial-a-fix to repair many of the things that viruses tend to screw up in Windows. You may also want to run a winsock fix. In Windows XP SP2 and later (including Vista) you can simply type “netsh winsock reset” at the command line.
ORIGINALLY POSTED BY KEEZEL FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post… we do not sell, publish, transmit, or have the right to give permission for such… TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.