I put this virus removal and data recovery page together as a resource for myself and other people who need information on how to do virus and spyware infection removal and data recovery.
I have been doing virus and malware removal for a number of years now and decided to put all the resources, tips and tricks on one page so that I, and anyone who finds this page, don't have to scour the web to find the tools needed to do the job. My goal is to put everything here in one place to make it easier to find and use the most effective tools to get the job done efficiently.
Standard Disclaimer: This information is provided for educational purposes only, so if you don't know what you're doing it is advised that you let a professional do your virus removal or data recovery. You could end up making things worse and permanently destroy your valuable data.
Antivirus Programs
AVG
Everyone seems to have their own favorite antivirus program, whether it's Norton or AVG or AVAST or any of the plethora of antivirus programs. People have found through trial and error what works for them and what doesn't exactly cut the mustard.
For myself, I was originally using an antivirus called F-PROT but have been using the free version of AVG for the past few years and found that for myself, it was the most effective. Some people swear by AVAST but I never liked the GUI they are using that looks like a car radio. As for Norton, let's just say, they have a Norton Removal Tool that Symantec made if you want to remove it from your computer. I would recommend using it because the way Norton binds itself in the Windows registry, just using the add/remove programs in the Windows control panel won't get rid of it.
ClamWin
Lately I have been having good results with a free antivirus called ClamWin. I had a customer who was using AVG on his computer and he got some bad trojans that actually disabled his AVG virus scanner and after trying to uninstall/reinstall AVG, AVG still wouldn't function properly. So instead I installed ClamWin, updated and scanned with it and was able to remove the trojans with ClamWin. I also found that ClamWin seems to run well on older computers as it doesn't take up too many resources.
Also it is not advisable to use two different antivirus programs at the same time as they will conflict with each other and cause other problems for you. There are some exceptions though, such as using Malwarebytes with your current antivirus which seems to work well.
Removal Tools
Malwarebytes
One of the best malware removal tools I have been using recently is called Malwarebytes. Malwarebytes is a virus and malware removal tool which I have found to be very effective when removing the latest fake antivirus trojans such as Antivirus 2009. For people that don't know, there are fake antivirus programs on the web that masquerade as real antivirus programs but in reality are trojan horse viruses themselves. Once installed on your computer they will consume CPU resources and make your system run slower and give you pop up advertising and basically hijack your computer.
To remove these fake antiviruses, download Malwarebytes, install the program and check for updates by clicking on the Update tab and clicking Check For Updates, which will install the most up-to-date database information. After Malwarebytes is updated, select the Scanner tab and perform a quick scan. Depending on how large your hard drive is, the quick scan could take around ten minutes. Once Malwarebytes has completed the scan it will tell you if it found any infections or not. If it finds infections, remove them; Malwarebytes will quarantine them and may reboot your computer automatically to make the virus removal complete when it updates your Windows registry. Once your computer reboots, open Malwarebytes and run it again. I normally run Malwarebytes in the 'Run a quick scan' mode the first time and if I find any viruses I run Malwarebytes again selecting 'Run a full scan' mode so it scans all the files and folders on the hard drive to make sure it has not missed anything.
Trend Micro - Sysclean
Another virus removal tool I have had some success with is called Sysclean from Trend Micro. This isn't a simple download and install file like other programs but consists of a series of different files you have to find and install together in the same folder so all the different plug-in files are used by the Sysclean program. When you run the Sysclean scanner it looks like a DOS antivirus and shows its activity through the Windows command (cmd) window. If you download the Sysclean Package from the Trend Micro website, make sure you also download the other files that go along with it or it will fail to run properly. If you are missing any files, you can find and download everything Sysclean needs by using the search bar on Trend Micro's website.
Spybot Search & Destroy
Another tool I have used for spyware removal is called Spybot Search & Destroy. To use this, download and install it, then update the spyware definitions from the web. Before scanning your computer you need to run the immunize feature, which immunizes your computer against all the latest threats. In the Spybot program the immunization function is done by pressing the green cross at the top of the program and you will see a brick wall graphic run as the immunization is being done. Another spyware scanner is called Ad-Aware Free which I don't use as much anymore but I put it here for reference purposes.
SDfix
SDfix is a trojan removal tool that runs in Safe Mode and I have used this in the past to fix some virus problems. A complete set of instructions and download link can be found on the Bleeping Computer website.
Hijack This
Hijack This is a utility to selectively toggle on and off running processes associated with viruses running from the Windows registry. When you run Hijack This and it shows you suspicious registry keys you can remove them or you can copy the whole registry file list and post it on help forums for other people to look at and give you advice on how to remove them.
Darik's Boot and Nuke
Darik's Boot and Nuke or DBAN is a hard disk wiping utility I use when all else fails and I want to completely wipe a hard disk before reformatting and reinstalling Windows. Call me paranoid if you want to but I don't want any virus hiding out in the free space of a hard disk if I am going to reformat it to start over again. Sometimes viruses have caused so much destruction and havoc that doing this may be the best thing to do.
Damage/Data Recovery
WinSock XP Fix
When you have viruses or spyware on your computer and have finally cleaned them out they may still have corrupted certain Windows system files and cause your computer to no longer have internet access. This WinSock XP Fix tool, when run on a Windows XP computer, resets your Winsock settings to get your network adapter working correctly again.
GetDataBack
Get Data Back for NTFS and FAT is a valuable tool to recover lost or deleted data. I have used this to recover data from crashed hard drives and fix the after effects of deleted files by viruses. This is not a free utility but is well worth it when attempting to do your own data recovery. With the cost of data recovery from an expert service costing anywhere from $300 to $3000 this could pay for itself depending on what value you put on your data. A free version you might want to try is called Undelete Plus.
DriveImage XML
A very valuable and free disk imaging program called DriveImage XML enables you to make a complete image (copy) of your hard drive that you can restore on a blank formatted hard disk later if you have a crashed hard drive or it is too badly damaged by viruses to be fixed. When using this program to back up your hard drive, make sure you don't back up onto the same hard drive you plan on restoring; use an external USB hard drive or another hard disk on a networked computer instead. DriveImage XML saves your whole hard disk as a single .dat file with an .xml file that's used as a table of contents to let you browse the data file. If you are imaging your hard drive to a removable USB drive, first make sure the removable drive is using the NTFS file system and not the FAT 32 file system, because FAT 32 has a single file size limit of 4 gigabytes and this program saves the whole hard drive space in one single file. If the removable drive is using the FAT 32 file system, back up the data on it to another disk and reformat it as an NTFS drive, and then you will have no problem. I found this out when I tried using DriveImage XML with a customer's portable 500 GB USB hard drive and once it hit the 4 gigabyte file limit it stopped with an error message because it was formatted in FAT 32. Most preformatted commercial USB hard disks are formatted as FAT 32 because this file system is compatible with both Windows and Mac computers.
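The destination checks described above can be run before starting an image; this is an added example, not part of DriveImage XML or of the original page. It assumes Windows 8 or later (the Storage module's Get-Partition and Get-Volume) and a local or USB destination, and the function name Test-ImageDestination is hypothetical.

```powershell
# Added example: pre-flight check for a disk-image destination drive.
# Assumes Windows 8+ (Storage module). Function name is hypothetical.
function Test-ImageDestination {
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $SourceLetter,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DestinationLetter
    )

    $problems = @()
    $srcPart = Get-Partition -DriveLetter $SourceLetter -ErrorAction SilentlyContinue
    $dstPart = Get-Partition -DriveLetter $DestinationLetter -ErrorAction SilentlyContinue
    $dstVol  = Get-Volume    -DriveLetter $DestinationLetter -ErrorAction SilentlyContinue

    if (-not $srcPart) { $problems += "Source ${SourceLetter}: is not a local partition." }
    if (-not $dstPart -or -not $dstVol) {
        $problems += "Destination ${DestinationLetter}: is not a local partition."
    }

    if ($srcPart -and $dstPart -and $dstVol) {
        # The image must not land on the physical disk that will be restored.
        if ($srcPart.DiskNumber -eq $dstPart.DiskNumber) {
            $problems += "Source and destination are on the same physical disk."
        }
        # The image is one large file, so FAT32's 4 GB per-file limit will stop it.
        if ($dstVol.FileSystem -ne 'NTFS') {
            $problems += "Destination is $($dstVol.FileSystem), not NTFS."
        }
        # Conservative size estimate: the whole source partition (an assumption;
        # the real image may be smaller if only used space is stored).
        if ($dstVol.SizeRemaining -lt $srcPart.Size) {
            $problems += "Destination free space is smaller than the source partition."
        }
    }

    [pscustomobject]@{
        Source      = "${SourceLetter}:"
        Destination = "${DestinationLetter}:"
        Ok          = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Example: check imaging C: onto a USB drive mounted as E:
Test-ImageDestination -SourceLetter C -DestinationLetter E | Format-List
```

A network share used as the destination has no local partition and will be reported as such, so check its file system on the machine that hosts it.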
Some Other Tips
- Temporarily disable System Restore in the Windows control panel and run your virus scanner to find and remove viruses in the restore partition.
- Try virus scanning in Safe Mode (press F8 before Windows boots) because Safe Mode loads the most basic drivers and you have a better chance of finding and removing viruses in Safe Mode.
- Keep trying different things because virus removal is like a battle that you win using the best techniques and methods and you know you are making progress when you start to see improvements.
- Virus removal can be fairly quick or can take hours or days depending on what type of viruses you are trying to remove.
- Have a pen and paper ready and write down any strange error codes or messages you encounter which can give you clues to what type of virus infection you have and google this code to see what other people did to fix this problem. Don't try to reinvent the wheel if you don't have to. Someone else may have already posted the solution or you can ask a question about your virus problem on a help forum.
- Weigh all the factors and decide whether you should use Darik's Boot and Nuke to erase the hard disk and start from scratch again, reformatting the hard drive and reinstalling Windows. Sometimes it is better to cut your losses when a virus infection is too bad because there are some viruses that are coded to hide themselves and make a reappearance later, especially rootkits.