Virus Removal on Vista
Procedure used for cleaning up from the 2011 virus challenge
- Log out from the infected account. This stops all processes running under the affected user.
- Switch to another non-privileged account (or make one); do not use a search engine
as a privileged user. Download one or more recent antivirus products,
such as AVG or Malwarebytes, if none are already installed.
- Download AutoRuns from sysinternals.com
- Switch to a privileged (administrator) account, or install the antivirus program(s)
and AutoRuns through the UAC elevation prompt.
Do not enable real-time scanning on more than one A/V package (unless you really want to). Update the A/V databases.
- Scan all files in the affected account's profile directory, particularly AppData (e.g. C:\Users\username\AppData)
and its Roaming subdirectory. Remove or quarantine infected files.
- Run AutoRuns and check for any autorun entries inserted by the malware. Some may be in system services
flagged to run at login, or in HKEY_USERS\userid\Software\Microsoft\Windows\CurrentVersion\Run. Note that
this per-user hive is unloaded to NTUSER.DAT when the user logs out, so regedit
will not show those entries while the user is logged out, but AutoRuns is able to find them.
- Run a full virus scan of the computer
- Rescan the affected account after a couple of days, and again after a week, to re-check for zero-day infections
whose signatures are only added to the antivirus database later.
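As an added example (not part of the original procedure), the following PowerShell script lists the per-user Run and RunOnce autostart entries for every profile on the machine, temporarily loading the NTUSER.DAT of logged-out accounts so their entries can be reviewed the way AutoRuns does. It assumes an elevated (administrator) PowerShell session and uses TmpCleanupHive as an arbitrary temporary hive name.

```powershell
# Added example, not from the original procedure: enumerate per-user Run/RunOnce
# entries for all profiles, loading NTUSER.DAT for users who are logged out.
# Must be run from an elevated PowerShell (reg load/unload need admin rights).
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')

function Get-RunEntries {
    param([string]$HiveRoot, [string]$Label)
    foreach ($sub in $runKeys) {
        $path = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            New-Object PSObject -Property @{
                User = $Label; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = foreach ($prof in Get-ChildItem $profileList) {
    $sid     = $prof.PSChildName
    $profDir = (Get-ItemProperty $prof.PSPath).ProfileImagePath
    if ($sid -notmatch '^S-1-5-21-') { continue }      # real user accounts only, not service SIDs

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # User is logged in: the hive is already loaded under HKEY_USERS\<SID>.
        Get-RunEntries -HiveRoot "HKEY_USERS\$sid" -Label $profDir
    } else {
        # User is logged out: the hive exists only as NTUSER.DAT, so mount it temporarily.
        $dat = Join-Path $profDir 'NTUSER.DAT'
        if (-not (Test-Path $dat)) { continue }
        & reg.exe load 'HKU\TmpCleanupHive' $dat | Out-Null   # assumed temporary hive name
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $dat"; continue }
        try {
            Get-RunEntries -HiveRoot 'HKEY_USERS\TmpCleanupHive' -Label "$profDir (offline)"
        } finally {
            [gc]::Collect()   # release registry provider handles so the unload succeeds
            & reg.exe unload 'HKU\TmpCleanupHive' | Out-Null
        }
    }
}

$results | Format-Table User, Key, Name, Command -AutoSize
```

Compare the listed commands against the files you quarantined; an entry pointing into AppData or Temp for a logged-out user is exactly the kind of leftover that regedit alone would not have shown.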