How To Remove Viruses – Part 4

This article assumes that you have already followed Part 3 in this series of posts. We will now look at advanced techniques that may be of help for the confident user.

Step 1 – Check for Master Boot Record (MBR) Infection – The MBR is stored on your hard drive but is kept outside of any partition or volume, which makes it a great place for virus infections to hide: even if you format (delete everything on) your hard drive, the MBR is not erased, so the virus is not erased either.

As soon as you reinstall Windows you will be infected again because the MBR virus is still there. For this reason it is really important that you check the MBR is virus free even if you plan to format and start again from scratch.

Download Avast’s free program aswMBR.exe from here. Follow the instructions on the download page to run it and fix any infections found. You will need to restart your computer after fixing then rerun the tool again to check that no further MBR infection is found.

Warning: the MBR may contain code required by the manufacturer’s software that lets you return your computer to factory settings. Fixing an MBR infection involves erasing the MBR and recreating it with the standard Windows boot code, which will not include any customisation by the manufacturer, so you will no longer be able to use the factory restore method of reinstalling Windows!
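To make the point of Step 1 concrete, here is an added example (not from the original article or from any of the tools it names) that parses a raw 512-byte MBR image, lists the partition entries to show they all start after sector 0, and compares the bootstrap code against a hash recorded on a known-clean machine. The sample MBR is constructed inline; the offsets and the 0x55AA signature are the standard MBR layout, and reading the real sector 0 of a physical disk needs administrator rights.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, start LBA, sector count
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must hold the boot signature


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one active NTFS (type 0x07) partition starting at LBA 2048."""
    assert len(boot_code) <= BOOT_CODE_LEN
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 16 * 3          # remaining three entries unused
    return boot + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap-code hash and the used partition entries from a raw MBR."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                        # type 0 marks an empty entry
            parts.append({"active": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code differs from the hash taken on a known-clean system.

    Formatting a partition rewrites sectors from its start LBA onwards, so sector 0
    (the MBR) is untouched; only a hash comparison like this reveals a tampered MBR.
    """
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


if __name__ == "__main__":
    clean = build_sample_mbr(b"known-good boot code")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = build_sample_mbr(b"modified boot code")
    for p in parse_mbr(tampered)["partitions"]:
        print(f"partition type 0x{p['type']:02x} starts at LBA {p['start_lba']} (not sector 0)")
    print("boot code changed since baseline:", boot_code_changed(tampered, baseline))
```

On a real machine the baseline hash would be recorded right after a clean install and the check repeated before trusting a reinstall, which is the same logic the article's "rerun the tool" step relies on.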

Step 2 – Check For TDSS Rootkits – A rootkit is a type of harmful software that actively hides its presence from Windows (and therefore cannot be found by most antivirus software). It is possible that Malwarebytes or your current antivirus software reports no infection whilst a rootkit still hides in your computer – if it is not removed you will continue to have virus problems and major security issues.

Download the free TDSSKiller program from Kaspersky here and follow the instructions given on the download page to run it. TDSSKiller checks for a certain type of rootkit (TDSS, the most common) and does a good job of removing them, but note that removing a rootkit can be risky and may corrupt Windows so that it no longer starts up.

If any rootkits were found, you will need to restart your computer after fixing then rerun the tool again to confirm they have been removed successfully.

Step 3 – Check For Other Rootkits – Use the free GMER program to check for other types of rootkit – GMER can be downloaded from here. Run the downloaded program and check if any rootkits are outlined in red (see the download page for an example).

Removal of rootkits can be very difficult and risky – there is a video called gmer.wmv on the above download page which shows an example of rootkit scanning and removal but we recommend that you seek expert professional help or back up your documents and reinstall Windows if rootkits are detected.

Step 4 – Final Full Scan

If you have a good antivirus suite like Norton or Kaspersky (see our article on the latest comparisons of antivirus software), update it now and then run a full scan of your computer to check all malware has been removed.