Sticky note on a manual way to find those pesky viruses/trojans/spyware
1. Unplug the network cable.
2. As the currently logged-on user, go to the registry and check under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for weird-looking exe files.
Do a search on the file names on Google and you should find out if they are weird or harmless files.
Delete those weird registry keys.
For those who are concerned about deleting the wrong keys, export the registry keys and save them before deleting.
Take note of the file names and paths so that you can delete them in Windows Explorer when you are in administrator mode.
3. Take note that you should not have this folder: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
If you find it, delete the folder.
4. Go to your task manager and end the tasks with the weird file names. If you have problems ending certain tasks, restart the PC in safe mode and try to end the weird tasks again.
5. This step is to prevent any running software from sniffing your admin password.
6. Now log off the current user.
7. Log on in administrator mode and check under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for weird-looking exe files and delete them.
8. Take note that you should not have this folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
If you find it, delete the folder.
9. Go to your Windows Explorer and delete all the noted weird files.
Do a search for all files created during the period/days when you suspect that the spyware/virus/trojan was launched.
Delete those you deem weird.
10. If it prompts that the file is in use, go to your task manager and end the task for that file. After that, you can delete the file.
11. If you cannot delete the files, boot up in safe mode to delete those files.
12. Now go back to the registry, do a search on all the weird file names noted above and delete them.
13. Check the local services of the PC and stop and disable any weird services. If you are not sure, take a screenshot on another new/clean PC and compare.
14. Check that your local PC administrator password is valid and has not been changed by the virus/spyware/trojan using a password hack.
15. Check that the hosts file of the PC, which should be located at c:\winnt\system32\drivers\etc\hosts, does not contain entries that point anti-virus/Microsoft websites to the invalid loopback address 127.0.0.1.
16. Go through the above steps again to check if the weird files reappear. If they do, it could be due to other exe files and you would have to double-check again.
17. Plug in the network cable.
18. Update Microsoft patches/antivirus and disable file/printer sharing for the local PC if this service is not required.
19. Monitor the PC for at least a few minutes to find out if the weird stuff appears again.
The above steps should get rid of most spyware/viruses/trojans.
As one exe file could be used to create another, take note that you should complete the above steps quickly.
20. After resolving all infected PCs, take a break.
The steps should remove most of that stuff.
For other more powerful viruses/spyware/trojans, there are some other manual ways to do that.
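
The hosts file check in step 15 can be scripted. The following is an added example, not part of the original note: it flags hosts entries that send watched update/anti-virus names to a loopback address, and goes slightly beyond the note by also treating 0.0.0.0 and ::1 as invalid targets. The watchlist, the placeholder vendor domain and the sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist of domain suffixes; replace the placeholder with your AV vendor.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "antivirus-vendor.example")

# Constructed sample hosts file content, not taken from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com update.microsoft.com   # injected
127.0.0.1 download.windowsupdate.com
0.0.0.0         liveupdate.antivirus-vendor.example
192.168.1.10    fileserver
#127.0.0.1      www.microsoft.com
"""

def is_sinkhole(address):
    """True for loopback or unspecified addresses (127.x.x.x, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP address, so not a valid hosts entry
    return ip.is_loopback or ip.is_unspecified

def suspicious_entries(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return (line_number, address, hostname) for watched names sent to a sinkhole."""
    findings = []
    for number, line in enumerate(hosts_text.splitlines(), start=1):
        # Drop the comment part, then split "address name [alias ...]".
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            # Match the suffix itself or any subdomain of it, not lookalikes.
            if any(host == s or host.endswith("." + s) for s in suffixes):
                findings.append((number, fields[0], host))
    return findings

if __name__ == "__main__":
    # On a real machine, read the hosts file from the path in step 15 instead.
    for number, address, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {host} -> {address}")
```

The normal "127.0.0.1 localhost" line and commented-out lines are not reported; any line that is reported should be removed from the hosts file by hand.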