Removing Infected Files

This section assumes that either you or the virus scanner has identified the infected files.

Research the Virus

Get up on the Web and learn as much about the virus as you can from a reliable source to help in its extraction.

Stop Any Virus Services

Viruses like Remote Explorer install themselves as a Windows NT service. If you have identified the malicious service’s name, go to Control Panel Services Startup Disable. This will prevent the malicious service from automatically re-starting during a reboot.

Boot to the Command-line Mode

Like in the detection process, we are trying to keep the virus out of memory so we can disinfect it. In Windows 3.x, 9x, or NT with FAT partitions, consider booting from a known clean DOS disk and getting to a DOS prompt. NTFS partitions will require a clean NT boot diskette.

Delete and Replace Infected Files

If a virus scanner doesn’t clean the virus out of the host file, you should delete the file and restore from a clean source. Often I’ll rename suspected or identified virus files with a .VIR extension. With that extension, they are not likely to cause further harm, but it allows me to reverse the process if I’m mistaken.

Clean Up Startup Areas

If a virus has modified your startup areas (i.e. registry, WIN.INI, SYSTEM.INI, AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT, DOSSTART.BAT, or Startup group), you will want to clean up those areas. In Windows 98 you can use MSCONFIG.EXE to disable any malicious startup programs. In the other platforms, you will have to manually edit the necessary files.

Replace Registry to Remove Malicious Startup Programs

Most people are not registry experts and don’t feel comfortable making customized changes to the registry. In these cases, it may be easier to restore a previously saved copy of the registry over the virus-modified version in order to stop virus programs from launching on startup. The Registry menu option in REGEDIT.EXE allows complete copies, or just parts, of the registry to be exported and imported.


Restoring an older copy of your registry can cause problems because legitimate changes are also wiped out.

Windows 95 registry restoration

The copies of the Windows 95 registries, SYSTEM.DA0 and USER.DA0 , can be copied over their respective registry cousins, SYSTEM.DAT and USER.DAT . You will need to make sure you used a boot disk to be able to overwrite the registry. The Windows 95 CD-ROM includes a utility called Emergency Recovery Utility (ERU). It can be used to create a Windows 95 emergency boot diskette with copies of your registry and startup configuration files, such as AUTOEXEC.BAT and CONFIG.SYS.

Windows 98 and ME registry restoration

Windows 98 and ME include the Registry Check (Start Programs Accessories System Tools System Information Tools Registry Checker), which can be used to backup your registry at any time. It is also run at each bootup, and if it finds a corrupt registry, it will replace the bad version with a copy. The Registry Checker (SCANREG.EXE) keeps your five most recent registry versions. You can boot to DOS and run SCANREG /RESTORE and restore any of the five copies.

Windows NT registry restoration

Windows NT’s registry editor, REGEDT32.EXE can be used to save and restore parts of, or whole, registries. You can also use the RDISK.EXE program with the /S parameter to back up the registry database to an Emergency Repair Disk. Then you can use NT’s Repair option to restore the registry from disk. Unfortunately, Windows 2000’s RDISK command does not backup the registry as it too large to fit on a single diskette.

Unlike 9x’s ability to automatically make a backup copy of the registry and save each copy to a file after each successful restart, Windows NT stores only part of the registry as a backup. Even stranger, the backup copy is stored in the current registry. The different copies of the HKLM\System hive, which documents which devices and services to start during the NT bootup process, are stored in separate Control Sets. NT usually maintains three different control sets, CurrentControlSet, ControlSet001, and ControlSet002 under the HKLM\System hive. During boot up, NT prompts you with the message, “Select L to load Last Known Good Configuration.” If you choose this option, NT will load the registry settings listed in ControlSet002. Otherwise, ControlSet001 is loaded and becomes the CurrentControlSet.

Using System Recovery Tools

Using most Windows system recovery tool requires that you take the steps to back up, save, and record the system while it is in clean health. These tools do to little to help you after a malicious code attack if you haven’t done your prework first in preparation of a disaster recovery event.

First, always make a system startup diskette during the system’s installation, or at least have one copy on hand from a similar machine. With most Windows operating systems, you can make an emergency recovery diskette that records critical system files and settings. Windows 9x allows you to make one during install. NT 4.0 uses RDISK.EXE /S. Windows 2000 uses Start Programs Accessories System Tools Backup Tools Create an Emergency Repair Disk. The registry in Windows 2000 is too large to fit on one disk. In order to backup the registry, make sure to perform a full tape back up (including backing up the system state). Startup disks can be used to boot the machine and access the disk partition while minimizing the chances that a virus is in memory. The ERD can be used to restore some system files and the registry (not in 2000).

Backing up the system state

Windows 2000, ME, and XP have the ability to backup and restore crucial system files. Windows ME does it automatically, to the disk, every 10 hours of up-time with the System Restore feature. Windows XP does it after every driver replacement or system upgrade. In Windows ME choose Start Programs Accessories System Tools System Restore Choose a Restore Point, and then choose a date when you know your system was clean. Windows will bold all dates that contain a system restore point.

The Windows 2000 system state feature is a part of the MS Backup program and will backup boot files, system files, the registry, and all files protected by WFP. To back up the system state in Windows 2000 use Start Programs Accessories System Tools Backup Backup System State. You can then back up the system state with the MS Backup program. When you restore the system state it is an all or nothing decision. The system state restoration cannot be done on a selective file by file basis.

Windows Recovery Console

The Windows 2000 Recovery Console is a text mode command-line tool that allows an administrator to access the hard disk of a Windows 2000, regardless of the file format used. The Recovery Console allows you to manage files and folders, stop and start services, and repair critical system files (including the registry, boot sector, MBR, and partition table). It is an excellent tool for removing computer viruses. In order to be used, you must install the console after Windows 2000 is already running. Place the Windows 2000 install CD-ROM in your drive, and choose Start Run <CD-ROM drive letter> \i386\WinNT32.EXE /cmdcons and hit Enter. Follow the instructions and restart your PC when prompted.

In certain situations, like a corrupt registry or boot sector, Recovery Console will start automatically and carry out repairs. The console contains many other commands, like CHKDSK, FIXBOOT, and FIXMBR (which are covered elsewhere). Type in HELP at the console prompt for a complete list of commands. After you install the Recovery Console for the first time, it becomes a menu option you can access during bootup by hitting F8.

Restore from a Tape Backup

In the event that you suffer damage due to a malicious mobile code attack, and none of the previous steps helped to remove the virus and repair the damage, restore files from your most recent backup.

Get Malicious Mobile Code now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.