Virus Removal Tutorial


Below are the tools you will need for this tutorial. Download them to a clean thumb drive, prepared on a machine you trust rather than on the infected PC.




ComboFix
UnHooked Autoruns
GMER
SUPERAntiSpyware
Malwarebytes
Avira AntiVir
Dr. Web LiveCD
CleanUp! 4.0
CCleaner
HijackThis
A blank CD
A Windows XP CD



Remember that some infections are trickier than others, and some are easier to remove than others. This tutorial walks you through removing viruses and spyware of all kinds. Running all of the different scanners will seem like overkill, but it is needed: each product catches things the others miss. Bear in mind that once a rootkit has had the run of a machine, cleaning it in place is never a guarantee. If the box handled anything sensitive (banking, work logins), reinstalling from known-good media is the safer call, and any passwords used on it should be changed afterwards either way.



Warning: during removal it will look as though the Windows desktop has gone. This is expected; just follow the tutorial word for word.

Let's get started.

Before we begin, boot off the Windows CD. At the first screen press R for the Recovery Console. Enter the number shown for the Windows installation you want to log into (usually 1), then press Enter at the administrator password prompt (the password is blank on most home XP machines; if one was set you will need it). You will land at a C:\WINDOWS> prompt. Type the following commands, one per line:

fixboot (type y when prompted to continue)
fixmbr (again, type y when prompted)

fixboot rewrites the partition boot sector and fixmbr rewrites the master boot record; both are favourite hiding places for boot-sector infections. One caveat: fixmbr replaces the boot code with the standard Windows one, so a machine that relies on a third-party boot manager or a vendor recovery-partition boot menu will lose it.

Next, change to your CD drive and into its i386 folder, where the Windows CD keeps compressed copies of the system files, e.g.:

d:
cd i386

Now copy fresh copies of the logon binaries over the ones on the hard drive. The Recovery Console's copy command expands the compressed .ex_ files automatically. Press y at the overwrite prompt for each of the following:

copy winlogon.ex_ c:\windows\system32\winlogon.exe
copy logonui.ex_ c:\windows\system32\logonui.exe
copy userinit.ex_ c:\windows\system32\userinit.exe

These three are replaced because malware commonly patches or swaps them to get itself loaded at every logon, before any scanner runs. Caveat: the copies on the CD are at that CD's service-pack level. If the installed Windows is at a later service pack than the CD, mixing versions can itself cause logon problems; in that case use a CD slipstreamed with the same service pack, or copy the files from c:\windows\ServicePackFiles\i386 instead.

Now reboot and follow the steps below.

1) While the machine boots, keep tapping F8 to bring up the boot menu. Select Safe Mode with Networking.
Note: If the computer won't go into Safe Mode and reboots instead, jump to the Dr. Web section below, then come back to step 1.

2) Insert the flash drive, copy its contents to a folder on the C: drive, then remove the flash drive so that whatever is still running cannot infect it.

3) Run ComboFix.exe. Malware that blocks security tools usually does so by file name, so if it will not run, rename it to "cf.com"; if that will not run, try "cf.bat", and then "cf.pif". You will go through a lot of prompts; click OK to all of them except the offer to install the Microsoft Recovery Console. When it finishes it may reboot the computer. Be sure to boot back into Safe Mode and log into the same account you ran it from. Once back in Windows, let it finish removing what it found and produce its report. Do not click or run anything until the report appears on screen. Then close the log. If the desktop does not come back, press Ctrl+Alt+Del to open Task Manager, click File, New Task, type "explorer.exe" and press Enter. This restarts the desktop so you can continue.
Note: If rootkits are present, the program will tell you before it scans, listing the files it found; click OK. The machine will reboot so it can disable them.

4) Run Malwarebytes (be sure to update its definitions first). Choose a full scan and select all drives except the CD/DVD drive. When it finishes it shows the count of infected files in red. Click "Show Results", then "Next"; the program removes what it found.

5) Repeat step 4 for every user account.

6) Run SUPERAntiSpyware in every account.
Note: On Windows Vista, do not log out; move straight to step 7.

7) Open My Computer, right-click C:, click Properties, then Disk Cleanup. When the cleanup window appears, click the second tab (More Options) and use the System Restore option, which deletes all but the most recent restore point. This matters: copies of infected files captured in earlier restore points would otherwise sit there waiting to be restored, and scanners keep flagging them. Then go back to the first tab, check every box except Microsoft Office setup files, click OK, then Yes.

8) When Disk Cleanup completes, click the second tab of the Properties window (Tools) and click "Defragment Now". Defragment the C: drive.

9) When that finishes, run CCleaner to clean up registry entries and fix errors such as missing file extensions.

10) Reboot and let Windows start normally. Log into the first user account.


11) Install and update Avira. You do not have to register; just uncheck the box at the bottom of the registration screen.

12) Run a full scan. Grab a cup of coffee; this takes a while.

13) If Avira found nothing, you can skip to step 17 (though running Windows Update in step 16 is worth doing on any machine that has been infected, since unpatched software is usually how the infection got in).

14) Run a quick scan with Avira in every user account.

15) Click Start, Run, and type "msconfig" in the Run box. When the System Configuration Utility opens, click the Startup tab (these are startup items, not services). Untick entries as follows: anything with a random-looking name such as asdadasdad.exe; all the auto-start entries for Adobe, Java, QuickTime, Apple and Google; any empty entries; anything named like xpantispyware or WinAntivirus 2007/2008/2009/2010 (rogue "antivirus" products); anything running out of a Temp folder or an Application Data folder; and any other program that neither you nor the computer manufacturer installed. If you are not sure about an entry, look up the file name before disabling it rather than guessing. Click Apply, OK, OK. It will prompt you to reboot; go ahead. After the reboot you will get a notice about the changed startup configuration; check the box so it does not show again and click OK.

16) Go to Windows Update, install the ActiveX control, and when it finishes scanning click "Custom". Make sure all high-priority and optional updates are checked, click "Install Updates" at the top left, then "Install". Repeat this step until no more updates are offered.

17) Removal Complete!
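Step 15 is a judgement call made by eye, and the winlogon/userinit replacement before step 1 is done blind. As an added example that is not part of the original tutorial, the following Python script applies the step 15 rules to a list of startup entries and also diffs the Winlogon Userinit and Shell registry values against what a clean XP install carries. The startup entries and registry values are constructed samples; on a real machine you would paste in the Startup tab contents (or the output of reg query) and the values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The allowlist of known system items and the hypothetical example_loader.exe are assumptions made for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Startup-tab entries ("Startup Item" -> "Command"), in the shape
# msconfig or `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` would show.
# These are made-up examples for this demonstration, not data from a real machine.
SAMPLE_STARTUP = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre6\bin\jusched.exe"',
    "asdadasdad": r"C:\WINDOWS\asdadasdad.exe",
    "XP Antispyware 2009": r"C:\Documents and Settings\User\Application Data\xpantispyware.exe",
    "svchost": r"C:\DOCUME~1\User\LOCALS~1\Temp\svchost.exe",
    "": r"C:\WINDOWS\system32\qwxzk.exe",
}

# Constructed Winlogon values. CLEAN is what a stock XP box carries; INFECTED has a hypothetical
# extra loader appended to Userinit, a common persistence trick (the loader name is made up).
CLEAN_WINLOGON = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"}
INFECTED_WINLOGON = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example_loader.exe,",
    "Shell": "Explorer.exe",
}

# Assumption: a short allowlist of startup items that belong under %WINDIR% on stock XP.
KNOWN_SYSTEM_ITEMS = {"ctfmon.exe"}
# Core process names that never legitimately auto-start from Temp or a profile folder.
CORE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "userinit.exe", "explorer.exe"}
UNNEEDED_VENDORS = ("adobe", "java", "quicktime", "apple", "google")
ROGUE_AV = re.compile(r"xp\s*antispyware|win\s*antivirus\s*20(0[7-9]|10)", re.I)
TEMP_OR_PROFILE = re.compile(r"\\(temp|application data|appdata|locals~1)\\", re.I)
EXE_RE = re.compile(r'^\s*"?(.+?\.exe)', re.I)


def exe_path(command):
    """Pull the executable path out of a command line, ignoring quotes and arguments."""
    m = EXE_RE.match(command)
    return PureWindowsPath(m.group(1) if m else command.strip().strip('"'))


def looks_random(stem):
    """Crude 'random-looking name' test: no vowels at all, or five or more consonants in a row."""
    s = stem.lower()
    return bool(s) and (re.search(r"[aeiouy]", s) is None or re.search(r"[b-df-hj-np-tv-xz]{5,}", s) is not None)


def classify(name, command):
    """Return (verdict, reasons) for one startup entry, following the rules in step 15."""
    path = exe_path(command)
    exe = path.name.lower()
    folder = str(path.parent).lower()
    reasons = []
    if not name.strip():
        reasons.append("empty startup item name")
    if ROGUE_AV.search(name) or ROGUE_AV.search(exe):
        reasons.append("rogue antivirus product name")
    if TEMP_OR_PROFILE.search(str(path)):
        reasons.append("runs from a Temp or Application Data folder")
    if exe in CORE_PROCESS_NAMES and not folder.startswith(r"c:\windows"):
        reasons.append("core Windows process name outside the Windows directory")
    if folder.startswith(r"c:\windows") and exe not in KNOWN_SYSTEM_ITEMS and exe not in CORE_PROCESS_NAMES:
        reasons.append("unknown executable under the Windows directory")
    if exe not in KNOWN_SYSTEM_ITEMS and looks_random(path.stem):
        reasons.append("random-looking file name")
    if reasons:
        return "disable (suspicious)", reasons
    if any(v in command.lower() for v in UNNEEDED_VENDORS):
        return "disable (unneeded updater/launcher)", ["vendor auto-start nobody asked for"]
    return "keep", []


def triage(entries):
    """Classify every entry; returns {name: (verdict, reasons)}."""
    return {name: classify(name, cmd) for name, cmd in entries.items()}


def check_winlogon(values, expected=CLEAN_WINLOGON):
    """Return the Winlogon values that differ from a clean install (case-insensitive compare)."""
    return {k: values.get(k) for k, v in expected.items() if (values.get(k) or "").lower() != v.lower()}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage(SAMPLE_STARTUP).items():
        print(f"{name or '<empty>':30} {verdict:36} {'; '.join(reasons)}")
    print("Winlogon differences:", check_winlogon(INFECTED_WINLOGON))
```

The script separates "suspicious" (random name, rogue AV name, Temp or profile folder, a core process name in the wrong place, an unknown file under the Windows directory) from merely "unneeded" vendor launchers, because the first group is evidence worth writing down before you disable it, while the second is just clutter. A "keep" verdict is only as good as the allowlist, so extend KNOWN_SYSTEM_ITEMS with what your own clean builds carry.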

Dr. Web

Dr. Web is a Linux live CD: you boot off the CD and it starts a small Linux operating system with the scanner built in. Because the infected Windows install is never loaded, malware that hides itself from Windows or blocks scanners cannot interfere. Download the .iso file and burn the image to a disc. Boot off the CD, update the definitions, then run the virus scan. This removes enough to get the system into Safe Mode.



Note: This scan takes a long time but is very effective.



Tips

  • If the computer runs funny (e.g. won't boot into Windows) after any of these scans, grab the Windows CD and boot off it. Press Enter at the first screen, F8 at the next (the licence agreement), then R at the third, and go through setup. It will look exactly like a full Windows install, but it is not: it is a repair install, which rewrites the operating system files while keeping your programs and data. One caveat: a repair install takes Windows back to the CD's service-pack level and removes the updates installed since, so step 16 (Windows Update) has to be repeated afterwards.

  • Run HijackThis to look for entries you do not recognize.

  • To look for hidden services, boot off the Windows CD, press R at the first screen, then 1, then Enter at the administrator password prompt. Type "listsvc" to list the services and drivers with their start types. To disable one, type "disable" followed by the service name. If you aren't sure about a service or it looks questionable, search the web for that file name; the results will usually tell you whether it is malware. This works where the tools run inside Windows may not: the Recovery Console reads the registry offline, with nothing from the infected install loaded, so a rootkit that hides its service from the running system has nothing to hook here.

  • To be sure that the Windows logon screen is not infected: boot off the Windows CD, press R at the first screen, then 1, then Enter at the administrator password prompt. When the command line appears, change to your CD-ROM drive and type "cd i386". Then type "copy winlogon.ex_ c:\windows\system32\winlogon.exe" (and the same for logonui.ex_ and userinit.ex_, as in the section before step 1).
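The last two tips come down to one question: do the logon binaries on disk still match a known-good copy? As an added example that is not part of the original tutorial, here is a Python check that hashes winlogon.exe, logonui.exe and userinit.exe in system32, compares them with the copies Windows keeps in system32\dllcache and ServicePackFiles\i386, and restores a mismatched file from the reference copy, which is what the Recovery Console copy command above does by hand. It runs against a throwaway fake Windows directory built inline (constructed data, including a made-up tampered userinit.exe); to use it for real, point compare_logon_binaries at the Windows folder of the infected disk from a live CD or a second machine, never from the infected Windows itself. The reference directories are an assumption: dllcache is only intact if Windows File Protection was left alone, and ServicePackFiles only exists once a service pack has been installed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

LOGON_BINARIES = ("winlogon.exe", "logonui.exe", "userinit.exe")
# Assumption: reference copies live here, relative to the Windows directory. dllcache is the
# Windows File Protection cache; ServicePackFiles\i386 exists once a service pack is installed.
REFERENCE_DIRS = (Path("system32") / "dllcache", Path("ServicePackFiles") / "i386")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_logon_binaries(windir):
    """Compare each logon binary in system32 with its reference copies.

    Returns {name: "matches reference" | "MISMATCH" | "missing" | "no reference copy"}.
    """
    windir = Path(windir)
    report = {}
    for name in LOGON_BINARIES:
        live = windir / "system32" / name
        if not live.is_file():
            report[name] = "missing"
            continue
        refs = [windir / d / name for d in REFERENCE_DIRS if (windir / d / name).is_file()]
        if not refs:
            report[name] = "no reference copy"
            continue
        live_hash = sha256_file(live)
        report[name] = "matches reference" if any(sha256_file(r) == live_hash for r in refs) else "MISMATCH"
    return report


def restore_from_reference(windir, name):
    """Overwrite system32\\<name> with the first reference copy found (what the Recovery Console copy does)."""
    windir = Path(windir)
    for d in REFERENCE_DIRS:
        ref = windir / d / name
        if ref.is_file():
            shutil.copy2(ref, windir / "system32" / name)
            return ref
    raise FileNotFoundError(f"no reference copy of {name} under {windir}")


def build_constructed_windir():
    """Create a throwaway fake Windows directory (constructed data, not real binaries).

    The reference copies are 'clean'; system32\\userinit.exe has extra bytes appended,
    standing in for a patched loader.
    """
    root = Path(tempfile.mkdtemp(prefix="fake_windir_"))
    clean = {name: f"clean contents of {name}".encode() for name in LOGON_BINARIES}
    for d in (Path("system32"), *REFERENCE_DIRS):
        (root / d).mkdir(parents=True, exist_ok=True)
        for name, data in clean.items():
            (root / d / name).write_bytes(data)
    (root / "system32" / "userinit.exe").write_bytes(clean["userinit.exe"] + b"\x90\x90 hypothetical patch")
    return root


if __name__ == "__main__":
    windir = build_constructed_windir()
    before = compare_logon_binaries(windir)
    print("before:", before)
    for name, status in before.items():
        if status == "MISMATCH":
            print("restoring", name, "from", restore_from_reference(windir, name))
    print("after: ", compare_logon_binaries(windir))
    shutil.rmtree(windir)
```

Read the result with the right amount of trust: a MISMATCH is a strong signal, but a match is weaker, because malware that patched dllcache as well will look clean here, which is exactly why the tutorial goes back to the CD for its copies. Compare only against the same service-pack level; a file from an older CD will differ from the installed SP3 copy for perfectly legitimate reasons.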