As a computer technician I deal with viruses and spyware all the time; some of them are easy to get rid of, and some of them are just a pain in the neck. The other day I got a call from a customer for a virus removal, and after trying to remove the virus for a couple of hours I realized I was in big trouble. Normally, what I do after battling a virus for two hours without success is back up the data on the computer and do a complete rebuild, but this time I was too angry to do that; I was determined to root out the virus regardless of how long it might take.
This is my normal procedure for removing a virus, from basic to advanced.
Download Malwarebytes from http://malwarebytes.org/, update it, and do a full scan. If it's a "weak" virus or spyware, this should remove it. In my case the virus completely killed the mbam.exe file in Malwarebytes, so there was no way I could run it. I tried changing the name of the executable to outsmart the killing monster, but it was futile.
Restart the computer in safe mode and run a full scan with Malwarebytes. When you start the computer in safe mode only a minimal set of drivers and services is loaded, and most of the time malicious software does not run, so there is a good chance that any virus or spyware file will be quarantined from there. The caveat is that malware which has registered itself in the safe-boot service list, or hooked something that does load in safe mode, will still be running. In my case it was still the same: I tried to reinstall Malwarebytes and run it, but it was immediately killed by the virus again. So even in safe mode, this virus was being loaded into memory.
Boot the computer from my Hiren's BootCD flash drive and run a full scan with the SuperAntiSpyware tool. Hiren's BootCD comes with Mini Windows XP, which lets you boot into a Windows-like environment from removable media, pretty much the way a normal Windows does. Because the infected system's own drivers and services never start, the malware cannot kill the scanner, although it can still evade the scan if the scanner does not recognize it. SuperAntiSpyware gets pretty good reviews on the web, so I guess it's not that bad, but in my case it did not find anything. The virus was still there, and I was getting anxious.
Download and run ComboFix. ComboFix is a very powerful but dangerous virus and spyware removal tool (it makes deep changes to the system, so have a backup first), so I only use it when I have almost exhausted the other tools available. When I downloaded ComboFix and ran it in normal Windows mode it was immediately killed, but after rebooting the computer in safe mode and renaming ComboFix.exe to CF.EXE I was able to run it and remove the nasty virus.
Another thing I tried before running ComboFix was to spot the virus manually using Process Monitor from Microsoft Sysinternals, but it was killed on launch as well. What a nasty virus!
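The trick that finally worked above, renaming the tool so the malware no longer recognizes it, can be scripted. The following is an added example written for this page, not code from the original post or from any of the tools it mentions. It copies a removal tool to a random file name, launches the copy, and reports whether the process is terminated within a few seconds, which is exactly the symptom described for mbam.exe, ComboFix.exe and Process Monitor. It also reads the Image File Execution Options "Debugger" value for the original executable name, one well-known way malware blocks a tool by name; the post does not say that is what this particular infection did, so treat it as an extra check. The tool path is an assumption; adjust it to wherever you saved the tool.

```powershell
# Added example, not code from the original post. Launch a removal tool under a
# random file name (the trick the post uses by hand) and report whether something
# terminates it within a few seconds.
# $ToolPath is an assumed location; adjust it. Run from an elevated prompt.
param(
    [string]$ToolPath = 'C:\Tools\mbam.exe',   # assumption: where the tool was saved
    [int]$WatchSeconds = 15
)

function Get-IfeoDebugger {
    # An Image File Execution Options "Debugger" value redirects every launch of
    # that exe name, which is one well-known way malware blocks tools by name.
    # The post does not say this is what it hit; it is simply a check worth doing.
    param([Parameter(Mandatory)][string]$ExeName)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"
    if (-not (Test-Path -Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
}

function Start-RenamedTool {
    # Copy the tool into %TEMP% under a random name and start that copy, so anything
    # matching on the original file name (mbam.exe, ComboFix.exe, Procmon.exe) is
    # sidestepped. Then poll HasExited to see whether it dies early anyway.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Seconds = 15
    )
    if (-not (Test-Path -Path $Path)) { throw "Tool not found: $Path" }

    $randomBase = [System.IO.Path]::GetRandomFileName().Split('.')[0]
    $copy = Join-Path -Path $env:TEMP -ChildPath "$randomBase.exe"
    Copy-Item -Path $Path -Destination $copy -Force

    $started = Get-Date
    $proc    = Start-Process -FilePath $copy -PassThru
    $procId  = $proc.Id
    while (((Get-Date) - $started).TotalSeconds -lt $Seconds) {
        Start-Sleep -Milliseconds 500
        if ($proc.HasExited) {
            return [pscustomobject]@{
                Copy        = $copy
                ProcessId   = $procId
                KilledEarly = $true
                ExitCode    = $proc.ExitCode
                RanFor      = [math]::Round(((Get-Date) - $started).TotalSeconds, 1)
            }
        }
    }
    return [pscustomobject]@{
        Copy        = $copy
        ProcessId   = $procId
        KilledEarly = $false
        ExitCode    = $null
        RanFor      = $Seconds
    }
}

$exeName  = Split-Path -Path $ToolPath -Leaf
$debugger = Get-IfeoDebugger -ExeName $exeName
if ($debugger) {
    Write-Warning "IFEO Debugger is set for ${exeName}: $debugger (launches of that name are redirected)"
}

$result = Start-RenamedTool -Path $ToolPath -Seconds $WatchSeconds
$result | Format-List

if ($result.KilledEarly) {
    # Renaming did not help, so the killer is not matching on the file name alone.
    # This is the point at which the post falls back to safe mode and boot media.
    Write-Warning "Copy exited after $($result.RanFor) s; try the same launch from safe mode or from boot media."
}
```

Two caveats when reading the result: a tool that legitimately finishes within the watch window (a console scanner with nothing to do, or one that prompts and exits) will also show KilledEarly, so use it with interactive tools like the ones above; and if the original executable has already been deleted from disk, as happened to mbam.exe here, copy from a fresh download on clean media rather than from the infected machine.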