1) Run Process Explorer (PE) from the flash drive, as administrator, and use it to kill off the active virus processes.
I recommend turning off "Confirm Kill" in PE's options. This speeds up killing processes before they can be respawned. Then kill off (select the process and press the 'delete' key) every virus process you can find.
To identify these processes, look for ones running from packed images (by default PE highlights those purple) or with suspicious names. Also check the attached DLLs (press Ctrl+D if the lower pane isn't already showing them) for every other process, looking for similarly purple or suspicious DLL names.
If you find a core Windows process (smss.exe, wininit.exe, services.exe, lsm.exe, lsass.exe, or winlogon.exe) with infected DLLs attached, you can actually stop these processes without shutting down the computer. For XP, follow Mark Russinovich's guide; for Vista/7 the order goes like this:
- Kill Smss.exe
- Suspend Wininit.exe
- Right-click on Services.exe and kill its process tree
- Kill in this order Lsm.exe, Lsass.exe and Winlogon.exe
- Then you can kill all other processes except Csrss.exe processes
Note that Csrss.exe is the exception: it is a critical process, and terminating it crashes (blue-screens) the machine rather than cleaning it, so if it's infected you are out of luck with this approach. Once you've terminated all suspicious activity and nothing pops back up after about a minute, move on to the next step.
2) The next step can be dangerous, so make a registry backup first using regedit (File > Export) or another tool. Be aware that the next step can toast a Windows installation if you are not careful, and you may end up forced to reinstall Windows.
3) Now that the virus processes are terminated, launch Autoruns. If you had to take out Windows core processes in the last step, you can launch Autoruns directly from PE (File > Run). Click Options->Filter Options in the menu and ensure that 'Verify code signatures' and 'Hide Microsoft entries' are both checked; with signature verification on, the Microsoft filter only hides entries that actually verify as Microsoft-signed, so malware that merely claims "Microsoft" as its publisher stays visible. Refresh Autoruns (F5). Scan the list of startup items for suspicious entries, paying attention to whether or not an entry is signed by its publisher (Autoruns highlights entries whose signature does not verify in pink, and entries whose file is missing in yellow). Uncheck all suspicious entries, which disables them without deleting them, but be careful with Microsoft/Windows ones. If you disable the wrong item, it may prevent the computer from loading a necessary driver or service on boot. If you aren't sure, leave it alone.
4) Trigger a system halt by terminating csrss.exe in PE; as a critical process, killing it crashes the machine immediately instead of going through a normal shutdown. This prevents viruses that hook the shutdown sequence from recreating the startup entries you just disabled.
5) (optional) Perform an offline virus scan. There are plenty of offline scanners that can be run from a flash drive or CD; both AVG and Avira offer this capability. More on this when I post about my offline flash drive tools.
That's it! You should be able to boot the computer normally and be virus-free. Please note that this guide does not cover rootkit detection. This is a rather in depth topic, so I'll cover that in a later post.
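As an added example (my own, not from the original post and not part of the Sysinternals tools), here is a PowerShell script that mirrors steps 1 to 3 as a read-only triage: it exports the registry keys you are about to touch, walks every process and its loaded DLLs, then walks the Run keys and services, and flags images that are unsigned, missing, or not Microsoft-signed and high-entropy (a rough stand-in for Process Explorer's purple "packed image" highlight). Nothing is killed or disabled; the output is the list you would then act on in Process Explorer and Autoruns. The backup directory, the 7.0 entropy threshold, and the "O=Microsoft Corporation" subject match are my assumptions. Run it from an elevated PowerShell whose bitness matches the OS (32-bit PowerShell cannot read 64-bit process modules).

```powershell
# Added example: read-only triage of processes, DLLs, Run keys and services.
# Assumptions: elevated prompt, backup dir under %TEMP%, entropy threshold 7.0.
$ErrorActionPreference = 'SilentlyContinue'
$backupDir = Join-Path $env:TEMP 'regbackup'   # assumption: where exports go

# Step 2: export the keys this cleanup may later change (reg export /y overwrites).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM\SYSTEM\CurrentControlSet\Services') {
    $file = Join-Path $backupDir (($key -replace '[\\:]', '_') + '.reg')
    reg export $key $file /y | Out-Null
}

# Shannon entropy of a file in bits per byte (0..8). Packed or encrypted
# images sit close to 8; plain code and data usually land well below 7.
function Get-FileEntropy([string]$Path) {
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0 }
    $counts = New-Object int[] 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 2)
}

# Pull the executable path out of a service or Run-key command line.
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    # Unquoted path that may contain spaces: grow token by token until a file exists.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $parts[0]
}

# Classify one image on disk: who signed it, and is it likely packed.
# Entropy is only computed for non-Microsoft images to keep the run fast.
function Test-Image([string]$Path, [string]$Source) {
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Source = $Source; Signer = '(file missing)'; Entropy = $null; Path = $Path; Suspicious = $true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/$($sig.Status)" }
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    $entropy = if ($msSigned) { $null } else { Get-FileEntropy $Path }
    [pscustomobject]@{
        Source     = $Source; Signer = $signer; Entropy = $entropy; Path = $Path
        Suspicious = (-not $msSigned) -and (($sig.Status -ne 'Valid') -or ($entropy -ge 7.0))
    }
}

$findings = @()

# Step 1 equivalent: every process image plus every DLL it has loaded.
foreach ($proc in Get-Process) {
    $images = @()
    try { $images += $proc.MainModule.FileName } catch {}
    try { $images += ($proc.Modules | ForEach-Object { $_.FileName }) } catch {}
    foreach ($img in ($images | Where-Object { $_ } | Sort-Object -Unique)) {
        $r = Test-Image $img "process $($proc.Name) (PID $($proc.Id))"
        if ($r.Suspicious) { $findings += $r }
    }
}

# Step 3 equivalent, part 1: the classic Run / RunOnce keys.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # skip PowerShell's own metadata properties
        $r = Test-Image (Get-ImagePath ([string]$p.Value)) "$key\$($p.Name)"
        if ($r.Suspicious) { $findings += $r }
    }
}

# Step 3 equivalent, part 2: services. svchost.exe only hosts; the real code
# is the DLL named in the service's Parameters\ServiceDll value.
foreach ($svc in Get-WmiObject Win32_Service) {
    if (-not $svc.PathName) { continue }
    $path = Get-ImagePath $svc.PathName
    if ($path -match 'svchost\.exe$') {
        $dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters").ServiceDll
        if ($dll) { $path = $dll }
    }
    $r = Test-Image $path "service $($svc.Name)"
    if ($r.Suspicious) { $findings += $r }
}

$findings | Sort-Object Source | Format-Table Source, Signer, Entropy, Path -AutoSize
```

Two caveats when reading the output. First, a valid third-party signature with normal entropy is deliberately not flagged, so a signed dropper with a stolen certificate would pass this filter; Autoruns' pink highlight has the same blind spot. Second, on the Windows PowerShell that shipped with Windows 7 and 8, Get-AuthenticodeSignature does not check catalog signatures, so most Windows system files (which are catalog-signed rather than embedded-signed) report NotSigned and the list fills with noise; Process Explorer and Autoruns do verify catalog signatures, which is why the manual steps above rely on them. On Windows 10 or later the cmdlet handles catalogs and the list is short enough to review by hand.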