So you’ve got a virus

So you’ve got a virus. Lets skip the recrimination and determine what can be done about it.
Step 1
Check with your Antivirus Vendors latest virus writeups to see if you can identify what your are infected with.
Step 1B Check other vendor’s sites.
Trend Micro
If you can determine what you are infected with, they should have cleaning instructions, probably a manual cleaning process, but they may have a cleaning utility.
Step 2
Its a new virus. You couldn’t determine what it was much less how to clean it. Looks like its time for some reconnaissance.
This is where knowing what should automatically run with your system comes in handy. We need to check what starts automatically on your system. The most obvious vanilla place a virus could be is in the run key in the registry. Open regedit and look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If you know your system, you may recognize something that should not be there.
Of course there are many other places something could start automatically. Spyware is more likely than a virus to hide someplace else, but you never know. You can download “autoruns” from sysinternals to look at other places where something might start automatically.
Step 3.
If you see something out of the ordinary set to be run automatically write down where an what it is. You can use google to lookup unknown files to determine if they are legit. If you cannot determine the validity of a file, upload it to It will be scanned with multiple virus scanners and report back to you.
Step 4
If virustotal determines it is a virus, you need to figure out why your antivirus didn’t detect it. Is your antivirus disabled? Some viruses disable antivirus software. Is your antivirus software getting updates? It may be broken or the virus may have disabled the ability of your software to update. If you have the latest available virus def from your antivirus company and it cannot detect the file that virustotal reports is a virus, then you need to submit it to your antivirus company. Each antivirus company has a different method for this. Note that virustotal says that it submits the files to antivirus companies, but I like to do it also so I get feedback from the antivirus company. Often they make a pre-release version of their virus definition files available so that the file can be deleted.
If you figure out a name for the virus (either from virustotal or from submitting the file to your antivirus vendor) this can be used to successfully find the virus definition writeup which will hopefully have complete removal instructions. Often virus encyclopedias are only indexed by virus name making it difficult to search for text from the viral message.