There are often threads about how to fix an ill PC or how to remove viruses from a PC.
This guide will cover how to completely remove a virus from a PC, and how to ensure that you are not immediately hit with it again afterwards. This is rather lengthy, so you may need some coffee.
We're going to get pretty intense here and delete some files in places you should be wary of deleting things. I do this because I have many years' experience with the Windows operating environment and know what and what not to delete. While I will attempt to give the best advice possible, it is entirely possible that you will accidentally delete something important. By following this guide you are accepting that risk, and neither I nor computerforums.org can be held accountable for those actions or for any files lost.
The Test Environment
I do not yet know the virus I will contract on this system, so you'll also learn how to identify and find these things. I've tried, in a small way, to replicate an environment in use by the average user.
Dual Core @ 2.9 GHz with 4 GB RAM (virtualized)
Windows 7 Pro w/SP1 | Up to date as of 9-22-13
Java 7 update 40 | Ask Toolbar included
Adobe Flash Player 11 | Google Toolbar Included
Apple iTunes 10 w/QuickTime
Most people don't know that they even have a virus until something starts going awry. Some of the early warning signs include:
- Desktop icons you did not install
- Slow computer bootup
- Unrecognized pop-ups at bootup
- Security software you did not install
- Prompts that you have a virus, pay to clean or scan now
A common one going around these days is the FBI Warning that you were looking at some kind of banned pornography and you now have to pay to use your computer again. This is the virus I was able to contract on the test system.
As you can see, I am no longer able to use my system. Whatever shall I do?
Now we get to the meat and potatoes of this guide... how to get rid of the virus.
From another PC (you're reading this from somewhere...), download the programs used below (MalwareBytes and CCleaner) and put them on an empty USB drive.
The first thing we want to do is to remove the possibility that the virus exists and is running in our temporary storage, or RAM. To accomplish this, we will turn off the PC and unplug it. Now, with the PC unplugged, press the power button (as if turning it on) a few times and then hold for 10 seconds. Now plug the PC back in.
Boot the PC into Safe Mode
When you boot up the PC, you must watch the bootup process. After your BIOS screen (the first screen displayed when the power turns on, e.g. the HP logo on first bootup), the screen will turn black for just a moment before the Starting Windows screen is displayed. During that momentary black screen, press F8 (I typically just press it repeatedly right after the BIOS screen).
If you see the Starting Windows screen, you're too late. Turn the PC back off.
If successful, you should see this screen:
Some notes here:
I typically advise booting into Safe Mode with Networking, which is usually the best option. With the test virus I contracted on this machine, it was able to infiltrate Safe Mode somehow and would immediately reboot. I was able to get around this by booting into "Safe Mode with Command Prompt" and then typing "explorer" and pressing Enter once I was in the command prompt (the DOS-looking window). That launched normal Safe Mode, so now we can begin.
Now that we're in safe mode, let's start cleaning this crap up.
The first thing we want to do is to install and run MalwareBytes. Since the virus won't allow Safe Mode with Networking, we'll have to run this twice (once without the updated virus definitions and once again with, just to be sure).
Once the MalwareBytes installer finishes, select Finish to launch MalwareBytes and perform a scan of the entire PC. If you get the Program error after clicking Finish and then seeing the "Connecting to Server" window, this is okay. Your PC cannot connect to the internet so it cannot update. Click Ok to continue to 'mbam'. At the below screen, select Perform full scan and click Scan.
Then when prompted about drives, select all drives that are not CD/DVD drives and click scan. This scan may take up to 2 hours to complete (depending on many things) so walk away for a bit.
Upon completion, you may or may not have viruses detected. Most likely MBAM will pick a few up and ask if you wish to delete them. Follow the steps in MalwareBytes to remove the found infected files.
If asked to restart, select the option to NOT restart as we still have work to do.
In the case of this particular virus and environment, no malicious objects were found, which we know is not the case.
In every scenario, you should always assume that a simple virus scan is not going to cure all.
Open a Windows Explorer instance by pressing the (keyboard) Windows + E keys.
We'll need to enable viewing of hidden files. Follow these clicks
Now return to the C: drive.
On a normal Windows installation, these are the only folders that should exist on the root of drive C: (when viewing in Explorer with hidden items shown; additional protected system files and folders exist but remain hidden even from the hidden view):
- PerfLogs (optional)
- Program Files
- Program Files (x86) (if 64-bit Windows)
- ProgramData (hidden)
- Users
- Windows
If your drive contains other folders that you do not recognize, I typically delete those. As always, exercise caution.
First, let's go into the Users folder.
Double click Users > Your user account name > AppData
First order of business here is the "Local" folder. Upon inspection of mine, I already have some suspicious characters.
I am in C:\Users\User\AppData\Local and see the following.
In this folder (as well as the LocalLow and Roaming folders), Windows and other programs store temporary information. It is okay to delete unrecognized folders in these directories, as they will simply be recreated upon the program's next launch. This does not mean that you can clear the entire contents of these folders, as some profile information is stored here as well.
I am going to highlight the following folders:
When deleting, hold shift and press delete. This skips the Recycle Bin and removes the data from the drive.
Note: Because I selected the Temp folder, I am going to get an error that I cannot delete the file "FXSAPIDebugLogFile." I am given the option to Try Again or Skip. This is a system log file so I will select Skip on this prompt. You may also get other prompts asking you if you are sure you want to delete files. If you are sure that you have selected non-Microsoft/Windows folders, then don't feel alarmed and select Continue.
All selected folders (except Temp) should now be gone.
Moving on to my LocalLow folder, I will again select unrecognized folders
I know that the Microsoft folder is legitimate, and Sun belongs to my Java installation, so I now only delete the ilividmoviestoolbarha folder.
Moving on to the Roaming Folder
Tip: The two files at the bottom, "cache.dat" and "cache", are extremely telling. Neither Windows nor other legitimate software stores files at the root of your Local/LocalLow/Roaming folders. These two files may very well be related to our virus.
Note: The folder "com.adobe.down..." is a legitimate folder that I am nonetheless choosing to delete in the above screenshot.
Let's make our way back to the root of drive C: and then navigate to the folder "ProgramData"
Wow, that's a lot of highlighted folders!
The ProgramData folder is another location for programs to store temporary, and not so temporary, information. I am deleting everything but the Microsoft folder (as you can't delete that one). I caution you on deleting folders from here, as the removal of these folders may remove program-specific settings. IMHO, I would rather have to reconfigure a program or two than miss deleting a virus.
What is suspicious here?
Given that I have listed all the software that I installed on this machine, the presence of a "McAfee" folder is extremely suspicious. I had not installed any antivirus software.
Remember to question!
On to the "Program Files" and "Program Files (x86)" folders.
Now, you need to be cautious in these folders because they contain the software packages that you installed or use on your computer. However, a lot of malware may have made its way into your system and into these folders as well. The folder names will typically tell you which manufacturer the folder belongs to, so you should recognize most of the names. If not, open the folder(s); inside may be another folder named after software you have installed. If you do not recognize the folder, or its contents, I advise deleting it.
Before you get delete happy though, here is the list of system folders found in Program Files and Program Files (x86) on a standard Windows installation:
- Common Files
- Internet Explorer
- Reference Assemblies
- Uninstall Information (hidden)
- Windows Defender
- Windows Journal
- Windows Mail
- Windows Media Player
- Windows NT
- Windows Photo Viewer
- Windows Portable Devices
- Windows Sidebar
These may exist in both folders (on x64 systems).
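To turn the folder-by-folder judgement above (the root-of-C: list, the "nothing loose at the root of Local/LocalLow/Roaming" tip, the ProgramData rule and the Program Files system-folder list) into one repeatable check, here is an added example in Python. It is not code from the original guide; the folder listings, the installed-vendor list and names such as "InstallTemp" and "MovieToolbar" are constructed sample input modelled on the guide's test machine, and the same rule set is applied to every folder class so it generalizes beyond the screenshots.

```python
"""Folder-listing triage against a clean Windows 7 baseline plus the software
you know you installed.  Added example, not code from the original guide; the
listings and the installed-vendor list below are constructed sample input."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool


@dataclass(frozen=True)
class Finding:
    folder: str
    name: str
    severity: str   # "suspect": nothing you installed explains it; "review": known vendor
    reason: str


# What Explorer shows at the root of a clean Windows 7 drive with hidden items visible.
# Protected OS folders ($Recycle.Bin, System Volume Information, ...) stay hidden, so they are not listed.
ROOT_BASELINE = {"PerfLogs", "Program Files", "Program Files (x86)", "ProgramData", "Users", "Windows"}

# System folders that ship in Program Files / Program Files (x86) on a standard install.
PROGRAM_FILES_BASELINE = {
    "Common Files", "Internet Explorer", "Reference Assemblies", "Uninstall Information",
    "Windows Defender", "Windows Journal", "Windows Mail", "Windows Media Player",
    "Windows NT", "Windows Photo Viewer", "Windows Portable Devices", "Windows Sidebar",
}

PROFILE_DATA_DIRS = ("AppData\\Local", "AppData\\LocalLow", "AppData\\Roaming")


def recognized(name: str, vendors) -> bool:
    """Case-insensitive substring match: 'Apple Computer' is covered by vendor 'Apple'."""
    low = name.lower()
    return any(v.lower() in low for v in vendors)


def triage(listings: dict, installed_vendors) -> list:
    """listings maps a folder path to its entries; returns the entries worth a second look."""
    vendors = set(installed_vendors) | {"Microsoft"}
    findings = []
    for folder, entries in listings.items():
        path = folder.rstrip("\\")
        tail = path.split("\\")[-1]
        for e in entries:
            if path.upper().endswith(":"):                       # drive root, e.g. "C:"
                if e.is_dir and e.name not in ROOT_BASELINE:
                    findings.append(Finding(folder, e.name, "suspect", "not part of a clean Windows 7 root"))
            elif tail in ("Program Files", "Program Files (x86)"):
                if e.name not in PROGRAM_FILES_BASELINE and not recognized(e.name, vendors):
                    findings.append(Finding(folder, e.name, "suspect", "neither a system folder nor software you installed"))
            elif tail == "ProgramData":
                # The guide removes everything here except Microsoft; a known vendor only costs you some settings.
                if e.name == "Microsoft":
                    continue
                sev = "review" if recognized(e.name, vendors) else "suspect"
                findings.append(Finding(folder, e.name, sev, "ProgramData entry outside Microsoft"))
            elif any(path.endswith(p) for p in PROFILE_DATA_DIRS):
                if not e.is_dir:
                    # Legitimate software keeps its files inside a vendor subfolder, never at this level.
                    findings.append(Finding(folder, e.name, "suspect", "loose file at the root of a profile data folder"))
                elif e.name != "Temp" and not recognized(e.name, vendors):
                    findings.append(Finding(folder, e.name, "suspect", "unrecognized profile data folder"))
    return findings


# Constructed sample: the software list from the guide's test machine.
INSTALLED = ["Java", "Sun", "Ask", "Adobe", "Google", "Apple", "iTunes", "QuickTime", "WeatherBug"]

D, F = True, False
SAMPLE_LISTINGS = {   # constructed listings; "InstallTemp" and "MovieToolbar" are made-up names
    "C:\\": [Entry(n, D) for n in ("PerfLogs", "Program Files", "Program Files (x86)", "ProgramData",
                                   "Users", "Windows", "InstallTemp")],
    r"C:\Program Files (x86)": [Entry(n, D) for n in ("Common Files", "Internet Explorer", "Java", "Google",
                                                     "Ask.com", "Adobe", "MovieToolbar")],
    r"C:\ProgramData": [Entry(n, D) for n in ("Microsoft", "Adobe", "Apple", "McAfee")],
    r"C:\Users\User\AppData\Local": [Entry(n, D) for n in ("Microsoft", "Temp", "Google", "Apple Computer",
                                                          "SearchProtection")],
    r"C:\Users\User\AppData\LocalLow": [Entry(n, D) for n in ("Microsoft", "Sun", "ilividmoviestoolbarha")],
    r"C:\Users\User\AppData\Roaming": [Entry("Microsoft", D), Entry("Adobe", D), Entry("Apple Computer", D),
                                       Entry("cache.dat", F), Entry("cache", F)],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTINGS, INSTALLED):
        print(f"[{f.severity}] {f.folder}\\{f.name}: {f.reason}")
```

Run on the sample it reports the loose "cache.dat"/"cache" files, the McAfee folder, the toolbar remnants and the made-up folders as suspect, and the known-vendor ProgramData folders as review only. On a real machine you would build the listings with os.scandir over the same six folders and keep INSTALLED honest; the value of the check is entirely in that list being complete.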
Now, back to the USB containing CCleaner. Let's install and run it.
Once you have completed the install process (accepting all defaults is fine, you can uninstall later if you wish) you'll get a pop-up asking if you want to intelligently scan for cookies to keep. I always select No.
Note: Removing all internet temp files will also remove some settings (like tabbed browsing history in Chrome) but this is a small price to pay IMHO.
Right off the bat, I'm going to select "Run Cleaner," and then OK on the next pop-up.
Now, before moving on to the registry cleaner, we're going to stop at the Tools section and check out our Startup items.
These are programs that start with Windows. I recognize "SearchProtection" from the folders we deleted earlier. It is OK to delete every entry in here. If there's a program that you like starting with Windows (e.g. WeatherBug in the example environment), then leave it. Otherwise, we want to delete these entries.
I also went through the "Internet Explorer" and "Google Chrome" tabs to ensure that no add-ons (e.g. that Movie Toolbar crap) were left there. I deleted from there any add-ons I did not want starting with either of my browsers.
Now let's move on to the Registry Cleaner.
Note: There's a lot of discussion over whether or not a registry cleaner is snake oil, but I can tell you that if you know how to use it, it can do great things for you. How is that, you ask? Well, since we went around deleting a ton of crap off the drive, that now makes invalid registry entries. The point of all the deleting above was to get to this point, where we now allow a program like this to remove the entries from the registry, because there is no longer a file to be called on the drive.
Why is that important? In my experience, malware developers are not stupid, and things are constantly evolving. A common theme I have seen though is that they ensure their program(s) can 'come back' by hiding files all over the place, and referencing each in hidden registry entries. Hence the long process in truly removing malware. The only way is to be thorough.
On the left, click Registry.
Now click Scan for Issues and allow to complete.
Once done, click Fix Selected Issues.
Now you'll be prompted on whether or not you wish to back up the registry. Always back up the registry on the first pass.
After making a backup, select "Fix all Issues" and then "Close".
Now again click "Scan for Issues" and repeat the process (without backup now) until the scans return no results.
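The registry-cleaner pass above exists to remove entries that still point at files we deleted, and the Startup tab earlier showed the same kind of entry (SearchProtection). As an added illustration, not code from the guide or from CCleaner, here is a Python check that parses Run-style startup command lines and reports the ones whose program is no longer on disk. The startup entries and the list of files "still on disk" are constructed sample data, and the list of existing files is injected so the check runs anywhere.

```python
"""Find startup (Run-key style) entries whose program no longer exists on disk, i.e. the
dangling references that the registry-cleaning pass is meant to remove.  Added example,
not from the original guide; the entries and the 'still on disk' list are constructed."""

import ntpath
import re

# Minimal match up to a launchable extension that is followed by whitespace, a comma or end of line.
_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|vbs|scr))(?=\s|,|$)", re.IGNORECASE)


def target_of(command: str) -> str:
    """Return the file a startup command line actually loads."""
    cmd = command.strip()
    if cmd.startswith('"'):                               # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        target, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        m = _EXT_RE.match(cmd)
        if m:
            target, rest = m.group(1), cmd[m.end(1):]
        else:                                             # no known extension: take the first token
            parts = cmd.split(maxsplit=1)
            target = parts[0] if parts else ""
            rest = parts[1] if len(parts) > 1 else ""
    # rundll32 is only a loader; the DLL named in its argument is what really runs.
    if ntpath.basename(target).lower() == "rundll32.exe" and rest.strip():
        return target_of(rest.strip().split(",", 1)[0])
    # Note: %VARIABLE% paths are not expanded here; os.path.expandvars does that on the live machine.
    return target


def find_orphans(run_entries: dict, files_on_disk) -> list:
    """run_entries: {value name: command line}.  files_on_disk: paths that still exist
    (injected so the check runs anywhere; on the machine itself use os.path.exists)."""
    present = {p.lower() for p in files_on_disk}
    orphans = []
    for name, cmd in run_entries.items():
        target = target_of(cmd)
        if target.lower() not in present:
            orphans.append((name, target))
    return orphans


SAMPLE_RUN = {   # constructed; mimics HKCU/HKLM ...\CurrentVersion\Run values
    "iTunesHelper": r'"C:\Program Files (x86)\iTunes\iTunesHelper.exe"',
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
    "Adobe ARM": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    "SearchProtection": r'C:\Users\User\AppData\Local\SearchProtection\SearchProtection.exe /startup',
    "cache": r'rundll32.exe C:\Users\User\AppData\Roaming\cache.dat,Run',
}
SAMPLE_DISK = {   # constructed: what survived the folder cleanup described in the guide
    r"C:\Program Files (x86)\iTunes\iTunesHelper.exe",
    r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
}

if __name__ == "__main__":
    for name, target in find_orphans(SAMPLE_RUN, SAMPLE_DISK):
        print(f"orphaned startup entry {name!r} -> {target}")
```

On the sample the two entries left dangling are SearchProtection and the rundll32-loaded "cache.dat" from the Roaming folder, which is exactly the kind of reference the cleaner removes once the file is gone. Note the rundll32 case: the registry value names a legitimate Windows binary, and only the argument reveals the real target.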
Almost done... just a few more steps.
In Windows Explorer again, navigate to C:\Windows\System32\drivers\etc\ and double click on the "hosts" file. When prompted about what program to open it with, select Notepad. Your hosts file should look like this:
Unless you know that there are entries in there you need, it is entirely okay to press "CTRL + A" to select all, then Delete. You can save this empty file with no worries.
Note: The hosts file is like a local DNS directory. You can point site addresses such as 'www.google.com' to a malicious site using this file, which is why it is key to make sure it is clear so we don't get infected immediately after cleanup.
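Before wiping the hosts file it is worth knowing what was in it, because a redirect there tells you what the infection was after. The following Python audit is an added example, not from the original guide: it parses hosts-file syntax, separates entries that merely block a site (mapping it to the local machine) from entries that reroute a site to another address, and produces the comments-only content the guide's empty file amounts to. The sample file is constructed, and 198.51.100.23 is a documentation (TEST-NET-2) address standing in for whatever address an attacker would choose.

```python
"""Audit a Windows hosts file for entries that reroute or block sites.
Added example, not from the original guide; the sample file below is constructed."""

import ipaddress


def parse_hosts(text: str):
    """Yield (line_number, address, [hostnames]) for every active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]


def audit_hosts(text: str) -> list:
    """Return (line_number, address, hostname, severity, reason) for every mapping
    other than the plain localhost entries."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(names), "suspect", "address does not parse"))
            continue
        local = addr.is_loopback or addr.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
        for name in names:
            if local and name.lower() == "localhost":
                continue                                  # the only mapping Windows itself ever needs
            if local:
                # Pointing a name at the local machine just blocks it; ad blocking looks like this,
                # but so does cutting a security product off from its update server.
                findings.append((n, ip, name, "review", "site blocked by mapping to the local machine"))
            else:
                # A real address here silently sends the browser somewhere else for that name.
                findings.append((n, ip, name, "suspect", "site redirected to another address"))
    return findings


def clean_hosts() -> str:
    """Content to write back: comments only, which is what the guide's empty file amounts to
    (Windows resolves localhost on its own, without a hosts entry)."""
    return "# hosts file reset after cleanup; no mappings\n"


SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com          # ad-blocking style entry
198.51.100.23   www.google.com           # redirect
198.51.100.23   login.example.net        # redirect
0.0.0.0         updates.example.org      # blocks a site
"""

if __name__ == "__main__":
    for n, ip, name, sev, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: [{sev}] {ip} -> {name}: {why}")
```

On the sample the two www.google.com/login.example.net lines come back as suspect redirects, while the two loopback/0.0.0.0 lines are flagged for review because blocking can be either deliberate or a way to keep your scanner from updating. Running audit_hosts over clean_hosts() returns nothing, which is the state you want before going back online.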
Next, launch Internet Explorer. Attempt to stop the loading of any page using the "X" next to the address bar. We just need to get to the Internet Options.
Depending on your version,
Tools > Internet Options
(Gear Icon) > Internet Options
Internet Explorer's connection settings (the proxy in particular) are shared by Windows as a whole; even Google Chrome uses IE's settings, so resetting them (the Reset button on the Advanced tab of Internet Options) after an event like the above is not a bad idea.
Now since my first pass with MalwareBytes failed, I want to attempt to restart the computer in "Safe Mode with Networking" and allow MalwareBytes to run again, but this time with updates.
Shut down the PC, flush the RAM again, and then power on, booting into Safe Mode with Networking as outlined previously.
Looks like Safe Mode with Networking worked so we're in business for MalwareBytes updates.
Launch MalwareBytes and allow it to update, and then perform another full scan.
Note: My MalwareBytes failed to update and I was forced to Uninstall/Reinstall to get the updates to work.
If MalwareBytes detects any malicious objects, (mine detected 2 after the update) then remove them. It is okay to now reboot to allow the infected files to be removed, but be sure to boot back into Safe Mode as we are still in the maintenance mode until all detected items are cleaned.
Once the files have been removed, remember to run CCleaner again (the registry cleaner) to remove any registry entries that pointed to those malicious files.
Once you get MalwareBytes updated and a full 'clean' scan, you should be 'good to go.' Remember that the only true way of knowing that a PC is no longer infected is to completely destroy all data on the drive. However, this is not always a viable option for many.
Using (while writing) this guide, I was able to successfully remove the Virus originally contracted.
If you have additional questions, be sure to sign up and create a thread in our Security section for help.
Best of Luck!