How To: Clean an infected PC

iPwn

There are often threads about how to fix an ill PC or how to remove viruses from a PC.
This guide will cover how to completely remove a virus from a PC, and how to ensure that you are not immediately hit with it again afterwards. This is rather lengthy, so you may need some coffee :)

Disclaimer: We're going to get pretty intense here and delete some files in places you should be wary of deleting things. I do this because I have many years' experience with the Windows operating environment and know what and what not to delete. While I will attempt to give the best advice possible, it is entirely possible that you will accidentally delete something important. By following this guide you are accepting that risk and neither I, nor computerforums.org, can be held accountable for those actions, nor any files lost.


The Test Environment
I do not yet know the virus I will contract on this system, so you'll also learn how to identify/find these things. I've tried in a small way to replicate an environment in use by the average user.

Hardware: Dual Core @ 2.9 GHz with 4 GB RAM (Virtualized)
Software:
OS:
Windows 7 Pro w/SP1 | Up to date as of 9-22-13
Add-on Software:
Java 7 update 40 | Ask Toolbar included
Adobe Flash Player 11 | Google Toolbar Included
Apple iTunes 10 w/QuickTime
WeatherBug
Google Chrome


The Problems
Most people don't know that they even have a virus until something starts going awry. Some of the early warning signs include:
  • Desktop icons you did not install
  • Slow computer bootup
  • Unrecognized pop-ups at bootup
  • Security software you did not install
  • Prompts that you have a virus, pay to clean or scan now

A common one going around these days is the FBI Warning that you were looking at some kind of banned pornography and you now have to pay to use your computer again. This is the virus I was able to contract on the test system.

[screenshot: the FBI warning lock screen]


As you can see, I am no longer able to use my system. Whatever shall I do?


Troubleshooting
Now we get to the meat and potatoes of this guide... how to get rid of the virus.

Requirements
From another PC (you're reading this from somewhere...), download the following programs and put them on an empty USB.
MalwareBytes AntiMalware
CCleaner

----

The first thing we want to do is to remove the possibility that the virus exists and is running in our temporary storage, or RAM. To accomplish this, we will turn off the PC and unplug it. Now, with the PC unplugged, press the power button (as if turning it on) a few times and then hold for 10 seconds. Now plug the PC back in.

Boot the PC into Safe Mode
When you boot up the PC, you must watch the bootup process. After your BIOS screen (the first screen displayed when the power turns on (e.g. the HP screen on first bootup)), the screen will turn black for just a moment before the Starting Windows screen is displayed. During that momentary black screen, press F8 (I typically just press and press right after the BIOS screen).
If you see the Starting Windows screen, you're too late. Turn the PC back off.
If successful, you should see this screen:

[screenshot: Advanced Boot Options menu]


Some notes here:
I typically advise booting into Safe Mode with Networking, which is usually the best option. With the test virus I contracted on this machine, it was able to infiltrate Safe Mode somehow and would immediately reboot. I was able to get around this by booting into "Safe Mode with Command Prompt" and then typing "explorer" and pressing Enter once I was in the command prompt (DOS-looking window). That launched normal Safe Mode, so now we can begin.

Now that we're in safe mode, let's start cleaning this crap up.

The first thing we want to do is to install and run MalwareBytes. Since the virus won't allow Safe Mode with Networking, we'll have to run this twice (once without the updated virus definitions and once again with, just to be sure).

Once the MalwareBytes installer finishes, select Finish to launch MalwareBytes and perform a scan of the entire PC. If you get the Program error after clicking Finish and then seeing the "Connecting to Server" window, this is okay. Your PC cannot connect to the internet, so it cannot update. Click OK to continue to 'mbam'. At the below screen, select Perform full scan and click Scan.

[screenshot: MalwareBytes scan type selection]


Then when prompted about drives, select all drives that are not CD/DVD drives and click scan. This scan may take up to 2 hours to complete (depending on many things) so walk away for a bit.

....

Upon completion, you may or may not have viruses detected. Most likely MBAM will pick a few up and ask if you wish to delete them. Follow the steps in MalwareBytes to remove the found infected files.

If asked to restart, select the option to NOT restart as we still have work to do.
In the case of this particular virus and environment, no malicious objects were found, which we know is not the case.

In every scenario, you should always assume that a simple virus scan is not going to cure all.


Open a Windows Explorer instance by pressing the (keyboard) Windows + E keys.
We'll need to enable viewing of hidden files. Follow these clicks

[screenshot: enabling hidden files, step 1]


Then

[screenshot: enabling hidden files, step 2]


Now return to the C: drive.

On a normal Windows installation, these are the only folders that should exist on the root drive C: (when viewing in Explorer; additional system files/folders will exist but are hidden even from the hidden view):

  • PerfLogs (optional)
  • Program Files
  • Program Files (x86) (if 64-bit Windows)
  • ProgramData (hidden)
  • Users
  • Windows

If your drive contains other folders that you do not recognize, I typically delete those. As always, exercise caution.

First, let's go into the Users folder.
Double click Users > Your user account name > AppData

First order of business here is the "Local" folder. Upon inspection of mine, I already have some suspicious characters.

I am in C:\Users\User\AppData\Local and see the following.
[screenshot: contents of C:\Users\User\AppData\Local]


In this folder (as well as the LocalLow and Roaming folders), Windows and other programs store temporary information. It is okay to delete unrecognized folders in these directories as they will simply be recreated upon the program's next launch. This does not mean that you can clear the entire folder(s) contents, as some profile information is stored here as well.

I am going to highlight the following folders:

  • iLivid
  • ilidmoviestoolbarha
  • Temp
  • Torch
  • Updater4351

When deleting, hold shift and press delete. This skips the Recycle Bin and removes the data from the drive.

Note: Because I selected the Temp folder, I am going to get an error that I cannot delete the file "FXSAPIDebugLogFile." I am given the option to Try Again or Skip. This is a system log file so I will select Skip on this prompt. You may also get other prompts asking you if you are sure you want to delete files. If you are sure that you have selected non-Microsoft/Windows folders, then don't feel alarmed and select Continue.

All selected folders (except Temp) should now be gone.

Moving on to my LocalLow folder, I will again select unrecognized folders.

[screenshot: contents of the LocalLow folder]


I know that the Microsoft folder is legitimate, and Sun belongs to my Java installation, so I now only delete the ilividmoviestoolbarha folder.

Moving on to the Roaming Folder

[screenshot: contents of the Roaming folder]


Tip: The two files on the bottom, "cache.dat" and "cache", are extremely telling. Neither Windows nor other legitimate software will store files at the root of your Local/LocalLow/Roaming folders. These two files may very well be related to our virus.

Note: The folder "com.adobe.down..." is a legitimate folder that I am choosing to delete in the above screenshot.

Let's make our way back to the root of drive C: and then navigate to the folder "ProgramData"

[screenshot: contents of the ProgramData folder]


Wow, that's a lot of highlighted folders!

The ProgramData folder is another location for programs to store temporary, and not so temporary, information. I am deleting everything but the Microsoft folder (as you can't delete that one). I caution you on deleting folders from here, as the removal of these folders may remove program-specific settings. IMHO, I would rather have to reconfigure a program or two than miss deleting a virus.

What is suspicious here?
Given that I have listed all the software that I installed on this machine, the presence of a "McAfee" folder is extremely suspicious. I had not installed any antivirus software.

Remember to question!

On to the "Program Files" and "Program Files (x86)" folders.

Now, you need to be cautious in these folders because they contain the software packages that you installed or use on your computer. However, a lot of malware may have made its way into your system and into these folders as well. The folder names are typically going to tell what manufacturer the folder belongs to, so you should recognize most of the names. If not, open the folder(s) and in them may be another folder of the software you have installed. If you do not recognize the folder, or its contents, I advise deleting.

Before you get delete-happy though, here is a list of system folders on a standard Windows installation.

> Program Files | Program Files (x86)

  • Common Files
  • Internet Explorer
  • MSBuild
  • Reference Assemblies
  • Uninstall Information (hidden)
  • Windows Defender
  • Windows Journal
  • Windows Mail
  • Windows Media Player
  • Windows NT
  • Windows Photo Viewer
  • Windows Portable Devices
  • Windows Sidebar

These may exist in both folders (on x64 systems)

Now, back to the USB containing CCleaner. Let's install and run.

Once you have completed the install process (accepting all defaults is fine, you can uninstall later if you wish) you'll get a pop-up asking if you want to intelligently scan for cookies to keep. I always select No.

Note: Removing all internet temp files will also remove some settings (like tabbed browsing history in Chrome) but this is a small price to pay IMHO.

Right off the bat, I'm going to select "Run Cleaner," and then OK on the next pop-up.

[screenshot: CCleaner, Run Cleaner]



Now, before moving on to the registry cleaner, we're going to stop at the Tools section and check out our Startup items.

[screenshot: CCleaner, Tools > Startup]


These are programs that start with Windows. I recognize the "SearchProtection" also from the file structure that we deleted. It is OK to delete every entry in here. If there's a program that you like starting with Windows (e.g. WeatherBug in the example environment), then leave it. Otherwise, we want to delete these entries.

I also went through the "Internet Explorer" and "Google Chrome" tabs to ensure that no add-ons (e.g. that Movie Toolbar crap) were left there. I deleted from there any add-ons I did not want starting with either of my browsers.


Now let's move on to the Registry Cleaner.

Note: There's a lot of discussion over whether or not a registry cleaner is snake oil, but I can tell you that if you know how to use it, it can do great things for you. How is that, you ask? Well, since we went around deleting a ton of crap off the drive, that now makes invalid registry entries. The point of all the deleting above was to get to this point, where we now allow a program like this to remove the entries from the registry, because there is no longer a file to be called on the drive.

Why is that important? In my experience, malware developers are not stupid, and things are constantly evolving. A common theme I have seen though is that they ensure their program(s) can 'come back' by hiding files all over the place, and referencing each in hidden registry entries. Hence the long process in truly removing malware. The only way is to be thorough.

On the left, click Registry.
Now click Scan for Issues and allow to complete.
Once done, click Fix Selected Issues.

Now you'll be prompted on whether or not you wish to backup the registry. Always backup the registry on the first pass.

[screenshot: CCleaner registry backup prompt]


After making a backup, select "Fix all Issues" and then "Close"

Now again click "Scan for Issues" and repeat the process (without backup now) until the scans return no results.

Almost done... just a few more steps.

In Windows Explorer again, navigate to C:\Windows\System32\drivers\etc\ and double click on the "hosts" file. When prompted about what program to open with, select Notepad. Your hosts file should look like this:

[screenshot: the default hosts file in Notepad]


Unless you know that there are entries in there you need, it is entirely okay to Press "CTRL + A" to select all, then Delete. You can save this empty file with no worries.

Note: The hosts file is like a local DNS directory. You can point site addresses such as 'www.google.com' to a malicious site using this file, which is why it is key to make sure it is clear so we don't get infected immediately after cleanup.

Next, launch Internet Explorer. Attempt to stop the loading of any page using the "X" next to the address bar. We just need to get to the Internet Options.
Depending on your version,
Tools > Internet Options
(Gear Icon) > Internet Options

Now this:
[screenshot: Internet Options reset]


Internet Explorer controls a large part of the routing for Windows' connection to the outside world. Even Google Chrome uses IE's settings, so resetting after an event like the above is not a bad idea.

Now since my first pass with MalwareBytes failed, I want to attempt to restart the computer in "Safe Mode with Networking" and allow MalwareBytes to run again, but this time with updates.

Shut down the PC, flush the RAM again, and then power on, booting into Safe Mode with Networking as outlined previously.

....

Looks like Safe Mode with Networking worked so we're in business for MalwareBytes updates.

Launch MalwareBytes and allow it to update, and then perform another full scan.

Note: My MalwareBytes failed to update and I was forced to Uninstall/Reinstall to get the updates to work.

If MalwareBytes detects any malicious objects, (mine detected 2 after the update) then remove them. It is okay to now reboot to allow the infected files to be removed, but be sure to boot back into Safe Mode as we are still in the maintenance mode until all detected items are cleaned.

Once the files have been removed, remember to run CCleaner again (the registry cleaner) to remove any registry entries that pointed to those malicious files.

Once you get MalwareBytes updated and a full 'clean' scan, you should be 'good to go.' Remember that the only true way of knowing that a PC is no longer infected is to completely destroy all data on the drive. However, this is not always a viable option for many.

Using (while writing) this guide, I was able to successfully remove the Virus originally contracted.

If you have additional questions, be sure to sign up and create a thread in our Security section for help.

Best of Luck!
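The folder-by-folder inspection in the guide above (root of C:, Program Files, ProgramData, AppData\Local, LocalLow and Roaming) can be done in one pass from PowerShell so that nothing is missed and so the same check can be repeated after cleanup. The script below is an added example and is not part of the original post or any tool the post mentions; it only reports and never deletes. It assumes Windows 7 with PowerShell 2.0 or later, run as the affected user (Safe Mode is fine), and the baseline lists are the guide's own lists plus the protected system entries that Get-ChildItem -Force also shows on a stock install (the $Recycle.Bin, pagefile.sys, IconCache.db entries and so on). A hit means "look at this", not "this is malware": the Program Files entries in particular have to be compared against the software you know you installed.

```powershell
# Added example (not code from the original post): a read-only triage pass over
# the locations the guide inspects by hand. It reports; it never deletes.
# Assumptions: Windows 7 with PowerShell 2.0 or later, run as the affected user
# (Safe Mode is fine). The baselines are the guide's own lists plus the
# protected entries that Get-ChildItem -Force also shows on a stock install.
# A hit means "look at this", not "this is malware".

param([int]$NewerThanDays = 14)   # folders created this recently get flagged

$drive = $env:SystemDrive
$rootBaseline = @(
    'PerfLogs', 'Program Files', 'Program Files (x86)', 'ProgramData', 'Users',
    'Windows', '$Recycle.Bin', 'Recovery', 'System Volume Information',
    'Documents and Settings', 'Boot', 'bootmgr', 'BOOTSECT.BAK',
    'hiberfil.sys', 'pagefile.sys', 'MSOCache', 'Config.Msi'
)
$programFilesBaseline = @(
    'Common Files', 'Internet Explorer', 'MSBuild', 'Reference Assemblies',
    'Uninstall Information', 'Windows Defender', 'Windows Journal',
    'Windows Mail', 'Windows Media Player', 'Windows NT', 'Windows Photo Viewer',
    'Windows Portable Devices', 'Windows Sidebar', 'DVD Maker', 'desktop.ini'
)
# Stock Windows 7 does keep two cache files loose at the root of AppData\Local;
# anything else loose in Local/LocalLow/Roaming is worth a look (the guide's
# cache.dat is the kind of thing this catches).
$looseFileBaseline = @('IconCache.db', 'GDIPFONTCACHEV1.DAT')

function New-Finding($Check, $Path, $Item) {
    New-Object PSObject -Property @{
        Check    = $Check
        Path     = Join-Path $Path $Item.Name
        Created  = $Item.CreationTime
        Modified = $Item.LastWriteTime
        Hidden   = [bool]($Item.Attributes -band [IO.FileAttributes]::Hidden)
    }
}

function Get-Entries($Path) {
    if (Test-Path -LiteralPath $Path) {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    }
}

$findings = @()

# 1. Anything at the drive root that a stock install does not have.
foreach ($e in Get-Entries "$drive\") {
    if ($rootBaseline -notcontains $e.Name) {
        $findings += New-Finding 'drive root: not in baseline' "$drive\" $e
    }
}

# 2. Program Files entries that are not Windows' own. Compare these against the
#    software you know you installed (the guide's "Add-on Software" list).
foreach ($pf in 'Program Files', 'Program Files (x86)') {
    foreach ($e in Get-Entries "$drive\$pf") {
        if ($programFilesBaseline -notcontains $e.Name) {
            $findings += New-Finding "${pf}: verify against your install list" "$drive\$pf" $e
        }
    }
}

# 3. AppData\Local, LocalLow, Roaming and ProgramData: loose files at the root,
#    and folders created in the last $NewerThanDays days (new droppings such as
#    the iLivid/Updater folders in the guide show up here). Temp is skipped
#    because it is always churning.
$cutoff = (Get-Date).AddDays(-$NewerThanDays)
$dirs = @("$drive\ProgramData")
foreach ($s in 'Local', 'LocalLow', 'Roaming') { $dirs += "$env:USERPROFILE\AppData\$s" }
foreach ($dir in $dirs) {
    foreach ($e in Get-Entries $dir) {
        if (-not $e.PSIsContainer) {
            if ($looseFileBaseline -notcontains $e.Name) {
                $findings += New-Finding 'loose file at profile/ProgramData root' $dir $e
            }
        } elseif ($e.Name -ne 'Temp' -and $e.CreationTime -gt $cutoff) {
            $findings += New-Finding "folder created in last $NewerThanDays days" $dir $e
        }
    }
}

$findings | Sort-Object Check, Path | Format-Table Check, Path, Created, Hidden -AutoSize
```

Save it as, say, triage.ps1 on the USB stick and run it with `powershell -ExecutionPolicy Bypass -File triage.ps1` from the Safe Mode command prompt; run it once before deleting anything and once after, and the second run should come back with only entries you can account for. The creation-time filter is what makes the AppData pass useful: the guide's toolbar and ransomware folders were all created on the day of infection, so a short window separates them from the Microsoft, Google and Apple folders that have been there since install.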
Excellent write up!

Sometimes, the "FBI Ransom Virus" attacks the registry and will start as soon as explorer.exe loads. I found the best way around this is to put Combofix on a flash drive and boot to Safe Mode With Command Prompt. From there, you can run Combofix which should get you to a starting point.

I think it's important to share how to avoid getting a virus in the first place. Allow me to share some of my tips for avoiding getting a virus. Anyone else is free to chime in with their input.

1) Install a good anti-virus program and keep it updated. I like using Avast since it is free, auto-updates itself, constantly monitors files while using little system resources. If there was an anti-virus program that one could set and forget, Avast is it.

2) Use common sense. If you get a prompt and you're unsure what it is, don't click Yes or OK. Google it. Never install software you're unfamiliar with.

3) Keep software up to date. This includes web browsers, plugins and the operating system.
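The guide checks startup entries through CCleaner's Tools tab, the hosts file through Notepad and the proxy through the Internet Options reset, and the reply above points out that this ransomware can hook the point where explorer.exe loads. The script below is an added example (not from the original post, the reply, or any of the tools they mention) that reads all of those locations from PowerShell so they can be checked before cleanup and re-checked afterwards. It is read-only. It assumes Windows 7 with PowerShell 2.0 or later, run as an administrator so the HKLM keys are readable. The Winlogon Shell/Userinit comparison is my addition rather than a step from either post: replacing those values is a common way for a lock screen to start as soon as the shell does, and the values they are compared against are the stock ones ("explorer.exe" and "<SystemRoot>\system32\userinit.exe,").

```powershell
# Added example (not code from the original post): the startup, hosts-file and
# proxy checks that the guide does through CCleaner's Tools tab, Notepad and the
# Internet Options dialog, done from PowerShell so the state can be read before
# and re-read after cleanup without a third-party tool. Read-only.
# Assumptions: Windows 7 with PowerShell 2.0 or later, run as an administrator
# so the HKLM keys are readable. The Winlogon check is my addition, not the
# guide's; the values compared against are the stock ones.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every value under the Run/RunOnce keys is a command that starts with Windows.
function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Shell and Userinit are what Winlogon runs at logon. A per-user Shell value
# under HKCU does not exist on a clean machine at all.
function Get-WinlogonHooks {
    $machine = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
    foreach ($name in $expected.Keys) {
        $actual = ([string]$machine.$name).Trim()
        New-Object PSObject -Property @{
            Value = "HKLM Winlogon\$name"; Actual = $actual; Suspicious = ($actual -ne $expected[$name])
        }
    }
    $userKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userShell = (Get-ItemProperty $userKey -ErrorAction SilentlyContinue).Shell
    New-Object PSObject -Property @{
        Value = 'HKCU Winlogon\Shell'; Actual = [string]$userShell; Suspicious = ($userShell -ne $null)
    }
}

# Active (non-comment) hosts entries. A stock Windows 7 hosts file has only
# comments, so anything returned here was added by something.
function Get-HostsEntries {
    $path = "$env:SystemRoot\System32\drivers\etc\hosts"
    foreach ($line in Get-Content -Path $path) {
        $text = ($line -replace '#.*$', '').Trim()     # drop comments and blank lines
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        $names = if ($parts.Length -gt 1) { $parts[1..($parts.Length - 1)] -join ' ' } else { '' }
        New-Object PSObject -Property @{ Address = $parts[0]; Names = $names }
    }
}

# WinINET proxy settings: this is what the Internet Options reset clears, and
# what Chrome and other WinINET-based programs use as the system proxy.
function Get-ProxySettings {
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        ProxyEnable = $ie.ProxyEnable; ProxyServer = $ie.ProxyServer; AutoConfigURL = $ie.AutoConfigURL
    }
}

Write-Host '== Run / RunOnce entries (compare with software you know you installed) =='
Get-StartupEntries | Format-Table Name, Command, Key -AutoSize | Out-Host
Write-Host '== Winlogon hooks =='
Get-WinlogonHooks | Format-Table Value, Suspicious, Actual -AutoSize | Out-Host
Write-Host '== Active hosts entries (stock Windows 7: none) =='
Get-HostsEntries | Format-Table Address, Names -AutoSize | Out-Host
Write-Host '== WinINET proxy (shared by IE and Chrome) =='
Get-ProxySettings | Format-List ProxyEnable, ProxyServer, AutoConfigURL | Out-Host
```

Run it from the "Safe Mode with Command Prompt" window with `powershell -ExecutionPolicy Bypass -File persist.ps1`. The Run entry that CCleaner showed as "SearchProtection" is the kind of thing the first table lists, complete with the command line, so you can see which file on disk it points at before the registry cleaner removes the dangling entry. A Winlogon row marked Suspicious is worth more attention than anything in the Run keys, because it runs before the desktop does and Safe Mode does not skip it. After cleanup, the hosts and proxy sections should both come back empty.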
Hi

That is a fantastic write up. However it is very long for someone who has already read this and put it into practice to refer back to certain key points. Would it be possible for you to write up a summary of this post? As in a Step by step summary

THANKS :)
Wonderful guide.

I shall copy this and break it down to key points and then use it.

Thank you iPwn.

Mossiac
