I work in IT for a living at a Boston engineering school. As you might imagine, I have to deal with viruses quite often, but as of late I find myself cleaning more and more infected machines for friends/family outside of work, answering questions, etc. The best way to get rid of a virus is to never get it by practicing safe surfing habits and a little common sense. "Oh, this program that I've never seen before just scanned my 800gb hard drive in 3 seconds and found over two thousand infections! Of course I want to remove them now!"
But regardless, I felt it relevant to re-post this information here. If you ever get (or suspect) that your computer is infected, I am more than happy to help you attempt to clean it yourself rather than have you go out to geek squad (or similar) and pay absurd amounts of money for what you can do yourself. I originally wrote this at some point last summer and posted it on 3SI:
So, your computer is infected.
Every time you open up your browser you get redirected to porn.
You have popups trying to sell you porn.
You have a program telling you that your computer is infected and that if you buy some absurd application (it will usually have "antivirus" somewhere in the title) for 3 easy payments and one complicated payment of only $59.95 you can clean your computer!
So, what do you actually do to clean it?
Do you bring it to those PC guys in your town square who will charge you $75 for a PC Health report? If you're not comfortable with adding/removing software or running your computer in safe mode, not a bad idea. Hopefully this thread will get your feet wet with computing and get you comfortable with the Windows OS a bit more, and help you avoid bringing it in to your local PC repair guys.
Do you bring it to the Geek Squad at BestBuy? (HINT: NO.)
Basic assumptions ITT:
-You do not know anything about computers. I am going to try to put everything as plainly as possible - I hate it when I look up a tutorial on something that I am new at and it makes assumptions about what I already know.
-You have a high speed connection (FiOS, DSL, cable, ADSL, SDSL, etc.; not dial-up)
-You have access to the internet from another computer
-You have access to a flash drive
Your first step is to not panic. Everybody knows that bad things happen when you panic. Go ahead and disconnect your computer from whatever network it is on. If it has any wireless capabilities (as most laptops do), search for the switch on the body that will turn it off. You may or may not also have an Ethernet cable connecting your computer to your network (desktop computers will 99% of the time, this will vary with laptops depending on your working environment). Ethernet cables look like glorified telephone cables, with 8 pins. They will typically say "Cat 5" or "Cat 5e" or "Cat6" on them. Unplug this cable from either end (either your computer or modem/router). If you are on dial-up internet, disconnect the phone line from your computer.
From another computer, change your account passwords. It is very rare that your passwords were actually stolen, but it does happen. Be safe, change your passwords. Any websites, online banking, iTunes, Steam, NewEgg, anything. If you can log into it and have personal information stored there, change it. Do NOT do it on the computer that is infected. I repeat, do NOT do it on the computer that is infected.
Again, from another computer, and with the infected computer disconnected from your network, download this nifty little application called ComboFix.
A guide and tutorial on using ComboFix
This little guy is one of my best friends. Download it to your flash drive.
Plug the flash drive into the infected computer, go ahead and boot it up. Right here we are going to boot into Safe Mode with Networking.
When a computer boots, the first thing that you see is the BIOS screen during POST. POST is Power On Self Test; it is the computer's pre-boot sequence. For example, if you own a Dell you will see the Dell logo displayed on the screen, etc.
This is where you start pressing the F8 key. Press this until the Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, your computer may show some form of a "keyboard error" message. To resolve this, restart the computer and try again. Select Safe Mode with Networking (More on booting into safe mode, depending on your operating system.)
Copy & paste the ComboFix executable onto your desktop. Double click it. Your computer will likely beep a couple of times here, possibly quite loudly. This is normal.
Only if prompted to install the Windows Recovery Console may you connect this computer to the network via Ethernet cable. After the MS Windows Recovery Console has installed, immediately disconnect from any and all network connections. Let this program work its magic. Your computer will likely restart a couple of times during this process. Scanning can take up to a half hour for badly infected systems. It will definitely reboot if you are told that you have rootkit activity. If you don't know what this means, don't worry about it.
It is okay that your computer does not reboot into safe mode at this point.
When the scan is complete (potentially after a couple of reboots) your computer will display a logfile in Notepad telling you what was removed, what was running, etc. Save this to your desktop and give it a descriptive name. You can close this out now.
Browse to your C drive, in there you will find a folder named "Qoobox" - this was created by combofix. Open up the Quarantine folder, delete the folder named "C" under this. Empty your recycle bin.
C:\Qoobox\Quarantine\C - this is the folder that you are deleting.
It is okay to leave the "Registry_backups" folder and the catchme.txt file.
Open up your registry with the registry editor
(Click Start > Run... > regedit > enter) or (windows key + r > regedit > enter)
Select "HKEY_CURRENT_USER"
Press Ctrl+F and search for 127.0.0.1
The path that comes up should be similar to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
The highlighted entry will be a value named ProxyServer with data like http=127.0.0.1:5577 (or a similar value). This is what is forcing your browser through a proxy running on your own machine. Delete it (right click on ProxyServer, Delete).
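If you would rather check this on several machines without clicking through regedit, export the Internet Settings key to a .reg file (File > Export in regedit, or "reg export") and let a script look at it. The following is an added example, not part of the original post: it parses the exported text, flags a ProxyServer value that points at the local machine (the http=127.0.0.1:5577 pattern above), and writes out a .reg file that removes the value. The two exports in the code are constructed sample data; the check on ProxyEnable and AutoConfigURL goes a step beyond the post, since a proxy can also be hijacked through a PAC script.

```python
import re
from ipaddress import ip_address

INTERNET_SETTINGS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings")

# Constructed sample: roughly what the key looks like on a hijacked machine.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5577"
"ProxyOverride"="<local>"
"""

# Constructed sample: the same key on a machine with no proxy configured.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

# A value line is "Name"=data, or @=data for the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the text of a .reg file.

    REG_SZ ("...") is unescaped to a str, REG_DWORD (dword:hex) becomes an int,
    any other type is kept as its raw data string. regedit writes .reg files
    as UTF-16, so read a real export with open(path, encoding="utf-16").
    """
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escapes
        else:
            value = data
        keys[current][name] = value
    return keys


def proxy_targets(proxy_server):
    """Split ProxyServer data into (scheme, host, port) tuples.

    The data is either "host:port" (one proxy for everything) or a list such
    as "http=host:port;https=host:port".
    """
    targets = []
    for part in filter(None, (p.strip() for p in proxy_server.split(";"))):
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        targets.append((scheme, host, port))
    return targets


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def find_proxy_hijack(keys):
    """Return findings for the Internet Settings key; an empty list means clean."""
    settings = keys.get(INTERNET_SETTINGS, {})
    enabled = settings.get("ProxyEnable", 0) == 1
    findings = []
    for scheme, host, port in proxy_targets(settings.get("ProxyServer", "")):
        if is_loopback(host):
            state = "enabled" if enabled else "present but disabled"
            findings.append(f"ProxyServer sends {scheme} traffic to local proxy {host}:{port} ({state})")
    if settings.get("AutoConfigURL"):  # PAC script: same effect, not covered in the post
        findings.append(f"AutoConfigURL is set to {settings['AutoConfigURL']}; confirm it is expected")
    return findings


def removal_reg():
    """A .reg file that deletes ProxyServer (the fix above) and switches the proxy off.

    In .reg syntax "Name"=- removes a value. Import it with regedit or "reg import".
    """
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{INTERNET_SETTINGS}]\n"
            '"ProxyServer"=-\n'
            '"ProxyEnable"=dword:00000000\n')


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(f"{label}: {find_proxy_hijack(parse_reg_export(export)) or 'no proxy hijack found'}")
    print(removal_reg())
```

Run it as-is to see the two constructed exports compared, or replace INFECTED_EXPORT with the contents of a real export (remember the UTF-16 encoding). The regedit search in the post finds the same thing by hand; the script just makes the check repeatable.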
Next you will need to download and install the free version of MBAM (Malwarebytes' Anti-Malware) from this website:
Malwarebytes' Anti-Malware: Malwarebytes
(the download links may redirect you to MajorGeeks, this is okay)
After installation allow the program to update, run a complete/full scan with this. At this point it is unlikely that MBAM will have found anything, this is simply a supplemental scan.
Assuming MBAM finds nothing, next we are going to run CCleaner to tidy things up a bit - you can find that on this website: CCleaner - Optimization and Cleaning - Free Download
As a final precaution, I would recommend updating the virus definitions of your chosen anti-virus program.
General Avoidance guidelines
Use Firefox. Use it with ABP (Ad Block Plus). Allow both the browser and the add-on to update when there are updates that need to be applied. Most updates that are put out for applications like these are security updates and are there for your safety and convenience.
Stop using IE. Many viruses are targeted at IE, simple as that. There are many reasons why they are targeted at that browser, but they are not particularly relevant here. Unless you use a web app that only runs in IE, please do not use that browser. I hate the applications that I need to use for work that only run in IE.
Never give out your username or password for anything on the internet. I have never seen any company that needs your username and password for something. If there was a diabolical admin somewhere that really had it out for you and wanted to pose as you on some web forum, that admin has the power to change your password (I have never seen this happen either; I am just illustrating the point that for no reason should you ever give out your username and password. For anything).
Disclaimer: I take no responsibility if your machine tanks due to following these steps, missing steps, skipping steps, etc. ComboFix is a very powerful application and if misused can ruin your day. Buy an external drive and back up your important data to it. For example, if you store your school/work files, music, movies, etc. on your laptop computer, have copies of these files on your external hard drive. External storage is dirt cheap; an external 1 TB hard drive can be bought for under $90 and is more than enough storage for the average computer user.
-jeff