Thursday, Aug 19 2010

Remove a virus from your computer

Everything you click on generates a pop-up saying that your computer is infected.  You can't browse the web, open a word processor, or anything.  You're (rightfully) suspicious when the one page your computer can open is one that's offering to fix the problem once you input your credit card information. 

Congratulations.  You have a virus.

You do some research on-line (at work - because your home computer is too messed up) and find that your local retail chain charges $50 just to look at the computer with no guarantees.

So what do you do?  Well...for starters don't shell out the $50.

It's dreadfully simple to remove a virus from your computer.

If you're reading this chances are you have one computer in your life that isn't infected by a virus.  So you've got that going for you.  Don't panic.  Just read carefully and take deep breaths because you've got to be brave.  Fixing your own computer is going to be fun and you're not going to screw anything up (really).  You're not going to screw anything up.

The Symptoms - you will experience more than one of the following:

  • The computer is very slow. 
  • You have icons and pop-ups you've never seen before. 
  • There's a lot of busy stuff on the screen indicating you have a virus.
  • You try to CTRL-ALT-DELETE to "End Task" and that is unsuccessful.
  • You cannot browse the web.
  • There's a lot of stuff prompting you to activate your anti-virus.
  • There's stuff on the screen prompting you to scan or install...something.

Don't panic

It's dreadfully simple.  Read on.

This article applies to basically all Windows computers including Windows 7, Windows XP, and Windows 2000.  I took most of the screenshots from a Windows XP computer, but there are comparable settings in most, if not all, of the Windows Operating Systems.  If you can't figure it out just post.

Tools

You'll want a few things before you get started.  All are available for less than the $50 the retail chains will charge:

  • A single 1GB USB "thumb drive" (a smaller drive will do as well - if you have an ancient one about)
  • Access to a working computer to download some stuff

Both of these are optional - especially if your infected PC doesn't have a USB port.  Though if your computer doesn't have a USB port you should probably buy a new computer.

If you don't know what a USB port or a thumb drive is ask any kid at the mall.  Or go to an electronics store and ask the salespeople on the floor before you buy it from them.  A USB drive should cost around $10.

Step #1 (optional - though highly recommended)

Do this from a working computer that's connected to the Internet

Plug the USB drive into a computer that's not infected and with which you can freely browse the web.  There is a tool you'll need to download.

The AutoRuns program

You can find this tool at www.sysinternals.com or here.  Notice that the www.sysinternals.com page redirects to TechNet, which is Microsoft's site.  So you should be reassured somewhat that you're not downloading some random thing just because a guy on the web tells you to.

Downloading this tool is optional, but it'll save you a lot of time.

Navigate to the www.sysinternals.com site, click on the "Utilities Index" link and look for AutoRuns.  Download it and copy it to the USB "thumb" drive.  They may change up the site, so you could have a different experience.  I'm not affiliated with them, so this is how I did it a few minutes ago as of the time of this post.

To save time I would suggest downloading it to the working computer then extracting it.  Now copy the extracted files to the USB drive.  You won't want to mess around with extracting the files on your infected computer.  Let's clean it up as soon as possible.

Step #2 Safe mode (from the infected computer)

Turn off the infected computer.  Make sure it's completely off and not hibernating.  Now turn it on and hit the F8 key repeatedly - about once every two seconds.  Don't do it too fast or you'll start hearing a beep every time you mash the key.  That's bad.  You won't break anything - you'll just have to turn the infected computer off and start all over again. 

Hit F8 about once every two seconds as the computer starts up and you'll eventually get to an Advanced Startup Options menu.  Use the arrow keys to select the Safe Mode startup option.  You have to pay attention because there are other options on this screen and the screen only displays for about 30 seconds.  Beyond that it defaults to starting up normally and you'll have to power off again.

If you miss the startup options screen or select the wrong option or whatever don't panic.  You can simply power off and back on again.

You'll know you're in Safe Mode because your screen will look a bit off.  It won't have the clarity or definition you're used to.  That's okay.  Safe Mode isn't permanent.

Safe Mode starts the computer with limited driver support and limited startup options, so probably whatever has taken over your computer isn't running when you enter Safe Mode.

Log on as normal then plug the USB drive in.  Create a folder on your infected computer called AutoRuns and copy the AutoRuns files from your USB drive there. 

You can also run AutoRuns from the USB drive, but it will be godawful slow.  I would suggest copying it to the infected computer's hard drive.

Cleaning Your Computer

You're almost there.

Once you open AutoRuns you'll see a screen like this:


The picture above is of the "Everything" tab.  That's the default view when you open AutoRuns. 

AutoRuns tells you what is configured to run on your computer at startup - either from certain folders or from the registry or from wherever.  There's a lot of stuff configured to run on your computer at startup. 

Look through the list.  Pay attention to the "Publisher" and "Image Path" fields.  When you see a name like fsdiiygrsma.exe or something equally suspicious, stop.  Look at the "Image Path" field for this entry. 

Analyzing the Image Path column

The "Image Path" column identifies the file (including its location) that the computer is running every time it starts.  Look for a known publisher (i.e. "Adobe," "Microsoft Corporation", "Symantec", et cetera) as they are all usually safe.  Be aware of misspellings, however, as those are clever attempts to masquerade as legitimate programs.

Your virus is going to have an obscure name, no recognizable publisher, and the "Image Path" is generally going to contain an oddly named folder.  Virus makers these days may use random character string generators to name their virus executables and the folders that house them.  So files and folders with unpronounceable and unintuitive names should raise a red flag.

Liberally uncheck the boxes for these entries.  Bear with me.  We're not going to break anything.

Identify a few suspects for your possible virus and jot them down.  Uncheck the corresponding boxes in the left-hand column.  Jot down the "Image Path" entries. 
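As an added example (not part of the original post, and not anything AutoRuns itself does), here is the triage the last few paragraphs describe written out as a script: it reads a small table with the Entry, Publisher and Image Path columns, and flags entries with no publisher, a publisher that is a near-miss spelling of a known vendor, a random-looking executable name, or a path under a user profile or temp folder. The sample rows, vendor list and folder hints are constructed for illustration.

```python
import csv
import io
import re

KNOWN_PUBLISHERS = {"microsoft corporation", "adobe systems incorporated", "symantec corporation"}
PROFILE_HINTS = ("documents and settings", "\\users\\", "application data", "appdata", "\\temp\\")

# Constructed sample rows using the three AutoRuns columns the post tells you to read;
# the names, publishers and paths are made up and not taken from a real machine.
SAMPLE_ROWS = """\
Entry\tPublisher\tImage Path
AdobeUpdater\tAdobe Systems Incorporated\tc:\\program files\\common files\\adobe\\updater\\adobeupdater.exe
fsdiiygrsma\t\tc:\\documents and settings\\owner\\local settings\\application data\\qzxkvtb\\fsdiiygrsma.exe
SecurityCenter\tMicrosft Corporation\tc:\\documents and settings\\all users\\application data\\my security center\\scupd.exe
"""

def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one- or two-letter publisher misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(filename):
    """Unpronounceable stems: 8+ characters containing a run of 4+ consonants (y counts as one)."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 8 and re.search(r"[b-df-hj-np-tv-z]{4,}", stem) is not None

def triage_entry(publisher, image_path):
    """Return the list of red flags the post describes for one startup entry."""
    flags = []
    pub = publisher.strip().lower()
    if not pub:
        flags.append("no publisher")
    elif pub not in KNOWN_PUBLISHERS and any(edit_distance(pub, k) <= 2 for k in KNOWN_PUBLISHERS):
        flags.append("publisher looks like a misspelled known vendor")
    path = image_path.lower().replace("/", "\\")
    if looks_random(path.rsplit("\\", 1)[-1]):
        flags.append("random-looking executable name")
    if any(hint in path for hint in PROFILE_HINTS):
        flags.append("runs from a user-profile or temp folder rather than Program Files")
    return flags

def triage_table(tsv_text):
    """Map each Entry to its flags; two or more flags make it a suspect worth jotting down."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return {row["Entry"]: triage_entry(row["Publisher"], row["Image Path"]) for row in reader}
```

Calling `triage_table(SAMPLE_ROWS)` leaves the Adobe entry with no flags and marks the other two as suspects; a single flag on its own (an unknown but correctly spelled publisher, say) is a reason to look closer, not to uncheck.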

Tracking down the virus

Now start exploring your computer.  You want to browse the files on your PC.  You can do this in a number of different ways:

  • Hold the Windows key and press E
  • Double-click on the My Computer icon on your desktop
  • Click on Start > Run and input C:\
  • Navigate to Start > Programs > Accessories > Windows Explorer

I don't care how you do it, but you've got to open Windows Explorer.  It'll look something like this when you do:

Once there go to the Tools menu (keyboard shortcut Alt while mashing T) and select Options or Folder Options (depending on your Windows Operating System version). 

You now need to enable Windows Explorer to let you view hidden folders.  A lot of folders are hidden because they contain sensitive files.  We need to be able to view those because a lot of virus makers are adept enough to mark the folders containing their viruses as hidden so they aren't displayed by default.

Change the radio button and checkboxes so that hidden files and folders are shown rather than hidden.  I took a screenshot of this option on my Windows XP machine.  Windows 7 is similar.  I'm not going to tell you to delete anything yet, so calm down.

I'd check any settings prompting you to "Display the ..." as well.  Let's not keep secrets, eh?  Click Ok to finalize your changes.  Depending on your Windows Operating System (Windows XP versus Windows 7, et cetera) hidden folders will now appear in your display - albeit a little faded.

Now navigate to each suspicious entry you encountered in AutoRuns.  Rename the folder.  I suggest prefixing the name with a bang, or exclamation mark.  When sorted these will appear on top.

Again - I'm saying rename, here.  Don't delete.

The suspicious entries you jotted down when looking at AutoRuns generally stand out.  It used to be some pornographic reference to an unlucky celebrity (often misspelled).  Now virus authors are more sophisticated.  I just removed one today that was in the My Security Center folder.  Jerks. 

Once you've exhaustively gone through this list, and I would suggest only renaming three or four folders at a time, reboot.  Don't mash F8 - just start your PC normally.  If the virus reappears reboot into Safe Mode and rename your other top suspects.

Repeat until your computer is clean.  If your computer doesn't come clean you'll want to keep track of the folders you renamed.  Though generally I wouldn't worry about it:  the more garbage you eliminate from running automatically the faster your PC will perform.

How do I know the virus is gone?

Safe Mode doesn't allow for network connectivity - hence the USB drive.  While there is Safe Mode with Networking I've been unlucky with it personally so I don't recommend it.

When your computer allows you to hit CTRL-ALT-DELETE and enter Task Manager (to end tasks) or generally performs well after starting normally without Safe Mode you've probably circumvented whatever evil virus infected your PC.

But there could be an issue where you remove the virus and, upon opening Internet Explorer, it gives you a "page could not be displayed" error.

Open Internet Explorer.  Go to the Tools drop-down (keyboard shortcut Alt while mashing t).  Navigate to Internet Options.  Now bear with me...

There should be a LAN Settings tab on one of the resulting windows.  Clicking this will reveal a proxy server option.  There's hardly ever a proxy outside of a corporate network.  If you have a proxy setting that starts with 127.0.0.1 that was a virus entry.  Jot down the proxy server entry - just in case.

Now uncheck any boxes indicating that Internet Explorer should use a proxy.  Click Ok to finalize your changes.  Close out of any lingering Internet Explorer windows.  Now open a new one and explore the web as you did before the virus infected your computer.