
PC Infected with Virus

Discussion in 'General Software' started by OrbitzXT, Feb 29, 2012.

  1. OrbitzXT

    OrbitzXT New Member

    Joined:
    Mar 22, 2007
    Messages:
    1,969 (0.76/day)
    Thanks Received:
    59
    Location:
    New York City
    My boss isn't great with computers and clicked a link in an email she shouldn't have; now the PC is infected with one of those things asking for credit card info to buy antivirus software. I wasn't in the office today, so I didn't get to look at it myself, but I told her to boot into safe mode and try System Restore. It didn't work, though, and the virus/program still ran.

    Usually in these cases I would just reinstall Windows to make sure everything is clean. But she has data on this hard drive that can't be lost. When I go in tomorrow, I was going to see if I can copy the data to an external drive while in safe mode. I don't think it'll work, but I'll give it a shot.

    I *think* I have a second internal hard drive at my office. Could I put this in the PC, install Windows on it, boot into the clean Windows then copy the files from the hard drive with the infected Windows?

    Any suggestions how I should best deal with this?
  2. Radical_Edward

    Radical_Edward

    Joined:
    Jan 24, 2010
    Messages:
    3,586 (2.32/day)
    Thanks Received:
    1,921
    Location:
    Oregon, USA
    I dealt with one of these recently. The one I dealt with was running a process called sfc.exe and caused all sorts of nasty registry problems. (It also infected restore points.) I'd make sure to nuke the infection first with Malwarebytes before grabbing any of her data off it.
  3. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.90/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Try MSE as well; it may just catch and kill the virus. Or even AVG Free. You may be able to be the hero and not have to reinstall Windows at all!
  4. OrbitzXT

    OrbitzXT New Member

    Joined:
    Mar 22, 2007
    Messages:
    1,969 (0.76/day)
    Thanks Received:
    59
    Location:
    New York City
    Is it possible to install and run these programs while the PC is already infected? I got the impression it's not letting the user do anything.
  5. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.90/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Hmm. Maybe in safe mode; I do not know. Man, this sucks! You may just have to nuke the thing and hope that the boss has a backup copy of the files. Those kinds of viruses are tough and embed themselves all over the computer.
  6. Kreij

    Kreij Senior Monkey Moderator Staff Member

    Joined:
    Feb 6, 2007
    Messages:
    13,881 (5.28/day)
    Thanks Received:
    5,610
    Location:
    Cheeseland (Wisconsin, USA)
    I had a networked computer get one of these bastards.
    First thing to do is remove it (physically) from the network so it can't spread, if it's capable.
    I've found that many of these do not stop Malwarebytes from installing or running, so I would start there.
    What ultimately will be required depends completely on the malware.
    I have yet to get something on my network that I could not remove without reinstalling workstations... although it's been close. lol
    Keep at it, you'll win if you don't give up.
  7. DonInKansas

    DonInKansas

    Joined:
    Jun 2, 2007
    Messages:
    5,095 (2.03/day)
    Thanks Received:
    1,264
    Location:
    Kansas
    Depends. Sometimes you can run it in safe mode. Another trick is renaming the .exe when installing, and renaming it again when running it, so it is not recognized by the virus.
  8. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.90/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Another trick would be to isolate the hard drive: take it out of the computer and hook it up to another one with MSE, Malwarebytes and AVG installed, then do a scan of the infected hard drive. That would work also.
    driver66 says thanks.
  9. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    19,484 (6.35/day)
    Thanks Received:
    5,726
    I deal with cleaning these things 2-3 times a week, pretty easy once you know what to do.

    First of all, they usually set themselves up so that the virus runs whenever a program is executed (hence when anything is executed, even in Safe Mode, the virus will run instead).

    So the first thing you want to do is fix that issue. On a clean computer, copy and paste the following into a text file:

    Code:
    Windows Registry Editor Version 5.00
    
    ; Restores the stock .exe file association that the fake AV hijacks so that
    ; the virus runs in place of every program you launch.
    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
    
    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
    
    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "TileInfo"="prop:FileDescription;Company;FileVersion"
    "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
    
    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"
    
    ; Both verbs must launch the file itself: "%1" is the program, %* its arguments.
    ; On a hijacked machine the virus's own path sits here instead.
    [HKEY_CLASSES_ROOT\exefile\shell]
    
    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_CLASSES_ROOT\exefile\shell\runas]
    
    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    
    ; Shell extension handlers (drag-and-drop target and property sheet pages) for exefile.
    [HKEY_CLASSES_ROOT\exefile\shellex]
    
    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
    @="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    ; Also resets the Start Menu "Internet" entry for IE; the path assumes the
    ; default install location.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
    @="C:\\Program Files\\Internet Explorer\\iexplore.exe"
    
    
    Then save the text file as fix.reg. Put that file on a USB flash drive, and boot the infected computer into safe mode. Double-click the fix.reg file and tell it to add the information to the registry. If you are on Vista or Win7, it might give you an error about some things not being added successfully; don't worry about it, it still works.

    Next, from a clean computer, put Malwarebytes, TDSSKiller, and ComboFix on a USB flash drive. (You might want to do this at the same time you put the reg file on the flash drive, just to make things a little more efficient.)

    Then, while still in safe mode after installing the reg file (do not reboot!), install Malwarebytes. Update Malwarebytes and do a full scan. When it finishes, tell it to remove what it found. Then reboot and let it boot into normal mode. 9 times out of 10 this will completely take care of the virus. One of the major things you want to check is internet function, especially going to Google, doing a few searches, and clicking on a few results, making sure it is taking you to the correct webpage from the results. These viruses love to install Google redirect rootkits.

    If web pages aren't loading and you know the computer has a good internet connection, try checking Internet Options and going to the Connections tab. At the bottom will be a LAN Settings button. Go in there and make sure the box to use a proxy is not checked. These viruses love to set the computer to use a proxy of 127.0.0.1, which redirects everything through the virus on the machine to screw with the internet and only let certain pages through.

    If you are still having issues, run TDSSKiller. It will occasionally find rootkits that Malwarebytes misses, particularly ones that redirect from Google searches.

    Finally, after all of that, if you are still having issues, run ComboFix. If it asks you to update, do it, and if it asks you to install the Recovery Console, don't. Only run ComboFix as a last resort! ComboFix is extremely aggressive. Even the author has admitted it will likely completely brick 1 out of 100 machines, making Windows completely unbootable even in safe mode, and I've had it do this on more than one occasion. However, it is a great thing to try if you are one step away from reformatting anyway.

    Now, for the OP's question directly: yes, you can put another hard drive in, install Windows to that, and copy the important files over. Make sure you have a good AV installed before even hooking up the old drive, though. You can do this, but personally I prefer to clean the virus. Yes, it might take longer, but it is better to have the experience of doing it, just in case there is a time when reformatting isn't an option.
    HTC, Daimus, stinger608 and 2 others say thanks.
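    As an added check, not part of newtekie1's post or of any tool he names: the small .reg-format parser below runs offline, on a clean machine, against a registry export taken from the infected drive and flags the two indicators described above, an exefile open/runas command that is anything other than "%1" %*, and ProxyEnable=1 pointing at 127.0.0.1. It also looks under HKEY_CURRENT_USER\Software\Classes, because a per-user hijack there overrides the HKEY_CLASSES_ROOT values the fix.reg restores. The two sample exports, the file name gbqtx.exe and port 5555 are constructed for the example, not captured from a real infection.

```python
"""Offline audit of a .reg export for the two rogue-AV tricks the thread describes:
a hijacked .exe association (the virus runs instead of every program) and a forced
127.0.0.1 proxy. Added example, not code from the post. Real exports are UTF-16LE;
read them with encoding="utf-16" before passing the text to audit()."""
import re
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, object]]  # lower-cased key path -> {lower-cased value name: value}
_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # [Key] or [-Key] (key deletion)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=... or "Name"=...
EXPECTED_EXE_COMMAND = '"%1" %*'  # stock handler: run the file itself with its arguments
HIVES = (r'hkey_classes_root', r'hkey_current_user\software\classes',  # HKCU wins in merged HKCR
         r'hkey_local_machine\software\classes')

def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape only backslash and double quote

def _parse_value(raw: str) -> object:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex'):  # hex: / hex(2): / hex(7): comma-separated bytes
        return bytes(int(b, 16) for b in raw.split(':', 1)[1].split(',') if b.strip())
    return None if raw == '-' else raw  # "-" deletes the value; anything else kept as-is

def parse_reg(text: str) -> RegTree:
    """Parse .reg text into {key path: {value name: value}}, joining hex continuation lines."""
    tree: RegTree = {}
    current: Optional[str] = None
    pending = ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.endswith(',\\'):  # hex data continues on the next line
            pending = line[:-1]
            continue
        key = _KEY_RE.match(line)
        if key:
            delete, path = key.groups()
            current = None if delete else path.lower()  # values under a [-Key] are ignored
            if current is not None:
                tree.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, raw = val.groups()
            name = '@' if name == '@' else _unescape(name[1:-1]).lower()
            tree[current][name] = _parse_value(raw)
    return tree

def check_exe_association(tree: RegTree) -> List[str]:
    """Flag .exe not mapped to exefile, or an exefile verb running anything but "%1" %*."""
    findings = []
    for hive in HIVES:
        ext = tree.get(hive + r'\.exe', {}).get('@')
        if isinstance(ext, str) and ext.lower() != 'exefile':
            findings.append('%s\\.exe points at %r instead of exefile' % (hive, ext))
        for verb in ('open', 'runas'):
            key = r'{}\exefile\shell\{}\command'.format(hive, verb)
            cmd = tree.get(key, {}).get('@')
            if isinstance(cmd, str) and cmd != EXPECTED_EXE_COMMAND:
                findings.append('%s hijacked: %r' % (key, cmd))
    return findings

def check_proxy(tree: RegTree) -> List[str]:
    """Flag ProxyEnable=1 pointed at loopback: the 'only some pages load' symptom."""
    findings = []
    for path, vals in tree.items():
        server = str(vals.get('proxyserver', ''))
        if (path.endswith(r'\internet settings') and vals.get('proxyenable') == 1
                and re.search(r'127\.0\.0\.1|localhost', server, re.I)):
            findings.append('%s: ProxyEnable=1 with loopback proxy %r' % (path, server))
    return findings

def audit(text: str) -> List[str]:
    tree = parse_reg(text)
    return check_exe_association(tree) + check_proxy(tree)

# Constructed samples for this example; gbqtx.exe and port 5555 are made up, not real IOCs.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:38,07,\
  00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\boss\\AppData\\Local\\gbqtx.exe\" -a \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
'''
```

    To use it against a real machine, export the relevant keys while booted from clean media (for example `reg export HKCU\Software\Classes hkcu-classes.reg /y` against a loaded offline hive, or from the clean second-drive install the OP describes), open the file with encoding="utf-16", and pass the text to audit(). It only detects; the fix.reg above is what puts the association back, and a per-user hijack under HKEY_CURRENT_USER\Software\Classes has to be deleted separately since the fix.reg writes only to HKEY_CLASSES_ROOT.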
  10. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.90/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Wouldn't it be easier to just take the hard drive out, hook it up to a clean computer, and run AVG or MSE and Malwarebytes to clean the hard drive? The hard drive would be isolated and not booted up, just sitting there, as long as you do not access it. But still, this is a vote for a sticky! Great job.
  11. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    19,484 (6.35/day)
    Thanks Received:
    5,726
    The viruses get past AVG/MSE pretty easily. Malwarebytes might work on the hard drive offline, but I've had greater success scanning the drive directly from the OS installed on it.
    trickson says thanks.
  12. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.90/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Thank you, good to know. This has helped me out greatly too.
  13. stinger608

    stinger608

    Joined:
    Nov 11, 2008
    Messages:
    6,713 (3.38/day)
    Thanks Received:
    3,104
    Location:
    Wyoming
    Just had a very similar issue with a client's PC yesterday. What I have found easiest in recent months is Kaspersky's Rescue Disk 10. With a second application one can create a bootable USB flash drive.

    Here is the link, with the instructions on how to create the bootable flash drive:

    http://support.kaspersky.com/faq/?qid=208286083

    Right below this statement:

    There are two files. One is the latest ISO for Rescue Disk 10, and the other is the utility to create the bootable USB flash drive.

    I ran the program twice on the client's system yesterday, which by the way took about 6 hours to complete, and it cleaned two of the fake "antivirus" viruses out along with over 60 other Trojans, malware, adware, and other viruses.

    After all was said and done, I booted into Windows normally, installed Microsoft Security Essentials, ran the updates and a scan, and all was clean.

    Difficulty level is about a 2 out of 10, so most people who are not even "tech savvy" would be able to follow this without much issue.

    Of course, I am assuming that anyone wishing to use this method realizes all the downloads and making of the flash drive have to be done on a clean system. LOLOLOL
  14. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    7,989 (2.59/day)
    Thanks Received:
    1,084
    I have a tool in the network section that took care of an infection at work.
  15. yuki2012

    yuki2012 New Member

    Joined:
    Feb 10, 2012
    Messages:
    3 (0.00/day)
    Thanks Received:
    0
    My computer has been infected with a virus, too...
    So upset.
  16. moocow0463

    Joined:
    Dec 28, 2007
    Messages:
    394 (0.17/day)
    Thanks Received:
    13
    Most of the time the virus won't infect random files; it's looking for key registry or .exe files. Backing up your hard drive and reinstalling is usually the fastest and easiest way. newtekie1's method will work, but there is a chance you'll miss a few corrupted files etc., and by the time you run tests, delete registry entries, clean the registry, run more tests, delete files, run a few scans, delete more, and report back here every time with logs so we can see if it's 100% clean, you could have backed up and installed Windows 3-4 times.
  17. FreedomEclipse

    FreedomEclipse Crazy Dogmatic Bullsh!t!

    Joined:
    Apr 20, 2007
    Messages:
    13,018 (5.09/day)
    Thanks Received:
    2,058
    One suggestion.....

    COMBOFIX

    It's saved a lot of machines that I've worked on which most techs will say are beyond saving and to reinstall your OS.
  18. TheMailMan78

    TheMailMan78 Banstick Dummy

    Joined:
    Jun 3, 2007
    Messages:
    20,635 (8.21/day)
    Thanks Received:
    7,244
    This thing seems old, honestly. How do you even get infected by this thing? I remember seeing it a few years ago. Is this a new variant?
  19. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    19,484 (6.35/day)
    Thanks Received:
    5,726
    It also completely breaks a lot of machines; not something I would try first, but something I would use if reformatting is the only other option.

    There are new variants coming out all the time.
  20. FreedomEclipse

    FreedomEclipse Crazy Dogmatic Bullsh!t!

    Joined:
    Apr 20, 2007
    Messages:
    13,018 (5.09/day)
    Thanks Received:
    2,058
    If by 'completely breaks' you mean it breaks the CD/DVD autorun feature, then yeah, that's an unfortunate side effect of this program. But I'd rather my OS still be in working condition and relatively virus-free so I can make backups (if I have to), so it depends if you really think it's necessary to reinstall the OS.
  21. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    19,484 (6.35/day)
    Thanks Received:
    5,726
    No, I mean it completely breaks the OS. As in no booting, no safe mode, nothing. There are other ways to clean the virus that are less aggressive that should be tried first, unless you are already at the point of reformatting anyway.
  22. FreedomEclipse

    FreedomEclipse Crazy Dogmatic Bullsh!t!

    Joined:
    Apr 20, 2007
    Messages:
    13,018 (5.09/day)
    Thanks Received:
    2,058
    Never heard of that happening before; I haven't experienced it either...

    I think it's partly down to how deeply rooted the virus or malware is in your system. It might delete system/operation-critical files that have been infected by the virus and cause such problems.

    Obviously reformatting is always easier and the most preferred method IMO.
  23. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    19,484 (6.35/day)
    Thanks Received:
    5,726
    There are plenty of threads about it if you search the net for it. I've seen it happen a few times, but like I said I clean 2-3 PCs a week, so over the years I've cleaned hundreds of computers. And like I said it breaks about 1 in 100, so unless you've used it on at least 100 computers, it isn't likely that you've ever seen it happen. It has happened to me 3 or 4 times over the years.
  24. TheMailMan78

    TheMailMan78 Banstick Dummy

    Joined:
    Jun 3, 2007
    Messages:
    20,635 (8.21/day)
    Thanks Received:
    7,244
    What's the most common way to get it? Is it Java-based?
  25. nelnel76 New Member

    Joined:
    Apr 25, 2012
    Messages:
    1 (0.00/day)
    Thanks Received:
    0
    Corrupted memory problems are then virus related?
