PC Infected with Virus

OrbitzXT

My boss isn't great with computers and clicked a link in an email she shouldn't have, now the PC is infected with one of those things asking for credit card info to buy anti virus software. I wasn't in the office today so I didn't get to look at it myself, but I told her to boot into safe mode and try system restore, it didn't work though and the virus/program still ran.

Usually in these cases, I just would reinstall Windows to make sure everything is clean. But she has data on this hard drive that can't be lost. When I go in tomorrow, I was going to see if I can copy the data to an external while in safe mode. I don't think it'll work, but I'll give it a shot.

I *think* I have a second internal hard drive at my office. Could I put this in the PC, install Windows on it, boot into the clean Windows then copy the files from the hard drive with the infected Windows?

Any suggestions how I should best deal with this?
 
Joined
Jan 24, 2010
I dealt with one of these recently. The one I dealt with was running a process called sfc.exe and caused all sorts of nasty registry problems. (It also infected restore points.) I'd make sure to nuke the infection first with Malwarebytes before grabbing off any of her data.
 

trickson

Try MSE as well, it may just catch and kill the virus. Or even AVG Free. You may be able to be the hero and not have to even reinstall Windows at all!
 

OrbitzXT

Is it possible to install and run these programs while the PC is already infected? I got the impression it's not letting the user do anything.
 

trickson

OrbitzXT said:
Is it possible to install and run these programs while the PC is already infected? I got the impression it's not letting the user do anything.

Hmm. Maybe in safe mode, I do not know. Man this sucks! You may just have to nuke the thing and hope that the boss has a backup copy of the files. Them kind of viruses are tough and imbed all over the computer.
 

Kreij

I had a networked computer get one of these bastards.
First thing to do is remove (physically) from network so it can't spread if it's capable.
I've found that many of these do not stop Malwarebytes from installing or running, so I would start there.
What ultimately will be required depends completely on the malware.
I have yet to get something on my network that I could not remove without re-installation of workstations ... although it's been close. lol
Keep at it, you'll win if you don't give up.
 
Joined
Jun 2, 2007
OrbitzXT said:
Is it possible to install and run these programs while the PC is already infected? I got the impression it's not letting the user do anything.

Depends. Sometimes you can run it in safe mode. Another trick is renaming the .exe when installing and renaming it again when running it so it is not recognized by the virus.
 

trickson

Another trick would be to isolate the hard drive: take it out of the computer and hook it up to another one with MSE, Malwarebytes and AVG installed, then do a scan of the infected hard drive. That would work also.
 

newtekie1

I deal with cleaning these things 2-3 times a week, pretty easy once you know what to do.

First of all, they usually set themselves so that the virus runs whenever a program is executed (hence when anything is executed, even in Safe Mode, the virus will run instead).

So the first thing you want to do is fix that issue. So on a clean computer copy and paste the following into a text file:

Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

Then save the text file as fix.reg. Put that file on a USB flash drive, and boot the infected computer into safe mode. Double click the fix.reg file and tell it to add the information to the registry. If you are on Vista or Win7 it might give you an error about some things not being added successfully, don't worry about it, it still works.

Next, from a clean computer put Malwarebytes, Tdsskiller, and Combofix on a USB flash drive. (You might want to do this at the same time you put the reg file on the flash drive just to make things a little more efficient.)

Then, while still in safe mode after installing the reg file (do not reboot!), install Malwarebytes. Update Malwarebytes, and do a full scan. When it finishes, tell it to remove what it found. And then reboot, let it boot into normal mode. 9 times out of 10 this will completely take care of the virus. One of the major things you want to check is internet function. Especially going to Google and doing a few searches, and clicking on a few results, making sure it is taking you to the correct webpage from the results. These viruses love to install Google redirect rootkits.

If web pages aren't loading and you know the computer has a good internet connection, try checking Internet Options and going to the Connections tab. At the bottom will be a LAN Settings button. Go in there and make sure the box to use a proxy is not checked. These viruses love to set the computer to use a proxy of 127.0.0.1, which redirects everything through the virus on the machine, to screw with the internet and only let certain pages through.

If you are still having issues, run Tdsskiller. It will occasionally find rootkits that Malwarebytes misses, particularly ones that redirect from Google searches.

Finally, after all of that, if you are still having issues run Combofix. If it asks you to update, do it, and if it asks you to install the recovery console don't. Only run Combofix as a last resort! Combofix is extremely aggressive. Even the author has admitted it will likely completely brick 1 out of 100 machines, making Windows completely unbootable even in safe mode, and I've had it do this on more than one occasion. However, it is a great thing to try if you are one step away from reformatting anyway.

Now, for the OP's question directly. Yes, you can put another hard drive in and install Windows to that, and copy the important files over. Make sure you have a good AV installed before even hooking up the old drive though. You can do this, but personally, I prefer to clean the virus. Yes, it might take longer, but it is better to have the experience in doing it just in case there is a time where reformatting isn't an option.
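
Added example, not part of newtekie1's post or of any tool named in the thread: a Python audit of an exported .reg file for the two changes described above, a hijacked .exe handler and a loopback proxy. The per-user `HKEY_CURRENT_USER\Software\Classes` hive and the `Internet Settings` `ProxyEnable`/`ProxyServer` values are standard Windows locations assumed here rather than taken from the post; the sample export, the `xyzfile` handler name and the file path in it are constructed.

```python
import re

GOOD_PROGID = "exefile"      # default value of HKCR\.exe in the fix.reg above
GOOD_COMMAND = '"%1" %*'     # default value of exefile\shell\open\command
# HKEY_CLASSES_ROOT is a merged view: per-user entries override machine-wide
# ones. Listed lowest precedence first (standard Windows paths, an assumption
# of this example, not something stated in the thread).
CLASSES_SOURCES = (
    "hkey_local_machine\\software\\classes\\",
    "hkey_classes_root\\",
    "hkey_current_user\\software\\classes\\",
)
INTERNET_SETTINGS = ("hkey_current_user\\software\\microsoft\\windows"
                     "\\currentversion\\internet settings")
LOOPBACK = re.compile(r"(^|[=;/])(127\.\d+\.\d+\.\d+|localhost)(:|;|$)", re.I)


def _decode(raw):
    """Decode one .reg value: quoted string, dword, or anything else kept raw."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into
    {lowercased key path: {lowercased value name ('' = default): data}}.
    Real exports are UTF-16: read them with open(path, encoding="utf-16")."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)       # join hex: continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _decode(m.group(1))
            current[name.lower()] = _decode(m.group(2))
    return keys


def effective_classes(keys):
    """Rebuild the merged HKCR view that decides what runs for a file type."""
    merged = {}
    for prefix in CLASSES_SOURCES:
        for key, values in keys.items():
            if key.startswith(prefix):
                merged.setdefault("hkcr\\" + key[len(prefix):], {}).update(values)
    return merged


def audit(text):
    """Return (finding, value) tuples for a hijacked .exe handler or loopback proxy."""
    keys = parse_reg(text)
    classes = effective_classes(keys)
    findings = []
    progid = str(classes.get("hkcr\\.exe", {}).get("", GOOD_PROGID)).lower()
    if progid != GOOD_PROGID:
        findings.append(("exe-progid", progid))
    for verb in ("open", "runas"):
        cmd = classes.get(f"hkcr\\{progid}\\shell\\{verb}\\command", {}).get("")
        if cmd is not None and cmd != GOOD_COMMAND:
            findings.append((f"exe-{verb}-command", cmd))
    inet = keys.get(INTERNET_SETTINGS, {})
    server = str(inet.get("proxyserver", ""))
    if inet.get("proxyenable") == 1 and LOOPBACK.search(server):
        findings.append(("loopback-proxy", server))
    return findings


# Constructed sample export (not from a real machine): a per-user .exe
# override pointing at a made-up handler, plus a proxy set to 127.0.0.1.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="xyzfile"

[HKEY_CURRENT_USER\Software\Classes\xyzfile\shell\open\command]
@="\"C:\\Users\\boss\\AppData\\Local\\example-rogue.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
'''

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_EXPORT):
        print(f"{finding}: {value}")
```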
 

trickson

Wouldn't it be easier to just take the hard drive out and hook it up to a clean computer and run AVG or MSE and Malwarebytes to clean the hard drive? The hard drive would be isolated and not booted up just sitting there as long as you do not access it. But still this is a vote for a sticky! Great job.
 

newtekie1

trickson said:
Wouldn't it be easier to just take the hard drive out and hook it up to a clean computer and run AVG or MSE and Malwarebytes to clean the hard drive? The hard drive would be isolated and not booted up just sitting there as long as you do not access it. But still this is a vote for a sticky! Great job.

The viruses get past AVG/MSE pretty easily. Malwarebytes might work on the hard drive offline, but I've had greater success with scanning the drive directly from the OS installed on it.
 

trickson

newtekie1 said:
The viruses get past AVG/MSE pretty easily. Malwarebytes might work on the hard drive offline, but I've had greater success with scanning the drive directly from the OS installed on it.

Thank you, good to know. This has helped me out greatly too. :respect:
 

stinger608

Just had a very similar issue with a client's PC yesterday. What I have found the easiest in recent months is Kaspersky's Rescue Disk 10. With a second application one can create a bootable USB flash drive.

Here is the link, with the instructions on how to create the bootable flash drive:

http://support.kaspersky.com/faq/?qid=208286083

Right below this statement:

Kaspersky said:
2. Download the iso image of Kaspersky Rescue Disk 10 and a special utility

There are two files. One is the latest ISO for Rescue Disk 10, and the other is the utility to create the bootable USB Flash drive.

I ran the program twice on the client's system yesterday, which by the way took about 6 hours to complete, and it cleaned two of the fake "antivirus" viruses out along with over 60 other Trojans, malware, adware, and other viruses.

After all was said and done, I booted into Windows normally, installed Microsoft Security Essentials, ran the updates and a scan, and all was clean.

Difficulty level is about a 2 of 10, so most people that are not even "tech savvy" would be able to follow this without much issue.

Of course I am assuming that anyone wishing to use this method realizes all the downloads and making of the flash drive has to be done on a clean system. LOLOLOL
 
Joined
Nov 4, 2005
I have a tool in the network section that took care of an infection at work.
 

yuki2012

My computer has been infected with a virus, too...
so upset
 
Joined
Dec 28, 2007
Most of the time the virus won't infect random files; it's looking for key registry or .exe files. Backing up your hard drive and reinstalling is usually the fastest and easiest way. newtekie's method will work, but there is a chance you'll miss a few corrupted files etc., and by the time you run tests, delete registry, clean registry, run more tests, delete files, run a few scans, delete more, and report back here every time with logs so we can see if it's 100% clean, you could have backed up and installed Windows 3-4 times.
 

FreedomEclipse

One suggestion.....

COMBOFIX

It's saved a lot of machines that I've worked on which most techs will say is beyond saving and to reinstall your OS
 

TheMailMan78

This thing seems old honestly. How do you even get infected by this thing? I remember seeing it a few years ago. Is this a new variant?
 

newtekie1

FreedomEclipse said:
One suggestion.....

COMBOFIX

It's saved a lot of machines that I've worked on which most techs will say is beyond saving and to reinstall your OS

It also completely breaks a lot of machines, not something I would try first but something I would use if reformatting is the only other option.

TheMailMan78 said:
This thing seems old honestly. How do you even get infected by this thing? I remember seeing it a few years ago. Is this a new variant?

There are new variants coming out all the time.
 

FreedomEclipse

newtekie1 said:
It also completely breaks a lot of machines

If by 'completely breaks' you mean it breaks the CD/DVD Autorun feature, then yeah. That's an unfortunate side effect of this program. But I'd rather my OS still be in working condition and relatively virus free so I can make backups (if I have to), so it depends if you really think it's necessary to reinstall the OS.
 

newtekie1

FreedomEclipse said:
If by 'completely breaks' you mean it breaks the CD/DVD Autorun feature, then yeah. That's an unfortunate side effect of this program. But I'd rather my OS still be in working condition and relatively virus free so I can make backups (if I have to), so it depends if you really think it's necessary to reinstall the OS.

No, I mean it completely breaks the OS. As in no booting, no safe mode, nothing. There are other ways to clean the virus that are less aggressive that should be tried first unless you are already at the point of reformatting anyway. :toast:
 

FreedomEclipse

newtekie1 said:
No, I mean it completely breaks the OS. As in no booting, no safe mode, nothing. There are other ways to clean the virus that are less aggressive that should be tried first unless you are already at the point of reformatting anyway. :toast:

Never heard of that happening before, I haven't experienced it either...

I think it's partly down to how deeply rooted the virus or malware is in your system. It might delete system/operation critical files that have been infected by the virus and cause such problems.

Obviously reformatting is always easier and the most preferred method IMO.
 

newtekie1

FreedomEclipse said:
Never heard of that happening before, I haven't experienced it either...

I think it's partly down to how deeply rooted the virus or malware is in your system. It might delete system/operation critical files that have been infected by the virus and cause such problems.

Obviously reformatting is always easier and the most preferred method IMO.

There are plenty of threads about it if you search the net for it. I've seen it happen a few times, but like I said I clean 2-3 PCs a week, so over the years I've cleaned hundreds of computers. And like I said it breaks about 1 in 100, so unless you've used it on at least 100 computers, it isn't likely that you've ever seen it happen. It has happened to me 3 or 4 times over the years.
 

TheMailMan78

What's the most common way to get it? Is it Java based?
 

nelnel76

Corrupted memory problems are then virus related?
 