TechPublishing Now MS Certified

Professor Robert McMillen, MBA Microsoft Certified Trainer and Solutions Expert

Saturday, April 7, 2012

What if my computer is infected with a new virus?

By Robert McMillen, Koin’s Tech Guru

I guess we need to take a quick break from all the iPad and other tablet news to concentrate on something that seems to plague all Windows users at one time or another, and that is what to do when you get a virus that even your antivirus can’t protect you from.

I see this every week. People bring their computers to us to fix what they thought they were protected from: worms, viruses, Trojans. You name it, they’ve got it, and in many cases they didn’t even visit websites that were considered high risk. High risk sites would be gambling, adult entertainment, and social networking sites like MySpace and Facebook. The people with infected computers had antivirus software. They may even have had anti-malware software. It just doesn’t seem to matter.

This hit my sister’s computer this weekend. Despite having the latest antivirus software and even a program to protect her web browser from websites that could infect her PC, she still got hit. Now I’m going to tell you how the pros get rid of your computer viruses when you bring them to us, and it’s not that difficult if you take it one step at a time.

I have previously covered the differences between viruses and other malware, so we’re not going to get caught up in terminology. We will just refer to them generically as viruses, even though technically all intrusion based software installations come under the name of “malware.”

I’m going to refer to some products for home users that are absolutely free. I don’t recommend them for businesses because they have additional security requirements that will cost money and do additional things you may not need. We will also use Windows XP as the example since most computers are running this version. Although the principles apply to Vista and Windows 7, the actual locations of various different things to check may be slightly different.

I also want to express that I take no liability for any changes you may make to your computer. This is a “do at your own risk” venture. These things work for us, however, so they are based on sound advice.

Let’s assume you have obtained a virus on your computer despite having antivirus software that’s up to date and running in the background. This is what I had to deal with on my sister’s computer this weekend, so I will walk you through what I did to resolve it.

After attempting to boot the computer into Windows, the screen went blue for a second and then rebooted over and over. I went ahead and chose the F8 key during the next reboot and tried to boot in Safe Mode and other modes with no success. I had to assume that the virus had damaged the hard drive and a repair was in order. I booted from a Windows CD and I chose the repair option. When I was presented with a command prompt, I typed in a command that fixes the hard drive (hopefully) and allows me to remove the virus in Windows. The command was chkdsk /r /p. This locates bad parts of the hard drive and repairs them.

Success! I was back in Windows, but now the virus was launching itself and trying to tell me it was infected. It asked me if I wanted to fix the infection. I know this is an old trick that downloads new viruses and makes the infection even worse. Fortunately, I had disconnected the network cable so it couldn’t go online to download any more baddies.

Since I couldn’t locate the virus using antivirus software, I knew I had some choices. I downloaded a free copy of Malwarebytes which you can get online by going to Download.com. I also downloaded Spybot Search and Destroy. Since she already had this program, I knew that the Spybot program wouldn’t help with this infection, but I saved it for later. The virus wouldn’t let me go to Download.com so I had to do it on another computer and save it to a USB flash drive. I copied it to the desktop for installation after the next step.

I then right-clicked on My Computer and chose Properties. I checked the box to disable System Restore. If you don’t do this when you remove the software, it will automatically re-add itself from the saved files in the restore area, and the virus will come back. Then I rebooted into Safe Mode by pressing F8 on reboot and choosing that option.

I installed Malwarebytes in Safe Mode and it found ten viruses, which I was able to remove. I scanned one more time to be sure that the virus didn’t create any new ones from the time I discovered the viruses and when I cleaned them. Everything was good, so I rebooted.

I was disappointed, but not surprised that another virus appeared upon reboot. This was going to be harder than I thought, but I’ve been down this road before. I had a virus at the Hillsboro airport that took almost three days to clear out. They even named the virus after one of our techs since we discovered it.

I went back to Safe Mode so the virus couldn’t launch and stop my efforts and opened the registry. You get there by going to the Start-Run command and typing in regedit. I wanted to find out what was launching when Windows opened in regular mode. I had to go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I looked to see what programs ran at startup. Some of them I knew, but just to be sure I typed each one of them into a search on the web. Some viruses look like regular files with one letter off just to be harder to detect. They were all fine except one. There was a file that ran at startup called vnvlsftav.exe. I did a search online and found nothing on this file, so I knew I had discovered a new one.
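As an added example (not part of the original column), the same check of the Run key can be done offline against a regedit export: the Python below parses the export and flags any startup entry whose file name is not on a list you trust, or is one character off from a name on it. The sample export and the allow-list are constructed for illustration; only vnvlsftav.exe comes from the article.

```python
import ntpath
import re

# Constructed regedit export; only vnvlsftav.exe comes from the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"svch0st"="\"C:\\WINDOWS\\svch0st.exe\" /background"
"vnvlsftav"="C:\\WINDOWS\\system32\\vnvlsftav.exe"
'''

# Hypothetical allow-list: file names you have already looked up and trust.
KNOWN_GOOD = {"soundman.exe", "ctfmon.exe", "svchost.exe", "explorer.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def exe_name(command):
    """Lower-cased file name of the program in a Run command line."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r'\s*(.+?\.exe)\b', command, re.I)
         or re.match(r'\s*(\S+)', command))
    return ntpath.basename(m.group(1)).lower() if m else ""

def one_edit_apart(a, b):
    """True if a and b differ by one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def audit_run_key(reg_text):
    """Return (value name, file name, verdict) for entries not on the allow-list."""
    findings = []
    for line in reg_text.splitlines():
        if not (m := VALUE_RE.match(line)):
            continue  # header, key path, blank line or non-string value
        name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())  # undo .reg escaping
        exe = exe_name(data)
        if exe not in KNOWN_GOOD:
            twin = next((g for g in sorted(KNOWN_GOOD) if one_edit_apart(exe, g)), None)
            findings.append((name, exe, f"lookalike of {twin}" if twin else "unknown, research it"))
    return findings

if __name__ == "__main__":
    print(*audit_run_key(SAMPLE_REG), sep="\n")
```

A real regedit export is saved as UTF-16, so read it with open(path, encoding="utf-16") before passing the text to audit_run_key.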

I searched the hard drive for this file and any other ones like it that started with “vnv” by going to the Start menu and choosing “Search.” I typed in vnv*.* so it would find any file that started with those letters. I found two. One was the exe file that was the new virus. The other had a similar name but ended in .pf instead of .exe. A .pf file is used to make the virus load and run faster. It can also be used to locate and run new viruses locally and on the web.

I deleted both files and also deleted them from the Recycle Bin. Then I deleted the key that looked for the file in regedit, which I had previously opened. It’s also a good idea to back up the registry before making any changes. You can do this from the menu at the top of the regedit program.

I restarted the computer and the virus was no longer launching. I double-checked regedit, and I also ran msconfig from the Start-Run menu. This allowed me to see if it had lodged itself in the Startup tab there as well. Everything was looking good, but then I had to deal with the damage the virus had done. I could put the Windows CD in and run a repair of Windows, but that takes a long time and you have to have your Windows key handy in order to reactivate Windows during the process.

Instead, I put the Windows CD in the computer and ran a very useful command. I went to Start-Run again and this time I typed in sfc /scannow. This replaces all the important DLL files that make Windows and all your programs run. Viruses like to corrupt or replace these files to cause all kinds of havoc.

Next, I wanted to do a few more things like install Spybot Search and Destroy, and run an online scan. Spybot Search installed and ran fine. I also activated the web browser protecting Tea Timer application that’s included. I then attempted to go to Trend Micro’s website at trendmicro.com to run the free Housecall application. This does a scan of your computer online and removes any viruses. I like to run multiple programs because very rarely does any one application remove everything. You should only have one antivirus program on your computer running because sometimes they fight each other and disable each other without you knowing about it. Apparently, their programmers never learned good manners.

Unfortunately, I was unable to reach any website. However, I quickly remembered that many viruses like to change a setting in the web browser that’s easy to fix. Just go to Tools-Options, and then the Connections tab in Internet Explorer. Uncheck the proxy settings buttons and then everything works as usual. There are similar buttons for other web browsers.

If I had been unable to remove the virus, then I would have removed the hard drive and plugged it into a USB enclosure. Then I would have plugged it into a known clean computer and scanned and removed the virus from there. That is assuming I had a virus that is known by an antivirus program. In this case, it was a new one that no one knew about, so I had to use the sleuthing techniques I spelled out for you here.

Now she’s back to surfing the web and causing other kinds of trouble, and I can get back to … working on…… everyone else’s computers.

If you have an interesting virus story please let me know about it.

For great tips, check back here each week and listen to me on the All Tech Radio show at 9:00 Sunday mornings on AM 1360 KUIK, or listen online at http://alltechradio.com.
To buy my latest book “How to be an IT Administrator,” go to http://howtobeanitadministrator.com/

If you would like your technical question answered here, just email rmcmillen@koin.com. Even if it doesn’t get answered in the column, I will always answer by email.
Published Monday, February 08, 2010 8:49 AM by Katatkoin