What to do When you Get a Virus (and how to remove it)

Wednesday, June 02, 2010

I'm not even sure how it happened. I was browsing the internet like usual, and had multiple tabs open. I think I had Grooveshark open, and was researching stuff on ferrets. I must have clicked a bad link or something, but a couple of seconds later, my AVG popped up with a warning message telling me that something was trying to download to my computer: Trojan Crypt.ce. I hit "move to Vault" and the message disappeared, and I saw right behind it what looked like the AVG interface (kind of), and just to be sure I got everything, I hit scan now. I was busy, I didn't look carefully enough, and I didn't check...

By hitting scan now, I was pretty much giving this interface permission to do things to my computer. My computer slowed down instantly. I still didn't even realize that it was this interface causing the problem. I was getting pop-up balloons from my system tray all saying "so and so file is infected." What killed me was when it said my AVG.exe was infected... which meant my last course of action, my virus detection software, was gone.


Three things I should have noticed:
1. The antivirus interface I was seeing, which LOOKED like my normal one, was not.
2. All the pop-ups were coming from a Windows icon, the green check/shield. If there was a problem with my computer, it would have been red.
3. There was no X on the antivirus interface.

Let me explain a little bit about what's going on at this point. A virus is a piece of code that duplicates itself onto other files. It will find a file and rewrite the file with itself in it, AND whatever else is in the code... but it mainly replicates itself across your computer. While you may take out the source, there are duplicates of itself hidden in the files on your computer, and you may not realize it. What's worst is when it hides itself in your OS files, or even worse than that, the Windows Registry (which most people hate getting into anyway). Usually, once it rewrites your OS files, your computer is done for, and you have to reinstall the OS unless you have special tools to remove it.

Sometimes you can't remove it. If things go too far, there's nothing you can do.... When in complete doubt, turn the computer off... The virus can't spread while it's off. Don't just shut down Windows. Shut down the computer altogether. Hold the power button down so it shuts off.

I guess I should mention that if your antivirus software still works... for goodness' sake use it. Start the scan. Get rid of the virus that way. But viruses are getting smarter. They can overpower the AV if they get the chance.

I've never felt so stupid in my life.... I'm really good about these things.  So.  Here's what to do:

1. Turn off the internet connection
Why? The biggest reason is so you don't infect the network. If you're sitting here going... how am I supposed to research how to get rid of this? There are lots and lots of other people around with computers you can use. I immediately flipped off the wireless switch on the side of my computer, which was good, because AVG (still fighting for the life of my computer) started warning me that information was trying to be sent to a certain IP via a certain port, which it now couldn't, due to the fact that there was no internet connection... so, reason number 2: the virus may be uploading or downloading things. In this case, after researching the Trojan on my computer, it turns out it steals information from my computer and uploads it to some server somewhere. Bye bye identity... You can slow down the symptoms by removing this pathway.

2. Don't Panic
Breathe for a second and try and figure out where it's coming from. In my case I already had the source. If you're like me, you use your computer enough to realize when things are wrong. Things are slow, a file stops responding. Not all these things point to a virus, but you know things are out of the ordinary. A quick and easy way to see where your problems are most likely coming from is to have Windows Task Manager open all the time. Remember how on the older machines you had to hit CTRL + ALT + Delete, and you'd get a window that pops up to show you the programs that are running? (You can still do this, and select Task Manager.) But you can also right-click on the taskbar and click Task Manager. This is why:


See the green square that looks like a checkerboard? This is what shows up in the system tray when you have Task Manager running. If it's completely full with light green color, your processor is being pegged by something, which will slow your computer down. The fuller this box is, the slower your computer is going.

If you open Task Manager, most people stay on the Applications tab. If you go to the Processes tab:


You can sort by CPU to see what's using your processor. In the case that something has infected your computer, you can usually see it here. However, that's if you can get here in the first place.

If something is TRYING to cause a problem, like say your browser, usually the CPU for your browser process will be off the wall, and if you kill it here, the problem usually goes away. (Browsers are notorious for memory leaks.) If you're having problems, this is a good place to start.
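The Processes tab sorted by CPU is the manual version of the check below. This is an added PowerShell example, not the author's code: it lists running processes by CPU time, shows where each executable lives, and flags any that run out of user-writable locations (AppData, Temp), which is where the rogue program in this post turned out to live. The `Test-SuspectPath` helper and the `Suspect` column are names chosen for this example.

```powershell
# Added example, not from the original post. Roots that a normal, installed program
# rarely runs from; a process whose executable sits under one of them deserves a look.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectPath {
    param([string]$Path)
    foreach ($root in $suspectRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

# Path is $null for processes this session is not allowed to inspect (system processes
# when not elevated); those are skipped rather than mis-reported as "clean".
Get-Process |
    Where-Object { $_.Path } |
    Sort-Object CPU -Descending |
    Select-Object Id, ProcessName,
        @{ Name = 'CPUSeconds'; Expression = { [math]::Round([double]$_.CPU, 1) } },
        @{ Name = 'Suspect';    Expression = { Test-SuspectPath $_.Path } },
        Path |
    Format-Table -AutoSize
```

Run it from an elevated prompt to see the paths of system processes too. A high CPU count alone is not proof of anything (a busy browser will top the list, as the post says); the Path column is what tells a known program apart from an unknown executable dropped into a profile folder.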

My source, however, was this STUPID interface that I couldn't shut down by clicking an X, and I couldn't right-click the icon in my system tray to shut it down, and I couldn't get into Task Manager to shut down this rogue program....

3. Reboot your computer
There are some viruses out there that are called boot sector viruses. These infect the boot sector of your computer and prevent it from loading. Pretty much at that point your computer is hosed, unless you have some kind of boot sector removal tool. REBOOTING YOUR COMPUTER DOES NOT MAKE THE INFECTION GO AWAY. Just to be clear. If you're using a school computer or something, then yes, it will, as most such computers use a program called Deep Freeze to return computers to a previous state. I had a specific reason for restarting: I needed to get in and stop whatever it was from loading. At this point, there are 2 things you can do (I chose the 2nd one):

A. Boot into Safe Mode:
After forcing your computer to shut down, you should receive a message that says something to the effect of "The OS was not shut down properly; I'm going to give you some options or choose for myself in 30 seconds." Usually the options are Safe Mode, Safe Mode with Networking, and boot Windows normally. You should choose Safe Mode with Networking, so you can get internet access. Then download new antivirus software, scan the computer, and delete whatever it finds. THIS WILL MOST LIKELY NOT REMOVE EVERYTHING, but it will most likely stop the symptoms. You will probably need someone to clean out the registry.

What is Safe Mode? I'm glad you asked. Safe Mode is essentially booting into Windows with limitations. Only the bare minimum is loaded to make your computer work. Chat programs, Steam, anything else you have that loads on startup will not be loaded. This makes it so you can access your computer and remove files that aren't being run. Usually if you have problems with your computer, booting into Safe Mode is a good way to go.

B. Be risky and hope you can get it out before it destroys your computer
For the record, I don't recommend this. The Safe Mode way to go is much better... but I loaded into Windows, and as soon as I could, opened Task Manager, and waited for the trojan to show its face. As processes started loading, I turned them off... like MSN Messenger, Skype, Steam, and Turbine. I KNOW my processes. I can look at my processes and know where they come from and what they're doing. If there was an unknown process I'd see it... and there it was. FFVSTONblahblah.exe

What a nasty string.  At this point, I was seeing the pop ups again, and as I shut down this executable, the pop ups went away.

* sigh of relief *

Now, I needed to go find it.

I wandered into the registry (kids, don't try this without adult supervision) and wandered to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and there it was: the location of the trojan. I ran out to that folder location under App Data and deleted the ENTIRE folder (the trojan folder, not the App Data folder... that's bad!). Then I came back and deleted the key. Then I went out to make sure it wasn't in HKEY_LOCAL_MACHINE in the same place. And it wasn't.

This would stop it from loading every time my computer was run.
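The registry walk above (check the user's Run key, then the machine's, delete the program folder and then the value) can be done in one pass. This is an added PowerShell example, not the author's code: it enumerates the Run and RunOnce autostart keys for the current user and the machine, resolves each command to its executable, and flags entries that launch from AppData, which is where the trojan in this post was found. Removal runs as a dry run (`-WhatIf`) until you pass `-Force`. The function names `Get-AutostartEntries`, `Resolve-CommandExe` and `Remove-AutostartEntry` are chosen for this example.

```powershell
# Added example, not from the original post. The keys the post checked by hand, plus the
# RunOnce variants and the 32-bit view on a 64-bit Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds to every result; they are not autostart values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandExe {
    param([string]$Command)
    # Quoted form: "C:\path\to\prog.exe" /args
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: try progressively longer space-delimited prefixes until one exists.
    $parts = $Command.Trim() -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $exe = Resolve-CommandExe ([string]$prop.Value)
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = [string]$prop.Value
                Exe       = $exe
                Exists    = Test-Path -LiteralPath $exe -PathType Leaf
                InAppData = ($exe -like "$env:APPDATA\*") -or ($exe -like "$env:LOCALAPPDATA\*")
            }
        }
    }
}

function Remove-AutostartEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [switch]$DeleteFolder,   # also remove the program's own folder (never AppData itself)
        [switch]$Force           # without it, only report what would be removed
    )
    $entry = Get-AutostartEntries | Where-Object { $_.Key -eq $Key -and $_.Name -eq $Name }
    if (-not $entry) { throw "No autostart entry '$Name' under $Key" }
    if ($DeleteFolder -and $entry.InAppData -and $entry.Exists) {
        Remove-Item -LiteralPath (Split-Path $entry.Exe -Parent) -Recurse -WhatIf:(-not $Force)
    }
    Remove-ItemProperty -Path $Key -Name $Name -WhatIf:(-not $Force)
}

# Audit: anything with InAppData = True that you do not recognise is worth investigating.
Get-AutostartEntries | Format-Table Name, InAppData, Exists, Exe -AutoSize
```

The HKLM keys need an elevated prompt to read completely and to remove from. Plenty of legitimate software (updaters, chat clients) autostarts from AppData too, so the flag is a prompt to look, not a verdict; the post's own check, recognising every process and autostart entry you expect, is still the deciding step.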

This is the point when you would research anything you knew about what happened, to make sure you get everything. I ran a search for AntiVirus Soft, which was the name of the interface, found all the registry keys, removed them, and THEN ran a scan from a virtual drive outside my hard drive via a boot CD to ENSURE that it wasn't on my computer anymore.

Now, one thing I should point out. Some viruses will change your internet options so you can't get on the internet. This one did for me. In fact, it made it so that when you launched your browser, it would take you to a page where you had to buy software to 'remove' this virus. If this is the case you have to make a quick edit:

1. Open your browser. Go to your internet options.
Chrome -> the Wrench icon -> Options:

Under the Hood -> Change proxy settings:

IE: Tools -> Internet Options

These 2 will take you to the same place:

2. Click LAN settings, and make sure that the proxy is unchecked. And voila... your internet should work again.
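The LAN settings checkbox that the steps above toggle is backed by a handful of per-user registry values, so the same check can be scripted. This is an added PowerShell example, not the author's code: it reads the WinINet proxy settings that Internet Options edits, reports whether a proxy or a PAC script is set, and clears them, as a dry run unless `-Force` is given. The names `Get-WinInetProxy`, `Test-ProxyLooksHijacked` and `Disable-WinInetProxy` are chosen for this example.

```powershell
# Added example, not from the original post. Internet Options -> LAN settings writes here.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    $s = Get-ItemProperty -Path $inetKey
    [pscustomobject]@{
        ProxyEnable   = [int]$s.ProxyEnable      # 1 = "Use a proxy server" is checked
        ProxyServer   = [string]$s.ProxyServer   # host:port, empty when none is set
        AutoConfigURL = [string]$s.AutoConfigURL # "Use automatic configuration script" URL
    }
}

function Test-ProxyLooksHijacked {
    $p = Get-WinInetProxy
    # A proxy you did not set up, or a PAC script, is how the post's redirect to a
    # "buy our software" page was done. Compare against whatever you expect on this PC.
    ($p.ProxyEnable -eq 1 -and $p.ProxyServer) -or [bool]$p.AutoConfigURL
}

function Disable-WinInetProxy {
    param([switch]$Force)   # without it, only report what would change
    Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0 -WhatIf:(-not $Force)
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $inetKey -Name $name -ErrorAction SilentlyContinue -WhatIf:(-not $Force)
    }
}

Get-WinInetProxy
if (Test-ProxyLooksHijacked) { Disable-WinInetProxy }   # add -Force to apply the change
```

Do this after the rogue program has been stopped and removed (the order the post uses), otherwise it can simply write the proxy back. Browsers read these values when they start, so close and reopen the browser after clearing them. On a work machine that really does use a proxy or a PAC file, the check will flag a legitimate setting; the point is to know what the value should be and notice when it is something else.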

So. I'm actually typing this on the computer that should have been screwed. Just because you get a virus doesn't mean it's the end of the world. If you're careful with what happens after you get one, it IS possible to save everything. And if you're scared, there are people around who know how to do it themselves (like me).

Anything I forgot? Or any other ideas? Let me know! If you need help... let me know!

Just an FYI.  I'm usually not that stupid.... I was just severely preoccupied with boy problems... it could happen to anyone... :)

3 thoughts:

Kristen K said...

Well done. Glad you got rid of the trojan!

Sailor July said...

Hey, Laura! Thank you for following my blog. ^_^

Excellent "How To" here. I've spent a lot of time trying to explain computer-related how-tos to people and it's not easy. You wrote a wonderfully simple and helpful guide. I hope this will help those who aren't in the know!!!

Emphasis said...

Interesting that it took you this long to come across it. Those types have been up for at least a couple years now. I guess now the pop-up blockers are not sufficient. I ran into one while watching episodes of Futurama. Closing it normally on the screen still gets it stuck to you. Fortunately, I was too suspicious when I first found it to let itself download all the way. Found out what it was on the internet later (This was a little over a year ago). Though, nothing like trial and error to figure things out. Take care with the Achaeans!
