
Cleaning up a virus

Recently I took in a PC that was infected with a virus.  I had some fun cleaning it up because I found it relatively easy, and had a good feeling that the malware was totally eradicated by the time I finished.

-- What were the symptoms?
The infected machine was barely usable.  The wallpaper had been replaced with a large "your pc is infected with a virus!!!" high-contrast banner, popups with fake scans and virus alerts were rampant, and features such as ctrl+alt+del were disabled.  Many of these popups were from "Internet Security 2010," a bogus program.

-- What was the cause?
This computer had been hit with a couple of "low"-threat droppers/trojans.  Symantec called them Packed.Generic.271 and Downloader.MisleadApp.

-- How'd the cleanup go?
Four steps, basically.  Fairly quick and easy.
1) Image the hard drive.  ALWAYS start with a good backup.  I use Acronis TrueImage Home, and highly recommend their product.

2) Plug the hard drive into another PC and run a scan across it to remove the infected files.  I use a cheap USB to IDE/SATA adapter.  I've been through a few of these with varying results.  I used one from VanTec this time.

3) Open the software registry hive of the infected PC and fix the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key.  The value was c:\windows\system32\winlogon32.exe and should be c:\windows\system32\userinit.exe, (the trailing comma is part of the correct value).

  This step took me a little while.  The symptom here was that Windows was stuck in a logon loop: once I logged in, Windows would log right back out automatically.  Safe mode was also affected.  Google told me pretty early on that my problem was the aforementioned registry key, but what I didn't know how to do was open a registry hive from one PC in another PC.  Turns out it's easy, and can be done using regedit.  Just run regedit, select any key, then File -> Load Hive.  I found the aforementioned key in the 'software' hive at windows\system32\config\software.  Once loaded, you'll see the hive below whatever key you loaded it into.  Now you can make the change above!  To unload the hive, just select the top key (of the loaded hive), and File -> Unload Hive.
   Before I figured out how to load hives in regedit, I tried restoring a previous version of the registry with Windows.  I started by backing up windows\system32\config\[sam & default & system & software & security], and then I copied versions in from windows\repair.  I got this idea from a knowledge base article.  This did not work out.  After this change, I was able to log in, but I could not get Windows to recognize the keyboard or mouse!
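The offline-hive check and repair from step 3, scripted instead of clicked through in regedit. This is an added example, not code from the original post: it assumes it is run as Administrator on the second PC, that the infected drive's SOFTWARE hive sits at the placeholder path below, and that the mount key name OfflineSoftware is arbitrary.

```powershell
# Added example: load the infected PC's SOFTWARE hive under a temporary key,
# compare the Winlogon\Userinit value with the known-good value, and optionally
# restore it. Run without -Fix to only report.
param(
    [string]$HivePath = 'E:\Windows\System32\config\software',   # placeholder: mounted infected drive
    [switch]$Fix
)

$mount    = 'HKLM\OfflineSoftware'                                           # arbitrary mount key name
$winlogon = 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Known-good value from the write-up; the trailing comma is part of it.
$expected = 'c:\windows\system32\userinit.exe,'

# Same as File -> Load Hive in regedit.
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath (are you running as Administrator?)" }

try {
    $props  = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    $actual = $props.Userinit

    if ($actual -ieq $expected) {
        Write-Host "OK       Userinit = $actual"
    } else {
        # A missing value or anything other than userinit.exe (e.g. winlogon32.exe) is suspect.
        Write-Host "SUSPECT  Userinit = '$actual' (expected '$expected')"
        if ($Fix) {
            Set-ItemProperty -Path $winlogon -Name 'Userinit' -Value $expected
            Write-Host "FIXED    Userinit = $expected"
        }
    }
}
finally {
    # Drop handles first, otherwise reg unload fails with "access denied".
    $props = $null
    [System.GC]::Collect()
    & reg.exe unload $mount | Out-Null     # same as File -> Unload Hive
}
```

Note that a SYSTEM or user hive can be checked the same way by changing the hive path and key; only the SOFTWARE hive is shown here because that is where the post found the problem.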

4) Return the hard drive to the original PC, boot it, and fix the following items:
   4a) A registry tweak that had disabled the ability to change the active desktop wallpaper
         The NoActiveDesktopChanges value should be 0 to allow changes to the desktop.
   4b) A group policy setting that had disabled ctrl+alt+del
        Here's a site with a few methods to repair it.
   4c) Repair the TCP/IP stack and winsock layer.
         I figured it was corrupted because I wasn't really online.  The symptoms were that no application could get online, even though I had correct DHCP information from my DHCP server.  When I went to ping, I would see weird ASCII characters in place of the IP address and get a beep from the terminal before I got the ping results (but I did get the ping results).  Repairing this trouble has gotten easy, and a simple search on CNET got me a program that will fix both the TCP/IP stack and the winsock layer (not sure if my terminology is accurate there; I just know that when I get weird ASCII when pinging, this is my go-to fix).  I simply installed the program, ran both fixes, rebooted, and then uninstalled the program.