Virus Identification and Removal
In this part of our series we are going to discuss virus identification and removal. I am not going to quote any sources or send you off on an info-chase to cross-reference what we go over here. Instead, I am going to give you a sort of show-and-tell based on some of the experiences we have documented over the years.
Please note, there is a wealth of different interpretations and acronyms for the various types of viruses and malware variants in the wild today. The differences between Trojans, rootkits, adware, scareware and the many other variants out there are sometimes vast, and sometimes almost nonexistent, depending on what you stumble across. It is quite easy to end up in the middle of a digital debate if you use the terms interchangeably in front of the wrong person. So for the sake of this part of the series we will be going over one of the newer Trojan.FakeAlert variants.
Playing in the Lab
Back in the day I was among a few others who would get into all kinds of trouble with my teacher for experimenting with viruses in the lab (we called it “The Matrix”). He would tell me, “Do not create viruses, because you cannot quarantine them with 100% certainty!” But the ignorance of my youth would overwhelm good sense, and I ended up creating experimental boot sector viruses for analytical purposes.
It was not until my teacher conveniently found an infected blank “test virus” floppy disk that I had inadvertently misplaced that I realized how right he was. As a consequence I spent the next day or so scanning every floppy disk in the lab to ensure that none of them had been cross-contaminated.
I am able to laugh about it now looking back on the situation, yet at the time it was not funny at all. The reason I mention the lab event at all is to highlight one very important fact: once a computer virus is created, whether for benevolent or malicious purposes, and released into the wild, it becomes extremely difficult, if not impossible, to quarantine the problem.
Do You Know How to Remove a Virus?
This is a common question customers ask when they call us. Although the simple answer is “Yes,” there are a few other questions we ask as well. For example, we often ask:
- “What type of symptoms are you experiencing?”
- “How long has this been happening?”
- “Did these symptoms happen all at once or did the change happen gradually?”
The answer to each of these questions can quickly help us determine what actions to take in removing the virus from the infected computer.
Fake Virus Alerts
Over the last four or five years there have been several variations of Trojan.FakeAlert viruses released on the World Wide Web. One of the more recent detections is the Security Shield Fake Alert (pictured below).
If you are an average to mid-level user, this program may seem harmless and even helpful. But that could not be further from the truth. This is a screenshot of an actual Trojan.FakeAlert variant.
This virus was injected into the code of another website. What that means is that all you have to do is visit the infected website and you will almost immediately receive the following alert.
Whether you click “No” or “Yes” you will still receive the following pop-up (this photo was taken with a camera and not a screen shot because the computer had already been taken over at this point):
If you are reading this, there is a good possibility that you have already read Part 1 and Part 2, either because you think you have a virus or you are pretty sure you have a virus. If you have not covered the first two parts, you may want to consider going over them before the following steps.
Since you are assumed to have already tested all of your hardware at this point, it is pretty safe to say that you do have some type of virus on your system. The next logical step in the process is to begin your virus removal. Again, we are proceeding under the assumption that you are pretty sure you have a virus and that all of the hardware in your computer has passed hardware testing.
How to Remove a Virus
There are a variety of different techniques you may hear about, but this technique is, to me, one of the easier ones to implement. If you have another computer, you will need to download a boot disk of some sort. You can download the AVG or Kaspersky rescue disks, or whichever recovery disk you are most comfortable using. You can find direct links to their downloads here: http://computercornerhawaii.com/wpp/free-anti-virus-sofware/
I will be removing the “Internet Security” fake alert from a computer for this example. The following video is what it looks like when infecting a PC…
Once you have downloaded the recovery disk and burned it to a bootable DVD, the next step is to restart your computer with the bootable recovery disk or rescue disk inserted. You may have to tap Escape, F2 or F12 during startup to access the Boot Options and select the DVD/CD option.
Be sure to select the DVD/CD drive at your boot option prompt. The objective is to get your computer to boot from the bootable disk you created, and not from the infected hard drive in your computer. Once you have selected the DVD/CD drive and begun the startup process, you should see the rescue program starting.
If you get an error like this, no worries; it only means you need to check which boot disk you have downloaded.
Whatever program you choose, the main idea is to be comfortable using it. In these example videos I am using Microsoft System Sweeper; as of this posting it is still available for download, but you must create a Hotmail account to download it. Please note that each video is just one step in the overall process, so if you are following along, it is recommended that you watch each in sequence.
Once your boot disk has loaded completely, look for the option to update the software. This is extremely important. Some of the newer viruses in the wild are not detected by antivirus software unless it has been updated. Updating the antivirus software on your rescue disk ensures that you are detecting and removing the latest threats. It can literally mean the difference between spending a day removing the problem and spending a week or two of downtime trying to get your computer back up and running normally again.
Once you have updated the antivirus software on your rescue CD, start your scan right away, as it may take several hours to complete.
When the scan is complete and you are able to see the results, be sure to check whether any of the infected files are Windows system files. The reason is that if you delete a system file you may inadvertently render your PC unable to start.
If you do not know what a system file looks like, or you are unsure whether you should remove the threat, you may want to ask someone who knows what these types of files look like, or you could call us. Either way, your computer will remain infected unless you remove or disinfect the threat.
Once you have removed the virus and restarted your computer, you should have a more stable system without the Internet Security pop-up or icons on your desktop.
I must add that once you have completed your scan from the boot disk, removed the viruses found and restarted your computer, it is always a good idea to run one more scan from within Windows. You can use your currently installed antivirus software if you so choose. Either way, at a minimum I would recommend updating the software before running the new scan.
Another option is to uninstall your old antivirus software and install a different one. For example, if you had a version of Norton Internet Security Suite installed when you initially caught the virus, you could uninstall it and install Microsoft Security Essentials (or another antivirus program of your choosing).
What I like to do is install, update and then run Malwarebytes and ESET. Once both have completely scanned my computer, I install, update and scan with Microsoft Security Essentials. Last but not least, I run CCleaner to clear out any broken file associations, temporary Internet files or no-longer-active virus components.
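The scan-results review step above (checking whether a detection sits in a Windows system directory before choosing to delete rather than quarantine it) can be turned into a small triage script. This is an added example, not code from the original post or from any rescue disk; the `path;threat` log format, the file names and the detection names are constructed for the example, and the directory lists are an assumption about where Windows keeps boot-critical files.

```python
import ntpath
from dataclasses import dataclass
# Directories Windows needs in order to boot: a detection here gets "review", never an
# automatic delete, because removing the wrong file can leave the PC unable to start.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# User-profile locations where fake-alert droppers usually sit; nothing here is needed to boot.
USER_DIRS = (r"c:\users", r"c:\documents and settings", r"c:\programdata")

@dataclass
class Verdict:
    path: str      # path and detection name exactly as the scanner reported them
    threat: str
    action: str    # "quarantine" or "review"
    reason: str

def normalize(path: str) -> str:
    """Lower-case, unify slashes and collapse '..' so a disguised path is judged by where it really points."""
    return ntpath.normpath(path.strip().strip('"').replace("/", "\\").lower())

def triage(path: str, threat: str) -> Verdict:
    p = normalize(path)
    def under(roots):
        return any(p == r or p.startswith(r + "\\") for r in roots)
    # User locations first: a user-profile file with a system-sounding name is still a user file.
    if under(USER_DIRS):
        return Verdict(path, threat, "quarantine", "user-profile location, not needed to boot")
    if under(SYSTEM_DIRS):
        return Verdict(path, threat, "review", "inside a Windows system directory; confirm before removing")
    return Verdict(path, threat, "review", "unrecognised location")

def triage_log(text: str) -> list:
    """Parse 'path;threat' lines (a constructed format, not any product's real output)."""
    verdicts = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            path, _, threat = line.partition(";")
            verdicts.append(triage(path.strip(), threat.strip() or "unknown"))
    return verdicts

# Constructed sample scan output; file names and detection names are made up for this example.
SAMPLE_LOG = r"""
C:\Users\Guest\AppData\Local\Temp\ISecurity.exe;Trojan.FakeAlert (constructed)
C:/users/guest/desktop/Internet Security.lnk;Trojan.FakeAlert (constructed)
C:\Windows\System32\example.dll;Trojan.FakeAlert (constructed)
C:\Users\Guest\..\..\Windows\System32\example2.dll;Trojan.FakeAlert (constructed)
"""
if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        print(f"{v.action:10} {v.path}  [{v.threat}]  {v.reason}")
```

The fourth sample line shows why the paths are normalized first: it starts under the user profile but resolves into System32, so it is flagged for review rather than waved through.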