Before we start: be careful while following these steps, as some of them can cause adverse effects on your computer if done incorrectly. I do not give any warranty or accept blame for anything you do to your computer.
For the last few days, we have been getting reports of a new security risk: a trojan (or simply, a virus infection) that shows a popup asking for money and does not let you do anything on your machine until you enter a password (which they "give" you in exchange for about 5000 US Dollars).
Earlier today, I had my own run-in with this infection when I downloaded and executed a file by mistake and was immediately met with the irritating screen asking me to enroll for "some scheme" or else risk losing my data. Unfortunately for the culprit, I'm not some regular user to be scared by such tactics, so here's what I did:
1) I immediately pressed Alt + Ctrl + Del and then shut down my computer (Most Critical).
2) I went and personally switched off my ADSL Router (to disable internet).
These first 2 steps are critical to prevent the culprit from stealing / destroying any data in your machine.
Then, I went and lay down for a while to get my bearings straight... Back after 10 mins.
3) I restarted my computer and kept pressing F8 till I saw the Windows Boot options (This screen lets you decide which parts of Windows should be enabled when your computer starts).
4) I selected "Start Windows in Safe Mode" and pressed Enter. Windows started and I logged in.
5) I went to the start menu and clicked on "Computer". This shows the File Explorer (known as "My Computer" in earlier versions of Windows).
6) In the top right is a Search box. In that search box, I typed "generator.exe" (This is the file I had executed which brought the infection, but in your case, the file name may differ. You will easily remember the file name as the popup comes as soon as you click on the file.)
7) In the search results, I saw all the places on my computer where this file exists and then I deleted all of them.
8) The actual infection is in a file called "svchost .exe" (there is a space between "t" and "."). I then proceeded to search and delete all files having this name. Additionally, the Windows Search feature also lets us search for files created or modified on a particular date, so search without a name but enter the time in "date modified". Delete all files created around the time the infection started. (Critical).
9) Go to Start, type "msconfig" and press Enter. It will display the Windows Configuration tool. This lets us customize various things about Windows, such as which programs to start, the mode in which to start Windows and so on. I went to the tab called "Services" and checked the "Hide all Microsoft Services" checkbox. This showed only those background programs which are not made by Microsoft (and are therefore not part of Windows).
Look for the service having the funniest looking name (it will be random alphanumeric text like rj3efneuftj83209 or something similar). Uncheck the checkbox next to it (this stops it from running the next time you start your computer).
10) Go to the tab called "Startup" and uncheck the checkbox next to the program having the funniest looking name. (Again, since these names are random, I'm sorry but I can't be specific; rest assured that if something is important for your computer to work, it won't be in this list, so it's quite safe to do this on a trial-and-error basis too.) Click OK to save everything and close.
11) Go to Start, type "regedit" and press Enter. If you get an Administrator (User Account Control) prompt, click Yes. This is the Registry Editor, which lets us change almost all Windows settings. Please note that the changes made here are not reversible, so be careful!!
12) On the left side of your window, you will see a "tree view of entries". We then proceed to delete suspicious entries. On the left side select "HKEY_LOCAL_MACHINE" and then select "Software". Delete any entries having funny looking names. (This won't mess up your machine so don't worry).
13) Then, select Microsoft -> Windows -> CurrentVersion. You will see "Run" and "RunOnce". In each of them, delete any entries with funny looking names. (This won't mess up your machine so don't worry).
14) In the same group, select "Shell Extensions" and under that delete entries having funny looking names. Take it slow as deleting something wrong in this section can make some options disappear from Windows.
15) Then, select Microsoft -> Windows NT -> CurrentVersion. Proceed to locate and delete entries with funny looking names.
16) Under "HKEY_LOCAL_MACHINE", select System and select "CurrentControlSet". Under this, there will be 2 entries starting with "WOW". Delete the one with the longer name. To ensure that all copies of this are deleted, also delete from any other location using the Search feature.
17) Go to "C:\Users\<Your User name>" (example: c:\users\abc). Do the same with "D:", in case your Windows is installed there. Look for a folder called "AppData". It's a hidden folder, so in case you don't see it, enable viewing of hidden files and folders from "Folder Options". It has 3 subfolders: Local, Roaming and LocalLow.
Goto each of these folders and proceed to delete any files / folders having funny looking names. (This is very important as most virus infections keep one or more backup copies here).
18) When all is said and done, restart your machine. You will not get irritated by that infection anymore.
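The checks in steps 6 to 17 can be gathered into one read-only triage pass so that you see everything before deleting anything. The script below is an added example and is not part of the original post: it lists stray "svchost*.exe" copies outside the Windows folder, executables written under each profile's AppData after a chosen time, services whose binary is not under the Windows folder (the same view msconfig gives with "Hide all Microsoft services"), the Run and RunOnce autoruns, and the Winlogon Shell value under Windows NT\CurrentVersion (which lock-screen infections commonly replace; the default is explorer.exe). It deletes nothing. It assumes Windows 7 or later with PowerShell 3.0+, an elevated prompt started in Safe Mode, and the $SinceTime parameter is a placeholder for when the popup first appeared; the "random-looking name" test is a heuristic for the post's "funny looking names", not a definitive rule.

```powershell
# Added example, not from the original post. Read-only triage of the locations
# the post has you check by hand; review the report, then remove entries as the
# post describes. Assumes Windows 7+ with PowerShell 3.0+, run elevated.
param(
    [datetime]$SinceTime = (Get-Date).AddHours(-6)   # placeholder: when the popup first appeared
)

$report = New-Object 'System.Collections.Generic.List[string]'

# Heuristic for steps 9, 10 and 15: "funny looking" names are long runs of
# letters and digits with no separators, such as rj3efneuftj83209.
function Test-RandomLookingName {
    param([string]$Name)
    return ($Name -match '^[A-Za-z0-9]{10,}$') -and ($Name -match '\d') -and ($Name -match '[A-Za-z]')
}

# Step 8: the genuine Service Host lives in System32 (and SysWOW64 on 64-bit).
# Any svchost*.exe under user or temp folders, including "svchost .exe", is suspect.
foreach ($root in @("$env:SystemDrive\Users", $env:ProgramData, "$env:SystemRoot\Temp")) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'svchost*.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { $report.Add("Suspect svchost copy: $($_.FullName)") }
}

# Step 8 (date search) and step 17: executables written since $SinceTime in
# each profile's AppData\Local, Roaming and LocalLow.
$execExt = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js'
foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Local', 'Roaming', 'LocalLow') {
        $dir = Join-Path $profile.FullName "AppData\$sub"
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $SinceTime -and $execExt -contains $_.Extension.ToLower() } |
            ForEach-Object { $report.Add("Recent executable in AppData: $($_.FullName) written $($_.LastWriteTime)") }
    }
}

# Step 9: services whose binary is not under the Windows folder, approximating
# msconfig's "Hide all Microsoft services" view by path.
$winRoot = [regex]::Escape($env:SystemRoot)
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notmatch $winRoot) } |
    ForEach-Object {
        $flag = if (Test-RandomLookingName $_.Name) { ' [random-looking name]' } else { '' }
        $report.Add("Non-Windows service: $($_.Name) ($($_.State)) -> $($_.PathName)$flag")
    }

# Steps 10 and 13: Run / RunOnce autoruns for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSDrive, ...)
        if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $flag = if (Test-RandomLookingName $prop.Name) { ' [random-looking name]' } else { '' }
        $report.Add("Autorun ${key}\$($prop.Name) = $($prop.Value)$flag")
    }
}

# Step 15: under Windows NT\CurrentVersion, the Winlogon Shell value is what
# lock-screen malware commonly replaces; the default is explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $report.Add("Winlogon Shell is '$shell' (expected 'explorer.exe')")
}

if ($report.Count -eq 0) { 'Nothing suspicious found in the checked locations.' } else { $report }
```

Save it as Triage.ps1 and run it from an elevated prompt with powershell -ExecutionPolicy Bypass -File .\Triage.ps1 -SinceTime "2013-01-01 10:00", replacing the date with the time the popup first appeared. Treat the output as a list of things to look at, not a verdict: a legitimate third-party service will show up under "Non-Windows service" too, so cross-check each path against what you know is installed before removing anything in msconfig or regedit.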