Viruses can be tricky. Even if your anti-virus software is kept up-to-date on a daily basis it may not catch the newest threats. What would you do if a virus infected your computer? That depends. Can you run a virus scan? Can you even login? I ran into that problem and came out victorious.
Background: A computer user was surfing the web using Internet Explorer 6 and came upon a website which launched popups saying the computer was infected. The call to action was a “scan now” button promising to remove the infections. The button was clicked which downloaded and installed the Pakes.CPL Trojan horse virus. As you can see from the link, not much information is known about that virus.
Symptoms: After logging in you are immediately logged out.
How to remove the infection:
The first thing I always do when working on someone’s computer is make an image of the hard drive using Acronis True Image Home 11. It comes on a bootable CD which makes imaging the drive very easy. Pop in the CD, boot from it, select “backup”, choose the source and destination drives, and wait. Now that you have a validated backup (Right? Please tell me you validate your backups!), you can dive in and get your hands dirty.
I nabbed the infected hard drive from the machine and hooked it up to my test computer which runs AVG 8 Free anti-virus and is NOT connected to the internet or my local network. During the full anti-virus scan, AVG found the aforementioned virus: Trojan horse Pakes.CPL at location C:\WINDOWS\system32\svchostw.exe. I quarantined the virus.
A few Google searches later and a great tip from a friend led me to an article about userinit.exe. I checked for that file in the system32 folder (where it’s supposed to be) but it was nowhere to be found. Following the steps from that site I was able to restore userinit.exe and copy it to wsaupdater.exe.
Next I took the hard drive out of the test machine and put it back in its regular case. I booted the computer and was able to successfully login. An error message popped up complaining about a missing executable called svchostw.exe. That explains the login/logout problem; the virus was being executed during login which kicked the user back out. I opened the registry using regedit and did a search for svchostw.exe. It came up under a key called Shell and the value was “Explorer.exe svchostw.exe”. So after windows explorer was launched, it tried to execute the virus. I removed “svchostw.exe” from the value and rebooted the computer. I was still able to login successfully and the error message was gone.
To make sure the system was clean, I used SpyBot Search & Destory and Lavasoft AdAware SE to check for malware. All clean. As an extra security precaution, I updated all system components: Windows, Office, Java, Flash, Norton Systemworks, etc. And for good measure I installed Firefox because it’s safer, faster, awesome, etc.
How have you solved virus or malware problems in the past?