How to cure a system from a file virus? How to remove a virus that creates shortcuts to files and folders on a flash drive, memory card or USB drive. How to disinfect files

Using the tips in this article, "How to clean an infected computer", you can remove any type of malware from your computer and return it to working condition.

1. Make sure your computer is really infected

Before you try to remove any infection from your computer, you need to make sure that the computer is actually infected. To do this, refer to the recommendations I give in the article "". If that check indicates that your computer is infected, continue with the steps in the next section. Make sure you do them in the proper sequence.

2. How to clean your computer and make sure it's really clean

Note that experienced users can simply skip to the last part of this section and clean up the computer that way. That is the most effective approach, but it is also one of the most time-consuming. If necessary, you can go straight to that part and then return to the beginning if the infection was not completely removed.

2.1 Cleaning your computer using CCE and TDSSKiller

Download Comodo Cleaning Essentials (CCE) from this page. Make sure you select the version suitable for your operating system. If you are not sure whether your computer is running a 32-bit or 64-bit operating system, see. Also download Kaspersky TDSSKiller from this page. If you are unable to download either of these programs, or if your Internet connection does not work, you will need to download them on another computer and transfer them to the infected one using a flash drive. Make sure there are no other files on the flash drive. Be careful with the flash drive, as malware can infect it when you insert it into the infected computer. Hence, do not connect it to any other computers after transferring these programs. Also, I would like to point out that both programs are portable. This means that once you are done using them, you will not have to uninstall them. Just delete their folders.

Once you have downloaded CCE, unzip the file, open the folder and double-click the file named "CCE". The Comodo Cleaning Essentials main window will open. If it does not open, press and hold the Shift key and double-click the file named "CCE". Once CCE has successfully opened, you can release the Shift key. However, do not release it until the program is completely loaded into memory. If you release it even briefly, for example during the UAC prompt, it will not be able to open correctly even with this forced method. Holding Shift helps it open even on heavily infected computers: it suppresses many unnecessary processes that could prevent it from running. If this still does not get it running, download and run a program called RKill. It can be downloaded from this page. This program stops known malicious processes, so once it has been run, CCE should launch normally.

Once CCE is running, run a Smart Scan and quarantine everything it finds. The program also checks for system changes that may have been made by malware; these are shown in the results. I would advise allowing the program to fix these too. Restart your computer when prompted. After restarting, launch Kaspersky TDSSKiller, scan, and quarantine whatever it finds.

Also, if your Internet connection was not working previously, check whether it is working now. A working Internet connection is required for the further steps in this section.

Once the CCE scan is complete and you are sure your Internet connection is working, open CCE again. Hopefully it will open this time, but if not, open it while holding down the Shift key. Then, from the "Tools" menu in CCE, open KillSwitch. In KillSwitch, in the "View" menu, select the "Hide Safe Processes" option. Then right-click each process that is marked as suspicious or dangerous and select the option to delete it. You should also right-click any unknown processes that remain and select the "Kill Process" option. Do not delete processes marked as FLS.Unknown. Next, in CCE, from the Tools menu, launch Autorun Analyzer and select the "Hide Safe Entries" option from the "View" menu. Then disable any items belonging to files that are flagged as suspicious or dangerous. You can do this by unchecking the boxes next to the items. You should also disable any items that are marked as FLS.Unknown but which you think are likely to be malware. Do not remove any items.

Now restart your computer. After rebooting, check your computer again using the advice I give in the article "". If everything is good, you can move on to the " " section. Remember that disabled registry entries are not dangerous. Also note that even if your computer is clear of active infections, there may still be pieces of malware on it. They are not dangerous, but do not be surprised if scanning with another program still finds malware on your computer. These are the dormant remnants of what you just deleted. If you are not happy with the presence of these remnants on your computer, you can remove the vast majority of them by scanning with the programs mentioned in the next section.

However, if your computer is not yet clear of active infections, but at least one of the programs was able to start, go through the steps in this section again and see whether that removes the infections. If none of the programs were able to start, proceed to the next section. Likewise, if repeating the instructions in this section is still not enough to clean your computer, move on to the next section.

2.2 If your computer is still not clean, scan using HitmanPro, Malwarebytes and Emsisoft Anti-Malware

If the above steps did not completely eliminate the infection, download HitmanPro from this page. Install the program and run a "Default Scan". If it does not install, skip to the next paragraph and install Malwarebytes. When prompted during the HitmanPro installation, I recommend selecting the option to perform a one-time scan of your computer only; this should suit most users. Also, if malware is preventing it from launching correctly, open the program by holding down the CTRL key until it loads into memory. Quarantine any infection it finds. Keep in mind that this program will only be able to remove infections for 30 days after installation. During uninstallation you will be asked to activate your trial license.

Once HitmanPro has removed all detected infections, or if HitmanPro fails to install, download the free version of Malwarebytes from this page. Note that it has Chameleon technology, which should help it install even on heavily infected computers. I advise you to uncheck the "Enable free trial of Malwarebytes Anti-Malware Pro" checkbox during installation. Make sure the program is fully updated and then run a Quick Scan. Quarantine any infection it finds. If any program asks you to restart your computer, be sure to restart it.

Then download Emsisoft Emergency Kit from this page. Once it finishes downloading, extract the contents of the zip file. Then double-click the file named "start" and open "Emergency Kit Scanner". When prompted, allow the program to update its database. Once it is updated, return to the Security menu. Then go to "Verify", select "Quick", and click "Verify". Once the scan is complete, quarantine all detected items. Restart your computer whenever prompted.

After scanning your computer with these programs, you must restart it. Then check your computer again using the tips I give in the article "". If everything is good, you can move on to the " " section. Remember that disabled registry entries are not dangerous. However, if your computer is still not clean, go through the steps in this section again and see whether that removes the infections. If the programs in section 2.1 were previously unable to run correctly, go back and try running them again. If none of the above programs were able to start, boot into Safe Mode with Networking and try scanning from there. However, if they were able to start correctly and the threats still remain even after repeating the advice in this section, move on to the next section.

2.3 If necessary, try these slower methods

If the above measures did not completely remove the infection, there is probably some very persistent malware living on your machine. The methods discussed in this section are much more powerful, but they require more time. The first thing I recommend is to scan your computer with another anti-rootkit scanner called GMER. It can be downloaded from this page. Remove anything that is shaded in red. Be sure to click the Scan button immediately after the program finishes its quick analysis of the system. Additionally, if you are running a 32-bit operating system, download the ZeroAccess rootkit scanner and removal tool. Information about this rootkit and a link to a program for removing it from 32-bit systems can be found here. AntiZeroAccess can be downloaded from the link in the second paragraph.

After scanning with the above programs, the next thing to do is open CCE, go to Settings and select the option "Scan for suspicious MBR modification". Then click "OK". Now perform a full scan in CCE. Reboot when required and quarantine anything found. Note that this option can be relatively dangerous, as it may report problems where there are none. Use it with caution and make sure everything important is already backed up. In rare cases, scanning with this option may render the system unbootable. This rarely happens, but even if it does, it is fixable: if your computer stops starting after this scan, use the Windows installation disc to perform a system recovery. This should get your computer running again.

Once CCE has completely finished, open CCE again while holding down the SHIFT key. This ends most of the unnecessary processes that may be preventing you from scanning. Then open KillSwitch, go to the "View" menu and select "Hide Safe Processes". Now remove all dangerous processes again. Then right-click all the unknown processes that remain and select "Kill Process". Do not delete them. Follow the advice in this paragraph every time you restart your computer, to ensure that the next scans are as effective as possible.

After terminating all processes that were not considered trustworthy, open HitmanPro while holding the CTRL key. Then run a "Default Scan" and quarantine everything it finds. Then run a full scan in Malwarebytes and in Emsisoft Emergency Kit, and quarantine whatever they find. After that, download the free version of SUPERAntiSpyware from this page. Be very careful during installation, as other programs are bundled with the installer. On the first page, make sure to uncheck both options for installing Google Chrome. Then select the "Custom Install" option. During the custom installation, you will have to uncheck the two Google Chrome checkboxes once again.

Apart from this, the program installs without problems. When prompted to start a free trial, I advise you to decline. Once the program is fully loaded, select the Complete Scan option and click the "Scan your Computer..." button. Then click the "Start Complete Scan>" button. Delete any detected files and restart your computer when required.

After completing these steps, you must restart your computer. Then check it again using the advice I give in the article "". If everything is good, you can move on to the " " section. Remember that disabled registry entries are not dangerous. However, if your computer is still not clean, follow the steps in this section again and see whether that eliminates the infection. If not, move on to the next section.

2.4 If necessary, create a boot disk

If the above methods do not completely eliminate the infection, or if you cannot even boot your computer, then in order to clean it you may need a bootable CD (or flash drive), also called a boot disk. I know this may seem like a lot of work, but it is actually not that bad. Just remember that you need to create this disk on a computer that is not infected. Otherwise, the files may be damaged or even infected.

Since this is a boot disk, no malware can hide from it, disable it, or interfere with its operation in any way. Therefore, scanning with several programs from it should let you clean almost any machine, no matter how badly infested it may be. The only exception is when the system files themselves are infected. In that case, removing the infection may harm the system. This is the main reason to back up all your important documents before starting the cleaning process. However, sometimes you can get around this by following the advice I give below.

To do this you must download . This is an excellent program that lets you create a single bootable disk with multiple antivirus programs. It also has many other useful functions, which I will not discuss in this article. Several very useful tutorials for SARDU can be found on this page. Be very careful about the additional offers now included in the installer. Unfortunately, this program now tries to trick people into installing additional programs that are mostly unnecessary.

After downloading it, unzip the contents and open the SARDU folder. Then run the executable that matches your operating system, either sardu or sardu_x64. On the Antivirus tab, click the antivirus applications that you would like to write to the disk you are creating. You can add as many or as few as you see fit. I recommend that you scan your computer with at least Dr.Web LiveCD, Avira Rescue System and Kaspersky Rescue Disk. One of the nice things about Dr.Web is that it sometimes lets you replace an infected file with a clean version of it, instead of simply deleting it. This helps you clean some computers without harming the system, so I highly recommend including Dr.Web on your boot disk.

Clicking the names of the various antivirus applications will often take you to a page from which you can download an ISO image of the corresponding antivirus. Sometimes you will be given the option to download it directly through SARDU instead, which can be found under the Downloader tab. If given a choice, always select the ISO download option. After downloading the ISO file, you may need to move it to the ISO folder located in the main SARDU folder. Once you have moved the ISO images of all the antivirus products you need into the ISO folder, you are ready to create the rescue boot disk. To do this, go to the Antivirus tab and make sure that all the antiviruses you have selected are checked. Now click the button to create either a USB device or a disk. Either option is acceptable; it just depends on whether you want to run the rescue disk from USB or from CD.

After creating the rescue disk, you will likely need to change the boot sequence in your BIOS settings so that when you insert the bootable CD or bootable flash drive, the computer boots from it rather than from the operating system as usual. For our purposes, rearrange the order so that "CD/DVD Rom drive" comes first if you want to boot from a CD or DVD, or "Removable Devices" if you want to boot from the flash drive. Once this is done, boot your computer from the rescue disk.

After booting from the disk, you can choose which antivirus to start scanning your computer with. As I mentioned earlier, I recommend starting with Dr.Web. When this program has finished and you have restored or deleted everything it found, turn off your computer. Then boot from the disk again and continue scanning with the other antiviruses. Continue this process until you have scanned your computer with all the antivirus programs you included on the boot disk.

After cleaning your computer with the programs you burned to the disk, try starting Windows again. If the computer is able to start Windows, check it using the instructions I give in the article "". If everything is fine, you can move on to the " " section. Remember that disabled registry entries cannot pose a risk.

If your computer has not yet been cleaned but can boot into Windows, I advise you to try cleaning it from within Windows, starting at the beginning of this article and following the methods suggested. However, if your computer still cannot boot into Windows, try again to repair it using the Windows installation disk. This should get your computer starting again. If even this does not make it bootable, try adding more antiviruses to the rescue boot disk and rescan the computer. If that still does not help, read.

3. What to do if the above methods did not help clean your computer

If you have followed all of the above steps and are still unable to clean your computer, but you are convinced that malware is causing the problems, we would be very grateful if you left a comment explaining what you tried in order to clean your computer and what signs remain that make you think it is still not clean. This is very important for improving this article. I really hope no one ever gets to this section; this article is intended to give you the means to completely clean your infected computer.

You can also seek advice from a specialized forum dedicated to malware removal. A very useful forum, which is our partner -. However, if even after seeking help from a malware removal forum your computer is still not free of malware, you may need to format your computer and start over. This means you will lose anything you did not copy ahead of time. If you do this, be sure to do a full format of your computer before reinstalling Windows. This destroys almost any type of malware. Once Windows is reinstalled, follow the steps in .

4. What to do after all malware has finally been removed

Once you have made sure your computer is clean, you can try to recover anything you lost. You can use the Windows Repair (All In One) utility, an all-in-one tool that fixes a large number of known Windows problems, including registry errors, file permissions, Internet Explorer, Windows Update and Windows Firewall. If your computer is working normally after completing all the procedures, you can also open Comodo Autorun Analyzer and select the option to remove the registry items that you previously only disabled, so that they are no longer on your computer at all.

Once you have safely removed all infections from your computer and eliminated any remaining damage, you must take steps to ensure that this does not happen again. For this reason, I have written a guide, How to Stay Safe Online (coming soon to our website). Please read it afterwards and implement the methods that best suit your needs.

After securing your computer, you can restore any files lost during the cleanup process from your backup. Hopefully you will not have to do this. Before restoring them, make sure that your computer is very well protected; if it is not protected sufficiently, you may accidentally reinfect it and have to clean it again. Additionally, if you used a USB drive to move any files to the infected computer, you can now insert it back into the computer and make sure there is no malware on it. I recommend doing this by deleting any files remaining on it.


Unzip it and burn it to a CD or DVD; you can also write it to a flash drive if the manufacturer provides a write-protect (read-only) mode. Otherwise, an active virus will damage the utility before it even starts. Do a full scan of the infected computer in Safe Mode, then in normal mode.

This method may not work if the Dr.Web signature databases do not yet contain the modification of the malware that has infected your computer. Send several infected files to the Dr.Web analysts* and within 24 hours CureIt! will be "taught" how to treat the virus; the utility will then have to be downloaded again on a known "healthy" computer.

2) This method assumes the presence of a "healthy" computer with Dr.Web or Kaspersky antivirus installed; both focus on signature detection, which is the most effective way to combat classic viruses. For this, you must have the latest anti-virus databases. Connect the hard drive (HDD) of the "infected" computer to the clean machine and conduct a full scan. After the scan/treatment, the hard drive is returned to its place.

This method does not guarantee a positive result. Your antivirus may not know this modification of the virus, in which case there is a risk of infecting the "clean machine" (if you run programs and files from the connected hard drive). In that case, send the infected file to the vendor* and detection will be added in the near future. A warranty on one of the computers, or not knowing how to remove a hard drive, will force you to abandon this method entirely. In that case, contact your nearest service center (if there is a warranty, go to the warranty service center).

P.S. When treating a file virus by the second method, i.e. connecting the hard drive to a clean machine, be very careful, because you can infect the clean machine. If you are not confident in your abilities, it is better not to try.

Links where you can send files for analysis
Drweb

Another fairly effective technique is to use a LiveCD compiled specifically to clean your computer of malware that is difficult to destroy by conventional means.

1. In our case (a file virus infection) use Dr.Web LiveCD; it allows you to restore the functionality of a system affected by malware. This LiveCD build will not only clean your computer of infected and suspicious files, but will also try to disinfect infected objects.

The Dr.Web LiveCD build includes the following applications:
1. Dr.Web® Scanner for Linux;
2. Firefox browser;
3. Midnight Commander file manager;
4. A terminal for working with the command line from within the graphical shell;
5. Leafpad text editor.
More detailed information is in the documentation.

2. If it is not possible to use a DVD/CD drive, Dr.Web® LiveUSB will come in handy. This is a utility that creates a bootable flash drive with a portable Linux-based operating system and built-in software for disinfecting your computer (the Dr.Web LiveUSB anti-virus solution), working with the file system, viewing and editing text files, browsing the web and handling e-mail. Using the bootable flash drive, you can restore the system in cases where, due to virus activity, the computer cannot be booted from the hard drive in the usual way.

Dr.Web® LiveUSB comes as an executable file drwebliveusb.exe.

3. You can also use Avira AntiVir Rescue System, a Linux application that gives you access to a computer that cannot boot. This allows you to:

  • restore a damaged system,
  • save data,
  • scan the system for viruses.
If you have an old installation file, you will have to download it again, because Avira AntiVir Rescue System is updated several times a day.

Do not forget that the installation file (rescuecd.exe, approximately 60 MB) must be downloaded and run on a known healthy computer.

4. Or you can use Kaspersky Rescue Disk 10, which is built on the Linux kernel and supplied as an .iso file that includes:
  • Linux system and configuration files;

  • a set of utilities for diagnosing the operating system;
  • a set of auxiliary utilities (file manager, etc.);
  • Kaspersky Rescue Disk files;
  • files containing anti-virus databases.
If you have one of the LC 2010 line products installed, then the image can be kept up to date.

5. Another treatment option is Live CD Vba32 Rescue, which contains:

  • Console scanner for *UNIX (VBA32.L)
  • Midnight Commander file manager
Key product features:
  • Scanning your PC for malicious objects;
  • Creating system scan reports for subsequent contact with technical support;
  • Performing basic operations with files located on the user's computer (renaming, copying, moving, etc.).
Download LiveCD Vba32 Rescue

Good luck with your treatment.

A virus can get onto a computer from the Internet or from another computer via removable media. To find and cure it, use special software.

Instructions

  • If you do not have an antivirus program installed on your computer, install one. It is needed not only to cure the infected file, but also to prevent viruses from entering your PC in the future.
  • Double-click the antivirus icon in the notification area on the taskbar to open the control panel. Select the “Check” section in the menu and click on the “Check system” button (“Scan”, “Check”).
  • Specify the area on your computer that you want to scan for viruses and wait until the operation is completed. The program will identify infected files and quarantine them, notifying you about this.
  • Through the control panel, open the “Quarantine” folder and left-click the file with the virus. On the toolbar or in the top menu bar, find the “Clean file” button (command) and click on it. In cases where it is impossible to cure a file infected with a virus, there is only one available action - “Delete”.
  • If you do not need to scan several folders or drives, try the following option: move the cursor to the suspicious file and right-click on it. In the drop-down menu, select the item with the image of the branded icon of your antivirus and the “Scan file” command.
  • After scanning, the antivirus will offer you several options: disinfect the file, delete it, or quarantine it (that is, isolate it). Select the action that suits your case by clicking on the appropriate button.
  • In any case, remember that it is better to prevent virus-infected files from entering your computer than to deal with them later. Besides the antivirus program, install a firewall and scan the system from time to time using "one-time" utilities, for example Dr.Web CureIt!®
  • If a text message appears on your computer saying that your files are encrypted, do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, * [email protected] _XO101, etc. The files cannot be opened: a key is required, which can supposedly be purchased by writing to the address given in the message.

    Where did you get the encrypted files from?

    The computer caught a virus that blocked access to the information. Antivirus programs often miss these, because such a program is usually based on some harmless free encryption utility. You will remove the virus itself quickly enough, but serious problems may arise with decrypting the information.

    Technical support at Kaspersky Lab, Dr.Web and other well-known anti-virus companies, in response to user requests to decrypt data, reports that this cannot be done in an acceptable time. There are several programs that can recover the key, but they only work with previously studied viruses. If you encounter a new modification, the chances of restoring access to the information are extremely low.

    How does a ransomware virus get onto a computer?

    In 90% of cases, users themselves activate the virus on their computer by opening unknown e-mails. A message arrives with a provocative subject, such as "Subpoena", "Loan debt" or "Notification from the tax office". Inside the fake letter there is an attachment; once it is downloaded, the ransomware gets onto the computer and begins to gradually block access to the files.

    Encryption does not happen instantly, so users have time to remove the virus before all the information is encrypted. You can destroy the malicious script with cleaning utilities such as Dr.Web CureIt, Kaspersky Internet Security and Malwarebytes Anti-Malware.
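Because encryption is gradual, the first question during cleanup is how far it has got. The following PowerShell script is an added example, not part of the original article: it inventories files carrying the ransomware extensions named above (*.vault, *.xtbl) and reports the earliest and latest write times, which bound when the encryption started and whether it is still running. The folder `$Root` and the `$Markers` list are assumptions; extend the list for other families.

```powershell
# Added example, not from the original article: inventory files carrying the
# ransomware extensions named in the text (*.vault, *.xtbl) and report how far
# the encryption has progressed. Assumptions: $Root is the folder to examine
# and $Markers is the list of extensions to look for (extend it as needed).
param(
    [string]$Root = $env:USERPROFILE,
    [string[]]$Markers = @('.vault', '.xtbl')
)

# Collect every file under $Root whose extension matches one of the markers.
# -Force includes hidden files; unreadable folders are skipped, not fatal.
$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $Markers -contains $_.Extension }

if (-not $hits) {
    Write-Output "No files with ransomware extensions found under $Root"
    return
}

# Count per extension: shows which family marker is present and how widely.
$hits | Group-Object Extension | ForEach-Object {
    Write-Output ("{0,-8} {1,6} files" -f $_.Name, $_.Count)
}

# Earliest and latest LastWriteTime bound when encryption started; if the
# "latest" time keeps moving on repeated runs, the process is still alive.
$sorted = $hits | Sort-Object LastWriteTime
$first  = $sorted | Select-Object -First 1
$last   = $sorted | Select-Object -Last 1
Write-Output "Earliest encrypted file: $($first.LastWriteTime)  $($first.FullName)"
Write-Output "Latest encrypted file:   $($last.LastWriteTime)  $($last.FullName)"

# Folders touched, most affected first, so you know which data to prioritise
# when checking shadow copies or backups.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it as `.\encryption-scope.ps1 -Root 'D:\Data'` after the malicious process has been stopped; running it twice a few minutes apart tells you whether encryption has actually halted.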

    File recovery methods

    If System Protection was enabled on your computer, then even after a ransomware virus has run there is a chance to return files to their normal state using shadow copies. Ransomware usually tries to remove them, but sometimes fails to do so for lack of administrator rights.

    Restoring a previous version:

    In order for previous versions to be saved, you need to enable system protection.

    Important: system protection must be enabled before the ransomware appears, after which it will no longer help.

    1. Open Computer properties.
    2. From the menu on the left, select System Protection.
    3. Select drive C and click "Configure".
    4. Select restoring system settings and previous versions of files. Apply the changes by clicking "OK".

    If you took these steps before a file-encrypting virus appeared, then after cleaning the malicious code from your computer you will have a good chance of recovering your information.
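The same System Protection steps can be done from an elevated Windows PowerShell prompt, which also lets you check whether any shadow copies survived the infection. The script below is an added example and not part of the original article; it assumes protection is wanted on drive C: and uses a hypothetical document path to show a recovery from the newest snapshot.

```powershell
# Added example, not from the original article: enable System Protection on C:,
# create a restore point, list the shadow copies still present, and copy one
# file out of the newest snapshot. Run in an elevated Windows PowerShell prompt.
# Assumptions: drive C: holds the data; $Wanted is a hypothetical file path.

# 1. Enable System Protection for C: (same effect as Computer properties >
#    System Protection > Configure in the steps above).
Enable-ComputerRestore -Drive 'C:\'

# 2. Create a restore point now so at least one snapshot exists.
#    Checkpoint-Computer creates at most one restore point per 24 hours.
Checkpoint-Computer -Description 'Baseline before incident' -RestorePointType 'MODIFY_SETTINGS'

# 3. List existing shadow copies. After an infection, an empty list usually
#    means the ransomware had enough rights to delete them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Select-Object ID, VolumeName, DeviceObject, InstallDate | Format-Table -AutoSize

# 4. Recover a file from the most recent snapshot. The snapshot is exposed as a
#    device path, so link it to a folder first, then copy from that folder.
$Wanted = 'Users\alice\Documents\report.docx'   # hypothetical path, relative to the volume root
if ($shadows) {
    $latest = $shadows | Select-Object -Last 1
    $view   = 'C:\ShadowView'
    if (-not (Test-Path $view)) {
        # mklink needs the trailing backslash on the device path
        cmd /c mklink /d $view "$($latest.DeviceObject)\" | Out-Null
    }
    $source = Join-Path $view $Wanted
    if (Test-Path $source) {
        New-Item -ItemType Directory -Path 'C:\Recovered' -Force | Out-Null
        Copy-Item $source 'C:\Recovered\'
        Write-Output "Recovered $Wanted from snapshot taken $($latest.InstallDate)"
    } else {
        Write-Output "$Wanted is not present in the snapshot from $($latest.InstallDate)"
    }
    # When finished, remove the link (not the data) with:  cmd /c rmdir $view
}
```

Copy recovered files to a location that was not touched by the ransomware, and only after the malicious process has been removed, otherwise the restored copies will simply be encrypted again.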

    Using special utilities

    Kaspersky Lab has prepared several utilities to help open encrypted files after the virus has been removed. The first decryptor you should try is Kaspersky RectorDecryptor.

    1. Download the program from the official Kaspersky Lab website.
    2. Run the utility and click "Start scan". Specify the path to any encrypted file.

    If the malicious program has not changed the files' extensions, then to decrypt them you need to collect them in a separate folder. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

    The latest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet very widespread on the RuNet but may soon replace other Trojans.

    Infection when visiting sites from mobile devices

    Some sites on the Internet have been hacked by attackers targeting mobile device users. Visiting such a site from a computer takes you to a harmless web resource, but accessing it from a smartphone secretly redirects you to a site with an unpleasant "surprise". Using hacked websites, attackers can distribute various malware, the most "popular" of which are various modifications. The victim's losses depend on which family of Trojans infiltrates the mobile device, i.e. on its malicious payload. Read more about this phenomenon in our news.


    Using the Dr.Web online file scanner, you can check files you are suspicious of for viruses and malware, free of charge.

    You send your files using your browser; they are uploaded to our server, checked by the latest version of Dr.Web with a full set of virus database add-ons, and you receive the scan result.

    How to scan a file or several files with Dr.Web Anti-virus online?

    • To check one file: click the "Browse..." button and select the suspicious file. Click the "Check" button to start scanning.
    • The maximum file size is 10 MB.
    • To check multiple files: place the files in an archive (WinZip, WinRar or ARJ format) and upload this archive by clicking the "Browse" button, then click the "Check" button. The scan report will include an entry for each file in the archive.

    IMPORTANT! The Dr.Web anti-virus scanner will tell you whether the file(s) you submitted for scanning are infected, but it will not answer the question of whether your computer is infected. For a full check of your hard drives and system memory, use our free CureIt! disinfection utility.

    You can also check your local network using the centrally managed network utility Dr.Web CureNet!
