TroyGrosfield.com

How to Find and Remove a Computer Virus

by Troy Grosfield
February 27th, 2011
Category: Developer

For the first time in about 10 years my computer has been infected with a virus.  My first thought was “shit!”.  My second thought was “interesting”.  My third thought was “sounds like a challenge”.  So I set off to find ways to cure my computer of this virus.

How I think I got the computer virus

I was searching through a forum while programming one night.  I followed a link to another site that claimed to have an answer.  The page immediately prompted me to run Java.  I said no, but noticed that the Java ran on the page anyway.  I closed my browser, thinking the site was malicious, and I seem to have been right: when I opened my browser back up I would randomly be redirected to other spam sites.

Symptoms

When I rebooted my computer I started noticing a huge lag between logging in and the icons or Explorer being displayed on the screen.  Then I started seeing this message pop up every time my computer loaded:

Error loading itelijos.dll

(This is the message rundll32.exe typically shows when a startup entry, for example a Run key in the registry or a scheduled task, points at a DLL that is no longer on disk.  Sysinternals Autoruns is the quickest way to find which entry references the DLL.)

After a few more sessions on my computer my Windows theme would suddenly revert to Windows Classic and I would get this message:

Host Process for Windows Services stopped working and was closed

("Host Process for Windows Services" is svchost.exe.  The theme drops back to Classic because the Themes service runs inside one of those svchost.exe instances and dies along with it.)

After a few more reboots I would sporadically not see any icons after logging in.  There would just be a blank black screen with my mouse.

I searched around on the internet for a bit to see if anyone else had the symptoms I was having.  I found a few posts describing similar virus traits, but nothing quite like what I was seeing.

I decided to download Norton Antivirus to see if it could cure my problems.  It found a few things, such as corrupt media files, but still didn't solve my problem.  So I decided to dig a little deeper.

When my computer screen stayed completely black and didn't load any icons, one of the only things I could do was hit Ctrl + Alt + Delete to get to the security screen and Task Manager.  So I attempted to switch user accounts and go to the other account I have on my computer.  I logged out of the admin account and logged into the other account.  I ran a virus scan there and it didn't really pick up anything relevant.

I tried logging back into my main admin user account.  The icons loaded quicker and I was no longer seeing the issues I had seen before.  This was interesting, so I decided to get a printout of all the processes running on my computer while the symptoms were showing, and another after switching accounts and logging back in when the symptoms were gone, so I could compare the two.  This can be done with the following Windows command:

C:\>TASKLIST /V /FO CSV
  • TASKLIST – shows all running processes on your computer.
  • /V – displays verbose task information (user name, CPU time, window title).
  • /FO – the output format you wish to see the data in. You can also set this value to LIST or TABLE.

This is a sample of the output you would receive if /FO were set to LIST:

Image Name:   firefox.exe
PID:          5412
Session Name: Console
Session#:     5
Mem Usage:    213,116 K
Status:       Running
User Name:    TJGDesktopHome\Troy Grosfield
CPU Time:     0:01:48
Window Title: Troy Grosfield - WordPress - Mozilla Firefox

I chose CSV so I could sort through the output and compare processes by name.  However, it didn't seem to be a running process that was causing the issues either.  (If a symptom names a specific DLL, as the error message above did, TASKLIST /M itelijos.dll lists the processes that have that DLL loaded, which is a faster check than a full comparison.)
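The comparison described above, as an added example that is not part of the original post: two constructed snapshots in the shape of TASKLIST /V /FO CSV output (one "symptomatic", one "clean") are parsed with Python's csv module and diffed by image name. Beyond the plain name comparison the post describes, it also reports images whose instance count changed (an extra svchost.exe is a classic hiding place) and anything the symptomatic snapshot marks as Not Responding. The process names, PIDs and memory figures below are made up for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample output in the shape of `TASKLIST /V /FO CSV` (not captured from the
# author's machine). SYMPTOMATIC was "taken" while the problem was visible, CLEAN after
# switching accounts and logging back in.
SYMPTOMATIC_SNAPSHOT = r'''
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","9,244 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","900","Services","0","18,512 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:07","N/A"
"svchost.exe","1056","Console","1","6,120 K","Running","TJGDesktopHome\Troy Grosfield","0:00:01","N/A"
"explorer.exe","3120","Console","1","41,880 K","Not Responding","TJGDesktopHome\Troy Grosfield","0:00:12","N/A"
"firefox.exe","5412","Console","1","213,116 K","Running","TJGDesktopHome\Troy Grosfield","0:01:48","Troy Grosfield - WordPress - Mozilla Firefox"
"rundll32.exe","4488","Console","1","3,004 K","Running","TJGDesktopHome\Troy Grosfield","0:00:00","N/A"
'''

CLEAN_SNAPSHOT = r'''
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","9,180 K","Unknown","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"svchost.exe","900","Services","0","18,400 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:05","N/A"
"explorer.exe","3310","Console","1","39,020 K","Running","TJGDesktopHome\Troy Grosfield","0:00:04","N/A"
"firefox.exe","5600","Console","1","180,004 K","Running","TJGDesktopHome\Troy Grosfield","0:00:21","Mozilla Firefox"
'''


def parse_tasklist_csv(text):
    """Parse TASKLIST /V /FO CSV output into a list of dicts keyed by the header row.
    The csv module handles the quoted fields, including "9,244 K" with its comma."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def _image(row):
    # Image names are case-insensitive on Windows; normalise before comparing.
    return row["Image Name"].lower()


def diff_snapshots(symptomatic, clean):
    """Compare two parsed snapshots by image name.

    Returns images present only while the symptoms show, images that disappeared,
    images whose instance count changed (symptomatic_count, clean_count), and the
    processes the symptomatic snapshot reports as not responding."""
    sym_counts = Counter(_image(r) for r in symptomatic)
    clean_counts = Counter(_image(r) for r in clean)
    return {
        "only_when_symptomatic": sorted(set(sym_counts) - set(clean_counts)),
        "only_when_clean": sorted(set(clean_counts) - set(sym_counts)),
        "count_changes": {
            name: (sym_counts[name], clean_counts[name])
            for name in sorted(set(sym_counts) & set(clean_counts))
            if sym_counts[name] != clean_counts[name]
        },
        "not_responding": sorted(
            _image(r) for r in symptomatic if r["Status"] == "Not Responding"
        ),
    }


if __name__ == "__main__":
    # On a real machine you would read the two files you saved with
    #   TASKLIST /V /FO CSV > symptomatic.csv   and   TASKLIST /V /FO CSV > clean.csv
    report = diff_snapshots(parse_tasklist_csv(SYMPTOMATIC_SNAPSHOT),
                            parse_tasklist_csv(CLEAN_SNAPSHOT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Only "only_when_symptomatic" and "count_changes" point at something worth chasing; a rundll32.exe or an extra svchost.exe with no window title is where you would next run TASKLIST /M or look at the command line in Process Explorer. A name that appears in both lists proves nothing, which is the limitation the post ran into.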

The virus was affecting every browser, which ruled out a browser plugin that might have been downloaded.  Even when I started my computer in Safe Mode with Networking I was still seeing the issue.

It wasn't until I looked at my Windows hosts file that I noticed some fishy behavior.  The hosts file (%SystemRoot%\System32\drivers\etc\hosts) lets you map hostnames to IP addresses locally, and Windows consults it before asking DNS; I use this for local development at times.  When I opened the file I was confronted with values I had never added.  The following lines were appended to the bottom of the file (NOTE: DO NOT GO TO THESE SITES! THEY LIKELY SERVE MALWARE):

127.0.0.1 www.8minutedating.com
127.0.0.1 whysohardx.com
127.0.0.1 protectyourpc-11.com
127.0.0.1 checkserverstatux.com
127.0.0.1 xinmin.cn
127.0.0.1 xy95.cn
127.0.0.1 koralda.com
127.0.0.1 weirden.com
127.0.0.1 nanocloudcontroller.com

These are some of the sites I was randomly being redirected to.  I removed these lines from the hosts file, rebooted my computer and checked whether the file had been changed again; it had, and all the sites listed above were back in the hosts file.  So I set the hosts file to read-only, which stopped it from being maliciously modified.  Two caveats are worth knowing here: a hosts entry that maps a name to 127.0.0.1 stops the machine from reaching that site rather than sending you to it, so whatever kept re-adding these lines (and causing the redirects) was still running; and the read-only attribute is only a speed bump, because any process running with administrative rights can clear the attribute and rewrite the file.
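A small hosts-file audit, added here as an example and not part of the original post. It parses a constructed hosts file containing the Windows default comment header, a few legitimate entries, the nine lines the post reports finding, and one made-up line that points a public hostname at a TEST-NET address; every mapping not in a baseline you supply is reported with its line number and whether it sinkholes the name (loopback or 0.0.0.0, so the site becomes unreachable) or redirects it (any other address, so traffic for that name goes somewhere else). The baseline entries and the www.bank.example line are assumptions for the example.

```python
import ipaddress

# Constructed sample hosts file (not the author's actual file). Lines 6-14 reproduce the
# entries the post lists; line 15 is a made-up "redirect" case using a TEST-NET-3 address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost   # IPv6 loopback
127.0.0.1       mysite.local
127.0.0.1 www.8minutedating.com
127.0.0.1 whysohardx.com
127.0.0.1 protectyourpc-11.com
127.0.0.1 checkserverstatux.com
127.0.0.1 xinmin.cn
127.0.0.1 xy95.cn
127.0.0.1 koralda.com
127.0.0.1 weirden.com
127.0.0.1 nanocloudcontroller.com
203.0.113.5 www.bank.example
"""

# Mappings you know you put there yourself (assumed for the example). Windows resolves
# "localhost" without the hosts file, but older default files still list it, so allow it.
BASELINE = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
    ("127.0.0.1", "mysite.local"),
}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping, ignoring comments and blank lines.
    One line may list several hostnames after the address; each becomes its own tuple."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()              # whitespace may be spaces or tabs
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def classify(ip):
    """'sinkhole' if the name is pointed at loopback/unspecified (site unreachable),
    'redirect' if it is pointed anywhere else, 'malformed' if the address does not parse."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def audit_hosts(text, baseline=BASELINE):
    """List every mapping that is not in the baseline, with line number and classification."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if (ip, host) in baseline:
            continue
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": classify(ip)})
    return findings


if __name__ == "__main__":
    # On Windows you would pass the real file instead:
    #   audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['kind']:<9} {f['ip']:<15} {f['host']}")
```

Sinkhole entries for a list of unrelated public sites are what malware uses to keep you away from competing scareware or from security vendors; a redirect entry for a site you log in to is the more dangerous case, because the name still looks right in the address bar. After cleaning the file, `attrib +r` on the hosts path sets the read-only attribute the post describes, with the same limitation noted above: anything running as administrator can clear it again.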

Solution

My solution, oddly enough, came when I set my computer up to dual boot.  When I repartitioned my C drive, it magically seemed to fix all my problems.  I also hadn't been receiving Windows updates, and after repartitioning I was once again able to receive them.  This was all a little anticlimactic as a solution because it didn't really address the root issue, and I wouldn't expect someone to partition a disk just to remove a computer virus.  However, no more virus for me!  For an infection that survives Safe Mode and rewrites system files on every boot, the dependable fix is the same thing done on purpose: back up your data, wipe the disk, reinstall Windows from known-good media, and scan the backup before restoring it.


3 Comments

  1. Kenneth Ellman, August 16th, 2012 at 1:25 am

    I am interested in the subject. I have also used partitions as a last ditch effort to save/access documents on a hard drive and bypass the malicious program. Anyone with similar problems or information is requested to email me with their comments or solutions. Thank you. My email address is: ke@kennethellman.com Kenneth Ellman, Box 18, Newton, NJ 07860

  2. Kenneth Ellman, March 20th, 2012 at 2:48 am

    I enjoyed reading this. Thank you for this post.
    Partitioning the C drive does normally provide an "escape" from this problem. I have done that also. But it would be better to delete the malicious file or program if we can figure out how to do that.
    Thanks again for this interesting post.

  3. De Anna Nordland, September 12th, 2011 at 9:47 pm

    This is some really good information. I think that this information can really help people clean up their computers and be aware of viruses that are on their computer.