As the volume of malware programs has grown extremely fast in recent years, it is difficult for antivirus programs to keep up with them. This happens because every antivirus program must first update its database with the new virus signature before it can disinfect an infected system or prevent a system from being infected.
Apart from that, another problem has appeared in the last year: ransomware that, once it infects a computer, prevents the user from using it in all Windows modes (Normal, Safe Mode, Safe Mode with Networking); as a result, the user cannot disinfect the PC. A well-known example of this type of ransomware is the FBI Moneypack Virus (also called the FBI Virus or Police Virus). For all these reasons, I decided to write a removal guide to disinfect your computer from almost any malicious program (virus, Trojan, rootkit, etc.) or ransomware program that prevents you from using your computer.
To clean your infected system, you first need a clean bootable CD (or USB) image so that you can start your computer in a clean environment and then disinfect it from malware. For that reason, this guide uses the Hiren's BootCD media, because it contains a clean bootable image integrated with several free anti-malware and cleaning utilities that help you disinfect your computer from any malware.
In this tutorial you can find instructions on how to use Hiren's BootCD to disinfect an infected computer system.
How to disinfect an infected computer using Hiren's BootCD.
Step 1. Download Hiren’s BootCD
1. Download Hiren’s BootCD to your computer.*
* Hiren’s BootCD official download page: http://www.hirensbootcd.org/download/
(Scroll the page down and click on “Hirens.BootCD.15.2.zip”.)
2. When the download is complete, right-click on the “Hirens.BootCD.15.2.zip” file to extract it.
Step 2. Burn Hirens BootCD onto an optical disc.
Note: If your computer has no CD/DVD drive (e.g. if you own a netbook), follow this guide instead: How to put Hirens BootCD onto a USB stick.
1. In the “Hirens.BootCD.15.2” folder, find the “Hiren's.BootCD.15.2.ISO” disc image file and burn it to a CD.
Step 3. Boot the infected computer with Hirens.BootCD.
1. First, make sure that your DVD/CD-ROM drive is selected as the first boot device in the BIOS (CMOS) Setup. To do that:
- Power On your computer and press "DEL" or "F1" or "F2" or "F10" to enter BIOS (CMOS) setup utility.
(The way to enter into BIOS Settings depends on the computer manufacturer).
- Inside BIOS menu, find the "Boot Order" setting.
(This setting is commonly found inside "Advanced BIOS Features" menu).
- At “Boot Order” setting, set the CD-ROM drive as first boot device.
- Save and exit from BIOS settings.
2. Insert the Hirens BootCD into the infected computer's CD/DVD drive and boot from it.
3. When the “Hiren’s BootCD” menu appears on your screen, use the arrow keys to highlight the “Mini Windows Xp” option and then press ENTER.
Step 4. Delete Temporary files.
In this step we proceed to delete all contents from infected system’s temporary folders: “Temp” & “Temporary Internet Files”.
* Note: “Temp” & “Temporary Internet files” folders are created and used by Windows to store temporary files that are created by Windows services or other software programs (e.g. “Internet Explorer”). These folders are also used by malware programs (viruses, Trojans, adware, rootkits, etc.) to store and execute their malicious files. So, when we delete the contents of these folders, we remove all scrap files and also all potentially malicious files, without affecting computer operation at all!
First, let's find out the main local disk's drive letter. The main local disk is the disk where Windows is installed. To do that:
1. From the “Mini Windows XP” desktop, double-click the Windows Explorer icon.
When Windows Explorer opens, you should see all the drives installed on your system. The list includes the Hirens BootCD drives (“RamDrive”, “HBCD 15.2” & “Mini Xp”) and your local disk drive (or drives).
For example in a Windows XP based system with one hard disk installed on it, you should see the following drives:
- (B:) RamDrive
- (C:) Local Disk
- (D:) HBCD 15.2
- (X:) Mini Xp
2. In the above example the main local disk is marked with the letter “C”. If more than one “Local Disk” is listed on your computer, explore the contents of each “Local Disk” until you find the “Local Disk (Drive Letter)” on which Windows is installed.
3. Once you know the main local disk's drive letter, navigate to the following locations and delete all contents found inside the “TEMP” and “Temporary Internet Files” folders.
Windows XP
C:\Documents and Settings\<USERNAME>\Local Settings\Temp\
C:\Documents and Settings\<USERNAME>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\Default User\Local Settings\Temp\
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\
Windows 8, 7 & Vista
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\
4. Also clear the contents of the “Temp” & “Temporary Internet Files” folders of any other user who uses the infected computer.
5. Close Windows Explorer.
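The manual clean-up in this step can be scripted so that every profile on the infected disk is covered and so that you get a listing of what would be deleted before anything is actually removed (useful if you want to keep a copy of a suspicious file for later analysis). The script below is an added example and is not part of the original guide or of Hiren's BootCD. It assumes the infected volume is reachable under a root path you pass in (for instance "C:\" from Mini Windows XP, or a mount point on a Linux rescue system), that profiles follow the standard Windows XP ("Documents and Settings") and Vista/7/8 ("Users") layouts, and it adds the standard Vista+ per-user Temp location (AppData\Local\Temp), which the guide's path list does not mention. The sample volume it builds for its own demonstration is constructed and contains only harmless placeholder files.

```python
"""Clear Temp / Temporary Internet Files for every profile on an offline Windows volume.
Added example, not the guide's own code. Default is a dry run that only lists entries."""
import os
import shutil
import tempfile

# Profile-relative temp locations for the two layouts the guide covers.
# Windows XP keeps profiles under "Documents and Settings".
XP_PROFILE_ROOT = "Documents and Settings"
XP_TEMP_DIRS = [
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
]
# Windows Vista/7/8 keep profiles under "Users". The AppData\Local\Temp entry is the
# standard Vista+ location; it is an assumption added here, not taken from the guide.
VISTA_PROFILE_ROOT = "Users"
VISTA_TEMP_DIRS = [
    os.path.join("AppData", "Local", "Temp"),
    os.path.join("AppData", "Local", "Microsoft", "Windows", "Temporary Internet Files"),
]


def find_temp_dirs(volume_root):
    """Return every existing Temp / Temporary Internet Files folder of every profile."""
    found = []
    for profile_root, rel_dirs in ((XP_PROFILE_ROOT, XP_TEMP_DIRS),
                                   (VISTA_PROFILE_ROOT, VISTA_TEMP_DIRS)):
        base = os.path.join(volume_root, profile_root)
        if not os.path.isdir(base):
            continue
        for profile in sorted(os.listdir(base)):      # includes "Default User" / "Default"
            for rel in rel_dirs:
                path = os.path.join(base, profile, rel)
                if os.path.isdir(path):
                    found.append(path)
    return found


def clear_dir_contents(path, dry_run=True):
    """Delete everything inside `path` but keep the folder itself; return the entries touched."""
    touched = []
    for name in os.listdir(path):
        entry = os.path.join(path, name)
        touched.append(entry)
        if dry_run:
            continue
        # Check for a link first: isfile() follows links, and we must not follow
        # a link out of the temp folder into the rest of the disk.
        if os.path.islink(entry) or os.path.isfile(entry):
            os.remove(entry)
        else:
            shutil.rmtree(entry, ignore_errors=True)
    return touched


def clean_volume(volume_root, dry_run=True):
    """Map each temp folder on the volume to the entries that were (or would be) deleted."""
    return {d: clear_dir_contents(d, dry_run=dry_run) for d in find_temp_dirs(volume_root)}


def build_sample_volume(root):
    """Create a constructed sample volume (XP and Vista+ profiles) with harmless junk files."""
    xp_profile = os.path.join(root, XP_PROFILE_ROOT, "John", "Local Settings")
    vista_profile = os.path.join(root, VISTA_PROFILE_ROOT, "Alice", "AppData", "Local")
    samples = [
        os.path.join(xp_profile, "Temp", "setup.tmp"),
        os.path.join(xp_profile, "Temporary Internet Files", "Content.IE5", "index.dat"),
        os.path.join(vista_profile, "Temp", "install.log"),
        os.path.join(vista_profile, "Microsoft", "Windows", "Temporary Internet Files", "page.htm"),
    ]
    for path in samples:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return samples


def demo():
    """Dry-run and then really clean a constructed sample volume; return a summary dict."""
    root = tempfile.mkdtemp(prefix="fake_volume_")
    build_sample_volume(root)
    dirs = find_temp_dirs(root)
    planned = clean_volume(root, dry_run=True)
    untouched = sum(os.path.exists(e) for entries in planned.values() for e in entries)
    done = clean_volume(root, dry_run=False)
    remaining = sum(os.path.exists(e) for entries in done.values() for e in entries)
    summary = {
        "dirs_found": len(dirs),
        "entries_planned": sum(len(v) for v in planned.values()),
        "entries_untouched_by_dry_run": untouched,
        "entries_remaining_after_clean": remaining,
        "folders_kept": all(os.path.isdir(d) for d in dirs),
    }
    shutil.rmtree(root, ignore_errors=True)
    return summary


if __name__ == "__main__":
    print(demo())
```

Run it first with `dry_run=True` against the real volume root, review the listing, and only then run it with `dry_run=False`; the temp folders themselves are left in place, so Windows and Internet Explorer keep working exactly as the guide says.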
Step 5. Activate Mini Windows XP Network connection.
Now we're going to activate the network connection so that we can connect to the Internet and download files.
Attention: If you are working on a laptop, connect it to the network with an Ethernet cable before you continue with this step, because the “Network Setup” utility does not recognize Wi-Fi cards properly.
1. From “Mini Windows XP” desktop double-click at “Network Setup” icon.
2. When “PE Network Manager” starts, hover your mouse over the “State” sign to check whether your computer is connected to the network.
3. After that, make sure that your network card has obtained a valid IP address. To do that, click the “Info” button.
4. In the “Network DHCP information” window you should see a similar screen:*
* Note: The numbers in the “IP Address”, “Subnet Mask”, “Default Gateway” and “DNS Server” fields may differ on your computer.
If the “IP Address”, “Subnet Mask”, “Default Gateway” and “DNS Server” fields are empty, you won't be able to connect to the network. If this happens, check your cables or specify the network address settings manually.**
** To specify your network settings manually, click “Obtain an IP address automatically” in the main “PE Network Manager” window.
Type your “IP”, “Subnet Mask”, “Default Gateway” and “DNS Server” addresses manually and click “Apply”.
5. Close “PE Network Manager” utility.
Step 6. Disinfect the infected computer with RogueKiller.
1. From Mini Windows XP desktop, double-click at “Internet” browser icon.
2. Navigate to “http://www.adlice.com/softwares/roguekiller/” and scroll the page down until you find and click the “RogueKiller” download link. *
* Note: You can also find the “RogueKiller” download page from “www.wintips.org” website (Under “Tools & Resources” section).
3. At the pop-up window, click “Run” to run “RogueKiller.exe” file.
4. When the pre-scan is completed, read and “Accept” the license terms.
5. Press the “Scan” button to scan your computer for malicious threats and malicious startup entries.
6. Finally, when the full scan is completed, press the "Delete" button to remove all malicious items found.
7. Close “RogueKiller” and continue to the next step.
Step 7. Remove Malware with Malwarebytes Anti-Malware.
1. From Mini Windows XP desktop, double-click at “HBCD Menu” icon.
2. At Hiren’s BootCD 15.7 – Program Launcher window, go to “Programs” > “Antivirus/Spyware” and click “Malwarebytes’ AntiMalware”.
3. Press any key when the following screen appears.
4. When “Malwarebytes’ Anti-Malware” appears on your screen, select the “Update” tab and click “Check for Updates”.
5. When the update is completed, press “OK” to close the information pop-up window.
6. Now click the “Scanner” tab.
7. Click to activate the “Perform full scan” option and then press the “Scan” button.
8. At the next screen leave only your main local disk drive's letter selected (e.g. “C” in this example) and unselect all other drives listed. Then press the “Scan” button.
9. Wait until Malwarebytes Anti-Malware scans your computer for malware.*
* Note: When the program finds threat objects, you'll see the "Objects detected" field turn red and count the infected items as the scan continues.
10. When the scanning is completed, press the “OK” to close the information window and then press the "Show results" button to view and remove the malicious threats.
11. In the "Show Results" window, check (with the left mouse button) all the infected objects found EXCEPT the following three (3) objects, which are part of the running Hiren's “Mini Xp” environment (drive X:) and not of the infected disk:
- Malware.Packer.Gen | File | X:\I386\System32\keybtray.exe
- Malware.Packer.Gen | Memory Process File | X:\I386\System32\keybtray.exe
- PUM.Hijack.Help | Registry Data | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp
12. Finally press the “Remove Selected” button to disinfect your computer.
13. When the removal of infected objects process is complete, answer “Yes” to "Restart your system & remove all active threats properly" and then remove the “Hirens BootCD” from the CD/DVD drive in order to boot normally into Windows.
14. When Windows are loaded, ensure that your computer is totally disinfected from malicious programs by following the steps in this guide: Malware Removal Guide to clean your infected computer.
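The three exceptions in step 11 of this last procedure matter because a scan run from a boot CD also sees the rescue environment itself: detections located on the Hiren's “Mini Xp” drive (X: in the guide's example) are that environment's own files, not an infection of the disk being cleaned. The script below is an added example, not code from the guide or from Malwarebytes, and it assumes scan results are available as text lines in the "Name | Type | Location" form shown in the guide. It keeps the three objects the guide lists, generalizes the rule to anything located on the boot-environment drive, and marks everything else for removal. The "Trojan.Sample" and "PUP.Sample" lines are constructed sample input, not real detections.

```python
"""Triage "Name | Type | Location" scan-result lines from a boot-CD scan.
Added example, not the guide's own code; sample result lines are constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "name kind location")

# The three objects the guide says to leave unchecked, copied from the guide.
GUIDE_EXCEPTIONS = {
    ("Malware.Packer.Gen", "File", r"X:\I386\System32\keybtray.exe"),
    ("Malware.Packer.Gen", "Memory Process File", r"X:\I386\System32\keybtray.exe"),
    ("PUM.Hijack.Help", "Registry Data",
     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp"),
}


def parse_line(line):
    """Split one result line into (name, kind, location).

    The delimiter is ' | ' with surrounding spaces and at most two splits are made,
    so the bare '|' that separates a registry key from its value name (as in the
    guide's 'Explorer|NoSMHelp' entry) stays inside the location field."""
    parts = line.strip().split(" | ", 2)
    if len(parts) != 3:
        raise ValueError(f"unrecognised result line: {line!r}")
    return Finding(*parts)


def on_drive(location, drive_letter):
    """True if `location` is a file path on the given drive letter (case-insensitive)."""
    return location.upper().startswith(drive_letter.upper() + ":\\")


def classify(finding, env_drive="X"):
    """Return 'keep' for objects belonging to the rescue environment, else 'remove'."""
    if tuple(finding) in GUIDE_EXCEPTIONS:
        return "keep"   # explicitly listed by the guide
    if on_drive(finding.location, env_drive):
        return "keep"   # lives on the Mini XP boot media, not on the infected disk
    return "remove"


def triage(lines, env_drive="X"):
    """Group result lines into the objects to keep and the objects to remove."""
    decisions = {"keep": [], "remove": []}
    for line in lines:
        if not line.strip():
            continue
        finding = parse_line(line)
        decisions[classify(finding, env_drive)].append(finding)
    return decisions


# Constructed sample results: the guide's three exceptions plus made-up detections.
SAMPLE_RESULTS = r"""
Malware.Packer.Gen | File | X:\I386\System32\keybtray.exe
Malware.Packer.Gen | Memory Process File | X:\I386\System32\keybtray.exe
PUM.Hijack.Help | Registry Data | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp
PUP.Sample | File | X:\Program Files\SampleTool\tool.exe
Trojan.Sample | File | C:\Documents and Settings\John\Local Settings\Temp\updater.exe
Trojan.Sample | Registry Value | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|updater
"""

if __name__ == "__main__":
    result = triage(SAMPLE_RESULTS.splitlines())
    for decision, findings in result.items():
        print(f"{decision.upper()}:")
        for f in findings:
            print(f"  {f.name} | {f.kind} | {f.location}")
```

Pass a different `env_drive` if the Hiren's environment is mapped to another letter on your machine; the drive letters are visible in Windows Explorer as described in Step 4.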