
Cleaning up after a virus infection

Virus clean-up

How can I avoid any possibility of (re-)infection ?

You can't. Despite all your precautions, you can still get infected. Microsoft Updates, Firewalls, Anti-viruses etc. and Malwarebytes can only ever protect you against 'known' threats - so if you encounter a 'brand new' threat (the so-called 'zero day exploit') you can still get caught.

All you can do is minimise the chances - never use Microsoft Internet Explorer, MS Mail, MS Chat, MS Messenger - or, in fact, ANY MS application that uses the Internet (it's not that MS apps are necessarily any worse than any other app., just that they are so common that they are the virus writers' 'number one' target). Don't visit dubious web sites (and that means don't use Torrents and especially NEVER install 'hacked' software), make sure Windows Updates is running and keep your (non-MS) Firewall and AV 'up to date'.

How do I know I have been infected ?

Often the first sign that your PC is infected with 'something nasty' will be when your web browser suddenly opens a different 'home page' or when every 'search' you make gives you nothing but spam advertising. However, more often than not, you will notice nothing until one of your email friends contacts you to complain you are sending them spam or virus infected emails.

The fact that your PC is 'running slow' or 'taking ages to open a web site' or even 'crashing' (more than usual) is not usually an indication of a virus - it's just that your Windows configuration is becoming over stuffed with applications and utilities (all loading themselves at start-up & thus forcing Windows to use more and more 'virtual memory') and your hard drives are filling up and becoming over-fragmented.

Of course WinPatrol should have alerted you when an installer attempts to run software at 'start up', however in case you missed some, a quick check with HijackThis will let you flush out most of the 'RUN at start' rubbish and (after a reboot) will typically cure slow running. Rebooting your Router will often solve slow Internet access.

Will my other networked computers be infected ?

Unless every PC in your home has its own Firewall, when one gets infected it's almost certain the infection will spread to the others. So the first step to successfully 'disinfecting' a networked system is to power-off every PC and remove ALL the Ethernet cables (and turn off your WiFi Router). To disinfect each computer, power them up one at a time - once one is 'disinfected', power it down again until EVERY computer has been checked.

Be aware that any 'writable' media in your house could also be infected - choose one computer to check all your 'media' (USB sticks, CF / SD cards etc.) - and don't move the media to any other computer until it's been cleared (see below).

Having disinfected a PC, and checked that 'Auto-run' is DISABLED** (see here), you can use that PC to reformat all your USB devices (memory sticks & cards, media players etc.), since anything that can be 'written to' may have been infected.

**If Auto-Run is enabled, your just-disinfected computer is likely to be quickly reinfected by one of your USB sticks - which will then go on to infect every other USB device you plug in ...
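A way to confirm that Auto-Run really is disabled before plugging any USB stick into the cleaned PC, as an added example that is not part of the original page: it reads the NoDriveTypeAutoRun policy value (the standard Explorer policy key locations are assumed) and decodes which drive types still have AutoRun enabled.

```powershell
# Added example (not from the original page): check whether Windows AutoRun is
# disabled for every drive type by decoding the NoDriveTypeAutoRun policy value.
# Assumes the standard Explorer policy key locations; run from an elevated prompt.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine policy (takes precedence)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # per-user policy
)

# Bit meanings of NoDriveTypeAutoRun: a SET bit disables AutoRun for that drive type,
# so 0xFF disables AutoRun everywhere.
$driveTypeBits = @{
    0x01 = 'drives of unknown type'
    0x04 = 'removable drives (USB sticks, SD cards)'
    0x08 = 'fixed (hard) drives'
    0x10 = 'network drives'
    0x20 = 'CD-ROM / DVD drives'
    0x40 = 'RAM disks'
    0x80 = 'reserved / unknown'
}

function Get-AutoRunStatus {
    foreach ($key in $policyKeys) {
        $value = $null
        try {
            $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction Stop).NoDriveTypeAutoRun
        } catch {
            # key or value absent: the Windows built-in default applies, which never disables all types
        }
        if ($null -eq $value) {
            Write-Output "$key : NoDriveTypeAutoRun not set - AutoRun is NOT fully disabled here"
            continue
        }
        # every drive type whose bit is clear still has AutoRun enabled
        $stillEnabled = @()
        foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
            if (($value -band $bit) -eq 0) { $stillEnabled += $driveTypeBits[$bit] }
        }
        if ($stillEnabled.Count -gt 0) {
            Write-Output ("{0} : 0x{1:X2} - AutoRun still ENABLED for {2}" -f $key, $value, ($stillEnabled -join ', '))
        } else {
            Write-Output ("{0} : 0x{1:X2} - AutoRun disabled for all drive types" -f $key, $value)
        }
    }
}

Get-AutoRunStatus
```

If the HKLM line reports anything other than "disabled for all drive types", fix that one first, since the machine policy overrides the per-user one.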

How do I 'disinfect' my computer ?

How you proceed depends on how 'bad' the infection is. Simple 'search engine redirect', 'home page hijacking', 'adware', 'trial-ware' or commercial 'file type' hijacking can usually be 'fixed' by using System Restore to 'go back' to a point before you were foolish enough to install them (see at end for launching System Restore from Safe Mode Command Prompt).

'Older' infections were typically too 'dumb' to stop you downloading the current version of Malwarebytes and using that to 'kill' the infection. However many current infections are clever enough to block access to anti-virus software or even prevent you accessing the web at all (in an attempt to stop you discovering how to delete them). As soon as you discover such an infection, you should proceed as follows :-

1) Prevent re-infection

By the time you discover it, the infection has likely already spread within your home PC network. This means that, as soon as you 'dis-infect' one PC, chances are, it will be immediately re-infected from another PC. So TURN OFF ALL the PCs in your household and unplug their Ethernet cables. It is especially vital to turn off your Home Server / NAS (and remove the Ethernet cable).

Don't forget that a virus is quite happy to travel by WiFi. If your Router has WiFi enabled, turn it off as soon as you realise you have become infected.

2) Protect your vital data

If you are unable to remove the infection from your system, you will have no choice but to totally reformat your hard drive. Your system is infected so there is no point in backing it up. However your DATA files may well be OK - and even if they are infected, having copies of infected data files (which you can try to 'disinfect') is better than having no files at all.

2a) Remove your D: drive

Boot up into Safe Mode. If you built & configured your PC to my recommendations, all your data files will be on D:, however your application settings (things like your eMail Address Book) will still be on C:.

So boot into Safe Mode and copy the entire folder "C:\Documents and settings\.." to D:\MaybeInfected\(Documents and settings\..) and then remove the drive.

If you are unsuccessful in removing the infection, at least your data will now be safe.

2b) Copy to DVD

Boot up into Safe Mode. If you don't have a D: drive you will have to 'burn' your most vital documents to DVD+/-R.

NOTE. You almost always need to be in Safe Mode when dealing with an infection. Any half clever exploit will consist of multiple parts, most of which will 'monitor' each other and act to restore any part you successfully remove. Since at least one part will load at power-on and remain in memory (from where it can replace any file you manage to delete from your hard drive), the first step to removal is to boot up into 'Safe Mode'. This will prevent most exploits loading any part of themselves at power-on.

3) Turn off System Restore

A clever infection will use System Restore to 'protect' itself. Successful removal thus requires that you disable System Restore before starting removal.

4) Disinfect your system

a) Run Malwarebytes anti-malware.

If you followed my advice you would have installed Malwarebytes when initially setting up your system. You also would have run it once a month or so and thus have a reasonably up-to-date 'signature' file. If Malwarebytes is unable to find the infection and you believe your 'signature' file is out of date, then you need to reboot into 'Safe Mode with Networking' and HOPE that the infection is unable to prevent it updating. As soon as you have obtained the latest signature file, remove the Ethernet cable (or reboot into safe-mode without networking) - one thing you don't want whilst trying to remove the infection is to allow the infection to 'repair' itself by downloading copies of itself from the web.

If you find a 'real' infection (as opposed to a 'cookie' or just some annoying 'adware'), continue as detailed in (b) below.

b) Run "HijackThis" from Safe Mode

You should also have installed this utility and have used it before to examine your Registry and discover what components have been set up to 'RUN' at power on and what will be left running in memory as a 'service'. So you should already be familiar with what's 'normal' and thus be able to detect (and 'fix') anything that you don't recognise.
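Knowing what is 'normal' is much easier with a written record than with memory. The script below is an added example (not code from the original page or from HijackThis): on first run it saves a baseline of the 'RUN at start' registry entries and the auto-start services, and on later runs it lists what has appeared or disappeared since. The baseline file path is an assumption.

```powershell
# Added example (not from the original page): snapshot the Run / RunOnce registry
# entries and auto-start services, then compare against a baseline saved earlier
# while the PC was known to be clean. The baseline path below is an assumption.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupSnapshot {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; those are not registry values
            if ($p.Name -like 'PS*') { continue }
            $entries += "RUN  $key\$($p.Name) = $($p.Value)"
        }
    }
    # services that start automatically at power-on, with the executable each one runs
    foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        $entries += "SVC  $($svc.Name) = $($svc.PathName)"
    }
    $entries | Sort-Object
}

$baseline = 'D:\startup-baseline.txt'   # assumed path; write it once while the PC is known-clean
if (-not (Test-Path $baseline)) {
    Get-StartupSnapshot | Set-Content -Path $baseline
    Write-Output "Baseline saved to $baseline - re-run this script later to see what has changed."
} else {
    $diff = Compare-Object -ReferenceObject (Get-Content -Path $baseline) -DifferenceObject (Get-StartupSnapshot)
    if (-not $diff) {
        Write-Output 'No change from baseline.'
    }
    foreach ($d in $diff) {
        # '=>' means present now but not in the baseline; '<=' means it was in the baseline and is gone
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW    ' } else { 'MISSING' }
        Write-Output "$tag $($d.InputObject)"
    }
}
```

Any NEW line whose executable lives somewhere odd (a temp folder, a user profile, a name that mimics a Windows file) is the first thing to look up before 'fixing' it.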

How do I get Malwarebytes / HiJackThis (or search for virus removal tools) ?

Wire a single PC direct to your Router using an Ethernet cable. Turn on the Router and make sure WiFi is disabled 'just in case'. Use that PC to access the Internet and download 'disinfection' tools.

What if the infection prevents me accessing the Internet ?


WARNING - power off the infected computer before turning on another one - otherwise you risk your second PC being infected by the first.

Booting into 'Safe Mode with Networking' will usually allow you to connect to the web and download virus removal utilities. If not, you will have to find a 'Live CD' (a system CD that boots into RAM, so even if it becomes infected the infection is wiped along with everything else in RAM when you power down).

If possible (i.e. not using the CD/DVD drive for a 'Live CD'), burn the removal utilities to CD/DVD and make sure you 'close' (or 'finalise') the disc.

The problem with using a USB stick or memory card on an infected PC is that it will become infected as soon as you plug it in. So whilst you may write a 'clean' USB stick from a 'Live CD' booted PC, it may become infected by the first PC you use it on. Even if you manage to avoid re-infecting that PC, you can still end up (re-)infecting the next PC you use it on.

Note that the 'write protect' switch on SD cards DOES NOT 'write protect' the card - it's simply a 'flag' to the software 'driver' telling it not to write - any virus will simply ignore this 'flag' and write to it anyway.

Can using System Restore remove a virus ?

If Malwarebytes is unable to remove the infection, you could try using System Restore from "Safe Mode with Command Prompt" which should run without the virus interfering. To launch the System Restore application, at the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.

Unfortunately most virus writers know all about system restore and take the 'precaution' of replacing all the 'clean' restore points with their own infected files.

Why does Windows refuse to delete a file ?

One 'cunning trick' of the Virus writers is to have two (or more) Process components each 'monitoring' the other. Of course you can't delete the executable file whilst the process is running, and whilst you can use 'End Process' to 'stop' one, the other immediately restarts it ! Fortunately, booting into Safe Mode usually ensures neither process is started thus allowing both files to be deleted.

Of course files can also be marked as 'read only' (using the Security Permissions). If the file 'ownership' is set to 'system', even an Administrator gets 'access denied', although an Administrator can usually just right-click and use the Properties / Security tab to 'take ownership' and remove the Read Only tag.

However, with owner = System, it's actually possible to explicitly 'deny access' to Administrators ! In this case, when you open the file Properties, the Security tab won't even be shown !

Of course, commercial software vendors soon got onto this trick - it's not unusual to discover files from Adobe (such as Flash10.ocx) 'stuck' on an old system disk that has not been reformatted before being 'reused' as a data drive. Needless to say, using Safe Mode or a 'command prompt' (DOS Box) won't help overcome the Administrator 'access denied' setting (the 'flag' is in the NTFS directory, not in the User Accounts or Registry - so even moving the drive to a totally different PC won't help).
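To find such files on a re-used data drive before they surprise you, here is an added example (not from the original page): it lists every file under a folder whose NTFS ACL carries an explicit Deny entry for the Administrators group, and also reports files whose ACL an Administrator cannot even read (the 'no Security tab' case). The scan root is an assumption.

```powershell
# Added example (not from the original page): list files whose NTFS ACL has an explicit
# Deny entry for Administrators, or whose ACL cannot be read at all by an Administrator.
# The scan root is an assumption; run from an elevated prompt. Nothing is modified.
function Find-AdminDenyAces {
    param([string]$Root = 'D:\')     # assumed location of the re-used old system disk
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_.FullName
            try {
                $acl = Get-Acl -Path $file -ErrorAction Stop
            } catch {
                # A Deny on 'Read permissions' blocks reading the DACL itself, which is
                # exactly the 'Security tab not shown' symptom, so report it rather than skip it.
                New-Object PSObject -Property @{
                    Path   = $file
                    Owner  = '(unreadable)'
                    Denied = 'ACL not readable: ' + $_.Exception.Message
                }
                return
            }
            $denies = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*\Administrators'
            }
            if ($denies) {
                New-Object PSObject -Property @{
                    Path   = $file
                    Owner  = $acl.Owner
                    Denied = ($denies | ForEach-Object { $_.FileSystemRights }) -join '; '
                }
            }
        }
}

Find-AdminDenyAces -Root 'D:\' | Format-Table Path, Owner, Denied -AutoSize
```

For a file it reports, `takeown /F <path>` (which relies on the Administrator's Take Ownership privilege rather than on the file's ACL) followed by `icacls <path> /remove:d Administrators` removes the Deny entry; icacls ships with Vista and later, XP only has cacls.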

If the file isn't actually being 'held open' by another running Process, the file unlocker should do the trick (just watch out for its attempts to install the 'Bing' search bar and link you to eBay etc).

If the 'file unlocker' website becomes inaccessible, you can download the .exe from here.

If the file really is being 'held open', you will have to use the modify on boot utility, which can delete files before Windows actually 'launches' on boot.

If all else fails, you may be able to use a non-Windows Live CD, where the 'root' user can usually overcome any NTFS file access restrictions.

Can I use a 'Live PE XP CD' ?

Yes - if you still can't remove the infection any other way, and have a 'Win PE' style bootable Operating System on CD, you can use that to examine your C: drive.

If this still fails to reveal the virus you may have little choice but to re-install Windows.

How do I re-install Windows ?

Most recent computers have a hidden 'Factory restore' partition on the hard drive. Access depends on your manufacturer. If you have a Dell computer, you can follow the instructions below.

WARNING

Make sure you have all your LICENCE KEYS before wiping your existing configuration !


Whilst your Windows Licence Key will be found on a 'sticker' on the back of the computer, other licence keys may be more difficult to find. Fortunately, various utilities exist (such as the Magic Jelly Bean Keyfinder or CD Key Reader) that will allow you to recover many other Licence Keys installed on your computer.

In today's 'Internet connected world', many Licence keys (and software installer download links) may have been sent by eMail - so make sure you print out all the relevant eMails from your archive before wiping it !

A1. Windows XP (Dell Dimension and Inspirons prior to mid 2009)

During power-on, press 'Ctrl F11' (hold down both the 'Ctrl' key and 'F11' key)

A2. Vista and OptiPlex, Latitude, Vostro, Precisions, Studios, XPS and Inspirons (from mid 2009 onwards)

During power-on, press the F8 key. From the Advanced Boot Options menu, select the (first listed) 'Repair Your computer' option. After logging in as an Administrator, you can choose the "Dell Factory Image Recovery and DataSafe" option.

Next subject :- Network security
