Need to know how to clean a virus-infected Windows computer? This post is for you. No step-by-step process will work the same way every time, but I will describe some thought processes that can help you work out how to rid your PC of malware, viruses and rootkit infections.
These days the worst PC virus and malware infections I come across are “drive-by” infections, usually from hacked websites.
What this means is that the user did nothing wrong: they visited a website that is normally safe and respected (McAfee SiteAdvisor lists it as “green”), yet the site has been compromised so that everyone who simply visits it gets nasty malware, and usually a rootkit, installed without clicking on anything.
The First Indication Of A Malware Infection
The first indication that your computer is infected can take any of a number of forms. In the case of this PC, it was running Windows Vista without even Service Pack 1, let alone SP2. This was an oversight on my part: while we had been intending to upgrade it to Windows 7 for some time, that hadn’t happened, and I never realized that SP1 was not installed either.
But here is what you might see when your PC is infected:
- A BSOD (Blue Screen Of Death). This is what we had on the Windows Vista PC.
- Additional icons on the desktop. In our case, it was a program called WhiteSmoke.
- Browser redirections. Google searches were being redirected elsewhere.
- Computer security sites blocked. Many malware programs block your access to sites known to be of help in cleaning an infected PC: popular antivirus vendors, BleepingComputer (where you will find ComboFix), and even Microsoft itself will be blocked.
- Popups indicating your computer is infected. Some of these are disguised to look like the Windows Security Center and usually offer to “fix” your problem. DO NOT CLICK ON THOSE LINKS! They will infect you further or, at BEST, charge you a ransom to “clean” your PC and then likely use your credit card information for nefarious purposes.
- Inability to run Registry Editor (regedit).
- Inability to change Windows Explorer folder view options, such as showing hidden and system files, so you cannot find the malware’s program files.
- Programs will not run when you double-click a desktop icon or select them from the Start Menu.
What To Do When Your PC Is Infected
In our case with the Windows Vista PC that was drive-by infected with the Alureon rootkit, WhiteSmoke and a few other pieces of malware, we had no data on the PC that we were concerned about. All of our data is stored on a file server, backed up to a small business NAS (Network Attached Storage) device, and backed up to tape, stored both locally and remotely.
Hopefully you too have your important data stored on or backed up to a home NAS, backed up to an online backup service, or in some other way do not have the only copy of important data on your PC.
If you have data on the infected PC
When you have important data on an infected PC with no backup, you may want to consider calling in an expert right away. Tell them you have data on the PC that you need. Give them a list of what you need and preferably where to find it.
If you don’t know where on your drive your data is stored then that is one of your high priority tasks when you get your computer cleaned and back up and running.
What they (or you, if you have the tools and know-how) should do is remove the infected hard drive, connect it to a working computer with a USB hard drive adapter, and copy the data off right away.
Cleaning Your Hard Drive By Removing It and Connecting To Another PC
(If this is not a likely option for you, skip ahead to Cleaning Your Infected Hard Drive Without Removing It, below.)
Does this put the good computer at risk of infection? Not really, as long as the infected drive is NOT connected when you boot the good PC, or you make DARN GOOD AND SURE that the PC will not try to boot from the infected drive. Two more precautions: turn off AutoPlay on the good PC, and only copy files from the infected drive; never double-click or open anything on it.
Connecting your infected hard drive to another PC is also a way to begin cleaning the malware. Often the malware runs from the Internet Explorer Temporary Internet Files directory (if you use IE rather than something better like Firefox or Chrome), the user’s or Windows “temp” directory, or one or more Windows system directories.
The suspect files often have either weird names made of random characters or names that look like Windows files, yet they will usually carry a date and time stamp matching the time of infection. Timestamps can be forged, so treat them as a clue rather than proof, and rename or move these files rather than deleting them until you know they are malicious.
You can also use any of a number of free or paid antivirus programs/scanners/cleaners on the infected hard drive, but many times this does NOT do anything about registry entries or rootkits. The popular free rootkit removers only seem to work on the boot drive.
You can even edit the registry on the infected hard drive (by loading its hive files into Registry Editor with File | Load Hive), if you know what you are doing, using the method described here: Remote Registry Editing and Registry Recovery.
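As an added example (my own script, not something from the original post or from any of the tools it names), here is how the offline triage described above can be scripted from the clean PC with PowerShell. It assumes the infected drive shows up as E:, that you know roughly when the infection happened, that a C:\Quarantine folder exists on the clean PC, and Windows PowerShell 3.0 or later running as Administrator; all of those are assumptions you change to suit.

```powershell
# Added example, not from the original post: triage an infected drive attached to a
# CLEAN PC over a USB adapter, without booting from it.
# Assumptions (change to suit): infected drive is E:, the infection happened around
# $InfectedAt (time of the first BSOD/popup), C:\Quarantine exists on the clean PC,
# Windows PowerShell 3.0+ running as Administrator.
$Drive      = 'E:'
$InfectedAt = Get-Date '2011-01-10 14:30'   # assumed time of the first symptom
$Window     = New-TimeSpan -Hours 12        # files written this close to it are suspect
$Quarantine = 'C:\Quarantine'
$DoMove     = $false                        # $true moves flagged files; default only reports

# Where the post says drive-by payloads usually land: Windows\Temp and the system
# directories, plus each profile's Temp and Temporary Internet Files folders.
$Dirs = @("$Drive\Windows\Temp", "$Drive\Windows\System32", "$Drive\Windows\System32\drivers")
$Dirs += @(Get-ChildItem "$Drive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Join-Path $_.FullName 'AppData\Local\Temp'
    Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\Temporary Internet Files'
})

$from = $InfectedAt - $Window
$to   = $InfectedAt + $Window

function Test-RandomName([string]$Name) {
    # Heuristic only: 8+ characters of mixed letters and digits, no separators, e.g. "a7kq92xd".
    return ($Name -match '^[a-z0-9]{8,}$' -and $Name -match '\d' -and $Name -match '[a-z]')
}

$hits = foreach ($dir in $Dirs) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.scr', '.tmp', '.dat' } |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        ForEach-Object {
            # Caveat: most Windows binaries are catalog-signed and the offline install's
            # catalogs are not consulted here, so legitimate system files also show
            # NotSigned. Use the signature as one clue among several, never on its own.
            $sig = Get-AuthenticodeSignature $_.FullName
            [pscustomobject]@{
                Written    = $_.LastWriteTime
                Signature  = $sig.Status
                RandomName = Test-RandomName $_.BaseName
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Bytes      = $_.Length
                Path       = $_.FullName
            }
        }
}

# Report, newest first. Random names and hidden files in a temp or system directory
# are the ones to look at first; a NotSigned file with a Windows-looking name in
# System32 deserves a second look but is not proof by itself.
$hits | Sort-Object Written -Descending |
    Format-Table Written, Signature, RandomName, Hidden, Bytes, Path -AutoSize

# Quarantine: MOVE flagged files (never delete) and log where each came from, so a
# false positive can be put back. Only runs when $DoMove is $true.
if ($DoMove) {
    $log = Join-Path $Quarantine 'moved.csv'
    $hits | Where-Object { $_.RandomName -or $_.Hidden } | ForEach-Object {
        $dest = Join-Path $Quarantine ($_.Path -replace '[:\\]', '_')
        Move-Item -LiteralPath $_.Path -Destination $dest -Force
        [pscustomobject]@{ Original = $_.Path; Quarantined = $dest; Written = $_.Written } |
            Export-Csv -LiteralPath $log -Append -NoTypeInformation
    }
}
```

Run it once with $DoMove left at $false, read the table, widen or narrow $Window until the infection-time cluster stands out, and only then flip $DoMove. The moved.csv log is what lets you undo a mistake, which is the whole reason the post says to move rather than delete.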
If you are forced to, or choose to, clean your PC the “standard” way, on the infected machine itself, here is how I go about it.
- Boot your computer into Safe Mode with Networking, if possible.
- Delete all temporary files, both the Windows “temp” directories and Internet Explorer’s Temporary Internet Files.
- Check all startup programs and remove malware:
- Windows Startup Folder
- Registry “autoruns”
MSConfig is a good tool here because it lets you temporarily disable a suspicious startup program without deleting it, in case it turns out to be legitimate and you just don’t know it. HijackThis is another tool that can show you, and optionally remove, a malware registry entry.
These tools DO require some level of expertise.
- Reboot the computer, again in safe mode with networking, just in case any of these programs were starting up even in safe mode.
- Download and run ComboFix. If the file “disappears” after downloading, download it again under another name such as “temp.exe”, and realize that you DO have malware running. ComboFix will ask you to disable any other antivirus programs you have running; that’s OK. Note: back up your Hosts and LMHosts files first if you have customized them, because ComboFix assumes any changes were made by malware and deletes them!
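Here is the startup check from the steps above as an added PowerShell example; it is my illustration of the procedure, not code from the post, from MSConfig or from HijackThis. It lists the Run/RunOnce keys, the Winlogon Shell and Userinit values, and both Startup folders, resolves each entry to a file, and reports whether the file exists and is signed; it also backs up the hosts file before ComboFix and prints any non-localhost entries. Assumptions: run on the infected PC in Safe Mode with Networking as Administrator with Windows PowerShell 3.0 or later, and HKLM:\SOFTWARE\Triage is a hypothetical key I chose for parking disabled entries.

```powershell
# Added example, not from the original post: enumerate the autoruns the post says to
# check (Run/RunOnce keys, Winlogon Shell/Userinit, Startup folders), resolve each to a
# file and show whether it exists and is signed, so you can decide what to disable.
# Run on the infected PC in Safe Mode with Networking, as Administrator, Windows
# PowerShell 3.0+. Like MSConfig, Disable-Autorun moves an entry aside instead of
# deleting it. HKLM:\SOFTWARE\Triage is an assumed, hypothetical backup location.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$StartupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$MetaProps      = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$Command) {
    # Pull the executable out of a Run value such as:  "C:\Program Files\x\y.exe" /silent
    $Command = $Command.Trim()
    if (Test-Path -LiteralPath $Command) { return $Command }      # already a plain path
    if ($Command.StartsWith('"')) { $exe = $Command.Substring(1).Split('"')[0] }
    else                          { $exe = $Command.Split(' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutorunInfo([string]$Source, [string]$Name, [string]$Command) {
    $exe    = Get-CommandPath $Command
    $exists = Test-Path -LiteralPath $exe
    # Caveat: catalog-signed Windows files report NotSigned in PowerShell before 5.1;
    # NotSigned means "look closer", not "malware". MISSING means the entry points at
    # a file that is gone, which is common after a partial cleanup.
    $sig     = if ($exists) { (Get-AuthenticodeSignature $exe).Status } else { 'MISSING' }
    $written = if ($exists) { (Get-Item -LiteralPath $exe -Force).LastWriteTime }
    [pscustomobject]@{ Source = $Source; Name = $Name; Signature = $sig; Exists = $exists; Written = $written; Target = $exe }
}

$autoruns = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $autoruns += Get-AutorunInfo $key $p.Name ([string]$p.Value)
    }
}
# Shell and Userinit are favourite hijack points; anything but the defaults is suspect.
$wl = Get-ItemProperty -Path $Winlogon
$userinitDefault = '^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'
if ($wl.Shell -ne 'explorer.exe')            { $autoruns += Get-AutorunInfo $Winlogon 'Shell' $wl.Shell }
if ($wl.Userinit -notmatch $userinitDefault) { $autoruns += Get-AutorunInfo $Winlogon 'Userinit' $wl.Userinit }
foreach ($folder in $StartupFolders) {
    foreach ($item in @(Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue)) {
        $autoruns += Get-AutorunInfo 'StartupFolder' $item.Name $item.FullName
    }
}
$autoruns | Sort-Object Written -Descending | Format-Table Source, Name, Signature, Exists, Written, Target -AutoSize

function Disable-Autorun([string]$Key, [string]$Name) {
    # MSConfig-style: copy the value to a backup key, then remove it. Put it back by hand
    # (New-ItemProperty on the original key) once you know the program is legitimate.
    $backup = 'HKLM:\SOFTWARE\Triage\Disabled'
    if (-not (Test-Path $backup)) { New-Item -Path $backup -Force | Out-Null }
    $value = (Get-ItemProperty -Path $Key -Name $Name).$Name
    New-ItemProperty -Path $backup -Name "$Key|$Name" -Value $value -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}
# Usage (value name is hypothetical): Disable-Autorun 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'WhiteSmoke'

# Hosts file: back it up before running ComboFix (which wipes customisations) and list
# every entry other than the localhost lines; malware adds entries here to block
# antivirus vendors, BleepingComputer and Microsoft.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Copy-Item -LiteralPath $hosts -Destination "$env:USERPROFILE\hosts.bak-$(Get-Date -Format yyyyMMdd-HHmm)"
Get-Content -LiteralPath $hosts | Where-Object { $_ -match '^\s*[0-9a-f:.]+\s+\S' -and $_ -notmatch '\slocalhost\b' }
```

Entries whose target is MISSING, or that were written within minutes of the infection, are the first to disable; entries with a valid signature from a vendor you recognise can stay. The table is also a useful thing to save before rebooting, so that after the reboot (still in Safe Mode) you can run it again and see whether anything re-added itself, which is the tell-tale of a rootkit or a second dropper still running.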
At this point, your computer may or may not be clean. In our case we still had Alureon rootkit, WhiteSmoke and some other garbage.
The PC had been running the corporate version of Trend Micro Worry-Free Business Security Advanced. It was useless. Well after the fact, as I was trying to clean it, my management console sent me emails that there was an infected PC. The PC itself did nothing.
We scanned the drive, installed in another PC, with Microsoft Security Essentials; it told us what we had but was unable to remove it.
For Alureon, we downloaded TDSSKiller. There are good instructions for its use at BleepingComputer.com, but you may have trouble figuring out that all of the download links readily visible near the top of the page are ADS.
TDSSKiller did the job very nicely.
Afterwards, I ran HijackThis again to see what else might be lurking. HijackThis can fix some things, others not, but even then it is a convenient tool to give you an idea of what is out there that still needs to be cured.
I then followed all of that up with the download from MalwareBytes.org. This found and cleaned a number of items, some of which were very minor and may have even been on the system for a while. The free MalwareBytes scanner is top notch at finding AND fixing a number of malware/virus infections.
What To Do Now That Your PC Is Clean
There are a number of things you want to do now that your computer is clean.
First, you want to reboot to normal Windows after the last cleaning of anything. If you see any suspicious activity, keep cleaning.
If you used MSConfig to disable some startups, you will want to re-enable ONLY those you know you want. You may find out over time that others need to be re-enabled, but better safe than sorry.
Any data you did NOT have backed up, back up now. Do NOT overwrite any old backups until you KNOW that the data on your system is good, complete and not infected. If you do not know how to back up, keep reading; we will get to that after a couple of other items on the list. Now is NOT the time to install new software other than what it takes to keep you protected.
- Open Control Panel, Internet Options, and make sure your home page is set to something safe, like maybe just www.google.com. If some malware reset your browser’s home page, the last thing you want to do is open your browser without resetting it!
- Open Internet Explorer and select Tools | Windows Update. If you don’t have the menu bar enabled (shame on Microsoft for hiding it), enable it, use the shortcut on the Start Menu, or go back to Control Panel, Automatic Updates, and click the link there for the Windows Update website. Install the necessary Windows Updates. If you cannot get to that website, you’re still infected.
- Update Java, if installed. A lot of malware is installed via vulnerabilities in old Java versions. Two points here. First, check in Control Panel under Add/Remove Programs or Programs (depending on your version of Windows) and make sure you have one and only one version of Java installed; installing a new version does not necessarily remove the old ones, and early versions like 1.3, 1.4 or 5.0 might still be there. Java 6 Update 23 is current as of this writing. Second, there is a Java item in Control Panel from which you can start a Java update.
- Make sure you have 1 and ONLY 1 antivirus security program installed and that it is fully up-to-date. If you need a FREE antivirus program, Microsoft Security Essentials is really quite good and recently updated to version 2.
- Do a COMPLETE scan of all hard drives in your system, if you have not done so already. This will take a long time.
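Here, as an added example and not the author’s own tooling, is the checklist above as a PowerShell script you can re-run after each reboot until everything comes up clean. It assumes a client edition of Windows (the SecurityCenter2 namespace and the System Restore cmdlets do not exist on Windows Server), Windows PowerShell 3.0 or later, and an Administrator session; the Windows Update search can take several minutes and needs the update site to be reachable, which is itself one of the checks.

```powershell
# Added example, not from the original post: the post-cleanup checklist as a script to
# re-run after each reboot. Client Windows, Windows PowerShell 3.0+, run as Administrator.
# Nothing is changed except System Restore, which is switched back on and given a fresh
# restore point.
$report = [ordered]@{}

# 1. Browser home page (Internet Explorer). Anything other than the page you chose means
#    a hijack is still in place.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$report.HomePage = $ie.'Start Page'

# 2. Windows Update: can we reach it, and how many updates are missing? A failed search
#    usually means the update site is still being blocked (hosts file, proxy, DNS).
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $report.MissingUpdates = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count
} catch { $report.MissingUpdates = "search failed: $($_.Exception.Message)" }

# 3. Java: there should be exactly one entry. Old versions are not always removed when a
#    new one is installed, and each one left behind is a set of known, exploited holes.
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$report.JavaVersions = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
    ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" })

# 4. Antivirus: exactly one product, which Windows sees as enabled and up to date.
#    productState is a bit field: bit 12 (0x1000) = enabled, bit 4 (0x10) = out of date.
try {
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct)
    $report.Antivirus = @($av | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.displayName
            Enabled  = [bool](($_.productState -shr 12) -band 1)
            UpToDate = -not [bool](($_.productState -shr 4) -band 1)
        }
    })
    $report.AntivirusCount = $av.Count
} catch { $report.Antivirus = "query failed: $($_.Exception.Message)" }

# 5. System Restore: turn it back on (malware often disables it) and take a baseline now
#    that the machine is clean. Restore points made while infected may hold the malware;
#    delete them once you trust this baseline.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Post-malware-cleanup baseline' -RestorePointType MODIFY_SETTINGS
$report.SystemRestoreOn = $true

[pscustomobject]$report
```

What you want to see is your own home page, MissingUpdates counting down to zero over successive runs, a single Java entry at the current version, and AntivirusCount of 1 with Enabled and UpToDate both true. A search failure or a product that reports Enabled but not UpToDate is a sign that something is still interfering with network access, and the cleaning is not finished.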
By now you have probably rebooted several times. Everything look OK?
I don’t want to rewrite everything I have written on computer backup, but here are some highlights you should know.
- Some malware disables Windows System Restore, which would otherwise let you “clean” your PC by restoring to a restore point made when your machine was clean. If you need help turning it back on, you can google the problem or get help on my Free Support Forum. Bear in mind that restore points made after the infection can contain the malware itself, so once you are confident the machine is clean, make a fresh restore point and delete the old ones.
- Taking an “image” of a working Windows PC is a great idea for computer backup. Not only can you restore that image to a new hard drive, a larger hard drive, or over an infected hard drive, but you can also restore individual files by “mounting” the image and simply dragging and dropping with Windows Explorer. I highly recommend Acronis True Image for computer backup and imaging, which can be done to an external hard drive.
- Daily, automated backups to an off-site online backup storage service (which can be free, depending on the service and how much data you have) are a fantastic idea. Here again is the link I posted higher up: Online Backup Services
Cleaning an infected PC can be challenging, frustrating and time consuming. That’s why some people with good backups simply get out their disk image and RESTORE!
No one set of steps works perfectly for everyone every time. It can include some trial and error.
One thing is for sure: once clean, you want to keep it clean. Check my other posts for more on this topic, but Windows and Java updates are a must. You can set them to automatic, but even then you need to pay attention to the icons in the task tray; sometimes user intervention is required.
A Note On Virus Scanning and Free Online Scanners
Virus scanning, if you do a “complete” scan of your hard drive, can take a LONG TIME due to the incredible number of individual files included with Windows and many software programs. While I think it borders on criminal, there is not much we can do about this file bloat.
“Quick scans” should be enough to get your PC running, but you will want to do a complete scan when you are done.
You may notice that I did not talk about free online virus scanners in this post. The reason is three-fold:
- This post is long enough already.
- Often, and in the case we had with the Vista PC the other day, the computer will not navigate to any free online scanner because the malware blocks it. If you can navigate there, the scanner may very well not run, or not complete the scan if it runs at all.
- An online scan can take a very long time to perform. I wanted this PC cleaned quickly and back in service.
Final note on the Windows Vista PC: once we had everything cleaned up, we uninstalled the Trend Micro corporate software and installed the new Microsoft Security Essentials version 2.
When the user began going about her work (at some of the same sites she had been to when it got infected), MSE popped up with a warning that it had found and cleaned Alureon.c, so obviously it all started with a drive-by infection! I wish Trend Micro had been as effective…
The next day I took the time to upgrade the PC to Windows 7 Professional, using the in-place upgrade path that I normally do not take. But for the experience, and because of all the installed software (some with restrictive license “keys”), we took that option, which is only available from Vista, not from Windows XP.
Here are some important computer security links:
- ComboFix – Note: Do NOT use ComboFix.org or any site other than BleepingComputer.com
- SysClean Free Offline Scanner
Online Antivirus/Malware Scanners
Recommended Antivirus Software
No antivirus software is perfect, and how much you pay does not necessarily get you better protection. Here are some that I have worked with and found to be at least REPUTABLE and, for the most part, as effective as you can expect. (Alphabetical Order)
- Microsoft Security Essentials
- Norton (Much improved over last year or two)
- Trend Micro
Once installed, verify periodically that the signature files are indeed automatically updating.