Last update: January 28, 2012 09:11 AM      

When your computer is infected

Cleanup considerations

allen's personal collection
of ideas, articles and links
to computer security resources.

When your computer is infected, what do you do?  Here is how I proceed.  No guarantees, though.

  1. Consider carefully how you will protect your important files, if any. 

    If you can, get them copied off the machine, without taking the infection along.  Maybe you had the foresight to make frequent backups?  Then things are much easier.

    Sometimes a virus corrupts data files, and they may or may not be recoverable.  Occasionally, removing a virus can lose data, or even wipe disks.  Usually, however, the process proceeds without a hitch.

    If your data are very important, consult a specialist and be prepared to pay.  Make sure he or she is very good.  Some aren't.  Ask for references and a guarantee.

    Otherwise, if you have nothing important, consider just reformatting the hard drive and reinstalling the software.

    The best solution is often to wipe the hard drive and re-install the operating system, then immediately install and update the firewall and virus protection -- then update Windows® -- before the machine gets infected again. This can be a bit difficult, since it may be necessary to download the virus software from the Internet, and there is a small risk of some 'exploit' coming in during the process!

    Otherwise, proceed as follows:

  2. Start by going to the web browser 'options' and setting days in history to zero, completely emptying the cache, deleting all the offline content and cookies, and resetting the home page to 'default', for the time being.  Set these things back to what you like, later, when you are finished cleaning.  Don't worry about your 'favorites', but be aware that malware sometimes adds its home page and dangerous sites to a victim's favorite list.   Therefore be careful when using your favorites in the future, especially if you see a favorite you do not recognize.

  3. Go to 'Dialup Networking' and make sure that only your own connection with its proper local phone number is listed there.  Delete any strange listings, inserted by dialers.

  4. Then run a virus checker, Ad-Aware, Spybot, and any other scans you happen to have.  (Make sure the scanners are very recently updated).

  5. Empty the Recycle Bin, and also the cache again, if you have used the browser since emptying it.

  6. Reboot and do it all again until you are satisfied you got it all, and that the machine still works.  Some of these things re-install themselves or try to access the internet when you try to kill them.  If necessary, hunt them down (using Search for files and folders) and delete their folders.  Some nasties protect their files and it is necessary to use DOS to get at them.  You may need help in such cases.

  7. Then check the hard drive for errors and defrag (accessed from My Computer | Drive C | Properties | Tools).

  8. Run Regclean (optional).  I don't care what they say, I use it on XP.  Works for me, but YMMV.

  9. Visit Windows Update and do all the critical and driver updates.  This can take a while and several reboots.

  10. Defrag again.

  11. Make sure your protection is set up correctly.  (Check out the advice on the main security page).

  12. Be careful in the future.
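As an added example (not part of the original page), the Python script below checks the two places steps 2 and 3 tell you to inspect by hand: the .url shortcuts in the Favorites folder and the Dial-Up Networking phonebook (rasphone.pbk). The sample shortcut text, phonebook text and trusted-domain list are constructed for the demo; on a real machine you would read the files from the user's profile and pass in your own ISP number.

```python
# Added example, not from the original page. A .url shortcut is INI text with an
# [InternetShortcut] section and a URL= key; rasphone.pbk has one section per
# connection with a PhoneNumber= key. The sample data below are constructed.
import configparser
from urllib.parse import urlsplit
SAMPLE_FAVORITES = {  # constructed: one legitimate favorite, one planted one
    "Windows Update": "[InternetShortcut]\nURL=http://windowsupdate.microsoft.com/\n",
    "Hot Deals!!!": "[InternetShortcut]\nURL=http://example.net/promo\nIDList=\n",
}
SAMPLE_PBK = ("[My ISP]\nType=1\nPhoneNumber=555-0199\n\n"
              "[Premium Access]\nType=1\nPhoneNumber=1-900-555-0100\n")
TRUSTED_HOSTS = ["microsoft.com", "google.com"]  # domains the owner actually uses

def parse_ini(text):
    """Parse INI text, keeping key case (URL, PhoneNumber) and no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def favorite_url(url_file_text):
    """Target of an Internet Shortcut, or None if it has no URL= line."""
    return parse_ini(url_file_text).get("InternetShortcut", "URL", fallback=None)

def unknown_favorites(favorites, trusted_hosts):
    """favorites maps shortcut name -> .url text. Returns (name, url) pairs whose
    host is neither a trusted domain nor a subdomain of one, or that are unreadable."""
    flagged = []
    for name, text in favorites.items():
        url = favorite_url(text)
        host = urlsplit(url).hostname if url else None
        trusted = host is not None and any(
            host == t or host.endswith("." + t) for t in trusted_hosts)
        if not trusted:
            flagged.append((name, url))
    return flagged

def unknown_dialup_entries(pbk_text, own_number):
    """(connection name, number) for each phonebook entry that does not dial the
    owner's ISP. Only digits are compared: '1-900-555-0100' == '19005550100'."""
    cp = parse_ini(pbk_text)
    digits = lambda s: "".join(ch for ch in s if ch.isdigit())
    return [(name, cp.get(name, "PhoneNumber", fallback=""))
            for name in cp.sections()
            if digits(cp.get(name, "PhoneNumber", fallback="")) != digits(own_number)]

if __name__ == "__main__":
    for name, url in unknown_favorites(SAMPLE_FAVORITES, TRUSTED_HOSTS):
        print(f"review favorite {name!r} -> {url}")
    for name, number in unknown_dialup_entries(SAMPLE_PBK, "555-0199"):
        print(f"review dial-up entry {name!r} -> {number}")
```

Anything it prints is only a candidate for review, not proof of infection; a favorite you saved yourself on an untrusted domain will be listed too.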

A horror story
(from Saturday 20 December 2003)

I was checking my web logs this morning and noticed that I had a visitor referred from a link on a site with which I was unfamiliar.  I clicked on the link and was surprised to see an install message that appeared to be certified by a Chartered Accountant firm, accompanied by a message that I needed to install the add-in to view the next page.

I wrote about such things just the other day in my security advice page, and, since I was not expecting a download, I said "no", and then got another series of messages with only an 'OK' button.  I clicked the 'X' system button in the upper right corner to kill each one in turn.

Then a download dialogue showed up again.  I clicked the 'cancel' button, and the thing went away, but not without opening several porn pages, which I killed.

I think it is all gone now, and scans show no problems, but this is an example of how tricky these guys are, and how they try to install trojans, key loggers, hijackers, and more on your computer.  Unless you are persistent and smart, they will get you.  I think that, if I had clicked "Yes", PestPatrol, running in the background on my computer, would have warned me to stop the download -- if I had time to do so, because some such downloads only take a second, but, nonetheless, there was an attack on my computer that many people would have fallen for.  WinPatrol would have hopefully allowed me to reverse the changes.

Naturally, I felt violated, and have kept an even closer watch for problems since.

A cleanup story
(from Wednesday 25 February 2004)

I was up off and on during the night working on a computer that had been dropped off here by a friend. I used the software listed on my security page and found at least six viruses and trojans with my first sweep, as well as about 10 dialers or references to dialers. Then it found over fifty pests with the next program, and another dozen or more with a third.  I had to drop into DOS to kill one particularly nasty bug that had protected its files in Windows somehow, and also manually delete a dialer connection from 'Dialup Networking'.

Updating Windows took about six hours of downloading, since I am on dialup. The connection got dropped at one point and I found the 'disconnect when inactive' setting under 'modem' was set at 20 minutes. I unchecked that feature so things would proceed without hanging up again. I thought that I got pretty well all of the garbage off the machine, but noticed that I was getting a virus warning on boot. The offending file was in a 'system restore' folder, however, and is harmless unless I decide to restore, but could be killed by turning off 'system restore', then immediately turning it on again.

The computer had been used on the Internet with no protection: no firewall, and no virus checker. In no time at all, it had been plugged up with dangerous software that had come in via various routes. The most obvious symptoms were the flashing porn on the screen, I am told, (I did not see that, since I cleaned the machine immediately on bootup) and several large phone bills from the 900 number(s) the computer had dialed, unbeknownst to its owner.

Without basic protection of a firewall or virus checker, malicious attackers use various tricks to hijack machines. Cleaning these machines up can be a big job. Actually, the best solution is often to wipe the hard drive and re-install the operating system, then immediately install and update the firewall and virus protection, then update Windows® before it gets infected again. This can be a bit difficult, since it may be necessary to download the virus software from the Internet, and there is a small risk of some 'exploit' coming in during the process!

In retrospect, that approach would have made sense here, since the machine has not seen much use and had no important content. 

But I like a challenge, and I had some fun.

Another Cleanup Story
(from Tuesday 23 December 2003)

A friend brought over a computer that had been hijacked by a popup that looked like an innocent MSN message, but, when clicked, set his home page to a porn site and ran unstoppable picture shows.   I spent some time studying up on the problem before he came over, to be ready for the repair, but the actual cleanup turned out to be easy -- other than the fact that the machine hardly ran at all, and I had long waits between clicks.

To fix it, before I even ran the browser, I simply opened the Internet options from the Control panel and changed the home page back to MSN, and deleted all the history and deleted the caches.  The cache was huge, and I cut it down to 25 megs to speed things up.  After that, I updated Ad-aware and ran it, finding 83 pests and an exploit, which Ad-Aware removed.  When I opened the browser, no bad stuff happened, so I guess this was not the really persistent type of hijack exploit that requires drastic measures to eliminate.

The system had not been defragged, updated, or checked for errors for 590 days, so I defragged several times and updated Windows.  There were about 20 updates backlogged, so that took about 10 hours and numerous reboots.  The machine, which ran slow and was totally unresponsive when it came in the door, now runs quite well, but when I turned off the swap file to defrag it, I learned that it lacked enough memory to run without swapping, even on boot up with nothing running!  A quick check revealed only 64 megs!  Time to get some memory.  I saw 512s at Costco the other day for about $100, if I remember correctly.  This machine needs older memory, though, and if I can find it, it should be dirt cheap.  64 megs would double what it has.

One More Tale
(from Jan 04)

I heard a friend saying his computer got hijacked and was flashing porn at him. Moreover, a 'dialer' had installed itself with his knowledge and had called out to a 900 number, resulting in a $75 phone bill. He is hoping that he caught it in time and that this month's bill won't be even higher.

When I got home, I continued some earlier reading on security, and came across www.webroot.com and tried their scan. It quickly sorted my favorites according to their categories and I was surprised to find, among more likely subjects,

Adult/Mature Content (2 URLs)
Personals/Dating (1 URL)
Pornography (7 URLs)
Files with Profanity (0)

Well, I don't visit porn sites and have no interest in dating, but I have found myself at one at least once when doing an innocent Google search for some unrelated topic. What some porn purveyors do, is take over expiring legitimate domains when the owner accidentally fails to renew them on time, and put up a dating or porn site at that URL. People expecting to go to the old site, find themselves unexpectedly at the new site, and, unless they have high security settings, a script there can add the URL to their favorites without their knowing it.

In past times, I used lower security settings.  After all, no one realized what this net would come to, and this must have happened. I carry my favorites from old machine to new machine, so who knows when I picked them up, or if the sites were once non-porn? Anyhow, these days, traces of porn on a computer are not definite proof that the user has been deliberately visiting porn sites.


More ideas on the security advice page.  This page is a supplement to the main security page, which should be consulted for more detailed info. 

Use this information at your own risk.
Of course, I can't give you any guarantees.

They say that free advice is worth exactly what you pay for it. 
I hope these pages are an exception, but even the pros don't have 100% success and new threats come out of the blue with great regularity.  A few years ago, all this nonsense and nastiness we combat daily was not even imagined.

Please report any problems or errors to Allen Dick
© allen dick 1999-2014. Permission granted to copy in context for non-commercial purposes, and with full attribution.
