When your computer is infected
of ideas, articles and links
to computer security resources .
When your computer is infected, what do you
do? Here is how I proceed. No guarantees, though.
carefully how you will protect your important files, if any.
If you can, get them copied off the machine, without taking the infection along.
Maybe you had the foresight to make frequent backups? Then things are much easier.
Sometimes a virus corrupts data files and they may or may not be unrecoverable.
Occasionally, removing a virus can lose data, or even wipe disks. Usually, however,
the process proceeds without a hitch.
If your data are very important consult a specialist and be prepared to pay.
Make sure he or she is very good. some aren't. Ask for references and a guarantee.
Otherwise, if you have nothing important, consider just reformatting the hard drive and
reinstalling the software.
The best solution is often to wipe the hard drive and re-install the operating system, then
immediately install and update the firewall and virus protection -- then
update Windows® -- before
the machine gets infected again. This can be a bit difficult, since it may be necessary to
download the virus software from the Internet, and there is a small risk of some 'exploit'
coming in during the process!
going to the web browser 'options' and setting days in history to zero, completely
emptying the cache, deleting all the offline content and cookies, and resetting the home
page to 'default', for the time being. Set these things back to what you like, later,
when you are finished cleaning. Don't worry about your 'favorites',
aware that malware sometimes adds its home page and dangerous sites to a victim's favorite list.
Therefore be careful when using your favorites in the future, especially if you see a
favorite you do not recognize.
Go to 'Dialup
Networking' and make sure that only your own connection
with its proper local phone number is listed there. Delete any strange listings,
inserted by dialers.
Then run a
virus checker, Ad-Aware, Spybot, and any other scans you happen to have. (Make
the scanners are very recently updated).
the Recycle Bin, and also the cache again, if you have used the
browser since emptying it.
do it all again until you are satisfied you got it all, and that the machine still works.
Some of these things re-install themselves or try to access the internet when you try to
kill them. If necessary, hunt them down if you can, (using search for files and
folders), and delete their folder. Some nasties protect their files and it is
necessary to use DOS to get at them. You may need help in such cases.
the hard drive for errors and defrag (accessed from My Computer | Drive C |
Properties | Tools).
I don't care what they say, I use it on XP. Works for me, but YYMV.
Visit Windows Update
and do all the critical and driver updates. This can take a while and several
Make sure your
protection is set up correctly. (Check out the advice on the
main security page).
Be careful in
A horror story
(from Saturday 20 December 2003)
I was checking my web logs this morning and noticed that I
had visitor referred from a link on a site with which I was unfamiliar. I clicked on the
link and was surprised to see an install message that appeared to be certified by a Chartered
Accountant firm, accompanied by a message that I needed to install the add-in to view the
wrote about such things just the other day in my
security advice page, and, since I was not expecting a download, I said "no", and then
got another series of messages with only an 'OK' button only. I clicked the 'X' system
button in the upper right corner to kill each one in turn.
Then a download dialogue showed up again. I clicked the
'cancel' button, and the thing went away, but not without opening several porn pages, which I
I think it is all gone now, and scans show no problems,
but this is an example of how tricky these guys are, and how they try to install trojans, key
loggers, hijackers, and more on your computer. Unless you are persistent and smart, they
will get you. I think that, if I had clicked. "Yes", that PestPatrol, running in the
background on my computer, would have warned me to stop the download -- if I had time to do
so because some such downloads only take a second, but, nonetheless, there was an attack on
my computer that many people would have fallen for. WinPatrol would
have hopefully allowed me to reverse the changes.
Naturally, I felt violated, and have kept an even closer
watch fro problems since.
A cleanup story
(from Wednesday 25 February 2004)
I was up off and
on during the night working on a computer that had been dropped off here by a friend. I used
the software listed on my security page and found
at least six viruses and trojans with my first sweep, as well as about 10 dialers or
references to dialers. Then if found over fifty pests with the next program, and another
dozen or more with a third. I had to drop into DOS to kill one particularly nasty bug
that had protected its files in Windows somehow, and also manually delete a dialer connection
from 'Dialup Networking'.
took about six hours of downloading, since I am on dialup. The connection got dropped at one
point and I found the 'disconnect when inactive] setting under 'modem' was set at 20 minutes. I unchecked that
feature so things would proceed without hanging up again. I thought that I got pretty well
all of the garbage off the machine, but noticed that I was getting a virus warning on boot.
The offending file was in a 'system restore' folder, however and is
harmless unless I decide to restore, but could be killed by turning off
'system restore', then immediately turning it on again. .
The computer had
been used on the Internet with no protection: no firewall, and no virus checker. In no time
it had been plugged up with dangerous software that had come in via various routes. The most
obvious symptoms were the flashing porn on the screen, I am told, (I did not see that, since
I cleaned the machine immediately on bootup) and several large phone bills from the 900
number(s) the computer had dialed, unbeknownst to its owner.
protection of a firewall or virus checker, malicious attackers use various tricks to hijack
machines. Cleaning these machines up can be a big job. Actually, the best solution is often
to wipe the hard drive and re-install the operating system, then immediately install and
update the firewall and virus protection, then update Windows® before it gets infected again. This
can be a bit difficult, since it may be necessary to download the virus software from the
Internet, and there is a small risk of some 'exploit' coming in during the process!
that approach would have made sense here, since the machine has not seen much use and had no important
But I like a
challenge, and I had some fun.
Another Cleanup Story
(from Tuesday 23 December 2003)
A friend brought over a computer that had been hijacked by
a popup that looked like an innocent MSN message, but, when clicked, set his home page to a
porn site and ran unstoppable picture shows. I spent some time studying up on the problem
before he came over, to be ready for the repair, but the the actual cleanup turned out to be
easy -- other than that fact that the machine hardly ran at all, and I had long
waits between clicks.
To fix it, before I even ran the browser, I simply opened the Internet
options from the Control panel and changed the home page back to MSN, and deleted all the
history and deleted the caches. The cache was huge, and I cut it down to
25 megs to speed
things up. After that, I updated Ad-aware and ran it, finding 83 pests and an exploit, which
Ad-Aware removed. When I opened the browser, no bad stuff happened, so I guess this was not
the really persistent type of hijack exploit that requires drastic measures to eliminate.
The system had not been defragged, updated, or checked for
errors for 590 days, so I defragged several times and updated Windows. There were about 20
updates backlogged, so that took about 10 hours and numerous reboots. The machine, which ran
slow and was totally unresponsive when it came in the door, now runs quite well, but when I
turned of the swap file to defrag it, I learned that it lacked enough memory to run without
swapping, even on boot up with nothing running! A quick check revealed only 64 megs! Time
to get some memory. I saw 512s at Costco the other day for about $100, if I remember
correctly. This machine needs older memory, though, and if I can find it, it should be dirt
cheap. 64 megs would double what it has.
One More Tale
(from Jan 04)
I heard that a friend saying his computer got hijacked and
was flashing porn at him. Moreover, a 'dialer' had installed itself with his knowledge and
had called out to a 900 number, resulting in a $75 phone bill. He is hoping that he caught in
time and that this month's bill won't be even higher.
When I got home, I continued some earlier reading on
security, and came across www.webroot.com and
tried their scan. It quickly sorted my favorites according to their categories and I was
surprised to find, among more likely subjects,
Adult/Mature Content (2 URLs)
Personals/Dating (1 URL)
Pornography (7 URLs)
Files with Profanity (0)
Well, I don't visit porn sites and have no interest in
dating, but I have found myself at one at least once when doing an innocent Google search for
some unrelated topic. What some porn purveyors do, is take over expiring legitimate domains
when the owner accidentally fails to renew them on time, and put up a dating or porn site at
that URL. People expecting to go to the old site, find themselves unexpectedly at the new
site, and, unless they have high security settings, a script there can add the URL to their
favorites without their knowing it.
In past times, I used lower security settings.
After all, no one
realized what this net would come to, and this must have happened. I carry my favorites from
old machine to new machine, so who knows when I picked them up, or if the sites were once
non-porn? Anyhow, these days, traces of porn on a computer is not definite proof that the user has been
deliberately visiting porn sites.
More ideas on the
security advice page. This page is a supplement to the main security page, which
should be consulted for more detailed info.
Use this information at your own risk.
Of course, I can't give you any
They say that free advice is worth exactly what you pay
I hope these pages are an exception, but even the pros don't have 100% success and new threats come
out of the blue with great regularity. A few years ago, all this nonsense and nastiness
we combat daily was not even imagined.