Cleaning an Infected Windows PC. Final Thoughts
That is the overall process for cleaning an infected Windows PC. There are a few finer points, but, in general, you just need to do away with the operating system.
If you come across an infected Windows PC, just reinstall Windows. As I say to my clients, just wipe and reload: if you have pictures – OK, we will add data recovery. If you do it with data recovery, you know that you are giving your client a computer that works properly. If you try to get rid of the viruses, you never know whether it is going to be a 100% success.
As for me, I am a bit of a perfectionist in this regard: I try to give my clients back an operating system that meets the gold standard. The system I give back is going to keep running until something that has nothing whatever to do with the resolved problem causes a crash. So, if they bring their computers back to me, it is going to be for something entirely different; I am not going to fix a virus problem and then fix it again the next week.
There are a lot of technicians who would disagree, saying Eli does not know what he is talking about and that they can clean viruses, no problem. To an extent, they are correct. You can clean viruses out of a computer and make it function properly 80 to 90% of the time, which may sound pretty good, a success for a newbie who has cleaned only a few computers in his entire life.
Well, if you have been in this business for a long time and all you do is deal with computers every day, having 1 or 2 computers out of every 10 fail becomes a significant number, a problem. If you are a consultant running with your own toolbag and charging 100 bucks per hour, and 1 out of 10 times you fail to fix the problem, that means 1 out of 10 clients is going to quarrel with you, and that is going to be bad.
The suggestion is to wipe and reload if you have a virus, especially if you are a consultant.
If time is more or less free to you, if you are working on your own system, or you are an employee who is going to get your salary anyway, you can go and try to clean the infection. Please note that it is going to take a long time; the scans, updates, etc. take a long time. Even if everything goes OK, cleaning the virus takes 1 to 2 days, and that is if absolutely everything goes OK.
If things go badly, I have seen my employees struggling for a few weeks and still not having the problem fixed. So, the first thing to do is wipe and reload whenever possible. If you cannot wipe and reload, go and try to fix it. When you start this, it is good to come up with a checklist, even if it is your first time, and even if you are dealing with a server.
So, write down the list: Windows Updates, Spybot Search & Destroy, and so on; write everything down and check it off as you go through the process.
Again, cleaning a computer may take a long time, up to two weeks. That means it is easy to forget what you have already done and start repeating steps. Like anything else, this wastes time, so come up with a checklist.
The next thing is that you need to know when you are going to pull the plug on the system; even if you have all the time in the world, even if you are a 40-hours-a-week employee with no other work to do, you still have to know when you have put too much effort into the project. Whether you give it one day, two days or five weeks, no one can tell you what your limit should be, but you do need to come up with one. If you do not come up with a limit, you are going to work on the system for a year. Do you think that is a joke?
When you start working on the computer, you should be able to boot it up and, hopefully, it will function well enough in normal mode for you to start working on it. If it does not, you will need to boot into what is called Safe Mode. Basically, you boot up the computer and hit F8 at the BIOS screen. There will be a number of options for how to boot the computer, and you can go with Safe Mode. In that mode you will be able to work on the computer, because Safe Mode only starts the processes and services needed just to get it up and running, the bare minimum.
Many times, when you cannot work in normal mode, you can work in Safe Mode. In that mode you can use the tool called MSConfig: go to Start, select Run, type MSConfig, and reboot the computer afterwards. This allows you to disable startup processes so that only those you need remain. When you run antivirus or antimalware scans, this gives you a minimum number of processes, though still more than in Safe Mode.
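As an added example, not part of Eli's class, here is a PowerShell script that does the "write everything down" step for the startup items MSConfig lets you disable: it inventories the Run/RunOnce keys, the Startup folders and automatic services, saves a snapshot to CSV, and compares two snapshots so your checklist shows exactly what changed. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the snapshot file name is my choice.

```powershell
# Added example, not part of Eli's class: take an inventory of the autostart
# locations that MSConfig lets you disable, save it as a snapshot, and compare
# snapshots later so the checklist shows exactly what changed.
# Assumes Windows PowerShell 3.0 or later, run from an elevated prompt.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-AutostartInventory {
    $items = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $items += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $items += [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
    # Services set to start automatically are startup items too.
    foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
        $items += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName }
    }
    return $items
}

function Save-AutostartSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-AutostartInventory | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-AutostartSnapshot {
    param([Parameter(Mandatory)][string]$BeforePath, [Parameter(Mandatory)][string]$AfterPath)
    # '=>' marks entries that exist now but not in the earlier snapshot: new autostarts.
    # '<=' marks entries you have removed since then.
    Compare-Object -ReferenceObject (Import-Csv $BeforePath) -DifferenceObject (Import-Csv $AfterPath) `
        -Property Source, Name, Command
}

# Usage: snapshot before you start, snapshot again after each cleanup step, then compare.
$desktop = [Environment]::GetFolderPath('Desktop')
Save-AutostartSnapshot -Path (Join-Path $desktop 'autostart-before.csv')
Get-AutostartInventory | Format-Table -AutoSize
```

Run it once before you touch anything, again after MSConfig and each scan, and keep the CSVs with your checklist; a `=>` line in the comparison after a step is something that came back on its own, which is exactly the kind of thing that is easy to lose track of over two weeks.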
Once you put a computer on the bench, you need to secure it to ensure that nothing gets worse than it is now. Again, the nice thing is that if it is your personal computer, or you are an employee, you are most likely to catch the problem while it is very new: somebody will have a problem, you will have a problem, and you will immediately know you have a virus. So, you can do a System Restore, which basically restores the computer to its configuration from before the virus happened. You still need to do the virus scan and the rest of the process, but if you can get the PC back to a state before the virus got really bad, you have a better chance of cleaning up the virus you are working on.
If you try to clean the virus when it is really entrenched in your computer, that may be really hard, but if you can get the PC back to the state of a couple of days before the virus got really entrenched, that can really help you clean it out a lot quicker.
When putting the computer on the network, the suggestion is to secure it on its own little DMZ, its own private network, and have the router connected to OpenDNS. DNS, the domain name service, is what resolves domain names into IP addresses, e.g. CNN.com into 126.96.36.199. These little viruses phone home based on domain names, not IP addresses. So, using OpenDNS can block some of these malicious or bad domains so that your computer cannot phone home. That can be a way to keep the infection from spreading on your computer.
The next thing is that you need to change, or at least set, the password on your computer. A lot of people have a blank password on the Administrator account, which enables scripts to do a lot of stuff on your PC and really mess it up. So, a password is going to stop viruses from doing more damage to your computer.
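As an added example, not part of Eli's class, the following PowerShell script does the two "secure it first" steps on the bench PC itself: it points the machine's own DNS at OpenDNS (the class puts this on the router; doing it on the PC also covers a box that is sitting on its own little network with no router of its own) and audits the local accounts for the blank-password problem. It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets, Windows 10 / PowerShell 5.1 for Get-LocalUser, an elevated prompt, and that the two addresses are OpenDNS's published resolvers; check them against OpenDNS's own site before relying on them.

```powershell
# Added example, not part of Eli's class: point the bench PC's own DNS at OpenDNS
# and audit local accounts for blank passwords.
# Assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets, Windows 10 /
# PowerShell 5.1 for Get-LocalUser, an elevated prompt, and that the two addresses
# below are OpenDNS's published resolvers (check them against OpenDNS's own site).

$OpenDnsServers = @('208.67.222.222', '208.67.220.220')

function Set-BenchDns {
    param([string[]]$Servers = $OpenDnsServers)
    # Only physical adapters that are up; leave loopback and virtual adapters alone.
    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    foreach ($a in $adapters) {
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Servers
    }
    Clear-DnsClientCache
    # Return what is actually configured so you can verify the change took.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $adapters.ifIndex -contains $_.InterfaceIndex } |
        Select-Object InterfaceAlias, ServerAddresses
}

function Get-WeakLocalAccounts {
    # Enabled accounts that are not required to have a password are the ones a
    # script running on the box can abuse most easily; Administrator is the usual one.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, Enabled, PasswordRequired, LastLogon
}

function Set-LocalAccountPassword {
    param([Parameter(Mandatory)][string]$Name)
    # Prompt rather than hard-code the password in the script.
    $pw = Read-Host -Prompt "New password for $Name" -AsSecureString
    Set-LocalUser -Name $Name -Password $pw
    # Flip the "password required" flag too, or the account stays weak on paper.
    net user $Name /passwordreq:yes | Out-Null
}

Set-BenchDns
$weak = Get-WeakLocalAccounts
$weak | Format-Table -AutoSize
foreach ($acct in $weak) { Set-LocalAccountPassword -Name $acct.Name }
```

The DNS function returns the effective server list per adapter so you can see that the change actually applied; the account audit lists every enabled account that is allowed to have no password and then prompts you for a new one for each, which is the "change or at least set the password" step done for every account rather than just Administrator.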
Another thing is that you need to adjust the settings for Internet Explorer (IE), which is more than just a browser on a Windows computer. This goes back to the big lawsuit in the 90s, when Microsoft argued that IE was an inalienable part of Windows. Well, in today's world IE affects more than your web browser; it affects how you update your computer and a lot of other things. If you want to reset its configuration, you open IE, go to Tools, Internet Options, the Advanced tab and reset IE, which puts everything back.
After you do that, you want to uninstall all the crapware, antivirus software, tune-up software, any security software installed on the computer. All these pieces of software can actually cause problems. So, you are going to get rid of all the toolbars, antispyware stuff, Java games, all the garbage that people put on a computer. You also need to get rid of the security software as it is right now. The reason is that security software may be corrupted and, especially with clients and even employees, people often install a stupid amount of security software on their computers: multiple AV products, five different types of tune-up software, etc. All of these pieces of software change the configuration of your computer. That is sometimes good, sometimes bad. Sometimes the changed configuration causes problems on your computer.
The suggestion is to have one piece of software for each job: one antivirus, one antimalware program, one firewall. I suggest:
– Microsoft Security Essentials for antivirus;
– Spybot Search & Destroy for spyware protection;
– Windows Firewall for firewall.
Again, if your security software causes more problems than it solves, then it is really not any better than a virus. Have only one piece of antimalware software on your computer. You can technically have more, multiple tune-up programs, but AV software will attack AV software, and that may crash the system. McAfee will attack Norton, Norton will attack Kaspersky, Kaspersky will attack Panda; it can cause all kinds of havoc. AV software, again, is like condoms: one is good, two do not work so well.
When you are going to uninstall AV software, sometimes it is just not going to uninstall properly. So, remember the removal tools; Norton is huge for this. I have used the Norton removal tool hundreds of times, literally: I tried to uninstall Norton and it failed in the middle for some reason. So, you just use the Norton removal tool and it will rip out Norton, or use the McAfee removal tool and it will rip out McAfee, the same for Kaspersky, Panda, etc.
When you try to get rid of crapware on the PC, sometimes you will not be able to uninstall toolbars from the Windows uninstall wizard. They just will not allow it for some reason. So, you go to Program Files, find where the application is installed, and from there you are many times able to uninstall it by simply running the uninstaller. Basically what goes on is an attempt to hide the uninstaller from you, but it is still available. They technically do not break the law; again, it is a pain in the butt, but that is how it works.
Sometimes you will not be able to uninstall software cleanly no matter what you do, so in that case you will have to rename the folder where the application is installed. So, if you have, let us say, a FreezeBox toolbar, you boot the computer into Safe Mode, go to Program Files, find the FreezeBox toolbar folder and rename it to “FreezeBox Toolbar Old”. The reason is that when the application tries to go to its original folder, that folder name has changed, so it is not able to start. Therefore, the application will not start.
Again, after that you are going to do a basic tune-up of the computer: remove all temp files, defragment the Registry, and disable startup items. The big thing is to clean the temporary files, because if you run a scan it will inspect the temp files as well, and if you have 50GB of these, that will take quite a while. Is there any point in that? No, so delete the temp files. Then you do not waste time.
Defragmenting the Registry is another good idea, and disabling startup items helps you avoid a lot of issues, as it may prevent malware from running.
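As an added example, not part of Eli's class, here is a PowerShell script covering the crapware and tune-up steps above: it finds the uninstaller that a toolbar hides from the Windows uninstall wizard (first from the registry's Uninstall entries, then by looking under Program Files), sidelines a folder that will not uninstall by renaming it with the "Old" suffix, and measures and clears the temp folders before you run a scan. It assumes Windows PowerShell 3.0 or later and an elevated prompt; "FreezeBox" is the class's made-up toolbar name, not a real product.

```powershell
# Added example, not part of Eli's class: find the uninstaller a toolbar hides from
# Programs and Features, sideline a folder that will not uninstall, and measure and
# clear the temp files before you run a scan. Assumes Windows PowerShell 3.0 or later
# and an elevated prompt; "FreezeBox" is the class's made-up toolbar, not a real product.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-Uninstaller {
    param([Parameter(Mandatory)][string]$NamePattern)
    # The registry keeps the uninstall command even when the entry is hidden from the wizard.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString
}

function Find-UninstallerOnDisk {
    param([Parameter(Mandatory)][string]$FolderPattern)
    # Fallback: look under Program Files for the uninstaller executable itself.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($dir in Get-ChildItem -Path $roots -Directory -Filter $FolderPattern -ErrorAction SilentlyContinue) {
        Get-ChildItem -Path $dir.FullName -Recurse -File -Include 'unins*.exe', 'uninstall*.exe' -ErrorAction SilentlyContinue |
            Select-Object FullName
    }
}

function Disable-StubbornFolder {
    param([Parameter(Mandatory)][string]$Path)
    # Renaming breaks the hard-coded path the application starts from. Do it from
    # Safe Mode, when the application is not running and its files are not locked.
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such folder: $Path" }
    $newName = (Split-Path $Path -Leaf) + ' Old'
    Rename-Item -LiteralPath $Path -NewName $newName
    Join-Path (Split-Path $Path -Parent) $newName   # returns the new location
}

function Get-TempFootprint {
    # Size of the usual temp locations in MB, so you know what a scan would wade through.
    $paths = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $sum = (Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Path = $p; MB = [math]::Round(([double]$sum / 1MB), 1) }
    }
}

function Clear-TempFiles {
    # Files that are in use are skipped; the point is to get the bulk out of the scan's way.
    foreach ($p in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
        Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Find-Uninstaller -NamePattern '*FreezeBox*'
Find-UninstallerOnDisk -FolderPattern '*FreezeBox*'
Get-TempFootprint | Format-Table -AutoSize
```

Run `Get-TempFootprint` before and after `Clear-TempFiles` to see how much the scan no longer has to wade through; `Disable-StubbornFolder` is the last resort from Safe Mode, and it hands back the new folder name so you can note it on the checklist.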
Also, do all the updates for your computer: update the Windows operating system, Office, etc. Do all updates for Java, Adobe Reader, Flash, QuickBooks, iTunes. A lot of these viruses look for weaknesses in various pieces of software. Many times all you have to do is update your computer and you are fine; all of these weaknesses simply go away. Even if a virus technically stays on your computer, it cannot do anything once there are no security holes anymore. You will be surprised how often updating fixes it.
Finally, you are going to install your antivirus software, antimalware software, etc., and immunize the system. Again, you do not want to use something called Registry Guard, or its counterpart in Spybot called TeaTimer, or any of those registry protection programs, because, again, they can cause you more problems than they solve. All you will see is pop-ups on your screen saying “WGook is going to do WGook. Do you want this to happen?”
If you hit No, but it should have happened, that can cause you more problems than the viruses do.
Once you have installed the AV software and all of that, you just run the scan, run and run until, hopefully, you clean up the computer. If you do not get the computer cleaned, then the real work starts.
Then ComboFix is a very good tool to try; Bleepingcomputer.com is where you can download it. It will fix things when Task Manager grays out, Control Panel does not seem to exist, etc., as well as try to combat malware and viruses.
Malwarebytes is another good tool with a free trial. That will help with nasty little spyware, malware and all of that.
If that does not work, just do a Google search for, say, the Task Manager graying-out problem, by asking Google: “My Task Manager is graying out.” And then you google for the rest of the solutions, e.g. how to disable specific registry keys. This can be horrible, but at that point it is really all there is.
So, that is basically what you need to clean your PC. We do not do any demos, because this stuff changes all the time. There are classes available for such topics as Spybot and OpenDNS, but these technologies and tools change. So, this class is general; it is going to be used for years, and therefore it does not contain any specific instructions that are likely to become obsolete quickly. It is meant to make you think about the process of cleaning up a computer and figure out the way you are going to do it.
The final thing is, if you have a server infected with viruses and you simply do not have the software to replace it, before proceeding make sure you have made a backup of the system, especially if you work for a client, because you do not want the operating system to crash for some other reason later. If you have no operating system disk or software disks and it crashes, it is going to be bad. Make sure you back up the system so you have something to go back to.
Then, if it is still infected with viruses, you will simply have to lock down the system as much as possible. That is, if you have a server that is doing something on your network but is infected, and you cannot just wipe everything out, just start locking it down:
– install a firewall to keep it from doing something stupid on the network;
– create a User account (not just Administrator) so that new applications cannot get installed.
Basically, if that system has to keep running, all you can do is lock it down so that the virus cannot get any worse. Just try to keep it running as closed down as possible. Make a user account, make sure that Internet Explorer is not infected, put Google Chrome or Firefox on there. Basically, you just need to work around it and realize that at any time the entire computer may just go kaput. That is why you need to make a backup, so that when the computer goes kaput, you can get back.
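As an added example, not part of Eli's class, here is the lock-down for a server you cannot wipe, done in PowerShell in the order the class gives it: back it up first, turn the Windows Firewall on for every profile with logging of dropped traffic, create a standard (non-Administrator) account for day-to-day use, and check that the lock-down holds. It assumes Windows Server 2012 or later with the Windows Server Backup feature installed (for wbadmin), PowerShell 5.1 for the LocalAccounts cmdlets, an elevated prompt, that E: is a hypothetical backup drive, and that "dayuser" is a made-up account name.

```powershell
# Added example, not part of Eli's class: the lock-down for a server you cannot wipe.
# Back it up first, turn the Windows Firewall on for every profile with logging,
# and create a standard (non-Administrator) account for day-to-day use.
# Assumes Windows Server 2012 or later with the Windows Server Backup feature
# installed (for wbadmin), PowerShell 5.1 for the LocalAccounts cmdlets, an elevated
# prompt, that E: is a hypothetical backup drive and "dayuser" a made-up account name.

function Backup-SystemState {
    param([string]$Target = 'E:')
    # -allCritical captures every volume Windows needs to boot, which is what you
    # restore from when the machine finally goes kaput.
    $wbArgs = @('start', 'backup', "-backupTarget:$Target", '-allCritical', '-quiet')
    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

function Enable-HostFirewall {
    # Firewall on for Domain, Private and Public; block inbound by default and log
    # dropped packets so you can see what the infected host is trying to do.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
}

function New-StandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # A member of Users but not Administrators cannot install software system-wide.
    $pw = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-LocalUser -Name $Name -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $Name
    Get-LocalUser -Name $Name | Select-Object Name, Enabled, PasswordRequired
}

function Test-Lockdown {
    param([Parameter(Mandatory)][string]$Name)
    # True only if every firewall profile is on and the account is not a local admin.
    $fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $admin = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$Name" }
    return (-not $fwOff -and -not $admin)
}

Backup-SystemState -Target 'E:'
Enable-HostFirewall
New-StandardUser -Name 'dayuser'
Test-Lockdown -Name 'dayuser'
```

The backup runs first and the script stops if it fails, so you never lock down a box you cannot get back to; the firewall log at the path shown is worth watching afterwards, since an infected server that keeps trying to reach out will show up there as dropped connections.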
That is the overall class on cleaning an infected Windows PC. It is really not recommended in general. However, professionals need to do it, so this class had to be done.
If you clean up a PC, it may work 80 to 90% of the time; that sounds really great until you are pushing out lots of computers, say, five PCs a day, which means nearly one computer a day will fail. So, you go back to the client, and that… just goes to hell.
This was the class by Eli the Computer Guy on fixing a Windows PC.