How To Get Rid Of Computer Viruses.

(Written September 2004)

Before you even begin working on getting rid of the viruses on your computer, you need to ask yourself how you got infected in the first place. If your computer is adequately protected, the chances of your being infected are slim. You should never connect to the Internet or use anyone else's data without being protected by both a personal software firewall and up-to-date antivirus software. Once your computer is adequately protected, you can still be infected if you ignore your computer's warnings. If your antivirus program warns you about an infected file and you allow it anyway, it's your own fault. If you click on a hyperlink with an unknown extension, it's your own fault. If you download files and open them without first scanning them for viruses, it's your own fault. And if you let anyone use your computer in anything other than a limited account (see Control Panel/User Accounts), it's your own fault.

Removing Computer Infestations

But you didn't begin reading this for me to badger you. You want to know how to get rid of the blasted viruses. The easiest and most successful way is to reformat your hard drive or use your system recovery disk. For most people, this will be the option of last resort. If you are willing to go through a great deal of pain, you can probably clean the infection yourself. It may take a while, longer perhaps than the more drastic (and sure) step of reformatting or system recovery, but with care and patience you should eventually be successful.

Most computers sold today have antivirus programs installed. Sometimes people let the subscriptions lapse. Other times they never update the programs. If this is your case, you will likely now be unable to connect to their website, as most viruses block access to both the antivirus programs themselves and their vendors' websites. Most computers sold today do not come with any software firewall other than that provided by Windows XP. This firewall does not secure outbound communications, so once you are infected your computer becomes a node in someone else's spam/pr0n/bootleg/hacker network. You will likely be unable to connect to any website offering firewall software, as the viruses block access. We'll fix that later.

If you have gotten this far, you know your computer is infected with a virus. If you know that, you should have written down the name of the virus. Connect to the Internet and do a search on the virus name. It may tell you what it does and which file names you should look for. Open the Task Manager (Control-Alt-Delete) and look at the active processes. Write down the names of the ones you are unfamiliar with, then do a little more research to find out what they are. One way to do this is with Process Explorer, a free download from Sysinternals that is referenced in the Microsoft Knowledge Base. Another way is just to Google the process name and view the results. You can also use sites such as Pacman's Portal: Startup Tips and AnswersThatWork.com: Task List Programs to find out which active processes are viral and which are not.
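The process triage described above can be done in one pass instead of by hand. This is an added example, not part of the original article, written for Windows PowerShell 5.1 or later (it will not run on the Windows XP machines the article was written for); it lists every running process with its image path and Authenticode signature status, and flags the ones worth researching by name: no image path, an invalid or missing signature, or an image running from a user-writable folder.

```powershell
# Added example: list running processes and flag the ones a person should look up.
# Assumes Windows PowerShell 5.1+ on Windows 7 or later. Run as the user whose
# session you are checking; run elevated to see the paths of system processes too.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

$report = Get-CimInstance Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig  = 'n/a'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }

    $flags = @()
    # PID 0 (Idle) and PID 4 (System) never have an image path; skip them.
    if (-not $path) {
        if ($_.ProcessId -gt 4) { $flags += 'no image path' }
    } elseif ($sig -ne 'Valid') {
        # Unsigned is not proof of anything (much older software is unsigned),
        # but it means the name must be checked rather than trusted.
        $flags += "signature: $sig"
    }
    foreach ($dir in $userWritable) {
        if ($path -and $path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags += "runs from $dir"
        }
    }

    [pscustomobject]@{
        PID    = $_.ProcessId
        Parent = $_.ParentProcessId
        Name   = $_.Name
        Path   = $path
        Flags  = ($flags -join '; ')
    }
}

# Flagged processes first; those are the names to write down and research.
$report | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize
```

Check the flagged names against Process Explorer or the sites named above before ending anything; the script identifies what to research, not what to kill.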

The Task Manager networking tab will show you how much of your bandwidth is in use. It is not unusual for someone with a dialup account to find that 80-90% of their bandwidth is in use by rogue programs. While this information doesn't help you get rid of these infestations, it will help you determine if and when you've successfully cleaned your system.

The latest viruses don't allow the antivirus programs to work properly, often knocking them offline. As mentioned earlier, sometimes they won't allow you to access antivirus or firewall websites. Using the task manager to end processes may end the active viral process long enough to allow you to download the virus cleaner program for your specific infection. These are not perfect, and will often not remove the entire infestation, but will start the process. Once you do that, you may be able to get your antivirus program online long enough to run a scan. The scan and clean will often not remove the entire infestation either, but will get you that much further along.

If you have a second, uninfected computer with an open drive bay slot, remove your hard drive from your infected machine. Change the jumper settings to either cable select or slave, then install it into the second machine. Run your antivirus scanner, and let it clean any viruses it finds. Even with the best antivirus program, you will probably not clean them all. Antivirus programs are designed more to block infections than remove them. You'll need to do more---much more---to be sure you have eliminated the threat.

Reboot your computer into Safe Mode with Networking. Safe mode opens your computer with a minimum of drivers, and most of those are the generic Windows drivers. This should prevent viruses that masquerade as drivers from loading. Connect to the Internet and search for an "online antivirus scanner." One I've used is from Trend Micro, currently at http://housecall.trendmicro.com/. Another good one is from Panda, currently at http://www.pandasoftware.com/activescan/com/activescan_principal.htm. (The Panda online scan would not run on one of my Windows XP machines with Service Pack 2 installed---I don't know why.) Other free online scanners exist, and are probably very good, too. Be sure you use an online antivirus scan that actually cleans the virus, not just notifies you of the problem---you already know you have a problem. If you were not able to access your antivirus program's website before, you should be able to do it now. Download the virus cleaner for your specific infection, if known, and run it. This may not clean everything, but every little bit helps.

Once you've run one online antivirus scan, download and install both Lavasoft AdAware and Spybot S&D. You'll want to download the latest detection updates for Spybot; follow the instructions to install the detection updates. Run Lavasoft, deleting all known spyware. (Some programs you might like are listed as spyware. It is your choice as to whether or not to keep them. Also, some spyware is bundled into freeware programs you like and use, and disabling/removing the spyware will also keep the freeware program from functioning.) Run Spybot, deleting all known spyware. (Previous caveats still apply.) Now immunize your system, being sure to put check marks in the blocks for Resident SD Helper and Tea Timer. (For an explanation of what Spybot Immunization actually does, see this posting.)

Once you have removed all spyware and immunized your system, run another online scan---this time a different one from a different company. Antivirus detection and removal is something of a black art, especially with polymorphic viruses that randomly change their viral signature, so one company's scanner may find something the other missed. When the scanner begins to remove any viruses you find, the Spybot resident protection will pop up and tell you a program is attempting to make a particular change. You will be asked to accept or deny the change, and to click a check box to make your decision permanent. You want to accept the change, and for the change to be permanent.

Now you can reboot into Windows. Check your task manager to see if any rogue processes are running. Check your networking tab to see if your bandwidth is still being eaten up. Check to see if your firewall and antivirus programs are running. If everything looks good at this point, you may be home free. To be safe, run another antivirus scan. If everything comes up clean, great. If not, and the program still is unable to clean all the viruses, then you are pretty much done. Your only option at this point is to reformat your hard drive or use the system recovery disk.

Reformatting and System Recovery

The easiest way is simply to reformat your hard drive. This will "kill" the infection, but you'll lose all your data files and have to reload your software. You can mitigate the effects of this by backing up all your data first. Move your "My Documents" folder out of your profile and into a subdirectory on your hard drive. Back up your email the same way. Now burn them to a CD, if you can. Most new computers come with a system recovery disk that returns the computer to its original state. Older software would eliminate everything that wasn't original. The newer software may protect some of your system, replacing mainly the operating system and just the software that came with the computer, but leaving everything else alone.

Do not connect to the Internet at this point. First, make sure your antivirus and software firewall are working. If you don't have a software firewall, at a minimum you should activate the Windows XP firewall. (The Windows XP firewall is barely adequate, so you should replace it with something better immediately.) Once you are sure you are protected, you may connect to the Internet. Do not, under any circumstances, use your email program at this point. Now load all available updates to both your antivirus and software firewall. Once you have accomplished this task, and verified both your antivirus and software firewalls are still functioning, you may check your email. You will have to reload programs that didn't come with your computer, mainly to get them into the registry, and into the Start/Programs folder.

Updating Your System

One reason people's systems get infected is that they haven't patched their systems. I helped clean one family's computer which hadn't been patched since it was purchased three years ago. Even using broadband, it took quite some time to download and install the several hundred megabytes worth of patches.

Use the Windows Update site to check your system for patches. Download and install all critical patches and hotfixes. At this point you don't have to install the optional components. Take a look at them, though, and install the ones you might need. (You don't need the .NET pack, you probably don't need the Journal Viewer, and you probably don't need the CD HiMAT support, for example.) If the system prompts you to install Windows XP Service Pack 2, DON'T DO IT! At least, not yet.

Go to your computer manufacturer's web page and look for the support for your system. Often they'll have a link to information about preparing your system for Windows XP Service Pack 2. Follow their instructions, installing all available fixes. You should also take this opportunity to download and install the latest drivers, especially if you haven't done so in a while. Pay particular attention to your video drivers, as these are often the most sensitive and failure prone.

Once your system has been updated---once you have installed all the updates recommended by your system manufacturer and the latest driver updates---you can return to Windows Update and install Service Pack 2. Whatever else you may hear, it is a significant security improvement over Windows XP. In fact, it is more than a simple bug fix---it is almost like installing a new operating system. Many things work differently. Many of the security enhancements that were planned for Longhorn, the successor to Windows XP, found their way into Windows XP SP2. It takes some getting used to, as some things are blocked that used to happen without your knowledge (running ActiveX scripts, for one), but if you pay attention you'll be much less likely to get infected again.

Final Thoughts

A computer is not like a Toyota. A computer will not run for weeks, months, even years with little or no maintenance. A computer is more like an old Jaguar; it requires constant attention and tinkering to keep it running smoothly. It has likely been several days now since you started the process of eliminating your virus problem, unless you don't have a life and sat at your computer for hours on end. To extend the automotive metaphor, you just rebuilt your computer's engine. It has been a long and arduous process, and you want to prevent this for as long as possible. Here is how.

  1. Create a password-protected Administrator account. Never use this account for ordinary computing. If you have to install something, do it from this account, then switch back to a limited account.
  2. Each user account should be a limited account, which prevents the installation of most programs.
  3. Set your antivirus and firewall program to automatically update themselves.
  4. Always update your antivirus program before you open your email program.
  5. Maintain your antivirus and firewall subscriptions. The money you'll pay is worth it in the long run.
  6. Use the Automatic Update feature of Windows. If you are not technically proficient, then set it to download and install updates automatically. If you are technically proficient, then set the Automatic Update feature to automatically download the updates, but don't install them until you tell it to.
  7. While Norton AntiVirus regularly is an editor's choice, I suspect this is because they spend so much money on advertising. Many computers also come complete with a temporary Norton Antivirus subscription installed. But anecdotally it appears that Norton provides incomplete protection. I personally choose to use something else.
  8. Finally, the standard statements apply. Don't install a program unless it is from a trusted source. Scan all files you download from the Internet. Update your antivirus program daily. Scan your computer weekly. Don't open emails from unknown sources. Don't open email attachments until you scan them, and perhaps even call the sender to make sure they intended to send it. Don't click on hyperlinks in emails, especially if they have multiple extensions, (.doc.vbs).
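Items 1 and 2 of the list above (one password-protected maintenance administrator, everyone else in a limited account) can be set up and audited with a short script. This is an added example, not from the original article; it uses the LocalAccounts cmdlets, so it assumes Windows 10 / Server 2016 or later and an elevated PowerShell, and the account names are placeholders.

```powershell
# Added example: enforce the account layout the article recommends.
# Assumes an elevated PowerShell 5.1+ on Windows 10 or later. Names are placeholders.
$AdminName     = 'MaintAdmin'        # used only for installs and maintenance
$EverydayUsers = @('alice', 'bob')   # accounts people actually log on with

# 1. Create the maintenance administrator if it does not exist. The password is
#    prompted for rather than written into the script.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $AdminName"
    New-LocalUser -Name $AdminName -Password $pw -Description 'Installs only' | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue

# 2. Make every everyday account a limited account: member of Users, not Administrators.
foreach ($u in $EverydayUsers) {
    if (-not (Get-LocalUser -Name $u -ErrorAction SilentlyContinue)) {
        Write-Warning "Account '$u' does not exist; skipping."
        continue
    }
    Add-LocalGroupMember    -Group 'Users'          -Member $u -ErrorAction SilentlyContinue
    Remove-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction SilentlyContinue
}

# Audit: anything left in Administrators besides the maintenance account (and the
# built-in Administrator, which this script deliberately leaves alone) deserves a look.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notlike "*\$AdminName" } |
    Select-Object Name, PrincipalSource
```

Rerun the audit block after installing anything: installers that ask to "run as administrator" sometimes leave the everyday account elevated.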