Cleaning up an infection

Some suggestions on how to recover from an infection to your computer.

So the worst has happened and, despite taking all of the usual precautions, your computer has become infected.  What do you do now?  Can you get back to normal?  How can you stop it from happening again?

Well, first and foremost, you have to accept that you may not be able to fully recover your computer; you may have to completely wipe it and start all over again.  At this point I hope you’ve been taking regular backups of any important files and that you know the passwords for any on-line accounts (more on this at another time).

I think I’m infected but I’m not sure…

It is not always easy to tell, and quite often an infection can go unnoticed for a long time.  Other times your anti-virus program (you do have AV installed, right?) will recognise and alert you to an infection but be unable to clean it up automatically.  Most often the infection falls somewhere in between, and there will be some indications that all is not well, such as sluggish performance, windows popping up at random, or security tools that refuse to start or update.

What makes it harder to spot an infection is that they are not all after the same thing: some sit silently in the background waiting for instructions, some quietly gather information like banking credentials, some lie dormant waiting for a specific event such as a predetermined date, and others get in your way with windows popping up trying to sell you something (fake AV is a common pitch, as some sort of twisted joke).

It’s not causing me any problems, can’t I just ignore it?

The tyres on your car might be worn bald but the car still drives, so would you ignore them?  You could choose to ignore these problems, but leaving them untreated increases the likelihood of a bigger problem down the road.

What might seem like a trivial little bug now can open the door to bigger bugs, each bringing its own raft of problems: a quiet little program that is only waiting for instructions will happily fetch whatever else its controller sends it.  It’s best to squash the bugs while they’re small, before they get too big and numerous to handle.

You’ve convinced me, what do we do?

It bears repeating that you may have no alternative but to wipe your hard drive and start all over again.

One thing that makes the clean-up job tricky is that not all infections are created equal: some are relatively harmless and easily removed; others make changes to your computer that may or may not be reversible; the worst will intentionally and irreversibly wreck your computer to render it completely unusable.

It’s also important to note that every infection is different, so the advice below is only meant to point you in the right direction; it is not a step-by-step guide and it does not guarantee success…

Be prepared…

First, back up any documents, photographs, videos, music and anything else that you’ve accumulated over the years.  I’ll draft an article soon on easy ways to back up your information, but for now any external storage will do: burn the files to a CD or DVD, or copy them to an external hard drive. !WARNING! The files that you are backing up here may be carrying the infection, so back up documents and media only (no programs, installers or anything you don’t recognise), and scan the backup with an up-to-date scanner on the clean computer before you open any of it!

Second, if you’ve been relying on your web browser to save your passwords for you, take a look at the list of stored usernames and passwords to make sure you know them all.  Make a list if you have to, but try to avoid writing down the passwords; perhaps a cryptic hint will be enough.  Of course, keep this list safe and destroy it as soon as you’re back to normal.  Bear in mind that anything the infected computer knew, saved passwords included, may already have been stolen, so plan to change them from a clean computer once you’re done.  This would also be a good time to make a note of any websites you use regularly, because if we have to wipe your computer you’ll lose any bookmarks/favourites/links.

Third, check that you have installation media and license keys for all of your software, or that you know where to find it again if you need to download it.  This includes your operating system!
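As an added example (not part of the original article), here is a small Python script that does the first step above with the warning built in: it copies documents, photos and media off the suspect machine into a folder on your external drive, leaves behind the file types Windows will run (and macro-enabled Office files), and writes a SHA-256 manifest so you can confirm on the clean computer that nothing on the backup drive changed before you open it.  The file-type lists, the folder layout and the constructed sample files in `demo()` are my assumptions; adjust the lists to what you actually keep.

```python
"""Added example: copy personal files off a suspect PC while leaving behind the file
types most likely to carry an infection, and write a SHA-256 manifest so each copy
can be re-checked on a clean machine before it is opened."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# File types worth rescuing: documents, photos, video and music (assumed list).
KEEP = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".rtf",
        ".odt", ".ods", ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".avi",
        ".mov", ".wav"}
# File types deliberately left behind: anything Windows will run, plus
# macro-enabled Office documents.  Rescue these by hand only if you must.
SKIP = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
        ".jse", ".wsf", ".hta", ".lnk", ".inf", ".docm", ".xlsm", ".pptm"}


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large videos do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy KEEP files from src into dst, keeping the folder layout.

    Returns {"copied": {relpath: sha256}, "skipped": [...], "unknown": [...]}
    and writes the copied map to dst/MANIFEST.json."""
    report = {"copied": {}, "skipped": [], "unknown": []}
    for path in sorted(src.rglob("*")):          # sorted for a repeatable report
        if not path.is_file():
            continue
        rel = path.relative_to(src).as_posix()
        ext = path.suffix.lower()               # "holiday.jpg.exe" -> ".exe"
        if ext in SKIP:
            report["skipped"].append(rel)
        elif ext not in KEEP:
            report["unknown"].append(rel)       # decide by hand, do not copy blindly
        else:
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            report["copied"][rel] = sha256_of(target)
    dst.mkdir(parents=True, exist_ok=True)
    (dst / "MANIFEST.json").write_text(json.dumps(report["copied"], indent=2, sort_keys=True))
    return report


def verify_backup(dst: Path) -> list:
    """On the clean machine: re-hash every manifest entry; return the paths that changed."""
    manifest = json.loads((dst / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dst / rel).is_file() or sha256_of(dst / rel) != digest]


def demo() -> dict:
    """Run the backup over a small constructed folder tree (not real user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "backup")
        (src / "Documents").mkdir(parents=True)
        (src / "Documents" / "letter.docx").write_bytes(b"PK\x03\x04 constructed document")
        (src / "Documents" / "invoice.docm").write_bytes(b"PK\x03\x04 constructed macro document")
        (src / "Pictures").mkdir()
        (src / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff constructed image")
        (src / "Pictures" / "holiday.jpg.exe").write_bytes(b"MZ constructed dropper")
        (src / "notes.xyz").write_bytes(b"constructed file of unknown type")
        report = backup_tree(src, dst)
        report["mismatches"] = verify_backup(dst)               # [] straight after copying
        (dst / "Pictures" / "holiday.jpg").write_bytes(b"tampered")
        report["mismatches_after_tamper"] = verify_backup(dst)  # ["Pictures/holiday.jpg"]
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it for real, replace the `demo()` call with something like `backup_tree(Path(r"C:\Users\you"), Path(r"E:\backup"))`, and ideally run it from a Linux live CD or another clean system that mounts the suspect drive rather than from inside the infected Windows, where a script can be tampered with like anything else.  The manifest only proves the copies have not changed since they were made; it does not prove they are clean, so still scan them before opening anything.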


Assuming that you either don’t have AV installed (tut tut!) or it has failed to stop the infection, running a full sweep with an up-to-date scanner might be enough to clear up some minor infections.  Considering the nature of the problem we’re dealing with, and the popularity of fake AV programs, stick with companies or products that you’re familiar with or that have been directly recommended by someone you trust, and download them only from the vendor’s own website.  Fake AV can do a pretty good job of imitating a legitimate tool, so be on the lookout.

Most people think that an AV tool gives 100% protection, but this is far from the truth.  As such, when cleaning up it helps to run scanners from more than one vendor.  Keeping two full products installed would be too much of a burden on your computer in everyday use (two real-time scanners also tend to fight each other), so use on-demand or on-line scanners for the second opinion.  (More information on AV detection rates is available here.)

! usual disclaimer of software applies ! 

On-line Scans

Several reputable AV vendors provide free scanners that require very little installation and run pretty much from within your web browser.  These can be very useful in an emergency like cleaning up an infection, but they are not practical for everyday protection because they only scan when you ask them to.

Traditional (installed) Scans

If the on-line scanners fail to find the problem or fail to run, or if you’re worried about further damage or data leaking and you don’t want to connect your infected PC to the web (an entirely reasonable precaution!), then there are several flavours of free, traditional installed AV clients.

If you download an AV tool on another computer to transfer over to the infected one, there are a few things to consider. 1) Make sure you download the correct version: some websites recognise the operating system of the computer you are downloading on and suggest a version for that, which may not be compatible with the infected machine. 2) If the vendor publishes a checksum for the installer, check that it matches before you run it. 3) If possible, burn the installation files to a CD so that the infected computer cannot write to the disc; if you use re-usable media like a USB stick, the infected computer may infect that media, so don’t plug the stick back into a clean computer afterwards without scanning it.

That didn’t work…

Some infections are really nasty: they can stop you from browsing to an anti-virus vendor’s website, stop you from installing new anti-virus tools, or let you install a tool but tamper with the installation so that the AV is blind to the current live infection.  Other times the anti-virus simply can’t clear the infection.  If this happens the AV tool will usually give you some pointers as to why it has failed, which files are causing a problem and what might be done to delete, repair or replace them.

Make a note of any discoveries, any files or services that are highlighted.  More than likely someone else has already encountered (and hopefully fixed) the infection you’re dealing with, so take a look on the web, from a clean computer if the infected one can no longer reach help sites.  Of course, use caution with any advice from a source you’re not familiar with.  There are several advisory forums where such things are discussed, and quite often there will be some very clever and experienced people hanging around to give advice.  One thing they may ask you to do is download, install, run and report back on the output of a program called HijackThis; while this sounds rather suspect, it is actually a legitimate tool that lists the places where programs hook themselves into Windows (start-up entries, browser add-ons, the hosts file and so on) and so helps track down the root of the infection.
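One thing worth checking yourself when a PC suddenly can’t reach anti-virus vendors’ sites is the hosts file (`C:\Windows\System32\drivers\etc\hosts` on a standard install), which Windows consults before it asks DNS: pointing a vendor’s name at 127.0.0.1 or 0.0.0.0 is a cheap way for an infection to block help, and pointing a bank’s name at some other address is worse.  The following Python script is an added example, not from the original article and not part of HijackThis; it runs over a constructed sample hosts file, and the `.example` names and the 300 blank lines are made up to show entries hidden far below the header.

```python
"""Added example: look through a Windows hosts file for entries that block or
redirect anti-virus, update or banking sites.  A home PC normally has no active
entries at all, so anything beyond the localhost names deserves a second look."""
import ipaddress
from pathlib import Path

# Default location on Windows (assumption: a standard install on drive C:).
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Names that are harmless to see mapped to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> list:
    """Return (line_no, address, [names]) for every active line; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.append((line_no, addr, [n.lower() for n in names]))
    return entries


def check(entries: list) -> list:
    """Flag every mapping that is not a plain localhost entry, with the reason."""
    flagged = []
    for line_no, addr, names in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append({"line": line_no, "addr": addr, "host": " ".join(names),
                            "why": "first field is not an IP address"})
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                why = "blackholed: the site can no longer be reached"
            else:
                why = f"redirected to {ip}: traffic goes to someone else's server"
            flagged.append({"line": line_no, "addr": addr, "host": name, "why": why})
    return flagged


def check_file(path: Path = HOSTS_PATH) -> list:
    """Read the real hosts file and return the flagged entries."""
    return check(parse_hosts(path.read_text(encoding="utf-8", errors="replace")))


# Constructed sample hosts file, not taken from a real machine.  The 300 blank lines
# imitate a common trick of pushing the added entries far below the visible header.
SAMPLE_HOSTS = (
    "# Constructed sample hosts file header\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300 +
    "127.0.0.1  update.antivirus.example\n"
    "0.0.0.0    www.antivirus.example  download.antivirus.example\n"
    "203.0.113.5  www.mybank.example   # looks like a block, is actually a redirect\n"
)


def demo() -> list:
    """Run the check over the constructed sample; real use is check_file()."""
    return check(parse_hosts(SAMPLE_HOSTS))


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit['line']:>4}: {hit['addr']:<14} {hit['host']:<30} {hit['why']}")
```

`check_file()` reads the real file; you may need to run it as Administrator, and an infection sometimes marks the file hidden or read-only.  This is only one of several ways an infection can block help: proxy settings, the DNS server settings and the AV product’s own processes are other places to look, so an empty result does not clear the machine.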

Another common task is to start your computer in “Safe Mode”, which means Windows loads in a more basic and restricted mode with only the essential drivers and services.  An infection that hooks into the normal start-up often doesn’t get a chance to run, which makes it easier to delete, repair or replace infected files that would otherwise be locked or protected.  On Windows XP, Vista and 7 you get to it by tapping F8 as the computer starts, before the Windows logo appears.

Still getting nowhere…

Unfortunately, if you’ve made it this far without success then it’s probably time to consider wiping your computer, going back to the beginning and reinstalling everything.  You will most likely need a license number to complete the installation; this is most often on a small sticker with a barcode, numbers and a hologram somewhere on the outside of your computer’s case.

If you have the original installation discs then this should be reasonably straightforward.  Some computer manufacturers include a recovery option, a small section of the hard drive that is normally hidden from view and so usually stays clean; it is not guaranteed to, though, so if the rebuilt machine shows the same symptoms, treat the recovery partition as suspect too.  To start this recovery option you’ll probably need to hit a particular key at a particular point in the loading sequence; you should be able to find this in the documents that came with your computer, or it will be a quick web search away.  Whichever route you take, the freshly installed system will be missing years of security updates, so install those first, before you restore your files or do anything else online.

If you don’t have a license number, installation media or a built-in recovery option, then perhaps consider taking Linux for a spin!  You can download the installation files completely free, burn them to a CD and then run Linux straight from the CD to try it out, without any installation hassle.  Two common Linux versions are Ubuntu and Fedora.  A live CD like this is also a handy way to copy your files off an infected machine without ever starting the infected Windows.  For most everyday tasks you’ll be able to do with Linux what you could with Windows, opening the same file types, and all of the common software is free, including web browsers, office programs, media players, graphics editors and so on.

What’s the worst that could happen?  Your computer’s dead in the water anyway!!! 🙂

Feel free to drop me a line if your computer is infected (or if you think it’s infected) and you’d like some specific help clearing it up.  Also if you’d like more info on moving over to Linux, I’m always happy to welcome more converts to the light side…

Image Attribution: Thanks to jscreationzs @ for both images