How to prevent or remove PC virus infestations

Section I: Why are we here, or, how did we get into this mess?

Microsoft Windows is the operating system of more than ninety percent of the personal computers connected to the Internet. It’s also the least secure operating system available, because it was designed before the advent of the public Internet, and after Internet usage became widespread, Microsoft chose to implement a technology called “ActiveX,” which permits remote computers to execute programs on your local PC, usually through Internet Explorer. Since that time, Microsoft has integrated Internet Explorer deeply into the operating system, so that every time Internet Explorer connects to the Internet, it “opens a hole” directly into the heart of your PC. Outlook Express (later renamed “Windows Mail”) relies heavily on Internet Explorer, so any email received through Outlook Express also has a clear shot at your PC’s heart. It should be noted that Outlook, the email program bundled with Microsoft Office, has no relationship with Outlook Express other than the one common word in their names; while it is still a relatively unsecure email client, it is vastly better than Outlook Express when it comes to security – if, and only if, it is kept up-to-date using Microsoft Update.

Unsurprisingly, then, because Windows is both the most-widespread OS and the easiest OS to break into, it is the biggest target for viruses and trojans – malicious software designed to, in essence, transfer control of your PC to some anonymous remote operator, usually running as a “background process” so that you don’t even know it’s there. That’s if you’re lucky. Some malware is trying to steal your personal information – sometimes for simple identity theft, sometimes to access your bank accounts; and some is simply destructive, and will wipe your hard drive (or enough of it that you can’t recover your files).

Section II: A kilobyte of prevention is worth a terabyte of cure.

It’s fairly easy to protect yourself from most malicious software, also known as “malware,” and it’s a whole lot easier than removing an infestation after it happens. Here are the simple preventive measures:

1. Create a “limited user” account for running software on a routine basis. Log in to this account except when you absolutely must have local administrator privileges.

2. Make sure the administrator account has a complex password assigned to it; use a combination of upper- and lowercase letters, symbols, and numbers, and never use a password of less than eight characters. Since the idea is to protect your PC from outside attackers, it’s OK to write this password down so you won’t forget it. Anyone who has physical access to your PC and wants to get into it badly enough can break ANY Windows password in a matter of minutes anyway; I have to do it all the time when users have forgotten their passwords.

3. Never use Internet Explorer for anything except:
a. Windows Updates and Microsfot Updates.
b. Downloading a different Web browser. Mozilla Firefox and Google Chrome are both freeware; Opera is popular and relatively inexpensive.

4. Never use Outlook Express or Windows Mail for anything. Period. There is nothing they do that you absolutely can’t live without, adn there are a whole lot of things they do that are malicious and harmful from a user’s security point of view.

5. Use available freeware protections to block even accidental access to malicious Web sites, viruses, and spyware. My recommendations on those follow this section.

6. Whenever you need to install anything, try to use the Shift-Right-click and “Run as…” method to temporarily elevate permissions to the local administrator account, instead of logging off and back on as Administrator. There are some packages that won’t install this way (notably, recent HP printer drivers), and my best advice is to avoid those if you can. if you can’t, try to install them with your Internet connection disabled (by unplugging the network cable, for example).

7. Log into the Administrator account only when you absolutely must. I know I covered that in Point 1 above, but it’s very important and bears repeating.

Section III: I need protection, but I’m a cheapskate!

For private (home) users, there are a lot of freeware antispyware and antivirus packages that are at least as good or better than the packages that require a paid subscription. Here are my favorites; your mileage may vary.

NOTE: If you are downloading these in an attempt to clean up an already-infected (or suspected-infected) PC, do it from another PC that is known to be uninfected, and then burn a CD containing the tools. Otherwise, you run the very high risk that your clean-up tools will get “dirty” before you can even use them.

Sophos Rootkit Remover
Norton Removal Tool
McAfee Consumer Product Removal Tool
Malwarebytes Anti-Malware (Download the free version.)

ANTI-VIRUS (pick one; I prefer Avast but you may like AVG better):
Avast Home
AVG Free

SuperAntiSpyware (Get the free edition.)

Hostsman (with Serverman)

Mozilla Firefox
Google Chrome

Mozilla Thunderbird
Evolution for Windows

SECTION IV: Cleaning Up After Unpleasantness.

If you already have an infection, or believe you have one, you should have already downloaded all of the packages mentioned in Section III (using another, “clean” PC) and burned them onto a CD. Because a USB thumbstick can be infected, unless you have one you consider disposable, you don’t want to plug it into your infected machine; once you’ve done that, you can’t ever assume it’s safe to use again.

We’ll assume here that you have managed to contract a PC virus of some sort (or more likely, you have several; any PC that’s vulnerable usually has multiple infections). So, set aside a day to perform the work, and here’s the order of events to clean things up; expect to be prompted to reboot after some of these steps:

1. Disconnect your network cable if you haven’t already done so. If your PC is connected wirelessly, disable the wireless networking adapter. I can’t really give detailed instructions for this because every wifi manufacturer has their own interface, but if you’re trying to do your own cleanup, we’d guess that you know how to do this.

2. Install the Sophos Rootkit Remover and run it.

3. If you are using Norton or McAfee anti-virus, and you have an infection, you might as well remove them. they didn’t protect you, did they? If you have Norton, run the Norton Removal Tool. If you have McAfee, follow the instructions here.

4. Install Hostsman. Once it’s running, connect your Internet connection (briefly; you’re going to get back off the Internet in a moment), pull down Hosts from menu and select Check for Updates. Check the radio button to “Overwrite current Hosts” and then click Update. As soon as the update is done, disconnect the Internet connection again.

5. Still in Hostsman, pull down Tools, and select Options. Click on System and make sure “Automatically run on Windows Startup” is checked. Click Apply. Then click Protection and make sure “Enable Hosts on exit” is checked. Click Apply. Click Update And make sure “Enable Hosts file Auto-Update” is checked. Click OK.

6. Again pull down Tools, and select HostsServer, then Control Panel. Click “Start Server,” then Options. Make sure “Start HostsServer automatically” is checked. Click Apply. the minimize the HostsServer control panel; do not exit.

7. Minimize HostsMan. Now restart Your PC and make sure HostsMan’s icon shows in the “tray area” near the clock. Note that if you are running Vista you may need this workaraound, or for Windows 7 you may need this workaround, to start HostsMan as a scheduled task with elevated privileges instead of as an autostart program.

8. After the restart, install Malwarebytes Anti-Malware (MBAM). It will need an Internet connection to perform updates, so before finishing the install, reconnect your network cable or re-enable your wireless. As soon as the update is complete, disconnect again. Then perform a full scan, and let MBAM remove whatever it finds. Reboot your PC.

9. Install the anti-virus (AV) you have chosen. It’s going to need that Internet connection to update, so once more, reconnect, finish the install, then disconnect. Allow the AV to perform a full scan upon reboot, and delete anything it finds. WARNING: If your machine is very badly infected, this may make Windows crash, because some necessary system files may have been replaced with trojans. With XP, you can then perform a “repair” from the original CD, which will replace all system files with the originals. You will need to do a long and complete sequence of Windows Updates afterward, too.

10. Install SuperAntiSpyware (SAS), connect your Internet connection again, let it update, then perform a full scan. Once again, delete whatever it finds. (In my personal opinion, this is the dumbest name ever for a software package, but it’s a really good package, so they can call it Uncle Bob’s Rat Poison and Bait Shop for all I care.)

11. Repeat the scans with MBAM, the AV, and SAS until they all come up “clean.”

12. You can connect to the Internet again now. Perform Windows Updates until there only optional updates remaining.

13. To be completely safe, burn all of your data files to CDs or DVDs, flatline the hard drive, and reinstall Windows and everything else. Most experts will tell you that you can’t trust a computer (no matter what OS it runs) that has been infected. If you choose to skip this step, don’t be surprised if you get a reinfection soon.

SECTION V: Staying Out of Trouble.

This is that “ounce of prevention” you’ve heard of. The best way to get rid of a computer virus is to avoid getting one in the first place. So, re-read Section II, and then follow these additional steps:

1. You need Hostsman, MBAM, the AV of your choice, and SAS; check Section IV above.

2. Choose a Web browser that is not Internet Explorer, install it, and set it as your default browser.

3. Choose an email client (if you have not switched completly to Webmail, such as gmail) that is not Outlook Express, install it, and set it as your default email client.

4. Be paranoid. Everyone on the Internet is out to get you. Some of them don’t know it, but it’s still true. If you get a popup that says “your computer is infected,” disconnect the Internet connection immediately, reboot, and scan with your installed AV product. Chances are you just went to a site that wants to install a “rogue antivirus” package – in other words, a trojan horse that pretends to be an AV package, but is actually malicious software. You might want to make a note of that site and never go there again.

Good luck, and be careful out there; the cloud is full of pirahna!

By icesnake

Icesnake, known to Law Enforcement the world over as Rich Tietjens, retired from the US Army in 1992 and has spent the intervening years attempting to die with the most gadgets, and thus, win. To this end, he has written software both as a freelance programmer and a paid consultant, tested network products and built driver disks for Intel, operated a Web hosting service for ten years, built more personal computers than any sane man would ever want, collected seven cats, and finally settled down in Oregon as the Information Technology Training Coordinator (fancy talk for "help desk and PC tech") for a small manufacturing firm. Rich started playing Dungeons and Dragons in 1976 and has never given up the RPG habit, progressing through Diablo, Everquest, Asheron's Call, Diablo 2, and World of Warcraft. Most evenings you can find him on Trollbane-US playing his mage, Icesnake - who is an Engineer and is trying to collect all the cool gadgets in Greater Azeroth... And so it goes.


Leave a comment