September 2, 2009 9:00 AM PDT

Remove viruses from an infected PC, and keep them from coming back

by Dennis O'Reilly

Our family PC gets quite a workout. It's a five-year-old machine that runs Windows XP and is used primarily by my daughter and teenage grandson for instant messaging, e-mail, social networking, and downloading audio and video files. Since I rarely use the system, I didn't notice that its antivirus subscription had expired.

Which explains why I was a bit surprised when my grandson called while I was out of town to tell me that the PC was acting strangely. Ads appeared on the desktop as soon as Windows started, and Firefox and other programs would occasionally close without warning or fail to open at all.

I immediately suspected a virus and instructed my grandson to perform a virus scan. Unfortunately, the machine's antivirus app had gone AWOL. I talked him through the process of using System Restore to revert the PC to an earlier time. This improved matters somewhat, but the system continued to act flaky.

When I returned from the trip, I started the troublesome machine and attempted to open the Microsoft Update site to make sure its copy of XP was up-to-date. But the malware had managed to disable several Windows services intermittently, including Services.msc, so Internet Explorer would shut down repeatedly.

At this point, I was seriously considering a hard-disk reformat and XP reinstall. I even had the XP installation CD in the drive and was ready to begin the process. But even though my daughter and grandson assured me that they had backup copies of all their personal files, I decided to try one more time to salvage the existing setup.

I'm very glad I did, because it turns out there were lots of vacation and holiday images and videos on the machine that hadn't been backed up. First, I installed a free copy of Malwarebytes' Anti-Malware antivirus program on the infected PC, updated the app's virus definitions, and ran a complete scan.

[Figure: Malwarebytes Anti-Malware scan report. The initial Malwarebytes Anti-Malware scan detected 104 separate infected files and folders. (Credit: Malwarebytes)]

That first scan turned up a mere 104 infected files and folders. Here's a list of the nasties the machine had picked up:

• Trojan.Vundo
• Trojan.Vundo.H
• Trojan.FakeAlert
• Rogue.Installer
• Trojan.Downloader
• Trojan.Dropper
• Trojan.Agent
• Worm.KoobFace
• Rogue.AdvancedVirusRemover
• Rogue.SystemSecurity
• Adware.BHO
• Rootkit.Agent
• Spyware.Agent
• Trojan.BHO
• Hijack.LSP
• Rogue.Multiple
• Disabled.Security

After viewing the report, I rebooted the PC and ran another malware scan. This time, Malwarebytes' app found only nine infected files.

[Figure: The second Malwarebytes Anti-Malware scan report. The second scan detected only nine infected items. (Credit: Malwarebytes)]

I rebooted once more and ran yet another scan, which indicated that the PC came up clean.

[Figure: The third Malwarebytes Anti-Malware scan report. The third scan indicated that all viruses and other malware had been removed from the infected PC. (Credit: Malwarebytes)]

Once I was assured that the PC was malware-free, I revisited the Microsoft Update site to download and install all the XP security patches the machine required. Then I sprang for the $25 version of Anti-Malware to get the program's real-time virus scanning and automatic updates.

I knew all attempts to alter the user behavior that led to the infections would be futile, so instead, I instructed my daughter and grandson to run Malwarebytes' scanner each time they start the system and just before each shutdown. That was a little over two weeks ago, and so far, the PC remains free of infection. Still, you can bet I'll be paying much closer attention to that machine from now on.

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
30 Comments
by Ptulg1 September 3, 2009 9:42 PM PDT
Wow, the exact same steps my dad uses...
by azadam24 September 7, 2009 12:42 PM PDT
Simple solution: spring for either Norton 360 or Norton Internet Security (the 2010 version will be released any day now, but 360 is just as good, and if you buy it now you'll get the new version 4.0 for free when it's released in February or March of 2010. If you are a Costco member, you can get the Premier version of N360, which also gives you 25GB of free online backup space, for just $59.99 with free shipping - that's 40 bucks off the regular price; you just have to purchase from costco.com during the month of September). Both are rock-solid security suites that install lightning fast and use very little system resources. As a second and third layer of protection, I also use two free programs that complement Norton quite well (they are designed to run alongside your existing security software), Prevx 3.0 (prevx.com) and ThreatFire 4.x (threatfire.com). I can guarantee with 99.99% certainty that with these programs on your PC, there is no way you'll get an infection - believe me, I even paid a highly-trained member of Geek Squad to TRY to infect my system - he could not, so I got a refund of half what I paid him lol. Anyway, you can read reviews of all of these products on pcmag.com if you want more detailed information - I'm not shilling for any of them, I just did my research and have had great success using all of them - I wish they were paying me to say such nice words! :) Have a great Labor Day all, and thanks to all of our troops for their service!!!
by ravi16aug September 3, 2009 9:45 PM PDT
Malwarebytes Antimalware is not an Antivirus replacement. I would strongly suggest running an online scan from either Kaspersky, TrendMicro, or Panda to be sure that the system is clean. Better still, use a rescue CD from Avira.
by doreilly September 7, 2009 10:54 PM PDT
I agree that PCs require multiple layers of security and that an online virus scan should be performed in addition to use of a program such as Anti-Malware. I'll cover free online virus-scanning services in my next post.

Thanks,
Dennis
by Forked_Tongue September 15, 2009 4:09 PM PDT
I agree but I use Eset's online scanner since they are the makers of Nod32 usually ranked the top AV by most professional sites. I would recommend getting Avast Home from Cnet for free or see if your ISP gives you a free security suite (I have Cox cable and they give you three free license from McAfee security suite, I give these out to friends or family since I prefer Avast) for those members who don't pay attention to expiring security software warnings. I agree with OP, it may not make a difference what they use if they don't pay attention to their usage.
by Seaspray0 September 16, 2009 1:32 PM PDT
Dennis O'Reilly, if you are still using XP, you also need to do the following. Set up separate user and administrator profiles and only use the administrator profile when you need it. Chances are, your computer would never have been infected had you done this.
by exactlyy September 3, 2009 11:45 PM PDT
If it was me I'd have reformatted my PC.
by G-Skaf September 4, 2009 3:33 AM PDT
"I knew all attempts to alter the user behavior that led to the infections would be futile, so instead, I instructed my daughter and grandson to run Malwarebyte's scanner each time they start the system and just before each shutdown. That was a little over two weeks ago, and so far, the PC remains free of infection. Still, you can bet I'll be paying much closer attention to that machine from now on."

If you can't change user behaviour, change the system's behaviour. You should seriously consider creating a standard (non-privileged) user account for use by the youngsters and only use the (password-secured) administrator account e.g. when you have to install a program or change system settings. They might still catch something, but at least it won't affect the entire computer. It's not much good running around the house and looking for burglars if there are no locks on your doors.

"It's a five-year-old machine that runs Windows XP and is used primarily by my daughter and teenage grandson for instant messaging, e-mail, social networking, and downloading audio and video files."

For that kind of use, you may be better off installing any modern-day Linux distro (e.g. Ubuntu) and disabling sudo (root access) for the kids. They will have to try really hard to get that system infected.
by doreilly September 7, 2009 10:56 PM PDT
They do use two separate standard Windows accounts. I agree that a Linux setup may be the safest approach and may eventually replace the family Windows PC with a Linux box.

Thanks,
Dennis
by Forked_Tongue September 15, 2009 4:12 PM PDT
The best free AV for this situation would be Avast Home, it monitors all those activities and will alert the user when they're receiving a dangerous file or script. Linux might be ideal but unfortunately there are situations where MS must be used like receiving certain files in a MS proprietary format which is beyond the skills of the Linux novice to use wine to remedy.
by rseek September 4, 2009 1:53 PM PDT
Dennis writes:

"Then I sprang for the $25 version of Anti-Malware to get the program's real-time virus scanning "

Malwarebytes doesn't have anti-virus capabilities. Also it is surprising Dennis didn't mention any scans with any regular antivirus *** antivirus programs.

This story appears to mislead novice computer users into thinking that Malwarebytes can replace regular antivirus/anti-malware apps.
by doreilly September 7, 2009 10:57 PM PDT
I agree that a free online virus-scanning service adds an important layer of security and will describe several such services in my next post.

Thanks,
Dennis
by Grimbles September 4, 2009 3:16 PM PDT
Hmmm, yes I agree with 'rseek'....there are some real anomalies in this story.

Dennis, as you are no doubt a very experienced PC user, I find a lot of what you have written here to be surprisingly inaccurate. First of all, a system restore is the last thing you want to be doing when a machine is heavily infected. Second up, just because MBAM says the machine is clean doesn't necessarily mean it is so. MBAM is an excellent product, but even the best security software cannot identify 100% of malware all the time. You would need to run scans through multiple engines and even then there are no guarantees.

Your biggest error is the lack of any mention of anti-virus software for the kids' machine. MBAM, even with real-time protection in the commercial version, is not a fully fledged anti-virus and is a poor substitute for one. MBAM should be used in conjunction with anti-virus software, not instead of it!!

Good read though....LOL. I am grandad (Pop) to 12 so I can definitely relate.

cheers....Jim
by QA_Tester September 7, 2009 12:08 PM PDT
Actually MBAM is not a substitute for anti virus at all
by doreilly September 7, 2009 10:59 PM PDT
As you suggest, the best way to protect your PC is by using a multilayered security strategy that includes products such as Anti-Malware as well as a comprehensive antivirus service. I'll describe several free online virus-scan services in my next post.

Thanks,
Dennis
by firewallconfiguration September 4, 2009 9:14 PM PDT
Hi! It's nice to see this and it's a very creative one. I really appreciate this, and the topic of computer security is really nice, so let's start our PC safely. Keep up the posts, cont.......... stay tuned with us. Thanks a lot.
by Ari Britt September 4, 2009 9:43 PM PDT
Decided to give it a try (free download); it 'detected' 104 items. Trouble is one doesn't get 'all the information' on what that item is, just the usual c:\thisnthat\. followed by a few 'dots' and no other info to make an intelligent decision.
It even listed my errorfix prog!! and a few other apps I use, including a spyware app. Decided not to purchase and stick with Spyware Detector.
by Vepar_S September 5, 2009 6:19 AM PDT
Hey Denis,

As others have mentioned, you should try scanning your PC with different anti-virus software (not at the same time!) and perform the scans in safe mode with networking; also clean up your junk files and temp folders. I never use System Restore if it is malware related, as that can bring the nasty back and even corrupt your registry. After seeing what the MBAM log file shows, check for any rootkits and run HijackThis. Some viruses are really good at hiding and can only be knocked off manually. Use programs that show the directory of the malware; after you clean it up and reboot, go to the directory and make sure it is gone. Never let children or "friends" use the Admin accounts; I learned that the hard way. I hope my advice is helpful, if there is anything I missed let me know guys :) take care.

~Edgardo
by Bill Veik September 7, 2009 4:08 AM PDT
I recommend an additional step not specifically mentioned as being taken: go to System Restore and turn it off, then turn it back on. This will delete the old restore points, and then instantly create a new Restore Point of the clean machine. The old restore points may very well contain the ability for any of the infections to resurrect themselves. The list of cleaning & protecting steps I follow (and the no-cost programs that perform them) is too long and boring to detail here. But the systems I direct remain problem-free.
by 86lg4b4c September 7, 2009 10:54 AM PDT
Clearly a lame, out-of-date plug for Malwarebytes. If you spent $25 for this protection only, then how much do you pay for actual antivirus programs a year? Wheew. Sounds like a completely made-up story. Slow day, I guess.
by doreilly September 7, 2009 11:01 PM PDT
Nope, true story, unfortunately. And I'll cover free online virus-scan services in my next post.

Thanks,
Dennis
by shorty6100 September 7, 2009 3:26 PM PDT
MBAM is an excellent addition to fight spyware, trojans, viruses etc. Many of the previous comments are correct in that this should not be used alone. I clean nasty stuff off of computers as a hobby and this is one of the tools I use along with SuperAntiSpyware and Spyware Terminator. Avira Antivir is the free Antivirus program I recommend to complete your arsenal of freeware to care for your computer. MBAM worked extremely well against a particularly nasty strain of vundo. Highly recommended.
by QA_Tester September 7, 2009 4:09 PM PDT
The article sounds like a sales pitch for MBAM. It took almost three hours to run the scan.
It is important to have multiple defense mechanisms:

Firewall - in today's world actually two hardware and software versions. Devices provided by high speed ISPs usually have firewall built in.
Antivirus - I'd also go with two.
Malware/Spyware detection and removal - also two

The reason to have more than one program doing the same thing is that different vendors implement their apps differently. Having two programs doing same helps in case when one doesn't catch a problem the other hopefully would because the logic behind each application is different.

I also ran CCleaner and Advanced System Care (free version, just don't want to spend $30 for just a couple of features). That keeps my hard drive clutter free.
by bozotheclown138 September 7, 2009 7:21 PM PDT
hehe 2 antiviruses? I recommend none if you know what you're doing. All you need is a good firewall, Comodo with maximum defense, and you're all set, but scanners that don't run as a system resource don't hurt.
by DMBoricua September 7, 2009 11:15 PM PDT
Malwarebytes Antimalware has saved my life quite a few times from trojans and viruses. This program actually removes viruses and trojans, something very rare and excellent for a free program like this to do. I have an antivirus (AVG Free) up and running at all times but I do a daily scan with this program as I trust this program 100% to detect very nasty infections. It can also detect any infected files that have been either directly downloaded to the computer or been bypassed by the antivirus somehow, so this really means that even if you got an antivirus doesn't mean you're fully protected. Have a copy of this beautiful program, it might save you from making that cliche reformat-your-computer decision.
by tikoro September 8, 2009 11:52 AM PDT
I'll try to spell this out: Ask your average every day computer user (which is probably the vast majority of comments so far) to absolutely define each of the following: virus, trojan, worm, spyware. Chances are you'll get much of the same answers. These days it's all lumped in to "malware".

Dennis did exactly the right first-form steps on cleaning a computer though. Most infections that occur are of the spyware and trojan types. That being said, typically when a machine is as infected as he describes, the first priority is to get the computer into some semblance of usability. Usability in this case would be stopping pop ups and restoring as much of the normal system functions as possible. Once you've eliminated the threats that keep you from doing normal work (like launching applications, etc...) then it's time for deep scanning the system.

While the title may be a bit misleading if you consider a virus as something other than malware (which would be incorrect, as generally any virus is unwanted), the article itself doesn't state not to run antivirus; it was a depiction of how Dennis got a computer back into normal working mode using a specific program. A typical user can usually download one of every flavor of antivirus and anti-spyware and anti-malware software and run them each one at a time and still have each and every one of them find problems and still not have a clean PC afterwards. Welcome to the world we live in.

Let's all go back to the day when trolls just flamed user comments for no reason instead of the author.
by JimmyPage22 September 14, 2009 1:55 PM PDT
I have what's left of my MS Windows LiveCare anti-virus as my main AV, which over the past year has found only a single virus, which was quarantined (that was over 7 months ago). I have since supplemented with MBAM, Glary Utilities, IObit's PC Tune-up, and recently Security 360.
Lately I have been depending mainly on Security360 deep scans, which have found dozens of tracking cookies and several virus-installers. MBAM at its first implementation found 3 threats (virus installers), but since keeps telling me my system is clean (...which according to Security360, it definitely is NOT).
Currently I scan almost daily (over-night) with Security360, and once or twice a week with MBAM (to supplement my main anti-virus LiveCare, which is auto daily).
My internet browser activity is quite conservative lately; as my knowledge of threats on-line increases I realize NO MATTER WHAT A-V or MalWare product you use, they will not prevent 100% of the threats out there. Therefore this awareness and resulting paranoia is limiting my choice of surfing risk.
Despite limiting my on-line activities to 'low-risk' sites, this morning (Sept 14) IObit Security360 came up positive with 19 threats (18 TrackingCookies, and a Trojan.Agent). The Trojan.Agent was downloaded on Aug 31 via a download of e2eSoft VCam and VAudio (same bundle), so it took Security360 more than 2 weeks itself to find this trojan. AND, I still have NO IDEA what program the trojan 'dropped' on my drive.
My Vista Premium is kept up-to-date, as are my AV and supplemental 'malware' and maintenance programmes. I scan and clean daily, yet I know there are bugs and likely viruses and malware that still remain, because of slowness, crashes caused by DEP and COM Surrogate when using IE and opening AVI and media files, and COM Surrogate trying to access the internet.
All we can do is minimize the criminals and ******-bags that are responsible. They and their malware/viruses are similar to the spiders and cockroaches all around us in our walls and under the floors. You may scrunch a few of them you see out in the open, BUT there is no way for the foreseeable future to find and kill them all.
by September 14, 2009 11:29 PM PDT
Running ANY scan from an infected machine is sure not to be sufficient to claim it as 'clean'. Good viruses intercept Windows file access and therefore prevent ANY and ALL scanners from detecting them. You can only run a conclusive scan by inserting the hard drive into a clean PC (as a secondary drive) and scanning from there.

On top of that, most anti-virus programs only very limitedly recognise something called 'droppers'. These are initiators of viruses that come in so many different forms that scanning for them is near impossible. Having one of these on your machine will guarantee the return of a virus, despite it being found 'clean'. Good anti-virus software will detect its launch, but can do nothing to prevent it from happening again.

The advice given in this article is not good advice. MBAM is not a substitute for an antivirus program, and the right thing to do for this machine is to format and reinstall it. Surely taking off the photos is not a problem....
by Forked_Tongue September 15, 2009 4:32 PM PDT
You never drop an infected hard drive into a second clean machine as a secondary drive; if that drive has a boot sector virus you can infect the main drive on its initial read (unless it's a Linux OS or Mac OS machine, which is the exception). The only way you should ever hook up an infected drive to a clean computer is when that machine is already on and your defenses immediately react to anything plugged in by firewire or usb (like Avast Home, Kaspersky, and Eset Nod32); then you can connect it by firewire or usb drive reading tools (http://www.newegg.com/Product/Product.aspx?Item=N82E16812156102), which makes the drive similar to a hot-swappable usb drive. I agree with mbam being a poor substitute for an AV program and the need to low-level format the drive as the only way to make certain that drive is clean.
by pandacake September 16, 2009 5:12 PM PDT
So do I have to back up my files before using this? Can I still use it even if I'm using Avira??? Please help D: