Dealing With An Infected PC

There is no shortage of articles these days on how to prevent spyware, viruses, and other unwanted software from invading your computer. But many people already have an infected PC. What can you do if you think your computer is affected by spyware or a virus or other malicious software (malware)?

First let me assure you that you aren’t in this alone. There are excellent resources and community sites dedicated to helping dig people out of the mess that malware can make. Many of them are free and I’ll point you to them in this article. I’ll also explain how to recognize if your computer has malware running on it and point you to antivirus programs and antispyware tools to help you get rid of it. And I’ll describe how to use recovery options that help get your PC back to working the way it’s supposed to. And, finally, I’ll talk about “The Last Resort”—rebuilding your PC from scratch.

How to Recognize Malware
Malware is designed to run undetected in the background. So how can you tell if you have undesirable software on your system? The signs to look for include:

• Advertising pop-ups that appear every few seconds.

• Extra toolbars in your browser that won’t go away.

• Browser going to sites you didn’t tell it to go to.

• Browser settings changing so your home page won’t open.

• Unexplained system slowdowns.

• Sudden rise in computer crashes.

If you’re experiencing these kinds of problems, it’s a good idea to treat your PC as if it might be infected and check it out thoroughly. Although there are other reasons why your system might slow down or frequently crash, if you’re noticing these obvious indications of malware, your system has probably been compromised. It’s time to take defensive action.
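The symptoms above all have a place on the system where the offending software has to register itself to survive. As an added example that is not part of the original article, here is a read-only PowerShell script that lists the usual locations on a Windows XP PC: the Internet Explorer start and search pages, Browser Helper Objects and toolbars (resolved from their CLSIDs to the DLL that implements them), the Run keys, and any hosts-file entries other than localhost. It changes nothing; the registry paths are the standard Windows ones, and the single "expected" hosts line is an assumption made for this example.

```powershell
# Added example (not from the original article): read-only triage of the
# places browser hijackers and adware commonly hook into on Windows XP.
# Nothing is modified; review the output and use it to decide what to scan
# or uninstall.

$findings = @()

function Add-Finding([string]$area, [string]$detail) {
    $script:findings += "[{0}] {1}" -f $area, $detail
}

# 1. Internet Explorer start/search pages: a changed home page is one of the
#    symptoms listed above.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -ne $null) {
    Add-Finding 'IE' ("Start Page = " + $ieMain.'Start Page')
    Add-Finding 'IE' ("Search Page = " + $ieMain.'Search Page')
}

# 2. Browser Helper Objects and toolbars: the extra toolbars that "won't go
#    away" are registered here. Each entry is a CLSID; resolve it to its DLL.
function Resolve-Clsid([string]$clsid) {
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -ne $null) { return $srv.'(default)' }
    return '<no InprocServer32 - orphaned or unusual registration>'
}

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'BHO' ("{0} -> {1}" -f $_.PSChildName, (Resolve-Clsid $_.PSChildName))
}

$tb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
if ($tb -ne $null) {
    $tb.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
        Add-Finding 'Toolbar' ("{0} -> {1}" -f $_.Name, (Resolve-Clsid $_.Name))
    }
}

# 3. Run keys: programs that start with Windows and so come back after you
#    close them. The PS* properties are provider metadata, not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -ne $null) {
        $run.PSObject.Properties | Where-Object { $providerProps -notcontains $_.Name } | ForEach-Object {
            Add-Finding 'Run' ("{0}: {1} = {2}" -f $runKey, $_.Name, $_.Value)
        }
    }
}

# 4. hosts file: hijackers add entries here to redirect the browser or to
#    block antivirus update sites. Only the localhost line is expected
#    (an assumption for this example); everything else is reported.
$hostsPath = Join-Path $env:windir 'system32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^127\.0\.0\.1\s+localhost$') {
            Add-Finding 'hosts' $line
        }
    }
}

$findings
```

Run it before and after the cleanup steps below and compare the two lists: anything that is back in the Run keys or the BHO list after a reboot is a good candidate for the dedicated removal tools.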

Update Antivirus Programs
The first step in any attempt to repair or recover a compromised PC is to update your defensive tools. Your antivirus or antispyware tools need to be updated to the absolute latest versions and the most recent definition files. If you can do this on the PC that has the problem, then do it there. If not, you’ll need to use another PC to download the latest versions and put them on a CD or USB drive that you can use to work on the infected PC. I like the USB drive because it’s highly portable and easy to update if you need to. And everything you’ll need fits easily on a 128 MB USB drive.

Gather your original software CDs and disks as well, including your original Windows CD and the Windows XP Service Pack 2 (SP2) CD. You may need them before this is over, and it’s good to get everything organized and ready before you start. Windows XP SP2 provides better protection against viruses, hackers, and worms. If you don’t have a copy of the Windows XP SP2 CD, you should borrow one from a friend or download the Network Install version and copy it to a CD.

Important: Uninstall any antivirus software you are currently using before installing a new product; having two different programs might cause problems on your computer.

Typically, these software companies make special offers of free trial versions of their antivirus and firewall packages, which should be enough to get you through this process. But to help avoid being back in this mess again, you’ll want to choose one of them and get a full subscription to it so you stay up to date.

If you still have good working Internet connectivity, you can also use one of the excellent, free, online virus scanners. I’ve used both Trend Micro’s HouseCall Online Virus Scanner and Panda Software’s Panda Free Online Scanner.

One of the most annoying and difficult to remove pieces of unwanted software is Cool Web Search and its variants. To remove this, your best bet is CWShredder, a dedicated program that just goes after this.

You’ll also need a good antispyware product that can detect and remove spyware or other malware. Here, one is good and two or more are sometimes better. They generally don’t interfere with each other, and each seems to have slightly different strengths. The three I use regularly and recommend are Lavasoft’s Ad-Aware, Spybot Search & Destroy, and Microsoft Windows AntiSpyware, new antispyware software from Microsoft that is in beta testing now. (Beta software is pre-release software that is distributed for feedback and testing purposes.) The Microsoft product detects and removes spyware from your PC and can also prevent spyware from getting on your computer in the first place. I’ve been using it and really like the way it works, but because it’s a beta version, it won’t be the right choice for everyone until the final release. For one thing, Microsoft doesn’t provide technical support for beta releases; although formal support is not offered, you can go to the newsgroups to help get your questions answered.

Finally, it’s a good idea to have a couple of other programs available. LSPFix and WinSock XP Fix can help restore your Internet connection if the cleanup process messes that up.

Back Up Critical Files
If you can, now would be a really good time to back up critical files you’d hate to lose. Don’t try to back up programs or the operating system—there’s no point since they may be compromised and can be replaced. But those pictures of your daughter’s wedding, your résumé, and your doctoral thesis—those are irreplaceable. Please, copy them somewhere safe, since anything you do to remove this kind of malicious software is serious and could leave your PC in a state where it might be difficult to recover or save your critical files.

Where or what you copy them to doesn’t really much matter. A CD or DVD if you’ve got the hardware and software to do that, or a Zip disk, or just plain old floppy disks will work. But whatever medium you use, having a backup will give you the confidence to attack this malicious software without fear of losing something critical. Ed Bott’s Windows XP Backup Made Easy explains how to let Windows XP do most of the backup work.

Scan and Remove
Once you have your defensive programs ready, located your original CDs and DVDs, and made a backup of your critical data files, it’s time to start figuring out exactly what you have on your system that shouldn’t be there. But before you start, disable System Restore. The last thing you’d want to do is restore to this point anyway, and this will prevent versions of the noxious software from being saved in the restore point.

The first step should be to try the obvious. Look through Add/Remove Programs in Control Panel for programs that shouldn’t be there and try to uninstall them first. Some of the annoying adware programs will actually uninstall and stay uninstalled, so you might as well get rid of those first.

Next, scan for conventional viruses. Use the antivirus software that you downloaded and updated, or one of the online scanners if you’re still online. Deal with anything it finds, either by deleting or cleaning as appropriate. Microsoft offers a Malicious Software Removal Tool that is updated on the first Tuesday of each month. This tool checks computers running Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When you’re done, it’s time to disconnect from the Internet. Unplug the network connection or disconnect the modem.

Next, run CWShredder. Although it only deals with a single (but pervasive) problem, many of the Cool Web Search variants can prevent the other anti-spyware programs from doing their job correctly, so it’s best to go after this one first.

Now it’s time to run the antispyware scanners. It doesn’t really matter what order you run them in, but be prepared for a fairly lengthy list of things to deal with. Initially, I’d ignore any that are described as cookies—they’re low on our list of concerns for now. But everything that looks like a program or that they report as a critical issue should be quarantined or deleted.

Running in Safe Mode
One recommendation that some experts make is to run your antivirus and anti-spyware scans and cleanup in safe mode. Some problems that can hide from these programs in normal user mode are exposed in safe mode. Other experts disagree and suggest that there is little difference. I’m of the school that thinks it can’t hurt, so I suggest you try running your scans first from a normal boot, but when you’ve done all you can from there, start in safe mode and try running the scans again.

Finally, when you’re done fixing everything and you think you’ve got it all, I think it’s wise to install or reinstall Windows XP Service Pack 2. Now turn on Windows Firewall, turn on System Restore, and you can connect your PC back to the Internet. Before you do anything else, go to the Microsoft Update site and download all of the latest security fixes. Then, turn on Automatic Updates to make sure you stay up to date.
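Those last steps are easy to forget halfway through, so as an added example (again not from the original article) here is a read-only PowerShell script that verifies the end state the paragraph describes on a Windows XP PC: SP2 present, Windows Firewall on, System Restore turned back on, and Automatic Updates enabled. It assumes the standard Windows XP SP2 registry locations and the documented Windows Update AUOptions value (4 means download and install automatically); it modifies nothing and marks each item OK or CHECK.

```powershell
# Added example, not part of the original article: read-only checks for the
# post-cleanup state (SP2, Windows Firewall, System Restore, Automatic Updates).
# Nothing is changed; each output line is marked OK or CHECK.

function Get-RegValue([string]$path, [string]$name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$name }
    return $null
}

$results = @()

# Service pack level (the article has you reinstall SP2 after cleanup).
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.ServicePackMajorVersion -ge 2) {
    $results += "OK    Service pack $($os.ServicePackMajorVersion) is installed"
} else {
    $results += "CHECK Service pack level is $($os.ServicePackMajorVersion); install SP2"
}

# Windows Firewall, standard (non-domain) profile: EnableFirewall = 1 when on.
$fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
if ($fw -eq 1) {
    $results += 'OK    Windows Firewall is on'
} else {
    $results += 'CHECK Windows Firewall is off; turn it on in Control Panel'
}

# System Restore: DisableSR = 1 means it is still switched off from the cleanup.
$sr = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'DisableSR'
if ($sr -eq 1) {
    $results += 'CHECK System Restore is still disabled; turn it back on'
} else {
    $results += 'OK    System Restore is enabled'
}

# Automatic Updates: the wuauserv service should start automatically and be
# running, and AUOptions should be 4. On a domain-managed PC a policy under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU can override the
# value read here, so check there as well.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($svc -ne $null -and $svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running') {
    $results += 'OK    Automatic Updates service is running and set to Auto'
} else {
    $results += 'CHECK Automatic Updates service is not running or not set to Auto'
}

$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
if ($au -eq 4) {
    $results += 'OK    Automatic Updates set to download and install automatically'
} else {
    $results += "CHECK AUOptions is '$au'; set Automatic Updates to automatic"
}

$results
```

Anything marked CHECK should be fixed before the PC goes back on the Internet; the firewall and service pack items matter most, since they are what stands between the machine and reinfection while it downloads the remaining security updates.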

The Last Resort
Finally, I want to talk about the last resort, which is performing a clean installation of Windows XP. This is not something to do casually, since you will certainly lose data and have to re-install all your programs, but it is an option if all else fails.
