182

This is an attempt to ask a canonical question as discussed in this old meta post. The goal is to create something helpful that can be used as a duplicate when non experts ask about virus infections.

Let's say that I have determined beyond doubt that my home PC is infected by a virus. If necessary, you can assume that my computer runs Windows. Answers aimed at the non-technical reader are encouraged.

  • What do I do now? How do I get rid of the virus?
  • Do I really need to do a full reinstall? Can't I just run a couple of anti-virus programs, delete some registry keys, and call it a day?
  • I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?
  • I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?
  • Do I need to worry about peripherals getting infected? Do I need to do anything about my router or other devices on my home network?
Anders
  • 65,052
  • 24
  • 180
  • 218
  • 26
    Easy: you use the system restore disk which was provided with your computer to safely get it back to its factory condition and then apply system updates... Oh, manufacturers do not provide restore disk to end-users anymore, how nice of them :'( ... – WhiteWinterWolf Oct 03 '16 at 13:41
  • 10
    There really isn't just one good answer for this question. Do you have Backups? Do you need backups? Is it spyware? Is it malware? Is it a ransom ware? Do you need to change every password you own? What OS? What Version? Do you have your install CD? Do you actually have a CD ROM? Do you know how to config bios options for boot-able media? Does the Bios have a password? – CaffeineAddiction Oct 03 '16 at 13:51
  • 14
    Related question on Super User: [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](http://superuser.com/q/100360/194694) – gronostaj Oct 03 '16 at 15:44
  • 6
    And the somewhat related Server fault question [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Zoredache Oct 03 '16 at 23:24
  • 1
    @WhiteWinterWolf: actually, if you buy an OEM-installed machine (HP, Dell, et al), they typically come with a *recovery partition*, which is the same as a recovery disk, except it's on your hard disk. If you've wiped this to use the partitioned space, well, that's really your own fault. – flith Oct 04 '16 at 04:55
  • 1
    Don't have time for a full answer but disconnect from the Internet immediately. One of the first things virus will do is disable virus protection so you will just get more. – paparazzo Oct 04 '16 at 06:40
  • @filth: They are basically the same except that recovery partitions can be infected by the virus as well, unlike (physically) read-only storage like CDs / DVDs, making recovery partitions more useful to recover from a wrong manipulation or reset the computer before selling it than to recover from a malware or a hacked environment. Thanks for your message anyway since I was already "pushing" in a comment below CaffeineAddiction post that such point should be addressed in a canonical answer :). – WhiteWinterWolf Oct 04 '16 at 08:35
  • @WhiteWinterWolf: I was under the impression that most recovery partitions were set to be read-only. Sure, that can be circumvented, but it doesn't lead it to be quite the attack vector that you seem to be implying! – flith Oct 05 '16 at 05:56
  • 7
    @filth Here is [a procedure from Microsoft](https://blogs.technet.microsoft.com/askcore/2016/04/26/customizing-the-recovery-partition-after-upgrading-the-os-from-windows-8-1-to-windows-10/) to customize the recovery partition to add *"additional drivers, languages, Windows PE Optional Components, and other troubleshooting and diagnostic tools"*. I do not see any reason why a malicious software or hacker could not use this to increase its persistence. – WhiteWinterWolf Oct 05 '16 at 07:37
  • 1
    A recovery partition on the same secondary media could be altered by a virus. Recovery should of course be from a **read-only** source. And it should rewrite everything on the hardware that is alterable including bios, firmwares - anything that a virus could try to alter. – mathreadler Oct 05 '16 at 16:17
  • A major problem with answering this is deciding how far someone should go. It could potentially include: throwing away all hardware and peripherals (BIOS rookits), changing all credit cards, and more. I wonder if you should put some restrictions in the question, e.g. "This is for a home user so BIOS rootkits are unlikely and we will accept that risk". – paj28 Oct 06 '16 at 08:05
  • @paj28 Thanks for the input. I don't want to put that kind of limitations in the question - it would feel like asuming the answer in the question. I do say it is for a home user, and I think it is up to the answers to decide what is reasonable for the average home user. To some extent that is opinion based, but not completely. – Anders Oct 06 '16 at 08:08
  • If you don't have time to deal with this, plug the computer off the outlet/UPS and, if it is a laptop, remove the battery as well. Do not let anyone put the battery back, i.e. put the battery (and the device) in a safe place where only you have physical access to it. No malware will run during this time. When you have time, NUKE IT FROM ORBIT!! – EKons Oct 07 '16 at 11:56
  • I find it sad to see that people confuse 'best' with 'safest'. It is good to mitigate the worst case scenario somewhat, but please don't ignore the time and discomfort that is incurred each time you would 'nuke it from orbit' just because you have a virus that may be cleaned up easily enough. – Dennis Jaheruddin Oct 08 '16 at 11:17
  • It should be noted that there is a world of difference in perspectives. Most non-technical users just want someone to do the minimally disruptive thing to provide an "apparent" fix. Few are willing to actually tolerate the disruption a _reliable_ fix would require. Most professionals are only willing to offer the reliable fix as they cannot afford to take responsability for the unknown value of the users data (online banking ? are they a scientist ? famous scriptwriter ?) – John McNamara Oct 11 '16 at 14:28
  • Nuke it, and providing you know what you are doing, back to a running state should be fairly quick. Files should be recovered only through offline virus scanning, but you can likely recover most if not all important files. – Baldrickk Dec 18 '18 at 17:06

11 Answers11

177

What do I do now? How do I get rid of the virus?

The best option is what is referred to as "nuke it from orbit." The reference is from Aliens:

Nuke from Orbit

The idea behind this is that you wipe your hard drive and reinstall your OS. Before you do this, you should make sure you have the following:

  • A way to boot your computer off installation media. This can be in the form of the Install CD that came with your computer, or a DVD you burnt from an ISO file (Windows can be downloaded legally here). Some computers do not have CD-ROM drives anymore. Microsoft provides a tool to convert their ISO files to bootable thumb drives. Do not create the install media on the infected computer.
  • Your Original Windows License Key. This can either be on a sticker on the side of your computer or you can recover it from your computer a program like The Magical Jelly Bean Keyfinder (which might contain malware, but it really doesn't matter because you are wiping it all after you get the key anyway). Or an official tool supplied with Windows called slmgr.vbs.
  • Drivers. If you don't have a second computer, you are really going to want to have at the minimum video drivers & network card drivers. Everything else can be obtained online after you reinstall.
  • Any files you want to save. You can back them up to a thumb drive for now, and scan them before putting them on your freshly installed machine (see below).

Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?

In theory, it is not always necessary to fully reinstall. In some cases you can clean the virus off the hard drive without a full reinstall. However, in practice it's very hard to know that you have gotten it all, and if you have one virus it is likely you have more. You might succeed in removing the one that causes symptoms (such as ugly ad popups), but the rootkit stealing your password and credit card numbers might go unnoticed.

The only way to kill everything is to wipe the hard drive, so your best option is always to nuke it from orbit. It's the only way to be sure.


I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?

You may not have time for it right now, but you really don't have time for your email getting hacked and your identity being stolen. It's best to take the time to fix it now and fix it right before the problem gets worse.

While your computer is infected all your keystrokes might be recorded, your files stolen, it might even be used as a part of a botnet attacking other computers. You do not want this to be going on for longer than necessary.

If you really don't have time to deal with it right now, power down the computer and use another one until you have time to fix it. (Be careful with file transfers from the infected to the uninfected computer, though, so you do not contaminate it.)


I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?

Any backups made after the virus infection occured could potentially be infected. A lot of the times they are not, but they could be. Since it is very hard to pinpoint exactly when the infection occured (it may be before you started to notice symptoms) this applies to all backups.

Also, Windows restore points can be corrupted by a virus. It is better to archive copies of your personal files on external or cloud storage.

If you are restoring them from external or cloud storage on a computer that has already been nuked from orbit make sure you scan all the files you are restoring before you open them. Executable files (such as .exe) can contain viruses, and so can Office documents. However, picture and movie files are likely safe in most cases.


Do I need to worry about peripherals getting infected? Do I need to do anything about my router or other devices on my home network?

Peripherals can be infected. Once you have re-installed your OS you should copy all the files off your thumb drive, scan them with antivirus, format the thumb drive, and restore the files to the thumb drive as needed. Most routers will be fine, however, it is possible for DNS settings to be compromised either through a weak password or malicious use of UPnP. This can easily be resolved by resetting the router to factory defaults. You may also want to configure your DNS settings to either google dns or OpenDNS. If you have some type of network attached storage, you should do a full scan of it with antivirus before using any of the files on it.

See Also: Help! My information has been stolen! What do I do now?

THIS IS WORKING DRAFT FEEL FREE TO WIKI/EDIT AS NEEDED

Elhitch
  • 413
  • 3
  • 11
CaffeineAddiction
  • 7,567
  • 2
  • 21
  • 41
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/46530/discussion-on-answer-by-caffeineaddiction-help-my-home-pc-has-been-infected-by). – Rory Alsop Oct 09 '16 at 10:55
  • 3
    This answer needs a section about recovering from the infection because of potentially compromised accounts – Stephane Jun 12 '17 at 06:34
  • @Stephane are you talking about resetting passwords and such or something else? – CaffeineAddiction Jun 07 '18 at 03:45
  • @CaffeineAddiction Passwords are of course part of what I mean but it's larger than just passwords: financial details that could be stored on the machine, credit cards numbers, login cookies, everything that can be used for blackmailing or ID theft, etc. – Stephane Jun 07 '18 at 05:21
  • @Stephane I agree that information should exist though I think it is beyond the scope of this particual question ... I have instead created another question here: https://security.stackexchange.com/q/187436/92213 ... though it might be closed due to having such a broad scope – CaffeineAddiction Jun 09 '18 at 17:11
32

I'm sorry to hear you've got a computer virus. Fortunately, thousands of people deal with virus infections daily, and in most cases, the computer and all data can be restored. By following good online practice you can avoid future infections.

There are two main approaches for removing a virus:

  • Use anti-virus software to perform a "deep scan and clean".
  • Wipe and reinstall the computer - colloquially known as "nuke from orbit".

Using anti-virus software is quicker and easier, but has a greater risk that the virus will silently remain and cause problems later. Wiping and reinstalling is recommended for knowledgeable users. It is normally possible to keep all your data while doing this.

Using anti-virus software

If you do not have anti-virus software already there are various free options (e.g. Windows Defender, AVG Free) and many paid options (e.g. Symantec Endpoint Protection, Kaspersky Internet Security).

Make sure the anti-virus software is up-to-date.

You can then run a full scan of your computer. Some AV software calls this a deep scan. If any viruses are found, you will get the option to quarantine the affected file.

Some advanced viruses have the ability to hide from anti-virus software. To cope with this, some AV software has the ability to "scan on boot". The AV runs before Windows starts, and in this mode, the virus is crippled, allowing the AV software to more effectively remove it. Once complete you can boot into Windows as normal. Other AV software allows you to create a boot disk instead of "scan on boot".

The precise instructions for all this depend on your anti-virus software. Consult the manual for further information.

Wipe and reinstall

The basic idea is to copy all your data onto an external hard drive, then reinstall Windows. This will give you a blank - and hopefully uninfected - Windows installation. You will then need to reinstall all your software, restore all your data, and customise the settings you had before.

Before you start, make sure you have installation media and license codes for all your commercial software. If necessary, you can extract a Windows and Office product key from your installation. You can also download disk images from Microsoft - provided you have a product key.

You need to carefully backup all your data onto an external hard drive. It can be difficult to get everything. People often forget their address book and bookmarks. This is a stressful point, because once you start reinstalling Windows, you lose the ability to recover further data. As an alternative, you can buy a new hard disk, and put the old hard disk in a USB enclosure like this.

You then need to reinstall Windows, all your other software, then restore your data and settings.

Avoiding reinfection

You must follow basic security practice:

  • Keep all software up-to-date. Secunia PSI helps you check software is up-to-date.
  • Run anti-virus software, and keep it up-to-date.
  • Enable the firewall (this is on by default in recent Windows versions)

Beyond this, you need to exercise care. It is difficult to explain precisely how to do this, but here is some basic guidance:

  • Be careful where you click.
  • Be especially careful when downloading software. Every exe file you download gets full access to your computer.
  • Take care with removable media. Some viruses have executable files that look like folder icons. But if you click them, you will be infected.
  • Take care with shared drives, which may be on a NAS, or in cloud storage like DropBox.

While your computer had a virus, it is possible that all your passwords have been captured. You should at least change your passwords for online accounts that are important to you, e.g. web mail, social media, online banking. It usually isn't necessary to change low value passwords for forums and e-commerce sites.

It's also possible that credit card numbers have been compromised if you have used them on this computer. I believe this is fairly rare, and changing your cards is a (modest) hassle. Instead, hold on to your cards, keep a close eye on your statements and change the cards if fraud occurs.

If you've followed this through to the end, well done! It is not an easy process, and you will hopefully have recovered from the infection. Take care online - but don't be afraid of your computer.

paj28
  • 32,906
  • 8
  • 93
  • 130
25

Honestly, "non-technical users" are typically unaware of the basic conceptual difference between a data "file" and an "application", nevermind the minefield of subtleties in the advanced war game between malware and anti-malware experts. The only sane answer is...

  1. Don't panic.
  2. Switch off the PC immediately and disconnect ALL cables and removable batteries.
  3. Go to a trusted PC and change all your online passwords immediately.
  4. Bring your PC (and any and all attached devices including your internet "box") to a competent professional and tell them ...
    • "I think I have a virus, please verify that before continuing"
    • "backup all my user files to DVDs"
    • "wipe EVERYTHING on the devices and install a new operating system on the PC"

If they act like an anti-virus tool will "fix it" instead, they are not professionals, find someone else.

John McNamara
  • 696
  • 5
  • 7
  • 9
    This is the best answer for non-technical users by far. If they come here to ask what to do about a virus, they cannot be trusted to disconnect from wifi or sufficiently nuke a hard drive on their own. – thunderblaster Oct 07 '16 at 14:50
  • 2
    "If they act like an anti-virus tool will "fix it" instead, they are not professionals, find someone else." - very good point! – Andrey Sapegin Feb 01 '17 at 11:30
15

I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?

The very first thing you should do upon determining your machine is infected is isolate it. This means you must completely disconnect it from the internet and your local network, and disconnect any peripheral devices with the exception of the bare necessities to clean it.

To take it offline, if the machine is connected via a network cable, pull it out. If it is connected via WiFi, then perform these steps if possible (in order):

  1. Unplug your WiFi router. (Not necessary, but the safest thing possible.)
  2. Disconnect from WiFi.
  3. Disable your WiFi driver on the infected machine.

Recommended:

  1. If your local WiFi network has a password to connect to it, change it. If it does not have a password, create one using the strongest encryption algorithm your router and clients support.
  2. If your router has the option, block the MAC address of the infected machine from connecting to WiFi.

Note that the reasons for 2-4 above is that a sophisticated virus could re-enable the WiFi driver and reconnect to your network (or any network). It's possible the virus could also know all of your current passwords for anything you access form that machine, including your WiFi password.

Once the machine is isolated you should be relatively safe to continue on with your life until you have time to deal with it. Until the machine is cleaned all file transfers should be done via a thumb drive, CD/DVD, external drive, etc. That being said, before you do anything else, immediately change your email password and all passwords that you have ever typed in from (or stored on) the infected machine from a non-infected machine. You probably cannot remember anything, so focus on:

  1. Email passwords: Gmail, Yahoo, Hotmail, Outlook, and any corporate accounts

  2. Financial passwords: banks, retirement, stock broker, sites like Mint.com

  3. Shopping passwords

Anders
  • 65,052
  • 24
  • 180
  • 218
TTT
  • 9,132
  • 4
  • 19
  • 32
  • 18
    I think this is wrong: *If you know with 100% certainty the exact moment that you got the virus, then you could just limit it to those passwords you entered in after that moment in time*. Other passwords could have been saved in browser, email apps, etc. or even swap space. that would be readable by the malware. You really need to treat *all passwords ever entered on the machine* as compromised. – R.. GitHub STOP HELPING ICE Oct 03 '16 at 16:37
  • @R.. - Right. I tried to address that re: password managers, but I agree with you that wasn't sufficient. I've updated the wording. Thx. – TTT Oct 03 '16 at 17:03
  • Why can't the virus spoof the mac address? And why do you need to block the address when you have a strong password? – Tim Oct 03 '16 at 21:57
  • @Tim the virus CAN spoof the mac address, I imagine that's the point. If you suddenly see a machine with a new mac address appear on your network, or you see the infected one pop up, in either case you now know something more about the infection. As for blocking the address even when you have a strong password, as explained in the answer even a strong password can be compromised (read from memory, saved in a configuration file somewhere, lots of possibilities). – Cronax Oct 04 '16 at 07:20
  • @Cronax a newly changed password can be compromised?! I get this is [security.se] but at some point it gets to paranoia... – Tim Oct 04 '16 at 07:27
  • 2
    @Tim Many consumer-market routers use the same or similar firmware. All it takes is one exploit and your new password is equally compromised. Either way, this is not a question of "is this too paranoid", it's a question of risk/reward vs opportunity cost. It's very easy to block the mac address and keep an eye on the list of mac addresses in the router to see if a new one pops up. It may not be necessary, but since you don't have to go too far out of your way to do it, it may well be worthwhile. – Cronax Oct 04 '16 at 07:32
  • @Tim - yes, a virus could spoof a MAC, but you shouldn't not lock a door just because it's possible a thief could pick the lock. As for why block the MAC if you have a strong pw- I agree with you that is probably overkill if you use strong encryption and a strong pw. But there are still some old routers out there with weak encryption, or some people have very old WiFi devices and choose to use the weaker encryption on their router. We also can't guarantee that the average person would choose a strong password. – TTT Oct 04 '16 at 16:04
  • 3
    @TTT I'd treat my newly installed machine as being on parole for a few days. That means I wouldn't immediately change my email passwords etc using that machine: I'd do it from a different one that I trust. Certainly I wouldn't change them using the PC before it was "dealt with". Is that worth emphasizing in your answer? (I guess it's implicit - you can't change email pw if you've isolated it from network, but it's not quite clear). – SusanW Oct 05 '16 at 17:58
  • You shouldn't do file transfers from a compromised machine ***period***. And certainly not with read\write media - any r/w device that comes in contact with the infected machine should also be assumed to be compromised. – Comintern Oct 05 '16 at 18:29
  • 1
    How do you deal with BIOS alteration, USB firmware modification etc.? – Harper - Reinstate Monica Oct 06 '16 at 02:15
  • 2
    @Tim sure, how many times have we seen it on TV? Bad guys create a false situation where the hero would need to use his Secret Access Code. Hero uses Secret Access Code. Bad guys go "Thank you" and cause mayhem. Happened a lot on ST:TNG because that was before we thought about 2-way challenges. Classically, Picard sees a holodeck exit door (he didn't call for it), goes through it, closes the door, and uses his codez. *He's still in the Holodeck.* Same with your PC, you're frantically trying to recover everything unawares the virus is still listening. – Harper - Reinstate Monica Oct 06 '16 at 02:19
  • @SusanW - somehow I missed your comment until now. Yes, that was implicit. I thought it was obvious that you would have to change your passwords from a different machine since the infected one is completely disconnected. Looks like someone already added that edit to make it more clear. – TTT Dec 05 '16 at 16:09
  • @TTT I thought _implicit_ made it a bit weak. I was hearing _"... but obviously I had to reconnect it to change my password! How else would I...?"_ from people who only have one computer. Much clearer now, cool. – SusanW Dec 05 '16 at 19:47
8

Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?

Unless you know a lot about malware and understand how the malware you have works, then no, you will never be certain that you've caught everything.

For example, with ransomware, it is very common for it to plant a second "sleeper" virus on the computer which won't trigger for maybe 6 months.

Ideally, as others have commented, you need to reset the BIOS and completely reset all disks removing all trace of existing partitions before getting a new copy of the OS and starting again.

However, if you really can't do that and you can't afford to pay someone to do it for you and you don't mind living on the edge and don't want to do online banking and don't mind running additional anti-malware tools for the next year - then you could take a punt, there's a reasonably chance that, if you cleaned it well, you might get away with it.

Julian Knight
  • 7,102
  • 18
  • 23
  • I would recommend putting them all in the same answer. (But maybe I should not have asked such a broad question in the first place.) – Anders Oct 03 '16 at 19:58
  • I don't mind them being combined if someone wants to compile the best canonical answer. However, I think that the answer becomes long and difficult to follow if everything is lumped together. Either way, you might want to wait until things settle and then you can pick out the best parts. Maybe someone should flag your Q as too broad ;-) – Julian Knight Oct 03 '16 at 20:01
  • Yeah... I was worried about the flagging but so far reception seems to be positive. Not sure I was clear, what I meant was putting all *your* answers in one post, not putting all of everybodies answers in one. – Anders Oct 03 '16 at 20:08
  • I think the idea is sound. Actually I deliberately kept them separate to allow each to be commented on more easily. I noticed that it is really hard to follow what is happening with @CaffeineAddiction's post. Happy to combine if nobody comments on them. – Julian Knight Oct 03 '16 at 20:15
4

I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?

It is not totally safe but it is likely to be fairly safe as long as you take basic precautions.

Assuming you have now a clean machine. Ensure that it has up-to-date and good anti-virus, also create a non-admin user and log in with that.

Images are less likely to be infected so start by downloading those. Now's a good time to run a couple of additional anti-malware checkers as a one-off. Then make a new backup assuming your tools found no issues.

Next do the same with your really critical documents. Make sure you open them to ensure that they are not corrupted and also to find out the worse in case they are infected. Run the malware checkers again then run another backup.

Then do the same with other documents.

Finally, change your backup routine to automatically make multi-version backups no more than 1 day apart if you can, preferably on file change if possible.

If you want even more safety as you go through this, consider using a virtual machine such as using VirtualBox.

Julian Knight
  • 7,102
  • 18
  • 23
4

Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?

A virus (or more likely a worm) has to operate on its own to circumvent your security. For most attack vectors it has to do so using moderate amounts of code. Antivirus software may eventually be able to detect that bit of code based on some of its characteristics, even if it rewrites itself to avoid detection.

But once you have the virus on your system, it can contact some controlling server and invite additional code onto your computer. In this case, there are fewer size limitations, and there may even be some live interaction with the person or team which initiated the virus. So here you are up against clever people loading a ton of malicious code onto your machine, as opposed to the one solitary piece of code you had before. Chances are that amongst all that stuff there is at least some code (which probably doesn't propagate on its own) which hasn't been recorded by antvirus specialists yet.

Furthermore, an active piece of malware may well be able to prevent antivirus software from doing its job. It may have installed a rootkit into your OS kernel which hides the files it's using from all other software, so they can't be scanned. It might be terminating your malware removal tool and then show an “all is fine” message it generated itself. You can never be sure that this is not what's happening.

So the moment your computer is compromised, it's no longer your computer. Anything you do on it may be intercepted and redirected by whoever got the infection there. Nuke it from orbit.

MvG
  • 745
  • 5
  • 10
3

Prevention

An ounce of prevention is worth a pound of cure. You should be running virus protection and regular updates. Have virus eradication (different than protection) software already installed. An example is Malwarebyte Anti-Malware. There are also root-kit specialty virus removal.

Have backups of you data. Cycle them so you also have some old(er) backups. Don't leave your backup device plugged in - if the virus is going to corrupt or lock data then it has access to your backup. Cloud service for the $5 / month is money well spent.

Use Firewall protection.

Symptoms

Sluggish. High CPU but no programs admits to using the CPU. Update on OS and / or virus protection fails. Virus protection won't start.

Removal

Removal is not always successful and it can be very time time consuming but if it works then you still have all your programs, setting, data.

I have gotten dozens of viruses and have always been able to remove them. In one case it had hacked up the registry enough to be a problem. But I was going to upgrade anyway so I just applied and upgrade.

Hopefully you already have removal program(s) installed.

Don't just Google Virus Removal and download the first you find. Some are just viruses themselves. There are known names. And some good free stuff.

Disconnect from the Internet. A virus will typically disable virus protection so 1 virus can quickly turn into 20. And it may be scanning to PC to send data to the mother ship.

Run you virus removal program(s). Sometimes you need to boot in Safe Mode. By booting in Safe Mode some of the viruses don't load so they are easier to find and delete. Hopefully that cleans up some stuff.

Connect to the Internet and update the virus program and run them again. If they say clean you may be good to go.

The run all your OS updates.

Some times the virus is gone but it hacked with the registry and thing still don't run right. There are registry repair tools - typically free from the OS vendor.

Recovery

Run recovery from you recovery partition or original media. Make sure and immediately install updates. You might lose minor stuff with a recovery.

Worse Case

Some viruses require a reformat and re-install. The problem here is you have to re-install EVERYTHING.

paparazzo
  • 181
  • 7
  • Are you saying that you should not always do a complete reinstall? – Anders Oct 04 '16 at 12:56
  • @Anders You can if you want. A complete reinstall will include reinstalling all your applications. Even a successful recovery can leave you with some clean up. And then you have to download and install all the updates. – paparazzo Oct 04 '16 at 12:59
1

In agreement with @CaffeineAddiction: Nuke it from Orbit. Reinstalling the operating system is the only way to be sure that your OS is safe. The difficult process is identifying everything that must survive a reinstall. Here are some pointers to consider.

If I left anything out, feel free to update/edit.

Identify Critical Files

Identify files on the current system that must be saved. Common places to check include:

  • Documents/My Documents - typical location for saving files of all sorts.
  • Downloads - look through this folder for photos and other personal files. Do not save installers as those should be downloaded again.
  • Desktop - another location where critical files are saved.
  • Browser Bookmarks/Favorites - each browser handles bookmarks/favorites in a different manner. Identify what browsers are installed and export/backup.
  • Alternate Drive - some users will store files on a separate drive. Whether that drive is a different partition on the same disk, a thumb drive, or an external drive.
  • Photos - identify where photos are stored.
  • Music - identify where any music files are stored.
  • Email - if email clients are used, identify where the files are stored.
  • Other - work with the user to identify what they use the computer for. If they work on CAD files, find where those are stored. If they work in Photoshop, find where those files are saved. Etc.

Identify Critical Programs and Licenses

Look through the installed programs and find those that are required. Ensure you have the install media and licenses for those programs. If not, identify how the installers and licenses can be obtained before reinstalling the OS. Examples include Photoshop, AutoCAD, Antivirus, etc.

If possible, download a fresh copy of the program after the operating system has been installed. Ensure the fresh copy can be used with the applicable license.

Identify Website Logins

Many users will save their credentials for autologin. Ensure they have the password before reinstalling.

If a password manager is being used, note the program being used and its version. Confirm an export/backup of the installed version is compatible with the most current version available.

Consider asking the individual to test their logins before reinstalling. Preferably the verification should occur on a clean system.

Identify Peripherals

Identify any peripheral equipment connected to the system that will need drivers.

  • Printers
  • Scanners
  • etc.

Document Network Configuration

Document the network configuration and any wireless network configurations that need to be saved.

Consider downloading a fresh copy of the network drivers onto a clean system and copy/burn them onto a CD, thumb drive, etc. This is because some drivers are not natively supported by the operating system. Having a clean copy of these drivers to install after reinstalling the operating system will greatly expedite the process.

Identify Sensitive Credentials

Identify any sensitive credentials used on the compromised system.

Change these passwords as soon as possible on a clean system. If this isn't possible, change the passwords after the system has been reinstalled and all security updates applied.

Examples include:

  • Banking website credentials
  • Priviledged Account credentials

Perform Backup

Backup all files, licenses, etc. to an external/thumb driver, network share, or cloud drive. Exclude any programs that can be downloaded as a fresh install such as Firefox.

Reinstall the Operating System

With everything critical saved, wipe the entire disk and reinstall the desired operating system.

Install Drivers

Install the necessary drivers to get the system functional, not optimal.

Restore Network Config

Configure the network cards to the previous configuration so updates can be downloaded.

Install Security Updates

Ensure that all security updates are installed for the operating system as well as any drivers.

Install Programs and Update

Install any critical programs identified from above and ensure all associated security updates are installed for it.

Post-Install Config & Restore Files

Restore files that were previously backed up. Configure programs/applications with the appropriate licenses. Restore browser bookmarks/favorites. Ensure the user's environment is similar to how it was prior.

Change Passwords

If you know when the virus got onto the system, change passwords for any accounts that were used on the system during that time. For example email accounts, forums, etc. If any of the prior accounts have the same password as an account that wasn't used, change the password on that account too. In fact, consider that password compromised. Any account using the same password as one used when the system was compromised, change the password to something complex and unique.

user2320464
  • 1,832
  • 1
  • 16
  • 18
0

Coming from a different question to this one I have to note that currently malware may reside in (from most common to least common):

  • UEFI BIOS
  • SSD/HDD flash ROM
  • NIC/Ethernet flash ROM
  • Old GPU ROM (modern GPUs ROMs are digitally signed and it's impossible to circumvent it)

The development of malware for any of these ROMs costs astronomical amounts of money, so if you're an average user who's not targeted by foreign states or three-letter agencies there's no need to worry. A complete disk wipe is enough to rid your PC of any malware.

Artem S. Tashkinov
  • 2,217
  • 6
  • 17
  • Do you have any references to back this answer up? – user Jul 23 '20 at 20:37
  • UEFI Malware: https://arstechnica.com/information-technology/2018/10/first-uefi-malware-discovered-in-wild-is-laptop-security-software-hijacked-by-russians/ HDD ROM Malware: https://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html NIC ROM Malware: https://www.computerworld.com/article/2505096/researcher-creates-proof-of-concept-malware-that-infects-bios--network-cards.html GPU ROM Malware: https://arstechnica.com/information-technology/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/ – Artem S. Tashkinov Jul 23 '20 at 20:47
-4

COMPACT answer:

I am always happy to help non-technical users. If you are not sure, what should you do, you can follow these instructions (compressed decription, I will not explain everything in detail, but willing to edit upon ask). This is not an ideal situation, and nothing is 100% secure, BUT:

  1. Backup your files which are more important to keep than securing your computer from them if they are infected.
  2. Do a full reinstall. If you do not wipe your drive properly, the virus will be still there (recommended to change partitions and rewrite SSD with a pattern - if you do not know what it is, just wipe your full drive).
  3. Set up new password for new usernames.
  4. Run a scan with your updated antivirus on your personal files.
  5. Reset the admin and wifi password on the router and the user passwords. Reset other password/security question in email, or banking.

  1. Download a recent, popular, easy-to-use Linux (Mint/Ubuntu https://www.youtube.com/watch?v=VUDhb_HGInQ), and start learning it, to convert your files(if needed) to leave Windows. Yes, I am serious, this will dramatically decrease chances for viruses.
  2. Install a firewall, antivirus and antirootkit app on Linux, be suspicious about the internet, pendrive, and your computer.

Feel free to ask.

TriloByte
  • 241
  • 2
  • 8