What should you do when someone hands you a computer, tells you they think it has a virus, and asks you to clean it?
Proceed carefully, that’s what. You don’t want to infect your other computers with whatever it has.
To get it gone safely and effectively, you really need two things: an antivirus live CD, and a spare router.
Several antivirus vendors offer free live CDs. These boot into a Linux-based environment, then scan the Windows installation on the computer. This is more thorough, since it has free rein over every file on the drive. And theoretically it can be faster, since the antivirus software doesn’t have to compete with viruses and spyware for computer power. I still hesitate to call any virus scan “fast,” however. The last scan I did took about a minute per gigabyte, so if you’re scanning a system with a large drive that’s nearly full, expect it to take a while.
There are lots of live CDs out there. I like Bitdefender, since it’s been around a long time. You can even load the Bitdefender CD onto a USB flash drive, for greater portability and boot speed.
Bitdefender will boot up, connect to the Internet, download signature updates, then scan the drive and ask what you want to do about its findings.
I strongly suggest having a spare router for the next step. Configure this router to work on straight DHCP, and to use a non-routable network different from your regular home network (if your home network is 192.168.1.x, configure the router to use 192.168.2.x). Plug this router’s WAN port into an available Ethernet jack, then plug the suspect computer into one of the router’s ports. This safely firewalls the suspect computer off from the rest of your network.
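The following Python script is an added example, not code from the original post. It does two things for the spare-router step: it picks a private /24 for the spare router that does not overlap the home LAN (the 192.168.1.x to 192.168.2.x advice above), and it models what a plain consumer NAT router with no port forwards actually lets through, so you can see the asymmetry: the home LAN cannot reach the suspect PC, but the suspect PC can still initiate connections toward the home LAN unless the router also has an egress rule blocking the NetBIOS/SMB ports. All addresses, port lists and sample flows are constructed values, and the three functions are hypothetical helpers written for this example.

```python
"""Added example for the spare-router step; not code from the original post.

  1. pick_isolation_subnet(): choose a private /24 for the spare router that
     does not overlap the home LAN.
  2. flow_allowed(): a model of what a consumer NAT router with no port
     forwards permits, so the one-way nature of the isolation is visible.
All addresses, ports and flows below are constructed sample values.
"""
import ipaddress

# RFC 1918 ranges; the spare router's LAN must come from one of these.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# NetBIOS name/datagram/session and SMB: the ports worth blocking toward the
# home LAN if the spare router offers an egress or access-rule feature.
NETBIOS_SMB_PORTS = frozenset({137, 138, 139, 445})


def pick_isolation_subnet(home_cidr, candidates=None):
    """Return the first candidate /24 that is private and disjoint from home.

    Default candidates are 192.168.1.0/24 ... 192.168.254.0/24 in order, so a
    192.168.1.x home LAN yields 192.168.2.0/24, as the post suggests.
    Raises ValueError when every candidate overlaps (e.g. a /16 home LAN).
    """
    home = ipaddress.ip_network(home_cidr, strict=False)
    if candidates is None:
        candidates = [f"192.168.{n}.0/24" for n in range(1, 255)]
    for cidr in candidates:
        net = ipaddress.ip_network(cidr, strict=False)
        private = any(net.subnet_of(r) for r in PRIVATE_RANGES)
        if private and not net.overlaps(home):
            return str(net)
    raise ValueError(f"no private candidate is disjoint from {home}")


def flow_allowed(src, dst, dport, home_net, isolated_net,
                 egress_block_ports=frozenset()):
    """Model the spare router's decision for one flow (src -> dst:dport).

    Assumptions (a plain consumer router, DHCP on, no port forwards/DMZ):
      * traffic that never touches the isolated segment is not its business;
      * flows originating inside the isolated LAN are NATed out, except those
        to the home LAN on a port listed in egress_block_ports;
      * unsolicited inbound flows toward the isolated LAN are dropped.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_iso, dst_iso = src in isolated_net, dst in isolated_net
    if not src_iso and not dst_iso:
        return True                      # router not on the path
    if src_iso and dst_iso:
        return True                      # same segment, switched locally
    if src_iso:                          # outbound via NAT
        return not (dst in home_net and dport in egress_block_ports)
    return False                         # inbound to isolated LAN: dropped


def evaluate(home_cidr, isolated_cidr, flows, block_netbios=True):
    """Run a list of (label, src, dst, dport) flows through the model."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    iso = ipaddress.ip_network(isolated_cidr, strict=False)
    ports = NETBIOS_SMB_PORTS if block_netbios else frozenset()
    return {label: flow_allowed(src, dst, dport, home, iso, ports)
            for label, src, dst, dport in flows}


# Constructed sample flows: 192.168.1.0/24 is the home LAN, 192.168.2.0/24
# the spare router's LAN, 192.168.2.50 the suspect PC, 192.168.1.20 a home PC.
SAMPLE_FLOWS = [
    ("home-pc -> suspect smb",     "192.168.1.20", "192.168.2.50", 445),
    ("suspect -> home-pc smb",     "192.168.2.50", "192.168.1.20", 445),
    ("suspect -> home-pc netbios", "192.168.2.50", "192.168.1.20", 139),
    ("suspect -> home-pc http",    "192.168.2.50", "192.168.1.20", 80),
    ("suspect -> internet https",  "192.168.2.50", "203.0.113.10", 443),
    ("home-pc -> internet https",  "192.168.1.20", "203.0.113.10", 443),
]

if __name__ == "__main__":
    iso = pick_isolation_subnet("192.168.1.0/24")
    print("isolation subnet:", iso)
    for blocking in (False, True):
        print(f"\negress NetBIOS/SMB block: {blocking}")
        results = evaluate("192.168.1.0/24", iso, SAMPLE_FLOWS, blocking)
        for label, ok in results.items():
            print(f"  {label:28s} {'allowed' if ok else 'BLOCKED'}")
```

Run it and compare the two result tables: without the egress rule, the suspect PC's SMB flow toward the home PC is still allowed, because NAT only stops unsolicited inbound traffic. Adding the egress block closes that while leaving HTTP and Internet access open, which the later antivirus-update step needs.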
Now, boot the computer into Windows and see if you can figure out how it got infected in the first place. Why firewall it now that it’s been cleaned? As effective as Bitdefender is, I don’t want to bet that it found everything. Not when my network is at stake. Your goal is to get the system healthy enough to be usable again, and let the natural course of antivirus updates catch anything you can’t catch immediately. The only way to absolutely, positively guarantee it’s perfectly clean is to do a total rebuild, which you probably don’t have time to do.
So, now that you’re safely firewalled off, boot the computer, and let the antivirus software (if any) download updates. If the software is expired, uninstall it and install Microsoft Security Essentials. If there’s no software installed, install Microsoft Security Essentials. (If you’re going to be doing this a lot, it’s a good idea to keep the installation files for MSSE handy on a USB drive.)
Do whatever you have to do to get current, functioning antivirus software installed, then let it do its own scan. It’s probably a good idea at this point to install and run a couple of antispyware utilities like Ad-Aware and Spybot Search and Destroy. When it comes to viruses and spyware, it’s a good idea to get a few opinions, since nothing cleans absolutely everything.
While you’re at it, be sure to configure Windows Update to automatically download updates, and let Windows Update apply all of its patches.
If you’re going to do this a lot–there are plenty of infected computers out there, and people are understandably nervous about the repair services offered at consumer electronics stores–I suggest you keep the following on a flash drive to save yourself time and effort:
ctupdate — for downloading and installing service packs and updates
MSSE installation files
Ad-Aware installation files
Spybot S&D installation files
And, especially during the holiday season, there’s always a very good chance you’ll be asked to look at relatives’ computers. Be sure to keep people’s expectations in check. It takes a minimum of an hour to clean an infected computer based on the conservative assumption that it has about 40 GB of data on it. That’s 20 minutes to download and burn a live CD, and 40 minutes to clean it. It can take several hours to actually clean an infected computer properly.
If you expect you’re going to get bombarded with these sorts of requests as you travel for the upcoming holidays, you may want to head it off by burning a few copies of live CDs, then handing a CD to anyone who asks you the question.
You may not be able to cure everyone’s computer issues that day. Just like my dad, who was a radiologist, couldn’t cure everyone’s medical maladies before and after Christmas dinner. Of course people asked him questions, but most people also understood he didn’t carry his office with him, and that being a radiologist didn’t make him an expert in every field of medicine. Dad spent a lot more time watching football on holidays than he did practicing medicine. On the holidays where he wasn’t actually working in a hospital, that is. And while my uncle, who’s a carpenter, undoubtedly will field a few questions about tools and woodworking, he doesn’t spend his holidays doing odd jobs around his relatives’ houses. So I don’t necessarily think it’s bad form to hand a relative a CD if they think they have a virus. It’s better form than writing a URL down on a napkin and saying “Download and burn this.”
And if you’re looking for a little work on the side, here you go. It would be easy to give faster turnaround and better prices, not to mention better quality work, than the consumer electronics stores for this service. And there’s more than enough of this kind of work to go around. Do a dry run on a couple of junker PCs to get your process down, then put an ad on Craigslist and wait for your phone to start ringing.
For anti-spyware anti-bad-things software, may I also recommend MalwareBytes?
I’d seen it recommended for a while, and when I started having trouble getting updates from AdAware, I tried MalwareBytes. Works a treat – quick and easy, and picks up things that AdAware and Spybot S&D miss (just as they pick up things it misses). Highly recommended to use at least two of them – too often for complacency one will leave something for the other.
As for the standard of use of the English language by USAmericans, David as a professional writer you disappoint me. All too often of late I have noticed that USAmericans can’t tell the difference between rein and reign, or if they can tell it they have forgotten when to use it. The term is free rein, as in letting the horse have his head, letting loose the reins, not reining him in. Altogether different from what you wrote, being a fan-boy of George III, and approving his policy towards the Americas and the Americans.
It’s called getting in a hurry and making a mistake, even though you know the difference. For some reason, when I do that as a writer it’s a much bigger deal than when I do it as a sysadmin.
How effective is it to put the infected computer behind a firewall, but have that firewall on your own network? The infected PC can initiate scans. Of course, hopefully it won’t be smart enough to figure out what IP space your real network is using, but if it is, you’ve essentially protected the infected computer from your network, not the other way around.
But certainly for most things, just isolating the IP space is all you need.
The router should block traffic on the NetBIOS ports, correct? That’s the main goal–getting the computer on a separate IP space, and blocking the ports the malware is most likely to be able to use to spread.
Dave. Thanks for the information in this article.
Don disappoints me with his rude comment about your grammar. I have a degree in communication disorders and believe he would benefit from some therapy in the area of pragmatics (social skills).
Yes. Grammar is part of my degree also. Keep up the awesome writing! You rock! Way to reign in the readers! Will definitely use YOUR information for my computer.
Happy Holidays! Cheerio! Emily