
I had a machine that was having troubles accessing common sites like Hotmail and Facebook. A virus was suspected. I'll walk you through the steps I took to clean the machine.

This is another of those questions that no one specifically asked (though it does come in frequently, in various forms). Rather, this is a scenario that I experienced myself earlier this week.

A friend who has one of my older laptops on loan came to me and told me that it had become slow and that websites like Hotmail and Facebook had stopped working. Sometimes, it wouldn't even connect to the network.

My first suspicion was malware, for which I had good cause. You see, a couple of weeks earlier, my friend had clicked on one of "those" links – the ones that come to you as a result of someone else's email account having been hacked.

Whoops.

While it hadn't done anything immediately, it was high on the list of suspects.

The machine's working again, so I want to outline the steps that I took to clean it up. They're fairly generic and can be used in many, many situations, but perhaps not all of them are obvious.

Back up

Regular readers will have seen this coming.

The very first thing that I did was create a backup image of the machine. Yes, this backs up the potentially infected machine.

I do this as a safety net; it establishes a "can't get any worse than this" point in time. No matter what I do to the machine from this point forward I still have all the original files backed up should they need to be restored. By having a complete image of the system, I can also revert to this state should something I do in the process of "fixing" it actually end up making things worse. By restoring the backup, I can start over and try again.

The technique that I used was perhaps novel, but an important one.

I did not boot the machine normally. In fact, I didn't boot the machine from its hard drive at all. Instead, I booted the machine from a copy of Macrium Reflect rescue media on CD.

Most backup programs allow you to create bootable rescue media of some sort, with the intent that when you need to restore a complete disk image, you can boot from that media and perform the restore.

Overlooked is the fact that in many cases (including that of Reflect), the rescue media can also be used to perform a backup.

So, that's what I did. I booted from the rescue media, attached an external USB drive, and created a complete image of the laptop's hard drive on that external drive. I then saved that elsewhere, should I ever need it.

Turns out I did not, but as I said – it's the ultimate safety net.

Windows Defender Offline

My next step was to run anti-malware tools on the machine, but ideally once again, without actually booting Windows from the hard drive.

There are several bootable anti-malware tools available. I selected Windows Defender Offline (formerly known as the Microsoft Standalone System Sweeper). Using another machine, I downloaded a copy and burned it to CD. I booted the laptop from this CD and let Defender perform a complete scan.

The reason why booting from something other than the machine itself is so important is that when you boot from an infected hard disk, any malware that may be on it gets the opportunity to execute. That means that it can interfere with anti-malware scans that you perform, sometimes even preventing them. It also gives the malware an opportunity to try and hide from the scanners.

By booting from anything but the possibly infected system, that malware never gets the chance.

After the Windows Defender scan came up clean, I felt that booting the machine was somewhat safe.

Microsoft Security Essentials

With the machine now running Windows XP (SP3, fully up to date), I then made sure that Microsoft Security Essentials was also up to date and ran a complete scan again.

It's possible that this is redundant with Windows Defender Offline. They are basically the same technology and quite possibly could be running off the same malware databases. But without absolute confirmation that they would be the same, I simply elected to take the safer route and run a complete scan again.

And once again, the scan came up clean.

Malwarebytes

Particularly because Windows Defender Offline and Microsoft Security Essentials might have been the same scan run twice, and they were likely to at least be similar, running a scan with a different tool is always a good idea.

I often recommend running the free tool Malwarebytes Anti-Malware. In this case, I took my own advice. I downloaded the latest copy and ran a complete scan.

Once again, the scans came up clean.

I'll admit part of me liked how this was looking.

Rootkit Revealer

What distinguishes a rootkit from other forms of malware is its ability to hide. A rootkit actually infiltrates the operating system at a low level and causes the very functions that report the presence of files to "conveniently" overlook the files that comprise the rootkit itself. The rootkit might live in C:\Windows, but listing the files in that folder would simply not list the rootkit's own files by virtue of the rootkit filtering the results.

Theoretically, the effects of a rootkit would have been bypassed by having booted Windows Defender Offline from CD. However, when malware is suspect, I'm a big believer in scanning too much rather than not enough.

Rootkit Revealer is a tool from the same folks at Microsoft (the Sysinternals team) that bring you Process Explorer.
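To make the hiding mechanism above concrete, here is an added example (my own illustration, not code from Ask Leo! or from Sysinternals) of cross-view detection, the general idea RootkitRevealer documents: take one listing through the normal file-enumeration API on the running system, take a second listing from an independent source such as an offline parse of the disk or a scan booted from rescue media, and report anything the live view is missing. The "rootkit" here is a constructed filter wrapped around a listing, and the directory contents are constructed sample data, so nothing touches a real system.

```python
"""Cross-view detection of hidden files.

Added example, not code from the article or from Sysinternals. RAW_VIEW,
api_listing_hooked, normalize and cross_view_diff are all constructed for
this illustration.
"""
from dataclasses import dataclass, field
import re

# Constructed "raw" view: what an offline parse of the on-disk structures
# (or a scanner booted from rescue media) would see for C:\Windows.
RAW_VIEW = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\hidden_driver.sys",   # constructed rootkit component
    r"C:\Windows\System32\hidden_config.dat",   # constructed rootkit component
    r"C:\Windows\Temp\tmp0001.tmp",
}


def api_listing_hooked(raw_view, hide_pattern):
    """Model of the API view on a running, infected system: the enumeration
    function returns the real contents minus anything matching the
    rootkit's filter. This is the filtering the article describes."""
    rx = re.compile(hide_pattern, re.IGNORECASE)
    return {p for p in raw_view if not rx.search(p)}


def normalize(path):
    # Windows paths are case-insensitive; compare in one case and with one
    # separator style so the diff reports real discrepancies only.
    return path.replace("/", "\\").lower().rstrip("\\")


@dataclass
class CrossViewResult:
    hidden: list = field(default_factory=list)   # in raw view, not in API view
    phantom: list = field(default_factory=list)  # in API view, not in raw view


def cross_view_diff(api_view, raw_view, ignore_pattern=r"\\temp\\|\.tmp$"):
    """Compare the two views. Entries only the raw view has are the
    interesting ones: something between the disk and the caller is
    filtering them out of the live listing. Volatile locations (temp
    files) are skipped to cut false positives caused by files created or
    deleted between the two snapshots, which a real scan must also tolerate."""
    ignore = re.compile(ignore_pattern, re.IGNORECASE)
    api = {normalize(p) for p in api_view if not ignore.search(p)}
    raw = {normalize(p) for p in raw_view if not ignore.search(p)}
    return CrossViewResult(hidden=sorted(raw - api), phantom=sorted(api - raw))


def demo():
    # The constructed rootkit hides every path containing "hidden_".
    api_view = api_listing_hooked(RAW_VIEW, r"hidden_")
    return cross_view_diff(api_view, RAW_VIEW)


if __name__ == "__main__":
    result = demo()
    for p in result.hidden:
        print("hidden from API view:", p)
    for p in result.phantom:
        print("present in API view only:", p)
```

The point of the second view is independence: a listing taken from rescue media never passes through the hooked functions, which is the same reason the article scans with Windows Defender Offline before booting the installed system at all.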

And it turned up nothing.

At this point, I made the careful assumption that malware was not at play here and moved on to more generic cleanup activities.

CCleaner

With the browser acting as it had been, it's tempting to just clear the browser cache. In fact, clearing the browser cache is one of our more common answers to assorted questions that come in to Ask Leo!.

In this case, however, I wanted to be a little more thorough, so I elected to fire up CCleaner instead.

CCleaner will clear the browser cache, but it'll also clean much more. The biggest additional offender is often Windows' own temporary files folder, but CCleaner actually runs around and cleans up many additional things as well. (Note: I did not use the registry cleaner, only the file cleaner.)

I ran CCleaner for two reasons: to hopefully stabilize the browser, of course, but also to prepare for the next step.

Defraggler

Normally, I'd be tempted to run Windows' own disk defragmenting program – and indeed that would probably be sufficient. But I wanted to see just how bad things were, so I chose to run Defraggler, another free tool from the same people that make CCleaner.

Besides having a more informative display (to us geeky types at least), my sense is that it's slightly more thorough in its defragmenting work. Given that this machine hadn't been defragmented in years, I wanted it to be aggressive, if perhaps time consuming. (If you defrag regularly, then Windows' own defragmenting tool is quite sufficient.)

The drive was most definitely severely fragmented when I started. In addition, the 17 gigabytes still in use on the 60 gigabyte drive was spread out across almost the entire disk surface resulting in lots of disk head movement even for unfragmented files.

After defragging, not only were the files contiguous, but they were also clustered together near the beginning of the disk.

The result

The machine's once again working fine, albeit still a tad pokier than we might want. More on that in a moment. It's booting properly, the browser's working as expected, and Hotmail and Facebook are once again working as well.

We appear to have dodged a bullet with respect to actual malware. The link that had been clicked on was most likely already rendered inoperative by prior victims. It's true that we can never know that the machine isn't still infected, but I feel that the steps taken give us a very high level of confidence that we're clean.

As I mentioned, the machine's still a tad slower than we might like, and I believe I understand why. In cleaning up, I installed additional security software – specifically Malwarebytes – which had not been running before, and is now present constantly. It's very likely that I'll turn that off, leaving day-to-day security in the hands of Microsoft Security Essentials and WinPatrol.

The machine is an older Dell Latitude 131L with 2 GB of RAM and a 70 GB hard drive. The processor is running at 1.6 GHz. As I said, it's running Windows XP SP3. My belief is that with current versions of the OS and security software assuming today's slightly more powerful machines, the addition of one more security program might just be taking it to the boundaries of acceptable performance.

Article C5522 - June 28, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


33 Comments
Freddie
June 29, 2012 8:35 AM

Pity I did not read this 18 months ago. I have an HP machine, which had got so slow I upgraded to my present machine. I got it out of mothballs when I read this article, followed the steps outlined, and voila, a restored machine which is still slower than my new one, but is acceptable as a backup. Many thanks, Leo.

Scott
June 29, 2012 8:36 AM

This is great! Thanks for all the info you provide Leo.

Lord Rayne
June 29, 2012 9:00 AM

Thank you Leo, you have confirmed that my cleaning exercise is pretty well as you describe but I have one extra step and that is:

After running CCleaner, I then open "EasyClean", click on "Unnecessary Files" and then "Find".

EasyClean finds other files that CCleaner seems to bypass and when these have been "Deleted" I run CCleaner again which effectively empties the Recycle Bin. EasyCleaner can find up to a further 14Mb to get rid of.

Mind you - I still have a couple of sites I cannot get to but that is another work in progress.

Christo
June 29, 2012 9:04 AM

Remember to check if your restore points are still there after running CCleaner. It sometimes removes them.

Lynn Houston
June 29, 2012 9:19 AM

Just FYI, the rootkit revealer link just takes you to your home(?) page and not the rootkit page. Found the page with a search, but just wanted to let you know that the link wasn't taking people to the intended page.

Mike
June 29, 2012 9:42 AM

I, too, have cleaned up VERY slogging, pokey machines with nothing more than CCleaner. For an easy, free app, it's a much better alternative to the stores that want to charge $85 or more for "spyware removal". That's not to say that it couldn't be malware, but more often it's not.

Mark J
June 29, 2012 10:22 AM

@Lynn
Thanks, it's fixed now.

David G
June 29, 2012 10:26 AM

Excellent info, thanks Leo.
In addition to the above I tend to run superantispyware for any remaining malware http://www.superantispyware.com/ which is another free utility and it seems to find stuff that others fail to do.

Gwyn
June 29, 2012 11:48 AM

Leo, can a machine that is running too hot also be slowed down? Mine was hot and very slow a while back, but after I switched off and rebooted some time later things were back to normal.

Don Randall
June 29, 2012 11:51 AM

When my computer gets a little bit slow, I do the following: 1) reboot the modem, 2) clear the cache, 3) run a complete CCleaner scan with a very complex overwrite (35 passes), 4) run a complete scan with MS Security Essentials, and 5) run a complete scan with MS Safety Scanner.

These procedures have worked well for me.

Here's the link for MS Safety Scanner.

http://www.microsoft.com/security/scanner/en-us/default.aspx

Rene LeBlanc
June 29, 2012 12:14 PM

You suggest RootkitRevealer, but fail to mention that this does not work on Windows 7 x64. On the link you supplied, it is stated that this program works on Windows XP 32-bit. A Google search finds many posts about it failing to work with Windows 7 x64.

True. The machine I was working on happened to be a 32-bit Windows XP machine.
Leo
01-Jul-2012

Mark J
June 29, 2012 1:24 PM

@Don
35 passes might be necessary for protecting military secrets from determined spies with astronomical budgets, but for the data most of us have, the expense of recovering a single-pass wipe would be too much. 3 passes are fine for the super paranoid. In any case, wiping will do nothing to speed your system. The other steps you listed can be helpful.

bob
June 29, 2012 1:29 PM

Note: CCleaner only cleans up the currently logged in user; usually that's enough.
Question: Suppose one of the anti-malware tools turned up malware. Would you have used the tool to clean the PC, restarted, rescanned, used a few more tools to confirm it was cleaned, and then celebrated? Or would you have formatted the drive and either restored from a known good backup, or re-installed Windows, or taken the opportunity to upgrade Windows? "That depends."?

Was wondering if someone would ask that.


It boils down to a judgement call. In an absolute sense, as I've said before, once infected a machine can't really be trusted even after you think you've removed the malware. In a more practical sense the fix for that is rather extreme (reformat/reinstall). Had I found malware my next steps would have been dictated by the malware found and its visible impact on the system, and the results of my attempts to remove it. Low impact, quick removal and I would probably have moved forward. Had the removal been problematic, or had the machine still seemed unstable after a removal I probably would have reformatted and reinstalled. That's why, by the way, I started with a full backup - so that I could reformat/reinstall if I needed to, knowing that everything previously on the machine was saved somewhere.
Leo
01-Jul-2012

Michael
June 29, 2012 3:24 PM

Do you use the CCleaner enhancer? It adds a lot to CCleaner

Mark Magill
June 29, 2012 3:56 PM

@Gwyn: Just an FYI - Yes, a hot computer can slow down significantly. My Dell machine's CPU cooling fan failed recently, and one of my first clues something was seriously wrong (since the computer is on all the time) was very slow performance. After reboot, the system announced the CPU Fan Failure.

One of the things that Dells do (and no doubt, others) is start slowing down the processor when the chip's core temperature gets critical to reduce the load and as a result, the temperature. If your system reports no error on reboot, it would not hurt to open the case and make sure all fans are running.

Gwyn
June 29, 2012 4:18 PM

@Mark Magill: Many thanks for the info. And, yes, my laptop is a Dell too! (But the fan is still working, fortunately.)

Vinod
June 29, 2012 6:06 PM

Generally your articles are very nice and informative. However, this article is an exception. Instead of being informative, it sounds like an advertisement for programs available and which programs to use. Sorry, but that is the truth.

Not quite sure how you come to that observation, considering that every piece of software I mention in the article is free.
Leo
01-Jul-2012

johnpro2
June 29, 2012 6:33 PM

1. CCleaner including the reg clean option.
2. Defrag
3. Stop all unnecessary startups {type msconfig into the Run box for XP or the search box for Vista & Win 7}
Un-check all except anti-virus; they can be rechecked at any time in the future.

Jp

I have to disagree with the reg clean option - I never recommend registry cleaning as one of a series of steps like this. It's simply too dangerous. Registry cleaning, in my opinion, should be performed only when there's specific reason to believe that the registry is at fault. (And then CCleaner's registry clean is a fine choice. Backup first, of course.)
Leo
01-Jul-2012

bevinp
June 29, 2012 8:31 PM

Vinod,
Your criticism that the article is no more than an advertisement for programs, is not only unfair it is unjustified. Obviously you haven't used any of those programs. Not only are they free, they are professionally written by experts in the relevant field and are very effective. They are standout products among the many that proliferate the net with overstated claims and inadequate performance.

Try them out and compare with your favourites.

John Ellis
June 29, 2012 8:43 PM

How in the world, as a somewhat responsible and serious IT-Professional, could you EVER recommend using a P-o-S program such as "Windows Defender"??? It is an absolutely WORTHLESS P-o-S Program! And on the same line, your recommendation for MS Security Essentials is definitely NOT what I would call THE hit! This program has a lot of short-comings!
I myself am an IT-Professional, with my own company (the rest is irrelevant), which is why I question some of your "calls", especially when you "promote" certain programs; ie: for making a back-up? Where is the/your neutrality? BR!

In my opinion Windows Defender Offline and Microsoft Security Essentials are valid and useful tools. I know that I'm also not alone in this opinion. I'm not sure what you're referring to with respect to backup programs. I'm most decidedly NOT neutral: I recommend in favor of programs that I believe are good and useful, and don't mention (or occasionally recommend against) programs that I think are bad or harmful - regardless of who makes them or where they come from in either case. I have opinions and I share them here - you're quite welcome to disregard them (and me) if you feel that they're inappropriate or incorrect.
Leo
01-Jul-2012

johnpro2
June 29, 2012 8:57 PM

@leo
"leaving day-to-day security in the hands of Microsoft Security Essentials and WinPatrol."

I also use this combo & have not been infected for years now. For added safety I run my browser with 'Sandboxie' (free) when doing banking & credit card transactions... just to be sure!
Jp

Nigel
June 30, 2012 2:38 AM

I have fixed a few PCs now using Leo's technical advice and I personally applaud you. I use MSE and Malwarebytes and CCleaner, and as Leo says they're FREE. Thanks Leo. PS, some people need to learn how to use the tools.

Kevin
June 30, 2012 7:38 AM

Hi
Would like to disagree with Vinod in particular
Do know his point but he misses out totally on the basics.
In this particular article Leo is trying to deal with people who have gotten their comp. into a terrible mess over a year or two. Ergo they are not in the least computer literate. Ergo his approach in my opinion has to be simple and explicit. While not that good at comp's myself I am pretty good at speeding them up, and am sometimes asked to do so. Usually I am quite successful in doing this. My own laptop is 4 1/3 years old and despite using Vista is a lot faster than the day I got it.
While I do have certain modifications from Leo's article, I do in general do more or less the same.
I certainly am not going to nitpick at this time.
Some people should wise up a bit and stop being so selfish and self knowledgeable

Zale Town
June 30, 2012 4:16 PM

As usual, great no nonsense advice coupled with easy to follow, step by step instructions. Thanks a bunch.

FL
July 1, 2012 6:49 AM

Excellent article. You should put procedures to print (digital or hard copy). Many of us missed printing out many of your "pearls of wisdom".

You're quite welcome to print my articles for your own use.
Leo
01-Jul-2012

Alphonse
July 1, 2012 12:46 PM

I have Microsoft Security Essentials on a machine that encountered a problem in June. Microsoft Security Essentials was not on. I couldn’t turn it on. Windows said it had a serious error and needed to restart after counting down 60 seconds. This happened continuously.

I downloaded Windows Defender on another machine and put it on a USB key. I booted up the problem machine from the USB key. Windows Defender wanted to be updated, which is impossible as it doesn’t include drivers for network access.

I called Microsoft PC Safety Dept. They told me if you use Microsoft Security Essentials, you can’t use Windows Defender. But it will work if you turn off Microsoft Security Essentials 1st.

I booted up normally and managed to turn off Microsoft Security Essentials before I got the message saying Windows needed to shut down.
I tried again to boot off the USB key and run Windows Defender but was asked again to update it. I called Microsoft back and was told that Windows Defender is outdated anyway, and that I should use Safety Scanner instead.

http://www.microsoft.com/security/scanner/en-us/default.aspx

So I am surprised that some people seem to be able to run Windows Defender offline when they have MSE installed on their machine. My experience, confirmed by Microsoft, or at least by an agent of theirs, is that you have to choose one or the other.

Incidentally, I managed to fix this problem by doing a System Restore as a Boot Option.

The problem here is Microsoft's horrible selection of names. Windows Defender and Windows Defender Offline are two different things. Windows Defender is outdated and replaced by Microsoft Security Essentials. Windows Defender Offline is more like a copy of Microsoft Security Essentials that runs from CD or USB.
Leo
02-Jul-2012

Alphonse
July 2, 2012 10:06 AM

Thanks. I am using, or trying to use, Windows Defender Offline: downloading it and setting it up on a USB key from a clean machine, booting from it on the problem machine. I’ve just found out that the WDO’s request to be updated and the inability to do so seems to be a known issue:

http://answers.microsoft.com/en-us/protect/forum/protect_updating/cant-update-definitions-when-i-run-windows/4973eeee-fc3e-40b3-b976-4f993627b088

I’m just surprised that others who have commented here don’t seem to have encountered this problem.

Felix
July 3, 2012 5:38 AM

Please, how do I use Avast to avoid viruses?

Carnegie111
July 3, 2012 2:47 PM

Thank you very much for your articles, they are truly invaluable. The tools you pointed out may be practical, but oh how we forget these important steps.

Al Paca
July 5, 2012 11:23 AM

Excellent article, thanks. I've printed it out as my wife's Dell & my daughter's Vaio both run XP and seem slow. One small "international" point: pokey in British English (no doubt other territories too) means quick and souped-up - I had to read that bit twice to understand the problem!

Really? I didn't realize that. Here it means exactly the opposite - slow and ponderous. "without speed or energy; slow" - via http://dictionary.reference.com/browse/pokey - I know there are other words on which the definitions between British and American English are not just different but actually completely opposite from one another. "Two countries divided by a common language" indeed. :-)
Leo
06-Jul-2012
Leda March
July 5, 2012 5:14 PM

I thought that Microsoft Security Essentials only came with Windows 7. I never saw it on my Windows XP.

Mark J
July 5, 2012 10:30 PM

@Leda
Microsoft Security Essentials is a separate program which you can download from Microsoft and can run on Windows versions XP through Windows 7.

MoreOff
September 25, 2012 12:22 PM

Leo,
Thanks for the hint about booting from Macrium Reflect rescue media. I will start doing that with the recovery CD I made for my old Acronis True Image 10.0, which I purchased back in 2007.
Can't be too careful, you know?
