This is another of those questions that no one specifically asked (though it
does come in frequently, in various forms). Rather, this is a scenario that I
experienced myself earlier this week.
A friend who has one of my older laptops on loan came to me and told me that
it had become slow and that websites like Hotmail and Facebook had stopped
working. Sometimes, it wouldn’t even connect to the network.
My first suspicion was malware, for which I had good cause. You see, a couple
of weeks earlier, my friend had clicked on one of “those” links – the ones that
come to you as a result of someone else’s email account having been hacked.
Whoops.
While it hadn’t done anything immediately, it was high on the list of
suspects.
The machine’s working again, so I want to outline the steps that I took to
clean it up. They’re fairly generic and can be used in many, many situations,
but perhaps not all of them are obvious.
Back up
Regular readers will have seen this coming.
The very first thing that I did was create a backup image of the machine. Yes, this backs up the potentially infected machine.
I do this as a safety net; it establishes a “can’t get any worse than this” point in time. No matter what I do to the machine from this point forward I still have all the original files backed up should they need to be restored. By having a complete image of the system, I can also revert to this state should something I do in the process of “fixing” it actually end up making things worse. By restoring the backup, I can start over and try again.
The technique that I used was perhaps novel, but an important one.
I did not boot the machine normally. In fact, I didn’t boot the machine from its hard drive at all. Instead, I booted the machine from a copy of Macrium Reflect rescue media on CD.
Most backup programs allow you to create bootable rescue media of some sort, with the intent that when you need to restore a complete disk image, you can boot from that media and perform the restore.
Overlooked is the fact that in many cases (including that of Reflect), the rescue media can also be used to perform a backup.
So, that’s what I did. I booted from the rescue media, attached an external USB drive, and created a complete image of the laptop’s hard drive on that external drive. I then saved that elsewhere, should I ever need it.
Turns out I did not, but as I said – it’s the ultimate safety net.
Windows Defender Offline
My next step was to run anti-malware tools on the machine, but ideally once again, without actually booting Windows from the hard drive.
There are several bootable anti-malware tools available. I selected Windows Defender Offline (formerly known as the Microsoft Standalone System Sweeper). Using another machine, I downloaded a copy and burned it to CD. I booted the laptop from this CD and let Defender perform a complete scan.
The reason why booting from something other than the machine itself is so important is that when you boot from an infected hard disk, any malware that may be on it gets the opportunity to execute. That means that it can interfere with anti-malware scans that you perform, sometimes even preventing them. It also gives the malware an opportunity to try and hide from the scanners.
By booting from anything but the possibly infected system, that malware never gets the chance.
After the Windows Defender scan came up clean, I felt that booting the machine was somewhat safe.
Microsoft Security Essentials
With the machine now running Windows XP (SP3, fully up to date), I then made sure that Microsoft Security Essentials was also up to date and ran a complete scan again.
It’s possible that this is redundant with Windows Defender Offline. They are basically the same technology and quite possibly could be running off the same malware databases. But without absolute confirmation that they would be the same, I simply elected to take the safer route and run a complete scan again.
And once again, the scan came up clean.
Malwarebytes
Particularly because Windows Defender Offline and Microsoft Security Essentials might have been the same scan run twice, and they were likely to at least be similar, running a scan with a different tool is always a good idea.
I often recommend running the free tool Malwarebytes Anti-Malware. In this case, I took my own advice. I downloaded the latest copy and ran a complete scan.
Once again, the scans came up clean.
I’ll admit part of me liked how this was looking.
Rootkit Revealer
What distinguishes a rootkit from other forms of malware is its ability to hide. A rootkit actually infiltrates the operating system at a low level and causes the very functions that report the presence of files to “conveniently” overlook the files that comprise the rootkit itself. The rootkit might live in C:\Windows, but listing the files in that folder would simply not list the rootkit’s own files by virtue of the rootkit filtering the results.
Theoretically, the effects of a rootkit would have been bypassed by having booted Windows Defender Offline from CD. However, when malware is suspect, I’m a big believer in scanning too much rather than not enough.
Rootkit Revealer is a tool from the same folks at Microsoft (Sysinternals) who bring you Process Explorer.
And it turned up nothing.
At this point, I made the careful assumption that malware was not at play here and moved on to more generic cleanup activities.
CCleaner
With the browser acting as it had been, it’s tempting to just clear the browser cache. In fact, clearing the browser cache is one of our more common answers to assorted questions that come in to Ask Leo!.
In this case, however, I wanted to be a little more thorough, so I elected to fire up CCleaner instead.
CCleaner will clear the browser cache, but it’ll also clean much more. The biggest additional offender is often Windows’ own temporary files folder, but CCleaner actually runs around and cleans up many additional things as well. (Note: I did not use the registry cleaner, only the file cleaner.)
I ran CCleaner for two reasons: to hopefully stabilize the browser, of course, but also to prepare for the next step.
Defraggler
Normally, I’d be tempted to run Windows’ own disk defragmenting program – and indeed that would probably be sufficient. But I wanted to see just how bad things were, so I chose to run Defraggler, another free tool from the same people that make CCleaner.
Besides having a more informative display (to us geeky types at least), my sense is that it’s slightly more thorough in its defragmenting work. Given that this machine hadn’t been defragmented in years, I wanted it to be aggressive, if perhaps time consuming. (If you defrag regularly, then Windows’ own defragmenting tool is quite sufficient.)
The drive was most definitely severely fragmented when I started. In addition, the 17 gigabytes still in use on the 60 gigabyte drive was spread out across almost the entire disk surface, resulting in lots of disk head movement even for unfragmented files.
After defragging, not only were the files contiguous, but they were also clustered together near the beginning of the disk.
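As an added example (not code from the article or from any of the tools it names), here is a PowerShell script that automates the in-Windows part of the procedure above: update Microsoft Security Essentials definitions, run a full scan, clear temporary files, and analyze fragmentation before committing to a defrag, with a check between each step so a bad result stops the process. It assumes MSE is installed under Program Files\Microsoft Security Client and that MpCmdRun returns exit code 0 only when the scan completed without reporting threats.

```powershell
# Added example, not the article's own code. Run from an elevated PowerShell prompt
# (cleaning Windows\Temp and running defrag both need administrator rights).
# Assumption: MSE's command-line tool lives here and its exit code 0 means "scan
# completed, nothing found"; anything else is treated as "stop and look".
$mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "Microsoft Security Essentials not found at $mpCmdRun"
}

# Step 1: refresh definitions first. A scan with stale signatures proves little.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) {
    throw "Signature update failed (exit code $LASTEXITCODE); not scanning with stale definitions."
}

# Step 2: full scan (-ScanType 2 = full). On anything but a clean result, stop
# before cleaning: temp files may be exactly the evidence you later need.
& $mpCmdRun -Scan -ScanType 2
$scanResult = $LASTEXITCODE
if ($scanResult -ne 0) {
    Write-Warning "Scan returned exit code $scanResult; review the MSE history before continuing."
    return
}
Write-Host 'Full scan came back clean.'

# Step 3: temp-file cleanup, a scripted subset of what CCleaner does. Free space is
# measured before and after (via WMI, which works on XP) so the gain is visible.
function Get-FreeBytesC {
    (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace
}
$freeBefore = Get-FreeBytesC
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
foreach ($dir in $tempDirs) {
    # Skip files touched in the last day; something may still be using them.
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-1) } |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
$freeAfter = Get-FreeBytesC
'Reclaimed {0:N1} MB of temporary files.' -f (($freeAfter - $freeBefore) / 1MB)

# Step 4: analysis only, no changes yet, so you can see how fragmented the drive is
# before deciding whether a full defrag (or Defraggler) is worth the time.
# XP's defrag.exe uses -a/-v; Vista and later use /A /V.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    defrag.exe C: /A /V
} else {
    defrag.exe C: -a -v
}
```

The script deliberately stops at the scan when anything is reported, mirroring the article's order: decide about malware first, and only then clean up and defragment.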
The result
The machine’s once again working fine, albeit still a tad pokier than we might want. More on that in a moment. It’s booting properly, the browser’s working as expected, and Hotmail and Facebook are once again working as well.
We appear to have dodged a bullet with respect to actual malware. The link that had been clicked on was most likely already rendered inoperative by prior victims. It’s true that we can never know that the machine isn’t still infected, but I feel that the steps taken give us a very high level of confidence that we’re clean.
As I mentioned, the machine’s still a tad slower than we might like, and I believe I understand why. In cleaning up, I installed additional security software – specifically Malwarebytes – which had not been running before, and is now present constantly. It’s very likely that I’ll turn that off, leaving day-to-day security in the hands of Microsoft Security Essentials and WinPatrol.
The machine is an older Dell Latitude 131L with 2GB of RAM and a 70GB hard drive. The processor is running at 1.6GHz. As I said, it’s running Windows XP SP3. My belief is that with current versions of OS and security software assuming today’s slightly more powerful machines, the addition of one more security program might just be taking it to the boundaries of acceptable performance.
Pity I did not read this 18 months ago. I have a HP machine, which had got so slow, I upgraded to my present machine. I got it out of mothballs when I read this article, followed the steps outlined, and voila, a restored machine which is still slower than my new one, but is acceptable as a back-up. Many thanks, Leo.
This is great! Thanks for all the info you provide Leo.
Thank you Leo, you have confirmed that my cleaning exercise is pretty well as you describe but I have one extra step and that is:
After running CCleaner, I then open “EasyClean”, click on “Unnecessary Files” and then “Find”.
EasyClean finds other files that CCleaner seems to bypass and when these have been “Deleted” I run CCleaner again which effectively empties the Recycle Bin. EasyCleaner can find up to a further 14Mb to get rid of.
Mind you – I still have a couple of sites I cannot get to but that is another work in progress.
Remember to check if your restore points are still there after running CCleaner. It sometimes removes them.
Just FYI, the rootkit revealer link just takes you to your home(?) page and not the rootkit page. Found the page with a search, but just wanted to let you know that the link wasn’t taking ppl to the intended page.
I, too, have cleaned up VERY slogging, pokey machines with nothing more than CCleaner. For an easy, free app, it’s a much better alternative to the stores that want to charge $85 or more for “spyware removal”. That’s not to say that it couldn’t be malware, but more often it’s not.
@Lynn
Thanks, it’s fixed now.
Excellent info, thanks Leo.
In addition to the above I tend to run superantispyware for any remaining malware http://www.superantispyware.com/ which is another free utility and it seems to find stuff that others fail to do.
Leo, can a machine that is running too hot also be slowed down? Mine was hot and very slow a while back, but after I switched off and rebooted some time later things were back to normal.
When my computer gets a little bit slow, I do the following: 1) reboot the modem, 2) clear the cache, 3) run a complete CCleaner scan with a very complex overwrite (35 passes), 4) run a complete scan with MS Security Essentials, and 5) run a complete scan with MS Safety Scanner.
These procedures have worked well for me.
Here’s the link for MS Safety Scanner.
http://www.microsoft.com/security/scanner/en-us/default.aspx
You suggest RootkitRevealer, but fail to mention that this does not work on Windows 7 x64. On the link you supplied, it is stated that this program works on Windows XP 32-bit. A Google search finds many posts about it failing to work with Windows 7 x64.
01-Jul-2012
@Don
35 passes might be necessary for protecting military secrets from determined spies with astronomical budgets, but for the data most of us have, the expense of recovering a single pass wipe would be too much. 3 passes are fine for the super paranoid. In any case wiping will do nothing to speed your system. The other steps you listed can be helpful.
Note: CCleaner only cleans up the currently logged in user; usually that’s enough.
Question: Suppose one of the anti-malware tools turned up malware. Would you have used the tool to clean the PC, restarted, rescanned, used a few more tools to confirm it was cleaned, and then celebrated? Or would you have formatted the drive and either restored from a known good backup, or re-installed Windows, or taken the opportunity to upgrade Windows? “That depends.”?
It boils down to a judgement call. In an absolute sense, as I’ve said before, once infected a machine can’t really be trusted even after you think you’ve removed the malware. In a more practical sense the fix for that is rather extreme (reformat/reinstall). Had I found malware my next steps would have been dictated by the malware found and its visible impact on the system, and the results of my attempts to remove it. Low impact, quick removal and I would probably have moved forward. Had the removal been problematic, or had the machine still seemed unstable after a removal I probably would have reformatted and reinstalled. That’s why, by the way, I started with a full backup – so that I could reformat/reinstall if I needed to, knowing that everything previously on the machine was saved somewhere.
01-Jul-2012
Do you use the CCleaner enhancer? It adds a lot to CCleaner
@Gwyn: Just an FYI – Yes, a hot computer can slow down significantly. My Dell machine’s CPU cooling fan failed recently, and one of my first clues something was seriously wrong (since the computer is on all the time) was very slow performance. After reboot, the system announced the CPU Fan Failure.
One of the things that Dells do (and no doubt, others) is start slowing down the processor when the chip’s core temperature gets critical to reduce the load and as a result, the temperature. If your system reports no error on reboot, it would not hurt to open the case and make sure all fans are running.
@Mark Magill: Many thanks for the info. And, yes, my laptop is a Dell too! (But the fan is still working, fortunately.)
Generally your articles are very nice and informative. However, this article is an exception. Instead of being informative, it sounds like an advertisement for programs available and which programs to use. Sorry, but that is the truth.
01-Jul-2012
1. CCleaner, including the reg clean option.
2. Defrag
3. Stop all unnecessary start-ups (type msconfig into the Run box for XP or the search box for Vista & Win 7).
Uncheck all except antivirus; they can be rechecked at any time in the future.
Jp
01-Jul-2012
Vinod,
Your criticism that the article is no more than an advertisement for programs, is not only unfair it is unjustified. Obviously you haven’t used any of those programs. Not only are they free, they are professionally written by experts in the relevant field and are very effective. They are standout products among the many that proliferate the net with overstated claims and inadequate performance.
Try them out and compare with your favourites.
How in the world, as a somewhat responsible and serious IT-Professional, could you EVER recommend using a P-o-S program such as “Windows Defender”??? It is an absolutely WORTHLESS P-o-S Program! And on the same line, your recommendation for MS Security Essentials is definitely NOT what I would call THE hit! This program has a lot of shortcomings!
I myself am an IT-Professional, with my own company (the rest is irrelevant), which is why I question some of your “calls”, especially when you “promote” certain programs; i.e. for making a back-up? Where is the/your neutrality? BR!
01-Jul-2012
@leo
“leaving day-to-day security in the hands of Microsoft Security Essentials and WinPatrol.”
I also use this combo & have not been infected for years now. For added safety I run my browser with ‘Sandboxie’ (free) when doing banking & credit card transactions… just to be sure!
Jp
I have fixed a few PCs now using Leo’s technical advice and I personally applaud you. I use MSE and Malwarebytes and CCleaner, and as Leo says they’re FREE. Thanks Leo. PS: some people need to learn how to use the tools.
Hi
Would like to disagree with Vinod in particular.
Do know his point but he misses out totally on the basics.
In this particular article Leo is trying to deal with people who have gotten their comp. into a terrible mess over a year or two. Ergo they are not in the least computer literate. Ergo his approach in my opinion has to be simple and explicit. While not that good at comp’s myself I am pretty good at speeding them up, and am sometimes asked to do so. Usually I am quite successful in doing this. My own laptop is 4 1/3 years old and despite using Vista is a lot faster than the day I got it.
While I do have certain modifications from Leo’s article, I do in general do more or less the same.
I certainly am not going to nitpick at this time.
Some people should wise up a bit and stop being so selfish and self-knowledgeable.
As usual, great no nonsense advice coupled with easy to follow, step by step instructions. Thanks a bunch.
Excellent article. You should put procedures to print (digital or hard copy). Many of us missed printing out many of your “pearls of wisdom”.
01-Jul-2012
I have Microsoft Security Essentials on a machine that encountered a problem in June. Microsoft Security Essentials was not on. I couldn’t turn it on. Windows said it had a serious error and needed to restart after counting down 60 seconds. This happened continuously.
I downloaded Windows Defender on another machine and put it on a USB key. I booted up the problem machine from the USB key. Windows Defender wanted to be updated, which is impossible as it doesn’t include drivers for network access.
I called Microsoft PC Safety Dept. They told me if you use Microsoft Security Essentials, you can’t use Windows Defender. But it will work if you turn off Microsoft Security Essentials 1st.
I booted up normally and managed to turn off Microsoft Security Essentials before I got the message saying Windows needed to shut down.
I tried again to boot off the USB key and run Windows Defender but was asked again to update it. I called Microsoft back and was told that Windows Defender is outdated anyway, and that I should use Safety Scanner instead.
http://www.microsoft.com/security/scanner/en-us/default.aspx
So I am surprised that some people seem to be able to run Windows Defender offline when they have MSE installed on their machine. My experience, confirmed by Microsoft, or at least by an agent of theirs, is that you have to choose one or the other.
Incidentally, I managed to fix this problem by doing a System Restore as a Boot Option.
02-Jul-2012
Thanks. I am using, or trying to use, Windows Defender Offline: downloading it and setting it up on a USB key from a clean machine, booting from it on the problem machine. I’ve just found out that the WDO’s request to be updated and the inability to do so seems to be a known issue:
http://answers.microsoft.com/en-us/protect/forum/protect_updating/cant-update-definitions-when-i-run-windows/4973eeee-fc3e-40b3-b976-4f993627b088
I’m just surprised that others who have commented here don’t seem to have encountered this problem.
Please, how do I use Avast to avoid viruses?
Thank you very much for your articles, they are truly invaluable. The tools you pointed out may be practical, but oh how we forget these important steps.
Excellent article, thanks. I’ve printed it out as my wife’s Dell & my daughter’s Vaio both run XP and seem slow. One small “international” point: pokey in British English (no doubt other territories too) means quick and souped-up – I had to read that bit twice to understand the problem!
06-Jul-2012
I thought that Microsoft Security Essentials only came with Windows 7. I never saw it on my Windows XP.
@Leda
Microsoft Security Essentials is a separate program which you can download from Microsoft and can run on Windows versions XP through Windows 7.
Leo,
Thanks for the hint about booting from Macrium Reflect rescue media. I will start doing that with the Recovery CD I made for my old Acronis True Image 10.0 I purchased back in 2007.
Can’t be too careful, You know?