
How do I clear up these lingering problems after a malware infection?

Question:

My Windows XP PC was infected by some viruses, which had changed some registry settings before they were removed. I noticed the infection after I found the malware called “SmartProtection 2012” was unexpectedly installed in my PC. After the virus removal, I now have both McAfee and Malwarebytes up to date and run regular full system scans to check if there is still something lurking around. Nothing suspicious is reported. But two problems remain:

(1) After this, the internet browsers (both IE and Mozilla) always crash unexpectedly, especially when downloading a file (even just a small 20MB file).

(2) My Windows Security Center has been stopped and there is no way I can find to turn it back on.

You’re not going to like my answer.

And, unfortunately, it’s an answer that I end up giving somewhat often, and one that, in fact, I’ve written up before.

I’ll give you a thought or two on perhaps dealing with at least one of the issues that you’re facing.

But…

You’ll quickly understand why malware infections are best avoided completely rather than trying to clean up after them.


The ideal solution

Once you’ve determined that your machine has been infected, the simplest solution by far is to restore your machine to the most recent backup taken immediately prior to the infection.

Poof! Infection gone. Completely.

Pretty cool, huh?

Given how easy and complete that solution is, it’s very disheartening to hear how many people don’t have that as an option.

Because they haven’t been backing up their machine at all.

The bottom-line solution

At the opposite end of the spectrum is the only other way to guarantee that the malware has been completely removed and that all lingering traces are gone as well.

  • Back up your data.
  • Reinstall Windows and all your applications.
  • Restore your data.

I’m tempted to add a fourth step: Start backing up.

The problem is something I’ve mentioned several times before:

Once it’s infected, it’s no longer your machine.

Even if you think you’ve successfully removed the malware, you have no guarantee – none – that there’s not still something left over. Perhaps it’s malware still quietly doing whatever malware does. Perhaps it’s just a missing file that you won’t realize until you need it some weeks from now.

Perhaps there’s nothing wrong at all.

The problem is you just don’t know.

The only way to know is to wipe the slate clean and start over.

The problem is that no one wants to do that. They’d rather live with the risk of still being infected.

Because, of course, it couldn’t happen to them.

Even though it already did.

Fixing symptoms

What we’re left with is what you’re asking for: fixing the symptoms you notice.

For Firefox, I’d uninstall it and reinstall it.

For Internet Explorer and the security center, I’d start by running the System File Checker, and if that doesn’t clear it up, look into performing a repair reinstall.

I honestly can’t tell you if that will in fact resolve the issue.

But short of the other solutions that I’ve mentioned above, it’s your next best bet.

The real solution

I’m not trying to be a smart-ass, but there’s only one “real” solution.

Don’t get infected in the first place.

As you can hopefully see by now, the cost of getting a malware infection can be very high, particularly when you take into account properly and completely recovering from it.

Staying safe to begin with is much more effective.


11 comments on “How do I clear up these lingering problems after a malware infection?”

  1. That is a very dramatic answer; a shorter answer would be: Run ComboFix, it will probably clean any leftovers.

    While ComboFix is a good solution and does clear up many things, there’s no guarantee after running it that everything has, in fact, been cleaned up. You just don’t know.

    Leo
    24-Mar-2012
  2. ComboFix is not a tool like Malwarebytes that untrained users can use without supervision.

    The scary looking disclaimer on ComboFix is not there for fun.

  3. I’ve had to fix computers a number of times here with similar problems after an infection. My first step is to run Malwarebytes. If that doesn’t fix it, I wipe the machine clean and start over. I find that in the end that’s what I do anyway and I can do it in the time that it takes to mess around with alternate solutions that don’t work anyhow.

  4. I was going to point out that ComboFix doesn’t run on 64-bit Windows, but according to BleepingComputer, it has apparently been updated to run on 64-bit Vista and Win7. (Though not 64-bit XP.)

    Quick question related to your “most recent backup taken immediately prior to the infection” answer. How can you be sure when the infection happened? Perhaps the original infection happened weeks (months?) before you noticed anything “wrong” with your system. I can certainly tell you that, when someone calls us and says “I think my computer has a virus”, you can be pretty sure that the system is crawling with infections.

    I’ll admit that the most recent backup solution does imply you know when the infection happened. There are many scenarios where it’s obvious, but as you say – there are many scenarios where it’s not. Hence avoidance is the best solution, followed by wipe & reinstall as often the most practical.

    Leo
    28-Mar-2012
  5. Internet Explorer can often be fixed, as I will detail below. But if these steps don’t do it, then there is some left over problem that would be better served by Leo’s answer of a complete Windows reinstall.

    The first thing to try for any version of Windows is to use Internet Explorer’s option to reset itself to default values. For Vista or Windows 7, if that doesn’t solve the problem, then uninstall back to the oldest IE you can get to (also resetting that to the original settings), then run it, and finally upgrade again to the latest version from Microsoft.

    In Windows XP (not Vista or Windows 7), if resetting IE fails to solve the problem, you can then try Dial-A-Fix. You can find that on majorgeeks.com, along with other good download sites. Before you run Dial-A-Fix, you should first uninstall both IE 8 and IE 7, so you are back to IE 6. Then run Dial-A-Fix, and click the hammer icon on the bottom. In the new Tools Window, first highlight “Flush DNS”, then click “Go”. Next, go down the list and highlight “Repair permissions” and run that. Next highlight and run “Reset networking interfaces”. Finally, highlight and run “Repair/reinstall IE”. Then close the Tools window. For the last step, on the main window, put a checkmark in “Fix SSL/Https/Cryptography” (which selects everything in that section), and then also select everything in the Registration Center section below that. Then click “Go”. When that finishes, reboot, start IE, and make sure that is fine. After that, go download IE 8 from Microsoft.com and reinstall that.

  6. Really only one way..even after running anti malware and seemingly deleting the problem..is to revert to an image backup that you trust..other things like photo’s etc can be backed up separately in the interim..and then just revert..is safest and surest in the long term

  7. Sadly, with a couple of the newest variants of virus/malware such as “System Security 2012” it gets even worse. The nasty program creates one or two partitions on your hard drive with no volume labels. You merrily do a complete wipe and re-install, but unless you go in and delete those partitions, after you format C: and install everything, the virus re-installs itself and you’re back where you started! Like Leo says, imaging, backup and prevention are truly the only smart answers!

    Wow. I hadn’t yet heard of malware that creates hidden partitions, but I guess we shouldn’t be surprised.

    Leo
    28-Mar-2012
  8. This is really just a question for Leo. Can Malware/Malware remnants somehow occupy the free space and then reinfect used space later. I ask, as 4 years ago my Golf Club got 3 items of malware on the yearly disc (What a stink that caused in 4 countries. I still have this trio of nasties and there seems to be no trouble getting rid of them now). Anyway after trying for 3 days to get rid of these unsuccessfully as they just kept coming back, in desperation I ran a “Wipe Free Space” App. (Revo) immediately following the anti-virus. Well it worked. But was I just lucky ???

    I’ve never heard of malware resurrecting itself from free space, and in all honesty I can’t think of a way that it could. Some sort of file that actually exists would have to at least begin the process, and if that file can get on there then there’s no need to resort to free space.

    Leo
    28-Mar-2012
  9. Whoa! Wait a minute!…There are serious implications of your claim that “you just don’t know” if your system infection has been totally eradicated! If that is true, it means: 1) NO currently available antivirus/antimalware/antispyware or combinations thereof, can detect all infections, and the claims of both reviewers and the companies that they can – is a lie. If you know that they can’t, so do they, and that means that they are purposely deceiving the public.

    2) If they can’t find the malware, or evidence of its behavior on your system, then their claims that they can eliminate these infections is also untrue and they are encouraging a false sense of security in the public that their application can clean the customer’s system.
    3) If the antivirus, etc. firms cannot find and fix these problems, then it follows that even BRAND NEW systems may be infected with some lurking type of malware (i.e., a trojan) hiding inside the Operating System that even Microsoft, etc., could not find. 4) Your suggestion to not get infected in the first place is nearly impossible, since malware developers can hide their malware in so many ways. Basically, it means you can’t go anywhere because what you think is a “safe” legitimate site may be another deception. 5) So, if nobody can find the infection, how do you know it even exists? So, now what? Junk the whole system? Stop using computers?

    Ultimately you are very correct (except for the deceiving part). There is no way to prove a negative – no way to prove that your machine is NOT infected. Obviously it’s not practical to let that terrorize you into avoiding computers altogether. One can safely assume (but cannot prove) that your new machine is probably malware free. One can safely assume (but cannot prove) that anti-malware tools remove most malware – but even there it is known that not all anti-malware tools remove all malware. All this is to point out that once you know you’ve been infected, many of those unprovable assumptions that you previously made are no longer safe to assume. The probability has shifted, and it is no longer safe to make those assumptions until you reformat/reinstall, where you then revert to making those assumptions (that you cannot prove).

    Leo
    28-Mar-2012
  10. Suggestion to original poster: McAfee is nearly worthless protection. As the first line of defense, I suggest researching for better protection. A reliable independent source I’ve relied on for determining the best Antivirus software is http://www.av-test.org (see their: Tests/Test Reports tab). Kind regards,

  11. Sadly, Leo is correct as I have recently learned.

    A charity that I am a part of has an infection of Conficker/Downadup. The computer it’s on is old and the hard drive is small and there is no room for an antivirus. But with little contact with the outside world, I thought the risk was minimal.

    Was first alerted when I used a USB stick to copy a file to my home computer. AVG on my computer identified it upon inserting the USB stick into the computer. I brought my laptop and via a shared c: drive over the network, I scanned the harddrive with AVG running on my laptop. AVG found the infection but had troubles eliminating it.

    I found tools on both F-Secure’s website and Symantec’s website. I tried both tools. Both tools reported that they cleaned the infection. Yet seemingly a few days later, the same infection would pop up on several different USB sticks used to test the machine. Repeated cleaning to the point where the tool said nothing was found didn’t seem to work either, because a day or two later it would reinfect the USB stick.

    I recently found an uninstalled Windows update that blocks the autoplay. After running that update, it has stopped infecting USB sticks. But I no longer can trust that the machine is clean, just that the risk of infecting another computer is minimal, provided the AV product on the other networked computers continues to run.

    Sadly, I think the only way to solve this one is to reformat the harddrive and start over.

    (We’re a charity. If we had the funds to replace the computer, we would. It really needs more RAM and larger harddrive. I don’t really like running with no AV, even though exposure to the outside world is minimal).

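A defender's check for the USB spreading mechanism this comment describes, as an added PowerShell example that is not part of the comment or the article. It assumes Windows PowerShell on the machine being checked; the NoDriveTypeAutoRun policy value and the drive-type bitmask it reads are documented Windows behaviour, and the script only reports, it changes nothing.

```powershell
# Added example, not from the article or its commenters. Checks two things the
# Conficker comment touches on: whether AutoRun is disabled (the mitigation the
# commenter finally applied) and whether any removable drive currently carries
# an autorun.inf, the file such malware uses to hop between machines.

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
# 0xFF covers every drive type, so any smaller value leaves some type open.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$key : NoDriveTypeAutoRun not set (no AutoRun policy here)"
    } elseif (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF) {
        Write-Output ("$key : NoDriveTypeAutoRun=0x{0:X2} (AutoRun disabled for all drive types)" -f $item.NoDriveTypeAutoRun)
    } else {
        Write-Output ("$key : NoDriveTypeAutoRun=0x{0:X2} (AutoRun still permitted for some drive types)" -f $item.NoDriveTypeAutoRun)
    }
}

# DriveType 2 is "removable" in Win32_LogicalDisk. Get-WmiObject is used rather
# than Get-CimInstance so this also runs on the older PowerShell found on
# machines like the one in the comment.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Output "$($_.DeviceID) carries autorun.inf; review it before trusting this stick:"
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object { Write-Output "    $_" }
    } else {
        Write-Output "$($_.DeviceID): no autorun.inf found"
    }
}
```

Run it once on the suspect machine and once on a machine that is known clean; an autorun.inf that keeps reappearing on sticks after cleaning is the same signal the commenter saw.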
