Helping people with computers... one answer at a time.

It's frustrating to go through the steps of cleaning your machine of malware only to have it return almost instantly. We'll look at possible causes.

I have a virus on my computer that's blasting out spam emails. This has been going on for the past two months and I've tried every kind of tool out there and have not been able to get rid of it. I have spoken with Microsoft senior tech's at length trying to get the infection off the computer. After lengthy discussions they recommended I re-install Windows. With over a quarter of a million files and folders on the computer I was reluctant but I did it.

The problem is still there. The computer is back down to a crawl even after this a clean install.

What can I do?

Reinstalling the operating system is the safest and frequently the only course of action after a serious malware infestation.

But as you've seen here, what if the malware comes back right away?

There's one school of thought that once your machine has become infected, the only solution is to reformat and reinstall. The problem is that you may know you're infected, but there's no way to guarantee that the infection has been completely removed. The only guaranteed way to erase the virus is to erase everything - i.e. reformat your hard disk - and then reinstall everything.

However, reinstalling is painful, so naturally we try to avoid it whenever possible. Certainly for certain types of well known viruses we do, pretty much, know what they do and what needs to be removed. There's no blanket guarantee that we get it right, but the risks are often fairly small.

Sometimes, though, a reformat really is the only answer. And it can take a lot of work and time. And even then there are risks.

Here are some of the things I can think of that could result in the symptoms you describe:

  • As you reinstalled Windows, you connected to an untrusted network (like the internet) before your firewall was turned on, or before your anti-virus software was installed and running.

    The problem here is that there is a large class of viruses that propagate simply and quickly if you connect to the internet without protection. With your firewall down, and particularly with an older unpatched version of Windows, I recall hearing that you can be infected within just a couple of minutes of being connected to the net.

    At a minimum, disconnect your network cable until you have Windows installed and its built-in firewall enabled, or connect only through a NAT router.

  • "... any backup taken after an infection occurs is suspect."

    You didn't patch Windows immediately. After getting connected to the network the very first thing you should do is visit Windows Update and take all the updates offered.

    The problem here is that even with the firewall up, or a NAT router in place, there are vulnerabilities that may be exploited should you start to try and use your computer normally. Get it up-to-date first.

  • Your anti-virus software is out of date. This applies to your anti-spyware software as well. It's not enough to get it and run it if you don't keep the database of known malware up to date. Most anti-malware programs have an option to automatically update those databases, and it's critical that you do so. I prefer doing so daily; that's how quickly new viruses and spyware appear.

    Similarly, if your anti-malware program is in the form of a subscription, and you let that subscription lapse, then you're likely not getting the latest updates to that database. Re-subscribe, or switch to one of the free alternatives.

    With an out-of-date database, you could easily think you're protected when you're not. Your machine could quickly get infected with a virus that appeared after the last time you updated your malware database.

  • You backed up and then restored the malware. This is an easy one to overlook. The scenario works like this: you have an infected machine; you know you're going to reformat, so you back everything up including programs and data; you reformat and you reinstall everything; unbeknownst to you, the malware was in a program that you restored and ran - and it reinfected your machine.

    Unfortunately the hard cold truth is this: any backup taken after an infection occurs is suspect.

    It's not perfect, but at a minimum you must virus scan the backup before restoring it. Quite often that means copying the contents of the backup to a location where is does not run, but can be scanned by your anti-virus software. External or additional hard drives are perfect for this kind of thing.

    A safer solution is never restore software from suspect backups. Always reinstall software from their original CDs, DVDs or re-download them. Then restore only your data from your backup. (After virus scanning that anyway.)

  • It was your behavior that caused the problem, and your behavior hasn't changed. Particularly in the case of spam-sending viruses or "bots", if you regularly open attachments from people you don't know, or fall for phishing and other scams, there's nothing about a reformat that's going to fix that. The first time you run that unknown attachment, your machine isn't yours any more - it's infected.

    You cannot count on automated solutions to protect you from yourself. All those are meaningless if you invite the intruder back into your newly cleaned home.

Is that all a pain in the ass?

Absolutely, it is. That's why prevention is so much easier than the cure. The cure is a pain in the ... well, you know.

The good news in all this is that prevention isn't that hard. Take a couple of tools (anti-malware and firewalls), mix in a little bit of common sense, add a dash of healthy skepticism and you've got a recipe for safety. It really is that simple.

Article C3153 - September 18, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

15 Comments
Mark
September 18, 2007 9:28 PM

Another obvious one, but I toss it out for the newbies. Even if you don't do risky things on your computer or your network, others who have access might. And just because they swear up and down that they don't go to THOSE sites or open risky email, its always a possibility. Even if they cover their tracks well (deleting histories and the cache and whatnot). One solution is to install parental control software for a time and see if the infections at least slow down. It's not a cure-all, and there are ways around it, but it might cause help you catch who's been naughty on your machine.

As Leo has said time and again, your comp must be secure at the terminal. Know who uses it and what they are using it for.

Houssam Mousa
September 18, 2007 10:55 PM

Even using an Anti-Virus is not enough, I use three and sometimes four , I know you will tell me that an updated anti-virus is enough, but it's not, on my experience and many times, one Program find a virus or a Trojan that the other did not find, and the most problem is that the anti-virus delete or clear the infected file, but as soon as you re-boot the virus (or trojan) will come again, and you will have to start tweaking around the Reggistry and Booting files using utilitis, it's very annoying, not to mention that using a real-mode anti-virus will make your Rabbit computer seemed slower than a turtle , and using on-demand scanner is sometimes late, anyone can help??

vincent
September 19, 2007 3:47 AM

Hi,

There is a procedure, developed by the nice folks at majorgeeks.com that, if followed to the letter, will get rid of almost anything infecting your system.
Maybe not everything, but it's sure worth a try, most certainly if you have hundreds of thousands of files and folders you do not wish to loose/reinstall.
Here it is:
http://forums.majorgeeks.com/showthread.php?t=35407

Give it a try. It has removed some nasty sh** from many of the pc's I receive for repairs!

Best,
Vincent

Chris
September 20, 2007 3:53 PM

#1 Format and re-install
#2 Disconnect your internet from the source (router,ethernet, whatever)
#3 Install a trusted firewall or at least make sure windows firewall is enabled
#4 Install your virus scan (optional)
#5 Connect to the internet and update your virus scan definitions
#6 Run Windows Update several times to get all the updates (may require several restarts)
#7 Download Windows Defender off of the Microsoft website (also optional)
#8 You are now protected and anything else that happens form this point on is subject to the user.
If you have other people also using this machine, I highly recommend some Parental Control software that runs in the background and a Browser other than Internet Explorer (Firefox is a good one).

Greg
September 21, 2007 10:48 PM

I have a MySpace page & I am looking for an online job. I go everywhere. Get a Gmail account NOW! Gmail has a separate spam box for the crap. I am running about 6,000 spam emails a month. After 30 days they are deleted. I do not see them until I check them in case 1 email is put in by accident. I have had that happen only 1 time. When spam does come through, you dump it into spam so I see only about 3 a day. The more you dump the less you see. I also use Norton System Works. After I go to MySpace I run the 1 Button Check Up which cleans unwanted files. I run the Speed Disk often when ever the laptop slows down, at night when I go to bed, about every 2 - 3 days. I also run the virus scam 2 X a week or more. Norton also comes w/ Firewall but the Windows XP the Windows Service Pack 2 has to be turned off. They will not work together. Norton Systems Work is around $80.00 a year & seams to be well worth it. I got botnet attacked yesterday on MySpace & Tom, Pres. MySpace, put the whip to Fling.com, I did complain, & that did them in. My laptop is back to running fine now. I did blow everything out last night & this morning. Good job Tom! Thanks to Leo for telling me what a botnet is I would have not figured it out on my own. It is not your machine, these Aholes are ruthless. Gmail gives you 3Gig of storage & it is not on your machine. Spam does not count. Gmail.com is FREE. GOOD LUCK!

Mike
October 1, 2007 7:55 PM

I've had a similar problem getting rid of a virus after reformatting with a clean install. When you boot from the install CD you'll see two different options for formatting. One is identified as quick format, one as format. Use the reqular format instead of the quick format. I'm not sure what the difference is but it takes about four times as long to format and it does a more through job. This method has helped me get rid of some serious monters. Good luck.

Shell
January 5, 2008 9:15 PM

if its infecting ur cookies(spyware) just block ur cookies from sites or get a firewall.

Jeremy
March 17, 2008 10:44 PM

How do i unsubscribe from this chat site thing called fling.com, I didn't realised it charged.

charlie
August 11, 2009 3:59 PM

The easiest way to get rid of a stubborn virus without paying, is download malwarebytes.org . I had the same problem. I kept running my spyware in safe mode, and disconnected my server. It kept coming back. I downloaded a free program. malwarebytes.org, and it took it right out.

While I agree that MalwareBytes is good, please don't get complacent and think it will get everything. Some are better than others, sure, but no anti-virus tool will get everything.
Leo
12-Aug-2009

Steve Waskow
September 21, 2010 10:35 AM

Leo, please stop propagating the old advice to refrain from opening attachments from "people you don't know." Nowadays, it doesn't matter if you know them or not...spammers and phishers have taken over millions of computers and many can access the associated contact lists and send out malware apparently "From" the infected computer "To" all contacts on the system.

One should open attachments only from folks you know when you are expecting them, or check BY PHONE OR IN PERSON before opening them, since if bad guys have taken over the sending email account, they can simply confirm the authenticity of the bogus attachment.

I agree it's no longer as simple as accepting "only" from people you know. You're right - attachments need to "make sense" in that they're expected and about something that makes sense in your normal conversations with the sender. If there's ANY doubt, check with them first - not using that email address.

By the way, it's rarely an infected computer, but rather a compromised email account where the scammers are out using the web interface to login and sent the spam/scam email.
Leo
21-Sep-2010

Bob Stromberg
September 21, 2010 4:24 PM

I sometimes need to update a computer that needs many, many Windows Updates (or Microsoft Updates). So, I gingerly connect to the Internet and start the downloads. All this time, sometimes hours, until the updates are downloaded and installed, the computer is out-of-date. Using a well-protected computer, can I download the updates to a flash drive or external hard drive, and hand-carry them over to the out-of-date computer and then run do the updates, without connecting the computer to the Internet?

See http://msdn.microsoft.com/en-us/library/aa387290%28VS.85%29.aspx, which seems to be oriented to programmers providing this service. ("After you download the latest WsusScan.cab, the file can be provided to the AddScanPackageService method, and the WUA API can be used to search the offline computer for security updates. WUA validates that the WsusScan.cab is signed by a valid Microsoft certificate before running an offline scan."

How do ordinary resourceful careful users do this?

Ariel
September 21, 2010 8:41 PM

"A safer solution is never restore software from suspect backups. Always reinstall software from their original CDs, DVDs or re-download them. Then restore only your data from your backup. (After virus scanning that anyway.)"

When I download programs and install them I compress a copy of the program and keep it in a folder. We shouldn't use these files in this situation? Can Zipped files be compromised?

ZIP files can be compromized, but it's rare. Best is to keep those saved downloads off-line - perhaps burn them to a CD or external hard drive that you disconnect. That way you know they won't be infected.
Leo
25-Sep-2010
Harold Rossi
September 22, 2010 5:55 AM

I have run across malware that infects the restore partition of some computers so when you think you are restoring, you reload windows with the infection to start with. The only way to get a clean install is to completely reformat the hard drive, all partitions.

lee
September 22, 2010 6:51 AM

i recently installed Microsoft Security Essentials and SUPERAntiSpyWare because i was having some concerns about email from a friend who isn't computer literate enough to stop getting trackers and viruses. i am continuing to receive COOKIE TRACKERS and even thought these programs are quarantining/removing them they pop right back...always the same names. could they be a part of the programs i am using? they are Adware, it seems,and someone suggested that they are a part of AOL? How do i PERMANENTLY remove them, or, is that even possible? I also use MALWAREBYTES, which, like you wrote above, did not find it! not all programs find everything!


Carlos Coquet
October 15, 2010 10:19 AM

Without details about the so called infection and what it is doing, it's not possible to tell for sure but there is another scenario. The virus may be targeting the machine by IP address if they are exploiting a known Windows vulnerability. I have seen hackers even turn on a machine that is off via the Internet by knowing it's IP address. (Remote wakeup is sometimes permitted by default in CMOS Setup.)
In this case, unless the subscriber is paying for a static IP address, it is possible to get a new address by turning the cable or DSL modem off then back on. Success will vary by provider. Cox Communications, the cable modem must be off for well over a day before it will get another IP address. I've never actually measured it but it is a long time. Qwest assigns the location a new IP address if the modem goes off the air only for a few minutes. Other ISP's may have varying policies. Just check the modem/router's WAN IP address before and after by looking at the device via your browser.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.