
Recovering from a bad virus infection isn't always easy, but there are some things to try before drastic measures need to be taken.

Over the past weeks on my machine:

  • I've had frequent re-infections of some virus or Trojan that resets my IE home page, disables Task Manager, and blocks my access to System Restore.
  • Several times each day, I run AdAware, Spybot, and my virus program (Panda) to remove identified infections and spyware.
  • I read that disabling System Restore and then running a virus scan would clean out any virus strands that were inadvertently being backed up with each shutdown/startup cycle.
  • My virus and spyware programs sometimes identify Services.exe and Winlogon.exe as viruses. When this happens, these files are referenced as being located in the C:\Windows\inetdata sub-directory (which is not where they should be).

Did I royally screw things up by disabling System Restore? I understand by doing this, I erased all existing restore points so that wouldn't surprise me.

First, let me say this...

YIKES!

You've got a serious infection here that some of us would technically characterize as a "mess".

In all honesty, I'm not sure that the patient will survive.

Before we bring out the big guns, let's run through the steps that I'd consider using to try and recover without just giving up and starting over.

Then, after all that, I'll explain why starting over might well be the most pragmatic, safest thing to do.

Virus Recovery Checklist


Here's how I'd proceed:

  • Disconnect the infected machine from the network. Not only do we not want things to get worse, we also don't want any malware on this machine to start sending spam or perhaps propagate to other machines over the net.

  • Backup the infected machine - ideally, a system image. Yes, this "backs up" the infection as well, but it also captures all of your data files and other system components and represents a "can't get any worse than this" point in time.

  • Use another machine to download and burn to CD the Microsoft Standalone System Sweeper. It's important that you do this on another machine - one that is presumably not infected - so that you're assured of a clean and un-infected result. It's also important to download a recent copy so that the Sweeper itself contains as much information to detect the latest malware threats as possible.

  • Reboot the infected machine from the MS System Sweeper CD and have it run a thorough scan of all of the hard drives on that machine.

  • Reboot the infected machine in safe mode.

  • On another machine, download RKill from the folks at BleepingComputer.com. (Be careful: at this writing, there's an ad immediately above the download link that looks like the download link. It is not. Be sure to grab RKill itself.) Also download the latest free copy of Malwarebytes' Anti-Malware. Copy both of those tools to a flash drive or other media that you can use to take them to the infected machine.

  • Run RKill on the infected machine. Quite often, malware that is running on your machine will actively prevent you from downloading or even running anti-malware tools. RKill kills those that it knows of so that you can move on to the next step.

  • Run Malwarebytes Anti-Malware and perform a thorough scan of all of the hard disks on the infected machine.

  • Run the anti-malware tools that you already have on your infected machine. Once again, have them do a thorough scan of all hard disks.

  • Run the system file checker for good measure, to replace any system files that were lost or damaged after all this. (You may need your Windows installation media for this.)

  • Reboot in normal mode and connect back to your network.

  • Run RKill again.

  • Re-run the anti-malware tools that you already have on the infected machine, but this time, force them to update their malware databases first.

  • Re-run Malwarebytes Anti-Malware, having it also update its database first.
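One symptom in the question is worth a quick check while you work through the scans above: core Windows binaries such as services.exe and winlogon.exe being reported in C:\Windows\inetdata rather than in System32. The script below is an added example and is not part of the original article or any of the tools it names. It takes a process listing in CSV form with Name and ExecutablePath columns (the kind `wmic process get Name,ExecutablePath /format:csv` produces; the sample text embedded here is constructed, not real output) and flags any core binary that is running from somewhere other than the System32 directory. The expected directory and the list of core binaries are assumptions for a default install with Windows in C:\Windows.

```python
r"""Flag core Windows processes that run from outside their expected directory.

Added example, not from the Ask Leo! article. The question mentions services.exe
and winlogon.exe reported under C:\Windows\inetdata, which is not where they
belong. This checker parses a process listing (name plus executable path) and
reports any process whose name matches a core system binary but whose path is
not inside the expected System32 directory. Sample input below is constructed.
"""
import csv
import io
import ntpath

# Core binaries that should only ever run from %SystemRoot%\System32.
# Assumption: default install with SystemRoot at C:\Windows.
EXPECTED_DIR = r"C:\Windows\System32"
CORE_BINARIES = {"services.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}


def parse_wmic_csv(text):
    """Parse 'wmic process get Name,ExecutablePath /format:csv' style output.

    The real command prints a leading blank line and a 'Node' column; this
    parser is header-driven, so column order does not matter. Returns a list
    of (name, path) tuples; rows with no path keep '' as the path.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    records = []
    for row in reader:
        name = (row.get("Name") or "").strip()
        path = (row.get("ExecutablePath") or "").strip()
        if name:
            records.append((name, path))
    return records


def _is_under(path, directory):
    """Case-insensitive check that the file sits directly inside directory."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)


def find_misplaced(records):
    """Return (name, path) pairs where a core binary runs from the wrong place.

    A core-binary name with an empty path is skipped: on a live system the OS
    hides the path of some protected processes from non-elevated callers, so
    an empty path is not evidence of anything by itself.
    """
    suspicious = []
    for name, path in records:
        if name.lower() in CORE_BINARIES and path and not _is_under(path, EXPECTED_DIR):
            suspicious.append((name, path))
    return suspicious


# Constructed sample resembling wmic CSV output. The inetdata rows mirror the
# symptom described in the question; none of this is output from a real machine.
SAMPLE_WMIC_OUTPUT = """
Node,ExecutablePath,Name
PC1,C:\\Windows\\System32\\services.exe,services.exe
PC1,C:\\Windows\\System32\\winlogon.exe,winlogon.exe
PC1,C:\\Windows\\inetdata\\services.exe,services.exe
PC1,C:\\Windows\\inetdata\\winlogon.exe,winlogon.exe
PC1,,csrss.exe
PC1,C:\\Program Files\\Editor\\editor.exe,editor.exe
"""

if __name__ == "__main__":
    for name, path in find_misplaced(parse_wmic_csv(SAMPLE_WMIC_OUTPUT)):
        print(f"SUSPICIOUS: {name} running from {path} (expected {EXPECTED_DIR})")
```

To use it against a real listing, save the wmic output to a file on the infected machine (wmic typically writes UTF-16 when redirected, so open the file with `encoding="utf-16"` before passing the text to `parse_wmic_csv`). A CSV produced by `Get-CimInstance Win32_Process | Select-Object Name, ExecutablePath | Export-Csv -NoTypeInformation` has the same two columns and parses the same way. A hit from this check is a reason to keep going with the scanning steps, not proof on its own; a clean result is likewise not proof of a clean machine, which is the point the rest of the article makes.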

If your machine is working properly at this point and all scans return nothing found, you can start to breathe a sigh of relief.

Maybe.

If that didn't work, and perhaps even if it looks like it did...


If your system is still infected after all of that, then things begin to look fairly bleak. It's at this point that I typically throw my hands up and move on to this:

  • Backup your system entirely, if you didn't already.

  • Reformat the hard disk, erasing everything.

  • Reinstall Windows from scratch.

  • Install updated security software.

  • Install the applications that you need.

  • Recover your data from the backup or from other sources.

While that's a shorter and clearer list, it's also a fair amount of work.

But here's the deal: when all is said and done, it's often less work than all of the flailing around for days trying to remove a virus. Frequently, you'll spend less total time starting over in this manner than you would trying to "fix things".

Starting over is the only guarantee

At the end of the recovery checklist above, we assume that if things appear to be operating properly and the tools don't report any infections, we must have successfully eradicated the threat.

Not so fast.

The problem is simple: once your machine has been infected with malware, it's not your machine any more. The malware authors could have done just about anything, including installing malware that appears not to impact your system and avoids detection.

The bottom line is that even after all of the steps to remove the problem, there's simply no guarantee that you did.

None.

I hate to say it and I know that it's not always practical, but once infected, the only way to guarantee that you're no longer infected is to reformat and reinstall.

A shorter version

What I've just given you is the long version of all of the steps that you might take to recover from a malware infestation.

Here's a much, much shorter version:

  • Restore the machine to an image backup taken prior to the infection.

That's it.

Of course, it assumes that you've been backing up regularly and properly. If you haven't been, then this one-step solution simply isn't available to you.

Now, perhaps, you can see why frequent full-system backups are so valuable. Do them daily and recovery from these kinds of crises is often as simple as "restore to yesterday's backup".

What about System Restore?

System Restore doesn't restore your system.

I tend to think of System Restore as a glorified registry backup and not a lot more. Yes, it does more than that, but what it doesn't do is restore files to their pre-infected state. It can remove some symptoms of malware but it doesn't actually remove the malware.

Turning off System Restore as you describe for the malware scans can make sense and certainly wouldn't make things worse. In a sense, it gets System Restore "out of the way" to allow the anti-malware tools to clean up what they find.

But that's about it.

I hear of enough failures with System Restore - both technically and with respect to what people expect it to do that it does not - that I simply disable it completely. I rely on my regular backups instead.

Reinfection

If you quickly get re-infected ... well, that would concern me.

It means that in addition to doing what I've outlined above to recover from the infection, you also need to re-evaluate your safety measures and your own behavior.

Naturally, using things like anti-malware tools and firewalls and keeping your system as up to date as possible are all important and you should make sure that those are in place and properly configured.

Perhaps what's even more important are your own habits. No amount of security software can protect you from yourself. Make sure that you're approaching the internet with the appropriate amount of skepticism and not opening unidentified attachments, visiting malicious web sites, downloading from untrusted sites and so on.

Next Steps

If you're not backing up, do so. Start with How do I backup my computer? There's also a full list of articles on maintenance and backup that might be of interest.

It's probably also worth reviewing what I consider perhaps the most important article on Ask Leo! - Internet Safety: How do I keep my computer safe on the internet? Review your situation and make sure that you're doing everything that you can to keep a malware infection from reoccurring.

(This is an update to an article originally published January 30, 2005.)

Article C2271 - October 23, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.


Comments

Last year, my hubby had malware and it wouldn't let us d/l or update Malwarebytes on his computer so I d/l it to a thumb on my computer, and ran it on his computer from the thumb drive and it worked beautifully. I felt so smart. thanks for giving so much help. I'll be trying this since my computer is giving me fits now.

Posted by: Kitty at November 13, 2011 9:42 AM

First, I would get rid of any 'anti-malware' program that lists Winlogon.exe and Services.exe as viruses; these files are necessary for Windows to run properly. Sounds to me like your anti-virus may actually be the culprit.
What I generally use on my customers' computers is AVG Free 2012 anti-virus (with the 2012 version you now need to go in and change some settings when installing, like making it scan every day), Malwarebytes anti-malware, replace Windows Firewall with Comodo Pro Firewall (also free to use), and then I put A-squared Free Emergency Kit somewhere I can easily find it if needed (it does not install, but you can still put it under 'Program Files' and make a shortcut to the desktop). In over 3 years of using this combination, I have not once had to do a complete re-install, as this level of protection has always done the trick! The problem is getting the customer to actually USE the software. Many tell me they do, then I open Malwarebytes for example, and find it hasn't been updated in 182 days or something. I've also had a couple of customers say "I just click OK when the Comodo 'thing' pops up" (letting virtually anything in and out of their computers) - security programs don't help if they aren't used!!!
As far as System Restore, it is far from perfect, and often doesn't work at all. I wouldn't recommend disabling it, but I certainly wouldn't rely on it except as a last resort. As far as System Restore hiding viruses, any good anti-virus (like AVG) should be scanning the System Restore folder(s) anyway!

Posted by: Dave Markley at November 29, 2011 9:54 AM

@Dave Markley
Just a little comment on Winlogon.exe and Services.exe. In the question, these files were not located in the correct folders, a strong indication of malware posing as system software. And even a legitimate system file may be infected or replaced by malware.

Posted by: Mark J at November 29, 2011 12:10 PM

So long as you're not dealing with one of those monsters that demand a ransom to unencrypt your data, it is possible to eradicate an infection without wiping the system.
Some of the infestations can be truly annoying. Every last little bit must be removed or it comes right back when the computer connects to the Internet. Virtumonde is one such example. It loads infected DLL files, an infected wallpaper, an infected add-on which redirected the home page to an infected website, along with some hidden registry changes to reload the mess in the event all others were removed. The DLL files were the tough ones to crack, as they would immediately hook into winlogon as soon as Windows started to boot. It was simply not possible to delete them from Windows, even with a pre-boot scan. I finally identified the two phony DLL files, booted up a Linux CD and deleted them.
I've seen malware that turns off anti-virus software and automatic updates. I've dealt with malware that infects the System Restore files. Really, you need someone experienced in malware removal. Of course, it's much like finding a good doctor, plumber or mechanic. You may or may not find a good technician at your local store.

Posted by: Gerald Dreisewerd at December 10, 2011 10:53 AM

Another VERY EASY thing I'd recommend is to install ERUNT. Had an occasion a while back that had me pulling hair out. Days trying to recover from "something". Had about given up and started taking notes on tweaks and programs I needed to restore, etc.
Was going to do a clean install and just thought what the hell, couldn't hurt, so I did a registry restore (from ERUNT) and in seconds it was working fine (and ever since then).
NOW I keep the latest registry backups from ERUNT and CCleaner (a couple of the latest of each).
Might help to save them to a stick.

Posted by: GeorgiaCowboy at December 20, 2011 7:32 PM