Helping people with computers... one answer at a time.

Recovering from a bad virus infection isn't always easy, but there are some things to try before drastic measures need to be taken.

Over the past weeks on my machine:

  • I've had frequent re-infections of some virus or Trojan that resets my IE home page, disables Task Manager, and blocks my access to System Restore.
  • Several times each day, I run AdAware, Spybot, and my virus program (Panda) to remove identified infections and spyware.
  • I read where disabling System Restore and then running a virus scan would clean out any virus strands that were inadvertently being backed-up with each shutdown/startup cycle.
  • My virus and spyware programs sometime identify Services.exe and Winlogon.exe as viruses. When this happens, these files are referenced as being in located in the C:\Windows\inetdata sub-directory (which is not where they should be).

Did I royally screw things up by disabling System Restore? I understand by doing this, I erased all existing restore points so that wouldn't surprise me.

First, let me say this...

YIKES!

You've got a serious infection here that some of us would technically characterize as a "mess".

In all honesty, I'm not sure that the patient will survive.

Before we bring out the big guns, let's run through the steps that I'd consider using to try and recover without just giving up and starting over.

Then, after all that, I'll explain why starting over might well be the most pragmatic, safest thing to do.

Virus Recovery Checklist

Infected Computer

Here's how I'd proceed:

  • Disconnect the infected machine from the network. Not only do we not want things to get worse, we also don't want any malware on this machine to start sending spam or perhaps propagate to other machines over the net.

  • Backup the infected machine - ideally, a system image. Yes, this "backs up" the infection as well, but it also captures all of your data files and other system components and represents a "can't get any worse than this" point in time.

  • Use another machine to download and burn to CD the Microsoft Standalone System Sweeper. It's important that you do this on another machine - one that is presumably not infected - so that you're assured of a clean and un-infected result. It's also important to download a recent copy so that the Sweeper itself contains as much information to detect the latest malware threats as possible.

  • Reboot the infected machine from the MS System Sweeper CD and have it run a thorough scan of all of the hard drives on that machine.

  • Reboot the infected machine in safe mode.

  • On another machine, download RKill from the folks at BleepingComputer.com. (Be careful: at this writing, there's an ad immediately above the download link that looks like the download link. It is not. Be sure to grab Rkill itself). Also download the latest free copy of Malwarebytes' Anti-Malware. Copy both of those tools to a flash drive or other media that you can use to take them to the infected machine.

  • Run RKill on the infected machine. Quite often, malware that is running on your machine will actively prevent you from downloading or even running anti-malware tools. Rkill kills those that it knows of so that you can move on to the next step.

  • Run Malwarebytes Anti-Malware and perform a through scan of all of the hard disks on the infected machine.

  • Run the anti-malware tools that you already have on your infected machine. Once again, have them do a thorough scan of all hard disks.

  • Run the system file checker for good measure, to replace any system files that were lost or damaged after all this. (You may need your Windows installation media for this.)

  • Reboot in normal mode and connect back to your network.

  • Run RKill again.

  • Re-run the anti-malware tools that you already have on the infected machine, but this time, force them to update their malware databases first.

  • Re-run Malwarebytes Anti-Malware, having it also update its database first.

If your machine is working properly at this point and all scans return nothing found, you can start to breathe a sigh of relief.

Maybe.

If that didn't work and perhaps even if looks like it did...

“The bottom line is that even after all of the steps to remove the problem, there's simply no guarantee that you did.”

If your system is still infected after all of that, then things begin to look fairly bleak. It's at this point that I typically throw my hands up and move on to this:

  • Backup your system entirely, if you didn't already.

  • Reformat the hard disk, erasing everything.

  • Reinstall Windows from scratch.

  • Install updated security software.

  • Install the applications that you need.

  • Recover your data from the backup or from other sources.

While that's a shorter and clearer list, it's also a fair amount of work.

But here's the deal: when all is said and done, it's often less work than all of the flailing around for days trying to remove a virus. Frequently, you'll spend less total time starting over in this manner than you would trying to "fix things".

Starting over is the only guarantee

At the end of the recovery checklist above, we assume that if things appear to be operating properly and the tools don't report any infections that we must have successfully eradicated the threat.

Not so fast.

The problem is simple: once your machine has been infected with malware, it's not your machine any more. The malware authors could have done just about anything, including installing malware that appears not to impact your system and avoids detection.

The bottom line is that even after all of the steps to remove the problem, there's simply no guarantee that you did.

None.

I hate to say it and I know that it's not always practical, but once infected, the only way to guarantee that you're no longer infected is to reformat and reinstall.

A shorter version

What I've just given you is the long version of all of the steps that you might take to recover from a malware infestation.

Here's a much, much shorter version:

  • Restore the machine to an image backup taken prior to the infection.

That's it.

Of course, it assumes that you've been backing up regularly and properly. If you haven't been, then this one-step solution simply isn't available to you.

Now, perhaps, you can see why frequent full-system backups are so valuable. Do them daily and recovery from these kinds of crisis are often as simple as "restore to yesterday's backup".

What about System Restore

System Restore doesn't restore your system.

I tend to think of System Restore as a glorified registry backup and not a lot more. Yes, it does more than that, but what it doesn't do is restore files to their pre-infected state. It can remove some symptoms of malware but it doesn't actually remove the malware.

Turning off System Restore as you describe for the malware scans can make sense and certainly wouldn't make things worse. In a sense, it gets System Restore "out of the way" to allow the anti-malware tools to clean up what they find.

But that's about it.

I hear of enough failures with System Restore - both technically and with respect to what people expect it to do that it does not - that I simply disable it completely. I rely on my regular backups instead.

Reinfection

If you quickly get re-infected ... well, that would concern me.

It means that in addition to doing what I've outlined above to recover from the infect, you also need to re-evaluate your safety measures and your own behavior.

Naturally, using things like anti-malware tools and firewalls and keeping your system as up to date as possible are all important and you should make sure that those are in place and properly configured.

Perhaps what's even more important are your own habits. No amount of security software can protect you from yourself. Make sure that you're approaching the internet with the appropriate amount of skepticism and not opening unidentified attachments, visiting malicious web sites, downloading from untrusted sites and so on.

Next Steps

If you're not backing up, do so. Start with How do I backup my computer? There's also a full list of articles on maintenance and backup that might be of interest.

It's probably also worth reviewing what I consider perhaps the most important article on Ask Leo! - Internet Safety: How do I keep my computer safe on the internet? Review your situation and make sure that you're doing everything that you can to keep a malware infection from reoccurring.

(This is an update to an article originally published January 30, 2005.)

Article C2271 - October 23, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

52 Comments
Phil O
February 17, 2005 4:31 PM

I have a question related to this one. I recently went away for a trip for 4 days and forgot to shut down my computer and most importantly my MSN Messenger 7.0 (terrible program when it came to security, I'm glad they pulled it!)and when I got back I was infected with over 200 adware and spyware items. I also had the WINIS.EXE virus and some REBATES.EXE program that would endlessly re-install itself.
Anyway, I have rid my computer of all virus and spyware infections, but the virus cause me to not be able to log in to MSN Messenger, Hotmail or any other Passport sites, and it is not allowing me to download from microsoft.com and a couple other sites once in a while. I can't reformat my computer as my CD-Roms were stolen from me and I also have an abundance of files that are near and dear to me.
When I enter my login and password to hotmail.com I get the "page cannot be displayed" message. When I log into Mesenger, it acts as if I don't have an internet connection, but when I click "help" it runs a test and tells me that I should be able to connect. When I open Outlook Express, I can check my emails from my ISP's mail, but once I click a Hotmail folder, I get an error in Shlwapi.dll and Outlook Express shuts down. I stupidly uninstalled Outlook Express and Messenger (I did back up my emails and my history for when I re-install) however, I didn't realize that now I cannot download anything from Microsoft.com!!! Then when I try to go to Windows Update, I'm told I clicked "no" to the trust certifcate or that my security settings are too high. This is not true, to the naked eye all these things should be working!
What kind of steps can I do (I'm very good with following directions on fixing things) to allow access to hotmail again and to allow MSN Messenger to work and to download from Microsoft. These problems don't occur on other machines, so I know it's only this one. Nobody can help me - can you? I beg you! Thanks!

Critter
February 19, 2005 12:38 PM

I just emailed you a reply, then realized your address is @hotmail, which you can't get into. I'll post again here in case you don't get to another machine to check your mail for a bit...

try start>run and type in:

regsvr32 softpub.dll

and click OK. If that doesn't work, check the KB article below:

http://support.microsoft.com/?kbid=813444

kim
March 20, 2005 5:24 AM

i had a msn virus which i have now got rid of but when i got it, it took the sound and even though i have got rid of it the sound hasnt come back can u email plz letting me know what i can do

David
April 17, 2005 6:36 PM

I have a computer that was running extremely slow and locking up from time to time.
I tried to do a restore but it won't go all the thru the install. It stops running in the middle.
I had a similar problems years ago and it turned out to be a boot sector virus. Is there anything out there that can be run on a computer without an operating system

david
August 1, 2005 7:30 PM

Dear Leo,
I am a bit if a novice when it comes to computers. Recently, it seems like some nasty virus or whatever has invaded my computer. IE got a new toolbar and a whole bunch of programs kept trying to access the internet, but my firewall kept blocking it. I downloaded a few free anti virus programs(AVG, ad-aware se, spybot and hijack-this)and apparently it got rid of the whole system. Just today, however, the stuff has come back in more force, stopping all my anti virus programs opening and stopping firefox from working (I also have this problem with IE that it sais that my security doesn't allow downloading and i can't find the option to turn it off in the options dialogue box)I re-opnened firefox from the windows task manager and downloaded these anti virus programs, but now they just aren't getting rid if everything (adawre-se keeps on finding stuff, but half of my programs are still messed up. It does look like there are similar experiences here, however, I as I said I am a novice to computers and I don't want to mess things up.

Daniel Leather
September 14, 2005 10:58 AM

I have a question for leo when i was on msn people were sending me files and they could of been carying viruses ( might not have been ) and the next day i was downloading backgrounds for my pc and it suddenly just went of so i thought i would have a chat on msn without people sending me files and when i was half way through a conversation with one of my friends it just went of and about 5 internet explorers came up and i couldunt get back onto the convo unless i sign out and back in agen or someone sends me a nudge and it also affects internet explorer when i load something up it just goes straight of or onto and different wesite it is happening now so please help me from daniel leather

Leo
September 14, 2005 9:04 PM

I'm having trouble understanding your question, but it sounds like you simply need to run anti virus and anti virus scans. Review this article: http://ask-leo.com/how_do_i_keep_my_computer_safe_on_the_internet.html

jhovany
October 8, 2005 8:59 PM

how do you now that you have a virus and i need help getting rid of the trojan virus plz right back as fast as possible

Vic
October 29, 2005 3:29 PM

Hi,
I came upon this site when trying to find a way to fix my msn. I'm having a similar problem to the like of the one that Phil O posted. I cannot open my msn (MSN Messenger 7.0), hotmail or any othe passport sites, and it is not allowing me to download from microsoft.com and a couple other sites once in a while.
When I enter my login and password to hotmail.com I get the "page cannot be displayed" message. When I log into Mesenger, it acts as if I don't have an internet connection, but when I click "help" it runs a test and tells me that I should be able to connect. What can I do? I tried following the help link that someone posted, but it's for an microsoft page and I can't access it. I've done numerous virus scans and nothing is coming up, and re-installing windows is an option I would leave to the utmost last if I can't fix this problem. No one else I knows is having this trouble...can someone please outline steps I can take to fix this problem?

Leo A. Notenboom
October 29, 2005 6:06 PM

You might try this article: http://ask-leo.com/how_do_i_resolve_my_msn_hotmail_sign_in_problems.html

chantel
November 21, 2005 9:38 PM

hi
my windows messenger is working fine..but my msn messenger 7.0 is not working. i have tried uninstalling it from my computer, then re-installing it..but when i try to sign in, it says 'sorry, we were unable to sign you in to the msn messenger at this time. please try again later. 80072efd '...what am i supposed to do to get it working?! (why is it not fnctioning properly??) please help. thankyou..

elmer
February 2, 2006 9:49 PM

HI my name is elmer im trying to help a friend her sons computer has 200 virus's what do i do it has a worm in it. thats what it said when i ran a test and then the price . so i tried to run norton 2006 internet (she bought that) but can't get it to do the test so i was think of using the sfc to see if that works the pc is a dell and has 20gb hard drive and 128mb or memory can you help me(have windows xp homeon it know and she has xp pro how to undo this mess help me pull my head out. thank you p.s thank you lol and have a year

Matt
February 3, 2006 4:32 PM

I am having similar problems as described above except I am unable to access anything. That includes all my firewall downloads and ad-aware(which I have had on my computer for some time). I cannot even get into programs like MS Word. I just keep getting a message that Windows cannot open this file... Please help

Aygen
February 16, 2006 6:08 PM


Hi leo
with attack of virus , my all files becomes 1kb and i couldnt open them!
Could u help me to recover my files?
i think i deleted the virus but files are still not opening
Thanks alot for your help
and greetings from turkey

shaw
May 29, 2006 6:46 PM

this isn't really about recovering but im asking how to get rid of one. the icon for microsoft will appear in the quick launch icons and then it will turn into a red circlewith a white x in it and a ballon will pop up saying "your computer has been infected" and then it will tell me about clicking it to buy an anti spyware program i dont have the money to get a new one and i can't logon to all password protected sites/accounts to anything nor can i watch any sort of movie on my computer. do you have somthing to help me?

Leo
May 29, 2006 6:49 PM

My guess is that icon is, itself, a spyware or virus infection. These articles include links to some free scanners: http://ask-leo.com/viruses_how_do_i_keep_myself_safe_from_viruses.html and http://ask-leo.com/spyware_how_do_i_remove_and_avoid_spyware.html

Lemana
June 12, 2006 10:00 AM

Hey. I have been trying to recover from this virus for a while. It makes my mouse click a million times at once and it makes screens dissappear as soon as they appear such as IM screens or the taskmanager and it erases everything i type on a website while im online. I have try ad-aware, spybot, i have a brand new version of norton but NOTHING is working. Please help.

Hannah
June 13, 2006 2:50 AM

Hi.
I recently got a virus from Msn messenger.
My friend sent this link and it send "hey check out these pics of us on myspace" and then had a link.
So I clicked it and now while I am on msn it opens all my contacts and writes in that same thing and I cant talk to anyone unless i sign out and back in agin. please help.
Hannah

junelle
June 29, 2006 3:48 PM

i know this isnt in the article above but i dont know what to do!!! i use avg and have been told that sometimes it stops my internet connection.Can i fix this without having to buy a different security program

charlotte
July 28, 2006 8:26 AM

a comment on my computer keeps sayin your computer is infected! windows have detected a spyware infection. what do i do about it please help

sarah
December 22, 2006 4:57 AM

hey i need help i have had 22 trojan horses and now my pc is realy slow it wont let me do anthing on it and things kep going missing i dont thinnk that the viruses have gone i use McAfee. plz help thank you

Laura
March 24, 2007 9:32 PM

My virus/ spyware is gone! My computer goes way slower now even though my virus is gone. How do I get back to normal?

Leo Notenboom
March 25, 2007 10:50 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't understand what's "gone". You believe you've cleared yourself from
infection, but things are still slow? Then I'd have you read this article:
http://ask-leo.com/why_is_my_machine_slowing_down.html

Your anti-virus and anti-spyware programs are gone? Reinstall them.

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGBrZfCMEe9B/8oqERAsavAJ9RiQvdYzIiR3HZ+ubQKlS+EB1ODgCfRm84
NsgwNrPmp+YX2aNe5/M8sZQ=
=IZUQ
-----END PGP SIGNATURE-----

Josh
June 13, 2008 1:05 PM

My computer started shutting down on its own after about 5 minutes. I was able to download an antivirus software that I bought from office depot and when it said restart, it shut down again but now it won't come on at all. It sounds like it is running and one green light lights up but that is it. WHAT DO I DO, PLZ HELP.

JL
August 28, 2008 10:53 AM

Hello,

I got some Trojan Viruses by email, machine would not even boot up, ran system recovery instead of system restore.

Can I go back and run system restore now.

Mr.Will
October 21, 2008 6:42 PM

I think I may be virused - very odd things have been happening, though I used AVG and other products!

Basically opening files seems to take much longer, and every time I open a folder the system hangs slightly. This never happened before, I got the system built to spec so I could do plenty of photo and music editing! I am running windows XP as well.

ALso folders on the desktop seem to just go missing. My concern is that nothing seems to pick up anything wrong - is there any way I can check for sure I am being virused and are the steps there what you would reccomend in this instance?

Thank you!

Mr.Will

Tiffany
December 7, 2008 3:57 AM

A Few Days Ago When I Had Norton Security scan i found 42 cookies and 8 Bugs, I thought i got rid of them, and they came back, why wont they go? i system restored but they still came back. Plz Help!

Huda
January 7, 2009 7:00 AM

Hi i had this problem.. i used my usb on some public pc and i had some important pictures in tht and now when i used it on my pc, every picture folder is missing.. im really worried plz help me out how can i get those pictures back

andy84
March 18, 2009 6:39 AM

U have option in windows explore where in u can uncheck the option/show all hidden folders and then check.....

Sofia Brown
July 20, 2010 9:40 PM

Step 1: Click the "Start" menu button in the lower left-hand corner of the Windows XP screen. Select "Restart" to reboot your computer.

Step 2: Launch your antivirus program by double-clicking its icon or selecting it from the Windows XP Start menu. Click "Scan" in the antivirus-program interface to have the software scan your entire computer for viruses and Trojans. Wait for the program to finish scanning your entire computer. Depending on the speed of the PC processor, this process may take several hours.

Step 3: Delete any Trojan-horse viruses discovered by the antivirus program. Some antivirus programs allow you to simply quarantine a file. Do not quarantine a file infected by a Trojan horse.

Step 4: Back up your computer data after finding and removing the Trojan horse and deleting the infected file. You may either use blank CDs/DVDs or an external hard drive. Having a backup of your computer data allows you to remove and delete future infected files and replace them with a clean, pre-infected version of the file.

Step 5: Consider activating the built-in "System Restore" feature in Windows XP. Click the "Start" menu button and select "Control Panel." Double-click the "Performance and Maintenance" icon and click the "System Restore" tab in the "System Properties" window. "System Restore" saves the state of your Windows XP installation at regular increments. If a Trojan horse or other virus infects and corrupts your hard drive, you can simply have Windows XP revert to a previously saved version of your hard drive.
http://antivirus.iyogi.net/help-support/tech-support-to-remove-trojans-and-viruses.html

FRED
November 28, 2010 5:49 AM

multiple system restores r/t viruses it doesnt seem like it but i know bout prevention how do format all of hard drive ive done in the past not too hard or dongerous is it?

Linux
August 20, 2011 6:23 PM

Install Ubuntu (linux)

Ken B
October 24, 2011 6:33 AM

I have to disagree with your suggestion to turn off "System Restore". I don't think I've ever seen an infected system where System Restore caused any problems. I have, however, seen numerous systems where removing the infections corrupts the registry in some manner, leaving the system unbootable. (Most likely, the registry is still pointing to the now-removed infection.) On those systems with System Restore, it's about 10-15 minutes to get the system back to a running state, whereas those without it require the backup/wipe/reinstall approach at that point.

And, on a few very-rare occasions, I've seen a driver update leave the system in a "boot to BSOD" state, which is quickly remedied by a System Restore. (The system won't boot, so you can't get to the "rollback driver" option.)

Josh
October 25, 2011 8:37 AM

I see iyogi is resolute in advertising anywhere they go. Just be aware of contacting them, they maybe legit but they do carry out aggressive hard sell.

I think before you suggest re-formatting and re-installing, you should go to free help forum and bleepingcomputer is mentioned. The help is free and they can help you to remove.

Cindy Gioffredi
October 25, 2011 10:35 AM

I absolutely agree that System Restore must be disabled. At least if you are attempting to clean a computer that is NOT your own. Can't tell you how many times an employee has come to me to say "My computer has been acting up for a week or so . . ." Nice. (NOT) At this point, the malware has most likely been included in one of the system restore file - who's to say it can't STILL deploy? I've seen some incredibly ingenious mutations occur with root kits (at this point - root kit scenario - I xxxooo the entire hard drive, re-format, re-partition, reload the OS - I don't even trust the MBR after a root kit has been hiding out) At the very least, the A-V program you are running will continue to see this malicious file in the System Restore & flag your PC as infected. & if this is not YOUR computer & you can't know for sure WHEN it was actually infected, why risk an infected System Restore? This is why you BACKUP, BACKUP, BACKUP!!!! The question to ask is not WILL you ever need a backup, the question is WHEN will you need a backup. It's just a question of time when you manage multiple PCs on a network. I also scan the server(s) as soon as I disconnect the infected PC from the LAN.

Jim H
October 25, 2011 10:39 AM

Yes, a virus inSystem Restore has caused problems. It happened to me once some years ago. By default my anti-virus software DID NOT scan the System Restore back-up files. Maybe today this has changed and they are scanned as part of the routine. If not, the anti-virus can be configured to scan them.

In my case a complete system scan showed my system to be clean. Then when I would use my computer I would get an alert that a trojan had been detected. I would then run a complete scan which always came up clean. I finally went to the manufacturer's site (of my anti-virus software) and ran a remote scan which found the virus in my System Restore files. It wasn't active, but was stored in them.

That brings me to the second point. If you disable System Restore and reboot as instructed to, your System Restore files are dumped. When you re-enable System Restore there are no previous restore points recovered. I imagine with some kind of file recovery software it may be possible to recover them but i don't know why anyone would want to, especially if there was a risk of infection. This info is based on the XP operating system. I am not sure about Windows 7 and if it is possible to keep the restore files.

Jim H
October 25, 2011 10:52 AM

I forgot to add that reading all these 'I'm having problems' posts makes the arguments I have read that anti-virus software is all but obsolete seem pretty silly.

daffey
October 25, 2011 11:03 AM

Regarding RKill, it's possible it may not run as downloaded, and may require a slight name change to be run. (the virus knows about RKill ) I have changed it to something like RBill (dot) exc to circumvent the virus. The dot is a real dot, but most scanners prevent me from sending it as such. Once run, the rest of Leo's commentary worked as stated.

Ron Hirsch
October 25, 2011 11:48 AM

Too many people think that Windows System Restore can resolve all the problems their system might run into, including viruses et al. This is simply not so.

System Restore helps you restore your computer's system files to an earlier point in time. It's a way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos. So, when complex problems arise, System Restore my not work at all.

To me, the best approach is to get a program called True Image, by Acronis. This program can create a complete image of your entire hard drive. and store it where you dictate. I have used True Image for many yeas, and it has saved my butt more times than I can remember.

Obvioulsy you cannot store the images on the same drive letter that you are imaging.

Then when a serious problem arises, you can have True Image do its thing, and remove everything on your drive, and replace it as it was when you created the image. I create images weekly on all my computers. Then when any problem arises, I can go back in time and fix things nicely. For most people, the best place to store these images is an an external USB or eSata hard drive

You must remember, that all files that you added to your system C drive since the last image created, will now be gone. So it also makes good sense to back up such files - photos, documents, et al, to the external backup drive. If your system has internal drive(s) other than the C drive, you can also use them for storing the images, and other backups. In fact, it might be easier storing such files on the other internal drive to begin with, since the System C drive is generally the one that gets "attacked" or corrupted.

Every system I've had in the past 25 years has had a hard drive "fail". While they may claim hundreds of thousands of hours for the MTBF, don't count on it. If you want real protection here, here, I say that True Image is the way to go

Using this approach, you're protected when your C drive gets hit by malware, when it fails, when files get corrupted, et al.

I personally recommend doing images weekly. And, as your library of images grows, you can just delete some of the older ones to make room for newer ones.

David
October 25, 2011 12:54 PM

I recently had a nasty rootkit that made so many bad things happen (and good things not happen) quite similar to those described here that despite my best efforts with antivirus, Malwarebytes, and more, I found no relief. I downloaded Combofix from bleepingcomputer.com and ran it in Safe Mode and voila -- back in business.

Mic
October 25, 2011 3:34 PM

Great article! This hasn't happened to me (knock, knock) but I'm saving a copy of this for reference.

Al K
October 26, 2011 5:05 AM

Leo ... Another great, comprehensive article ... Thanks ... Al

Laverne
October 26, 2011 5:33 PM

Question. After rebooting into Safe Mode, I thought you could not read CDs nor Flash Drives. You said to put MalwareBytes etc on media to carry to the infected machine. But how do you read these in Safe Mode?

You should be able to read CDs and USB drives in Safe Mode.

Leo
27-Oct-2011
JoHan
November 5, 2011 9:31 PM

Well written, informative article. Thanks Leo!
In my 20+ years I have never had a "mess" such as was described - but I have saved this article.
You never know what the next millisecond will bring.

Kitty
November 13, 2011 9:42 AM

Last year, my hubby had malware and it wouldn't let us d/l or update Malwarebytes on his computer so I d/l it to a thumb on my computer, and ran it on his computer from the thumb drive and it worked beautifully. I felt so smart. thanks for giving so much help. I'll be trying this since my computer is giving me fits now.

Dave Markley
November 29, 2011 9:54 AM

First, I would get rid of any 'anti-malware' program that lists Winlogon.exe and Services.exe as virus, these files are necessary for Windows to run properly. Sounds to me like your anti-virus may actually be the culprit to me.
What I generally use on my customers' computers is AVG Free 2012 anti-virus (with the 2012 version you now need to go in and change some settings when installing like making it scan every day), Malwarebytes anti-malware, replace Windows Firewall with Comodo Pro Firewall (also free to use), and then I put A-squared Free Emergency Kit somewhere (it does not install, but you can still put it under 'Program Files' and make a shortcut to the desktop) I can easily find it if needed. In over 3 years of using this combination, I have not once had to do a complete re-install as this level of protection has always done the trick! The problem is getting the customer to actually USE software. Many tell me they do, then I open Malwarebytes for example, and find it hasn't been updated in 182 days or something. I've also had a couple of customers "say I just click OK when the Comodo 'thing' pops up" (letting virtually anything in and out of their computers) - security programs don't help if they aren't used!!!
As far as System Restore, it is far from perfect, and often doesn't work at all. I wouldn't recommend disabling it, but I certainly wouldn't rely on it except as a last resort. As far as System Restore hiding virus', any good anti-virus (like AVG) should be scanning the System Restore folder(s) anyway!

Mark J
November 29, 2011 12:10 PM

@Dave Markley
Just a little comment on Winlogon.exe and Services.exe. In the question, these files were not located in the correct folders, a strong indication of malware posing as system software. And even a legitimate system file may be infected or replaced by malware.

Gerald Dreisewerd
December 10, 2011 10:53 AM

So long as you’re not dealing with one of those monsters demand a ransom to unencrypt your data, it is possible to eradicate an infection without wiping the system.
Some of the infestations can be truly annoying. Every last little bit must be removed or it comes right back when the computer connects to the Internet. Virtumonde is one such example. It loads infected DLL filles, an infected wallpaper, an infected Add-on which redirected the home page to an infected website along with some hidden registry changes to reload the mess in the event all others were removed. The DLL files were the tough ones to crack as they would immediately hook into winlogon as soon as Windows started to boot. It was simply not possible to delete them from Windows even with a pre-boot scan. I finally identified the two phony DLL files, booted up a Linux CD and deleted them.
I’ve seen malware that turns off anti-virus software and automatic updates. I’ve dealt with malware that infects the System Restore files. Really, you need someone experienced in malware removal. Of course, it’s much like finding a good doctor, plumber or mechanic. You may or may not find a good technician at your local store.

GeorgiaCowboy
December 20, 2011 7:32 PM

Another VERY EASY thing I'd recommend is install ERUNT. Had an occasion a while back that had me pulling hair out. Days trying to recover from "something". Had about given up and started taking notes on tweaks and programs I needed to restore ect.
Was going to do a clean install and just thought what the hell, couldn't hurt so I did a reg. restore (from ERUNT) and in seconds was working fine (and ever since then).
NOW I keep the latest reg backups from ERUNT and CCleaner (a couple of the latest of each).
Might help to save them to a stick.

dr.noni
April 2, 2013 2:06 PM

if i make backup of my infected sys ,then clean install new windows,then as u recmnded install a updated antivirus then recovr data..wht if this new antivirus when scan my infected data make it corrupt or damaged..especially photos...n can u suggest me wht i must do, my comp is infected n i hav huge collection of photos now where n how i safly transfer them ...i usualyy burns thm to dvd bt now if i burn virus would go them in dvd....n is dvds good medium to save photos for many years...thx..i luvd ur forum

Connie
April 2, 2013 2:20 PM

@dr.noni
All the same you need to back up your data. You can work at cleaning up any residual viruses later.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.