There's no one answer as to what to do if your computer is infested, but my own personal experience may give you some guidance.
This computer's infested, what do I do?
There's no one answer to this question, because virus and malware infestations can be so insidious and so different from machine to machine. However, it might be helpful to walk through a real life example.
You see, this article's question was one I asked myself when I started looking at my brother-in-law's machine.
So this article will be less of an "answer", and more of an example of what recovery looks like as I walk through the steps I took.
First, a bit about the machine. It's a Dell with 96 MB of RAM and a 9 GB hard drive, running Windows 98 Second Edition. I didn't determine the processor speed. It's used on dial-up only, though it does conveniently have a network card. It's a "hand-me-down" machine, having been used in a business setting prior to getting moved into the home. It was not reformatted or rebuilt in between.
The machine is used mostly for email and web surfing. The complaints were overall sluggishness, porn links that wouldn't go away, unwanted search windows, unexplained error messages on startup, and the occasional need to use the reset button to clear a hang.
Sadly, it sounds all too familiar, doesn't it?
I did not hook the machine up to my network initially. Not knowing what was on the machine, I didn't want to take the risk of spreading an infection behind my firewall.
Based on the symptoms, my first priority was spyware. However, in order to get the machine to run for more than a few minutes, it turned out I needed to boot into safe mode, which on this machine appeared to disable the CD-ROM. Using a file-splitting tool, I discovered that Spybot Search and Destroy 1.3 can be copied onto three floppy disks.
Running Spybot in safe mode detected over 150 traces of various forms of spyware/malware.
At this point I decided to risk the network. This allowed me to connect to the internet, update the Spybot database and run it again. It discovered around 25 more traces of spyware.
I then tried to share the drive out, only to have Windows Explorer hang when I tried to use it to get to the sharing options. I eventually discovered that the machine was attempting to load a list of users for access control from a domain controller that probably existed when it used to be a corporate machine. If that doesn't make any sense to you, that's OK; the bottom line is that the network configuration had to be changed to share-level access rather than user-level. Once that was done, I was able to share the root of the drive and access it from my desktop.
The next step was to immediately run a remote virus scan. My virus scanner, CA's eTrust, will scan a drive across the network. Once again, over 150 traces of viruses in various forms. All killed but one. To kill that one, I had to reboot Win98 into MS-DOS mode and rename the offending file.
At last, some progress.
I then installed eTrust directly on the Win98 machine. After updating its virus database I ran it again locally, and it came up with everyone's favorite: Cool Web Search. While it continued, I grabbed a copy of CWShredder (Cool Web Shredder). I ran that and Cool Web Search was gone. (I was lucky; more recent versions of Cool Web Search are apparently much harder to remove.) I re-ran Spybot, and naturally it picked up a couple more small things.
With the machine somewhat more stable, one of the items that Spybot caught in its last run, DSO exploit, reminded me that this machine had probably never seen Windows Update. Off I went, and installed the latest IE6 update on one run, and another dozen or so Windows 98 critical updates on the next.
One of the error messages on startup was about a missing device driver referenced either in system.ini or in the registry. It wasn't in system.ini, so a quick search in the registry editor turned up a few references to a software package that was no longer on the machine. A few appropriate deletes and a reboot, and that error message was gone.
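The check I did by hand above, as an added example that is not part of the original article: parse the device= lines of a Windows 9x-style system.ini and report any that point at a file that is no longer present. The system.ini text, the set of "installed" files and the driver path names are all constructed for the example.

```python
from typing import Callable

# Constructed sample of a Win9x system.ini; not from the machine in the article.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
drivers=mmsystem.dll

[386Enh]
device=*vshare
device=*dynapage
device=C:\\WINDOWS\\SYSTEM\\vmm32.vxd
device=C:\\PROGRA~1\\OLDAPP\\oldapp.386
"""

# Files assumed present on the constructed machine. Entries starting with
# '*' are drivers built into vmm32 and never refer to a file on disk.
PRESENT_FILES = {r"C:\WINDOWS\SYSTEM\vmm32.vxd"}


def device_entries(ini_text: str, section: str = "386Enh") -> list[str]:
    """Return the value of every device= line inside the given section."""
    entries, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
            continue
        if in_section and line.lower().startswith("device="):
            entries.append(line.split("=", 1)[1].strip())
    return entries


def orphaned_devices(ini_text: str, exists: Callable[[str], bool]) -> list[str]:
    """Device entries whose file path no longer exists; built-ins are skipped.

    `exists` is injected (e.g. os.path.exists on the real machine) so the
    check can run against a constructed file set here."""
    return [d for d in device_entries(ini_text)
            if not d.startswith("*") and not exists(d)]


if __name__ == "__main__":
    for path in orphaned_devices(SAMPLE_SYSTEM_INI, lambda p: p in PRESENT_FILES):
        print("startup references a missing driver:", path)
```

The same idea applies to the registry Run keys where the real culprit turned out to be: list what startup references, then verify each referenced file actually exists before deleting the entry.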
With all the software up to date, and the spyware and viruses removed, it was time for a couple more speed-ups.
I emptied a very full IE cache of temporary files, and deleted all cookies and history. Then I defragged the disk.
The eTrust anti-virus scanner is now running and monitoring in real time. Spybot's inoculation is in place to prevent and/or warn of unexpected or malicious software installs.
And the machine is running quite nicely once again.
As a result of this little hands-on experience, I'll be updating my article "How do I keep my computer safe on the internet?" in a few days.
In the meantime, you should know the mantra by now: