
There's no one answer as to what to do if your computer is infested, but my own personal experience may give you some guidance.

This computer's infested, what do I do?

There's no one answer to this question, because virus and malware infestations can be so insidious and so different from machine to machine. However, it might be helpful to walk through a real life example.

My example.

You see, this article's question was one I asked myself when I started looking at my brother-in-law's machine.

So this article will be less of an "answer", and more of an example of what recovery looks like as I walk through the steps I took.

First, a bit about the machine. It's a Dell with 96MB of RAM and a 9GB hard drive, running Windows 98 Second Edition. I didn't determine the processor speed. It's used on dial-up only, though it does conveniently have a network card. It's a "hand-me-down" machine, having been used in a business setting prior to getting moved into the home. It was not reformatted or rebuilt in between.

The machine is used mostly for email and web surfing. The complaints were overall sluggishness, porn links that wouldn't go away, unwanted search windows, unexplained error messages on startup, and the occasional need to use the reset button to clear a hang.

Sadly, it sounds all too familiar, doesn't it?

I did not hook the machine up to my network initially. Not knowing what was on the machine, I didn't want to take the risk of spreading an infection behind my firewall.

Based on the symptoms, my first priority was spyware. However, in order to get the machine to run for more than a few minutes, it turned out I needed to boot into safe mode, which on this machine appeared to disable the CD-ROM. Using a file splitting tool, I discovered that Spybot Search and Destroy 1.3 can be copied onto three floppy disks.
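The floppy-splitting step above (and the COPY reassembly Leo describes in the comments), as an added Python example that is not Leo's own tool: it cuts a file into 1.44MB pieces, joins them back in order, refuses to proceed if a piece is missing, and compares a SHA-256 hash of the result with the original. The 1,440KB capacity and the file names are assumptions.

```python
# Added example: split a file into floppy-sized chunks, reassemble and verify it
# with SHA-256. Not Leo's tool; the 1.44 MB capacity and file names are assumed.
import hashlib
import tempfile
from pathlib import Path

FLOPPY_BYTES = 1440 * 1024  # usable capacity of a 1.44 MB diskette (assumed)

def floppies_needed(size, chunk_size=FLOPPY_BYTES):
    return -(-size // chunk_size)  # ceiling division: disks needed for `size` bytes

def split_file(src, out_dir, chunk_size=FLOPPY_BYTES):
    """Write src as numbered <name>.partNNN files of at most chunk_size bytes."""
    out_dir.mkdir(parents=True, exist_ok=True)
    parts = []
    with src.open("rb") as f:
        index = 0
        while chunk := f.read(chunk_size):
            part = out_dir / f"{src.name}.part{index:03d}"
            part.write_bytes(chunk)
            parts.append(part)
            index += 1
    return parts

def join_parts(parts, dest):
    """Concatenate parts in index order (DOS: COPY /B a.part000+a.part001 a).
    A missing diskette shows up as a gap in the numbering."""
    ordered = sorted(parts, key=lambda p: int(p.suffix[5:]))
    with dest.open("wb") as out:
        for expected, part in enumerate(ordered):
            if int(part.suffix[5:]) != expected:
                raise ValueError(f"missing part {expected:03d}")
            out.write(part.read_bytes())
    return dest

def sha256_of(path):
    h = hashlib.sha256()  # stream in blocks so the file need not fit in memory
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def demo(size=3_500_000):
    """Round-trip a constructed stand-in for the installer; returns (disks, intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "installer.exe"
        src.write_bytes((bytes(range(256)) * (size // 256 + 1))[:size])  # constructed data
        parts = split_file(src, Path(tmp) / "disks")
        restored = join_parts(parts, Path(tmp) / "installer.restored.exe")
        return len(parts), sha256_of(src) == sha256_of(restored)
```

Compare the hash on the clean machine before the disks leave it and again on the infested one after reassembly; a mismatch means a damaged or missing diskette, not a file to run.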

Running Spybot in safe mode detected over 150 traces of various forms of spyware/malware.

At this point I decided to risk the network. This allowed me to connect to the internet, update the Spybot database and run it again. It discovered around 25 more traces of spyware.

I then tried to share the drive out, only to have Windows Explorer hang when I tried to use it to get to the sharing options. I eventually discovered that the machine was attempting to load a list of users for access control from a domain controller that probably existed when it used to be a corporate machine. If that doesn't make any sense to you, that's OK; the bottom line is that the network configuration had to be changed to share-level access rather than user-level. Once that was done, I was able to share the root of the drive and access it from my desktop.

The next step was to immediately run a remote virus scan. My virus scanner, CA's eTrust, will scan a drive across the network. Once again, over 150 traces of viruses in various forms. All killed but one. To kill that one, I had to reboot Win98 into MS-DOS mode and rename the offending file.

At last, some progress.

I then installed eTrust directly on the Win98 machine. After updating its virus database I ran it again locally, and it came up with everyone's favorite: Cool Web Search. While it continued, I grabbed a copy of CWShredder (Cool Web Shredder). I ran that and Cool Web Search was gone. (I was lucky; more recent versions of Cool Web Search are apparently much harder to remove.) I re-ran Spybot, and naturally it picked up a couple more small things.

With the machine somewhat more stable, one of the items that Spybot caught in its last run, DSO exploit, reminded me that this machine had probably never seen Windows Update. Off I went, and installed the latest IE6 update on one run, and another dozen or so Windows 98 critical updates on the next.

One of the error messages on startup was about a missing device driver referenced either in system.ini or in the registry. It wasn't in system.ini, so a quick search in the registry editor turned up a few references to a software package that was no longer on the machine. A few appropriate deletes and a reboot, and that error message was gone.

With all the software up to date, and the spyware and viruses removed, it was time for a couple more speed-ups.

I emptied a very full IE cache of temporary files, and deleted all cookies and history. Then I defragged the disk.

The eTrust anti-virus scanner is now running and monitoring in real time. Spybot's inoculation is in place to prevent and/or warn of unexpected or malicious software installs.

And the machine is running quite nicely once again.

As a result of this little hands-on experience, I'll be updating my article How do I keep my computer safe on the internet? in a few days.

In the meantime, you should know the mantra by now:

  • Run up-to-date anti-virus software.

  • Run up-to-date anti-spyware software.

  • If you're on broadband, get behind a firewall.

  • If you're not sure, don't open it, don't click on it. Ask someone first.

Article C2204 - October 14, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


6 Comments
Kent Buckley
October 15, 2004 6:43 AM

Thanks for this site. I appreciate all the helpful information. The first day I saw the site I actually thought you were Leo Laporte from Tech/TV, sorry about that. I posted a question related to SP2 and said something about the Screen Savers. You answered the question and sent back an e-mail informing me of my mistake. Anyway I would like to ask you about how you got Spybot onto 3 floppy disks and how you used it in safe mode. Could you post an article with the specifics related to how this is done? Again I would like to thank you for this site and let you know that you are actually quite helpful.

Leo
October 15, 2004 9:00 AM

I was kind of expecting that question ... many years ago I wrote a small program to split a file into floppy-sized pieces. Then I just use the COPY command in a command shell to concatenate them all back together into the original file. Yes, when I get a chance I will post both the tool and the instructions.

Pieter Botha
January 14, 2005 6:20 PM

Hi Leo and thanks for the very helpful site.
I have a spyware infestation called "My searchbar" which cannot be removed in "Add or remove programs". What do I do?
P

Leo
January 14, 2005 10:56 PM

That's spyware. Get thee to a spyware scanner. Microsoft's new one is good, as are Spybot and AdAware. Recommendations and links here: http://ask-leo.com/d-recommend and http://ask-leo.com/is_microsofts_new_antispyware_program_any_good.html

Howard Rubin
October 14, 2007 4:02 PM

I would look at first disabling everything in start up with msconfig. I think version 1.4 would catch more bugs than Spybot S&D 1.3 and I would run F-Prot Dos version (free also and you can make floppies) to clean out viruses and such. A good boot CD should do the job, even the original Windows 98 SE was bootable and could get you going. After you finish, you should recommend the user not use such an old system on the internet, 98's full of holes.

Clive Taylor
October 15, 2007 9:05 AM

About splitting a file: I have used this program for years. It's called Gsplit and can be downloaded from here: http://www.gdgsoft.com/gsplit/
