PC Special Feature
|
Contents: What have I got? / How do I get rid of it? / How do I stop it happening again? / Have I been attacked?
Human nature being what it is, there's a good chance that many of us don't have any anti-virus software installed on our PCs. And life being what it is, there's also a good chance that we'll come across a nasty virus in time. If we're unlucky it will do its worst and infect our system.
This might seem like the end of the world, and you'll certainly feel rotten if it happens to you. In this workshop we're going to look at ten essential steps you should take after an attack. Some will help your PC back up on its feet, while others will help prevent a repetition of the horrors you've experienced.
First things first, you need to know what happened. Sometimes all you need to do to recover from a seemingly terrible attack is to edit a couple of Registry settings and manually delete a file or two, as with the Back Orifice 2000 Trojan.
Use clues such as messages from the virus and other strange behaviour on your PC to help your research using online anti-virus databases.
You might be able to remember opening an email attachment from someone you don't know. Did it have a .PIF or .SCR file extension? If so, it was almost certainly a virus, worm or Trojan. In most cases an anti-virus scanner will give you a clue. For example, if it detects the Swen virus, you can be fairly sure you've tried to install a hoax Microsoft security patch that you received by email.
The easiest way to identify your virus is to use an online anti-virus program. You can access these instantly, assuming you can get an internet connection on the infected PC. They will discover which viruses you have and offer help on how to remove them. Try the Free Online Virus and Security Check at www.symantec.com and McAfee's FreeScan at www.mcafee.com.
If you can't get onto the Internet using the infected PC, you can still identify the virus. Note down any strange happenings in Windows, log onto the Internet using a different computer and search through the virus databases on anti-virus websites.
One of the best is available at http://securityresponse.symantec.com/avcenter, which not only describes how the viruses behave but also provides removal tools and instructions for removing some viruses manually.
For example, perhaps your PC has become significantly slower and a pop-up message has appeared saying, "Memory access violation in module kernel32 at 5221:76945211". Search Google or an anti-virus site for all or part of that phrase to discover which virus you have. In this case it would be Swen.
Your data and application files can be in a mess after a virus attack. These steps will help you recover your system from any state, whether a few documents have been deleted or your applications and Windows files have become terminally corrupted.
Philanthropic anti-virus companies make free tools available to detect and remove prevalent viruses. Running one of these tools when you're not infected won't damage your system.
Even anti-virus software developers admit that cleaning files is tricky, and that the best thing to do is restore from a backup. In step one we said it was important to work out how you became infected. Just as important is 'when'. There's little point in restoring infected data, as you'll have to go through the whole onerous virus-removal procedure again later. So restore your data and scan it with your new anti-virus software before you open any documents or run any scripts (.vbs), executable files (.exe) or screensavers (.scr).
Disabling System Restore removes the backup copies of important system files, but if they are infected this is the only way to ensure a clean system.
System Restore may need to be disabled when you discover an infection. This is because it effectively protects files from other programs, including anti-virus software which may detect the infected files in the System Restore backup but won't be able to clean or delete them.
It could be that a virus has latched onto one of your program files, such as word.exe. In this case you should try to clean the file using your anti-virus software and then reinstall it when convenient. A cleaned program file is rarely 100 per cent clean, and although it won't reinfect your PC, it could be less stable and more liable to crash.
Sometimes there's nothing you can do except give up and start again. In the worst case, all of your backups contain infected files and you'll have to bite the bullet and reformat.
You don't want to go through all this hassle again, so ensure you reduce the risks of becoming infected to a reasonable level.
Create a set of rescue disks as soon as possible. While most anti-virus programs will help you do this, few come with ready-made boot disks.
If you've read this far but your PC is still infected and Windows won't even boot properly, you should choose a package that comes with an anti-virus boot disk. Norton AntiVirus and Panda's Titanium and Platinum products are supplied on bootable CDs. Other packages allow you to create a set of floppy disks that you can boot up and scan your system with.
The best way to stop Internet worms, which can infect your PC over the network without your help, is to install a personal firewall.
None of these steps will do you any good if you instantly start running attachments in e-mails sent from someone you don't know. And you're asking for trouble when downloading software from untrusted sites on the Internet. If you need some shareware or freeware, go to the author's homepage or a well-known download archive like download.com. Similarly, pirated software may well contain additional 'features', such as backdoors. Avoid them at all costs.
PCs crash, run more slowly over time as you install more software, and fail to pick up your e-mail or connect to the Internet properly. Whenever something goes wrong with your PC it's easy to panic and blame a virus. But if you find your PC grinds to a standstill after you connect to the Internet, kicks up error messages when you try to run your anti-virus or firewall software, or your friends ask why you've been sending them strange messages, there's a good chance your system has been infected. Being unable to browse the folders on your hard disk, or losing massive amounts of disk space, are also likely indicators of a rampant virus. If you're lucky (relatively speaking) the virus will display strange messages, making it more easily identifiable (see step two below).
With the prevalence of email worms, which send infected messages to people in your address book, you might receive complaints from other people or even your ISP. Don't assume that you are infected, though. These worms tend to forge the e-mail address they are sent from. For example, if your friend Fred was infected, you'd expect your e-mail address as well as those of your mutual friends and a bunch of other people to exist in Fred's address book. A worm could send itself to Fred's boss and pretend to come from you - it has picked your address at random from the list.
First published in Computer Buyer, issue 154, March 2004. The above article is © Dennis Publishing Limited 2004. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.