
How do I fix Windows after removing a virus?

Question:

I'm facing a problem regarding my desktop. Recently it was infected with a
virus but I managed to clean and disinfect all the malware which attacked my
PC. After a restart, I wasn't able to see all my network adapters in network
connection folder. When I refresh it always gives me a message that "The
Network Connection Folder was unable to retrieve the list of network adapters
on your machine. Please make sure that the Network Connection service is
enabled and running". I checked my services and found out that network
connection services and other services were missing. How do I fix this?

What you're experiencing is fairly common. Not the "network connections"
part - I've actually never heard of that specific symptom before - but the part
where, after eradicating a virus or other form of malware, Windows is left in a
somewhat broken state.

The symptoms vary, but the bottom line is the same. To put it in terms of
some American slang: Windows "just ain't right".

I'll look at why that might be, and what you can do about it.

I'll warn you: you probably won't like my recommendation.


Malware works a couple of different ways.

The most common way these days is for it to copy files containing malicious software onto your system and then cause those files to be run by adding information to places like the registry. With that information, Windows might be instructed to automatically run the software on every reboot, or under other conditions. When cleaning your system, anti-malware programs remove the malicious files and then remove the malicious instructions that cause the malware to run.


Another approach malware uses is to modify existing files. For example, malware might not copy in any additional files, but rather take an existing system file - typically an "exe" or "dll" file - and rewrite it to include the malware's own code. That way, whenever the system file is used by the system, the malware is run.

Anti-malware programs face a dilemma when this kind of technique is used. Normally they would remove the infected file, but because it's a system file, removing it might have adverse side effects on the operation of the system. Yet sometimes that's exactly what they do: remove or quarantine the infected system file. As we've seen in the past, that can result in the system becoming unusable.

Since the specifics and the techniques vary, the side-effects of removing a virus aren't always quite so dramatic. The principle still remains: it's possible that removing a virus can actually harm your system.

And it sounds like that's exactly what's happened to you: some component of Windows networking has been compromised, either by the malware itself, or the removal of that malware.

At a minimum you'll need to somehow repair Windows. I'll get to that in a moment.

First, I need to remind you of another unpleasant fact: you don't know that your machine is actually malware free.

Once your machine has been infected, it's no longer your machine. Malware could have done anything. There is no guarantee that your anti-malware software removed everything. Not all programs detect and remove all malware.

Your machine could still be infected.

So with those two facts in mind:

  • Windows needs repairing
  • Your machine could still be infected

My recommendations, starting with the safest possible approach:

  1. Reinstall: Backup and reinstall Windows, all applications and your data from scratch. While this is extremely painful to do, it's really the only way to know that you've eradicated the virus and anything else it may have allowed to enter your machine. The initial backup is to preserve any data and other files that you may need to recover after everything has been reinstalled. Of course care will need to be taken to ensure that when you restore files from that backup you're not restoring infected files. Typically, that means you only restore data files and never programs from the backup. You'll need your Windows installation media for this approach, and the installation media or original downloads for all the programs on your machine.

  2. Revert: Backup your current system, and then revert to a system backup image taken prior to the infection. Backup first so that you have copies of any data files that changed since that earlier backup was taken. This is perhaps the simplest approach of all, but does require that you've been doing periodic image backups prior to the infection, and that you can correctly identify a point in time at which your machine was not infected by the malware you removed.

  3. Repair: A repair install of Windows uses your installation media to reinstall Windows "in place". The article "How should I reinstall Windows?" includes links to a couple of older articles on other sites on performing a "repair" install.

  4. SFC: The System File Checker, or SFC, does exactly what its name implies: for a majority of the files that comprise Windows it checks them to make sure that they are present, and that they are the correct unmodified copies. Note that SFC does not scan data like the registry, it's simply a file checker. If files need to be repaired, you may be asked to provide your original installation media so that SFC can access the unblemished copy. Sadly, SFC can get a little confused after a service pack or two (particularly if you elect not to save backup copies when the service pack is installed). But when it works it's a fairly easy solution.
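To see which files SFC found damaged or could not restore, as an added example that is not part of the original article: the PowerShell below filters the `[SR]` entries that SFC writes to `CBS.log`. It assumes Windows Vista or later (where SFC logs to `%windir%\Logs\CBS\CBS.log` and supports `/verifyonly`) and an elevated prompt; `Get-SfcFinding` is a hypothetical helper name and the sample lines are constructed.

```powershell
# Added example. Assumes Windows Vista or later and an elevated PowerShell prompt.
$cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Hypothetical helper: keep only [SR] lines that report a damaged or repaired file.
function Get-SfcFinding {
    param([string[]]$Line)
    foreach ($entry in $Line) {
        if ($entry -match '\[SR\]\s+(?<text>(?<action>Cannot repair|Repairing|Repaired)\b.*)$') {
            [pscustomobject]@{
                Action = $Matches['action']
                Detail = $Matches['text']
            }
        }
    }
}

# Constructed sample lines, modelled on SFC's [SR] entries; not from a real machine.
$sample = @(
    '2024-01-01 10:00:01, Info  CSI  00000006 [SR] Verifying 100 components',
    '2024-01-01 10:00:09, Info  CSI  0000012e [SR] Cannot repair member file "example.dll", hash mismatch',
    '2024-01-01 10:00:10, Info  CSI  00000130 [SR] Repairing corrupted file "example2.exe" from store',
    '2024-01-01 10:00:30, Info  CSI  00000140 [SR] Verify complete'
)
Get-SfcFinding -Line $sample | Format-List   # two findings: Cannot repair, Repairing

# On a live system: verify without changing anything (takes several minutes),
# then summarise what the real log recorded.
if (Test-Path -Path $cbsLog) {
    sfc.exe /verifyonly | Out-Null
    $live = @(Get-SfcFinding -Line (Get-Content -Path $cbsLog))
    if ($live.Count -eq 0) {
        'No damaged or repaired files recorded in CBS.log.'
    } else {
        $live | Group-Object -Property Action | Select-Object -Property Name, Count
    }
}
```

"Cannot repair" entries are the ones SFC could not fix from its own store, which is the point at which the repair install or reinstall options above come back into play.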

Other alternatives that people may think of include:

  • System Restore: System Restore does not live up to its name: it does not restore your system. Rather, I think of it as a glorified registry backup with perhaps a few other files along for the ride. When it's available (it's often not), it uses data that has been saved on your hard disk - the very same hard disk that was just infected with malware. My implication is that you simply don't know that the data used by System Restore has not itself been compromised. I warn people against relying on System Restore for many reasons. (But yes, it can be worth a try in a pinch. But you still won't know that malware has been removed.)

  • Recovery Partition (or Disc): The recovery disc (which is different than an installation disc) varies from manufacturer to manufacturer but typically does not include a copy of the operating system. Rather, it relies on a partition - possibly a hidden partition - from which it then restores the operating system. Once again, that partition is on the very system that was compromised, so it's possible that the data to be used in recovery is itself compromised. (And yes, also once again, it's worth a try in a pinch. But like System Restore, I warn people against relying on recovery partitions.)

The safest approach, by far, is to reinstall Windows. But given how painful that is, the alternatives that follow it are often more practical.

And hopefully this will reinforce the need for a) getting Windows installation media, and b) backing up completely and regularly.

And of course not allowing your machine to be infected with malware in the first place.


10 comments on “How do I fix Windows after removing a virus?”

  1. A good tutorial. I have had problems dealing with viruses before. I am not a whizz, but this tutorial simply helps me to learn from my mistakes. Thanks Leo, you're a whizzard.

  2. Having worked on countless virus-infected PCs over the years, I agree 100% with your advice above. Whenever possible, I opt for a complete reinstall. Painful and time consuming, yes, but worth the effort. The PC or laptop usually runs a lot better, too, as most people have tons of bloatware and other non-essential, performance-sapping software on their machine.

  3. I second Reid’s comment. I scratch my head about people who claim they can “clean” Windows PCs. How, o how do you KNOW when you are done? With malware that is polymorphic (changes shape) and stealthy (hides from the OS and from anti-malware programs), the best assurance of success is by a reinstall, preferably from a “known good” clone image. There are no guarantees but I think you can get to “high assurance” that the system is infection free. NOTE: I hardly ever use a Windows computer to do online shopping or banking.

  4. I have yet another option: Boot the system from one of the Linux-based repair CDs, such as SystemRescueCD and RIP. If you’re a Linux user and your significant other insists on using Windows, this can be a good way to restore clean copies of the files your AV program deleted. The trouble with the reinstall technique, besides being extremely painful, is that it doesn’t put everything back the way it was before the infection occurred. In some situations it’s best to deal with the infected files you can find, and wait for the next infection to crop up, as it always will.

  5. I’m in the computer support business and I agree that you can’t know with certainty that you have a completely clean machine, but there are times when a rebuild isn’t an option. There are a lot of tools on the web that I have used with good success to clean machines. I always use several to improve my odds of success. Malwarebytes.org, Superantispyware.com, Spybot S&D (yes it’s still in my bag of tricks), combofix, hijackthis, to name a few. You can do more harm than good with some of these tools. If you’re unsure, ask for help. Two worthwhile websites are bleepingcomputer.com and majorgeeks.com. If you’re willing to pay for advice, experts-exchange.com is one of the very best. Older backup software may not back up files that are in use, like user.dat. I take the approach that you don’t have a backup till you have demonstrated a restore. Most non-techs aren’t willing to do that. No one solution is appropriate in every case. An ounce of prevention is worth a pound of cure. In most malware infections the problem originated between the chair and the keyboard.

  6. Reformatting the hard drive and reinstalling Windows is the only solution I would ever consider to a virus attack. You have no way of knowing which parts of your software have been affected by the virus. Make sure your personal documents, photos etc are backed up to a disk or USB drive – yes installing all my software again is a pain but this is not an area you should take any risks with. Also be wary of using disk images if you have no idea how long you have had the infection – you may well put the virus back on your PC if you took a backup image since the infection.

