Over the past weeks on my machine:
- I’ve had frequent re-infections of some virus or Trojan that resets my IE home page, disables Task Manager, and blocks my access to System Restore.
- Several times each day, I run AdAware, Spybot, and my virus program (Panda) to remove identified infections and spyware.
- I read where disabling System Restore and then running a virus scan would clean out any virus strands that were inadvertently being backed-up with each
- My virus and spyware programs sometimes identify Services.exe and Winlogon.exe as viruses. When this happens, these files are referenced as being located in the C:\Windows\inetdata sub-directory (which is not where they
Did I royally screw things up by disabling System Restore? I understand by doing this, I erased all existing restore points so that wouldn’t surprise
First, let me say this…
You’ve got a serious infection here that some of us would technically characterize as a “mess”.
In all honesty, I’m not sure that the patient will survive.
Before we bring out the big guns, let’s run through the steps that I’d consider using to try to recover without just giving up and starting over.
Then, after all that, I’ll explain why starting over might well be the most pragmatic, safest thing to do.
Virus Recovery Checklist
Here’s how I’d proceed:
Disconnect the infected machine from the network. Not only do we not want things to get worse, we also don’t want any malware on this machine to start sending spam or perhaps propagate to other machines over the net.
Backup the infected machine – ideally, a system image. Yes, this “backs up” the infection as well, but it also captures all of your data files and other system components and represents a “can’t get any worse than this” point in time.
Use another machine to download and burn to CD the Microsoft Standalone System Sweeper. It’s important that you do this on another machine – one that is presumably not infected – so that you’re assured of a clean and un-infected result. It’s also important to download a recent copy so that the Sweeper itself contains as much information to detect the latest malware threats as possible.
Reboot the infected machine from the MS System Sweeper CD and have it run a thorough scan of all of the hard drives on that machine.
Reboot the infected machine in safe mode.
On another machine, download RKill from the folks at BleepingComputer.com. (Be careful: at this writing, there’s an ad immediately above the download link that looks like the download link. It is not. Be sure to grab RKill itself.) Also download the latest free copy of Malwarebytes’ Anti-Malware. Copy both of those tools to a flash drive or other media that you can use to take them to the infected machine.
Run RKill on the infected machine. Quite often, malware that is running on your machine will actively prevent you from downloading or even running anti-malware tools. RKill kills the malicious processes that it knows of so that you can move on to the next step. It only terminates them; it removes nothing from disk, so anything it stops will be back after the next reboot, which is why it’s run again later in this list.
Run Malwarebytes Anti-Malware and perform a thorough scan of all of the hard disks on the infected machine.
Run the anti-malware tools that you already have on your infected machine. Once again, have them do a thorough scan of all hard disks.
Run the system file checker (sfc /scannow from an elevated command prompt) for good measure, to replace any system files that were lost or damaged after all this. (You may need your Windows installation media for this.)
Reboot in normal mode and connect back to your network.
Run RKill again.
Re-run the anti-malware tools that you already have on the infected machine, but this time, force them to update their malware databases first.
Re-run Malwarebytes Anti-Malware, having it also update its database first.
If your machine is working properly at this point and all scans return nothing found, you can start to breathe a sigh of relief.
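As an added example, not part of the original article, here is a PowerShell triage script for the specific symptoms in the question: it lists every running copy of services.exe and winlogon.exe with the path it was loaded from and its Authenticode status, finds copies of those files anywhere on the system drive outside System32 and the WinSxS servicing store (a services.exe under C:\Windows\inetdata would show up here), and reads the policy value that disables Task Manager plus the IE start page that keeps being reset. It assumes Windows PowerShell 5.1 in an elevated session on the suspect machine; the file names in $Names and the known-good directories are assumptions you may need to extend.

```powershell
# Added triage script, not from the original article. Assumes Windows PowerShell 5.1
# in an elevated session on the suspect machine. $Names, $KnownGood and $WinSxS are
# assumptions: extend them for whatever files your scanner keeps flagging.

$Names     = @('services.exe', 'winlogon.exe')
$System32  = Join-Path $env:SystemRoot 'System32'
$KnownGood = @($System32)                        # the only place these two should be loaded from
$WinSxS    = Join-Path $env:SystemRoot 'WinSxS'  # servicing store keeps signed spare copies

# 1. Running processes with those names: where were they loaded from, and are they signed?
#    Win32_Process.ExecutablePath is null for processes this session cannot open, hence the guards.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $Names -contains $_.Name } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $dir  = if ($path) { Split-Path -Path $path -Parent } else { '' }
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }
        $verdict = if ($path -and ($KnownGood -notcontains $dir)) { 'SUSPECT: not in System32' } else { 'ok' }
        [PSCustomObject]@{
            PID       = $_.ProcessId
            Name      = $_.Name
            Path      = $path
            Signature = $sig
            Verdict   = $verdict
        }
    } | Format-Table -AutoSize

# 2. Copies of those files anywhere on the system drive, outside System32 and WinSxS.
#    Slow on a large drive; every hit is worth a look at its signature and hash.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
    Where-Object { ($KnownGood -notcontains $_.DirectoryName) -and ($_.DirectoryName -notlike "$WinSxS\*") } |
    ForEach-Object {
        [PSCustomObject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            Modified  = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List

# 3. The policy value that disables Task Manager (1 = disabled; absent is the normal state)
#    and the IE start page the question says keeps being reset.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = (Get-ItemProperty -Path $polKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue).DisableTaskMgr
"DisableTaskMgr = $(if ($null -eq $tm) { '<not set>' } else { $tm })"
$sp = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
"IE Start Page  = $sp"
```

Two caveats when reading the output. On older Windows releases the genuine System32 copies of these files are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly good file; compare the SHA256 against the same file on a known-clean machine in that case. And a stray copy sitting in a temp or servicing directory is not proof of infection on its own, but one that is currently running from anywhere other than System32 is.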
If that didn’t work, and perhaps even if it looks like it did…
If your system is still infected after all of that, then things begin to look fairly bleak. It’s at this point that I typically throw my hands up and move on to this:
Backup your system entirely, if you didn’t already.
Reformat the hard disk, erasing everything.
Reinstall Windows from scratch.
Install updated security software.
Install the applications that you need.
Recover your data from the backup or from other sources.
While that’s a shorter and clearer list, it’s also a fair amount of work.
But here’s the deal: when all is said and done, starting over in this manner is often less total work, and less total time, than days of flailing around trying to “fix things”.
Starting over is the only guarantee
At the end of the recovery checklist above, we assume that if things appear to be operating properly and the tools don’t report any infections, we must have successfully eradicated the threat.
Not so fast.
The problem is simple: once your machine has been infected with malware, it’s not your machine any more. The malware authors could have done just about anything, including installing malware that appears not to impact your system and avoids detection.
The bottom line is that even after all of the steps to remove the problem, there’s simply no guarantee that you did.
I hate to say it and I know that it’s not always practical, but once infected, the only way to guarantee that you’re no longer infected is to reformat and reinstall.
A shorter version
What I’ve just given you is the long version of all of the steps that you might take to recover from a malware infestation.
Here’s a much, much shorter version:
Restore the machine to an image backup taken prior to the infection.
Of course, it assumes that you’ve been backing up regularly and properly. If you haven’t been, then this one-step solution simply isn’t available to you.
Now, perhaps, you can see why frequent full-system backups are so valuable. Do them daily and recovery from this kind of crisis is often as simple as “restore to yesterday’s backup”.
What about System Restore?
System Restore doesn’t restore your system.
I tend to think of System Restore as a glorified registry backup and not a lot more. Yes, it does more than that, but what it doesn’t do is roll your disk back to its pre-infected state: it snapshots the registry and certain monitored system files, not everything on the drive. It can remove some symptoms of malware but it doesn’t actually remove the malware.
Turning off System Restore as you describe for the malware scans can make sense and certainly wouldn’t make things worse. Disabling it discards the existing restore points, including any infected copies of files that were saved into them, which scanners typically can’t clean in place. In a sense, it gets System Restore “out of the way” to allow the anti-malware tools to clean up what they find.
But that’s about it.
I hear of enough failures with System Restore, both technical failures and failures to do what people expect it to do, that I simply disable it completely and rely on my regular backups instead.
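As an added example, not from the original article, here is how that “get it out of the way” step looks from PowerShell, together with a check for the policy values that malware sets to block System Restore, which is usually what “blocks my access to System Restore” in the question amounts to. It assumes Windows PowerShell 5.1 (the *-ComputerRestore cmdlets are not in PowerShell 7), an elevated session, and C: as the system drive; the order is: record and check, disable, scan, re-enable, take a fresh baseline.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1 (the
# *-ComputerRestore cmdlets are not in PowerShell 7), an elevated session, and C: as the
# system drive. Run the first two parts before scanning, the last part after cleanup.

$Drive = 'C:\'

# Is System Restore being blocked by policy? Malware sets these; 1 = disabled, absent = normal.
$srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
foreach ($name in 'DisableSR', 'DisableConfig') {
    $v = (Get-ItemProperty -Path $srKey -Name $name -ErrorAction SilentlyContinue).$name
    '{0} = {1}' -f $name, $(if ($null -eq $v) { '<not set>' } else { $v })
}

# What restore points exist right now; recorded before disabling, since disabling deletes them.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Get System Restore out of the scanners' way: this discards every restore point on the drive,
# including any that hold infected copies of files under System Volume Information.
Disable-ComputerRestore -Drive $Drive

# --- run the offline scan, RKill and Malwarebytes steps from the checklist here ---

# After a clean result: turn it back on and take a fresh, known-good point as the new baseline.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
```

If DisableSR or DisableConfig comes back as 1 on a machine where nobody set that policy deliberately, that is the malware’s doing, and simply deleting the value (Remove-ItemProperty on the same key) is part of the cleanup. Note also that newer Windows releases silently skip Checkpoint-Computer if another restore point was created in the last 24 hours, so check Get-ComputerRestorePoint afterwards rather than assuming the baseline exists.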
If you quickly get re-infected … well, that would concern me.
It means that in addition to doing what I’ve outlined above to recover from the infection, you also need to re-evaluate your safety measures and your own behavior.
Naturally, using things like anti-malware tools and firewalls and keeping your system as up to date as possible are all important and you should make sure that those are in place and properly configured.
Perhaps what’s even more important are your own habits. No amount of security software can protect you from yourself. Make sure that you’re approaching the internet with the appropriate amount of skepticism and not opening unidentified attachments, visiting malicious web sites, downloading from untrusted sites and so on.
It’s probably also worth reviewing what I consider perhaps the most important article on Ask Leo! – Internet Safety: How do I keep my computer safe on the internet? Review your situation and make sure that you’re doing everything that you can to keep a malware infection from reoccurring.
(This is an update to an article originally published January 30, 2005.)