This computer’s infested, what do I do?
There’s no one answer to this question, because virus and malware
infestations can be so insidious and so different from machine to machine.
However, it might be helpful to walk through a real life example.
You see, this article’s question was one I asked myself when I started
looking at my brother-in-law’s machine.
So this article will be less of an “answer”, and more of an example of what
recovery looks like as I walk through the steps I took.
First, a bit about the machine. It’s a Dell with 96 MB of RAM and a 9 GB
hard drive, running Windows 98 Second Edition. I didn’t determine the processor
speed. It’s used on dial-up only, though it does conveniently have a network
card. It’s a “hand me down” machine, having been used in a business setting
prior to getting moved into the home. It was not reformatted or rebuilt in
The machine is used mostly for email and web surfing. The complaints were
overall sluggishness, porn links that wouldn’t go away, unwanted search
windows, unexplained error messages on startup, and the occasional need to use
the reset button to clear a hang.
Sadly, it sounds all too familiar, doesn’t it?
I did not hook the machine up to my network initially. Not knowing
what was on the machine, I didn’t want to take the risk of spreading an
infection behind my firewall.
Based on the symptoms, my first priority was spyware. However, in order to
get the machine to run for more than a few minutes, it turned out I needed to
boot into safe mode, which on this machine appeared to disable the CD-ROM.
Using a file splitting tool, I discovered that Spybot
Search and Destroy 1.3 can be copied onto three floppy disks.
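The article doesn’t name the file splitting tool, so here is an added example (mine, not from the article or from the Spybot project) of the same sneakernet step in plain Python: split an installer into floppy-sized pieces, write a manifest of SHA-256 hashes alongside them, and refuse to reassemble if any disk came back damaged or swapped. The chunk size, the function names and the stand-in payload are all this example’s own assumptions.

```python
"""Split a file into floppy-sized chunks and reassemble it with integrity checks.

Added example, not from the Ask Leo! article: the author used an unnamed file
splitting tool; this is a plain-Python stand-in. FLOPPY_BYTES, split_file,
join_file and the demo payload are this example's own assumptions.
"""
import hashlib
import os
import tempfile

# A 1.44 MB floppy holds 1,474,560 bytes; leave headroom for the FAT12
# directory and the small manifest file (figure is an assumption).
FLOPPY_BYTES = 1_440_000


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def split_file(src, out_dir, chunk_size=FLOPPY_BYTES):
    """Write src as src.000, src.001, ... plus a manifest of SHA-256 hashes.

    The manifest records the hash of the whole file and of each chunk so a
    damaged or wrong disk is caught before the tool is run on the sick machine.
    Returns the list of chunk paths.
    """
    base = os.path.basename(src)
    chunks = []
    lines = [f"{sha256_of(src)}  {base}"]
    with open(src, "rb") as f:
        for i, data in enumerate(iter(lambda: f.read(chunk_size), b"")):
            name = f"{base}.{i:03d}"
            path = os.path.join(out_dir, name)
            with open(path, "wb") as out:
                out.write(data)
            chunks.append(path)
            lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    with open(os.path.join(out_dir, base + ".manifest"), "w") as m:
        m.write("\n".join(lines) + "\n")
    return chunks


def join_file(manifest, chunk_dir, dest):
    """Reassemble dest from the chunks listed in manifest.

    Raises ValueError on the first chunk whose hash does not match, and again
    if the reassembled file's hash differs from the recorded whole-file hash.
    """
    with open(manifest) as m:
        entries = [line.split("  ", 1) for line in m.read().splitlines() if line]
    whole_hash, _ = entries[0]
    with open(dest, "wb") as out:
        for chunk_hash, name in entries[1:]:
            with open(os.path.join(chunk_dir, name), "rb") as c:
                data = c.read()
            if hashlib.sha256(data).hexdigest() != chunk_hash:
                raise ValueError(f"hash mismatch in {name}: damaged or wrong disk")
            out.write(data)
    if sha256_of(dest) != whole_hash:
        raise ValueError("reassembled file does not match the recorded hash")
    return dest


def _make_payload(d, total_bytes):
    # Constructed stand-in for the installer; random bytes, not a real program.
    src = os.path.join(d, "spybot-setup.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(total_bytes))
    return src


def demo(total_bytes=3_000_000, chunk_size=FLOPPY_BYTES):
    """Round-trip a constructed file; returns (chunk_count, hashes_match)."""
    with tempfile.TemporaryDirectory() as d:
        src = _make_payload(d, total_bytes)
        chunks = split_file(src, d, chunk_size)
        dest = join_file(src + ".manifest", d, os.path.join(d, "rebuilt.bin"))
        return len(chunks), sha256_of(src) == sha256_of(dest)


def demo_tampered(total_bytes=3_000_000, chunk_size=FLOPPY_BYTES):
    """Flip one byte on the second 'disk'; returns True if join_file refuses it."""
    with tempfile.TemporaryDirectory() as d:
        src = _make_payload(d, total_bytes)
        chunks = split_file(src, d, chunk_size)
        with open(chunks[1], "r+b") as c:
            first = c.read(1)
            c.seek(0)
            c.write(bytes([first[0] ^ 0xFF]))
        try:
            join_file(src + ".manifest", d, os.path.join(d, "rebuilt.bin"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_tampered())
```

A 3 MB payload lands on three disks at this chunk size, which matches the article’s count for Spybot 1.3; the point of the manifest is that a bad sector on disk two is reported as such rather than producing a subtly broken scanner on a machine that already can’t be trusted.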
Running Spybot in safe mode detected over 150 traces of various forms of
At this point I decided to risk the network. This allowed me to connect to
the internet, update the Spybot database and run it again. It discovered around
25 more traces of spyware.
I then tried to share the drive out, only to have Windows Explorer hang when
I tried to use it to get to the sharing options. I eventually discovered that
the machine was attempting to load a list of users for access control from a
domain controller that probably existed when it used to be a corporate machine.
If that doesn’t make any sense to you, that’s OK; the bottom line is that the
network configuration had to be changed to share-level access rather
than user-level access. Once that was done, I was able to share the root of the drive and
access it from my desktop.
The next step was to immediately run a remote virus scan. My virus scanner,
CA’s eTrust, will scan a drive across the network. Once
again, over 150 traces of viruses in various forms. All killed but one. To kill
that one, I had to reboot Win98 into MS-DOS mode and rename the offending
At last, some progress.
I then installed eTrust directly on the Win98 machine. After updating its
virus database I ran it again locally, and it came up with everyone’s
favorite: Cool Web Search. While it continued, I grabbed a copy of CWShredder (Cool Web Shredder). I ran that and
Cool Web Search was gone. (I was lucky – more recent versions of Cool Web Search are apparently much harder to remove.) I re-ran Spybot, and naturally it picked up a couple
more small things.
With the machine somewhat more stable, one of the items that Spybot caught
in its last run, DSO exploit,
reminded me that this machine had probably never seen Windows Update. Off I went, and installed the latest IE6
update on one run, and another dozen or so Windows 98 critical updates on the
One of the error messages on startup was about a missing device driver
referenced either in system.ini or in the registry. It wasn’t in system.ini, so
a quick search in the registry editor turned up a few references to a software
package that was no longer on the machine. A few appropriate deletes and a
reboot, and that error message was gone.
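The registry search above was done by hand in the Registry Editor. As an added example (mine, not the article’s), here is the same check automated over a .reg export of the kind regedit writes: every string value that looks like a file path is tested against the disk, and the ones whose file is gone are listed with the key that still references them. The sample export and the file list are constructed for the example; the regular expressions and the extension list are assumptions chosen for Win9x driver and startup entries, and the `exists` callback is injectable so the scan can run against a recorded file list instead of the live machine.

```python
"""Find registry string values that point at files no longer on disk.

Added example, not from the Ask Leo! article: the author searched the
Registry Editor by hand. This scans a .reg export (the text format regedit
writes) for values that look like file paths and reports those whose file
is missing. SAMPLE_REG and PRESENT are constructed, not from the real machine.
"""
import os
import re

# Matches "Name"="value" or @="value" lines in a .reg export.
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<val>.*)"$')
# A value counts as a file reference if it begins with a drive path ending in
# one of these extensions (assumption: the set a Win9x driver or startup
# entry would use). The lookahead stops the lazy match at a real extension.
_PATH_RE = re.compile(
    r'^"?([A-Za-z]:\\[^"]+?\.(?:vxd|dll|exe|sys|drv))(?=$|"|\s)', re.IGNORECASE)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            # .reg escapes backslashes and double quotes inside string data
            data = m.group("val").replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def orphaned_references(text, exists=os.path.exists):
    """Return [(key, value_name, path)] for values whose referenced file is missing.

    `exists` is injectable so the check can run against a recorded file list
    (or a test) instead of the live disk.
    """
    orphans = []
    for key, name, data in parse_reg_export(text):
        m = _PATH_RE.match(data)
        if m and not exists(m.group(1)):
            orphans.append((key, name, m.group(1)))
    return orphans


# Constructed sample in the Win9x REGEDIT4 format: two live entries, and a
# VxD plus a Run entry left behind by an uninstalled package called OldPkg.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\OLDPKG]
"StaticVxD"="C:\\WINDOWS\\SYSTEM\\OLDPKG.VXD"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"OldPkgTray"="\"C:\\Program Files\\OldPkg\\tray.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"EtrustRT"="C:\\PROGRA~1\\CA\\ETRUST\\realmon.exe"
'''

# Constructed "disk": the files that still exist after OldPkg was removed.
PRESENT = {
    r"C:\WINDOWS\scanregw.exe",
    r"C:\PROGRA~1\CA\ETRUST\realmon.exe",
}


def demo():
    """Run the scan against the constructed export and file list."""
    return orphaned_references(SAMPLE_REG, exists=lambda p: p in PRESENT)


if __name__ == "__main__":
    for key, name, path in demo():
        print(f"{key}\\{name} -> missing {path}")
```

Export the keys of interest with regedit before deleting anything, run the scan, and only then remove the values it lists; the same scan is useful in the other direction, since a Run or VxD entry pointing at a file that does exist but that you don’t recognise is exactly what the spyware scanners were flagging.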
With all the software up to date, and the spyware and viruses removed, it
was time for a couple more speed-ups.
I emptied a very full IE cache of temporary files, and deleted all cookies
and history. Then I defragged the disk.
The eTrust anti-virus scanner is now running and monitoring in real time.
Spybot’s inoculation is in place to prevent and/or warn of unexpected or
malicious software installs.
And the machine is running quite nicely once again.
As a result of this little hands-on experience, I’ll be updating my article
How do I keep my
computer safe on the internet? in a few days.
In the meantime, you should know the mantra by now: