
This computer's infested, what do I do?

There’s no one answer to this question, because virus and malware
infestations are so insidious and differ so much from machine to machine.
However, it might be helpful to walk through a real-life example.

My example.

You see, this article’s question was one I asked myself when I started
looking at my brother-in-law’s machine.

So this article will be less of an “answer”, and more of an example of what
recovery looks like as I walk through the steps I took.

First, a bit about the machine. It’s a Dell with 96MB of RAM and a 9GB
hard drive, running Windows 98 Second Edition. I didn’t determine the processor
speed. It’s used on dial-up only, though it does conveniently have a network
card. It’s a “hand-me-down” machine, having been used in a business setting
before being moved into the home. It was not reformatted or rebuilt in
between.

The machine is used mostly for email and web surfing. The complaints were
overall sluggishness, porn links that wouldn’t go away, unwanted search
windows, unexplained error messages on startup, and the occasional need to use
the reset button to clear a hang.

Sadly, it sounds all too familiar, doesn’t it?

I did not hook the machine up to my network initially. Not knowing
what was on the machine, I didn’t want to take the risk of spreading an
infection behind my firewall.

Based on the symptoms, my first priority was spyware. However, in order to
get the machine to run for more than a few minutes, it turned out I needed to
boot into safe mode, which on this machine appeared to disable the CD-ROM.
Using a file-splitting tool, I discovered that Spybot Search and Destroy 1.3
can be copied onto three floppy disks.

Running Spybot in safe mode detected over 150 traces of various forms of
spyware/malware.

At this point I decided to risk the network. This allowed me to connect to
the internet, update the Spybot database and run it again. It discovered around
25 more traces of spyware.

I then tried to share the drive out, only to have Windows Explorer hang when
I tried to use it to get to the sharing options. I eventually discovered that
the machine was attempting to load a list of users for access control from a
domain controller that probably existed back when it was a corporate machine,
and that no longer answered. If that doesn’t make any sense to you, that’s ok;
the bottom line is that the network configuration had to be changed to
share-level access control rather than user-level. Once that was done, I was
able to share the root of the drive and access it from my desktop.

The next step was to immediately run a remote virus scan. My virus scanner,
CA’s eTrust, will scan a drive across the network. Once
again, over 150 traces of viruses in various forms. All killed but one. To kill
that one, I had to reboot Win98 into MS-DOS mode and rename the offending
file.

At last, some progress.

I then installed eTrust directly on the Win98 machine. After updating its
virus database I ran it again locally, and it came up with everyone’s
favorite: Cool Web Search. While the scan continued, I grabbed a copy of
cwshredder (Cool Web Shredder). I ran that and Cool Web Search was gone. (I
was lucky; more recent versions of Cool Web Search are apparently much harder
to remove.) I re-ran Spybot, and naturally it picked up a couple more small
things.

With the machine somewhat more stable, one of the items that Spybot caught
in its last run, DSO exploit, reminded me that this machine had probably never
seen Windows Update. Off I went, and installed the latest IE6 update on one
run, and another dozen or so Windows 98 critical updates on the next.

One of the error messages on startup was about a missing device driver
referenced either in system.ini or in the registry. It wasn’t in system.ini, so
a quick search in the registry editor turned up a few references to a software
package that was no longer on the machine. A few appropriate deletions and a
reboot, and that error message was gone.
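The search described above, done by hand in the registry editor, can also be done over a registry export and over system.ini. The following is an added example written for this article, not a tool from the page or from Spybot or eTrust: it pulls every drive-letter path ending in an executable or driver extension out of a REGEDIT4-style export or an .ini file and reports the ones that no longer exist on disk. The sample export, the system.ini fragment and the list of “present” files are all constructed for the example; the value names and key paths in them are illustrative, not taken from the machine in the article.

```python
import os
import re

# A drive-letter path ending in an executable or driver extension, as found in
# .reg exports and in system.ini device= lines.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|vxd|sys|drv|386)\b',
                     re.IGNORECASE)


def find_dangling_refs(text: str, exists=os.path.exists) -> list:
    """Return (section, path) for every referenced file that exists() says is missing.

    Works on a REGEDIT4-style export (section = the [HKEY_...] key) and on
    system.ini (section = a header such as [386Enh]).  exists defaults to the
    real filesystem; pass your own callable to check against a known file list.
    """
    section = None
    missing = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # .reg exports write backslashes inside quoted strings as \\; undo that
        # so the path matches what the registry actually holds.
        line = line.replace("\\\\", "\\")
        for path in PATH_RE.findall(line):
            if not exists(path):
                missing.append((section, path))
    return missing


# Constructed sample export (not from the machine in the article): one Run
# entry and one static VxD that point at a vendor directory that is gone.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"OldVendorAgent"="C:\\Program Files\\OldVendor\\agent.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\OLDVDRV]
"StaticVxD"="C:\\OLDVENDOR\\oldvdrv.vxd"
'''

# Constructed system.ini fragment; built-in drivers are written as *name and
# carry no path, so they are never flagged.
SAMPLE_SYSTEM_INI = r'''[386Enh]
device=*vshare
device=C:\WINDOWS\SYSTEM\vmm32.vxd
device=C:\OLDVENDOR\oldfilt.vxd
'''

# Constructed list of files that "exist" on the sample machine, lower-cased so
# the check is case-insensitive like the FAT filesystem it stands in for.
PRESENT = {r"c:\windows\scanregw.exe", r"c:\windows\system\vmm32.vxd"}


def demo() -> list:
    """Scan both constructed samples against the constructed file list."""
    def on_disk(path):
        return path.lower() in PRESENT
    return (find_dangling_refs(SAMPLE_REG, on_disk)
            + find_dangling_refs(SAMPLE_SYSTEM_INI, on_disk))


if __name__ == "__main__":
    for section, path in demo():
        print(f"[{section}] -> {path} (missing)")
```

Run against a real export (REGEDIT4 or the later “Windows Registry Editor” format, both use the same value syntax) with the default `exists`, and every hit is a candidate for the kind of deletion the paragraph describes; read each one before removing it, since a path can be missing because a drive is not mounted rather than because the software is gone.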

With all the software up to date, and the spyware and viruses removed, it
was time for a couple more speed-ups.

I emptied a very full IE cache of temporary files, and deleted all cookies
and history. Then I defragged the disk.

The eTrust anti-virus scanner is now running and monitoring in real time.
Spybot’s inoculation is in place to prevent and/or warn of unexpected or
malicious software installs.

And the machine is running quite nicely once again.

As a result of this little hands-on experience, I’ll be updating my article
How do I keep my computer safe on the internet? in a few days.

In the meantime, you should know the mantra by now:

  • Run up-to-date anti-virus software.

  • Run up-to-date anti-spyware software.

  • If you’re on broadband, get behind a firewall.

  • If you’re not sure, don’t open it, don’t click on it. Ask someone
    first.

6 comments on “This computer's infested, what do I do?”

  1. Thanks for this site. I appreciate all the helpful information. The first day I saw the site I actually thought you were Leo Laporte from Tech/TV, sorry about that. I posted a question related to SP2 and said something about the Screen Savers. You answered the question and sent back an e-mail informing me of my mistake. Anyway I would like to ask you about how you got Spybot onto 3 floppy disks and how you used it in safe mode. Could you post an article with the specifics related to how this is done? Again I would like to thank you for this site and let you know that you are actually quite helpful.
  2. I was kind of expecting that question … many years ago I wrote a small program to split a file into floppy-sized pieces. Then I just use the COPY command in a command shell to concatenate them all back together into the original file. Yes, when I get a chance I will post both the tool and the instructions.
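The split-and-rejoin step that the article mentions and that the reply above describes (a splitter for floppy-sized pieces, then COPY to concatenate them) can be shown in a few lines. The following is an added example written for this page, not Leo’s tool or Spybot’s installer: it cuts a file into numbered parts of at most one floppy’s worth, writes a SHA-256 of the original beside them, and refuses to write the rejoined file unless the hash matches, which catches a bad floppy read or a disk inserted out of order. The chunk size, the file names and the 3,000,001-byte sample file are assumptions made for the example. On the DOS side, the standard form of the join is `copy /b part1+part2+part3 original.exe`, with `/b` so COPY treats the parts as binary.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed chunk size (an assumption for this example, not a figure from the
# article): a formatted 1.44 MB floppy holds 1,474,560 bytes; keeping a little
# back leaves room for the directory entry and the small hash file.
FLOPPY_CHUNK_BYTES = 1_440_000


def split_bytes(data: bytes, chunk_size: int = FLOPPY_CHUNK_BYTES) -> list:
    """Cut data into consecutive pieces of at most chunk_size bytes."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def join_chunks(chunks) -> bytes:
    """Concatenate pieces in order; the byte-level equivalent of COPY /B a+b+c."""
    return b"".join(chunks)


def split_file(src: Path, out_dir: Path, chunk_size: int = FLOPPY_CHUNK_BYTES) -> list:
    """Write src as numbered parts (name.001, name.002, ...) plus a SHA-256 of the whole."""
    data = src.read_bytes()
    out_dir.mkdir(parents=True, exist_ok=True)
    parts = []
    for n, chunk in enumerate(split_bytes(data, chunk_size), start=1):
        part = out_dir / f"{src.name}.{n:03d}"
        part.write_bytes(chunk)
        parts.append(part)
    (out_dir / f"{src.name}.sha256").write_text(hashlib.sha256(data).hexdigest())
    return parts


def join_files(parts, dest: Path, expected_sha256: str) -> bool:
    """Reassemble parts in name order and write dest only if the hash matches."""
    data = join_chunks(p.read_bytes() for p in sorted(parts))
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return False  # a bad floppy read or a swapped disk shows up here
    dest.write_bytes(data)
    return True


def roundtrip_demo() -> dict:
    """Split a constructed 3,000,001-byte file, rejoin it, then show a damaged part failing."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "installer.exe"  # constructed stand-in: random bytes, not a real installer
        src.write_bytes(os.urandom(3_000_001))
        parts = split_file(src, tmp / "disks")
        expected = (tmp / "disks" / "installer.exe.sha256").read_text()
        ok = join_files(parts, tmp / "rebuilt.exe", expected)
        same = (tmp / "rebuilt.exe").read_bytes() == src.read_bytes()
        # Simulate a flaky floppy: flip one byte in the second part and rejoin.
        damaged = bytearray(parts[1].read_bytes())
        damaged[0] ^= 0xFF
        parts[1].write_bytes(bytes(damaged))
        damaged_ok = join_files(parts, tmp / "rebuilt2.exe", expected)
        return {"parts": len(parts), "verified": ok, "same_bytes": same,
                "damaged_part_detected": not damaged_ok}


if __name__ == "__main__":
    print(roundtrip_demo())
```

The hash file is the part worth keeping even if you use plain COPY to rejoin: a floppy that reads back one bad sector produces an installer that is the right size and the wrong contents, and without a checksum that only shows up as an unexplained crash later.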
  3. Hi Leo and thanks for the very helpful site.
    I have a spyware infestation called “My searchbar” which cannot be removed in “Add or remove programs”. What do I do?
    P
  4. I would look at first disabling everything in start up with msconfig. I think version 1.4 would catch more bugs than Spybot S&D 1.3, and I would run the F-Prot DOS version (free also, and you can make floppies) to clean out viruses and such. A good boot CD should do the job; even the original Windows 98 SE was bootable and could get you going. After you finish, you should recommend the user not use such an old system on the internet; 98’s full of holes.