Information Security Asked on December 17, 2021
This is an attempt to ask a canonical question as discussed in this old meta post. The goal is to create something helpful that can be used as a duplicate when non-experts ask about virus infections.
Let’s say that I have determined beyond doubt that my home PC is infected by a virus. If necessary, you can assume that my computer runs Windows. Answers aimed at the non-technical reader are encouraged.
Coming from a different question to this one I have to note that currently malware may reside in (from most common to least common):
The development of malware for any of these ROMs costs astronomical amounts of money, so if you're an average user who's not targeted by foreign states or three-letter agencies there's no need to worry. A complete disk wipe is enough to rid your PC of any malware.
Answered by Artem S. Tashkinov on December 17, 2021
In agreement with @CaffeineAddiction: Nuke it from Orbit. Reinstalling the operating system is the only way to be sure that your OS is safe. The difficult process is identifying everything that must survive a reinstall. Here are some pointers to consider.
If I left anything out, feel free to update/edit.
Identify files on the current system that must be saved. Common places to check include:
Look through the installed programs and find those that are required. Ensure you have the install media and licenses for those programs. If not, identify how the installers and licenses can be obtained before reinstalling the OS. Examples include Photoshop, AutoCAD, Antivirus, etc.
If possible, download a fresh copy of the program after the operating system has been installed. Ensure the fresh copy can be used with the applicable license.
Many users will save their credentials for autologin. Ensure they have the password before reinstalling.
If a password manager is being used, note the program being used and its version. Confirm an export/backup of the installed version is compatible with the most current version available.
Consider asking the individual to test their logins before reinstalling. Preferably the verification should occur on a clean system.
Identify any peripheral equipment connected to the system that will need drivers.
Document the network configuration and any wireless network configurations that need to be saved.
Consider downloading a fresh copy of the network drivers onto a clean system and copy/burn them onto a CD, thumb drive, etc. This is because some drivers are not natively supported by the operating system. Having a clean copy of these drivers to install after reinstalling the operating system will greatly expedite the process.
Identify any sensitive credentials used on the compromised system.
Change these passwords as soon as possible on a clean system. If this isn't possible, change the passwords after the system has been reinstalled and all security updates applied.
Examples include:
Backup all files, licenses, etc. to an external/thumb drive, network share, or cloud drive. Exclude any programs that can be downloaded as a fresh install such as Firefox.
With everything critical saved, wipe the entire disk and reinstall the desired operating system.
Install the necessary drivers to get the system functional, not optimal.
Configure the network cards to the previous configuration so updates can be downloaded.
Ensure that all security updates are installed for the operating system as well as any drivers.
Install any critical programs identified from above and ensure all associated security updates are installed for them.
Restore files that were previously backed up. Configure programs/applications with the appropriate licenses. Restore browser bookmarks/favorites. Ensure the user's environment is similar to how it was prior.
If you know when the virus got onto the system, change passwords for any accounts that were used on the system during that time. For example email accounts, forums, etc. If any of the prior accounts have the same password as an account that wasn't used, change the password on that account too. In fact, consider that password compromised. Any account using the same password as one used when the system was compromised, change the password to something complex and unique.
Answered by user2320464 on December 17, 2021
COMPACT answer:
I am always happy to help non-technical users. If you are not sure what you should do, you can follow these instructions (compressed description; I will not explain everything in detail, but I am willing to edit upon request). This is not an ideal situation, and nothing is 100% secure, BUT:
Feel free to ask.
Answered by TriloByte on December 17, 2021
Honestly, "non-technical users" are typically unaware of the basic conceptual difference between a data "file" and an "application", never mind the minefield of subtleties in the advanced war game between malware and anti-malware experts. The only sane answer is...
If they act like an anti-virus tool will "fix it" instead, they are not professionals, find someone else.
Answered by John McNamara on December 17, 2021
Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?
A virus (or more likely a worm) has to operate on its own to circumvent your security. For most attack vectors it has to do so using moderate amounts of code. Antivirus software may eventually be able to detect that bit of code based on some of its characteristics, even if it rewrites itself to avoid detection.
But once you have the virus on your system, it can contact some controlling server and invite additional code onto your computer. In this case, there are fewer size limitations, and there may even be some live interaction with the person or team which initiated the virus. So here you are up against clever people loading a ton of malicious code onto your machine, as opposed to the one solitary piece of code you had before. Chances are that amongst all that stuff there is at least some code (which probably doesn't propagate on its own) which hasn't been recorded by antivirus specialists yet.
Furthermore, an active piece of malware may well be able to prevent antivirus software from doing its job. It may have installed a rootkit into your OS kernel which hides the files it's using from all other software, so they can't be scanned. It might be terminating your malware removal tool and then showing an “all is fine” message it generated itself. You can never be sure that this is not what's happening.
So the moment your computer is compromised, it's no longer your computer. Anything you do on it may be intercepted and redirected by whoever got the infection there. Nuke it from orbit.
Answered by MvG on December 17, 2021
Prevention
An ounce of prevention is worth a pound of cure. You should be running virus protection and regular updates. Have virus eradication software (different from protection) already installed. An example is Malwarebytes Anti-Malware. There are also specialty rootkit removal tools.
Have backups of your data. Cycle them so you also have some old(er) backups. Don't leave your backup device plugged in - if the virus is going to corrupt or lock data then it has access to your backup. A cloud service for $5 / month is money well spent.
Use Firewall protection.
Symptoms
Sluggish. High CPU usage but no program admits to using the CPU. Updates of the OS and / or virus protection fail. Virus protection won't start.
Removal
Removal is not always successful and it can be very time consuming, but if it works then you still have all your programs, settings and data.
I have gotten dozens of viruses and have always been able to remove them. In one case it had hacked up the registry enough to be a problem. But I was going to upgrade anyway so I just applied an upgrade.
Hopefully you already have removal program(s) installed.
Don't just Google "virus removal" and download the first thing you find. Some are just viruses themselves. There are known names. And some good free stuff.
Disconnect from the Internet. A virus will typically disable virus protection so 1 virus can quickly turn into 20. And it may be scanning the PC to send data to the mother ship.
Run your virus removal program(s). Sometimes you need to boot in Safe Mode. By booting in Safe Mode some of the viruses don't load so they are easier to find and delete. Hopefully that cleans up some stuff.
Connect to the Internet and update the virus program and run them again. If they say clean you may be good to go.
Then run all your OS updates.
Sometimes the virus is gone but it hacked the registry and things still don't run right. There are registry repair tools - typically free from the OS vendor.
Recovery
Run recovery from your recovery partition or original media. Make sure to immediately install updates. You might lose minor stuff with a recovery.
Worst Case
Some viruses require a reformat and re-install. The problem here is you have to re-install EVERYTHING.
Answered by paparazzo on December 17, 2021
I'm sorry to hear you've got a computer virus. Fortunately, thousands of people deal with virus infections daily, and in most cases, the computer and all data can be restored. By following good online practice you can avoid future infections.
There are two main approaches for removing a virus:
Using anti-virus software is quicker and easier, but has a greater risk that the virus will silently remain and cause problems later. Wiping and reinstalling is recommended for knowledgeable users. It is normally possible to keep all your data while doing this.
Using anti-virus software
If you do not have anti-virus software already there are various free options (e.g. Windows Defender, AVG Free) and many paid options (e.g. Symantec Endpoint Protection, Kaspersky Internet Security).
Make sure the anti-virus software is up-to-date.
You can then run a full scan of your computer. Some AV software calls this a deep scan. If any viruses are found, you will get the option to quarantine the affected file.
Some advanced viruses have the ability to hide from anti-virus software. To cope with this, some AV software has the ability to "scan on boot". The AV runs before Windows starts, and in this mode, the virus is crippled, allowing the AV software to more effectively remove it. Once complete you can boot into Windows as normal. Other AV software allows you to create a boot disk instead of "scan on boot".
The precise instructions for all this depend on your anti-virus software. Consult the manual for further information.
Wipe and reinstall
The basic idea is to copy all your data onto an external hard drive, then reinstall Windows. This will give you a blank - and hopefully uninfected - Windows installation. You will then need to reinstall all your software, restore all your data, and customise the settings you had before.
Before you start, make sure you have installation media and license codes for all your commercial software. If necessary, you can extract a Windows and Office product key from your installation. You can also download disk images from Microsoft - provided you have a product key.
You need to carefully backup all your data onto an external hard drive. It can be difficult to get everything. People often forget their address book and bookmarks. This is a stressful point, because once you start reinstalling Windows, you lose the ability to recover further data. As an alternative, you can buy a new hard disk, and put the old hard disk in a USB enclosure like this.
You then need to reinstall Windows, all your other software, then restore your data and settings.
Avoiding reinfection
You must follow basic security practice:
Beyond this, you need to exercise care. It is difficult to explain precisely how to do this, but here is some basic guidance:
An .exe file you download gets full access to your computer.
While your computer had a virus, it is possible that all your passwords have been captured. You should at least change your passwords for online accounts that are important to you, e.g. web mail, social media, online banking. It usually isn't necessary to change low value passwords for forums and e-commerce sites.
It's also possible that credit card numbers have been compromised if you have used them on this computer. I believe this is fairly rare, and changing your cards is a (modest) hassle. Instead, hold on to your cards, keep a close eye on your statements and change the cards if fraud occurs.
If you've followed this through to the end, well done! It is not an easy process, and you will hopefully have recovered from the infection. Take care online - but don't be afraid of your computer.
Answered by paj28 on December 17, 2021
Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?
Unless you know a lot about malware and understand how the malware you have works, then no, you will never be certain that you've caught everything.
For example, with ransomware, it is very common for it to plant a second "sleeper" virus on the computer which won't trigger for maybe 6 months.
Ideally, as others have commented, you need to reset the BIOS and completely reset all disks removing all trace of existing partitions before getting a new copy of the OS and starting again.
However, if you really can't do that and you can't afford to pay someone to do it for you and you don't mind living on the edge and don't want to do online banking and don't mind running additional anti-malware tools for the next year - then you could take a punt; there's a reasonable chance that, if you cleaned it well, you might get away with it.
Answered by Julian Knight on December 17, 2021
I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?
It is not totally safe but it is likely to be fairly safe as long as you take basic precautions.
Assuming you now have a clean machine, ensure that it has good, up-to-date anti-virus; also create a non-admin user and log in with that.
Images are less likely to be infected so start by downloading those. Now's a good time to run a couple of additional anti-malware checkers as a one-off. Then make a new backup assuming your tools found no issues.
Next do the same with your really critical documents. Make sure you open them to ensure that they are not corrupted and also to find out the worst in case they are infected. Run the malware checkers again then run another backup.
Then do the same with other documents.
Finally, change your backup routine to automatically make multi-version backups no more than 1 day apart if you can, preferably on file change if possible.
If you want even more safety as you go through this, consider using a virtual machine such as using VirtualBox.
Answered by Julian Knight on December 17, 2021
I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?
The very first thing you should do upon determining your machine is infected is isolate it. This means you must completely disconnect it from the internet and your local network, and disconnect any peripheral devices with the exception of the bare necessities to clean it.
To take it offline, if the machine is connected via a network cable, pull it out. If it is connected via WiFi, then perform these steps if possible (in order):
Recommended:
Note that the reason for steps 2-4 above is that a sophisticated virus could re-enable the WiFi driver and reconnect to your network (or any network). It's possible the virus could also know all of your current passwords for anything you access from that machine, including your WiFi password.
Once the machine is isolated you should be relatively safe to continue on with your life until you have time to deal with it. Until the machine is cleaned all file transfers should be done via a thumb drive, CD/DVD, external drive, etc. That being said, before you do anything else, immediately change your email password and all passwords that you have ever typed in from (or stored on) the infected machine from a non-infected machine. You probably cannot remember anything, so focus on:
Email passwords: Gmail, Yahoo, Hotmail, Outlook, and any corporate accounts
Financial passwords: banks, retirement, stock broker, sites like Mint.com
Shopping passwords
Answered by TTT on December 17, 2021
What do I do now? How do I get rid of the virus?
The best option is what is referred to as "nuke it from orbit." The reference is from Aliens:
The idea behind this is that you wipe your hard drive and reinstall your OS. Before you do this, you should make sure you have the following:
slmgr.vbs.
Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?
In theory, it is not always necessary to fully reinstall. In some cases you can clean the virus off the hard drive without a full reinstall. However, in practice it's very hard to know that you have gotten it all, and if you have one virus it is likely you have more. You might succeed in removing the one that causes symptoms (such as ugly ad popups), but the rootkit stealing your password and credit card numbers might go unnoticed.
The only way to kill everything is to wipe the hard drive, so your best option is always to nuke it from orbit. It's the only way to be sure.
I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?
You may not have time for it right now, but you really don't have time for your email getting hacked and your identity being stolen. It's best to take the time to fix it now and fix it right before the problem gets worse.
While your computer is infected all your keystrokes might be recorded, your files stolen, it might even be used as a part of a botnet attacking other computers. You do not want this to be going on for longer than necessary.
If you really don't have time to deal with it right now, power down the computer and use another one until you have time to fix it. (Be careful with file transfers from the infected to the uninfected computer, though, so you do not contaminate it.)
I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?
Any backups made after the virus infection occurred could potentially be infected. A lot of the time they are not, but they could be. Since it is very hard to pinpoint exactly when the infection occurred (it may be before you started to notice symptoms) this applies to all backups.
Also, Windows restore points can be corrupted by a virus. It is better to archive copies of your personal files on external or cloud storage.
If you are restoring them from external or cloud storage on a computer that has already been nuked from orbit make sure you scan all the files you are restoring before you open them. Executable files (such as .exe) can contain viruses, and so can Office documents. However, picture and movie files are likely safe in most cases.
Do I need to worry about peripherals getting infected? Do I need to do anything about my router or other devices on my home network?
Peripherals can be infected. Once you have re-installed your OS you should copy all the files off your thumb drive, scan them with antivirus, format the thumb drive, and restore the files to the thumb drive as needed. Most routers will be fine, however, it is possible for DNS settings to be compromised either through a weak password or malicious use of UPnP. This can easily be resolved by resetting the router to factory defaults. You may also want to configure your DNS settings to either Google DNS or OpenDNS. If you have some type of network attached storage, you should do a full scan of it with antivirus before using any of the files on it.
See Also: Help! My information has been stolen! What do I do now?
THIS IS A WORKING DRAFT; FEEL FREE TO WIKI/EDIT AS NEEDED
Answered by CaffeineAddiction on December 17, 2021
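Both the answer above and Julian Knight's answer on restoring post-infection backups say the same thing: executables and Office documents are the risky files, pictures are usually fine, and everything should be scanned before it is opened. The script below is an added example, not code from any answer in this thread. It triages a folder of restored files the way a careful user would before opening anything: it checks that each file's leading bytes (well-known format signatures) agree with its extension, so an executable renamed to look like a photo is caught, quarantines anything that is really a Windows executable or an Office document carrying a VBA macro project, and records a SHA-256 for each file so it can be submitted to a scanner without being opened. The sample files it builds in a temporary directory are constructed for the demo, and the verdict policy (which extensions land in which bucket) is my own assumption, not something the thread specifies.

```python
import hashlib
import os
import tempfile
import zipfile

# Leading bytes that identify common file types (well-known format signatures).
MAGIC = {
    ".exe": b"MZ", ".dll": b"MZ", ".scr": b"MZ",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".docm": b"PK\x03\x04", ".xlsm": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
}
# Verdict policy below is an assumption for this example, not from the thread.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar"}
OFFICE_EXTS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".docm", ".xlsm"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def sha256_of(path):
    """Hash the file so it can be looked up or submitted to a scanner without opening it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_vba_macros(path):
    """OOXML documents are zip archives; a vbaProject.bin entry means the file carries macros."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(name.endswith("vbaProject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(path):
    """Return 'quarantine', 'mismatch', 'scan-before-open', 'likely-safe' or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(16)
    expected = MAGIC.get(ext)
    # Anything that is really a Windows executable is quarantined regardless of its name.
    if head.startswith(b"MZ") or ext in EXECUTABLE_EXTS:
        return "quarantine"
    # Content disagrees with the extension: treat as suspicious and do not open it.
    if expected is not None and not head.startswith(expected):
        return "mismatch"
    if ext in OFFICE_EXTS:
        # Office files are scanned first; ones with an embedded macro project are quarantined.
        return "quarantine" if has_vba_macros(path) else "scan-before-open"
    if ext in IMAGE_EXTS:
        return "likely-safe"  # signature matched the extension
    return "unknown"


def triage(root):
    """Classify every file under root; returns {relative name: (verdict, sha256)}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            report[os.path.relpath(p, root)] = (classify(p), sha256_of(p))
    return report


def build_sample_tree(root):
    """Construct sample 'restored' files (made up for this example) covering each verdict."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
        "invoice.pdf.exe": b"MZ" + b"\x90" * 64,           # double-extension executable
        "vacation.jpg": b"MZ" + b"\x90" * 64,              # executable renamed to look like a picture
        "notes.txt": b"remember to change passwords\n",    # no signature on file -> unknown
        "broken.png": b"not really a png",                 # content does not match extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "thesis.docx"), "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")          # macro-free document
    with zipfile.ZipFile(os.path.join(root, "budget.xlsm"), "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"\x00")              # carries a VBA project
    return root


def demo():
    """Build the sample tree in a temporary directory and return {name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {n: v for n, (v, _) in triage(build_sample_tree(tmp)).items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (verdict, digest) in sorted(triage(build_sample_tree(tmp)).items()):
            print(f"{verdict:17} {digest[:12]}  {name}")
```

Point it at the folder you copied off the backup drive (`triage("/path/to/restored")`) before opening anything: files marked quarantine or mismatch go straight to the antivirus scanner, scan-before-open files get scanned and are then opened only with macros disabled, and likely-safe only means the bytes look like the picture format they claim to be, which is a cheap sanity check rather than a clean bill of health. The restored files are the untrusted input here, so the script only ever reads them; it never executes or renders them.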