Things you need to do when your PC is infected

Capt.Jack Sparrow

For those who are facing the challenge of malware removal, here's a basic guide on what to do when the system is infected.
But I strongly recommend posting a question, as there are times when ComboFix and Malwarebytes are unable to remove the infection. For malware that has patched system files, we need to determine which file is patched and replace it before we can continue the cleanup process and run diagnostic tools.



- ISOLATE THE INFECTED SYSTEM:

The very first thing you should do is isolate the infected system from the network to stop the infection spreading.
Turn off the internet connection except while you're downloading the tools you need, which shouldn't take long. Or you can use another PC with internet access to download the files onto a USB drive. Unplug the network cable and turn off the wireless connections of the infected system. Do not share removable media devices.



- LEAVE SYSTEM RESTORE TURNED ON:

DO NOT disable System Restore; you need to keep those restore points intact in case you need them later. You can disable it afterwards, when the PC is clean and stable.
Any viruses in System Restore (if there are any) are harmless, so they pose no threat while in that folder.
For further information about viruses in System Restore, check out the link below --> Viruses in the System Volume Information (System Restore).



- BACKUP YOUR DATA:

As a precaution, back up your important files now, while you still can, in case something goes wrong during the cleanup and you have no choice but to reformat. Bear in mind that you MUST scan the backup before you start using it.



- ERUNT (Emergency Recovery Utility NT):

Some malware will turn off System Restore and other Windows features to reduce the PC's functionality. If you notice that System Restore has already been turned off or its tabs are greyed out, use ERUNT to make a complete backup of the registry. A registry export is not good enough. Removing nasties requires making registry changes, and if the registry is corrupted it can prevent the PC from booting. The ERUNT backup can then be restored later if needed.

Complete ERUNT tutorial:
t-online.de

If the virus has already disabled SR and you don't have an ERUNT backup, then the next thing you should do is run ComboFix before you run any other tools, so that you have a registry backup. Post a question and we'll guide you through its usage.



- DOWNLOAD THE TOOLS AND START THE CLEANUP:

Download the programs needed for the cleanup. There are many free tools out there, but the ones below are among the most commonly used; they work well and they are FREE.
Usually MBAM or ComboFix alone will remove most infections, but it's good to also clean the temp folders.

a) ATF Cleaner or TFC
b) Malwarebytes
c) SUPERAntiSpyware
d) ComboFix (with a helper's guidance). Post a question if using ComboFix and attach the log file for us to analyse.



- SCAN FOR ROOTKITS:

If the problem is not resolved after scanning with reliable scanners, then scan for rootkits; I prefer using GMER and RootRepeal. Even if the issue no longer exists, it's always a good idea to scan with these tools for the reassurance that nothing is hiding.



- DISABLE SYSTEM RESTORE:

Once the problem is resolved and the system is clean, you can then disable System Restore to purge all those restore points, then turn it back on and immediately create a new, clean restore point.

How to turn Off/On System Restore:
How to turn off and turn on System Restore in Windows XP



- PREVENTION:

Prevention is better than cure, so make sure that you have the 3 basic real-time security protections in place, without doubling up on any of them.

1. Antivirus
2. Firewall
3. Anti-malware

Make sure all your installed programs get regular updates and Windows has all the critical security patches. Tighten the security features in your browsers; if using Firefox, use the NoScript add-on.
Install the latest version of Java to minimize the risk of Vundo threats, as lower versions are very vulnerable to Vundo exploits.
Use a customized Hosts file to block unwanted nasties. Browse the internet using a limited user account; even though a LUA is 'not useful' against the rogue antivirus family, it is still better than browsing online with an Admin account.

NOTE: the best protection is User Education.

For more in-depth info on prevention, please read the links below:

TonyKlein's article "So how did I get infected in the first place?"
miekiemoes' "How to prevent Malware"
Simple and easy ways to keep your computer safe and secure on the Internet

Source: THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED

Hope this helps,
Captain
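The Windows-native parts of the procedure above, as an added example that is not part of the original post or of any of the tools it names: administratively isolating the box, inventorying restore points before anything runs, taking a hive-level registry backup when ERUNT cannot be used, building a file report to find a patched system file, cycling System Restore after the cleanup, and two checks for the prevention section (are you browsing as an administrator, and idempotent Hosts file blocking). The driver and executable list, the backup folder and the blocked domains are assumptions chosen for illustration; run it from an elevated Windows PowerShell prompt on the infected machine.

```powershell
# Added example, not from the original post. Windows PowerShell helpers for
# the cleanup steps (isolate, restore point inventory, registry backup,
# patched-file report, fresh restore point) and the prevention section.
# Run elevated. The file list, backup folder and domains are assumptions.

# ISOLATE: administratively disable every enabled interface. netsh works
# from XP through 8; Disable-NetAdapter would need Windows 8 or later.
function Disconnect-AllAdapters {
    foreach ($line in (netsh interface show interface)) {
        if ($line -match '^\s*Enabled\s+\S+\s+\S+\s+(.+?)\s*$') {
            $name = $Matches[1]
            Write-Host "Disabling interface: $name"
            netsh interface set interface name="$name" admin=disable | Out-Null
        }
    }
}

# LEAVE SYSTEM RESTORE ON: list the points you have before any tool runs.
function Get-RestorePointSummary {
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

# REGISTRY BACKUP: reg save writes binary hive files (reloadable with
# reg restore), closer to what ERUNT keeps than a .reg text export. It is a
# fallback for when ERUNT cannot be used, not a replacement for it.
function Backup-RegistryHives {
    param([string]$Dest = "$env:SystemDrive\RegBackup_$(Get-Date -Format yyyyMMdd_HHmm)")
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE', 'HKLM\SAM', 'HKLM\SECURITY', 'HKCU', 'HKU\.DEFAULT') {
        $file = Join-Path $Dest (($hive -replace '[\\.]', '_') + '.hiv')
        reg save $hive $file /y | Out-Null
    }
    Get-ChildItem $Dest
}

# PATCHED SYSTEM FILES: sfc /verifyonly checks protected files against the
# component store (it writes straight to the console, so it is started
# rather than piped). The report gives size, SHA-256 and Authenticode status
# per candidate so it can be compared with a clean machine of the same
# build. Many OS files are catalog-signed, so NotSigned alone is a pointer,
# not proof. The candidate list is an assumption; extend it for your case.
function Get-SystemFileReport {
    param([string[]]$Files = @('atapi.sys', 'ndis.sys', 'volsnap.sys', 'tcpip.sys',
                               'services.exe', 'explorer.exe', 'winlogon.exe'))
    Start-Process -FilePath sfc -ArgumentList '/verifyonly' -NoNewWindow -Wait
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($f in $Files) {
        $path = @("$env:windir\System32\$f", "$env:windir\System32\drivers\$f") |
            Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $path) { continue }
        $stream = [System.IO.File]::OpenRead($path)
        try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
        $sig = Get-AuthenticodeSignature -FilePath $path
        New-Object PSObject -Property @{
            File   = $path
            Bytes  = (Get-Item $path).Length
            SHA256 = $hash
            Signed = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# DISABLE SYSTEM RESTORE (after the cleanup only): cycling protection on the
# system drive discards the old points, then a clean checkpoint is taken.
# Windows 8 and later allow one checkpoint per 24 hours by default.
function Reset-RestorePoints {
    $drive = "$env:SystemDrive\"
    Disable-ComputerRestore -Drive $drive
    Enable-ComputerRestore -Drive $drive
    Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS
}

# PREVENTION: is the account you browse with an administrator?
function Test-IsAdmin {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# PREVENTION: add 0.0.0.0 entries to the Hosts file, skipping any domain
# that already has an entry. The domains are constructed placeholders.
function Add-HostsBlock {
    param([string[]]$Domains = @('ads.example.invalid', 'tracker.example.invalid'))
    $hosts = "$env:windir\System32\drivers\etc\hosts"
    $existing = Get-Content $hosts
    $toAdd = $Domains | Where-Object {
        -not ($existing -match ('^\s*\S+\s+' + [regex]::Escape($_) + '\s*$')) }
    if ($toAdd) {
        Add-Content -Path $hosts -Encoding ASCII -Value ($toAdd | ForEach-Object { "0.0.0.0 $_" })
    }
    $toAdd   # returns only the domains that were newly written
}
```

Typical order on an infected machine: Disconnect-AllAdapters, then Get-RestorePointSummary and Backup-RegistryHives before any cleanup tool writes to the registry, then Get-SystemFileReport | Format-Table and diff the hashes against a clean machine of the same Windows build to find the patched file. Reset-RestorePoints is the last step, once the scanners come back clean. Test-IsAdmin returning True from the account you browse with is the LUA problem the prevention section describes; Add-HostsBlock only ever appends, so the rest of a customized Hosts file is left alone.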
I hope they sticky this.

Also, you should have mentioned imaging your system while it's virus- and problem-free.

Many (myself included) keep current images of our systems in case of attack, infection or general Windows blunders.

It is the fastest way to get back on your feet.
Very useful information, thanks.
Very nice Bhai. :D
Thanks!! Glad you found it helpful!!
Notes:

ERUNT compatibility: Registry Backup and Restore for Windows NT/2000/2003/XP. For Windows Vista, it is necessary to turn off System Restore.

ComboFix: Strong advisory to not use unless requested by a trained member of the security community.

Tony Klein's article, "So how did I get infected in the first place?": Coincidentally, I spent a lot of time yesterday updating the sites where I "maintain" that article. Updated version: "So how did I get infected in the first place?" © Tony Klein.
Captain, this should be a tutorial. Very good job.
Notes:

ERUNT compatibility: Registry Backup and Restore for Windows NT/2000/2003/XP. For Windows Vista, it is necessary to turn off System Restore.

ComboFix: Strong advisory to not use unless requested by a trained member of the security community.

Tony Klein's article, "So how did I get infected in the first place?": Coincidentally, I spent a lot of time yesterday updating the sites where I "maintain" that article. Updated version: "So how did I get infected in the first place?" © Tony Klein.

Thanks for the additional tips, Corrine!!
You should also mention running those programs in Safe Mode. That way the malicious program won't run.
Hi, metalmania31.

If at all possible, it is best to run anti-malware programs in normal mode. Malwarebytes' Anti-Malware is intended to run in normal mode rather than Safe Mode, as that gives it a chance to catch malware while it is active.
Hi, metalmania31.

If at all possible, it is best to run anti-malware programs in normal mode. Malwarebytes' Anti-Malware is intended to run in normal mode rather than Safe Mode, as that gives it a chance to catch malware while it is active.

Wouldn't it depend on the circumstances? Sometimes viruses will block anti-malware programs from running at all. I had this happen on my parents' computer when it was infected with one of those fake antivirus programs.