Background
I recently needed to move from an old PC that had developed the click of death to a newer PC someone gave me for free—except that it was riddled with viruses and malware (spyware, adware, trojans, etc.).
I’d have liked to wipe the new PC and put a fresh Windows XP copy on it, but I didn’t have the XP installation discs for the new PC and my old PC only had Windows 2000. So in order to keep XP I had to clean off the malware.
I spent about a week researching free software options for cleaning malware and viruses from a Windows PC, and running/babysitting the PC during the process, so I thought I’d document it for anyone else who has to do this.
Clean Up Your Computer First
Before you start running malware/virus cleaner programs, you should do a different kind of cleaning first: Cleaning off unnecessary files, especially big ones.
You should look for directories of stuff you don’t need any more, or that you can burn to a CD/DVD and file away (such as old photos and music you no longer listen to). You should also clean out temporary files and any big files you don’t need; very big files (250MB+) can cause some scanners to slow to a crawl, while others just skip them entirely.
In Windows XP, you can find big files by going to My Computer, then Local Disk (C:), then right-click, Search…, What size is it? >, Large (more than 1MB), Search. Then just select ones you don’t think you’ll need any more and right-click->Shift-Delete (that way you don’t have to remember to empty the Recycle Bin). Obviously, if you don’t know what a file is, it’s safer to just leave it alone.
Programs like CCleaner and EasyCleaner can also help, especially for removing temporary files.
The main reason for cleaning up unnecessary files is that they take up scanning time, and when you run a lot of scans all that time really adds up.
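The same search as a script, added here as an example (it is not from the original post): it lists every file on C: over the post’s 250MB threshold, largest first, so you can decide what to archive or delete. It only reports; nothing is deleted. The threshold and drive letter are the only assumptions.

```powershell
# Added example (not part of the original post): list the largest files on C:
# so you can decide what to burn to disc or delete before scanning. Nothing
# is deleted here. 250MB is the post's figure for files that make scanners
# crawl; change $threshold as needed. -Force includes hidden files, and
# access-denied errors on protected system folders are silenced.
$threshold = 250MB

Get-ChildItem -Path 'C:\' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Length -gt $threshold } |
    Sort-Object Length -Descending |
    Select-Object @{Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB) }},
                  LastWriteTime,
                  FullName |
    Format-Table -AutoSize
```

The pipeline avoids the `-File` switch so it also runs on PowerShell 2.0, the version available for Windows XP SP3. As the post says, leave anything you don’t recognise alone; large files under `C:\Windows` are usually the hibernation file, the page file, or System Restore data rather than junk.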
Determine If You Have the Latest Windows Service Pack
At the time of this writing (Sept 2010), the most recent “service packs” (batches of Windows security and other updates) are Service Pack 3 for Windows XP and Service Pack 2 for Vista, with Service Pack 1 for Windows 7 due in the first half of 2011; see http://support.microsoft.com/sp for the latest Service Pack information about your version of Windows.
You should know which Service Pack your computer has installed and whether it’s the latest Service Pack that’s available. You can determine this by doing: Start -> Run -> msinfo32 -> OK -> System Summary -> Version (or Start -> Run -> winver -> OK, which shows the same version and Service Pack in a small dialog).
If your PC doesn’t have the latest Service Pack for your kind of Windows, make a note of your current Service Pack (if any) and the most recent Service Pack available from Microsoft. We’ll return to updating to the latest service pack later, after cleaning your system with rescue CDs.
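The same check done from a PowerShell prompt, added here as an example rather than taken from the original post. It reads the installed version and Service Pack through WMI and compares them with the latest Service Packs the post lists for September 2010; that table is an assumption frozen at that date, so confirm it against http://support.microsoft.com/sp before relying on it.

```powershell
# Added example (not part of the original post): report the installed Windows
# version and Service Pack and compare with the latest one available.
# The $latestSp table reflects the post's date (Sept 2010) and is an
# assumption; check Microsoft's Service Pack page for current values.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Windows NT version prefix -> latest Service Pack number as of Sept 2010
$latestSp = @{
    '5.0' = 4   # Windows 2000 SP4
    '5.1' = 3   # Windows XP SP3
    '6.0' = 2   # Windows Vista SP2
    '6.1' = 0   # Windows 7 (SP1 not yet released at the time of writing)
}

$verPrefix = ($os.Version -split '\.')[0..1] -join '.'
$installed = [int]$os.ServicePackMajorVersion
$spText    = if ($os.CSDVersion) { $os.CSDVersion } else { 'no Service Pack' }

"{0} (version {1}), {2}" -f $os.Caption, $os.Version, $spText

if (-not $latestSp.ContainsKey($verPrefix)) {
    "Windows version $verPrefix is not in the table; check Microsoft's Service Pack page manually."
} elseif ($installed -lt $latestSp[$verPrefix]) {
    "Service Pack $installed installed, Service Pack $($latestSp[$verPrefix]) available. Note both numbers; install the newer one offline later."
} else {
    "The latest Service Pack for this version of Windows is already installed."
}
```

`Win32_OperatingSystem` exposes `Version` (e.g. 5.1.2600), `CSDVersion` (e.g. “Service Pack 3”) and `ServicePackMajorVersion`, which is all the comparison needs; the output is the same information msinfo32 shows under System Summary -> Version.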
Download and Burn Rescue CDs
Malware/viruses that are actively running on a PC have too many ways to avoid detection and resist removal. Instead, you have to get them when they’re inert and can’t hide or fight back, and the best way is by starting up in another operating system entirely.
To do that you’ll need to download and burn at least one rescue CD, preferably all of them because each product catches different things. If you’re really careful/paranoid, use a different computer to download and burn the CDs too.
Most of the rescue CD files below are .iso files; after downloading them, double-click each to open up a Windows program allowing you to burn the image to a new CD:
(If you know of other free rescue CDs I should add to this list please let me know; I ruled out Norton Bootable Recovery Tool, Panda SafeCD, and Avast Bart CD because they are not free. If you already have a paid product like Norton or McAfee, it may have a rescue disc version too; search the company’s website for more info.)
Note: Several of these rescue CD programs require at least 512MB of memory to run. If your computer has less memory, the programs will often start up but mysteriously fail with an “unknown error” or no error at all.
Provide Internet for Rescue CDs via Ethernet (If Possible)
To work best, the rescue CDs will need to download the latest malware/virus definitions from the Internet, though if they can’t connect they all (except Trinity Rescue Kit) do have older virus definitions on the CD itself—but those can be too old if your PC was infected recently.
So it’s best if your computer is connected to the Internet so each CD can download the most recent definitions. Unfortunately all the CDs seem to assume an Ethernet connection and don’t really understand connecting wirelessly.
If you’re already online via an Ethernet cable, you’re all set—just leave it plugged in when you boot from each rescue CD.
If you connect through wireless, your PC might still have an Ethernet card; if so, just use an Ethernet cable to connect it to the back of your wireless router. If you need an Ethernet cable you can get one at a computer store like Radio Shack or Best Buy, or online via Amazon, eBay, etc.
If your PC only has a wireless card, you probably won’t be able to get updated malware/virus definition files since none of the CDs seems to work with wireless access. Fortunately most computers still seem to have Ethernet cards so it’s just a question of buying/borrowing a cable to plug into your router.
Start Up from Rescue CDs and Scan/Clean PC
After downloading all the CD image files and burning them to CDs, you’ll need to pick one, put it in the drive, and restart your computer—though you may wish to read the comments on each CD in the next section before/as you start up from it.
Your computer should then start from the rescue CD. If it doesn’t, and instead goes right into Windows like normal, you’ll need to go into your computer’s BIOS and change it so that it first checks the CD drive for an operating system before checking the hard disk where Windows resides.
There are many web pages describing how to change the BIOS boot order in general terms (such as this one), but if those don’t help, you’ll have to search for something like “boot from CD bios Dell Dimension 4500”.
In rare cases you might have to open up your computer and do something like fiddle with jumpers or reset the CMOS. I had to do that with one Compaq system and it wasn’t fun. Hopefully your computer will already be set to boot from its CD drive, or your computer manufacturer won’t make you jump through hoops to set that option.
Note: If you successfully start up from some rescue CDs and then do nothing, they’ll just start the rescue CD program, but for others if you do nothing they’ll go back to the normal Windows boot sequence. So after restarting your PC you should stay until the initial boot selection menu appears because if you walk away right after restarting (to get coffee, snack, etc.), you could come back to find Windows running.
Comments on Running the Rescue CDs
(Note: If you have a USB stick you should plug it in so that the rescue programs can scan it too; malware/viruses can infect USB drives and use the autorun feature to spread to new machines or reinfect yours later; this tactic even worked against U.S. Department of Defense computers in 2008.)
AVG: One of the slower programs (3 hours for 22GB). Don’t bother enabling the macro scanning option because it only tells if any macros are present, not if the macros are actually “bad”. Also if you enable the cookies option, know that “bad” cookies are just a privacy concern and not actually viruses or malware.
Avira: One of the fastest scanners (1 hour for 22GB). Starts up in German, just click the British flag in the corner to change it to English.
Kaspersky: One of the slower programs (5 hours for 22GB), but also caught a lot of things. When it first starts up and gives you the license screen, you’ll have to click somewhere in the text to activate that window, before you can press “A” to accept. Also, the first few times I ran this, I thought it only detected problems and wouldn’t fix them. Finally though I noticed a small pair of “Disinfect all” and “Quarantine” links on the lower left corner of the Detected Threats tab.
Dr. Web: The slowest program (10 hours for 22GB), but it also scanned inside big zip/archive files that other programs just skipped. Note that when shutting down with the “Eject and Shut Down” option, you have to hit F2 to view details in order to see the prompt asking you to press Enter to finish shutting down.
Trinity Rescue Kit: Has ClamAV, F-Prot, BitDefender, Vexira, and Avast; to access these, do nothing at the boot prompt to “Run Trinity Rescue Kit” in default mode, then use the down arrow to select Virus Scanning, hit Enter, then use the down arrow to choose Scan with ClamAV, Scan with F-Prot, etc. Do not choose “Set the Scan Destination” since the default is already correctly set to scan all drives. Also while there is an option to run all the virus scanners at once, when I tried this I got an error, so I tried running them one at a time and it worked fine.
ClamAV (only via Trinity Rescue Kit; requires Internet access via Ethernet): Definitely one of the slower programs (5 hours for 22GB). It’s open source so my guess is that it’s one of the more thorough scanners because many contributors constantly improve its scanning abilities.
Vexira (only via Trinity Rescue Kit; requires Internet access via Ethernet): Reasonably fast (1.5 hours for 22GB), otherwise no comments on this one.
Avast (only via Trinity Rescue Kit; requires Internet access via Ethernet): Reasonably fast (1.75 hours for 22GB). I wasn’t going to include this since it requires a license key, but I decided to because the key is freely available on request. Plus, it’s already on the Trinity Rescue Kit anyway.
F-Prot (standalone or via Trinity Rescue Kit): Reasonably fast (1.25 hours for 22GB). If running from the F-Secure Rescue CD, be careful that when the main program first starts up, it looks like pressing Enter will select the Next option, but in fact the default cursor is on Restart Computer, so you need to use the left arrow once before hitting Enter. Also its shutdown sequence ejected the disk and then just hung, so I had to turn the computer’s power off and on again in order to restart.
BitDefender (standalone or via Trinity Rescue Kit): One of the faster scanners (1 hour for 22GB). At the time of writing, the rescue disk link had two .iso files; bitdefender-rescue-cd.iso gave me an error on booting and rescue_new.iso started up fine. Also, to restart after scanning, click the little dog/bug at the bottom, which is on the same strip as the time, then Log Out.
I’ll also note that when going from one rescue CD to another, the timing is a bit tricky. You have to use the “restart” option on one CD, wait for the system to be pretty much actually shut down, and then just as it powers up again, quickly hit the eject button on your CD drive, get the old CD out, put the next rescue CD in, and then push it in (or hit the button again) and hope you did it fast enough that it gets recognized by the time the BIOS is checking the CD drive for a bootable disc. If you miss the timing, you’ll have to boot into Windows, then do a restart from there before you can boot into the next rescue CD.
If a rescue CD offers an “eject and reboot” option, use it, and as soon as the old one ejects, put the new one in (the old one’s shutdown/reboot sequence will continue running from the computer’s memory).
Use Caution Before Downloading Other Rescue CDs
The rescue CDs listed here are what was available at the time of writing. You may be reading this long afterwards, in which case you’re welcome to search for new/better rescue discs online.
Just be sure to research any companies you’re about to download software from to make sure that they are in fact legitimate companies/software, and not malware masquerading as cleaner tools because that does happen (i.e., you can download a package to disinfect your PC and end up making it worse because you’re actually downloading more malware!).
Do not only judge legitimacy based on how “professional” a company’s website looks; scammers can make pretty sites too, including just copying other companies’ sites. Instead, Google the company name and see what comes up, especially in Wikipedia but also on other sites (and make sure the Wikipedia article doesn’t seem like it was written by the company as an advertisement!).
If you find a page where the software was “reviewed”, was the review done by a well-known independent company (e.g., C|Net, ZDNet, PCMag), or someone you’ve never heard of, so that maybe it was set up by the company itself to look like an independent review?
Also, be sure to only download from domain names associated with the company you just researched. For example, if you researched Foobar Antivirus and articles around the web seemed to say it’s a good company, you’d probably want to download from something at foobar.com or if not, something directly linked from the foobar.com site.
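Checking the domain is half of the job; the other half is confirming that the .iso you actually received is the one the vendor published. Most vendors print an MD5, SHA-1 or SHA-256 checksum on the download page, and a mismatch means the file is corrupted or was substituted somewhere between the vendor and your disc burner. The following is an added example (not from the original post or any vendor) that computes the SHA-256 of a downloaded image and compares it with the published value; the file name and expected hash are placeholders you replace with the real ones.

```powershell
# Added example (not part of the original post): verify a downloaded rescue
# CD image against the checksum the vendor publishes on its own site before
# burning it. Uses .NET directly so it runs on PowerShell 2.0 (Get-FileHash
# did not exist yet). File name and expected hash below are placeholders.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).Path)
    try {
        $bytes = $sha.ComputeHash($stream)   # streams the file; no need to load a 700MB ISO into memory
    } finally {
        $stream.Close()
    }
    # Lower-case hex with no separators, the form vendors usually publish.
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-Download {
    param([string]$Path, [string]$ExpectedSha256)
    $actual = Get-Sha256Hex $Path
    if ($actual -eq $ExpectedSha256.Trim().ToLower()) {
        Write-Host "OK: $Path matches the published SHA-256; safe to burn."
        return $true
    }
    Write-Warning ("MISMATCH for {0}`n  expected {1}`n  got      {2}`nDo not burn it; re-download from the vendor's own domain." -f $Path, $ExpectedSha256, $actual)
    return $false
}

# Placeholder values (assumed, not taken from the post or any vendor page):
Test-Download -Path '.\rescue-cd.iso' -ExpectedSha256 '<hash copied from the vendor download page>'
```

If the vendor only publishes MD5 or SHA-1, swap in `[System.Security.Cryptography.MD5]::Create()` or `SHA1`; those still catch a corrupted download, but only a hash you obtained from the vendor’s own site (over HTTPS where offered) says anything about substitution, since an attacker who can replace the file can usually replace a checksum hosted next to it on a third-party mirror.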
Update Your Windows Service Pack (If Necessary)
If you are running the latest Service Pack for your version of Windows, you can skip this section, but if you determined before that you’re not running the latest Service Pack for your version of Windows, now is the time to update it.
At this point you’ll have cleaned most/all of the malware/viruses from your system with the rescue CDs, but your Windows system still isn’t as secure as it could be against future intrusions because it doesn’t have the security fixes in the latest Service Pack.
The problem is that the Service Pack updates are big downloads, which can take an hour or more depending on connection speed—and during that time, you’ll be vulnerable to infections that exploit security holes fixed in the Service Pack you’re trying to download! This has been compared to running across a battlefield to get a bulletproof vest.
The solution is to download the latest Service Pack on another computer, copy the .exe file to a USB flash drive or burn the .iso file to a CD, disable network access on your PC (by unplugging its Ethernet cable, unplugging your wireless router, or pulling the wireless card out of your PC), then start up the PC and run the Service Pack installation program from the CD/USB drive. This should let you install the latest Service Pack files before reconnecting to the network.
You can get the latest Service Pack installation file from Microsoft, such as by Googling the version of windows and the service pack number (e.g., “Windows XP Service Pack 3”) and then looking for microsoft.com pages in the results.
The only tricky thing is that Microsoft steers you to the Windows Update page so they can automatically update the computer… except that you’ll be doing this on a different computer, not the infected one, and you don’t want to update this different computer, you want to download an installation file that you can run on your infected PC.
For example, when I searched for Windows XP Service Pack 3, the top result was to download a “white paper” about the service pack—not what I needed. This page also said, “In order to download Windows XP SP3 for one computer, you must visit Windows Update at http://update.microsoft.com. For more information, visit http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx“.
As I said, you don’t want to go to Windows Update since you’re downloading the file on a different machine in order to copy it to your previously-infected PC via CD or USB drive.
So instead I went to the second link, http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx, and at the top of that page it again told me to go to Windows Update, but further down the page was a “Manually installing SP3 using the Microsoft Download Center or a CD” section that said, “If you have problems obtaining the service pack from Windows Update, you can download SP3 as a standalone installation package from the Microsoft Download Center website, and then install SP3 manually.”
However, that brought me to a “network installation package” which was “intended for IT professionals and developers downloading and installing on multiple computers on a network”—which I didn’t really think was what I wanted. While I did try to download and run the WindowsXP-KB936929-SP3-x86-ENU.exe file on that page on my PC, I had some kind of error that confirmed my suspicions that the network installation package wasn’t right either.
Ultimately I went with the Windows XP Service Pack 3 – ISO-9660 CD Image File file and then used it to burn a Service Pack 3 CD which worked great. Hopefully, if you’re using Windows Vista or Windows 7 there will be an ISO file you can download and burn also.
Install Other Scanners & Definitions Via Another PC
To be as thorough as possible, there are a handful of other programs and definition files you can download on another computer, copy over to your still-unnetworked PC with a USB drive or CD, install the programs and definitions, and then run to scan your target PC:
With Malwarebytes and Spybot, after installing the main program you just download the definitions update program and run it. After installing Avira, download the vdf update file (vdf_fusebundle.zip), then start Avira, choose Update -> Manual Update, and locate the update file.
(Lavasoft’s Ad-Aware supposedly had an update file you could download and install manually, but I tried multiple times and each time Ad-Aware just hung.)
Install Windows Update and More Scanners
After running the rescue discs, updating your Windows Service Pack (if necessary), and possibly installing additional programs and definitions in the last section, you can finally restore network access to your PC by turning your wireless router back on, plugging your wireless card back in, or reconnecting your Ethernet cable.
The first thing you need to do once you reconnect your PC and start it up is run Windows Update. Usually you can find this somewhere in your Start menu, such as Start -> All Programs -> Windows Update. But if you can’t find it, start Internet Explorer and go to http://update.microsoft.com.
You need to run Windows Update as soon as your PC is online again because more security issues will have been found since the most recent Service Pack was released, and Windows Update applies the fixes for those vulnerabilities. This may require restarting your PC, so each time it downloads updates and suggests a restart, do it and then run Windows Update again, until it says there are no more High Priority / Security updates to download.
Once that’s done you can install more programs to scan your computer for viruses/malware. Remember, not every program can catch everything out there, so if you’re serious about cleaning your computer off as much as possible you should run as many legitimate free programs as you can if your time allows.
So I’d recommend downloading and running the following programs too:
And also the following programs, if you hadn’t installed them and their definitions via another computer as described in the previous section:
Install Long-Term Protection
Additionally, for long-term protection it’s good to have one or more anti-virus programs running at all times (not just for scanning your hard drive every once in a while). This will set up a barrier to new infections by scanning web pages as you visit them, USB drives as you plug them in, files as you download them, programs as you run them, your PC’s memory as it starts up, etc.
Two decent long-term protection programs that are free for personal use (though they would love to get you to upgrade to their premium versions of course!) are:
You should install these for long-term protection and also run their scanners on your computer periodically just like the other programs.
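One more long-term setting worth changing is the USB autorun behaviour mentioned in the rescue CD section: an infected stick relies on Windows launching its autorun.inf when it is plugged in. The following is an added example (not part of the original post) that turns AutoRun off for every drive type through the policy value Microsoft documents for this purpose; it must be run from an administrator prompt.

```powershell
# Added example (not part of the original post): disable AutoRun for all
# drive types so a plugged-in USB stick cannot launch its autorun.inf.
# NoDriveTypeAutoRun is a bitmask of drive types to exclude; 0xFF excludes
# all of them. Windows XP only honours this value for USB drives once
# Microsoft update KB967715 (or a later cumulative update) is installed,
# which Windows Update supplies. Run from an administrator PowerShell prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Read the value back rather than trusting that the write succeeded.
$current = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
"NoDriveTypeAutoRun is now 0x{0:X2}" -f $current
if ($current -ne 0xFF) {
    Write-Warning 'Value is not 0xFF; AutoRun is still enabled for some drive types.'
}
```

The change takes effect after a log-off or reboot. It does not stop you from opening a USB drive yourself in Explorer; it only stops Windows from running whatever the drive’s autorun.inf points at, which is what the 2008 Department of Defense infection and most USB worms depended on.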
Relax (and Pray :))
If you’ve done everything in this guide, you’ve scanned/cleaned your PC with 10 rescue disc programs, updated your PC to the latest Windows Service Pack, installed the latest Windows security updates, and run 8 additional scanner/cleaning programs from within Windows.
While there are no guarantees where viruses and malware are concerned, this is probably about as thorough as you can get with freely available tools, and chances are pretty good that you’ve removed all the viruses and malware that had infected it.
If you found this guide useful please let me know or feel the joy of giving back by sending a donation. And of course if you have any corrections to the links or procedures please let me know too!