Monday, September 27, 2010

Windows XP Security - Cleaning An Infected PC

Every so often I'm asked for advice on PCs, usually running Windows XP and typically running so slowly that the owner is ready to buy a new one. The question then usually comes in one of two flavors: "What computer should I buy?" or "What would you do?". To avoid keeping anyone in suspense, my two answers are "The computer you can afford, which you can test running all the applications you want to use." and "Backup all data, reload an operating system, prevent it from happening again." respectively.


So for those adventurous souls that want to remain on Windows XP and control their own PC destiny, I've decided to write what will likely be an article series on my recommendations for the following Windows XP Security topics: Cleaning an Infected PC; Protecting a Clean PC; Safe PC Usage; Linux Alternatives.


The series will cover malware software issues on marginally running machines. Not software boot errors. Not hardware problems. Not Windows versions other than XP.  Not using tools I personally haven't had some measure of success with.  Let's get started.


Like most who find themselves in their circle of family and friends as the designated "computer expert", I have my own answers to both questions in the first paragraph, using my own set of preferred tools and techniques. While this is not part of my current professional role, in the past I have been part of infrastructure support teams. That experience guides some of my choices but isn't reflected directly in the tools and techniques chosen, mostly because I've chosen to focus on tool availability and comprehension for the "average" Windows PC user. For the same reason, some tools and techniques might not be the choice of the experienced technorati, but they should be well within the grasp of most and still provide good results.


If you're unsure whether this is what you want to do, those with virtually unusable PCs have the following options:


  • Pay a computer tech to fix the problem. The well known Geek Squad charges fees that start at $149 for in-store service. I've personally known friends that have paid close to $300 when everything was said and done. Too expensive for me.
  • Buy a new computer. A decent laptop will still set you back around $600. This is the most expensive option, and does have the advantage of temporarily having a new machine. If the problem machine still exceeds the specs for the applications you need to run, I'd rather make sure it's truly hopeless before going this route.
  • Fix it yourself. Obviously where this article comes in. The financial cost of this route is minimal, limited to a blank CD or two and possibly a USB flash drive. It's likely that most people already own both. The real cost here is time, potentially lots of it.

Realize that in order to save hundreds of dollars in support fees or for a new system, you are becoming your own computer expert. You don't have to be an expert in every computer domain - that's impossible for anyone. You just have to become enough of an expert this one time to fix this one problem. Another thing that is impossible is for this article to contain enough prescriptive advice to cover every situation and every tool usage scenario. As an aside, it's primarily for that reason that I've resisted writing an article like this before now. Therefore, the instructions provided assume some level of computer usage (not support) proficiency and leave it up to the reader to Google specific questions regarding a tool or technique recommended.


Having a cleanly running second computer available to search for information, download utilities, burn CDs and other tasks can make this odyssey a whole lot faster and easier, effectively determining the success of the effort.


Backup Data

Backing up data at this stage, before any changes are attempted, carries the risk of backing up infected files (for example Office documents carrying malicious macros, or an executable that was dropped into My Documents), but do it anyway. If something goes wrong later, it will be worth every second spent. You can always make a second known good backup later, and you should scan this first one with an up-to-date anti-malware tool before restoring anything from it.


  1. Create a bootable CD from a Linux live CD distribution on a working system. Linux Mint is a good choice. Because the live CD runs its own operating system entirely from the CD, nothing installed on the infected hard drive gets to run while you copy.
  2. Boot the suspect system from the CD. You may need to set the boot order in the BIOS of the system to select the CD ahead of the hard drive.
  3. Copy all data to a USB flash drive. 8 GB USB drives can be found on sale for under $20. Booted using Linux Mint, select Menu then Computer. Those who have used copy and paste file operations with Windows Explorer should be comfortable copying directories to the USB device.
  4. Make sure that data for all users is backed up. Look in "C:\Documents and Settings" to see the profiles of each user on the machine. Under each, good starting choices for backup would be "My Documents", "Desktop" and "Favorites". E-mail stores usually live elsewhere in the profile; Outlook keeps its .pst files under "Local Settings\Application Data\Microsoft\Outlook".
  5. Only backup data files such as documents, spreadsheets, presentations, financial, music, photos, etc. Don't backup the actual applications themselves.
  6. Backup your product keys, especially for Microsoft products such as Windows and Office. Product key finders can make this easier. Some applications will list their keys under the menu items Help / About.


Set Limits

Don't skip this step. Even for experienced PC technicians, cleanup can take hours of research, utility execution and experimentation. Professional support teams usually have limits on the time they'll expend investigating unknown problems - some as short as 10 minutes for an unusable machine - then they reimage (reload) the operating system on the machine. It's faster (and more enjoyable) to reconfigure a clean, fast machine once reloaded than to spend more time trying to clean a painfully slow infected one.


Clean Up

Download the tools below on a known good machine. Malware on the infected one may block the downloads, or infect the files as they download and attempt to run, and the performance will likely be terrible anyway - which is why you started this in the first place. Burn them to a CD, not a USB flash drive: a finalized CD-R is read-only, so nothing on the infected machine can tamper with the tools, whereas a flash drive can be written to (and, on XP, autorun-infected) the moment it is plugged in. Boot the suspect machine in Safe Mode with Networking by pressing F8 about once a second after the BIOS splash screen (the first screen of any kind) displays, then choose "Safe Mode with Networking" from the menu. Log in as Administrator, insert the tools CD you just burned, and run or install the tools one at a time, according to the directions on each download site. Some may not run in Safe Mode and will tell you so. It's still best to try there first: Safe Mode loads fewer drivers and autostart programs, which gives the malware fewer chances to load alongside the cleanup tools.


  1. McAfee Stinger - http://vil.nai.com/vil/stinger/  Follow the steps on the download site.
  2. Ad-Aware - http://www.lavasoft.com/  Install the application and all updates. Run a full scan.
  3. Spybot-S&D - http://www.safer-networking.org/en/index.html  Install the application and all updates. Run a full scan.
  4. CCleaner - http://www.ccleaner.com/  Install and run the application. Use the Tools to investigate and Disable any suspected malware that is set to Autostart.  Google Tools you don't recognize by File, initially disabling (vs deleting) ones that are suspect.  Analyze and clean the system with the Cleaner. Scan and clean the Registry.  Reboot after usage.
  5. Malicious Software Removal Tool - http://www.microsoft.com/security/malwareremove/default.aspx  Download and run the tool (it does not need to be installed) and choose a full scan. Note that the tool itself is updated the second Tuesday of every month, with additional threat removal capabilities, so always fetch the current one.
  6. Browser Hijacks - For Internet Explorer, follow the steps at http://www.microsoft.com/security/spyware/browserhijacking.aspx  For Firefox, follow the steps at http://kb.mozillazine.org/Standard_diagnostic_-_Firefox  You may want to have a clean download of Firefox on the CD.

The next set of tools are actually built into the Windows operating system.  No download needed.


  1. Task Manager - Ctrl-Alt-Del, choose Task Manager. Choose the Processes tab, tick "Show processes from all users", and look around. Clicking a column header sorts by that column. Start by Googling "Image Name"s that have high CPU utilization, either constantly or in spikes. Stop any that you believe are malware by right-clicking, then choosing End Process. Choosing the wrong one may destabilize your system. Ending a process only lasts until the next reboot; whatever starts it (an autostart entry or a service - see the CCleaner Tools above and the next item) must be disabled as well, or it will simply come back.
  2. Service Management - Press the Windows Key + R, type services.msc, press ENTER.  Focus initially on items that show Startup Type as Automatic. Google ones you suspect, then Disable by right clicking, selecting Properties... and using the dropdown for Startup Type.
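The two built-in tools above show one process or one service at a time. The script below is an added example, not part of the original post, that pulls the same information together in one list: every entry in the Run/RunOnce registry keys and every service set to Automatic, resolved to the file that actually runs, with where that file lives and whether it carries a valid Authenticode signature. It assumes Windows PowerShell 2.0 is installed on the XP SP3 machine (it is a separate download, not part of XP) and that the prompt was opened as Administrator; the function and variable names are mine.

```powershell
# Added example, not from the original post: triage every autostart entry
# in the Run/RunOnce keys and every service set to Automatic. Assumes
# Windows PowerShell 2.0 is installed on the XP SP3 machine and the prompt
# was opened as Administrator.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty attaches to every result; they are not autostart entries
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\system32\svchost.exe -k netsvcs
# (an unquoted path containing spaces cannot be split reliably; the whole line is returned)
function Get-ExePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"')     { return $Matches[1] }
    if ($cmd -match '^(\S+?\.exe)\b') { return $Matches[1] }
    return $cmd
}

# Where the file lives is a first trust hint: anything a normal user account can
# write to (the profile tree under Documents and Settings, or odd places) comes first
function Get-LocationClass([string]$Path) {
    $profilesRoot = Split-Path -Parent $env:USERPROFILE    # C:\Documents and Settings on XP
    if ($Path -like "$env:SystemRoot\*")   { return 'OS' }
    if ($Path -like "$env:ProgramFiles\*") { return 'ProgramFiles' }
    if ($Path -like "$profilesRoot\*")     { return 'UserProfile' }
    return 'Other'
}

# 'Valid (signer)', 'NotSigned', 'HashMismatch', ... or 'MISSING' when the file is gone.
# PowerShell 2.0 checks embedded signatures only, so catalog-signed Windows files
# under %SystemRoot% also report NotSigned; sigverif.exe can vouch for those.
function Get-SignerStatus([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return 'Valid (' + $sig.SignerCertificate.Subject + ')' }
    return $sig.Status.ToString()
}

function New-Entry($Source, $Name, $Command) {
    $exe = Get-ExePath $Command
    $e = New-Object PSObject
    $e | Add-Member NoteProperty Source    $Source
    $e | Add-Member NoteProperty Name      $Name
    $e | Add-Member NoteProperty Location  (Get-LocationClass $exe)
    $e | Add-Member NoteProperty Signature (Get-SignerStatus $exe)
    $e | Add-Member NoteProperty Exe       $exe
    return $e
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entries += New-Entry $key $p.Name ([string]$p.Value)
    }
}
foreach ($svc in Get-WmiObject Win32_Service -Filter "StartMode='Auto'") {
    $cmd = $svc.PathName
    # Services hosted in svchost.exe all resolve to the same host binary; the code that
    # actually runs is the DLL named in the service's Parameters\ServiceDll value
    if ((Get-ExePath $cmd) -match 'svchost\.exe$') {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $cmd = $dll }
    }
    $entries += New-Entry 'Service' $svc.Name $cmd
}

# Unsigned or missing files outside the Windows directory first, then unsigned OS
# files, then validly signed ones; search by the file name in the Exe column
$rank = { if ($_.Signature -like 'Valid*') { 2 } elseif ($_.Location -eq 'OS') { 1 } else { 0 } }
$entries | Sort-Object $rank, Location, Name |
    Format-Table Source, Name, Location, Signature, Exe -AutoSize -Wrap
```

Read the list the same way the CCleaner and Services steps suggest: an unsigned or missing file in a user profile, Temp or an odd directory is the first thing to Google by file name, and it is disabled (not deleted) until you are sure. A valid signature is not proof of innocence, and the list is only as honest as the machine it runs on; a rootkit that hides registry values or services from Windows' own APIs hides them from this script too, which is what the bootable CDs under Deep Cleaning are for.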

The next tool isn't for downloading and burning to CD, but for running on a machine that is working well enough to reliably bring up a browser and connect to the internet.

  1. Trend Micro Online AV Scan - http://housecall.trendmicro.com/

Deep Cleaning

Can't get the anti-malware programs to launch from the CD? Perhaps a window or splash screen opens momentarily and then goes away? You no longer own your machine: a resident malware component is watching what loads and killing the tools as they start. Seriously think about reformatting the drive and reloading everything. If you're still in the game, these next two bootable CDs may keep you going, since they run from their own operating system and nothing on the infected hard drive gets to load. Focus initially on populating only the anti-malware tools. Be sure to have your original Windows CD handy (BartPE is built from its files). Building these is another task to perform on a clean machine.


  1. BartPE - http://www.nu2.nu/pebuilder/
  2. UBCD - http://www.ultimatebootcd.com/

A good summary of bootable utility CDs is available on LifeHacker.  Another good summary, including using PhotoRec to recover deleted files, is from CGSecurity.

Investigate

These can be used at any time. Check for high CPU utilization, strange file or process names, connections to addresses you don't recognize, listening ports you can't account for, and so on. This is truly deep-dive territory, but remember: "Google is your friend".


  1. Process Explorer - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx  Lists all running processes and open files.
  2. CurrPorts - http://www.nirsoft.net/utils/cports.html  Lists every process that has a network connection open or a port listening, potentially sending out information or waiting for instructions, together with the remote address.
  3. HijackThis - http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html  Lists the registry and file locations from which programs get started or hooked in (Run keys, browser helper objects, hosts file entries, etc.).
  4. WinDirStat - http://download.cnet.com/WinDirStat/3000-2248_4-10614593.html  Graphically displays disk space utilization
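CurrPorts and Process Explorer show the connection-to-process mapping in a GUI; the added example below (not part of the original post) does the same from the command line with tools that are already on the machine, so it can be saved to the tools CD and run even when a download is blocked. It pairs each line of "netstat -ano" with the owning process and its image path, and flags remote addresses outside loopback and private ranges. It assumes Windows PowerShell 2.0 on XP SP3, run from a prompt opened as Administrator so that the image paths of other users' and system processes are readable; the function names are mine.

```powershell
# Added example, not from the original post: pair every socket reported by
# "netstat -ano" with its owning process and image path, and flag remote
# addresses outside loopback and private ranges. Assumes Windows PowerShell 2.0
# on XP SP3, run from a prompt opened as Administrator.

function Test-PrivateAddress([string]$Ip) {
    # Unspecified, wildcard, loopback, RFC 1918, link-local and their IPv6 equivalents
    if ($Ip -eq '0.0.0.0' -or $Ip -eq '*' -or $Ip -eq '::' -or $Ip -eq '::1') { return $true }
    return ($Ip -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|fe80:)')
}

# Strip the port from "1.2.3.4:80", "[::1]:135" or "*:*"
function Get-HostPart([string]$Endpoint) {
    if ($Endpoint -match '^\[(.*)\]') { return $Matches[1] }
    return ($Endpoint -split ':')[0]
}

function Get-SocketOwners {
    # Snapshot of running processes keyed by PID
    $procs = @{}
    foreach ($p in Get-Process) {
        $path = '?'
        try { $path = $p.MainModule.FileName } catch { }   # access denied on some system processes
        $procs[$p.Id] = @{ Name = $p.ProcessName; Path = $path }
    }
    $rows = @()
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID (UDP rows have no State)
    foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' })) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $ownerPid = [int]$f[4] }
        else                 { $state = '';    $ownerPid = [int]$f[3] }
        $owner = $procs[$ownerPid]
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Proto    $f[0]
        $row | Add-Member NoteProperty Local    $f[1]
        $row | Add-Member NoteProperty Remote   $f[2]
        $row | Add-Member NoteProperty State    $state
        $row | Add-Member NoteProperty PID      $ownerPid
        $row | Add-Member NoteProperty Process  $(if ($owner) { $owner.Name } else { '<exited>' })
        $row | Add-Member NoteProperty Path     $(if ($owner) { $owner.Path } else { '?' })
        $row | Add-Member NoteProperty External (-not (Test-PrivateAddress (Get-HostPart $f[2])))
        $rows += $row
    }
    return $rows
}

# Connections to outside addresses first, then listeners; look up unfamiliar
# process names and remote addresses before ending anything
Get-SocketOwners |
    Sort-Object @{ Expression = 'External'; Descending = $true }, State, Process |
    Format-Table Proto, Local, Remote, State, PID, Process, Path -AutoSize -Wrap
```

An ESTABLISHED connection from a process you cannot name, especially one whose Path is under Documents and Settings or Temp, is the row to chase; a process with many connections to addresses on the same port is worth a look even if its name sounds harmless, since malware happily borrows names like svchost.exe. As with any tool that asks Windows for the answer, a rootkit can hide sockets and processes from netstat and Get-Process alike, so disagreement between this list and what CurrPorts or Process Explorer show is itself a finding.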

So in closing, manage your time carefully and consider my original advice: "Backup all data, reload an operating system, prevent it from happening again." Backup was covered in this article, we'll get to the rest later.


Disclaimer - no warranty is expressed or implied by this article.  Proceed at your own risk.  Understand all directions and consequences before using any tools or making any system modifications.  I have no affiliation with any product, service, or retail establishment listed above as they are given for illustration purposes only.


Edit 2010.09.28 - Added specific browser hijack advice.  Clarified a few lines.
Edit 2010.10.04 - Added product key backup.
Edit 2010.10.15 - Added bootable CD links
