Steps to Clean Your Windows Computer
Important Note: Due to the wide variety of malware and the constantly changing tactics employed, completing the steps below does not guarantee your computer will be clean. Additional steps may be required for your specific situation that are beyond the scope of this guide. In some cases the damage done by the compromise may be so extensive that it may be more practical to back up your data and reinstall Windows.
Before you Begin
Before you begin to use this document, take note of the following:
- Faculty, staff or students employed by the University who suspect that the security or privacy of their work-related computing resources has been compromised should follow the Procedure for Responding to a Compromised Computer. This is especially important if the computing resource stores data that the University defines as restricted.
- If your computer is managed by a departmental administrator or DSP consultant, you should refer to them for help with cleaning your computer.
Step 1: Change Passwords
If your computer has been compromised by a malware attack, any passwords you may have typed on this computer should be CHANGED. This is an important precaution since:
- malware may include a keystroke logger which records what you type
- malware may search your computer for saved passwords
- any passwords found may be sent to the people who compromised your computer
Change passwords for your online accounts (e.g. administrative work accounts, Andrew accounts, other email accounts, financial accounts for online banking & credit cards, Facebook, MySpace, Instant Messaging, Netflix, iTunes, etc.).
Step 2: Download, Install and Run Malwarebytes' Anti-Malware
Malwarebytes has developed a tool that can identify and remove malicious software from your computer. Follow these steps to download and install Malwarebytes' Anti-Malware:
- Visit the Malwarebytes web site and click the Download free version button. When the next screen appears, click the Download Now button.
- Once the download is complete, double-click the Malwarebytes icon to run the installer.

- Through the installation process, accept the default responses. When you click Finish, make sure that the options to Update and Launch the software are checked.
- Once Malwarebytes launches and the Malwarebytes' Anti-Malware screen appears, select the Update tab and then click the Check for Updates button.
- Once any updates are loaded, select the Scanner tab, select the Perform quick scan radio button and then click Scan. The scan may take a few minutes.
- When the scan is complete, it will show you all of the potentially harmful files on your computer. Click the Remove Selected button to remove them automatically. Malwarebytes' Anti-Malware creates a log file of the results.
For more detailed information on Malwarebytes' Anti-Malware, visit the following web sites:
Note: More advanced users may also want to download and run ComboFix.
Step 3: Check Your Computer
Walk through some of the processes that had been causing problems and do one of the following:
- if the problems seem to have been corrected, proceed to Step 4: Uninstall AntiVirus
- if the problems HAVE NOT been corrected, chances are that you need to back up whatever files you can, wipe out your hard drive and reinstall your operating system. This can be a lengthy process that is NOT geared to the novice user. For a fee, this service is available through SARCOM via the Computer Sales desk in the University Store.
Step 4: Uninstall/Remove AntiVirus
Malware infections tend to damage antivirus software. Assuming that you were running an antivirus program, follow these steps to uninstall it:
- Select Start > Control Panel.
- Double-click Add/Remove Programs.
- Scroll down through the list until you find the antivirus program (e.g., Symantec AntiVirus, McAfee, etc.), select it, and then click the Remove button.
- Next, verify that the removal worked by following the appropriate steps below:
  - Windows XP:
    - select Start > Control Panel
    - double-click the Security Center icon
    - click the down arrow for Virus Protection
    - if the name of an antivirus software program appears (e.g., Symantec AntiVirus, McAfee, etc.), the removal DID NOT work completely; there may be a fragment of the program left. Make note of the antivirus software name.
  - Windows Vista:
    - start Control Panel
    - double-click the Security icon
    - double-click the Security Center icon
    - click Malware Protection
    - if the name of an antivirus software program appears (e.g., Symantec AntiVirus, McAfee, etc.), the removal DID NOT work completely; there may be a fragment of the program left. Make note of the antivirus software name.
- If removal fails, refer to the following vendor sites for additional help with uninstalling it:
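The same verification can be scripted. The following is an added example, not part of the original guide: a Windows PowerShell script that lists what Security Center and Add/Remove Programs still have registered and reports any entry matching the product you removed. The $Pattern default is a sample value built from the product names mentioned above; the function names are illustrative.

```powershell
# Added example: look for leftovers of an uninstalled antivirus product.
# $Pattern is a sample value; set it to the name of the product you removed.
param([string]$Pattern = 'Symantec|McAfee')

function Get-RegisteredAntivirus {
    # Security Center keeps its antivirus list in WMI. XP and early Vista use
    # root\SecurityCenter; Vista SP1 and later use root\SecurityCenter2.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop |
                Select-Object @{Name = 'Source'; Expression = { $ns }},
                              @{Name = 'Name';   Expression = { $_.displayName }}
        } catch {
            # Namespace does not exist on this Windows version; skip it.
        }
    }
}

function Get-InstalledProgramEntry {
    # Add/Remove Programs is populated from these Uninstall keys. The second
    # path holds 32-bit programs on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{Name = 'Source'; Expression = { 'Add/Remove Programs' }},
                      @{Name = 'Name';   Expression = { $_.DisplayName }}
}

# Combine both sources and keep only entries that match the removed product.
$leftovers = @(@(Get-RegisteredAntivirus) + @(Get-InstalledProgramEntry) |
    Where-Object { $_.Name -match $Pattern })

if ($leftovers.Count -eq 0) {
    "No entries matching '$Pattern' remain."
} else {
    "Removal incomplete; these entries remain:"
    $leftovers | Format-Table Source, Name -AutoSize
}
```

Any name it reports is the one to note before consulting the vendor's removal instructions.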
Step 5: Download, Install Symantec Endpoint Protection
- Download Symantec Endpoint Protection to your desktop.
- Once downloaded, double-click the Symantec icon to run the installer. As you progress through the installation, accept the default responses.

- If Symantec fails to install, repeat the processes in Step 4 to remove any fragments of the program, and then try the install again.
Step 6: Run Live Update
Once Symantec is properly installed, launch the program and click the LiveUpdate button to download the latest virus definition files. For more information, refer to Running Live Update Manually.
Step 7: Boot into Safe Mode
Follow these steps to boot your computer into Safe Mode.
Note: While in Safe Mode, you will only have access to very basic drivers, mouse, monitor, keyboard, etc.
Note: You will be unable to boot into Safe Mode if required Windows system files are corrupted.
- Click Start > Shut Down.
- Select Restart.
- Depending on whether you have multiple operating systems loaded on your computer, follow the appropriate step below:
  - If your computer offers only one operating system, begin tapping the F8 key before your machine reaches the Microsoft Windows display screen.
  - If your computer offers multiple operating systems, select the appropriate operating system from the list, then begin tapping the F8 key.
- Use your up or down arrow keys to select and highlight Safe Mode with Networking. Press Enter.
Note: NUM LOCK must be off before the arrow keys on the numeric keypad will function.
- Select the appropriate operating system. Your computer boots into Safe Mode.
Step 8: Run Symantec Full Scan
- While in Safe Mode, launch Symantec Endpoint Protection.
- Select Scan for Threats and then select Run Full Scan.
- The scanning process begins. The duration of the scan depends on the total size of the files on your computer and may take hours to complete. Once complete, the software will display any problems that it has found and will provide further instructions.
- To exit Safe Mode, restart your computer as you normally would.
Step 9: Enable the Firewall
A firewall restricts network access to your computer. All network data entering or leaving passes through the firewall, which examines each message and blocks those that do not match the specified policies (exceptions). Firewalls can also make your computer "invisible" to the outside world so that it does not become an easy target for a malicious attacker.
Step 10: Verify/Change Passwords
Verify Administrator Password
Verify that an Administrator account and password have been established.
Change Passwords
Change your local Windows user account (password used to log onto your computer) and/or Windows administrator account passwords (password to install software).
For more details, see:
Step 11: Adopt a Backup Procedure
Consider purchasing an external backup drive and doing regular backups. If you have problems in the future, rather than working through all of these cleaning processes, you can restore from backup.
Note: Passwords should ALWAYS be changed if your computer is compromised, even if you just restore from a backup.
Clean? Keep it that way
Once your computer is free from infection, keep it that way!
Last Updated: 8/19/09