
Basic Steps to Clean Your Windows Computer

Step 1: Verify Symantec AntiVirus is Installed

In most cases, computers are infected by trojans, viruses or worms as a result of opening an e-mail attachment. See Securing Your Computer: General Practices for details. To clean your machine of these infections, follow these steps to determine whether Symantec AntiVirus is installed on your computer and to run the antivirus software.

Note: Carnegie Mellon owns a volume license for Symantec (Norton) AntiVirus which is the licensed, supported and recommended solution for virus protection. Beginning with version 10.0.1, Symantec also guards against Spyware.

  1. In the System tray, look for a gold shield icon.


    Note: If the gold shield does not appear, you may need to click on the left arrow to reveal more icons (see graphic below).


  2. If the Symantec AntiVirus gold shield DOES NOT appear, you must download and install the program from the Portal My Accounts tab before you go any further.

Note: By default, the version of Symantec AntiVirus available from the Carnegie Mellon Web Portal is configured to run Live Update daily at 3 a.m. If you wish to change that time, see the Scheduling Live Updates section of the Symantec AntiVirus document.

Step 2: Boot into Safe Mode & Run Symantec Scan

Follow these steps to boot your computer into Safe Mode and diagnose the problem in a safe environment.

Note: While in Safe Mode, you will only have access to very basic files and drivers, mouse, monitor, keyboard, etc. You will not have access to network connections.

Note: You will be unable to boot into Safe Mode if required Windows system files are corrupted.

  1. Important! Be sure that you have updated the virus definition files before following this procedure; for more information, see Run Live Update.
  2. Click Start > Shut Down.
  3. Select Restart.
  4. Depending on whether you have multiple operating systems loaded on your machine, follow the appropriate step below:
    • If your machine offers only one operating system, begin tapping the F8 key before your machine reaches the Windows display screen.
    • If your machine offers multiple operating systems, select the appropriate operating system from the list, then begin tapping the F8 key.
  5. Use your up or down arrow keys to select and highlight the appropriate safe mode option. Press Enter.
    Note: NUM LOCK must be off before the arrow keys on the numeric keypad will function.
  6. Once you have logged onto Windows in Safe Mode, launch Symantec AntiVirus.
  7. Select Scan to expand the drop down menu, then select Scan Computer.


  8. The scanning process begins. This can take several minutes. Once complete, the software will display any problems that it has found and will provide further instructions.
  9. Restart your computer.

Step 3: Web-Based Scans

Even if you have Symantec AntiVirus running on your computer, there are instances when a Trojan will disable the antivirus software or prevent it from working properly. You should therefore make it a practice to run a free web-based security and virus scan from Symantec.

Note: The web-based scan is only possible if you have internet connectivity. If you have been removed from the campus network, obviously you must take steps to reestablish connectivity before this step is possible.

Step 4: Anti-Hijacking / Anti-Spyware

Download, install, update and run an anti-hijacking or anti-spyware product.

Note: These programs are not supported by the Computing Services Help Center.

Spybot Search & Destroy

Spyware cleaners can detect and remove a multitude of adware files and modules from your computer as well as annoying popup windows. You can download any spyware removal program of your choice, but we recommend Spybot Search and Destroy. To download and install Spybot Search and Destroy, follow the steps in the Run and Update a Spyware Removal Program section of the Securing Your Windows XP Computer document.

Ad-aware
  1. Download Ad-Aware.
  2. After downloading, copy this file into the C:\Program Files\Lavasoft\Ad-Aware SE Personal folder. Overwrite the old file when prompted.
  3. Run Ad-aware.

Step 5: Run Process Explorer 

  1. Download Process Explorer.
  2. Run the program. Once the results are listed, sort the processes by Company Name.
  3. Review the list carefully and kill any processes that DO NOT have a company name WITH THESE EXCEPTIONS: DPCs, Interrupts, System, System Idle Process. If you're not sure which processes should be running, you can compare your list to the following Task Manager list from a clean Windows XP computer OR review your list with a system engineer.
    [Figure: Task Manager process list from a clean Windows XP computer]
  4. Once you're sure of which processes you need to kill, right-click the process and select Kill Process from the drop-down menu. 

Step 6: Verify the Computer is Clean

Once you've successfully run the anti-hijacking / anti-spyware program, you should verify that the software on your computer is indeed software that you installed. Malicious attackers and unscrupulous websites often install "legitimate" spyware/adware software, and because the server software is legitimate it will not show up in a virus scan.

Follow these steps to remove unwanted software:

  1. Select Start > Control Panel > Add or Remove Programs.
  2. Search the list for software that you did not install.

    Note: Look for items such as Toolbar Software, Casino Software, Rebate Software and Shopping Software. The illustration below shows some circled software that will cause random pop-up windows, user tracking, slowdowns, lockups and other problems. While this problematic software can be uninstalled here, to ensure it's fully removed you will need to run Adware and Spyware removal software as outlined above.


  3. Look for listening and connected ports on your machine. A listening port or connected port indicates your machine is connected, or awaiting a connection, to an external computer. Follow these steps:
  4. Download and install the Active Ports program (do NOT run the program; proceed to the following step).
  5. Close ALL programs that may use a network or Internet connection. This includes web browsers, e-mail programs, chat programs and file sharing programs.
  6. Run the Active Ports program.
  7. If you notice an established connection to other machines even when your browser and e-mail programs are closed, your computer could still be compromised. Contact the Help Center for further advice.

Note: If your computer has been removed from the network, connections may not display until your connectivity has been restored. We strongly recommend that you run this program again AFTER connectivity has been restored.

In the example below, the computer indicates NO active connections and no hidden programs that are establishing connections to other computers.

In the example below, this computer indicates an active connection to "Unknown". In this case, the user should run further removal software to determine what is on the computer.
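
The same review can be scripted against the output of Windows' built-in `netstat -ano` command instead of reading the Active Ports window. The Python below is an added example, not part of the original document; the sample output, addresses and PIDs are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -ano` sample, all network programs closed (made-up PIDs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     1500
  TCP    192.168.1.20:1042      203.0.113.45:6667      ESTABLISHED     1820
  TCP    192.168.1.20:1050      198.51.100.7:80        TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1900           *:*                                    1120
"""

def split_endpoint(text):
    # 'host:port' or '[v6]:port' -> (host, port)
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # '*' or a hostname: not provably local

def parse_netstat(output):
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column: Proto, Local, Foreign, PID.
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": split_endpoint(parts[1]),
                     "remote": split_endpoint(parts[2]), "state": state,
                     "pid": int(parts[-1])})
    return rows

def review(rows):
    # Ports awaiting a connection from other machines (TCP LISTENING, bound UDP).
    awaiting = [r for r in rows if not is_loopback(r["local"][0])
                and (r["state"] == "LISTENING" or r["proto"] == "UDP")]
    # Live connections to another host; none are expected with everything closed.
    connected = [r for r in rows if r["state"] == "ESTABLISHED"
                 and not is_loopback(r["remote"][0])]
    return awaiting, connected

if __name__ == "__main__":
    for r in sum(review(parse_netstat(SAMPLE)), []):
        print(r["state"] or r["proto"], r["local"], r["remote"], "pid", r["pid"])
```

The PID in each flagged row can be matched to a process name in Process Explorer from Step 5. Loopback-only connections are excluded because they never leave the machine.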

Step 7: Enable the Firewall

A firewall is a system designed to reinforce the security of the data flowing between two networks, the internal network and the outside network, such as the Internet. All messages entering or leaving pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls can also make your computer "invisible" to the outside world so that it doesn't become an easy target for a malicious attacker.

To enable Windows firewall on Windows XP follow the steps in the Configure Windows Firewall section of the Securing Your Windows XP Computer document.

Step 8: Establish Passwords

After your computer has been cleaned, you should change passwords on the computer and verify that an Administrator account and password have been established. For instructions, follow the steps in the Secure Your Accounts and Passwords section of the Securing Your Windows XP Computer document.


Clean? Keep it that way

Once your computer is free from infection, keep it that way by following the steps provided in the Securing Your Windows XP Computer document.

Last Updated: 02/12/08