Dealing with an Infection

Published: July 10, 2007

In any organization, malicious software is an ever present threat. This section of the guide assumes that you have good reason to believe that an infection is present in your computer or other computers in your organization. You can use the 4-stage process that this section describes to help determine the nature of the problem, limit its spread, remove it using free malware-scanning tools from Microsoft and other third-party sources, verify that the malware is removed, and proceed with next steps as required.

Due to the changing nature of malware, no single antivirus or antispyware solution can guarantee protection against all attacks. If, after following the stages in this section, you need more help with malware-related issues, contact Microsoft Product Support Services.

Stage 1: Initiate Your Response

As soon as you arrive at the computer that has the malware problem, if you cannot run antivirus software on it, disconnect the computer from the network (so the infection cannot spread further), turn it off, and go directly to "Stage 3: Run an Offline Scan Using the Kit."

Gather information. If possible, gather answers from the user who discovered the problem by asking the following questions:

  • What happened when the problem started?
  • How was the computer being used just prior to the problem?
  • What (if anything) did the local antivirus program report?
  • Does the computer contain any important data that is not backed up?
  • What Web sites did the system recently visit?
  • Are there processes running on the computer that are different from the standard processes?

After you have gathered as much information as you can about the infection, the next stage is to start the cleaning process.

 Note   It can be very helpful to obtain a list of suspicious process or file names that you can then research on the Internet to determine if they are malware.
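The questions above are what a first responder asks; the following Windows PowerShell script, added here as an example and not part of the Starter Kit or its tooling, records the answers a machine can give for itself before it is powered off: every running process with its image path, Authenticode status and SHA-256 hash (the names and hashes you then research on the Internet), the classic Run/RunOnce autostart entries, and the current network connections. It assumes an elevated prompt and Windows PowerShell 4.0 or later (for Get-FileHash); the output folder name and the "lead" heuristics are choices made for this example.

```powershell
# Stage 1 triage snapshot. Added example, not the Starter Kit's own tooling.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) running from an elevated prompt.
$out = Join-Path $env:USERPROFILE ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out | Out-Null

# 1. Every process that has an image on disk: path, Authenticode status, SHA-256.
#    Processes whose image path cannot be read (System, protected processes) are skipped.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        Pid       = $_.Id
        Name      = $_.ProcessName
        Path      = $_.Path
        Signature = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = (Get-FileHash -Algorithm SHA256 -Path $_.Path).Hash
    }
}
$procs | Export-Csv -NoTypeInformation -Path (Join-Path $out 'processes.csv')

# 2. Heuristic leads (this example's choice, not a verdict): images that are not
#    validly signed, or that run from user-writable profile/temp locations.
$userDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }
$leads = foreach ($p in $procs) {
    $fromUserDir = $false
    foreach ($d in $userDirs) { if ($p.Path -like "$d\*") { $fromUserDir = $true } }
    if ($p.Signature -ne 'Valid' -or $fromUserDir) { $p }
}
$leads | Format-Table Pid, Name, Signature, Path -AutoSize

# 3. Autostart entries in the Run/RunOnce keys, per machine and per user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # drop the registry provider's metadata
        foreach ($prop in $props) { "{0}`t{1}`t{2}" -f $k, $prop.Name, $prop.Value }
    }
}
$autoruns | Set-Content -Path (Join-Path $out 'autoruns.txt')

# 4. Live network connections with owning process IDs, to match against processes.csv.
netstat -ano | Set-Content -Path (Join-Path $out 'netstat.txt')

"Triage data written to $out"
```

Copy the output folder to removable media before turning the computer off; once the machine is started from the offline kit this information is no longer available, and the hashes in processes.csv are what you look up when researching suspicious names.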

Stage 2: Scan the Computer for Malware

Use the following steps in the prescribed order to make the most effective use of the anti-malware software installed on the computer, and to run online and offline scans for malware:

  1. Run antivirus and antispyware software on the computer.
  2. Run an online scan tool.
  3. Run an online scan tool using the networked option in safe mode.

Step 1: Run Antivirus and Antispyware Software on the Computer

The method for launching a full scan of a computer for virus infections depends on the antivirus application. Check the program’s Help resources to learn how to conduct a full virus scan.

Scanning for spyware is similar to scanning for viruses. Your computer should have real-time spyware-scanning software running on it. Windows Defender is available free of charge for computers running Windows XP. If you are running Windows Vista, Windows Defender is included with the operating system. To launch Windows Defender, click Start, click All Programs, click Windows Defender to open the program, and then click Scan. Allow the program to perform a full scan.

For more information about how Windows Defender works, see the Windows Defender Technical Overview on TechNet.

Step 2: Run an Online Scan Tool

Run an online scan, using a tool such as the Windows Live OneCare safety scanner, to ensure that the computer has been checked against the latest antivirus and antispyware signatures, as well as other potentially unwanted software.

Other online scan software providers include:

In addition, several online tools provide specialty scanning; VirusTotal, for example, checks an individual file you upload against many antivirus engines at once.

Step 3: Run an Online Scan Tool Using the Networked Option in Safe Mode

After completing an online scan, if you still suspect that malware is present on the computer, restart your computer in safe mode, and run the online scan again. After completing another online scan in safe mode, you can use offline scanning tools such as those that the guidance recommends using with this kit.
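For Steps 1 and 3 above, here is an added example (not from the Starter Kit) of driving both from the command line on Windows Vista: Windows Defender's full scan is started with MpCmdRun.exe, and safe mode with networking is set and cleared with bcdedit. Windows Defender's scanning service is not guaranteed to be available in safe mode, so the scan function is meant for Step 1 in a normal boot; in safe mode you run the online scan tool in the browser as Step 3 describes. Windows XP keeps the equivalent boot setting in boot.ini (/safeboot:network, or the msconfig Boot tab) and has no bcdedit, so the safe-mode functions are Vista-only. The function names are this example's own; the MpCmdRun.exe switches are those documented for the tool. Run from an elevated prompt.

```powershell
# Added example, not part of the Starter Kit. Windows Vista, elevated prompt.

function Invoke-DefenderFullScan {
    # Step 1: update definitions, then run a full scan, from the command line.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mpcmd)) { throw "MpCmdRun.exe not found at $mpcmd" }
    & $mpcmd -SignatureUpdate
    & $mpcmd -Scan -ScanType 2          # ScanType 2 = full scan
    return $LASTEXITCODE                # 0 = nothing found; otherwise read the tool's output
}

function Enter-SafeModeWithNetworking {
    # Step 3: the "network" option keeps the network available for the online scan tool.
    bcdedit /set "{current}" safeboot network
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not set safeboot (not elevated?)" }
    Restart-Computer -Force
}

function Exit-SafeMode {
    # Clear the flag; otherwise the machine keeps booting into safe mode.
    bcdedit /deletevalue "{current}" safeboot
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not clear safeboot" }
}

# Typical sequence:
#   $rc = Invoke-DefenderFullScan       # Step 1, normal boot
#   Enter-SafeModeWithNetworking        # Step 3, machine reboots into safe mode
#   ... log on, run the online scan tool in the browser, then:
#   Exit-SafeMode; Restart-Computer -Force
```

Check that Exit-SafeMode actually ran before moving on to the offline scan; a machine left with the safeboot flag set boots into safe mode indefinitely, which is easy to mistake for a further symptom of infection.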

For more information about how to start your computer in safe mode, see:

Stage 3: Run an Offline Scan Using the Kit

To use the Malware Removal Starter Kit, you start the computer from the CD-ROM, and then use offline scanning tools to repair the primary hard disk drive while it is "offline." In this way, the hard disk drive is used neither to start the computer nor to run the scan. Running an online scan requires you to start the computer through its normal boot sequence, which loads files from the computer's hard disk drive that the operating system then locks. Accessing and removing malware that has altered or corrupted these normally locked system files requires an offline process like the one this guidance prescribes.

 Important   You cannot scan a disk for malware offline if it has been encrypted with a tool such as BitLocker™, if it is managed as part of a RAID volume, or if it is damaged. In these cases, or if you are unsure of the state of the disk, consult a specialist to determine its state before proceeding.

Due to the ever-changing nature of malware, no process can be considered 100 percent effective for cleaning malware from a computer. The process described in the section, "Prepare a Kit for Offline Scanning," has been tested at Microsoft and should be considered a best effort solution. The tasks in the "Planning Your Response" section of this guidance provide instructions about how to create a Windows PE kit that uses free tools you can obtain online so that you can scan for malware on computers running Windows XP SP2 or Windows Vista in your organization.

Stage 4: Next Steps

If, after using the guidance in this kit, malware appears to still be compromising the computer, you may choose to use System Restore to return the computer to a known good state. System Restore takes a "snapshot" of critical system files and some program files, and saves this information at a Restore Point on the computer's hard disk drive. You can then use the Restore Point to return the operating system to a previous state. Because Restore Points are stored on the same hard disk drive, malware that is still active may have deleted or altered them, and a Restore Point taken after the infection began can reintroduce it, so choose a point that predates the problem and scan again afterwards. For more information about System Restore, see the following resources:

If, at this point, the computer still shows signs of malicious software-related issues, you have two options:

  • Get specialized help.
  • Rebuild the computer.

If the malicious software has managed to avoid the malware-scanning capabilities of the Windows PE kit that this guide prescribes, it is very likely that you will need to seek specialized help to remove the malware. Because specialized help is likely to require time and money, a quicker and cheaper option is usually to delete the files on the hard drive of the computer, and then reinstall the operating system and software programs.

If you choose to rebuild the computer, ensure that you only use trusted media for that process. If the computer holds important data that is not backed up (see the questions in Stage 1), copy that data off first and scan it before restoring it to the rebuilt system. Rebuild the computer, and ensure that all updates and antivirus software are applied before bringing it back onto the network, in case the malware is still propagating.
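For the System Restore option described at the start of this stage, the following Windows PowerShell script is an added example (not from the Starter Kit) that picks the newest Restore Point created before the time the user first noticed the problem, which is the date gathered in Stage 1, and restores it with the built-in Restore-Computer cmdlet. It assumes an elevated Windows PowerShell 3.0 or later prompt on a client edition of Windows; the $noticed value and the function name are constructed for this example.

```powershell
# Added example, not part of the Starter Kit. Elevated Windows PowerShell 3.0+.

function Select-RestorePointBefore {
    param([datetime]$Before)
    # Get-ComputerRestorePoint returns WMI SystemRestore objects; CreationTime is a
    # DMTF date string (yyyyMMddHHmmss.ffffff+zzz), so convert it before comparing.
    Get-ComputerRestorePoint |
        ForEach-Object {
            $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            $_ | Add-Member -NotePropertyName Created -NotePropertyValue $created -PassThru
        } |
        Where-Object { $_.Created -lt $Before } |   # only points that predate the infection
        Sort-Object Created -Descending |
        Select-Object -First 1
}

$noticed = Get-Date '2007-07-09 14:00'    # constructed: when the user first saw the problem
$rp = Select-RestorePointBefore -Before $noticed

if (-not $rp) {
    Write-Warning "No Restore Point predates $noticed; System Restore cannot help here."
} else {
    "Restoring to #{0} ({1}): {2}" -f $rp.SequenceNumber, $rp.Created, $rp.Description
    # Restore-Computer reboots the machine; the confirmation prompt is deliberate.
    Restore-Computer -RestorePoint $rp.SequenceNumber -Confirm
}
```

When no Restore Point predates the infection, or the list is empty because the malware cleared it, the remaining options are the two listed above: specialized help or a rebuild.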
