Help! My home PC has been infected by a virus! What do I do now?

What do I do now? How do I get rid of the virus?

The best option is what is referred to as "nuke it from orbit." The reference is from Aliens:

Nuke from Orbit

The idea behind this is that you wipe your hard drive and reinstall your OS. Before you do this, you should make sure you have the following:

  • A way to boot your computer off installation media. This can be in the form of the Install CD that came with your computer, or a DVD you burnt from an ISO file (Windows can be downloaded legally here). Some computers do not have CD-ROM drives anymore. Microsoft provides a tool to convert their ISO files to bootable thumb drives. Do not create the install media on the infected computer.
  • Your Original Windows License Key. This can either be on a sticker on the side of your computer, or you can recover it from your computer using a program like The Magical Jelly Bean Keyfinder (which might contain malware, but it really doesn't matter because you are wiping it all after you get the key anyway), or an official tool supplied with Windows called slmgr.vbs.
  • Drivers. If you don't have a second computer, you are really going to want to have at the minimum video drivers & network card drivers. Everything else can be obtained online after you reinstall.
  • Any files you want to save. You can back them up to a thumb drive for now, and scan them before putting them on your freshly installed machine (see below).

Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?

In theory, it is not always necessary to fully reinstall. In some cases you can clean the virus off the hard drive without a full reinstall. However, in practice it's very hard to know that you have gotten it all, and if you have one virus it is likely you have more. You might succeed in removing the one that causes symptoms (such as ugly ad popups), but the rootkit stealing your password and credit card numbers might go unnoticed.

The only way to kill everything is to wipe the hard drive, so your best option is always to nuke it from orbit. It's the only way to be sure.


I really don't have time to deal with this right now. Is it dangerous to keep using the computer while it is infected?

You may not have time for it right now, but you really don't have time for your email getting hacked and your identity being stolen. It's best to take the time to fix it now and fix it right before the problem gets worse.

While your computer is infected, all your keystrokes might be recorded, your files stolen, and it might even be used as part of a botnet attacking other computers. You do not want this to be going on for longer than necessary.

If you really don't have time to deal with it right now, power down the computer and use another one until you have time to fix it. (Be careful with file transfers from the infected to the uninfected computer, though, so you do not contaminate it.)


I don't have backups of my family photos or my master thesis from before the infection occurred. Is it safe to restore backups made after the infection occurred?

Any backups made after the virus infection occurred could potentially be infected. A lot of the time they are not, but they could be. Since it is very hard to pinpoint exactly when the infection occurred (it may be before you started to notice symptoms), this applies to all backups.

Also, Windows restore points can be corrupted by a virus. It is better to archive copies of your personal files on external or cloud storage.

If you are restoring them from external or cloud storage on a computer that has already been nuked from orbit, make sure you scan all the files you are restoring before you open them. Executable files (such as .exe) can contain viruses, and so can Office documents. However, picture and movie files are likely safe in most cases.


Do I need to worry about peripherals getting infected? Do I need to do anything about my router or other devices on my home network?

Peripherals can be infected. Once you have re-installed your OS you should copy all the files off your thumb drive, scan them with antivirus, format the thumb drive, and restore the files to the thumb drive as needed. Most routers will be fine; however, it is possible for DNS settings to be compromised either through a weak password or malicious use of UPnP. This can easily be resolved by resetting the router to factory defaults. You may also want to configure your DNS settings to either Google DNS or OpenDNS. If you have some type of network attached storage, you should do a full scan of it with antivirus before using any of the files on it.

See Also: Help! My information has been stolen! What do I do now?
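As an added illustration of the restore advice in the answer above (not part of the original answer): a small Python script that sorts a backup folder into the answer's categories, so you know which files need the most care before you open them. The extension lists, function names and sample files are assumptions made for this example, and the check for the Windows program signature `MZ` goes beyond what the answer describes; it is a sorting aid to use alongside the antivirus scan, not in place of it.

```python
import os
import tempfile
from pathlib import Path

# Extension groups are assumptions for this example, following the answer's categories.
EXECUTABLE = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js", ".lnk"}
OFFICE = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".rtf"}
MEDIA = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp4", ".avi", ".mkv", ".mov", ".mp3"}

def classify(path):
    """Return 'executable', 'office', 'media' or 'other' for one backed-up file."""
    path = Path(path)
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(2)
    # Windows programs start with the bytes "MZ" whatever the file is called,
    # so content that looks like a program is flagged even under a picture name.
    if head == b"MZ" or ext in EXECUTABLE:
        return "executable"
    if ext in OFFICE:
        return "office"
    if ext in MEDIA:
        return "media"
    return "other"

def triage(root):
    """Walk a backup folder and group its files by category."""
    report = {"executable": [], "office": [], "media": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            report[classify(full)].append(str(full.relative_to(root)))
    for group in report.values():
        group.sort()
    return report

def build_sample_backup(root):
    """Constructed sample data: tiny stand-in files, not real documents or programs."""
    samples = {
        "thesis.docx": b"PK\x03\x04 constructed",
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed",
        "setup.exe": b"MZ constructed",
        "Photos/family.jpg": b"MZ constructed, program content under a picture name",
        "notes.txt": b"plain text",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for group, names in triage(tmp).items():
            print(f"{group:10} {names}")
```

Run it on the clean, reinstalled machine against the drive holding your backup; anything listed under "executable" is better reinstalled from its original source than restored.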

THIS IS WORKING DRAFT FEEL FREE TO WIKI/EDIT AS NEEDED


I'm sorry to hear you've got a computer virus. Fortunately, thousands of people deal with virus infections daily, and in most cases, the computer and all data can be restored. By following good online practice you can avoid future infections.

There are two main approaches for removing a virus:

  • Use anti-virus software to perform a "deep scan and clean".
  • Wipe and reinstall the computer - colloquially known as "nuke from orbit".

Using anti-virus software is quicker and easier, but has a greater risk that the virus will silently remain and cause problems later. Wiping and reinstalling is recommended for knowledgeable users. It is normally possible to keep all your data while doing this.

Using anti-virus software

If you do not have anti-virus software already there are various free options (e.g. Windows Defender, AVG Free) and many paid options (e.g. Symantec Endpoint Protection, Kaspersky Internet Security).

Make sure the anti-virus software is up-to-date.

You can then run a full scan of your computer. Some AV software calls this a deep scan. If any viruses are found, you will get the option to quarantine the affected file.

Some advanced viruses have the ability to hide from anti-virus software. To cope with this, some AV software has the ability to "scan on boot". The AV runs before Windows starts, and in this mode, the virus is crippled, allowing the AV software to more effectively remove it. Once complete you can boot into Windows as normal. Other AV software allows you to create a boot disk instead of "scan on boot".

The precise instructions for all this depend on your anti-virus software. Consult the manual for further information.

Wipe and reinstall

The basic idea is to copy all your data onto an external hard drive, then reinstall Windows. This will give you a blank - and hopefully uninfected - Windows installation. You will then need to reinstall all your software, restore all your data, and customise the settings you had before.

Before you start, make sure you have installation media and license codes for all your commercial software. If necessary, you can extract a Windows and Office product key from your installation. You can also download disk images from Microsoft - provided you have a product key.

You need to carefully back up all your data onto an external hard drive. It can be difficult to get everything. People often forget their address book and bookmarks. This is a stressful point, because once you start reinstalling Windows, you lose the ability to recover further data. As an alternative, you can buy a new hard disk, and put the old hard disk in a USB enclosure like this.

You then need to reinstall Windows, all your other software, then restore your data and settings.

Avoiding reinfection

You must follow basic security practice:

  • Keep all software up-to-date. Secunia PSI helps you check software is up-to-date.
  • Run anti-virus software, and keep it up-to-date.
  • Enable the firewall (this is on by default in recent Windows versions).

Beyond this, you need to exercise care. It is difficult to explain precisely how to do this, but here is some basic guidance:

  • Be careful where you click.
  • Be especially careful when downloading software. Every exe file you download gets full access to your computer.
  • Take care with removable media. Some viruses have executable files that look like folder icons. But if you click them, you will be infected.
  • Take care with shared drives, which may be on a NAS, or in cloud storage like DropBox.

While your computer had a virus, it is possible that all your passwords have been captured. You should at least change your passwords for online accounts that are important to you, e.g. web mail, social media, online banking. It usually isn't necessary to change low value passwords for forums and e-commerce sites.

It's also possible that credit card numbers have been compromised if you have used them on this computer. I believe this is fairly rare, and changing your cards is a (modest) hassle. Instead, hold on to your cards, keep a close eye on your statements and change the cards if fraud occurs.

If you've followed this through to the end, well done! It is not an easy process, and you will hopefully have recovered from the infection. Take care online - but don't be afraid of your computer.


Honestly, "non-technical users" are typically unaware of the basic conceptual difference between a data "file" and an "application", never mind the minefield of subtleties in the advanced war game between malware and anti-malware experts. The only sane answer is...

  1. Don't panic.
  2. Switch off the PC immediately and disconnect ALL cables and removable batteries.
  3. Go to a trusted PC and change all your online passwords immediately.
  4. Bring your PC (and any and all attached devices including your internet "box") to a competent professional and tell them ...
    • "I think I have a virus, please verify that before continuing"
    • "backup all my user files to DVDs"
    • "wipe EVERYTHING on the devices and install a new operating system on the PC"

If they act like an anti-virus tool will "fix it" instead, they are not professionals; find someone else.