Viruses: Zero-Hour Defense
Sooner or later it happens. You accidentally click on a link you didn't mean to open, install the wrong application from a misleading ad on a download page, respond to a phishing email, or navigate to a trusted website only to find that it's been hacked. Should your computer ever contract a virus, you can use the following steps as a guideline for recovery. I've included actions to take the moment an attack occurs. Of course, malware doesn't always make itself obvious once it's installed, but these steps can still be applied.
- Immediately disconnect from the internet. Do this either by physically unplugging your computer's Ethernet or modem cable, or manually switching off wireless. Why? Some viruses rely on an internet connection to actively patch themselves in order to prevent anti-virus software from detecting and neutralizing them, or to download more viruses. Also, your sensitive information may be surreptitiously relayed to an unknown web server unless the connection is terminated.
- Safely remove any mounted external storage devices and isolate them. This includes external hard disk drives and flash drives, specifically your backup drive. Do this at your earliest opportunity, as any mounted storage media will be vulnerable to infection by some viruses. Resist the temptation to yank out the data connector without first glancing at the drive activity light to see if it is flashing; abruptly terminating a connection during active data exchange is risky as this can sometimes result in irreversible data corruption.
- Keep your cool. Once the virus has loaded itself into memory, all of your system's resources may be temporarily hijacked until the virus has run its initial course. Your browser may be inundated with pop-ups and redirects. Strange icons and messages may start to appear on your desktop and in your system tray. Your anti-virus and Windows security programs may become inactive and errors may start showing up. You may be unable to perform any tasks, much less move your mouse cursor, while important personal or system files are being altered, corrupted or deleted. You could try cutting the power, but you run the risk of corrupting key system files needed for even basic operation of your computer. Relax, breathe deeply, and wait for the storm to pass and control of the system to return. If you can, close all browsers and windows (See CLOSING THE POP-UP).
- Do not shut down or restart your computer at this point. There is a common misconception that one should immediately reboot a Windows computer into Safe mode in order to properly disinfect it. Do not change the state of your system if you have not already done so. Depending on the nature of the infection and the heuristics used by anti-virus software, detection and removal can sometimes be more successful while Windows is still running all processes under the current instance of Normal mode. This applies especially to malware with complex or insufficiently documented signatures like kernel-mode rootkits and zero-day viruses. Under the current instance of Normal mode, anti-virus software can analyze more "forensic" evidence and interactive file behavior than would otherwise be available from the minimal set of processes running on a system rebooted into Safe mode. Moreover, rebooting permits potentially corrupted versions of core system files, registry root keys, executable files and drivers to take full effect, making it more difficult to isolate and remove the infection and to repair the damage incurred. Reboot only when asked to do so by virus removal software. You can always reboot into Safe mode later if needed.
- Back up important personal files. Repairing an infected computer usually involves some risk to your personal files and to the integrity of your operating system. Unless you've already set up scheduled backups, copy any important personal files (including email client files) onto a fresh storage medium and keep it isolated. Do NOT save your files to your regular backup drive if it already holds a useful copy. Although it is unlikely that your documents, photos, videos or sound files themselves have been affected by the virus, simply mounting a backup or thumb drive onto an already infected system renders it susceptible to contamination.
- Thoroughly scan your computer for malware and remove it. Using a different computer, you can download several free virus removal tools such as Malwarebytes, Malwarebytes Chameleon (requires a brief internet connection to install and update), Norton Antivirus, SUPERAntiSpyware, and the offline version of Avast Free Antivirus onto a USB drive or CD and run them on your system. Again, keep any re-writable drives you connect to your infected computer isolated. Try installing and running these programs to detect viruses in Safe mode ONLY if they are prevented from doing so under the current instance of Normal mode. If you encounter any rootkits, remove them first and reboot if necessary. Some particularly stubborn malware may need to be removed manually. If you cannot remove the infection, you can always load a backup or call an IT professional. If you decide to load a backup, be very careful. Verify first that it still works* and that it is free of viruses (use a different computer for this, if necessary), then manually wipe the infected drive before loading the backup** (assuming the backup is a complete system image; otherwise you'll need to reinstall the operating system before restoring your files). You can use something like Darik's Boot and Nuke to do this. Newer computers often feature a built-in factory image restore option to recover your operating system, in which case the drive should NOT be manually wiped.
- Recover your files and settings. You may need to repair system files and reconfigure operating system and browser settings that have been altered by the virus. This is a necessary and time-consuming process which is often overlooked. Only AFTER doing this will it be safe to scan and recover the files you copied earlier; otherwise your system may still be vulnerable to reinfection. Please note that it is difficult to guarantee that all traces of an infection have been removed short of a clean re-installation of your operating system.***
- Change your passwords. You may want to be proactive and change the passwords for your computer and all of your online accounts as soon as possible, then monitor them for any suspicious activity. Do this even if you haven't accessed these accounts during the infection, in case the virus has read unencrypted sensitive information such as data in memory, office documents, and cookies or browser files with stored passwords.
*Verification should be performed at the time of backup. Always use the option to do so if it is available.
**This may seem like overkill since you might expect any malicious code on the drive to be overwritten by the restored files and the newly installed OS to simply ignore it, but this is not always the case. Any executable code still present on the drive could inadvertently be "revived", for example, through file recovery software. Also, the backup software itself, in order to perform the data exchange, essentially creates a temporary channel of communication (by proxy) between your infected system and the backup. It is for this reason that backups should never be restored directly onto a "live" infected system.
***In some instances of severe infection, for example, those caused by trojans and rootkits, system file damage can be so extensive that it becomes necessary to reinstall the operating system in order to return it to its normal state.
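The "verify at the time of backup" advice above, and the earlier step of copying personal files to a fresh medium, can be made concrete with a hash manifest: record a SHA-256 of every file when the backup is made, keep the manifest on a separate medium, and compare against it before trusting the copy. This is an added example, not code from the original article; the file names and contents are constructed, and the functions `write_manifest` and `verify_backup` are this example's own.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large videos/photos don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _hash_tree(root: Path) -> dict:
    # Keys are forward-slash relative paths so a manifest made on Windows verifies on Linux too.
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(root: Path, manifest: Path) -> dict:
    """Hash every file under `root` at backup time and record it in `manifest`."""
    entries = _hash_tree(root)
    manifest.write_text(json.dumps(entries, indent=1))
    return entries

def verify_backup(root: Path, manifest: Path) -> dict:
    """Compare the backup against its manifest. Any 'modified', 'missing' or 'extra'
    entry means the copy has changed since it was made and should not be trusted as-is."""
    expected = json.loads(manifest.read_text())
    found = _hash_tree(root)
    return {
        "ok": sorted(k for k in expected if found.get(k) == expected[k]),
        "modified": sorted(k for k in expected if k in found and found[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in found),
        "extra": sorted(k for k in found if k not in expected),
    }

def demo() -> dict:
    """Constructed scenario: two files are backed up, then one is altered and one appears."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "thesis.docx").write_bytes(b"original thesis text")
        (backup / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        manifest = Path(tmp) / "manifest.json"  # in practice: a different drive than the backup
        write_manifest(backup, manifest)
        (backup / "docs" / "thesis.docx").write_bytes(b"original thesis text, altered later")
        (backup / "unexpected.exe").write_bytes(b"placeholder: file not present at backup time")
        return verify_backup(backup, manifest)
```

Keeping the manifest off the backup drive matters because a compromised machine that can rewrite the backup can rewrite a manifest stored beside it just as easily.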