Help for Windows users with infected computers

  • 21 August 2014
  • Administrator

I started to write this in a blog post on this site but I decided that the subject matter would be better served as a full-fledged article where you, the reader, could post comments or questions, if wanted.

   This past Tuesday I traveled to one of my relatives' home to check on their 3 computers. All 3 of their computers had issues, but one of them was so infected that I opted to bring it home with me, because I have a small computer lab set up with several pieces of equipment that make it easier to work on PCs. These relatives are avid Windows users and, until I showed them Peach OSI, neither had heard of a Linux system, let alone used one. They are both in their 70's and not very open to change, so many of my standard options were and are limited. This particular computer could not be used at all because of the pop-ups and the resources consumed by the massive number of viruses, trojans, worms, key loggers, malware - well, you get the picture. According to the Windows program Malwarebytes, there were over 8,000 pieces of malware on this one Windows PC. Malwarebytes took just over 2 hours to run to the point that it gave me that information, and then the PC froze up - it was unable to handle all the open windows that the pop-ups had brought to the surface. I've never heard of such an infected computer, let alone seen one, and I've been working on computers for over 40 years. My relative is a retired photographer and, as you can imagine, he had a lot of important images on the infected PC as well as some important documents. In the hope that my experiences with this PC might help someone else, I am writing this article to document the steps I had to take to return this computer to a usable state.

   Upon realizing the severity of the problems that the malware on this PC, an old Dell Optiplex 170L, had caused, I knew that the best solution was to first wipe all the data from the 2 installed hard drives and do a complete reinstall of Windows. But before I could do that I needed to copy all of my relative's "pictures", as he referred to them, to a separate USB hard drive. This was impossible to do inside Windows, as the system was so busy handling all the malware's requests that you could not open a single folder. I had managed to remove a few of the trojans, but I noticed that immediately on boot-up the trojans that I thought I had removed were either still there or something had reinstalled them. So I moved to option 2. I booted Peach OSI from a flash drive on the infected computer. Once in Peach OSI, I accessed the Windows partitions from the hard drive icon on Peach OSI's desktop. Once in the Windows partition, I searched for any files ending with the most common image extensions (jpg, jpeg, tif, bmp, gif, etc.) with Searchmonkey, an application preinstalled in Peach OSI. By the same means I was also able to locate and copy any files with the standard document extensions (.doc, .docx and even .txt, as well as a few others). There were also some music files and some movie files that I copied to the USB hard drive. If you are ever doing this type of search and backup of important files yourself, it is important to make a list of what the PC's owner uses the most. In my case I knew that his most important files had to do with his love of photography. You may not save everything, but for the most part you can save what is most important if you understand what the PC's user does most. Copy only data files: never copy programs, shortcuts, scripts or autorun.inf from an infected disk, and treat the documents you did copy as suspect until they have been scanned, since Office files can carry malicious macros. Once you have what you consider to be the best backup of the user's files, shut down the computer completely and remove the USB hard drive. DO NOT plug this hard drive into any other computer.
We will check the files on the USB hard drive for malware later. I do want to interject here that I noticed a couple of files that I did not place on my USB hard drive. I also noticed a couple of unusual files on the flash drive that I used to boot into Peach OSI. So I cannot stress it strongly enough: DO NOT plug either of the USB devices that were used on the infected PC into another PC until you've followed this article to its conclusion.
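The file salvage described above, done with the standard Linux command-line tools of a live session instead of Searchmonkey, as an added example that is not part of the original article. It assumes the Windows partition is mounted at /mnt/windows and the USB drive at /mnt/usb (both hypothetical paths), copies only the extensions you name, keeps the folder layout, and writes a SHA-256 manifest onto the USB drive. The verify function is for later: once the drive has been scanned for malware, it reports whether every copied file is still intact and whether anything has appeared on the drive that you did not put there, which is exactly the situation with the unexpected files mentioned just above.

```shell
#!/bin/sh
# salvage.sh -- added example, not from the article. Run from a Linux live session
# (Peach OSI or any other) with the Windows partition mounted at SRC and the USB
# drive at DST. Copies only data files of the requested extensions, keeps the
# original folder layout, and writes SALVAGE-MANIFEST.sha256 on the USB drive so
# the copy can be re-checked later, after the drive has been scanned for malware.
# Nothing executable (.exe .dll .scr .lnk .bat .vbs .js, autorun.inf) belongs on
# the extension list: the goal is the owner's data, not the infection.

# salvage SRC DST "ext1 ext2 ..."   -> prints the number of files copied
salvage() {
    src=${1%/}; dst=${2%/}; exts=$3
    manifest="$dst/SALVAGE-MANIFEST.sha256"
    mkdir -p "$dst"
    : > "$manifest"
    for ext in $exts; do
        # -iname: Windows mixes .JPG and .jpg freely
        find "$src" -type f -iname "*.$ext" | while IFS= read -r path; do
            rel=${path#"$src"/}
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$path" "$dst/$rel"            # -p keeps the photo's timestamps
            # hash what was actually written, with a path relative to the USB root
            ( cd "$dst" && sha256sum -- "$rel" ) >> "$manifest"
        done
    done
    wc -l < "$manifest" | tr -d ' '
}

# verify DST -> returns 0 if every copied file is intact and nothing else has
# appeared on the drive; otherwise prints what is wrong and returns 1.
verify() {
    dst=${1%/}; status=0
    tmp=$(mktemp -d)
    if ! ( cd "$dst" && sha256sum -c -- SALVAGE-MANIFEST.sha256 ) >"$tmp/check" 2>&1; then
        grep -v ': OK$' "$tmp/check" || true   # show only the failures
        status=1
    fi
    # any file that is on the drive but not in the manifest was not put there by us
    sed 's/^[0-9a-f]\{64\}  //' "$dst/SALVAGE-MANIFEST.sha256" | sort > "$tmp/listed"
    ( cd "$dst" && find . -type f ! -name SALVAGE-MANIFEST.sha256 ) | sed 's|^\./||' | sort > "$tmp/present"
    extra=$(comm -13 "$tmp/listed" "$tmp/present")
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/unexpected file: /'
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# usage: salvage.sh /mnt/windows /mnt/usb "jpg jpeg tif tiff bmp gif png doc docx txt pdf"
#        salvage.sh /mnt/usb            (later, after the drive has been scanned)
case $# in
    3) salvage "$1" "$2" "$3" ;;
    1) verify "$1" ;;
esac
```

Mount the Windows partition read-only and with noexec (mount -o ro,noexec) so the live session can neither change it nor run anything from it, and never run anything from the USB drive afterwards: the manifest is there to be checked, not trusted.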

   I didn't know where the suspicious files on my USB devices had come from, but from experience I suspected one of two sources: the Windows partitions themselves, or possibly the infected computer's BIOS. Nothing survives in RAM, right? RAM clears itself once the computer is shut down. A RAM drive that seems to keep its contents across a reboot does so only because those contents are saved to disk and reloaded at startup, so RAM is not where the files were hiding. Of the two remaining candidates, the Windows partitions are by far the more likely: malware that spreads through removable media copies itself onto any drive that is plugged in while Windows is running, and the live session had also had those partitions mounted. Firmware implants are rare, but re-flashing the BIOS from the vendor's image is cheap insurance, so that was my first step. I acquired the latest copy of the BIOS for the infected computer, burned it to a CD and re-flashed the infected computer's BIOS. I then made a second flash drive bootable with Peach OSI and booted the computer with the newly installed copy of Peach OSI. I re-opened the Windows partitions and repeated some of the same searches that I had done before, and this time no suspect files turned up on the flash drive. I shut down and rebooted the infected PC with Peach OSI one last time and checked it all again. Next, while booted inside Peach OSI, I ran GParted, a Linux partition manager also pre-installed in Peach OSI. I deleted all the Windows partitions, set each hard drive to a single large partition, formatted each with ext4, and then, still in GParted, deleted those partitions as well so that both hard drives were entirely unallocated space.
The reason for formatting the hard drives to ext4 could be an article in itself, but the short version is this: deleting the NTFS volumes that Windows created, formatting the space as something else and then deleting that as well makes sure that the old partition table, volume boot records and file system metadata are gone before the Windows installer creates new ones, so nothing that had embedded itself in the old Windows volumes is carried over into the new installation. Two cautions. First, deleting and reformatting partitions rewrites only metadata: the old file contents stay on the platters until they are overwritten, so if you want to be certain nothing is left, zero the whole disk (dd from /dev/zero, or shred) instead. Second, repartitioning does not necessarily overwrite the boot code in the very first sector of the disk, which is where an MBR bootkit lives; zeroing at least the first few megabytes of each disk takes care of that for certain.
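Zeroing the disks from the live session, as an added example (my own, not the article's, and not what GParted does). It needs only dd, plus blockdev from util-linux for real block devices; the functions also accept an ordinary file, which is how they can be tried without a spare disk. Both wipe functions are destructive and take the whole disk, such as /dev/sdb (a placeholder; confirm the name with lsblk before running anything).

```shell
#!/bin/sh
# wipe_disk.sh -- added example, not from the article. Deleting or quick-formatting
# partitions in GParted rewrites a few kilobytes of metadata; the old file contents
# and, if the disk carried a bootkit, the boot code in sector 0 can stay exactly
# where they were. These functions overwrite the disk for real.
# DESTRUCTIVE: DEV is a whole disk (e.g. /dev/sdb, a placeholder; confirm the
# name with lsblk), never a partition you still need. Regular files are accepted
# too, which is how the functions can be tried safely.
# Assumed tools: dd, and blockdev (util-linux) for block devices.

MiB=1048576

dev_size() {    # size in bytes of a block device or a regular file
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# wipe_edges DEV [MIB]  -- zero the first and last MIB mebibytes (default 8).
# The head holds the MBR with its boot code, the partition table and the volume
# boot records (the home of MBR bootkits); the tail holds the backup GPT header.
# Fast, and enough to make the old layout and bootloader unrecoverable before
# the Windows installer repartitions the disk.
wipe_edges() {
    dev=$1; n=${2:-8}
    [ -e "$dev" ] || { echo "wipe_edges: no such device: $dev" >&2; return 1; }
    size=$(dev_size "$dev")
    [ "$size" -ge $((2 * n * MiB)) ] || { echo "wipe_edges: device too small" >&2; return 1; }
    dd if=/dev/zero of="$dev" bs=$MiB count="$n" conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$dev" bs=512 count=$((n * MiB / 512)) \
       seek=$((size / 512 - n * MiB / 512)) conv=notrunc 2>/dev/null
    sync
}

# wipe_full DEV -- one pass of zeros over the whole device. Slow on a big disk,
# but the only way the old data blocks themselves go away.
wipe_full() {
    dev=$1
    [ -e "$dev" ] || { echo "wipe_full: no such device: $dev" >&2; return 1; }
    size=$(dev_size "$dev")
    # feed exactly $size zero bytes so a regular file is neither truncated nor grown
    head -c "$size" /dev/zero | dd of="$dev" bs=$MiB conv=notrunc 2>/dev/null
    sync
}

# is_zero DEV SECTOR COUNT -- true if COUNT 512-byte sectors starting at SECTOR are all zero
is_zero() {
    [ "$(dd if="$1" bs=512 skip="$2" count="$3" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')" -eq 0 ]
}

# usage: wipe_disk.sh /dev/sdX [edges|full]
if [ "$#" -ge 1 ]; then
    case ${2:-edges} in
        full) wipe_full "$1" ;;
        *)    wipe_edges "$1" ;;
    esac
fi
```

wipe_edges is the minimum worth doing on a disk that carried an infection; wipe_full is what to run when the old data must really be gone, for instance before the machine or its drives change hands. Afterwards the Windows installer sees a blank disk and creates its own partition table, boot sector and file system.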

   Before shutting down I opened the DVD tray, placed a genuine Windows 7 DVD in it and closed the tray. I rebooted from the DVD and did a complete reinstall of Windows 7. The installation went as normal. After completing the Windows installation I wanted to help my elderly relative never have these sorts of issues again. There are a lot of steps you can take to build a reasonably secure computer environment, but I'm going to keep it to 5 basic steps.

  1. After installing Windows, complete all of the Windows Updates.
  2. Never run any PC in the Windows environment without Virus checking and removal software.
  3. Never run any PC in the Windows environment without Malware checking and removal software.
  4. Never run any PC in the Windows environment without a properly configured “hosts” file.
  5. After completing all of the above, install Peach OSI as an alternative operating system.

 

       Complete all of the Windows Updates

   OK, you now should have a fresh copy of Windows installed. Microsoft releases updates on the second Tuesday of each month, with occasional out-of-cycle fixes in between. During the Windows installation you should have chosen to let Windows update itself, but after a fresh install there will probably be hundreds of updates available for your system. These include bug fixes and security updates, and some of them only become available after others have been installed, so run Windows Update repeatedly, rebooting when asked, until a new check reports that there are no more updates available. Do this from behind a home router rather than with the PC plugged straight into a modem: a fresh, unpatched Windows installation exposed directly to the internet can be attacked before it finishes updating. Afterwards, leave automatic updates turned on and make it a habit to run the update check manually at least once per month. If you don't know how to start it, click the Windows Start button and type Windows Update into the search box at the bottom of the menu; the system will show a clickable link above where you typed. On Windows 8 it is a little different: look under Control Panel > System and Security > Windows Update, or in PC settings from the Settings charm. If you have problems finding Windows Update, contact me and I'll work with your specific issue.

 

       Antivirus Software

   There are a lot of antivirus options for Windows and I'm not going to try to explain why one is better than another. For my own use I choose Avast. The reasons are simple: Avast has a free version, and in my experience it does a good job of blocking viruses before they are installed on your Windows PC. Many products claim to do that, but after 5 years with Avast on my own PCs and on my clients' PCs, I can say that it has reduced the problems I've seen. Feel free to do your own search for the best available antivirus software, read what others say about Avast, and make your own decision; I'm not advocating one over another, just stating my own experience. Whichever one you choose, install it immediately after completing and fully updating the Windows installation, before you install anything else or start browsing. After the installation, let it update its signatures and then run a full scan. Keep it up to date (most products update their signatures automatically, but check that yours actually is doing so), because new threats come out daily, as do the defenses against them. Do this especially if you are working with a machine that has a history of being infected, as was the case with my relative's PC.

 

       Malware Software

   Next I always install anti-malware software. A lot of people think that antivirus software is all you need. That isn't true. There is a whole class of unwanted software (adware, spyware, browser toolbars and other "potentially unwanted programs") that arrives through browsing, email attachments and bundled downloads, that antivirus products have traditionally been reluctant to classify as viruses, trojans or worms, and that is what causes things like pop-ups and tracking of your web usage. It is extremely common on home Windows PCs. I've used many different anti-malware products and I now always use Malwarebytes. It also has a free version, with one limitation you should know about: the free version only scans when you run it, so the weekly scan below is your job, not the program's. In my experience it has held up well against malware that tries to disable the scanner, which matters because some sophisticated malware specifically attacks the very program you are using to find it. I'm not going to say it gives you 100% protection, but you will have a big leg up on the problem. Run whatever anti-malware software you install at least weekly, and at the very least any time your computer does something unexpected. Keep it up to date as well, because new malware comes out daily, as do the defenses against it. If you are working on a computer that has a history of being infected, this scan, after your antivirus check, is your second line of defense. After installing it, update it, run it and let it do its thing, and quarantine or delete anything it finds. In my case, Malwarebytes found nothing unusual on my relative's freshly installed PC.

 

       Configure your “hosts” file in Windows

   This is one that hardly anyone does, simply because they aren't aware of it. The hosts file is a plain text file (on Windows it is C:\Windows\System32\drivers\etc\hosts) that the system consults before asking DNS; each line maps a name to an address. If you point a name at 0.0.0.0 or 127.0.0.1, nothing on the PC can reach that name, which is how a hosts file turns into a blocklist. If you search for "windows hosts file" you will find plenty of guides on editing it (it must be edited as Administrator, and running "ipconfig /flushdns" afterwards makes the change take effect at once), so I won't repeat that here. What I do want to tell you is that by properly configuring your hosts file you can stop your PC from reaching thousands, if not hundreds of thousands, of known undesirable websites: ad and tracking servers, malware download sites and the like. Whenever I am working on a child's Windows PC, or one whose owner has limited knowledge of how dangerous the internet can really be, I always populate the hosts file with a current list of websites their computer is not allowed to visit. If you are working on a computer that has a history of being infected, this one step alone can help to stop a great deal of the problems. Remember, nothing is completely foolproof: a hosts file blocks names, not addresses, and malware that already runs as Administrator can simply rewrite it (hijacking the hosts file is itself a favourite trick). The idea is to limit the possibilities. Two practical notes: a very large hosts file can noticeably slow name lookups on Windows, because the DNS Client service loads the whole file, so take the list from one reputable source rather than merging everything you can find; and some security products treat a rewritten hosts file as a hijack, so you may have to tell yours that the change was yours. In the case of my relative's PC, I populated the hosts file with over 400,000 blocked websites. I got the current list from the internet; with a little searching, you can too.
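A small script for building the hosts file, as an added example that is not part of the original article and does not come from any particular blocklist project. The input format it accepts (0.0.0.0 or 127.0.0.1 followed by a name, or bare names, with # comments and Windows line endings) is what the commonly published lists use; the sample list in its test is constructed, and the list file path is whatever you downloaded. It runs under any POSIX shell, for instance in the Peach OSI live session, and produces a file that you then copy over C:\Windows\System32\drivers\etc\hosts as Administrator.

```shell
#!/bin/sh
# build_hosts.sh -- added example, not from the article. Turns one or more
# downloaded blocklists into a Windows hosts file. Input lines may look like
# "0.0.0.0 host", "127.0.0.1 host" or just "host", with '#' comments, blank
# lines and CR LF line endings. Output: the two localhost lines Windows
# expects, then one "0.0.0.0 host" line per unique host, CR LF terminated.
# 0.0.0.0 is used rather than 127.0.0.1 so that a blocked name fails at once
# instead of making the browser wait on a web server that is not there.
# Assumed: the list file names on the command line; the sample in the test is constructed.

# build_hosts < list  -> hosts file on stdout
build_hosts() {
    printf '127.0.0.1 localhost\r\n::1 localhost\r\n'
    tr -d '\r' \
    | sed 's/#.*//' \
    | awk 'NF { print $NF }' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$' \
    | grep -vE '^[0-9.]+$' \
    | grep -vx 'localhost.localdomain' \
    | sort -u \
    | awk '{ printf "0.0.0.0 %s\r\n", $1 }'
}
# Pipeline, step by step: drop CRs; strip comments; keep the last field of any
# non-empty line (the name, whether or not an address precedes it); lower-case;
# keep only syntactically valid names with at least one dot; drop anything that
# is just digits and dots (a stray address); drop the loopback name; dedupe;
# emit in hosts-file form with Windows line endings.

# count_blocked HOSTS_FILE -> number of blocked names in a finished hosts file
count_blocked() {
    grep -c '^0\.0\.0\.0 ' "$1"
}

# usage: build_hosts.sh list1.txt [list2.txt ...] > hosts
#        then copy hosts over C:\Windows\System32\drivers\etc\hosts (as Administrator)
#        and run: ipconfig /flushdns
if [ "$#" -ge 1 ]; then
    cat -- "$@" | build_hosts
fi
```

Run count_blocked on the result before installing it; if the number runs into the hundreds of thousands, expect the slowdown mentioned above and consider a shorter list.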

 

       Install Peach OSI as a backup operating system for Windows

  I realize that this one won't be as important as the other 4 listed above. To list it as one of the 5 seems a bit self-serving, and I hesitated to do so. But you are on my site reading this, so whatever brought you here can't conclude without my offering you another option, should your Windows PC ever fall victim to the sort of thing my relative's did. You see, I've not only fixed my relative's PC, I've given him a way to do some of the things he normally does in the event that his Windows partitions get trashed again. Not only that, he now has a way to be safer online without all the work it takes to keep a Windows PC from being so - how can I put it - vulnerable. You can do your own search on why Linux is safer online. To me it is all about options for my clients. If my client can get online, check his or her email and do most, if not all, of the things they normally do should Windows get trashed again, then I've done my job. Having that option buys precious time for them and for me; I cannot always come running the moment something major goes wrong. With Peach OSI loaded and ready to go, my client always has options.

 

     Now a little more about the completed repairs to my relative's badly infected PC. Remember I wrote that both my flash drive and my USB hard drive had mysteriously acquired files. I booted the same computer, now with its fresh Windows install, into Safe Mode and ran both Avast and Malwarebytes on both drives. Sure enough, the mysterious files were something that had come from the infected Windows computer. Both Avast and Malwarebytes quarantined them, and I then deleted them from quarantine. I then connected the drives to one of my own computers, ran both Avast and Malwarebytes again, and they found no issues. So next I plugged the USB hard drive into the previously infected computer and copied all the backed-up files into a single folder for my relative to review later. After that - what the hell - I think I'll format both USB devices just to be sure that nothing is left on them that could ever cause me a problem. That's the idea. The guys who create this malware are good, real good, and getting better all the time. Think of it like this. Would you get into your car, blindfold yourself and then attempt to drive somewhere? It's a simple question with only one correct answer. Yet most people turn on their computer every day without the slightest idea of where they are actually going. Like the blindfolded driver, eventually you are going to hit something. Then you are going to ask why. It is because you did not take the time to "see" and become aware of the dangers of surfing blind. Search the web and find out how best to avoid the most common pitfalls. Your computer is not like a TV that you simply turn on and expect to always show whatever channel you select. There are a few things that anyone, at any skill level, can do to protect themselves.
In this article I've given you a few of the basics. If you take the time to do as I have instructed, it will serve you and your PC well.

  I hope that somehow this information helps someone. Feel free to comment below.

Signing off,

Grandpa Carpenter

Comments

It's great you were able to help, but I'm curious. Why not just encourage your relative to switch to Linux? This way they could avoid the problems associated with Windows. If that Dell Optiplex 170L had only 512 MB of RAM or 1 GB of RAM, Lubuntu would be a great choice. I've never used Peach, but Puppy and other distros like Bodhi and Linux Lite don't need a lot of RAM, and you could always make a larger swap partition. This especially might be wise if they have machines running a version of Windows. One of the best ways, in my view, beyond the great tips you provided is to make and use a 'guest' account, which limits what can be installed on a Windows system. You aren't signed in as Admin. Browsers like Firefox and Chrome both offer pop-up protection as well. As for Windows itself, MSFT has announced it will stop offering certain updates for Windows 7. They want to push Windows 8 and the upcoming Windows 9. I find Windows 8 faster and less resource-heavy than 7, and most systems that can run 7 will work better with 8. Personally I prefer Linux over Windows and OS X. In addition to its resistance to on-line problems, it's free. Updates don't take forever as they do with Windows. I enjoyed your tips and thanks for your contribution.

Response by Administrator: Thank you for your comment. This particular relative is 76 years old and he requested that Windows 7 be installed, as he has another PC with Windows 8 and he stated that he didn't like it. As stated in the article, he is a retired photographer with several Windows programs that he is accustomed to using. This is a relative that you don't - how should I say this - tell what is best for him. You listen and do as you're told. Also, he had a stroke about 5 years ago and is not what he used to be. I'll have to leave it at that. I have to travel back to his house tomorrow to return the PC, and I had already planned to try to tell him to boot as a non-administrator when he is simply surfing the web. I too prefer Linux over Windows for my usual internet needs, but I too have to use Windows from time to time, mainly because Windows has such a large following. This particular PC has 2 GB of RAM and has some issues, mainly due to its age. On the new install I gave the system a 3 1/2 GB page file. I try to always allot 1 1/2 times the amount of RAM to the page file. I am recommending that he spend no money on this PC. I give it 12 to 24 months before this PC or one of its hard drives fails altogether.

Just doing an interior maintenance cleaning on this PC took about an hour. The heat sink on the processor had to be removed to be cleaned with a small brush, and I removed all of the drives and the power supply for better access to those items as well as to everything else. I don't think it had ever been cleaned. And here is something that everyone with a PC should consider. Any PC should have the interior cleaned at least once a year, or at the very least it should be checked for cleanliness. If your PC runs in a dusty environment such as a warehouse or manufacturing facility, it should be checked more often. If you have pets, you may want to check the interior of your PC more often as well.

I do thank you for your comment and I'm sure that it will prove useful to the many who read it.

Have a great day,

Grandpa Carpenter