How to clean your PC after a virus infection
Table of contents
2. What you should not do
2.1. Use a removal tool
2.2. Continue using the infected PC
3. Destroy no evidence you might need
4. Remove network connection
5. Boot from a rescue system
6. Backup personal data
7. Wipe the hard drives
8. Reinstall the operating system
9. Update the operating system
10. Configure the operating system
11. Install and update applications
12. Restore data
13. The day after
13.1. Data could have been leaked
13.2. Think about your backup strategy
13.3. Check security
Shut down your computer immediately and do not use the installed operating system anymore!
As soon as the computer is off, no further damage can occur and you have the time to plan your next actions.
Do not use a program which promises to clean the infected PC without reinstallation. These removal tools cannot work reliably. You'll be playing Russian roulette.
You must assume that the PC is not under your control anymore. As long as the operating system is running, the virus can cause additional harm. If the PC is connected to the internet, other people might be harmed by it as well.
If you don't have a second computer for the necessary preparation steps (and for reading this document), try to borrow one, or grab a six-pack and ask your friendly neighbour or a colleague.
If you want to inform the police or an insurance company, you must now start with securing the evidence. It's best if you consult a specialised lawyer about this. They will tell you what to do.
In that case: Do not proceed with these instructions.
Proceeding beyond this point will destroy all evidence that your computer has been infected! Continue only if you do not need it anymore.
Also, if you want to make an internal security analysis to find out how this infection could happen, you should now make a full backup of the infected system. This is not covered by this document, however, because it addresses normal and perhaps inexperienced home users. People who need a security analysis don't need me to tell them how to do it.
To be safe, remove all network cabling from your PC. Keep it away from the internet or any other untrusted networks until this article explicitly instructs you to do otherwise!
Get yourself a clean Linux-based rescue system which can start from CD or a USB flash drive (e.g. Knoppix or the System Rescue CD). The exact steps to create a bootable medium can be found in the documentation of the product you chose.
Create such a bootable medium and boot the infected PC from it.
If you do not have an up-to-date backup of your personal files, mount the hard drives of your PC and copy all files that you still need to a backup storage, such as a USB flash drive. Then unmount the partitions and remove the backup device.
Overwrite all hard drives completely with zeros. The command:
# fdisk -l
will show you their device names (e.g. /dev/sda, /dev/sdb, etc., or maybe /dev/hda, /dev/hdb, etc.). Any number you might see after the name refers to a partition on that drive. Be aware that if you booted from a USB flash drive, it will show up as a hard disk, too. By looking at data like size and number of partitions, it should be easy to determine which hard disk is which.
The following command will delete all data on the hard drive it is used on! If you still need to back up something, do so now! After this, the files are irretrievably lost.
For each of these hard drives now type:
# dd if=/dev/zero of=/dev/sda
and replace "/dev/sda" with each of the device names you determined above. The command will completely overwrite the disk and delete everything on it, including the boot sector and any boot sector viruses. Depending on the size of the disk, this can take quite a while and you will get no visual feedback. Don't let that confuse you, just keep waiting.
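Picking the right device names out of the `fdisk -l` listing is the step where a mistake destroys either the wrong disk or your rescue medium, so here is an added helper script (not part of the original article) that reads that listing, drops the drive you booted from, and only prints the `dd` commands for review instead of running them. The `fdisk -l` output below is constructed sample data; the `bs=4M status=progress` options are my additions and give the progress feedback the plain command lacks.

```bash
#!/bin/sh
# Constructed sample of `fdisk -l` output: two internal drives, a 16 GB USB
# stick the rescue system was booted from, and a loop device from the live CD.
SAMPLE_FDISK='Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Disk /dev/sdb: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Disk /dev/sdc: 14.9 GiB, 16008609792 bytes, 31266816 sectors
Disk /dev/loop0: 700 MiB, 734003200 bytes, 1433600 sectors'

# Read `fdisk -l` output on stdin and print one whole-disk device name per line.
# Partition lines (e.g. /dev/sda1) do not start with "Disk ", so only whole
# drives are matched; loop, ram and optical devices are not physical drives.
list_disks() {
    sed -n 's#^Disk \(/dev/[^:]*\):.*#\1#p' | grep -Ev '^/dev/(loop|ram|sr)'
}

# Same list, minus the rescue medium given as $1 (identify it by its size in
# the listing, as the article describes). Exact-line match so /dev/sd
# would never silently exclude everything.
wipe_candidates() {
    list_disks | grep -vx "$1"
}

# Print, but do NOT execute, the wipe command for every candidate. Review the
# output, then run each line by hand once you are sure of the device names.
plan_wipe() {
    wipe_candidates "$1" | while IFS= read -r dev; do
        printf 'dd if=/dev/zero of=%s bs=4M status=progress\n' "$dev"
    done
}

# Stand-alone demonstration on the constructed listing; on a real rescue
# system you would pipe `fdisk -l` into plan_wipe instead.
printf '%s\n' "$SAMPLE_FDISK" | plan_wipe /dev/sdc
```

A real run would be `fdisk -l | plan_wipe /dev/sdX`, where /dev/sdX is the device you identified as your boot stick.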
Install your operating system from the original media of the manufacturer. Follow the instructions of the product.
Now install all updates and security fixes that are available for your operating system. If necessary, download them on another computer first. An interesting tool for Windows users is WSUS Offline Update. It allows you to download all available updates for Windows and Office on a clean internet PC and create a DVD or a USB flash drive that will automatically install them all on your newly installed operating system.
Configure your freshly installed system in accordance with current security standards. Close open and unused ports, create a user account with limited rights for the daily work, etc.
Now you can connect your PC to the internet again and download or install all programs and applications you need.
Do not forget to use only the original media of the manufacturer or trusted internet sources for this, too.
You can now restore all your personal data which you backed up earlier.
Please note that these files come from an infected system and thus could have been manipulated. It is possible that they were tampered with so that they reinfect your PC when you open them.
Check all the data carefully before storing it on the clean PC. If in doubt, it's better to throw a file away and create it anew. If you have files which you cannot do without and whose integrity you cannot ensure either, you should consult a specialised security analyst to verify that they are harmless.
Old files could still be infected and must be checked very carefully before opening them on the new system!
Now your PC is clean again. But the case isn't closed yet. You should consider a few things:
All data that the infected system was entrusted with must now be considered publicly available. That includes your personal documents as well as passwords, PINs and TANs for online banking, credit card details, bank account information and your login credentials for different websites. Take the appropriate measures: set new passwords, inform affected persons whose data was stored on your system about this incident, and check your bank statements and credit card bills with extra care in the upcoming months.
Did you have a recent data backup to get back to a working system quickly? Could you restore it without problems? Or was there something you should do differently to make it easier in case of future infections?
How could the virus get onto your computer? What can you do to improve security and prevent incidents like this from now on? How can you protect your sensitive data better? It's no problem if you made a mistake. That happens to everyone. But you should consider this a valuable lesson and learn from it.