Attackers often leave "backdoors" on a compromised computer so they can easily regain access once the original virus/malware is removed. Removing all backdoors can be difficult, and many viruses/malware programs are designed to circumvent and even disable anti-virus utilities. Therefore we recommend reinstalling your operating system, but if that is not practical you can try this option first. If you receive another compromised notice after attempting to clean the computer, you MUST reinstall the operating system.

If you suspect that your computer may be infected with a computer virus or otherwise compromised by hackers, the best course of action is to wipe the computer and reinstall your operating system and applications (see Reinstalling Your Compromised Computer for instructions). If this is not practical, you can attempt to clean your computer using these steps (instructions for Microsoft Windows operating systems):
- Make sure you have the latest virus definitions for your anti-virus software. For the campus-licensed Microsoft System Center Endpoint Protection (SCEP) you can use the following instructions:
  - Double-click on the white and green shield icon in the icon tray bar (notification area) on the lower right portion of your screen. When you move your mouse over the icon, it should say "PC Status: Protected".
  - Click the "Update" tab, click on the "Update" button and follow the prompts.
- Reboot your computer into safe-mode by pressing and holding the F8 key when starting the computer and selecting "Safe Mode" from the boot options when they are presented. Microsoft has specific instructions at the following URLs:
- While in Safe Mode, run a full scan of your system using your installed anti-virus program. Using either of the campus-licensed anti-virus programs you can do the following:
  - Double-click on the white and green shield icon in the icon tray bar (notification area) on the lower right portion of your screen. When you move your mouse over the icon, it should say "PC Status: Protected."
  - On the "Home" tab select "Full" and click the "Scan now" button.
- Run a Rootkit Detection tool like Kaspersky Lab's TDSSKiller Rootkit Removal Utility (http://usa.kaspersky.com/downloads/TDSSKiller - there is a link for a free standalone version at the bottom of the page) or Sophos Rootkit Removal (http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx). Both of these programs can detect some, though not necessarily all, rootkits. Of the two, Sophos is the easier to use; however, for users who are technically inclined, Kaspersky's TDSSKiller provides more information about all hidden files and processes (including those that are a normal part of Windows).
- Download and install an Anti-Spyware program like Spybot - Search and Destroy (http://www.safer-networking.org/) or Ad-Aware (http://www.lavasoft.com/products/ad_aware_free.php). Both of these programs have free versions that can be run for personal use and have solid reputations. Keep in mind that some adware/spyware alerts, particularly cookies, may be fairly innocent and not represent a serious threat to your system's safety. In these cases, the alerts to be concerned about are primarily those that represent installed programs or browser plug-ins/add-ons that you cannot identify.
- If you received a security notice, take a screenshot or save anti-virus/anti-malware scan logs to send to System and Network Security as evidence that your system was successfully cleaned.
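The definition update, full scan and evidence-collection steps above can also be driven from an elevated PowerShell prompt. The script below is an added example, not part of the original page or of SCEP itself; it assumes SCEP's command-line client is installed at the path in `$MpCmdRun` (adjust it if your installation differs) and writes the scan transcript to a dated folder on the Desktop for the System and Network Security evidence step.

```powershell
# Added example: run SCEP's command-line client through the update, full-scan and
# evidence steps. Run from an elevated PowerShell prompt, ideally in Safe Mode.
# ASSUMPTION: SCEP places MpCmdRun.exe under "Microsoft Security Client".
$MpCmdRun = "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
$Evidence = Join-Path $env:USERPROFILE ("Desktop\scan-evidence-" + (Get-Date -Format "yyyyMMdd-HHmmss"))

if (-not (Test-Path $MpCmdRun)) {
    throw "MpCmdRun.exe not found at $MpCmdRun - is SCEP installed?"
}
New-Item -ItemType Directory -Path $Evidence | Out-Null

# Record everything that follows so the log can be sent as evidence of the cleanup.
Start-Transcript -Path (Join-Path $Evidence "cleanup-transcript.txt") | Out-Null
try {
    # Step 1: pull the latest virus definitions before scanning.
    & $MpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Signature update failed (exit $LASTEXITCODE); the scan will use stale definitions."
    }

    # Step 3: full scan (-ScanType 2 selects a full scan). This can take a long time.
    & $MpCmdRun -Scan -ScanType 2
    $scanExit = $LASTEXITCODE
    # Exit code 0 means no threats were found and 2 means threats were found;
    # anything else indicates the scan itself did not complete normally.
    switch ($scanExit) {
        0       { Write-Host "Full scan completed: no threats found." }
        2       { Write-Warning "Full scan found threats; review the SCEP History tab before trusting this machine." }
        default { Write-Warning "Scan ended with unexpected exit code $scanExit; treat the result as inconclusive." }
    }
}
finally {
    Stop-Transcript | Out-Null
}
Write-Host "Evidence saved under $Evidence"
```

A non-zero signature-update exit code or an unexpected scan exit code is itself a warning sign, since malware that tampers with the anti-virus client often breaks these operations first.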
If none of these steps turn up any significant problems, the system is probably OK to use; however, stay wary of any issues you notice. If these steps do not resolve the issue, you should rebuild: Reinstalling Your Compromised Computer