Factsheet 11, Part 3 - You suspect your computer is infected with malicious software - what should I do?

Download You suspect your computer is infected with malicious software - what should I do? (PDF, 954 KB)

This factsheet explains how to detect and remove malware on your computer using a bootable disc (such as a CD-ROM or DVD).

Circumstances for using a bootable rescue disc

1. Your computer will not boot[1] (and therefore you have not been able to follow the steps in Factsheet 11, parts 1 and 2); or

2. You have followed the steps in Factsheet 11, parts 1 and 2 and believe there still may be malware on your computer.

However, even if these conditions apply, do not attempt to follow this Factsheet unless you also have:

1. intermediate computer skills;[2] and

2. access to another computer (through work, family or friend), which is not infected, with a connection to the Internet and software installed that has the ability to copy (write) files to a CD-ROM or DVD optical disc; and

3. back-up files for the infected computer, including original operating system CD-ROMs and operating system rescue discs, and other copies of licensed software installed on your computer. This is important because sometimes the process of removing malware from your computer may inadvertently corrupt important operating system files. Having access to these back-up copies of the software will help you recover if this occurs.

What is the advantage of using a bootable disc?

A problem with detecting malware using a computer that is compromised with malware is that the malware has the ability to subvert the operating system, the antivirus software and the detection processes (including web-based scanners). Therefore, the methods described in Factsheet 11, parts 1 and 2 to detect malware are less reliable than the method described in this Factsheet (part 3).[3]

A bootable CD-ROM or DVD disc has the advantage of being both bootable and "read only", that is, unable to be changed by malware, if it is present. The malware signature files are stored on the disc and the computer runs from the disc while the scan takes place, rather than from the computer's operating system or existing antivirus programs, which may be compromised and provide a false result.
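To make the "subverted view" problem concrete, here is an added example in Python (not from the factsheet or from Avira): it compares a file listing taken while the suspect system is running with one taken after booting from read-only rescue media, and reports what the running system failed to show. Both listings are constructed sample data; the paths and sizes are made up.

```python
# Added illustration of a "cross-view" comparison (not the factsheet's own
# method). A listing produced by a running, infected operating system may be
# filtered by malware; a listing taken after booting from read-only rescue
# media reflects what is really on the disk. Entries that only the offline
# view shows are candidates for closer inspection.
# Both listings are constructed sample data in the form "<size> <path>".

LIVE_LISTING = """
# constructed: listing produced by the (possibly subverted) running system
1024  C:/Users/Owner/Documents/report.doc
8192  C:/Windows/System32/drivers/example.sys
2048  C:/Windows/System32/example.dll
"""

OFFLINE_LISTING = """
# constructed: listing of the same disk taken from the rescue disc
1024  C:/Users/Owner/Documents/report.doc
8192  C:/Windows/System32/drivers/example.sys
3072  C:/Windows/System32/example.dll
4096  C:/Windows/System32/drivers/unlisted_sample.sys
"""


def parse_listing(text):
    """Parse '<size> <path>' lines into {path: size}; '#' lines are comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size, path = line.split(maxsplit=1)
        entries[path] = int(size)
    return entries


def cross_view_diff(live, offline):
    """Compare the live view against the offline (trusted) view.

    Returns the paths the live system did not show at all, and the paths
    whose size differs between the two views (worth checking, though a
    size change alone is not proof of tampering).
    """
    hidden = sorted(path for path in offline if path not in live)
    mismatched = sorted(path for path in live
                        if path in offline and live[path] != offline[path])
    return {"hidden_from_live": hidden, "size_mismatch": mismatched}


def sample_diff():
    """Run the comparison over the constructed sample listings."""
    return cross_view_diff(parse_listing(LIVE_LISTING),
                           parse_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    for category, paths in sample_diff().items():
        print(category, paths)
```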

Where do I get the free bootable CD-ROM?

The files for the bootable disc (CD-ROM) are available for free from the Avira web site. It is called the Avira AntiVir Rescue System.

However, you will need to download them from another computer that is not infected with malware and has Internet access. Download and copy (write) the Avira AntiVir Rescue System files to a CD-ROM. Use a new CD-R disc (purchase one if necessary) and copy (write) the files to it for this purpose.

Do not copy these files to a disc until you need them because the signature files on the Avira AntiVir Rescue System that is available from the web site are constantly updated.

Download the Avira AntiVir Rescue System files and create the rescue disc from another computer that is not infected:

  1. Using another computer that is not suspected to be infected[4] (at your work place or belonging to a friend or family member), go to the following link at the Avira web site:

    http://www.avira.com/en/support/support_downloads.html

     [Image: Avira web site download page]

  2. Click on the first "Avira AntiVir Rescue System" to download the file. It should have an image of a disc next to the file size as shown above.
  3. After the files are downloaded and saved on the computer, copy (write) the files to a new (unused) CD-R disc.
  4. Eject the disc.

Using the bootable disc on the computer with the suspected malware infection, which still boots:

  1. Most computers have the ability to boot from a disc in the CD or DVD drive but either are not set up to do so, or won't do so while the operating system is still capable of booting from the hard disk drive (HDD).

  2. In the situation when your computer still boots from the hard disk drive, you will need to modify the BIOS setup to change the location of the boot drive from the hard disk drive to the CD-ROM or DVD drive.

  3. The method to access the BIOS setup varies between hardware manufacturers. Usually, you must press a key (such as F2, F12[5], DEL, ESC[6]) or a combination of keys immediately after you turn on your computer but before the operating system boots. Sometimes the key which provides access to the "Boot Menu" will be flashed briefly on the computer screen after the computer is turned on and prior to the operating system booting from the hard disk drive.

  4. If you cannot see the key to access the "boot menu" displayed briefly on the computer screen immediately after you turn on the computer, then check the web site of the manufacturer of your computer's hardware. Computer hardware manufacturers include companies such as Dell, Hewlett Packard (HP), Apple, Acer, Sony, etc. Go to the web site of your computer hardware manufacturer; look for the section under "Help" or "Support" and search the web site for the words "access BIOS setup" or "access boot menu". Write down this key for future reference.

     [5] Keys that start F1, F2, etc. are called function keys. They appear on the top row of the keyboard.

     [6] DEL is the Delete key. ESC is the Escape key, which usually appears in the top left hand corner of the keyboard.

  5. Incorrectly changing BIOS settings may leave the computer in a state in which the operating system no longer starts. Therefore make sure you write down the original BIOS settings before you modify them. (Remember also that once your computer is fixed you will need to change the BIOS settings back to boot from the hard disk drive, which is another good reason to record the settings.)

  6. Once you have accessed the Boot Menu, select "BIOS setup", then "System", then "Boot sequence". The menu options might vary slightly between manufacturers. Ultimately, from the "BIOS setup" menu you need to modify the "boot sequence", so look for and select options which allow you to do this.

  7. Once in the "Boot sequence" sub-menu, change the location where the computer boots from. The default will be the hard disk drive. Change this to the CD (or DVD) drive. The method used to change the sequence will be displayed on the screen, so follow the instructions displayed for your particular computer.

    • As an example, to change the boot sequence on a Dell computer, use the up or down arrow keys to select the CD/DVD drive from the list of bootable drives. Hold down the "Shift" key in combination with the "up arrow" key to move the CD/DVD drive to the first position in the list. This makes the CD/DVD drive the first location from which the computer boots.
  8. Save these settings and exit from the BIOS setup. Again, follow the instructions displayed on the screen which tell you how to do this.

  9. Open the CD/DVD drive and insert the Avira AntiVir Rescue System disc. Close the drive.

  10. The computer should now boot from the CD disc drive and present a screen as shown below in Figure 1.

     [Image: rescue disc boot screen]

    Figure 1. Boot Screen

  11. You need to boot from the AntiVir Rescue System, which is the default option listed. To do so, press the "Enter" or "Return" key to continue. Wait for a moment while the software loads. Using the mouse, click the "Union Jack" icon to select the English language as shown below in Figure 2.

     The default Avira screen with the English language button circled

    Figure 2. Default Screen in English

  12. Click the "Configuration" button. Click on the "Try to repair infected files" radio button and activate (tick) the "Rename files, if they cannot be removed?" check box. The figure below shows how this should look.

    Avira configuration screen with the desired settings circled

    Figure 3. Desired Configuration Settings

  13. Click the "Virus scanner" button and click the "Start scanner" button.

    The Avira screen with the Virus scanner and Start scanner buttons circled

    Figure 4. Start Scanning

  14. Depending on your system and how many files it has to scan, it could take from ten minutes to several hours to complete. Once completed you will have a screen similar to Figure 5.

    The Avira screen showing results from a completed scan

    Figure 5. Finished Scan

  15. The scanner renames files it cannot clean by appending ".XXX" to the filename. Once it has completed, you can shut down by selecting the "Miscellaneous" button and clicking "shutdown", as in the image below.

    The Avira screen with the Shutdown button circled

    Figure 6. Shutdown Computer

  16. Now the CD-ROM should eject and you can power off the system if it does not do this automatically at the following screen.

    The Avira screen showing CD-ROM eject and power off

    Figure 7. Eject CD-ROM and Power off

  17. After you have finished the scan, follow steps 3-8 above and change the BIOS setup back to the original settings to enable the computer to again boot from the hard disk drive.

  18. If you have modified the BIOS correctly, your system should start normally.

Using the bootable disc on the computer with the suspected malware infection, which no longer boots:

1. Depending on how your computer's BIOS is configured, if your computer is no longer able to boot from the hard disk drive, it may, as an alternative, try to boot from the CD/DVD drive instead. To test this, insert the Avira AntiVir Rescue System bootable disc into the CD/DVD drive.

2. If this works, the computer should now boot from the CD/DVD disc drive and present a screen as per step 10 (Figure 1) above.

3. If the computer does not boot from the CD/DVD drive and display the menu for the Avira AntiVir Rescue System (as shown in Figure 1), then you will need to try to modify the computer's BIOS setup in the same way as described above. Follow steps 3 - 16 above and change the BIOS setup so that the computer boots from the CD-ROM (or DVD) drive instead of the hard disk drive.

4. After you have finished the scan, follow steps 3 - 8 above and change the BIOS setup back to the original settings to enable the computer to again boot from the hard disk drive.

5. If you have modified the BIOS correctly, your system should start normally.

What now?

If your system continues to experience problems you should seek professional assistance. It is possible that some highly sophisticated malware remains on your computer or there may be another cause for the problems experienced.

[1] If your computer fails to boot, this means that it will not start and load the operating system and other programs to allow you to use the computer in the normal way.

[2] If you do not have intermediate skills then do not attempt the steps in this factsheet. Seek professional assistance to fix your computer instead.

[3] If you give your computer to a professional who claims to be able to clean and remove malware, it is important to check what methods they use to do this. If they are only following steps like those outlined in Factsheet 11, parts 1 and 2, then they are not providing a 'professional' level of service.

[4] It is important to download the files from a computer that is not infected for this process to work optimally. Using the infected computer may corrupt the files that first need to be downloaded and saved to your computer. It is not recommended.