Disinfecting a Windows machine

So last weekend my sister came to me with a slow performing Windows 8.1 Acer laptop. She wanted me to format it and install a new copy of Windows 8.1.

I’ve been using Debian for the last 3 years. Previously I was dual booting between Windows and Debian in order to play DOTA 2 with my friends, but since Valve released DOTA 2 on Linux, I’ve had little reason to open my Windows installation. As you’d expect, I didn’t have a Windows 8.1 setup disc or ISO lying around. I debated whether to shift her to a clean KDE-based Debian machine, and she agreed as long as her desktop looked nice, but I changed my mind when I saw the software she was using –

  1. Cyberlink PowerDirector Pro
  2. Cyberlink PhotoDirector
  3. Bunch of free games

I’m sure I’d be able to find alternatives for the above, but it’d be too much of a learning curve for her, plus setting up a KDE machine from scratch would take some time.

I decided to investigate the reason for the slowness, and possibly fix the problem itself. Upon further discussion with her, I found out that the laptop was not only slow, but was infected with some sort of malware. She was getting permission errors while opening certain folders, and a lot of the folders were hidden.

I’ve been using Linux as my primary OS for the past 4 years, and haven’t had to worry about this sort of problem. Even so, cleaning up the system was quite simple. This post gives an outline of the steps I followed to do so.

  1. Stop unwanted and suspicious running processes
  2. Remove unwanted startup programs
  3. Remove other antivirus
  4. Remove unnecessary and suspicious software
  5. Cleaning up troublesome software
  6. Remove unnecessary Chrome extensions
  7. Update Windows
  8. Reactivate Windows security features
  9. Full scan via Windows defender
  10. Windows proxy

Stop unwanted and suspicious running processes

The first step is to find out what programs / processes are running that shouldn’t be. The Windows Task Manager is a good place to start looking.

Kill dangerous processes
Kill dangerous services

Some things will shout out “I don’t belong here.” Others might not be so obvious. If something seems suspicious but you’re not sure if it’s needed, just Google the process name and you should have your answer.

You want to do this first because certain applications / processes will detect that you’re uninstalling them and then perform some malicious action.

Remove unwanted startup programs

I used services.msc to determine which services were running. Going through the description of the service will likely give you enough information on whether the service is needed.

You can start services.msc by:

  1. Press Windows Key + R on your Windows desktop.
  2. Type services.msc
  3. Press enter

While I was here, I removed the various services related to the anti-virus applications that my sister had tried to install. In addition, whatever suspicious processes I had stopped earlier, I tried to find any services related to those.

Remove other antivirus

The gut reaction of a person who knows that they have been infected by a virus or malware is to install an antivirus and try to get rid of the problem. And if the first one doesn’t work, we try it with another one.

When I got my sister’s laptop, she had a couple of antivirus products installed – Kaspersky and Avast. Avast was fairly simple to remove via Windows Add / Remove Programs, but I was having trouble removing Kaspersky. During uninstall, Kaspersky would tell me that I did not have enough privileges to uninstall the application.

Eventually I got rid of it by using the Kaspersky removal tool.

Remove unnecessary and suspicious software

This was a little painful to do since Windows does not allow you to uninstall multiple applications at once.

I uninstalled all the applications that I’d disabled earlier, one by one. Almost all of them were fairly straightforward to uninstall. I’ll be discussing the one that was not so easy to uninstall below.

Cleaning up troublesome software

MPC Cleaner gave me a hard time. There was no uninstaller for it in the Windows Add / Remove program and the install directory did not have an uninstaller either.

It turns out not to be a harmful program, but it is clearly unwanted software that doesn’t want to be uninstalled.

Googling around revealed that you have to boot your system into safe mode and then remove it. That’s just too much work. The other way to remove it was to install AdwCleaner.

This is the approach I followed. In addition to removing MPC Cleaner, I removed browser cookies, local cache and history using AdwCleaner.

Adw Cleaner

Remove unnecessary Chrome extensions

Next I tackled the browser, and removed all unnecessary extensions installed. AdwCleaner also helped remove unnecessary toolbars and a homepage that had been added to Chrome. This step was quite easy and went without any hiccups.

This process will differ if you are using a different browser, but AdwCleaner supports other popular browsers like Internet Explorer and Firefox as well.

Update Windows

I then updated Windows. I selected all the important updates, and downloaded the latest definitions for Windows Defender. This took quite some time but went without any issues.

Reactivate Windows security features

I personally feel that Windows’ built-in firewall and Defender are together good enough to handle an average user’s security needs. Hence I went ahead and activated these. They had been disabled by the previous antivirus software that my sister had installed.

Full scan via Windows Defender

So now that we had an updated version of Windows Defender, I ran a full system scan. Please note that this will take quite some time, so feel free to go do your thing while Windows Defender does its.

Windows proxy

After the scan had been done, everything was looking good. No more permission issues, no more slowness but we were still having issues connecting to the Internet intermittently. I checked the proxy settings for Windows and for some reason found this there – http://unstops.net/wpad.dat. Apparently this is a browser hijacker and shows users ads and redirects their browser session. Removing this resolved the Internet connectivity issues.
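As an added example that is not part of the original post, the following PowerShell script gathers in one place the evidence the steps above collect by hand: running services whose executables are not signed by Microsoft, startup entries, the per-user proxy and automatic configuration script settings (the slot where the wpad.dat URL turned up), and the state of Defender and the firewall. It only reports and changes nothing; the registry path and cmdlets are the standard ones, and the only assumption is an elevated PowerShell session on Windows 8.1 or later.

```powershell
# Added example (not from the original post): read-only triage script that
# reports the things the post checks by hand. It changes nothing on the system.
# Run from an elevated PowerShell prompt on Windows 8.1 or later.

Write-Host "== Running services whose executable is not signed by Microsoft =="
Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
    # PathName holds the full command line; take the path up to the first .exe,
    # with or without surrounding quotes (handles paths under 'C:\Program Files').
    $exe = if ($_.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $_.PathName }
    $cert = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate } else { $null }
    $signer = if ($cert) { $cert.Subject } else { 'unsigned or file not found' }
    if ($signer -notlike '*Microsoft*') {
        [pscustomobject]@{ Service = $_.Name; Executable = $exe; Signer = $signer; Description = $_.Description }
    }
} | Format-Table -AutoSize -Wrap

Write-Host "== Startup entries (Run keys and Startup folders) =="
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-Table -AutoSize -Wrap

Write-Host "== Internet proxy settings for the current user =="
# Internet Options stores the manual proxy and the 'automatic configuration
# script' URL here; the latter is the setting that held the wpad.dat entry.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
if ($inet.AutoConfigURL) {
    Write-Warning "An automatic configuration script is set: $($inet.AutoConfigURL). Home users rarely need one; confirm where it came from."
}

Write-Host "== Windows Defender and firewall state =="
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated | Format-List
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
```

Anything the script lists is a lead to look up, not a verdict: unsigned does not mean malicious, and the same "Google the name" step from earlier still applies before stopping or removing anything.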

Although the steps described here were carried out on a Windows 8.1 machine, they apply to other versions of Windows too. The entire process took less than 2 hours of my time, out of which removing the unwanted software one by one took the longest. Most of the stuff happened in the background, without much of my intervention. I’m glad I went down this route rather than formatting the entire system. It was less work, and everything was still set up exactly the way it was earlier.

I had a chat with my sister and asked her not to install any more “performance improving” software. I also asked her to read carefully before pressing the Next button while installing new software. Staying clean on a Windows machine is quite easy if you keep it up to date with security updates, have the Windows firewall on and Defender running.
