Will Installing Antivirus Help “After” Getting Infected?

When I hear this question, I view it as another way for the customer to ask if they can remove the infection themselves … to save money of course. I don’t know how far into my head you want to get on this one, because the answer isn’t always a straight yes or no; it depends on many variables, such as:

  • When did you get infected? If your computer was infection-free up until the moment you really got infected, you could probably boot into Safe Mode and run a System Restore to a previous System Restore Checkpoint and then run some scans to be sure your computer is clean.
  • Do you already have current antivirus or antispyware security software installed and is it updated?
  • Is your security software alerting you to the infection, or do you just suspect you are infected?
  • What is the name of the security software that is alerting you to the infection? Is it one that came with the computer, one that you installed, or at least one you recognize as a reputable brand name? Do you think it is a fake alert?
  • Can you still boot to Windows “Normally” or to “Safe Mode”?
  • Can you access the internet?
  • Do your programs still seem to respond properly, can you open Task Manager?
  • Have you already had signs of an infection for some time, yet you continued to use the computer until you finally got one that rendered your computer useless?
  • Are you getting the “Blue Screen of Death” (BSOD), or is your computer stuck in a Boot Loop where it just keeps automatically restarting?
  • How would you rate your computer skills?

I could go on and on with this list depending on how you respond, but it will ultimately depend on your computer skills. The fact that anybody would ask the question “Will installing antivirus help “after” getting infected?” tells me that you are probably not skilled in dealing with infections at all. So what can you do about it if you want to give it a shot anyway?

First off, never have more than “one” antivirus or “one” active antispyware program installed on your computer. So if you have an expired or corrupted antivirus program installed on your computer, remove it first before installing a new one. Also, don’t do what the antivirus companies recommend and turn off System Restore. An infected, but bootable Restore Point is better than “NO” Restore Points. Turning off System Restore deletes your old Restore Points. Do this later after your computer is repaired, just remember to turn it back on.

This might sound strange to you, but installing and running an antivirus program is one of the “last” things I do when cleaning a computer. If there is a current antivirus program installed, that’s great, but I will only rely on its automatic real-time protection feature for now, which works great when running in conjunction with other antispyware scanners. I’ll run a full antivirus scan later.

I will usually start up in Safe Mode and start cleaning up manually first. I’ll reveal all the hidden system files and extensions, perform a Selective Startup in “msconfig”, and turn off unnecessary Services. I’ll then go to the Control Panel and use the Programs and Features applet to remove as much “bad” stuff as I can recognize. Just know that programs using the Windows Installer cannot be removed in Safe Mode. Just remove them later in Normal mode. Sorry, but you will have to do your own homework as to what is bad or unnecessary.

Note: Don’t go wild and start removing everything. You only need to remove the bad programs.

Some infections hide in temp folders, which should be cleaned regularly anyway as part of routine software maintenance. I recommend a free program called CCleaner to perform this. As for scanning for malware, I like to start off with MalwareBytes and SUPERAntiSpyware.

Note: If you have been getting Blue Screens and think you might need professional help, copy the c:\Windows\Minidump folder somewhere because CCleaner will delete the minidumps. But even if you delete them, don’t worry, this folder only gets created when you have a critical error that creates a minidump, which happens during most Blue Screen errors. It is not required for normal operation, but might have some information that can be analyzed by a PC Tech.

As you clean off more and more junk from your computer, you should feel the speed and performance of your computer start to improve. But this is not always the case. If your computer has been acting up for some time and you have been ignoring it to the point your computer started freezing, you probably have errors on your hard drive which will need to be corrected with “chkdsk” or some other 3rd party hard drive utility first. These hard drive errors happen from the bad shutdowns you have to perform because the computer froze. Don’t kid yourself into thinking you can just keep doing this, you might end up with a bad hard drive and lose your data as well.

Sometimes computers get infected with some very persistent and deep-rooted infections that not a single program found on Best Buy’s shelves can correct. I’m talking about Rootkits and Master Boot Record infections. They are the most devious and hard-to-remove infections for the average user, maybe even a PC Tech at times. I see them all the time these days, especially when you’re infected with a Fake Alert program. Some of these are so malicious that they will prevent you from installing, running and updating most known security software. So what can you do?

Recent Rootkit Experience

The most common rootkit I see these days is the TDSS Rootkit, which Kaspersky provides a free tool for called TDSS Killer. I suspected I had one yesterday on a Compaq Windows XP machine I was working on. Whatever it was, it prevented me from even running TDSS Killer. I also suspected it might be an MBR infection.

I usually run MBRCheck on severely infected machines, which will usually tell me if it has a non-standard or infected MBR, but this one reported it had a Standard XP MBR so I moved on to other things. I had already run ComboFix, which found some hidden infections, but obviously not all of them because Internet Explorer was still hijacked. It kept running on its own and got redirected to random advertising websites and consumed lots of memory. All my other scans were coming up clean though.

I finally decided to install a trial version of ESET Nod32 v5. It had some trouble installing but eventually finished and started reporting an MBR infection which it couldn’t clean. How ironic, because I had already run MBRCheck and this machine also had an outdated version of ESET Nod32 already installed, which I had to remove.

The fix for an infected MBR is actually pretty easy, but I don’t perform it unless required because you could end up with an unbootable Operating System. For XP, you just boot up to the Recovery Console and run “fixmbr” at the command prompt. For Vista and Win7, press F8 when booting up and select Startup Repair. Then run “bootrec.exe /fixmbr” at the command prompt.

After that, everything was fine, I was able to run TDSS Killer and it actually came up clean.
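As an added example (not the author's code, and not how MBRCheck, ESET or TDSS Killer work internally), this Python example shows what checking an MBR against a known-good baseline involves: it parses a saved 512-byte sector image, checks the boot signature and partition table, and hashes the boot code. The sample sectors and the baseline are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; disk signature and partition table follow
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # required bytes at offsets 510-511
ENTRY_FMT = "<B3xB3xII"  # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into the parts worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def assess(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for one sector against a known-good boot-code hash."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    # Assumption: a BIOS/MBR boot disk, which carries exactly one active entry.
    if sum(p["active"] for p in mbr["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code plus one active NTFS partition."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 1_000_000)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + BOOT_SIG


if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0" + b"\x90" * 16)     # constructed, not a real XP MBR
    tampered = build_sample(b"\xfa\x33\xc0" + b"\xcc" * 16)  # same layout, altered code
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(assess(clean, baseline), assess(tampered, baseline))
```

The tampered sample keeps a valid signature and an identical partition table, so only the boot-code hash gives it away. A sector read from inside the running, infected Windows is only as trustworthy as the disk reads that system returns, so take the image from clean boot media, and keep a copy before running “fixmbr”.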

Moral of the Story

While this Compaq didn’t have the TDSS Rootkit, it had other ones, as evidenced by not being able to run TDSS Killer and the hijacked browser. ComboFix took care of most of this. So suspicions might not be true, even though my suspicions are based on years of experience. Anyway, I usually run the Antivirus program “last” because most infections are not “true” viruses, but are actually other forms of malware that are better discovered with a good antispyware program. Besides, a full virus scan can take 1-1/2 hours or more, while antispyware scans are about 20 minutes or so.

Also, a good number of people have expired antivirus programs and I don’t know what their plans are yet as far as renewing it, or installing another brand. I just hope they don’t decide to install one of the free ones, because basic antivirus protection doesn’t go very far when only about 3% of malware infections are actually “true” viruses. The paid programs are much more robust and can detect a much wider range of threats. Also, if I were to wait to find out what they wanted to do about their expired antivirus, it would delay the repair, especially if we ended up playing phone tag.

For this poor Compaq machine, I may have been able to discover the worst infection “first” by upgrading the Nod32 Antivirus to the new version, but it is also possible that with the trouble I had installing it towards the end, that it might not have been able to be installed in the beginning until a fair amount of the other malware was removed. I’ll never know.

What I do know is that most antispyware scanners allow you to choose what you want to remove when they detect something, whereas by default, most antivirus programs automatically clean, delete, or quarantine the infected files they find. This can sometimes leave you with an unbootable system if it managed to automatically delete an infected system file, or some malicious file it tricked Windows into thinking it was now required for boot up. It has happened to me more times than I care to mention over the years, and although I can usually reverse what happened with a manual System Restore, it adds time to the repair.

So in my experience, I would not recommend merely installing an antivirus program “after” you got infected. You should always have these tools installed beforehand. But because you might not be able to do things the way I suggest, you will probably do it anyway and hope for the best. You just might get away with it depending on what you got, but you would be guessing by the seat of the pants what you were doing. As a professional, I can’t risk performing computer repairs by the seat of my pants. But I do know that if you didn’t get away with it and you end up bringing your computer to me to fix after you gave it a try, that it will usually be a more difficult problem to repair than if you just brought it to me in the first place. That will mean more down time and sometimes more money.

So bite the bullet and install some top-tier antivirus and antispyware products before you have a problem. You know what I recommend. Also, download some of these free tools I mentioned before you need them, because you might not be able to get on the internet later if you only have access to one computer and it is the one that is broken.

I hope this gives you a little insight into the malware removal business. It is definitely better if you spend your efforts learning how to prevent malware than guessing how to remove it. But if you do get infected anyway, just save yourself the headache and have a pro do it for you. While we probably already have a headache, I don’t think it will get any worse. We’ll still be able to take care of your sick computer.


