
Virus Removal and Recovery

Despite your best efforts, you may at some point catch a virus on your PC. When this happens, you of course want to get rid of the virus immediately, and restore your system to its pre-infected state. Removing a virus from your system can be incredibly simple, or surprisingly difficult, depending on what the virus is, what sort of antivirus software you are using, and how quickly you have caught the problem. There is also the problem of dealing with any potential data loss that may have resulted from the virus's handiwork.

Most virus scanners that use virus definition files also include software that will remove many viruses and repair the damage that they have caused. However, in many cases a scanner will detect a virus, but will be unable to remove it from the system. This can leave you, the one with the virus, feeling somewhat helpless. It would be better if scanners could remove all viruses that they could find, but this isn't always possible. Some scanners will remove viruses that others cannot.

Remember that there is the possibility of false positives with all virus detection products. Make sure you really do have a virus before you attempt to remove it, or you may make matters worse. The first thing that I do when I find a virus on one of the PCs I maintain is to do a search on the net to find out more about it. This helps me to decide how to proceed when dealing with the virus, since if a special disinfector is needed, many people usually will be talking about it. It also helps me to decide if I have a real infection or a false positive--if many others have been finding a particular virus, there's a better chance that the infection is real. I usually first check on Usenet to see what the current scuttlebutt is about the virus I just found.

When a virus infects a boot sector, it is normally removed by rewriting the boot sector code that resides on the disk. Most virus scanners will do this for you. Another way to do it manually is to boot from a clean floppy (to make sure that the virus is not in memory) and then use the command "FDISK /MBR" to rewrite the boot sector code on the hard disk. However, this is not always the best solution, because in some cases the virus can cause damage that needs to be undone by a program that knows how to deal with it. "FDISK /MBR" will wipe out the virus, but will not necessarily address any damage that it has done to the disk.

Warning: Be careful before using FDISK /MBR, especially if you have any special setups on your hard disk, such as non-DOS partitions, disk manager utilities or boot managers. These situations often require special attention to ensure that the non-DOS information is not lost.
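The check this warning calls for can be made on a saved copy of the disk's first sector before anything is rewritten. The following is an added example, not part of the original guide: it parses a 512-byte master boot record image and lists the partition entries that fall under the warning. The function names, the partition type ID tables and the sample sector are assumptions made for the illustration.

```python
import struct

# Partition type IDs that DOS FDISK itself creates (FAT and extended).
DOS_TYPES = {0x01, 0x04, 0x05, 0x06, 0x0B, 0x0C, 0x0E, 0x0F}
# Type IDs conventionally used by boot managers and disk manager overlays.
SPECIAL_TYPES = {0x0A: "OS/2 Boot Manager", 0x54: "OnTrack Disk Manager",
                 0x55: "EZ-Drive"}
# One 16-byte entry: status, CHS start, type, CHS end, start LBA, sector count.
ENTRY = struct.Struct("<B3xB3xII")

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector ending in the 55 AA signature")
    entries = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        if ptype:  # type 0x00 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "lba": lba, "sectors": count})
    return entries

def fdisk_mbr_warnings(sector):
    """List the entries that need attention before running FDISK /MBR."""
    warnings = []
    for e in parse_mbr(sector):
        label = f"slot {e['slot']} (type 0x{e['type']:02X})"
        if e["type"] in SPECIAL_TYPES:
            warnings.append(f"{label}: {SPECIAL_TYPES[e['type']]}")
        elif e["type"] not in DOS_TYPES:
            warnings.append(f"{label}: non-DOS partition")
    return warnings

def build_sample_mbr(types):
    """Constructed test input: empty boot code plus one entry per type ID."""
    sector = bytearray(512)
    for slot, ptype in enumerate(types):
        ENTRY.pack_into(sector, 446 + 16 * slot,
                        0x80 if slot == 0 else 0, ptype, 63 + slot * 2048, 2048)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    # Constructed disk: FAT16, a Linux partition, and a Disk Manager entry.
    for line in fdisk_mbr_warnings(build_sample_mbr([0x06, 0x83, 0x54])):
        print(line)
```

An empty result only means the partition table holds nothing unusual; a boot manager that lives purely in the boot code leaves no entry in the table, so keep the saved sector image as a backup either way.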

Most commercial antivirus software today is very high quality, due largely to competition amongst the various large firms for this lucrative market. It is best to follow the instructions given by the antivirus program when you find that you are infected, and use the technical support line that it comes with, if you need it. Usually this will yield the best results. You may also find more useful information in the comp.virus FAQ page, or Symantec's Antivirus Research Center.

For files infected with viruses, there is usually one of three results:

  • File Can be Disinfected Automatically: Many viruses can be removed from files automatically and perfectly by most good antivirus software. This isn't always the case, but usually the antivirus program can tell if it is able to repair an infected file or not, and will tell you in advance.
  • File Requires Special Disinfection: Some viruses can be removed but require special tools in order to do this. If this is the case, the manufacturer of the antivirus software will make these disinfectors available for download on their web or FTP site. Make sure to follow all the accompanying instructions carefully.
  • File Cannot be Disinfected: Some types of viruses cannot be removed from files, or can only be removed by damaging the host program. Sometimes the antivirus software is what causes the damage through imperfect disinfection. For this reason, it makes sense in some ways to try to copy the affected file to a floppy disk and try disinfecting it there. (Many antivirus products will back up the file before trying to disinfect it.) If the file is damaged, try a different virus remover, which may be better at dealing with this particular type of virus. However, often the file damage is unavoidable; this is usually because the damage was done at the time that the file was infected. In this case, removing the file and restoring from a backup is the best option.

Tip: After disinfecting a virus, reboot your PC and run a routine scan again to make sure that all traces of the virus have truly been removed.


The PC Guide (http://www.PCGuide.com)
Site Version: 2.2.0 - Version Date: April 17, 2001
© Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.
