Question

What should I do if I think I have a virus, and how do I remove a virus from my device?

Overview

You suspect that there may be a virus or malware on your machine or storage device. Any of the following symptoms may be occurring:

• Unwanted pop-ups
• Unusual computer behavior
• Unusually slow performance during certain tasks (Often browsing speeds are affected)
• Message notifications occur that you have a virus

Answer

Important Note

The UC Davis Information Security Office highly recommends that any computer demonstrating possible malware infection symptoms be analyzed by an IT professional. If, after such an analysis,  doubt remains about whether or not the malware was completely removed, the recommended course of action is to reinstall the computer operating system. This follows federal computer safety guidelines, best practices, and prevents persistent virus infections from continuing to steal usernames, passwords, and sensitive files. It also prevents infections from spreading and protects the UC Davis network. If you do not have the ability to have an IT specialist review your system then please contact your computer vendor.

Here are general steps which should be performed to "wipe" a system.

1. Backup your important files by copying them to a safe location off the infected system (cloud, USB stick, external hard drive, etc.).
   1. These include files such as email, documents, photographs, spreadsheets, presentations, and any unique files or software activation codes for your software you cannot replace if your computer were lost.
2. Obtain your operating system re-installation software (often this comes with a new computer).
3. Follow manufacturer recommendations to reinstall your operating system.
4. Immediately update the operating system using built in update mechanisms as the original software will have vulnerabilities which can be used to reinfect your system.
5. Install antivirus and anti-malware software.
6. Install computer programs you use, and configure your software.
7. Update computer programs to latest versions.
8. Copy your backed-up files back to your computer.
9. Be safe when reading email, and browsing the Internet.

The steps below may assist with restoring your system to a usable state so it can be used to backup your files and data before wiping it and reinstalling the operating system. In very rare cases known and very common infections can be stopped using these steps, however, this is not the recommended solution for responding to a virus infection.

• Windows
• macOS
• USB Drives/Removable Storage
• Outside Support 

Windows

1. Clear your browsing history, cookies, and cache. Browsers may vary on this task. This will significantly reduce scanning times.
2. Click Start, and go to your Control Panel. Click Add/Remove programs. Check through your installed programs to locate any unwanted or suspicious programs. Uninstall anything that may be questionable. Examples: Toolbars for coupons, Windows "Optimizers," or Windows "Cleaners." Usually, these programs will ask you a couple times if you are really sure that you want to uninstall the software.
3. Open Windows Security (Start > Settings > Update & Security > Windows Security), select Virus & threat protection, update the definitions, then run a full scan.
4. Download and install Malwarebytes. Run the program, let it update its definitions, then run a full scan of your system.
   Note: While it is free for personal use, a license is required to run on a University owned system.
5. If you are unable to download Malwarebytes, try using TrendMicro HouseCall. HouseCall is a lightweight free virus scanner for both Windows and Mac. After clicking the download button, select "Get HouseCall Now." Perform a full system scan after the program has loaded.
6. When the scanner(s) have completed their process, a system restart is advised.
7. Run Windows Update (Start > Settings > Update & Security > Windows Update). Click Check for updates and install all recommended updates. Reboot the PC if prompted.
8. If the virus/malware is still persistent, you may need to reload your machine from a backup.

Advanced Tips:

• If your system is not allowing web access to certain sites or is redirecting to the wrong sites, you may need to clean up your hosts file. This file is located under %SYSTEMROOT%\Windows\System32\Drivers\etc. You'll need to have hidden files and folders enabled for viewing. Once you locate the file, right click and select "Open with..." Select Notepad for your program. When the file is open, you'll find several lines commented out with a hashtag(#), and 127.0.0.1 LocalHost. Any additional lines are not in this file by default. Once modified, save the file. Make sure there is no .txt extension appended to the file.
• Windows Task Manager has a Startup tab where you can disable any questionable startup programs.
• An alternative to the Startup program editor is to use the Windows Configuration Manager. This can be accessed by clicking Start, going to Run, and entering msconfig.exe. Use the Startup tab to change your system's startup behavior. Note that this will not remove the lines from the file but allow you to uncheck any unwanted startup programs.
• An alternative to Malwarebytes is Spybot Search & Destroy. This program is free (for students/faculty), and features pre-startup scanning in addition to a handful of advanced tools.

macOS

1. Clear your browsing history, cookies, and cache. Browsers may vary on this task. This will significantly reduce scanning times.
   • Firefox: Click History, then select "Clear Browsing History..." Check the appropriate boxes and continue.
   • Safari: Click History, then select "Clear History." Click Clear.
   • Chrome: Click History, then select "Show Full History." At the top, click "Clear browsing data..." Check the appropriate boxes and set the drop down menu to "Since the beginning of time."
2. Download and install Sophos for Home Mac Edition.
3. After this program is installed, allow the program to complete its virus definition update. Once this has completed, perform a full scan.
4. If you are unable to download or visit the above links, try using TrendMicro Housecall. HouseCall is a lightweight free virus scanner for both Windows and Mac. After clicking the download button, select "Get HouseCall Now." Perform a full system scan after the program has loaded.
5. Once one of the above scanners has completed, it will ask what you would like to do with any files that were detected. The default option is to Quarantine the file. Confirm and allow the system to do this. 
6. When the scanner(s) have completed their process, a system restart is advised.
7. If the virus/malware is still persistent, you may need to reload your machine from a backup.
8. Run all the latest Mac updates for your machine. Go to the Apple icon, and select Software Update... This will open the App Store and search for any available updates.

Advanced Tips:

• Sometimes a Mac will be performing poorly due to a bad profile. Try creating a new account profile to see if performance improves.
• Viruses may reside in the Library folder or as an "Application." The easiest way to remove these is simply drag the file to the Trash.
• Viruses that require an install will ask for your Administrative password before the install is allowed. Be sure that you know what you are installing before you clear it for installation.

Scanning Storage Devices

If you believe your USB Drive or other storage device may have a virus, you'll need to scan it on a computer. Plug the device into a computer with one of the above anti-virus programs. Your storage device should be listed as a scannable drive.

If you are using Windows, start from step 4.
For Mac, start from step 3.

Outside Support

For Students: Visit the Tech-HUBfor additional assistance. They are located next to the Memorial Union building on the Davis campus.

For Staff/Faculty: Please contact your local IT support for additional assistance. You may also contact IT Professional Services.