We’re gonna fix you up, and, with a little effort, prevent problems from occurring in the future.
Please note that a (re)format (when you wipe the computer and reinstall windows) is rarely needed to get rid of a computer infection. A worst case scenario is that an infection infects and changes critical system files, but those can be replaced with clean copies off any install CD with a simple command. Some people may have 50 gigabytes of personal files on their computer, and some people have their computers set up a very specific way that would take hours or days to restore to working order after a format. Just because formatting is your choice does not mean it should be the first suggestion to somebody else.
- If your only problem is internet popups (even when no internet windows are open) or viruses infecting your files, and you still have control over your computer, then after “Setup”, follow the “Basic Removal” post.
- If you are infected by a program that’s only pretending to be a virus/spyware remover, and you know it’s fake…
If you are getting fake virus warnings from your own computer, not on internet pages…
If your wallpaper has changed to a fake warning…
If you are for some reason unable to fully control your own computer, like settings are locked…
If the basic removal failed…I suggest you use the “Advanced Removal” post after “setup”.
- If you have little to no control over your computer…
If something closes/kills any scanner you run…
If you can’t get into safe mode because of a Blue Screen error…
If you cannot run the Task Manager…
If your account(s) are no longer Administrator…
If the advanced removal failed…You should go to the “Super Removal” post.
These steps will help cripple most infections, making them easier to remove.
- Disable IE AddonsOpen Internet Explorer, and press the ALT key on your keyboard once. At the top, go to the “Tools” menu, and choose “Internet Options”. In the new window, on the Advanced tab you will find many options. Uncheck the option “Enable third party browser extensions”, and press OK. Close Internet Explorer.
- Disable System RestoreIf you’re on XP…
In your start menu, go to the control panel, and there should be a bunch of icons, one of them being “system”. If not, click “switch to classic view” on the left. Open “system”, and click the “system restore” tab at the top. In that section, click the checkbox to “turn off system restore on all drives”, if it not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point.
If you’re on Vista…
Open the start menu, right-click “Computer”, and click “properties”. In the new window, go near the top-left and click “System protection”. In a new window, you’ll see a list of your drives. Uncheck them. Tell windows that you want to turn system restore off by clicking the button when it asks you.
If you’re on Windows 7…
Open the start menu, right-click “Computer”, and click “properties”. In the new window, go near the top-left and click “System protection”. In a new window, you’ll see a list of your drives. Below that, click the “configure” button. In the next new window, choose “Turn off system protection”, then click the “OK” button.
- Remove Redirects
- Part AIf you’re on XP…
Open the start menu and click “run”. In the white box, type “regedit.exe” (without the quotes) and press enter.
If you’re on Vista or Windows 7…
Open the start menu and click in the white box at the bottom. Type “regedit.exe” (without the quotes) and press enter.
That will start the registry editor, which we will use to find where the current HOSTS file is.
On the left, double-click “HKEY_LOCAL_MACHINE”.
After that, double-click “System”.
Then, double-click “CurrentControlSet”.
After that, you want to open “Services”.
Almost done now, open “Tcpip”.
Finally, you want to open “Parameters”.
On the right side of the you will see three columns. “Name”, “Type”, and “Data”.
In the “Name” column, find “DataBasePath” and double-click it. Copy the “Value Data”.
Remember how you ran “regedit.exe” before? This time, instead of running regedit, you should paste that “Value Data” line in the “run” box (or the bottom of the start menu in Vista/7), and press enter. This will open the folder that has the HOSTS file!
It will just be called “hosts” and won’t have any special icon. Delete it.
- Part BThere’s a possibility that your computer has been set to use a different DNS server, instead of the clean one run by your internet company. These other DNS servers are usually bad, directing you to fake sites instead of real ones (like telling you that Jack’s house is in the middle of a highway, instead of giving you the real address).
To get around that, here’s instructions on using a clean DNS server (with pictures!).
If you don’t want to use OpenDNS, you can follow those instructions and put in google’s DNS servers. 18.104.22.168 and 22.214.171.124 are the IPs for them.
Avast! – www.avast.com
Microsoft Security essentials – www.microsoft.com/Security_essentials
Avira (Shows an ad) – From download.cnet.com.
AVG – From download.cnet.com.
ClamWin – www.clamwin.com
Comodo – antivirus.comodo.comPaid
Kaspersky – www.kaspersky.com
NOD32 – www.eset.com
Bitdefender – www.bitdefender.com
F-Secure – www.f-secure.com
Trend Micro – www.trendmicro.com
- If you don’t have some, pick out one Antivirus program and one Antispyware program from the “Programs” post. Please make sure you have at least one from both of the categories (antivirus and spyware scanner).
Do not buy one online right now, because somebody could use the infection to steal your financial information!
- Install the programs, run them and they might ask you to update the definitions. If so, let them.
- Then, go into Safe Mode, but read the rest of this post before you do that.This site has instructions on getting into safe mode.
Safe mode will not have internet (possibly no sound, either), and things may look weird.
Don’t panic, it’s only temporary. When you restart things will be back to normal.
- In safe mode, run the scanners, and heal/remove anything they find.
- Restart (which will get you out of safe mode) and things should be fixed!
If not, go to the “Advanced Removal” post.
- Microsoft Windows Malicious Software Removal Tool
This is the first program that you should download and run. It’s a tool that checks your computer for infection by specific viruses known to affect windows, it is not a replacement for a normal anti-virus, but it is useful in removing something that has already infected you.
- If your issue is a fake antivirus program, it should have a fake name it’s trying to use to sound legitimate.
If your virus scanner is picking up an infection but can’t remove it, it should also present you with some sort of name.Go to a search site (such as google, bing, yahoo, ask) and try to find instructions on removing the specific name of the infection. Type in something like “NAME removal”. The first few results should have specific instructions (or sometimes even a free program) specifically made to remove that type of infection. It’s best to follow those instructions first, since they can remove specific parts of an infection that generic guides miss.
- After following those instructions (or if you couldn’t find any), download and run this tool.
It comes in four “flavors”, if one doesn’t work try the others.
This will attempt to kill any active infections that would stop you from running removal tools.
Any time you restart, run one of these again.
- Then, run this tool.
http://www.internetinspiration.co.uk/roguefix.htmThat is an updated tool that will attempt to remove all known deep infections.
Follow all the instructions exactly (remember safe mode when it says to!) and give it time to do it’s job.
After downloading it, open a folder, any folder. Go to “Tools” at the top menu, and click “Folder options”. When a new window comes up, go to the the “view” section. Find and UNcheck “hide file extensions for known types”, save the changes. Then rename the text file you got from “roguefix.txt” to “roguefix.bat”, that way you can run it. Feel free to recheck the box afterwards, it’s only needed to be off so that you can run roguefix.
If you cannot run that tool for some reason, use one of these.
- When that program finishes, go back into normal mode and follow the “Basic Removal” instructions.
If that fixes your problem, skip on down to the “After Scanning” section.
If that still does not remove your infection, you may have a “Rootkit”, which hides files from windows itself.
Download and run this rootkit detector. Do not just “run” it, but actually save it somewhere you can find it, and then run it.
If you don’t know how to do this, post and ask us (be sure to tell us what browser program you view web pages with!)
Run that, and it will scan for things that are hidden to windows and normal programs. When it’s done, it’ll have a list of results. Look at a result, and look for it with a search engine like google or yahoo (search for the file/folder name along with the word “rootkit” ), and if the results involve a type of infection (spyware, adware, rogue software, malware, virus, trojan), you should see a removal guide.
Not everything it finds is bad! Some are involved with programs you know are safe (like firefox) or part of windows itself. When it’s done, you’ll find a log file where you saved the program. It will be named something like “fsbl-20090124034050.log”. If some things were found, open it (right-click it, choose “open with”, and choose Notepad or some other text editor) and show us what it says.
- Download it here. (It’s free.)
Run that when you have a blank CD in your computer and it will start creating the disc.
- When it’s done, take the disc out and label it if you want, then put it back in and restart your computer. You’ll need to tell your computer to boot the CD, there’s multiple ways it can be done. Once it’s started, go to step 3.A – Your computer may start the CD on it’s own.
B – When it’s first starting up you should see something like “press (something) to boot from CD”, or may just say “Boot from CD” If so, press that key (or enter) to start the CD.
C – If that doesn’t appear, you may see something like “F10 (or some other key) – Boot Menu”. If so, press that key, and then choose the CD drive from the list.
D – If you’re not given any of those options, there should be a “Press (some key) to enter setup” notice. Press that key to access your motherboard’s settings. You navigate around with the arrow keys, tab, enter, and escape. Somewhere in there should be an option for changing the “Boot order”. Choose that, and change it so that the CD drive is above the harddrive in the list. Press whatever key it is to save changes and exit, and the computer should now be able to boot off the CD.
- When the CD first starts, you’ll see a screen like this. You should press the “1” key on your keyboard.
(Click for full version)
- When the Live CD is fully started up, you’ll see two flags in the bottom-left.
The right-one (British flag) changes the language to english, click it.
- In the left-hand menu, click “Configuration”.
Select “Scan all files” and “Try to repair infected files”.
(Click for full version)
- In the left-hand menu, choose “Virus scanner”, then click “Start scan” near the bottom.
The scanning process may take a long time, this is normal.
(Click for full version)
- When the scanning is finished, go to the left and find “Miscellaneous” and click it, then click “Shutdown”.
The system shout shut down and eject the CD (or tell you to eject it) and then restart normally.
If that fixed the issue, go on down to the “After Scanning” post!
If this does nothing to fix the issue, then it’s possible that some critical windows system files are infected to the point that they cannot be healed. This will require removing the files (running the scan again with the “remove infected files” option selected), and replacing them with clean versions off a windows CD. How you would do this greatly depends on your situation, so ask us about doing a “repair install” and we will help you personally.
Visit that page, paste whatever you want to show us in the “Code” box, then click the “Paste it” button.
You will see a new page with the coding, just give us a link to the page and we can see it.
- If whatever programs you scanned with offers you a log, show it to us.
- Download and run the executable version of Hijack This!
http://free.antivirus.com/hijackthis/Choose “Do a system scan and save a log file”. It will open the log file when it’s done scanning. Please show us the log first, then continue these instructions.
Go to http://www.hijackthis.de and paste your log into the white box. Tell it to analyze your log, and it will scan it, and then give you the results after a small bit. The results will be a long list, but the only things you need to worry about are the symbols on each item in the list. Ones with a red X are bad, and you should go into hijackthis, and put a check next to every bad item. Then, after marking all the bad ones in hijackthis, tell it to delete the entries, which will fix the issues.
Run hijackthis again, so it makes another log, and show us the second log.
- Go to the “Setup” post, and follow the instructions on disabling Internet Explorer browser extensions, but this time turn them back on.
- Turn System Restore back on.
- Change your DNS settings back to “automatic”.
Here’s the page about it.
- If you find trying to run some programs gives you a message asking you what to open it with, then download this file, open it, and choose to run the file inside it. When it asks you if you want to merge/add the info to the registry, choose yes. After that, restart and you should be able to run programs properly again.
- And finally, this page covers the rest.
What can I do to prevent it?
Where do infections come from?
How can I spot bad programs?An ounce of prevention is worth a pound of cure.
Taking 30 seconds of your life every so often to keep your protection up to date can save you hours of fixing issues later.
- Q – How do I avoid getting viruses and spyware and all that other bad stuff?
A – Here’s a list of preventative measures you can take.
- Turn windows update on and leave it on! It’s very important that your version of windows is kept up to date!
- If you are in windows Vista/7, make sure UAC is on.
- Make sure to allow your antivirus to update automatically.
- Scan with your antispyware at least once a week, updating it with the update option in the program before you scan.
- Any good antivirus software (like the ones listed in this guide) will have what’s known as an “active guard” or “resident shield”. What that does is scan every file before it enters your computer, like a robot security guard at the door of a nightclub. If it detects an infection, it can stop it from doing anything, and alert you. Leave this option on.
- Spybot also has a neat tool, the “immunizer”. What this does it make it so that your computer cannot normally connect to any site that’s known to be a fake, or one that attempts to install infections.
- Using OpenDNS (http://opendns.org/) can help prevent infections from getting to your computer in the first place as well.
- Q – Why did my current program not protect me?
Here’s some possible reasons.
- It was not fully updated.
- It was a pay program, and you stopped paying for it, so it stopped protecting you.
- It was a scanner for a different type of infection then you got. Virus scanners usually will not scan for spyware/adware, and the same goes the other way way around.
- The virus managed to break your protection program.
- It could have been a rogue program that actually doesn’t protect you, see below for a bit of details.
Here’s a list of common places/ways people get infected.
This is one of the biggest. Yes, random advertisements on websites. Websites get paid by advertising companies to let the ad companies stick random ads in the website when it’s viewed. The ad companies get paid by people that want to advertise. The people that want to advertise pay the ad company, and give the ad company the code/image/file for the ad, which is then randomly given out to any sites that display it. Normally that works fine, but if some low-life uses a trick or three to stick an infection in an ad, it can show up in multiple sites for hours before it’s caught and removed. So almost any site that displays advertisements could possibly give an infection. The chances are slim, but it’s possible, even more on sites that deal in shady things, like ROMs or Warez or porn. This is partially why it’s so important to keep some protection that’s always on.
- Rogue Software
Sometimes you might see a random popup or a page claiming it’s scanning your computer, and showing you hundreds of problems it’s finding that claims it can fix. THESE ARE FALSE. It is not scanning your computer, it is not detecting issues, all it’s trying to do is scare you into buying it. You can usually tell by opening “My Computer” or “Computer” from the start menu and looking at your list of drives and comparing it to the fake screenshot the program is showing you.
- Crack/Serial/Warez Sites
These are absolutely packed with infections and should be avoided.
- P2P/Filesharing Programs (such as Limewire)
When you use these programs, you are downloading files from other people’s computers, and other people are downloading files from your computer. That’s why it’s called “file sharing”. If anybody has an infection on their computer, you can catch it since your computer connects to theirs in order to get the file. Every single one of these programs has a very high risk of infection, you should try to avoid these.Why not try these websites where you can listen to free legal music instead!
- Links In Instant Messengers
If you suddenly get a message over MSN/AIM/Live/Yahoo saying “hey, look at this cool thing”, or “are these pictures of you?”, or “hey look at these naked pictures of me!”, along with a link, you should ask the person if they sent it to you or not before you click on it. It could be a special type of worm, there are ones that will continue to spread because they send that message to everyone on the infected person’s buddy list. Same sort of thing as viruses in e-mails, it appears to be from somebody you know, but could easily be an infection.
Most importantly, if you are going to install a program, simply look it up. Go to a search website, and type in the name of the program. If the first few results are saying “It’s bad, here’s how you remove it!”, you should avoid it!
A – DO IT ANYWAY. Far too often people will skip steps, only to find they are still infected. Every step has a purpose. Follow them all.Q – Why doesn’t your sticky specifically list (name of infection here)?
A – There’s thousands and thousands of computer infections, just like there’s thousands and thousands of viral infections your IRL body can get, but there’s not thousands and thousands of cold medications, are there? There’s tons of breeds of dogs, but they’re all still dogs. You don’t buy dog food specifically for your dog’s breed+gender+age+color+attitude, do you? Most infections have core things in common with each other, so a few tools and instructions can remove 99% of computer infections people get. Furthermore the same infection can often call itself multiple names in order to try to disguise itself. This is most often true of infections that pretend to be virus scanners and try to scare you into “buying” them.
Q – A scanner is telling me that something I know is clean (for example, a game like maple story) is an infection, why?
A – Either it really DOES have an infection (viruses infect other programs in order to reproduce!), or the scanner you’re using is doing “heuristics” scanning. That’s where it takes the program, and basically puts it in a virtual environment and tests how it reacts to certain actions, and if it does anything the scanner finds suspicious (that the scanner thinks it has no right doing, like a fast food employee carrying a gun), the scanner will mark it with a generic alert based on what type of infection the scanner thinks it is.
http://www.virustotal.com/ – Go there, upload the file it says is infected, and it will scan it with many virus scanners. There you can see what the results are. If only a small percentage of the scanners mark it as bad, and they use generic terms, like just “spyware” or “trojan” or “keylogger”, then you can assume that the file is really clean. Real viruses are given codenames, like “Fojack” or “Hidrag.a”.
Q – What is all this stuff about DNS and HOSTS?
A – DNS means “Domain Name Server”. A DNS server keeps information which web address relates to which IP address on the internet (like how google.com is 126.96.36.199). It’s sort of like how “Jack’s house” means “123 Oak Tree Lane” in the real world. Unfortunately, sometimes an infection will misdirect your computer, sending it to the wrong websites. We can do a few things to stop that.
The HOSTS file is a file on windows that holds information about DNS entries on your own computer, it’s usually used to bypass a normal DNS server for whatever reason. Unfortunately infections will add entries that make real sites redirect to fake sites… so we will delete the HOSTS file so that it cannot be used for evil. Your computer can work without it, and if it’s needed it will be recreated later, but for now it can be considered dangerous.
Q – What’s a tracking cookie?
A tracking cookie is not a virus, it will not hurt your computer. They are used by ads on websites for marking purposes. They record what “genre” of sites you generally visit (such as anime sites, military sites, car sites) so that the advertisements on a site know which types of ads to show you. They do not record any personal information about you, they do not know who you are.
A cookie is a text file created by a website on your computer to store information about what you’ve done there. A text file is several kilobytes, which is one thousandth of a megabyte, which in turn, is one thousandth of a gigabyte. It would take millions of cookies to amount to anything that might slow down your computer.
For any questions, queries please do not hesitate to leave a comment in the queries page at the bottom of the page or contact us at firstname.lastname@example.org
Join us on facebook