Infection Removal Guide This guide will cover basic infection removal. If you have an infection you'd like to remove... Please follow the Setup and then Removal posts. If that doesn't fix it, look at Advanced Removal. If you want to learn how to stop future infections... Check out the Infection Prevention Guide lower in this post. Intro/T.O.C. Setup Removal Advanced Removal Setup Warning: Spoilers inside! Setup Before you start removing infections, there's a few precautions you should take. These steps will help cripple most infections, making them easier to remove. Restore file associations. Sometimes infections will remove your ability to directly run programs. This is often done so that while you can use shortcuts to still launch your browser and other programs, you can't run installers or tools to remove the infection. Luckily this is a quick fix. www.dougknox.com/xp/fileassoc/xp_exe_fix.zip Download that file and open/run it. You should see something called xp_exe_fix.reg inside. Double-click that, and you should get a confirmation/warning. Click the Yes or Merge button (whatever your system says) to fix the EXE association information. You may need to restart afterwards before programs will run. Disable Browser Addons During the removal, you should run your browser with addons disabled so they don't get in the way of removing the infection. Internet Explorer In your start menu's programs list, go to Accessories, then System Tools, and then Internet Explorer (No Addons). Firefox Hold down the Shift key while starting firefox to go into it's Safe Mode (which has addons disabled). Chrome Open chrome normally, then press CTRL+SHIFT+N to open an incognito window, which has addons disabled. Close the original window and use the incognito one. Disable System Restore Viruses and other infections can hide in restore points, so we need to clear them. XP In your start menu, go to the control panel, and there should be a bunch of icons, one of them being system. If not, click switch to classic view on the left. Open system, and click the system restore tab at the top. In that section, click the checkbox to turn off system restore on all drives, if it not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point. Vista Open the start menu, right-click Computer, and click properties. In the new window, go near the top-left and click System protection. In a new window, you'll see a list of your drives. Uncheck them. Tell windows that you want to turn system restore off by clicking the button when it asks you. Windows 7 Open the start menu, right-click Computer, and click properties. In the new window, go near the top-left and click System . In a new window, you'll see a list of your drives. Below that, click the configure button. In the next new window, choose Turn off system protection, then click the OK button. Delete the HOSTS file. The HOSTS file can be used to redirect good addresses (like google.com) to bad ones (like thiswebsiteisavirus.com), so we should delete it to be safe. In your start/globe menu, go to the Run command. If you're on vista/7, you'd click in it the little white box near the bottom. Copy the below text and paste it in the box, then press [/b]enter[/b]. %systemroot%\System32\drivers\etc\ In the folder that pops up, there should be a file named hosts with no extension. Delete it. Removal Warning: Spoilers inside! Removal Malicious Software Removal Tool Malicious Software Removal Tool (32-bit) Malicious Software Removal Tool (64-bit) This is the first program that you should download and run. It's a tool that checks your computer for infection by specific viruses known to affect windows, it is not a replacement for a normal anti-virus, but it is useful in removing something that has already infected you. rKill This tool will further attempt to kill any malicious program that's running, so we can actually get on with the removal. It comes in five "flavors", if one doesn't work try the others. http://download.bleepingcomputer.com/grinler/rkill.exe http://download.bleepingcomputer.com/grinler/rkill.com http://download.bleepingcomputer.com/grinler/eXplorer.exe http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe http://download.bleepingcomputer.com/grinler/iExplore.exe Anti-Malware Next thing to do is a scan with an anti-malware. Download and install Malwarebytes, let it update, and then run a full scan with it. Fix/remove whatever it finds. www.malwarebytes.org Anti-Virus (Run-Once) It's time to do an antivirus scan, this is a run-once tool meant to remove any existing standard virus infections. Download and run this tool, and allow it to scan your computer. www.microsoft.com/security/scanner/ Anti-Virus (Boot-Time) It's time for another antivirus scan, but this will be done a bit differently. Download and install Avast, then open the control window (main window). Go to the menu, and choose Schedule Boot-Time Scan. In the new window select scan all local discs and then confirm the schedule. After that, restart and Avast should boot before anything else, and it should scan and remove whatever it can find. www.avast.com Advanced Removal Warning: Spoilers inside! Advanced Removal If the normal removal steps didn't work or you can't follow them... We can help you get past those blocks personally. We will need certain pieces of info from you. Post a thread with the following info. Windows version. In the start/orb menu there should be a My Computer or Computer option. Right-click it and click Properties. The new window that comes up should have information about which version of Windows you're using. If you're not sure which info it is, just take a screenshot for us. Nature of infection. What's the exact problem? Are you getting slowdown? Random ads popping up? Google search is redirecting to ads? Can't open the task manager? Can't access certain files? Persistent ad trying to scare you out of your money? Tell us exactly what's going on, and remember that a picture tells a thousand words, and we like screenshots! Why you can't remove. Unable to download one or more of the programs? Can't find a setting the guide told you to find? Can't run any of the programs for some reason? Did the programs run but not find anything? Does the infection keep coming back after you remove it? The more you tell us about the situation, the easier it'll be to find the source of the infection and get rid of it. HijackThis log. Download and run the executable version of HijackThis from free.antivirus.com/hijackthis. Choose Do a system scan and save a log file. It will open the log file when it's done scanning. Visit dpaste.com and copy-paste the log into the big white box and submit/paste it. Then give us the link of the new page. Msconfig startup list. In your start/globe menu, go to the Run command. If you're on vista/7, you'd click in it the little white box near the bottom. Type msconfig, then press enter. In the new window, click the Startup tab, then take screenshots to show us everything that's checked. Infection Prevention Guide This guide will show you how to prevent infections in the first place. Intro/T.O.C. Program List Future Prevention F.A.Q. Program List Warning: Spoilers inside! Program ListThere's multiple classifications of infection in the computer world, just like there's multiple classifications of infections in the real world (for example viruses versus bacteria versus fungal infections). These infections work in different ways, and are often removed in different ways as well. There's two main common categories for computer infections because of this. The first is "viruses", this generally includes viruses, worms, trojans, and malicious modifications to core system files. The second is "malware", which generally includes spware, adware, rogue software, and malicious system settings changes. Often a scanner for one category won't aim for the other category due to the major differences, so it's recommended to have two programs. One antivirus and one antimalware, unless you have an antivirus that specifically includes antimalware instead (such as one of the paid anti-virus programs.) It's important to only keep one anti-virus program installed at a time. Antivirus programs aren't normal programs, they hook into core parts of the system (such as filesystem I/O) and expect to be the only things doing so. Having multi antivirus programs can actually cause them to perform worse, or actually damage your system under rare circumstances. Anti-virus Free Avast! - Has a boot-time scanner which can be really helpful to remove infections. Microsoft Security essentials - Good at staying out of your way unless there's an issue. Updates definitions along with Windows Update, is light on requirements. Comodo - Includes a software firewall and other such additional protections, but may be too restrictive for power users. Avira - Standard antivirus, but the free version displays an ad when it updates. AVG - Light on requirements, but can be seen as a little behind the times. Paid Kaspersky - Big focus on Heuristics, so it can often catch infections before other AV programs can. NOD32 - Low amount of false positives. Bitdefender - Big focus on phishing protection, includes various other things such as parental controls (but the controls are easily bypassed). F-Secure - Very fast and lightweight, but weak anti-malware protection. Trend Micro - Website blocker, modern firewall, and a spam filter. Not the best malware protection. Anti-Malware Free MalwareBytes - Excellent, takes steps that other programs don't in order to remove stubborn infections. SUPERAntiSpyware - Light on resources when scanning. Spybot S&D - And old standby, but can be considered deprecated. The TeaTimer component should not be installed or used. Future Prevention Warning: Spoilers inside! Future Prevention How did I get that infection in the first place? What can I do to prevent it? Where do infections come from? How can I spot bad programs? An ounce of prevention is worth a pound of cure. Q - How do I avoid getting viruses and spyware and all that other bad stuff? A - Here's a list of preventative measures you can take. Turn windows update on and leave it on! It's very important that your version of windows is kept up to date! If you are in windows Vista/7, make sure UAC is on. Make sure to allow your antivirus to update automatically. make sure your web browser is always updating, It doesn't matter if you like the look if Firefox 0.9 better, if it's way out of date you shouldn't be using it as the security holes in it will not be fixed. There's often methods and options to make new programs look or function like old ones, so just update and get used to it. Running an older browser is just asking for infections. Make sure that your antivirus is set to automatically scan every file that's created/modified. Any good antivirus software will have what's known as an "active guard" or "resident shield". What that does is scan every file before it enters your computer, like a robot security guard at the door of a nightclub. If it detects an infection, it can stop it from doing anything, and alert you. Q - Why did my current program not protect me? A - Here's some possible reasons. It was not fully updated. It was a pay program, and you stopped paying for it, so it stopped protecting you. It was a scanner for a different type of infection then you got. Virus scanners usually will not scan for spyware/adware, and the same goes the other way way around. The virus managed to break your protection program. What you thought was your protection program could have been a rogue program that actually doesn't protect you and was just scamming you for money by giving you false error reports. What you think is an infection is actually on your computer legally. Increasingly now programs that are normally good may also install other software that displays ads. If it's in the EULA and you click the "agree" button, then it's on your computer legally, so virus scanners often won't pick it up! You need to be very careful because installers will use all sorts of tricks to get you to agree to install additional software! They'll swap what buttons do what, hide the "do not install" option unless you click certain areas, and more. Q - Where do infections come from? A - Many, many places. Advertisements Yes, random advertisements on websites can attempt to infect your computer. You can even get infected by good sites like The New York Times. Almost any site that displays advertisements could possibly give an infection, this is partially why it's so important to keep some protection that's always on. Rogue Software Sometimes you might see a random popup or a page claiming it's scanning your computer, and showing you hundreds of problems it's finding that claims it can fix. THESE ARE FALSE. It is not scanning your computer, it is not detecting issues, all it's trying to do is scare you into buying it. Crack/Serial/Warez Sites These are absolutely packed with infections and should be avoided. Their advertisements are rarely monitored and often contain infections, and the cracks and warez on the site itself often hide keyloggers and other such infections. P2P/Filesharing Programs When you use programs like Frostwire, you are downloading files directly from other people's computers, and other people are downloading files from your computer. That's why it's called "file sharing"! If anybody has an infection on their computer, you could catch it since your computer connects to theirs in order to get the file. Every single one of these programs has a very high risk of infection, you should try to avoid these. The Done To Death sticky has lists of where to get free music safely and legally. These are just a few of the places to pick up infections. The people who make them are always looking into new ways to infect a large amount of machines, so if you're not sure on something look it up before you use it! F.A.Q. Warning: Spoilers inside! F.A.Q. Q - A lot of the steps in the Removal Guide seem useless, do I still need to do it all? A - Every step has a purpose. Far too often people will skip steps, only to find they are still infected later. By the very nature of many infections, it's best that they remain hidden. After all, if you KNOW there's an infection you're going to try to remove it, right? Most actual viruses and bad infections will do all they can to prevent you from finding them, because they don't want you to try to remove them. Some steps you're told to follow may seem excessive, but they will catch stuff a simple virus scan won't. Q - Why not just format when you get infected? A - At least once a month, windows receives automatic security updates. These fix security holes that viruses and other types of infections can use to get into your computer and mess it up. When you format and reinstall windows, you are taking it back to a time before all the updates, meaning you are just opening the door for even more infections to get in! Most of the time it's better to remove the current infection and then take steps (listed in the "future prevention" post) to prevent reinfection. Formatting is a last resort, some people may have 50 gigabytes of personal files on their computer, and some people have their computers set up a very specific way that would take hours or days to restore to working order after a format. Just because formatting is your choice does not mean it should be the first suggestion to somebody else. Q - Why doesn't the Removal Guide specifically list (name of infection here)? A - There's thousands and thousands of computer infections, but most infections can be categorized into groups based on how they work, so a few tools and instructions can remove most of the computer infections people get. Furthermore the same infection can often call itself multiple names in order to try to disguise itself. This is most often true of infections that pretend to be virus scanners and try to scare you into "buying" them. Q - I found this (verified legit) program that I installed and it scanned my computer and says it found the problem and is only asking me $30 to remove it, isn't that a good deal? A - No, these programs are often just out for your money. If the program has scanned and found issues, that's the hard part. The actual fix should be easy, so the fact that it's waiting until then to make you pay shows that it's just after your money. This is especially true if the program doesn't actually tell you what and where the problems are, this shows that the makers of the program don't want you going and fixing it yourself. They're not interested in actually fixing your problem, they just want to scare you out of your money. Q - A scanner is telling me that something I know is clean (for example, a game like Maple Story) is an infection, why? A - Either it really DOES have an infection (remember that viruses infect other programs in order to reproduce!), or the scanner you're using is doing "heuristics" scanning. That's where it takes the program, and basically puts it in a virtual environment and tests how it reacts to certain actions, and if it does anything the scanner finds suspicious (that the scanner thinks it has no right doing, like a fast food employee carrying a gun), the scanner will mark it with a generic alert based on what type of infection the scanner thinks it is. http://www.virustotal.com/ - Go there, upload the file it says is infected, and it will scan it with many virus scanners. There you can see what the results are. If only a small percentage of the scanners mark it as bad, and they use generic terms, like just "spyware" or "trojan" or "keylogger", then you can assume that the file is really clean. Real viruses are given codenames, like "Fojack" or "Hidrag.a". Q - What is all this stuff about DNS and HOSTS? A - DNS means "Domain Name Server". A DNS server keeps information which web address relates to which IP address on the internet (like how google.com is 184.108.40.206). It's sort of like how "Jack's house" means "123 Oak Tree Lane" in the real world. Unfortunately, sometimes an infection will misdirect your computer, sending it to the wrong websites. The HOSTS file is a file on windows that holds information about DNS entries on your own computer, it's usually used to bypass a normal DNS server for whatever reason. Unfortunately infections will add entries that make real sites redirect to fake sites. Q - What's a tracking cookie? A - A tracking cookie is not a virus, it will not hurt your computer. They are used by ads on websites for marketing purposes. They record what "genre" of sites you generally visit (such as anime sites, military sites, car sites) so that the advertisements on a site know which types of ads to show you. They do not record any personal information about you, they do not know who you are. A cookie is a text file created by a website on your computer to store information about what you've done there. A text file is several kilobytes, which is one thousandth of a megabyte, which in turn, is one thousandth of a gigabyte. It would take millions of cookies to amount to anything that might slow down your computer.