# Spyware/Adware/Virus/Trojan/Rootkit/Keylogger Removal Guide



## Rydian (Feb 14, 2010)

<div align="center"><u>Spyware/Adware/Virus/Trojan/Rootkit/Keylogger Removal Guide</u>

So, you're obviously here because your computer has some sort of problem.
We're gonna fix you up, and, with a little effort, prevent problems from occurring in the future.</div>

<div align="center"><b>FORMATTING IS A LAST RESORT ONLY!</b></div>
Please note that a (re)format (when you wipe the computer and reinstall Windows) is rarely needed to get rid of a computer infection. A worst case scenario is that an infection infects and changes critical system files, but those can be replaced with clean copies off any install CD with a simple command. Some people may have 50 gigabytes of personal files on their computer, and some people have their computers set up a very specific way that would take hours or days to restore to working order after a format. Just because formatting is <i>your</i> choice does not mean it should be the first suggestion to <i>somebody else</i>.



### Basic, Advanced, or Super removal?





1. If your only problem is internet popups (even when no internet windows are open) or viruses infecting your files, and you still have control over your computer, then after "Setup", follow the "Basic Removal" post.

2. If you are infected by a program that's only pretending to be a virus/spyware remover, and you know it's fake...
   If you are getting fake virus warnings from your own computer, not on internet pages...
   If your wallpaper has changed to a fake warning...
   If you are for some reason unable to fully control your own computer, like settings are locked...
   If the basic removal failed...

   I suggest you use the "Advanced Removal" post after "Setup".

3. If you have little to no control over your computer...
   If something closes/kills any scanner you run...
   If you can't get into safe mode because of a Blue Screen error...
   If you cannot run the Task Manager...
   If your account(s) are no longer Administrator...
   If the advanced removal failed...

   You should go to the "Super Removal" post.





### Setup





Before you start removing infections, there are a few precautions you should take.
These steps will help cripple most infections, making them easier to remove.

1. <u>Disable IE Addons</u>

   Open Internet Explorer, and press the ALT key on your keyboard once. At the top, go to the "Tools" menu, and choose "Internet Options". In the new window, on the Advanced tab you will find many options. Uncheck the option "Enable third party browser extensions", and press OK. Close Internet Explorer.

2. <u>Disable System Restore</u>

   <b>If you're on XP...</b>
   In your start menu, go to the control panel, and there should be a bunch of icons, one of them being "System". If not, click "switch to classic view" on the left. Open "System", and click the "System Restore" tab at the top. In that section, click the checkbox to "turn off system restore on all drives", if it is not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point.

   <b>If you're on Vista...</b>
   Open the start menu, right-click "Computer", and click "properties". In the new window, go near the top-left and click "System protection". In a new window, you'll see a list of your drives. Uncheck them. Tell Windows that you want to turn system restore off by clicking the button when it asks you.

   <b>If you're on Windows 7...</b>
   Open the start menu, right-click "Computer", and click "properties". In the new window, go near the top-left and click "System protection". In a new window, you'll see a list of your drives. Below that, click the "configure" button. In the next new window, choose "Turn off system protection", then click the "OK" button.

3. <u>Remove Redirects</u>

   <b>Part A</b>

   <b>If you're on XP...</b>
   Open the start menu and click "run". In the white box, type "regedit.exe" (without the quotes) and press enter.

   <b>If you're on Vista or Windows 7...</b>
   Open the start menu and click in the white box at the bottom. Type "regedit.exe" (without the quotes) and press enter.

   That will start the registry editor, which we will use to find where the <i>current</i> HOSTS file is.
   On the left, double-click "<b>HKEY_LOCAL_MACHINE</b>".
   After that, double-click "<b>System</b>".
   Then, double-click "<b>CurrentControlSet</b>".
   After that, you want to open "<b>Services</b>".
   Almost done now, open "<b>Tcpip</b>".
   Finally, you want to open "<b>Parameters</b>".

   On the right side of the window you will see three columns: "Name", "Type", and "Data".
   In the "Name" column, find "DataBasePath" and double-click it. Copy the "Value Data".

   Remember how you ran "regedit.exe" before? This time, instead of running regedit, you should paste that "Value Data" line in the "run" box (or the bottom of the start menu in Vista/7), and press enter. This will open the folder that has the HOSTS file!

   It will just be called "hosts" and won't have any special icon. Delete it.

   <b>Part B</b>

   There's a possibility that your computer has been set to use a different DNS server, instead of the clean one run by your internet company. These other DNS servers are usually bad, directing you to fake sites instead of real ones (like telling you that Jack's house is in the middle of a highway, instead of giving you the real address).

   To get around that, <a href="https://store.opendns.com/setup/computer/" target="_blank">here are instructions on using a clean DNS server</a> (with pictures!).
   If you don't want to use OpenDNS, you can follow those instructions and put in Google's DNS servers. 8.8.8.8 and 8.8.4.4 are the IPs for them.





### Programs List





<u>Anti-virus</u>
<b>Free</b>
Avast! - <a href="http://www.avast.com/eng/download-avast-home.html" target="_blank">www.avast.com</a>
Microsoft Security Essentials - <a href="http://www.microsoft.com/Security_essentials/" target="_blank">www.microsoft.com/Security_essentials</a>
Avira (Shows an ad) - From <a href="http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914" target="_blank">download.cnet.com</a>.
AVG - From <a href="http://download.cnet.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?part=dl-10044820&subj=dl&tag=button&cdlPid=11014801" target="_blank">download.cnet.com</a>.
ClamWin - <a href="http://www.clamwin.com/" target="_blank">www.clamwin.com</a>
Comodo - <a href="http://antivirus.comodo.com/" target="_blank">antivirus.comodo.com</a>

<b>Paid</b>
Kaspersky - <a href="http://usa.kaspersky.com/products_services/anti-virus.php" target="_blank">www.kaspersky.com</a>
NOD32 - <a href="http://www.eset.com/purchase/" target="_blank">www.eset.com</a>
Bitdefender - <a href="http://www.bitdefender.com/" target="_blank">www.bitdefender.com</a>
F-Secure - <a href="http://www.f-secure.com/en_US/products/home-office/antivirus/index.html" target="_blank">www.f-secure.com</a>
Trend Micro - <a href="http://us.trendmicro.com/us/products/personal/antivirus-plus-anti-spyware/index.html" target="_blank">www.trendmicro.com</a>


<u>Spyware scanner</u>
<b>Free</b>
Spybot S&D - <a href="http://www.safer-networking.org/en/spybotsd/index.html" target="_blank">www.safer-networking.org</a>
AdAware - <a href="http://www.lavasoft.com/products/ad_aware_free.php" target="_blank">www.lavasoft.com</a>
SUPERAntiSpyware - <a href="http://www.superantispyware.com/superantispywarefreevspro.html" target="_blank">www.superantispyware.com</a>
MalwareBytes - <a href="http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button" target="_blank">www.malwarebytes.org</a>





### Basic Removal





1. If you don't have some, pick out one antivirus program and one antispyware program from the "Programs" post. Please make sure you have at least one from both of the categories (antivirus and spyware scanner).
   <b>Do not buy one online right now, because somebody could use the infection to steal your financial information!</b>

2. Install the programs, run them and they might ask you to update the definitions. If so, let them.

3. Then, go into Safe Mode, but read the rest of this post before you do that.

   This site has instructions on getting into safe mode.
   <a href="http://www.computerhope.com/issues/chsafe.htm" target="_blank">http://www.computerhope.com/issues/chsafe.htm</a>
   Safe mode will not have internet (possibly no sound, either), and things may look weird.
   Don't panic, it's only temporary. When you restart things will be back to normal.

4. In safe mode, run the scanners, and heal/remove anything they find.

5. Restart (which will get you out of safe mode) and things should be fixed!

If so, go on down to the "After Scanning" post.
If not, go to the "Advanced Removal" post.





### Advanced Removal





1. <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en" target="_blank">Microsoft Windows Malicious Software Removal Tool</a>
   This is the first program that you should download and run. It's a tool that checks your computer for infection by specific viruses known to affect Windows. It is not a replacement for a normal anti-virus, but it is useful in removing something that has already infected you.

2. If your issue is a fake antivirus program, it should have a fake name it's trying to use to sound legitimate.
   If your virus scanner is picking up an infection but can't remove it, it should also present you with some sort of name.

   Go to a search site (such as Google, Bing, Yahoo, Ask) and try to find instructions on removing the specific name of the infection. Type in something like <i>"NAME removal"</i>. The first few results should have specific instructions (or sometimes even a free program) specifically made to remove that type of infection. It's best to follow those instructions first, since they can remove specific parts of an infection that generic guides miss.

3. After following those instructions (or if you couldn't find any), download and run this tool.
   It comes in four "flavors"; if one doesn't work, try the others.
   <a href="http://download.bleepingcomputer.com/grinler/rkill.exe" target="_blank">http://download.bleepingcomputer.com/grinler/rkill.exe</a>
   <a href="http://download.bleepingcomputer.com/grinler/rkill.com" target="_blank">http://download.bleepingcomputer.com/grinler/rkill.com</a>
   <a href="http://download.bleepingcomputer.com/grinler/rkill.scr" target="_blank">http://download.bleepingcomputer.com/grinler/rkill.scr</a>
   <a href="http://download.bleepingcomputer.com/grinler/rkill.pif" target="_blank">http://download.bleepingcomputer.com/grinler/rkill.pif</a>
   This will attempt to kill any active infections that would stop you from running removal tools.
   <b>Any time you restart, run one of these again.</b>

4. Then, run this tool.
   <a href="http://www.internetinspiration.co.uk/roguefix.htm" target="_blank">http://www.internetinspiration.co.uk/roguefix.htm</a>

   That is an updated tool that will attempt to remove all known deep infections.
   Follow all the instructions exactly (remember safe mode when it says to!) and give it time to do its job.

   After downloading it, open a folder, any folder. Go to "Tools" at the top menu, and click "Folder options". When a new window comes up, go to the "View" section. Find and <b>UNcheck</b> "hide file extensions for known types", and save the changes. Then rename the text file you got from "roguefix.txt" to "roguefix.bat", so that you can run it. Feel free to recheck the box afterwards; it only needs to be off so that you can run roguefix.

   If you cannot run that tool for some reason, use one of these.
   <a href="http://www.bleepingcomputer.com/combofix/how-to-use-combofix" target="_blank">http://www.bleepingcomputer.com/combofix/how-to-use-combofix</a>
   <a href="http://siri.geekstogo.com/SmitfraudFix.php" target="_blank">http://siri.geekstogo.com/SmitfraudFix.php</a>

5. When that program finishes, go back into normal mode and follow the "Basic Removal" instructions.
   If that fixes your problem, skip on down to the "After Scanning" section.

<i>If that still does not remove your infection</i>, you may have a "Rootkit", which hides files from Windows itself.

Download and run this rootkit detector. Do not just "run" it, but actually save it somewhere you can find it, and then run it.
If you don't know how to do this, post and ask us (be sure to tell us what browser program you view web pages with!)
<a href="ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe" target="_blank">ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe</a>

Run that, and it will scan for things that are hidden to Windows and normal programs. When it's done, it'll have a list of results. Look at a result, and look for it with a search engine like Google or Yahoo (search for the file/folder name along with the word "rootkit"), and if the results involve a type of infection (spyware, adware, rogue software, malware, virus, trojan), you should see a removal guide.

Not everything it finds is bad! Some are involved with programs you know are safe (like Firefox) or part of Windows itself. When it's done, you'll find a log file where you saved the program. It will be named something like "fsbl-20090124034050.log". If some things were found, open it (right-click it, choose "open with", and choose Notepad or some other text editor) and show us what it says.





### Super Removal





A Live CD is a disc that runs its own operating system. What a Live CD allows you to do is do things on your computer even if something in Windows is really messed up. This also means that any infection will not be active, so the Live CD is free to scan and remove viruses without interference. The down side is it requires you to burn a CD (you will probably need to burn it from another computer), and the scan can take a while.

1. <a href="http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html" target="_blank">Download it here.</a> (It's free.)
   Run that when you have a blank CD in your computer and it will start creating the disc.

2. When it's done, take the disc out and label it if you want, then put it back in and restart your computer. You'll need to tell your computer to boot the CD; there are multiple ways it can be done. Once it's started, go to step 3.

   A - Your computer may start the CD on its own.

   B - When it's first starting up you should see something like "press (something) to boot from CD", or it may just say "Boot from CD". If so, press that key (or enter) to start the CD.

   C - If that doesn't appear, you may see something like "F10 (or some other key) - Boot Menu". If so, press that key, and then choose the CD drive from the list.

   D - If you're not given any of those options, there should be a "Press (some key) to enter setup" notice. Press that key to access your motherboard's settings. You navigate around with the arrow keys, tab, enter, and escape. Somewhere in there should be an option for changing the "Boot order". Choose that, and change it so that the CD drive is above the hard drive in the list. Press whatever key it is to save changes and exit, and the computer should now be able to boot off the CD.

3. When the CD first starts, you'll see a screen like this. You should press the "1" key on your keyboard.
   <a href="http://img264.imageshack.us/img264/6329/31710781.gif" target="_blank"><img src="http://img81.imageshack.us/img81/8527/rescuecd369scr01.th.jpg" border="0" class="linked-image" /></a>
   (Click for full version)

4. When the Live CD is fully started up, you'll see two flags in the bottom-left.
   The right one (British flag) changes the language to English; click it.
   <img src="http://img137.imageshack.us/img137/6757/flags.gif" border="0" class="linked-image" />

5. In the left-hand menu, click "Configuration".
   Select "Scan all files" and "Try to repair infected files".
   <a href="http://img81.imageshack.us/img81/3107/configg.gif" target="_blank"><img src="http://img81.imageshack.us/img81/3107/configg.th.gif" border="0" class="linked-image" /></a>
   (Click for full version)

6. In the left-hand menu, choose "Virus scanner", then click "Start scan" near the bottom.
   The scanning process may take a long time; this is normal.
   <a href="http://img217.imageshack.us/img217/7999/start.gif" target="_blank"><img src="http://img217.imageshack.us/img217/7999/start.th.gif" border="0" class="linked-image" /></a>
   (Click for full version)

7. When the scanning is finished, go to the left and find "Miscellaneous" and click it, then click "Shutdown".
   The system should shut down and eject the CD (or tell you to eject it) and then restart normally.

   <img src="http://img230.imageshack.us/img230/2014/shutdown.gif" border="0" class="linked-image" />

If that fixed the issue, go on down to the "After Scanning" post!


If this does nothing to fix the issue, then it's possible that some critical Windows system files are infected to the point that they cannot be healed. This will require removing the files (running the scan again with the "remove infected files" option selected), and replacing them with clean versions off a Windows CD. How you would do this greatly depends on your situation, so ask us about doing a "repair install" and we will help you personally.





### After Scanning





After your infection seems to be gone, it's best to do a few things just to be sure! When you're going to show us a log, it's best to put it on another site and give us a link. This saves space in a thread, and also prevents the forum system from removing anything it thinks may be harmful (such as malicious javascript) or a smiley.

This is a site you can use.
<a href="http://dpaste.com/" target="_blank">http://dpaste.com/</a>
Visit that page, paste whatever you want to show us in the "Code" box, then click the "Paste it" button.
You will see a new page with the coding; just give us a link to the page and we can see it.

1. If whatever programs you scanned with offer you a log, show it to us.

2. Download and run the executable version of HijackThis!
   <a href="http://free.antivirus.com/hijackthis/" target="_blank">http://free.antivirus.com/hijackthis/</a>

   Choose "Do a system scan and save a log file". It will open the log file when it's done scanning. Please show us the log first, then continue these instructions.

   Go to www.hijackthis.de and paste your log into the white box. Tell it to analyze your log, and it will scan it, and then give you the results after a small bit. The results will be a long list, but the only things you need to worry about are the symbols on each item in the list. Ones with a red X are bad, and you should go into HijackThis, and put a check next to every bad item. Then, after marking all the bad ones in HijackThis, tell it to delete the entries, which will fix the issues.

   Run HijackThis again, so it makes another log, and show us the second log.





### Cleanup





So you're done removing the infection, but there are a few things to change back.

1. Go to the "Setup" post, and follow the instructions on disabling Internet Explorer browser extensions, but this time turn them back on.

2. Turn System Restore back on.

3. Change your DNS settings back to "automatic".
   <a href="https://store.opendns.com/setup/computer/" target="_blank">Here's the page about it.</a>

4. If you find trying to run some programs gives you a message asking you what to open it with, then download <a href="http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip" target="_blank">this file</a>, open it, and choose to run the file inside it. When it asks you if you want to merge/add the info to the registry, choose yes. After that, restart and you should be able to run programs properly again.

5. And finally, this page covers the rest.
   <a href="http://www.internetinspiration.co.uk/pc_clean_up.htm" target="_blank">http://www.internetinspiration.co.uk/pc_clean_up.htm</a>





### Future Prevention





<div align="center"><b>How did I get that infection in the first place?
What can I do to prevent it?
Where do infections come from?
How can I spot bad programs?</b>

An ounce of prevention is worth a pound of cure.
Taking 30 seconds of your life every so often to keep your protection up to date can save you hours of fixing issues later.</div>

- <b>Q - How do I avoid getting viruses and spyware and all that other bad stuff?</b>
  A - Here's a list of preventative measures you can take.
  1. Turn Windows Update on and leave it on! It's very important that your version of Windows is kept up to date!
  2. If you are on Windows Vista/7, <a href="http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off" target="_blank">make sure UAC is on</a>.
  3. Make sure to allow your antivirus to update automatically.
  4. Scan with your antispyware at least once a week, updating it with the update option in the program before you scan.
  5. Any good antivirus software (like the ones listed in this guide) will have what's known as an "active guard" or "resident shield". What that does is scan every file before it enters your computer, like a robot security guard at the door of a nightclub. If it detects an infection, it can stop it from doing anything, and alert you. Leave this option on.
  6. Spybot also has a neat tool, the "immunizer". What this does is make it so that your computer cannot normally connect to any site that's known to be a fake, or one that attempts to install infections.
  7. Using OpenDNS (http://opendns.org/) can help prevent infections from getting to your computer in the first place as well.

- <b>Q - Why did my current program not protect me?</b>
  Here are some possible reasons.
  1. It was not fully updated.
  2. It was a pay program, and you stopped paying for it, so it stopped protecting you.
  3. It was a scanner for a different type of infection than the one you got. Virus scanners usually will not scan for spyware/adware, and the same goes the other way around.
  4. The virus managed to break your protection program.
  5. It could have been a rogue program that actually doesn't protect you; see below for a bit of detail.

<u>Here's a list of common places/ways people get infected.</u>

- <b>Advertisements</b>
  This is one of the biggest. Yes, random advertisements on websites. Websites get paid by advertising companies to let the ad companies stick random ads in the website when it's viewed. The ad companies get paid by people that want to advertise. The people that want to advertise pay the ad company, and give the ad company the code/image/file for the ad, which is then randomly given out to any sites that display it. Normally that works fine, but if some low-life uses a trick or three to stick an infection in an ad, it can show up in multiple sites for hours before it's caught and removed. <i>So almost any site that displays advertisements could possibly give an infection.</i> The chances are slim, but it's possible, even more on sites that deal in shady things, like ROMs or Warez or porn. This is partially why it's so important to keep some protection that's always on.

- <b>Rogue Software</b>
  Sometimes you might see a random popup or a page claiming it's scanning your computer, and showing you hundreds of problems it's finding that it claims it can fix. THESE ARE FALSE. It is not scanning your computer, it is not detecting issues; all it's trying to do is scare you into buying it. You can usually tell by opening "My Computer" or "Computer" from the start menu and looking at your list of drives and comparing it to the fake screenshot the program is showing you.

- <b>Crack/Serial/Warez Sites</b>
  These are absolutely packed with infections and should be avoided.

- <b>P2P/Filesharing Programs (such as Limewire)</b>
  When you use these programs, <i>you are downloading files from other people's computers, and other people are downloading files from your computer</i>. That's why it's called "file sharing". If anybody has an infection on their computer, you can catch it since your computer connects to theirs in order to get the file. Every single one of these programs has a very high risk of infection; you should try to avoid these.

  Why not try these websites where you can listen to free legal music instead!
  <a href="http://www.last.fm/" target="_blank">http://www.last.fm/</a>
  <a href="http://www.mp3.com/free-music/free-mp3s" target="_blank">http://www.mp3.com/free-music/free-mp3s</a>
  <a href="http://www.jamendo.com/" target="_blank">http://www.jamendo.com/</a>
  <a href="http://www.garageband.com/" target="_blank">http://www.garageband.com/</a>
  <a href="http://www.unsignedbandweb.com/" target="_blank">http://www.unsignedbandweb.com/</a>

- <b>Links In Instant Messengers</b>
  If you suddenly get a message over MSN/AIM/Live/Yahoo saying "hey, look at this cool thing", or "are these pictures of you?", or "hey look at these naked pictures of me!", along with a link, you should ask the person if they sent it to you or not before you click on it. It could be a special type of worm; there are ones that will continue to spread because they send that message to everyone on the infected person's buddy list. Same sort of thing as viruses in e-mails: it appears to be from somebody you know, but could easily be an infection.

Most importantly, if you are going to install a program, simply look it up. Go to a search website, and type in the name of the program. If the first few results are saying "It's bad, here's how you remove it!", you should avoid it!





### F.A.Q.





<b>Q - A lot of this seems useless.</b>
A - DO IT ANYWAY. Far too often people will skip steps, only to find they are still infected. Every step has a purpose. Follow them all.


<b>Q - Why doesn't your sticky specifically list (name of infection here)?</b>
A - There's thousands and thousands of computer infections, just like there's thousands and thousands of viral infections your IRL body can get, but there's not thousands and thousands of cold medications, are there?  There's tons of breeds of dogs, but they're all still dogs. You don't buy dog food specifically for your dog's breed+gender+age+color+attitude, do you?  Most infections have core things in common with each other, so a few tools and instructions can remove 99% of computer infections people get.  Furthermore the same infection can often call itself multiple names in order to try to disguise itself.  This is most often true of infections that pretend to be virus scanners and try to scare you into "buying" them.


<b>Q - A scanner is telling me that something I know is clean (for example, a game like maple story) is an infection, why?</b>
A - Either it really DOES have an infection (<i>viruses infect other programs in order to reproduce</i>!), or the scanner you're using is doing "heuristics" scanning. That's where it takes the program, and basically puts it in a virtual environment and tests how it reacts to certain actions, and if it does anything the scanner finds suspicious (that the scanner thinks it has no right doing, like a fast food employee carrying a gun), the scanner will mark it with a generic alert based on what type of infection the scanner thinks it is.

<a href="http://www.virustotal.com/" target="_blank">http://www.virustotal.com/</a> - Go there, upload the file it says is infected, and it will scan it with many virus scanners. There you can see what the results are. If only a small percentage of the scanners mark it as bad, and they use generic terms, like just "spyware" or "trojan" or "keylogger", then you can assume that the file is really clean.  Real viruses are given codenames, like "Fojack" or "Hidrag.a".


<b>Q - What is all this stuff about DNS and HOSTS?</b>
A - DNS means "Domain Name Server". A DNS server keeps information which web address relates to which IP address on the internet (like how google.com is 74.125.45.100). It's sort of like how "Jack's house" means "123 Oak Tree Lane" in the real world.  Unfortunately, sometimes an infection will misdirect your computer, sending it to the wrong websites.  We can do a few things to stop that.

The HOSTS file is a file on Windows that holds information about DNS entries on your own computer; it's usually used to bypass a normal DNS server for whatever reason. Unfortunately infections will add entries that make real sites redirect to fake sites... so we will delete the HOSTS file so that it cannot be used for evil. Your computer can work without it, and if it's needed it will be recreated later, but for now it can be considered dangerous.


<b>Q - What's a tracking cookie?</b>
A - A tracking cookie is not a virus; it will not hurt your computer. They are used by ads on websites for marketing purposes. They record what "genre" of sites you generally visit (such as anime sites, military sites, car sites) so that the advertisements on a site know which types of ads to show you. <i>They do not record any personal information about you; they do not know who you are.</i>

A cookie is a text file created by a website on your computer to store information about what you've done there. A text file is several kilobytes; a kilobyte is one thousandth of a megabyte, which in turn is one thousandth of a gigabyte. It would take millions of cookies to amount to anything that might slow down your computer.


----------



## Thoob (Feb 14, 2010)

Rydian said:

> This saves space in a thread, and also prevents *Gaia's* forum system from removing anything it thinks may be harmful to *Gaia* (such as malicious javascript).



_Dude_... You copied this thread from Gaia?!


----------



## Rydian (Feb 14, 2010)

I made this thread for there originally, and figured since there was no guide here on infection removal, this forum could use the info.

Thanks for pointing that out, I must have missed that when I was formatting it for this board, it was originally a multi-post thing.


----------



## Law (Feb 14, 2010)

Thoob said:

> Rydian said:
> 
> > ...



This + multiple mentions of internet explorer = useless thread

thanks for playing, though.


Oh not to mention the formatting is terrible and the thread is a giant pain to read.


----------



## Rydian (Feb 14, 2010)

Law said:

> Thoob said:
> 
> > ...


If you have suggestions on the proper way to format this thread, please post them, as I have had a bit of an issue getting all this information readable. The spoiler tags help with that, but I think the guide itself may need some color-coding or something...

*But if you're just here to troll, I will go get a moderator to stop it.*
I was told by wildwon that if I had a guide, I could just post it right in this section.


----------



## Demonbart (Feb 14, 2010)

Bookmark'd. I've got the feeling that this thread will save my sorry ass someday.


----------



## Law (Feb 14, 2010)

Rydian said:

> If you have suggestions on the proper way to format this thread, please post them, as I have had a bit of an issue getting all this information readable, the spoiler tags help with that but I think the guide itself may need some color-coding or something...



Get rid of the spoiler tags, they're part of the problem

make a proper Index/Contents with something to ctrl+f to or use the anchor point bbtag

Stop centering shit


----------



## Rydian (Feb 14, 2010)

Law said:

> Get rid of the spoiler tags, they're part of the problem

Wouldn't that make the page far too long?

> ...

Yeah, it's harder to read on a wider forum, thanks.


----------



## Hakoda (Feb 14, 2010)

Thank you, this was very much needed. Mods sticky this, its instructions & format are worthy of stickiness.

I liked the three levels of removal as well as easy to understand setup for noobies. The best part was prolly the spoilers, imagine all that without spoilers. Holy crap. That and the word "Norton" was not found on this thread at all. Very well done Rydian

For anyone using this guide in the future, FOLLOW IT TO THE VERY END. Just because the infection is gone does not mean your system is stable. The "After Scanning", "Cleanup", & "Future Prevention" steps are CRITICAL.


----------



## Elritha (Feb 14, 2010)

Layout doesn't seem that bad to me. Spoiler tags prevent it from being just one wall of text. Useful guide to have.


----------



## triassic911 (Feb 14, 2010)

This thread is pure gold. Thanks.


----------



## steve-p (Feb 15, 2010)

this whole thread makes me glad i don't use windoze anymore,

and it's a joke that if you go to any torrent index site the top searches other than media are damned security apps.


----------



## Cermage (Feb 15, 2010)

srsly. safe mode, a program like malware bytes and an online scanner will solve most of your problems.


----------



## Rydian (Feb 15, 2010)

steve-p said:

> this whole thread makes me glad i dont use windoze anymore,

Linux or OSX?

> ...

And that's what the basic instructions are, however there's infections that will modify all sorts of things in order to prevent that.  Some will remove or modify files causing a STOP error when you try to go into safe mode, some will hook into windows in order to kill any process it recognizes as capable of removing it (originally they went by just filename, but not anymore), some will enter fake DNS entries in the hosts file to block known malware removal sites or redirect to fake sites, others will set up a proxy so they can update the blocks and redirects from their end, or just set your connection up to use a fake DNS server itself...

There's plenty _modern_ infections (especially those fake virus removers) can do to prevent you from just running a scanner, that's why this guide is as long as it is.


----------



## Sephi (Feb 15, 2010)

combofix always saves the day.

also, you wouldn't happen to be this guy, would you? http://www.gaiaonline.com/p/9462127

I am the caffeinated one that quit the forums after a day


----------



## CyrusBlue (Feb 15, 2010)

Why is everyone being an asshole? This is some useful information right here. I don't care where it came from.


----------



## Rydian (Feb 15, 2010)

Sephi said:

> combofix always saves the day.

And it scares people when they watch you run it! =D

> ...

Don't remember you. D:


----------



## antwill (Feb 15, 2010)

Why not mention 'common sense' in the prevention section as well? It's not that hard to avoid all of these problems with a bit of common sense after all.


----------



## NoSmokingBandit (Feb 15, 2010)

You cant expect people on the internet to have common sense.


----------



## Rydian (Feb 15, 2010)

I don't want to encourage piracy!

See?


----------



## antwill (Feb 15, 2010)

Well you shouldn't have gone cracking all that stuff and uploading it then should you


----------



## Skyline969 (Feb 15, 2010)

Nice guide, however the good ol' three-step is usually all I need.

1. Download and install Malwarebyte's Anti-Malware
2. Perform a scan using MBAM.
3. If scan does not catch all viruses, format.


----------



## antwill (Feb 15, 2010)

Skyline969 said:

> Nice guide, however the good ol' three-step is usually all I need.
> 
> 1. Download and install Malwarebyte's Anti-Malware
> 2. Perform a scan using MBAM.
> 3. If scan does not catch all viruses, format.


Except his guide was aimed at preventing a format unless absolutely necessary.


----------



## Satangel (Feb 15, 2010)

Good guide, I'm sure it will help a lot of people in time.
Should get stickied though, so we don't forget about it.


----------



## Sanderino (Feb 15, 2010)

Satangel said:

> Good guide, I'm sure it will help a lot of people in time.
> Should get stickied though, so we don't forget about it.



I agree. I'm going to read this thread thoroughly next weekend and going to fix my computer.


----------



## Strider (Feb 15, 2010)

Hm, reinstall as a last resort, yes? Sure, if you never want to know if you can trust your computer again...

Just because you think you removed everything doesn't make it so.

Not trying to be an asshole, but these are the facts. As I pointed out several times before, gbatemp is not the place to get advice for pc-fixing as much as I love it.


----------



## Skyline969 (Feb 15, 2010)

antwill said:

> Skyline969 said:
> 
> > ...


I know, I know. And it's very informative as well.


----------



## Rydian (Feb 15, 2010)

Strider said:

> Hm, reinstall as a last resort, yes? Sure, if you never want to know if you can trust your computer again...
> 
> Just because you think you removed everything doesn't make it so.
> 
> Not trying to be an asshole, but these are the facts. As I pointed out several times before, gbatemp is not the place to get advice for pc-fixing as much as I love it.


http://www.tomshardware.com/news/bios-viru...kdoor,7400.html
Look at that, an infection that survives hard drive wipes...
No, no strain of it is in the wild.

If you go and compare different AV rating sites, they all seem to rank them in a different order. Why? A detection rate is not concrete. It is not a measurement of probability given in regards to how things will work, because everything is so uncertain, and new viruses come out daily. It's a measurement of how well programs actually performed. *Do you think any one company has access to every single virus on the planet?*

Chances are just as good with ANY AV software that you can get an infection it won't pick up. You can use AVG and get an infection it won't pick up, and then switch to avast to clear out that infection, then get another one that avast won't pick up that AVG would have.

So you don't need to see an infection for it to exist, it's entirely possible you can be infected at any given moment and not realize it, possibly for months.  Unless you're running some tripwire software, better stop using the computer now if that's really your view.


----------



## CannonFoddr (Feb 16, 2010)

CyrusBlue said:

> Why is everyone being an asshole? This is some useful information right here. I don't care where it came from.


Totally agree - IF there's anything that'll help remove malicious code/programs it's always gratefully accepted by those who need it

Those who complain must've never had the hassle (or they don't know they're infected in the first place)


----------



## WeeBabyDoll (Feb 17, 2010)

Excellent thread and well presented - very easy to read.
Bookmarking this!
I used to be a Gaian. Many moons ago...


----------



## zuron7 (Feb 23, 2010)

This data is awesome but only if I had it 2 years ago when my comp had a virus.
Now it's got antivirus.


----------



## Gh0sti (Feb 23, 2010)

so i have a question i keep getting a tracking cookie every time i run my norton 360 v2 for windows 7, now granted i go to sites that have ads n stuff, however i still get it even if i havent even gotten on internet for awhile, is it just still a cookie or is it something else


----------



## raulpica (Feb 23, 2010)

Combofix > Everything

Even though it has failed in some rare cases. Also, Spybot fails HARD.

BTW, most of the times normal AVs are just totally useless against those new viruses (y'know, the ones that actually "kill" your computer most of the times) as they install themselves as drivers or services, and also hide their processes. Nowadays, AV scans are just for little viruses which do almost nothing to your PC.


----------



## Rydian (Feb 23, 2010)

squirrelman10 said:

> so i have a question i keep getting a tracking cookie every time i run my norton 360 v2 for windows 7, now granted i go to sites that have ads n stuff, however i still get it even if i havent even gotten on internet for awhile, is it just still a cookie or is it something else

It's just a cookie.  You can get a tracking cookie from just viewing an ad online, and all a tracking cookie does is show that you viewed a specific ad on a specific site, so the advertisers can find out what sort of sites you go on so they can show advertisements they think you'll like.  You know, how google shows personal/targeted ads, same concept.

> ...

Maybe if you're still using an AV from a few years ago, or have disabled all of its features/protections/shields/whatevers except the main portion, but modern AVs can stop threats on a variety of levels.  Hell, Avast even includes specific protection for IM file transfers in the free version.

If you never get infected in the first place, there's nothing you need to remove.


----------



## Bently (Feb 24, 2010)

Does this work well against the malware 'Internet Security 2010'? (quite hard to remove)
That was one of the worst viruses that had infected my computer >.>
and I had to install Windows XP again.


----------



## Rydian (Feb 24, 2010)

Yes, that's the same sort of rogueware that this guide was made to counter, since removal of it is more than simply "run this program".


----------



## geoflcl (Feb 24, 2010)

This seems to be a vital addition to GBATemp. Although, I fear this may start a horrible trend of "omg trojan halp plz" threads and/or posts by desperate novices.


----------



## Rydian (Feb 24, 2010)

Look at this as one more sticky to ban people for not reading, then?


----------



## Skyline969 (Mar 8, 2010)

Ah, my faith in Malwarebytes' Anti-Malware has been strengthened even more. My friend had a horrible virus on her computer, where she couldn't access any websites at all. It disguised itself as "Vista Antispyware 2010" or some bullshit, which to her (since she's a total retard on the computer) looked legit. I knew it was a virus right away, because she said it appeared out of thin air, and said she didn't install it. I had to send her MBAM through MSN, and one 3-hour scan later her computer was completely repaired. MBAM 23439408789239, virus 0.


----------



## syko5150 (Mar 21, 2010)

thanks this guide helped me locate some stupid program that was a fake virus crap i was able to get rid of it in safe mode =)


----------



## Matthew (Apr 6, 2010)

I think one of the first steps you should do is download SuperAntiSpyware Portable and run it as it ALONE solves most of the problems I've ever encountered, then Malware antibytes. PM me if you can't get to the official site and I'll mirror it.

http://www.superantispyware.com/portablescanner.html


----------



## DeltaBurnt (Jun 2, 2010)

This is somewhat of a bump, but whatever this thread is stickied.

There are ways to re-enable your command prompt/registry/task manager if they get disabled by a virus by just running a command through your "run" console.


----------



## Trulen (Jun 16, 2010)

Great stuff!  Thanks.  Will come in great handiness when I fix up folk's computers that Microsoft Security Essentials can't handle.


----------



## ComplicatioN (Jul 10, 2010)

Quick question, do these steps remove Keyloggers?


----------



## Rydian (Jul 10, 2010)

A "keylogger" is not any separate classification of infection, an infection can be called a keylogger if it logs key strokes.

It's like if viruses are school kids, and key loggers are school kids that play football.

So yes.


----------



## ComplicatioN (Jul 12, 2010)

Alright thanks, managed to revive my screwed up comp thanks to this guide.

Thumbs Up


----------



## Minox (Jul 12, 2010)

Skyline969 said:

> Ah, my faith in Malwarebytes' Anti-Malware has been strengthened even more. My friend had a horrible virus on her computer, where she couldn't access any websites at all. It disguised itself as "Vista Antispyware 2010" or some bullshit, which to her (since she's a total retard on the computer) looked legit. I knew it was a virus right away, because she said it appeared out of thin air, and said she didn't install it. I had to send her MBAM through MSN, and one 3-hour scan later her computer was completely repaired. MBAM 23439408789239, virus 0.


I got a similar infection myself through a java exploit. It wasn't Vista Antispyware 2010, but it was something along those lines. However scanning my hard drives for this infection took far too long and didn't yield much of a result so I ended up having to remove it manually. Luckily I had shut down my computer instantly when I noticed that fraud anti-spyware/virus application and rebooted into safe mode so it didn't have much time to mess around with things. Another good thing was that the infection was rather stupidly made and only one instance of it existed. Once I had removed that and a couple of registry changes it had made I was pretty much done. Although I still ran another scan to make sure of it being removed properly.

So what did I learn from all this? Well first of all I learnt that I should have noscript running all the time to avoid nasty java/flash exploits. I also learnt that once you know what you're dealing with it's sometimes much easier to just remove it manually. That is unless the infection does major changes to your computer.


----------



## MaK11-12 (Jul 18, 2010)

OR you could just use UBCD which has loads of Computer repair stuff.
Great guide though. BUT i haven't got an anti-virus, and still no virus in sight. You have to be smart when browsing the net otherwise there isn't any need for anti-virus.
OR you could just use linux ((K)ubuntu/Puppy/Slitax/Slax/etc)


----------



## Rydian (Jul 18, 2010)

MaK11-12 said:

> Great guide though. BUT i haven't got an anti-virus, and still no virus in sight.

A - I've never been to the doctor!  I don't need to, no doctor has ever told me I'm sick!
B - I never bothered getting checked for STDs, because I'm sure I don't have any!
C - Well I don't see anybody wearing a black suit and shades, so there's no FBI agents here!

> ...

Unless they need to use some windows-only programs as a requirement of their work/school.


If this guide was not needed it would not exist and would not be stickied.


----------



## Scott-105 (Jul 18, 2010)

My computer is brand new and has yet to get any viruses, but I'll be sure to bookmark this just in case something happens


----------



## Rydian (Jul 18, 2010)

I suggest following the "future prevention" section anyways.


----------



## Ace (Jul 22, 2010)

I'm trying to follow this guide for my cousin with the Super Removal. She's only here for visit and doesn't have her Vista recovery discs, so I'd be delighted to know what to do if Super Removal method fails? I'm well-oriented with these methods already, I just need to know what comes if Super Removal will not have an effect.


----------



## Rydian (Jul 22, 2010)

Make a new user account and run rkill, then disable the proxy in the windows control panel and change your DNS settings to automatic.  Install an antispyware program fresh and scan with it, then run hijackthis and let hijackthis.de analyze your log, pick out whatever in there it marks as bad and anything else you find suspicious (like shit with a random name running from application data or a temp directory, keep a specific eye out for those) and fix it, then do a full antivirus scan.

If critical windows files have become infected you're kinda' fucked (and when this is fixed you need to turn UAC on and leave it on), you'll need to borrow somebody else's disc (with vista the version doesn't matter as long as it's the right bit-depth) and do an in-place "upgrade" (which is like XP's repair install), which will reinstall windows overtop of itself, leaving all your personal files, but some/all programs need to be reinstalled and windows update needs to be run again.
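As an added example (not the guide's own code and not part of HijackThis), a small triage script for the O4 auto-start lines of a HijackThis log that flags the things the post above tells you to look for: programs running from application data or temp directories, random-looking names, and a system process name living outside System32. The log lines, the user name and the file names are constructed placeholders in the log's format, and the checks are heuristics meant to point a human at lines worth a closer look, not a verdict.

```python
"""Triage the O4 (auto-start) lines of a HijackThis log the way the post
above suggests: flag entries that run from a user data or temp directory,
have random-looking names, or borrow a core system process name.

Added example, not part of the guide or of HijackThis itself. The sample
log lines are constructed in HijackThis's format; "example" as the user
name and the odd file names are placeholders, not real indicators.
"""
import re

# "O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" args"  (Run and RunOnce)
O4_LINE = re.compile(
    r"^O4 - (?P<key>[^:]+\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Locations the post singles out: application data and temp directories.
DATA_DIRS = ("\\appdata\\", "\\application data\\", "\\local settings\\",
             "\\temp\\", "\\tmp\\")

# Names that belong to core Windows processes living in System32.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon")

SAMPLE_LOG = r"""
Running processes:
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [xk3r9qz2] C:\Users\example\AppData\Local\Temp\xk3r9qz2.exe
O4 - HKCU\..\Run: [Security Tool] "C:\Users\example\AppData\Roaming\1834769\1834769.exe"
O4 - HKLM\..\Run: [svchosty] C:\Windows\Temp\svchosty.exe
"""


def extract_exe_path(cmd):
    """Pull the program path out of a Run value, quoted or not."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)  # unquoted: cut after .exe
    return m.group(1) if m else cmd.strip()


def looks_random(stem):
    """Crude heuristic: three or more digits in the file name."""
    return sum(c.isdigit() for c in stem) >= 3


def triage_hijackthis_log(log_text):
    """Return (entry_name, exe_path, [reasons]) for O4 Run entries worth a
    closer look; entries with nothing to report are omitted."""
    findings = []
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if not m:
            continue  # not an O4 Run line (other sections, process list)
        path = extract_exe_path(m.group("cmd"))
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name, no .exe
        reasons = []
        if any(d in low for d in DATA_DIRS):
            reasons.append("runs from an application data or temp directory")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if stem.startswith(SYSTEM_NAMES) and "\\windows\\system32\\" not in low:
            reasons.append("system process name outside System32")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage_hijackthis_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (name, path, "; ".join(reasons)))
```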


----------



## Ace (Jul 22, 2010)

Rydian said:

> *How I should fix the system*

Thank you. I somewhat foresaw I'd need a Vista CD. I have one available from my mother's company (old Company-versions of Windows, most likely with VLK keys... Distribute or not?), so I won't need to change my Windows Activation key, right?

I should mention that the virus she has (most likely Vundo, although it also gives thousands of error messages of a fake svchost process called "svchosty.exe") has crippled her system to a BSOD the instant Windows has finished booting, and Safe Mode is compromised as well. This is why I am now attempting the Super Removal. Upon questioning her on details (She isn't good with anti-virus programs), she came to the conclusion that the system has had the virus for a few weeks, to a few months. This was alerting, of course. I don't think I've heard of anyone using a crippled system for THAT long.


----------



## Rydian (Jul 22, 2010)

The discs that tend to come with computers are usually modified copies and don't have any of the extra options (such as upgrading or even the recovery console sometimes) and are just made to image the drive, so be careful.

If it's been there for ages then the livecd should be able to remove it.


----------



## Ace (Aug 27, 2010)

I really must thank you for this guide! It helped my cousin remove her Vundo + about 30 other viruses from her computer. For me, I just got another one of those "Fake AntiSpyware Crapware Beta 2.33.1235 2011 Christmas Rudolph's Limited Special Edition" from an XSS'd website. NOD32 and Malwarebytes' Anti-Malware got them away in a few hours


----------



## Ubuntuの刀 (Nov 10, 2010)

Dude, you are a genius. I had to reset my computer at least 4 times since I had no way on how to remove a virus(w/o installing programs to slow my computer down)


----------



## Ubuntuの刀 (Nov 11, 2010)

Hey, I click the link for super removal and it pops up with unable to go to the site. so i found another site with a bunch of Antivirus Live cd downloads

Antivirus Live CD

Rydian, add this in your Super Removal links


----------



## Rydian (Nov 11, 2010)

Avira.com works for me.  If it's not working for you it's likely something is wrong with your DNS, check the "removing redirects" section.


----------



## aimansss95 (Nov 14, 2010)

Help!!
I can't open those four flavors thing cause this 'security tool' doesn't allow me to
HELP PLS

EDIT = And any of the programs that is said that can delete this virus


----------



## Rydian (Nov 14, 2010)

Try them in safe mode.
http://www.computerhope.com/issues/chsafe.htm

If you can't even get that far, you'll need to do the "super removal" with the livecd.


----------



## playallday (Nov 18, 2010)

.


----------



## Rydian (Nov 18, 2010)

What were those things, exactly?


----------



## playallday (Nov 19, 2010)

.


----------



## Vigilante (Dec 3, 2010)

I hate virus


----------



## daxtsu (Mar 24, 2011)

Are there any alternatives to F-Secure Backlight[the rootkit scanner/fsbl.exe]? It just crashes on windows 7 64 bit with a BEX error[DEP crash I believe], even when run as admin, and even when added to DEP exceptions[so it's effectively off for the app].


----------



## Rydian (Mar 24, 2011)

http://www.sophos.com/products/free-tools/...ti-rootkit.html


----------



## Arras (Mar 24, 2011)

Ah yes, I remember getting infected by one of those fake antivirus programs that block all .exe files. I had to use a different computer to access the internet, write a .reg file that restored exe's and running that just to be able to do a scan >_>


----------



## Rydian (Mar 24, 2011)

Yeah there's a few places to get a registry file for that now, thankfully.


----------



## Zetta_x (Apr 11, 2011)

Very nice guide.

I work as a senior tech for my university and this guide is pretty informative. Very rarely, we have had mebroot/torpig infect a few computers on the university network, in which case we had to boot into a linux environment to get rid of the infection in the MBR and then do a re-installation of windows to clean out any windows remnants. If all went well, the networking department can check to make sure all suspicious activity on the network has ceased and is no longer operable.

Even for personal use, I have used the live CD linked in this thread to get past some nasty interferences into windows that would pop up preventing me from fixing in windows even in safe mode.


----------



## Rydian (Apr 12, 2011)

Thanks.  Yeah I made this guide to be helpful both to people who had infections, and for people looking to help those, by outlining stuff infections will do and ways to get around them.  There's other stuff (such as making a new user account) that can provide temporary relief, usually enough to at least start some more removal steps.


----------



## Joktan (Apr 26, 2011)

Just wanted to say thanks. Found out somebody did something yesterday on the pc and got a few viruses by accident, and this guide helped me get rid of them. Thanks.


----------



## Jamstruth (May 3, 2011)

Anybody know how to get rid of a google redirect virus? Well, not just google. Bing is also affected. It's bugging the hell out of me. I'm sure it's just something hiding in my appdata (had something similar before I had to hit with a perma-delete program) but I don't for the life of me know. I can't nail down which site it redirects through or to because it's different every time... Have run Avast Bootscan to no avail and have run MalwareBytes while in safe mode. Neither found it.


----------



## Rydian (May 3, 2011)

Two possibilities.

1. These are hard because they're often legit adware that come along with something else you installed.
http://www.youtube.com/watch?v=tBMuxGZQb5M

Since they're technically legal and you gave whatever installer permission to install them, spyware scanners often won't remove them.  Your best bet is to check the addons for each browser you use and remove any you don't recognize, delete your HOSTS file, make sure your computer isn't set to use DNS servers you don't recognize, and do a hijackthis log.

2. There's also the possibility that it was an infection that logged into your router and changed the DNS server it's set to use (possible if the router is still using default login info).


----------



## Jamstruth (May 3, 2011)

My computer is the only one affected so it is not option 2.
As for option one this is most definitely NOT legit adware. The sites are random and annoying as hell. I haven't installed anything dumb. The only weird thing I've installed is get_iplayer.
edit: Also Youtube is playing up on me, not loading any content past basic text and a few pictures. Don't know if it's related

Edit: One of the redirect sites is goingonearth.com once this is added to my search my search doesn't happen at all, redirecting to "msdn.microsoft.com"


----------



## Rydian (May 4, 2011)

You don't have to install anything dumb.  Watch the video I linked, I'm installing useful programs like Unlocker, Yahoo Messenger, Daemon Tools, uTorrent...

Check the addons and such.


----------



## Jamstruth (May 4, 2011)

Like I said this isn't legit adware. I promise you. If it was I could find and uninstall it easily.
Main problem I'm having is all the removal instructions I find are for Windows XP. I'm running Windows 7 Home Premium 64-Bit

Edit: Think I've fixed it. I deleted a .job file in the \Windows\Tasks directory. It appears to always be a random name to cause confusion (everywhere tells you to look for something different). Probably best to delete from Linux to be sure it's gone.


----------



## Jamstruth (May 4, 2011)

Damn, turns out that that wasn't the thing which is fiddling with my DNS resolver cache. I've got no idea where to look for this thing :S


----------



## Rydian (May 4, 2011)

See what malwarebytes says?

Also give a hijackthis log.


----------



## Jamstruth (May 4, 2011)

Malware Bytes returns clean. Don't have a log :S
As for HijackThis


Spoiler



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:05:53, on 04/05/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Intel\IntelÂ Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <a href="http://go.microsoft.com/fwlink/?LinkId=54896" target="_blank">http://go.microsoft.com/fwlink/?LinkId=54896</a>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <a href="http://go.microsoft.com/fwlink/?LinkId=69157" target="_blank">http://go.microsoft.com/fwlink/?LinkId=69157</a>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <a href="http://go.microsoft.com/fwlink/?LinkId=54896" target="_blank">http://go.microsoft.com/fwlink/?LinkId=54896</a>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <a href="http://go.microsoft.com/fwlink/?LinkId=54896" target="_blank">http://go.microsoft.com/fwlink/?LinkId=54896</a>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href="http://go.microsoft.com/fwlink/?LinkId=69157" target="_blank">http://go.microsoft.com/fwlink/?LinkId=69157</a>
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\IntelÂ Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - S-1-5-21-2878719929-3952998556-2784194744-500 Startup: Intel® Turbo Boost Technology Monitor 2.0.lnk = C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (User 'Administrator')
O4 - S-1-5-21-2878719929-3952998556-2784194744-500 User Startup: Intel® Turbo Boost Technology Monitor 2.0.lnk = C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (User 'Administrator')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: TweetDeck.lnk = C:\Program Files (x86)\TweetDeck\TweetDeck.exe
O8 - Extra context menu item: Free YouTube Download - C:\Users\James\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: VAIO Care Performance Service (SampleCollector) - Sony Corporation - C:\Program Files\Sony\VAIO Care\VCPerfService.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe
O23 - Service: VAIO Entertainment Common Service (SpfService) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Intel® Turbo Boost Technology Monitor 2.0 (TurboBoost) - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata Intelligent Network Service Manager (VcmINSMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe
O23 - Service: VCService - Sony Corporation - C:\Program Files\Sony\VAIO Care\VCService.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VSNService - Sony Corporation - C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: VUAgent - Sony Corporation - C:\Program Files\Sony\VAIO Update 5\VUAgent.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13823 bytes

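An added example for reading a log in this format, not code from this thread, from HijackThis or from anyone in it: a small Python triage script that splits a HijackThis log into its `Oxx` sections and pulls out the entries a reviewer would look at first (autostarts pointing outside Program Files or Windows, startup shortcuts with an unresolved `?` target, Winsock LSP files HijackThis could not identify, and services with an unknown owner or missing binary). The sample log is constructed from the shape of the lines above; the `SYSTEM_DIRS` prefix list and the rule that skips built-in Windows services reported as "(file missing)" are assumptions of this example. Flagged lines are only a starting point for review, not a verdict; the LSP entry in this log, for instance, sits in a Windows Live folder and is commonly benign.

```python
import re

# Constructed sample shaped like the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Free YouTube Download - C:\Users\James\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed "expected" locations for autostart binaries (lowercase prefixes).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
               "%programfiles%\\", "%systemroot%\\")


def parse_entries(log_text):
    """Yield (section, body) for every 'Oxx - ...' line in a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def parse_service(body):
    """Split an O23 body into (name, owner, path, file_missing).

    Parsed from the right, because service display names can themselves
    contain ' - ' (e.g. 'Dragon Age: Origins - Content Updater').
    """
    rest = body[len("Service: "):]
    file_missing = rest.endswith(" (file missing)")
    if file_missing:
        rest = rest[: -len(" (file missing)")]
    name, owner, path = rest.rsplit(" - ", 2)
    return name, owner, path, file_missing


def _path_of(body):
    """Best-effort extraction of the file path an entry points at."""
    m = re.search(r'"([^"]+)"', body)        # quoted command line
    if m:
        return m.group(1)
    m = re.search(r"\] (.+)$", body)          # unquoted '[Name] C:\path args'
    if m:
        body = m.group(1)
    for sep in (" = ", " - "):                # 'x.lnk = path' or 'name - guid - path'
        if sep in body:
            return body.rsplit(sep, 1)[1]
    return body


def triage(log_text):
    """Return a list of (section, reason, entry) worth a reviewer's attention."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O23":
            name, owner, path, missing = parse_service(body)
            # Assumption: built-in Windows services listed as unknown-owner and
            # '(file missing)' are the usual noise from a 32-bit HijackThis on
            # 64-bit Windows, so they are skipped rather than flagged.
            if missing and owner == "Unknown owner" and path.lower().startswith("c:\\windows\\"):
                continue
            if missing or owner == "Unknown owner":
                findings.append((section, "service with unknown owner or missing binary", name))
            continue
        if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((section, "LSP file HijackThis could not identify", body))
            continue
        path = _path_of(body)
        if path == "?":
            findings.append((section, "startup shortcut with unresolved target", body))
        elif not path.lower().startswith(SYSTEM_DIRS):
            findings.append((section, "autostart outside Program Files / Windows", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {entry}")
```

Run against the constructed sample, it reports the `?` Bluetooth shortcut, the AppData context-menu entry and the unknown LSP file, and stays quiet about the vendor services and the built-in Windows services that HijackThis lists as missing.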

----------



## Rydian (May 4, 2011)

Tch, don't see anything that stands out...

Run IE in No Add-ons mode (in the System Tools part of Accessories); does it happen then?


----------



## Jamstruth (May 5, 2011)

Yeah... my IE9 install's a bit borked. Need to reinstall it, something happened and it doesn't appear in the programs menu.

On top of this it's sent some spam to my mates from my default mail account in Windows Live Mail just this morning, AND on top of that I have a load of stuff about it trying to send data to old contacts that must have since deleted their e-mails, and disconcertingly one I don't recognise: [email protected]
Since this infection has stepped up, Malwarebytes might catch this part of it.


----------



## Rydian (May 5, 2011)

You should be able to access IE's settings from the Windows Control Panel; can you get to the add-on manager?


----------



## Jamstruth (May 5, 2011)

Can get to it but not sure what I'm looking for. Even then, I'm getting this in Firefox, not IE. Have started Firefox in safe mode with no change.

In all my searches I keep coming up with the TDSS rootkit. But my PC has none of the files characteristic of it (looking through on Linux, where files should all be visible regardless). Have run Kaspersky's TDSS killer with nothing returned. So yeah, I dunno wtf is going on.


----------



## Rydian (May 5, 2011)

What's your add-ons list in Fx and IE?


----------



## Jamstruth (May 6, 2011)

Update: Appear to have gotten rid of the main redirect issue.
Ran a scan with Prevx which found an infected .dll but refused to remove it. Then ran Hitman Pro, which had a free 30-day trial allowing me to remove it, along with a biajillion crummy tracking cookies.

Bad news: My Windows Security Centre Service is refusing to start, though the firewall is running (checked the services) and Avast has not been starting automatically on boot. Just reinstalled Avast in the hope that it might reset itself and, without the DLL there, not change back, but I can't really do the same with the Security Centre service, can I?
Edit: Never mind, FIXED IT!!!!


----------

