
Spyware/Adware/Virus/Trojan/Rootkit/Keylogger Removal Guide

So, you're obviously here because your computer has some sort of problem.
We're gonna fix you up, and, with a little effort, prevent problems from occurring in the future.



FORMATTING IS A LAST RESORT ONLY!
Please note that a (re)format (when you wipe the computer and reinstall windows) is rarely needed to get rid of a computer infection. A worst case scenario is that an infection infects and changes critical system files, but those can be replaced with clean copies off any install CD with a simple command. Some people may have 50 gigabytes of personal files on their computer, and some people have their computers set up a very specific way that would take hours or days to restore to working order after a format. Just because formatting is your choice does not mean it should be the first suggestion to somebody else.


If you are confused or have ANY questions AT ALL about this guide, please post a new thread in the forum and you will be helped.
REMEMBER!


  • Stuck on a step?
  • Don't know what a word means?
  • Confused where you go next?
  • Not sure if you're doing the right thing?


Ask us and we will help you!
Nobody will make fun of you!
We're here to fix your computer!
Basic, Advanced, or Super removal?



  1. If your only problem is internet popups (even when no internet windows are open) or viruses infecting your files, and you still have control over your computer, then after "Setup", follow the "Basic Removal" post.
    --------------------------------------------------------

  2. If you are infected by a program that's only pretending to be a virus/spyware remover, and you know it's fake...
    If you are getting fake virus warnings from your own computer, not on internet pages...
    If your wallpaper has changed to a fake warning...
    If you are for some reason unable to fully control your own computer, like settings are locked...
    If the basic removal failed...

    I suggest you use the "Advanced Removal" post after you do the "setup".
    --------------------------------------------------------

  3. If you have little to no control over your computer...
    If something closes/kills any scanner you run...
    If you can't get into safe mode because of a Blue Screen error...
    If you cannot run the Task Manager...
    If your account(s) are no longer Administrator...
    If the advanced removal failed...

    You should go to the "Super Removal" post, skipping "setup" for now.
Setup


Before you start removing infections, there are a few precautions you should take.
These steps will help cripple most infections, making them easier to remove.


  1. Disable IE Addons

    Open Internet Explorer, and press the ALT key on your keyboard once. At the top, go to the "Tools" menu, and choose "Internet Options". In the new window, on the Advanced tab you will find many options. Uncheck the option "Enable third party browser extensions", and press OK. Close Internet Explorer.



  2. Hijack This! Log

    Download and run the executable version of Hijack This!
    http://free.antivirus.com/hijackthis/
    Choose "Do a system scan and save a log file". It will open the log file when it's done scanning.
    Go to http://dpaste.com/, paste the log in the "Code" box, then click the "Paste it" button. You will see a new page with the coding, just give us a link to the page and we can see it.



  3. Disable System Restore

    If you're on XP...
    In your start menu, go to the control panel, and there should be a bunch of icons, one of them being "system". If not, click "switch to classic view" on the left. Open "system", and click the "system restore" tab at the top. In that section, click the checkbox to "turn off system restore on all drives", if it is not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point.

    If you're on Vista...
    Open the start menu, right-click "Computer", and click "properties". In the new window, go near the top-left and click "System protection". In a new window, you'll see a list of your drives. Uncheck them. Tell windows that you want to turn system restore off by clicking the button when it asks you.

    If you're on Windows 7...
    Open the start menu, right-click "Computer", and click "properties". In the new window, go near the top-left and click "System protection". In a new window, you'll see a list of your drives. Below that, click the "configure" button. In the next new window, choose "Turn off system protection", then click the "OK" button.



  4. Remove Redirects

    • Part A

      If you're on XP...
      Open the start menu and click "run". In the white box, type "regedit.exe" (without the quotes) and press enter.

      If you're on Vista or Windows 7...
      Open the start menu and click in the white box at the bottom. Type "regedit.exe" (without the quotes) and press enter.


      That will start the registry editor, which we will use to find where the current HOSTS file is.
      On the left, double-click "HKEY_LOCAL_MACHINE".
      After that, double-click "System".
      Then, double-click "CurrentControlSet".
      After that, you want to open "Services".
      Almost done now, open "Tcpip".
      Finally, you want to open "Parameters".

      On the right side of the window you will see three columns: "Name", "Type", and "Data".
      In the "Name" column, find "DataBasePath" and double-click it. Copy the "Value Data".

      Remember how you ran "regedit.exe" before? This time, instead of running regedit, you should paste that "Value Data" line in the "run" box (or the bottom of the start menu in Vista/7), and press enter. This will open the folder that has the HOSTS file!

      It will just be called "hosts" and won't have any special icon. Delete it.


    • Part B

      There's a possibility that your computer has been set to use a different DNS server, instead of the clean one run by your internet company. These other DNS servers are usually bad, directing you to fake sites instead of real ones (like telling you that Jack's house is in the middle of a highway, instead of giving you the real address).

      To get around that, here's instructions on using a clean DNS server (with pictures!).

      It's also possible that the infection changed your computer to use a malicious proxy server. Follow the below instructions and choose to NOT use a proxy server, then save the settings.

      If your internet explorer can use tabs, follow these instructions.
      If it cannot use tabs, follow these instructions.
Programs List



Anti-virus
Free
Avast! - www.avast.com
Microsoft Security essentials - www.microsoft.com/Security_essentials
Comodo - antivirus.comodo.com
AVG - From download.cnet.com.
Avira (Shows an ad) - From download.cnet.com.
ClamWin - www.clamwin.com

Paid
Kaspersky - www.kaspersky.com
NOD32 - www.eset.com
Bitdefender - www.bitdefender.com
F-Secure - www.f-secure.com
Trend Micro - www.trendmicro.com


Spyware scanner
Free
MalwareBytes - www.malwarebytes.org
SUPERAntiSpyware - www.superantispyware.com
Spybot S&D - www.safer-networking.org
AdAware - www.lavasoft.com

If a program does not allow you to install in safe mode because of "MSI" or "Windows Installer" not running, you can use this tool to turn MSI on in safe mode, so that you can install what you need.
Basic Removal


  1. If you don't have some, pick out one Antivirus program and one Antispyware program from the "Programs" post. Please make sure you have at least one from both of the categories (antivirus and spyware scanner).
    Do not buy one online right now, because somebody could use the infection to steal your financial information!


  2. Install the programs, run them and they might ask you to update the definitions. If so, let them.


  3. Then, go into Safe Mode, but read the rest of this post before you do that.

    This site has instructions on getting into safe mode.
    http://www.computerhope.com/issues/chsafe.htm
    Safe mode will not have internet (possibly no sound, either), and things may look weird.
    Don't panic, it's only temporary. When you restart things will be back to normal.


  4. In safe mode, run the scanners, and heal/remove anything they find.


  5. Restart (which will get you out of safe mode).


Go on down to the "After Scanning" post.
Advanced Removal


  1. Microsoft Windows Malicious Software Removal Tool (32-bit)
    Microsoft Windows Malicious Software Removal Tool (64-bit)
    This is the first program that you should download and run. It's a tool that checks your computer for infection by specific viruses known to affect windows. It is not a replacement for a normal anti-virus, but it is useful in removing something that has already infected you.


  2. If your issue is a fake antivirus program, it should have a fake name it's trying to use to sound legitimate.
    If your virus scanner is picking up an infection but can't remove it, it should also present you with some sort of name.

    Go to a search site (such as google, bing, yahoo, ask) and try to find instructions on removing the specific name of the infection. Type in something like "NAME removal". The first few results should have specific instructions (or sometimes even a free program) specifically made to remove that type of infection. It's best to follow those instructions first, since they can remove specific parts of an infection that generic guides miss.


  3. After following those instructions (or if you couldn't find any), download and run this tool.
    It comes in four "flavors", if one doesn't work try the others.
    http://download.bleepingcomputer.com/grinler/rkill.exe
    http://download.bleepingcomputer.com/grinler/rkill.com
    http://download.bleepingcomputer.com/grinler/rkill.scr
    http://download.bleepingcomputer.com/grinler/rkill.pif
    This will attempt to kill any active infections that would stop you from running removal tools.
    Any time you restart, run one of these again.

  4. Then, run this tool.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    That is an updated tool that will attempt to remove all known deep infections.
    Follow all the instructions exactly (remember safe mode when it says to!) and give it time to do its job.


  5. When that program finishes, go back into normal mode and follow the "Basic Removal" instructions.
    If that fixes your problem, skip on down to the "After Scanning" section.



If that still does not remove your infection, you may have a "Rootkit", which hides files from windows itself.

Download and run this rootkit detector. Do not just "run" it, but actually save it somewhere you can find it, and then run it.
If you don't know how to do this, post and ask us (be sure to tell us what browser program you view web pages with!)
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Run that, and it will scan for things that are hidden to windows and normal programs. When it's done, it'll have a list of results. Look at a result, and look for it with a search engine like google or yahoo (search for the file/folder name along with the word "rootkit"), and if the results involve a type of infection (spyware, adware, rogue software, malware, virus, trojan), you should see a removal guide.

Not everything it finds is bad! Some are involved with programs you know are safe (like firefox) or part of windows itself. When it's done, you'll find a log file where you saved the program. It will be named something like "fsbl-20090124034050.log". If some things were found, open it (right-click it, choose "open with", and choose Notepad or some other text editor) and show us what it says.
Super Removal


A Live CD is a disc that runs its own operating system. What a Live CD allows you to do is do things on your computer even if something in windows is really messed up. This also means that any infection will not be active, so the Live CD is free to scan and remove viruses without interference. The down side is it requires you to burn a CD (you will probably need to burn it from another computer), and the scan can take a while.

  1. Download it here. (It's free.)
    Run that when you have a blank CD in your computer and it will start creating the disc.


  2. When it's done, take the disc out and label it if you want, then put it back in and restart your computer. You'll need to tell your computer to boot the CD; there are multiple ways it can be done. Once it's started, go to step 3.

    A - Your computer may start the CD on its own.

    B - When it's first starting up you should see something like "press (something) to boot from CD", or it may just say "Boot from CD". If so, press that key (or enter) to start the CD.

    C - If that doesn't appear, you may see something like "F10 (or some other key) - Boot Menu". If so, press that key, and then choose the CD drive from the list.

    D - If you're not given any of those options, there should be a "Press (some key) to enter setup" notice. Press that key to access your motherboard's settings. You navigate around with the arrow keys, tab, enter, and escape. Somewhere in there should be an option for changing the "Boot order". Choose that, and change it so that the CD drive is above the harddrive in the list. Press whatever key it is to save changes and exit, and the computer should now be able to boot off the CD.


  3. When the CD first starts, you'll see a screen like this. You should press the "1" key on your keyboard.
    [screenshot]


  4. When the Live CD is fully started up, you'll see two flags in the bottom-left.
    The right one (the British flag) changes the language to English, so click it.
    [screenshot]


  5. In the left-hand menu, click "Configuration".
    Select "Scan all files" and "Try to repair infected files".
    [screenshot]


  6. In the left-hand menu, choose "Virus scanner", then click "Start scan" near the bottom.
    The scanning process may take a long time, this is normal.
    [screenshot]


  7. When the scanning is finished, go to the left and find "Miscellaneous" and click it, then click "Shutdown".
    The system should shut down and eject the CD (or tell you to eject it) and then restart normally.

    [screenshot]


If that fixed the issue, go on down to the "After Scanning" post!


If this does nothing to fix the issue, then it's possible that some critical windows system files are infected to the point that they cannot be healed. This will require removing the files (running the scan again with the "remove infected files" option selected), and replacing them with clean versions off a windows CD. How you would do this greatly depends on your situation, so ask us about doing a "repair install" and we will help you personally.
After Scanning


After your infection seems to be gone, it's best to do a few things just to be sure! When you're going to show us a log, it's best to put it on another site and give us a link. This saves space in a thread, and also prevents gaia's forum system from removing anything it thinks may be harmful to gaia (such as malicious javascript).

This is a site you can use.
http://dpaste.com/
Visit that page, paste whatever you want to show us in the "Code" box, then click the "Paste it" button.
You will see a new page with the coding, just give us a link to the page and we can see it.


  1. If whatever programs you scanned with offers you a log, show it to us using the dpaste site.


  2. Download and run the executable version of Hijack This!
    http://free.antivirus.com/hijackthis/

    Choose "Do a system scan and save a log file". It will open the log file when it's done scanning. Please show us the log (using dpaste) first, then continue these instructions.

    Go to http://www.hijackthis.de and paste your log into the white box. Tell it to analyze your log, and it will scan it, and then give you the results after a small bit. The results will be a long list, but the only things you need to worry about are the symbols on each item in the list. Ones with a red X are bad, and you should go into hijackthis, and put a check next to every bad item. Then, after marking all the bad ones in hijackthis, tell it to delete the entries, which will fix the issues.

    Run hijackthis again, so it makes another log, and show us the second log (using dpaste).
Cleanup


So you're done removing the infection, but there are a few things to change back.

  1. Go to the "Setup" post, and follow the instructions on disabling Internet Explorer browser extensions, but this time turn them back on.

  2. Turn System Restore back on.

  3. Change your DNS settings back to "automatic".
    Here's the thread about it.

  4. If you find trying to run some programs gives you a message asking you what to open it with, then download this file, open it, and choose to run the file inside it. When it asks you if you want to merge/add the info to the registry, choose yes. After that, restart and you should be able to run programs properly again.

  5. And finally, this page covers the rest.
    http://www.internetinspiration.co.uk/pc_clean_up.htm
Future Prevention


How did I get that infection in the first place?
What can I do to prevent it?
Where do infections come from?
How can I spot bad programs?


An ounce of prevention is worth a pound of cure.
Taking 30 seconds of your life every so often to keep your protection up to date can save you hours of fixing issues later.


  • Q - How do I avoid getting viruses and spyware and all that other bad stuff?
    A - Here's a list of preventative measures you can take.
    1. Turn windows update on and leave it on! It's very important that your version of windows is kept up to date!
    2. Make sure to allow your antivirus to update automatically.
    3. If you are in windows Vista/7, make sure UAC is on.
    4. Scan with your antispyware at least once a week, updating it with the update option in the program before you scan.
    5. Any good antivirus software (like the ones listed in this guide) will have what's known as an "active guard" or "resident shield". What that does is scan every file before it enters your computer, like a robot security guard at the door of a nightclub. If it detects an infection, it can stop it from doing anything, and alert you. Leave this option on.
    6. Spybot also has a neat tool, the "immunizer". What this does is make it so that your computer cannot normally connect to any site that's known to be a fake, or one that attempts to install infections.
    7. Using OpenDNS (http://opendns.org/) can help prevent infections from getting to your computer in the first place as well.


  • Q - Why did my current program not protect me?
    Here's some possible reasons.
    1. It was not fully updated.
    2. It was a pay program, and you stopped paying for it, so it stopped protecting you.
    3. It was a scanner for a different type of infection than you got. Virus scanners usually will not scan for spyware/adware, and the same goes the other way around.
    4. The virus managed to break your protection program.
    5. It could have been a rogue program that actually doesn't protect you, see below for a bit of details.

    Here's a list of common places/ways people get infected.

  • Advertisements
    This is one of the biggest. Yes, random advertisements on websites. You can even get infected by good sites like The New York Times. Websites get paid by advertising companies to let the ad companies stick random ads in the website when it's viewed. The ad companies get paid by people that want to advertise. The people that want to advertise pay the ad company, and give the ad company the code/image/file for the ad, which is then randomly given out to any sites that display it. Normally that works fine, but if some low-life uses a trick or three to stick an infection in an ad, it can show up in multiple sites for hours before it's caught and removed. So almost any site that displays advertisements could possibly give an infection. The chances are slim, but it's possible, even more on sites that deal in shady things, like ROMs or Warez or porn. This is partially why it's so important to keep some protection that's always on.

  • Rogue Software
    Sometimes you might see a random popup or a page claiming it's scanning your computer, and showing you hundreds of problems it's finding that claims it can fix. THESE ARE FALSE. It is not scanning your computer, it is not detecting issues, all it's trying to do is scare you into buying it. You can usually tell by opening "My Computer" or "Computer" from the start menu and looking at your list of drives and comparing it to the fake screenshot the program is showing you.

  • Crack/Serial/Warez Sites
    These are absolutely packed with infections and should be avoided.

  • P2P/Filesharing Programs (such as Limewire)
    When you use these programs, you are downloading files from other people's computers, and other people are downloading files from your computer. That's why it's called "file sharing". If anybody has an infection on their computer, you can catch it since your computer connects to theirs in order to get the file. Every single one of these programs has a very high risk of infection, you should try to avoid these.

    Why not try these websites where you can listen to free legal music instead!
    http://www.last.fm/
    http://www.mp3.com/free-music/free-mp3s
    http://www.jamendo.com/
    http://www.garageband.com/
    http://www.unsignedbandweb.com/

  • Links In Instant Messengers
    If you suddenly get a message over MSN/AIM/Live/Yahoo saying "hey, look at this cool thing", or "are these pictures of you?", or "hey look at these naked pictures of me!", along with a link, you should ask the person if they sent it to you or not before you click on it. It could be a special type of worm, there are ones that will continue to spread because they send that message to everyone on the infected person's buddy list. Same sort of thing as viruses in e-mails, it appears to be from somebody you know, but could easily be an infection.


Most importantly, if you are going to install a program, simply look it up. Go to a search website, and type in the name of the program. If the first few results are saying "It's bad, here's how you remove it!", you should avoid it!
F.A.Q.



Q - A lot of this seems useless.
A - DO IT ANYWAY. Far too often people will skip steps, only to find they are still infected.
Every step has a purpose. Follow them all.


Q - Why not just format?
A - At least once a month, windows receives automatic security updates. These fix security holes that viruses and other types of infections can use to get into your computer and mess it up. When you format and reinstall windows, you are taking it back to a time before all the updates, meaning you are just opening the door for even more infections to get in! It's better to remove the current infection and then take steps (listed in the "future prevention" post) to prevent reinfection.


Q - Why doesn't your sticky specifically list (name of infection here)?
A - There are thousands and thousands of computer infections, just like there are thousands and thousands of viral infections your IRL body can get, but there aren't thousands and thousands of cold medications, are there?

There's tons of breeds of dogs, but they're all still dogs. You don't buy dog food specifically for your dog's breed+gender+age+color+attitude, do you? Most infections have core things in common with each other, so a few tools and instructions can remove 99% of computer infections people get. Furthermore the same infection can often call itself multiple names in order to try to disguise itself. This is most often true of infections that pretend to be virus scanners and try to scare you into "buying" them.


Q - I found this (verified legit) program that I installed and it scanned my computer and says it found the problem and is only asking me $30 to remove it, isn't that a good deal?
A - Never. That's like an electrician coming into your home, doing an inspection, and telling you "Hey, I found the problem, these cords right here came disconnected. Now, I can reconnect them, but you're gonna have to pay me $50..." If the program has installed and has found the issue, it has no reason whatsoever to charge you to do the final steps, which are simple compared to actually being installed and scanning, which it's already done for free. These programs try to get you to pay for something you don't need. They try to make you feel backed into a corner, like you have no other option. There is no actual need for you to pay after it's already scanned, they just want your money.

This is especially true if the program doesn't actually tell you what and where the problems are, that shows that the makers of the program don't want you going and fixing it yourself. They're not interested in actually fixing your problem, they just want to scare you out of your money.


Q - A scanner is telling me that something I know is clean (for example, a game like maple story) is an infection, why?
A - Either it really DOES have an infection (viruses infect other programs in order to reproduce!), or the scanner you're using is doing "heuristics" scanning. That's where it takes the program, and basically puts it in a virtual environment and tests how it reacts to certain actions, and if it does anything the scanner finds suspicious (that the scanner thinks it has no right doing, like a fast food employee carrying a gun), the scanner will mark it with a generic alert based on what type of infection the scanner thinks it is.

http://www.virustotal.com/ - Go there, upload the file it says is infected, and it will scan it with many virus scanners. There you can see what the results are. If only a small percentage of the scanners mark it as bad, and they use generic terms, like just "spyware" or "trojan" or "keylogger", then you can assume that the file is really clean. Real viruses are given codenames, like "Fojack" or "Hidrag.a".


Q - What is all this stuff about DNS and HOSTS?
A - DNS means "Domain Name Server". A DNS server keeps information about which web address relates to which IP address on the internet (like how google.com is 74.125.45.100). It's sort of like how "Jack's house" means "123 Oak Tree Lane" in the real world. Unfortunately, sometimes an infection will misdirect your computer, sending it to the wrong websites. We can do a few things to stop that.

The HOSTS file is a file on windows that holds DNS entries on your own computer. It's usually used to bypass a normal DNS server for whatever reason. Unfortunately, infections will add entries that make real sites redirect to fake sites, so we will delete the HOSTS file so that it cannot be used for evil. Your computer can work without it, and if it's needed it will be recreated later, but for now it can be considered dangerous.
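As an added example (not part of the original guide), here is a small Python script that reads a HOSTS file like the one Part A of the "Setup" post has you delete, and lists the entries that send a real site to some other server or make it unreachable, so you can see what an infection changed before deleting the file. The HOSTS content, the 203.0.113.10 address and the .test domain names below are constructed for this example; on Windows you would point it at the "hosts" file in the folder the DataBasePath registry value names.

```python
import ipaddress
import sys

# Constructed sample HOSTS content for this example (not a real infected file).
# The two "localhost" lines are what a clean Windows HOSTS file normally has;
# the remaining lines are the kind of entries an infection adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test
203.0.113.10    update.example-antivirus.test   # update checks go elsewhere
127.0.0.1       www.example-antivirus.test      # real site made unreachable
"""

# Addresses that point back at this machine; a name mapped to one of these
# cannot reach the real site at all.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)            # first field must be an address
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Split the entries into the two kinds of tampering the guide describes.

    redirects: a name sent to some other server (a fake site instead of the real one)
    blocks:    a name sent to this machine (for example an antivirus update site)
    The standard localhost entries are ignored.
    """
    redirects, blocks = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        (blocks if ip in LOCAL_ADDRS else redirects).append((ip, name))
    return {"redirects": redirects, "blocks": blocks}


def main(argv):
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    report = audit_hosts(text)
    for kind in ("redirects", "blocks"):
        print(f"{kind}:")
        for ip, name in report[kind]:
            print(f"  {name} -> {ip}")
        if not report[kind]:
            print("  (none)")


if __name__ == "__main__":
    main(sys.argv)
```

Anything the script lists under "redirects" or "blocks" is an entry a clean HOSTS file would not normally have; an entry pointing an antivirus vendor's site at 127.0.0.1 is a typical sign that an infection is trying to stop updates.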


Q - What's a tracking cookie?
A - A tracking cookie is not a virus, it will not hurt your computer. They are used by ads on websites for marketing purposes. They record what "genre" of sites you generally visit (such as anime sites, military sites, car sites) so that the advertisements on a site know which types of ads to show you. They do not record any personal information about you, they do not know who you are.

A cookie is a text file created by a website on your computer to store information about what you've done there. A text file is a few kilobytes; a kilobyte is one thousandth of a megabyte, which in turn is one thousandth of a gigabyte. It would take millions of cookies to amount to anything that might slow down your computer.
