Welcome to Gaia! :: Slow computer, trojan, virus, spyware? Look here first! NEW! | Forum

Register FaceBook Login Login

 

 
GST

Welcome to Gaia's forums, where millions of members gather to discuss random stuff, make new friends,
complain about life, argue about nothing, laugh at dumb pictures, discuss serious issues and/or curse like sailors.

Lurking is creepy. Quit skulking in the shadows and join the conversation!

Register to reply

Gaia Forums » Entertainment » Computers & Technology
Advertisement
Sticky: Slow computer, trojan, virus, spyware? Look here first! NEW!
Tags: slow  computer  trojan  virus  spyware 
Share:  
forum:43, topic:48412007
1
Offline
Post: 48412007_1 created on Thu Mar 26, 2009 9:47 pmPosted: Thu Mar 26, 2009 9:47 pm
Spyware/Adware/Virus/Trojan/Rootkit/Keylogger Removal Guide

So, you're obviously here because your computer has some sort of problem.
We're gonna fix you up, and, with a little effort, prevent problems from occurring in the future.



FORMATTING IS A LAST RESORT ONLY!
Please note that a (re)format (when you wipe the computer and reinstall windows) is never needed to get rid of any sort of infection.
A worst case scenario is that an infection infects and changes critical system files, but those can be replaced with clean copies off any install CD with a simple command. In addition, in order to use windows on your computer after it's formatted, you will need either the 'restore' or 'recovery' CD for your computer, or a normal windows install CD, plus the correct serial/license key for your computer.
After a format, there's driver upgrades and windows updates to do, and all your personal files and additional programs will be gone.



You may see that a lot of the links given in this guide look strange. They're not normal links, they're links that bypass DNS or use redirects. Some advanced infections will, when they find you heading to a site to remove them, instead redirect you to a fake site that looks like the original, but instead contains more bad software instead of a remover. The links here are changed to prevent that.

If you are confused or have any questions about this guide please post a new topic in the forum and you will be helped.



    -CONTENTS-
  1. Introduction.
  2. About Infections
  3. F.A.Q.
  4. Setup / Start
  5. Normal Removal
  6. Advanced infections / Rootkits
  7. Future Prevention
  8. Program List
  9. Cleanup
  
     
Offline
Report this post
Post: 48412007_2 created on Thu Mar 26, 2009 9:47 pmPosted: Thu Mar 26, 2009 9:47 pm
 
About Infections


What is a Worm/Virus?
A virus or worm is dangerous program designed to cause damage and generally mess up your computer.
They self-replicate inside your computer, and can spread to other computers.
They are generally responsible for things breaking, such as you not being allowed to change settings or update key programs.
They spread by infecting other files on your computer (like how real viruses spread in your body, by infecting other cells) in the hopes that when you send a file to somebody else, it will contain a new copy of the virus.


What's Spyware/Adware?
Spyware and Adware tend to slow down your computer (because of all the snooping they're doing), and send information to companies. Spyware mainly gathers information about things such as pages you go to, programs you use, and such and send them to companies to analyze. This slows down your computer and it is a big privacy issue.
Adware tends to come along with programs. Like P2P file sharing programs or pirated software. They often will give you undesired pop-ups and also slow down your computer. Plus they can interfere with programs you use. They are just downright annoying!


What is a Keylogger?
A keylogger is what it says - It logs your keystrokes. Then it sends those logged keystrokes, which may include usernames, passwords, credit card numbers, or whatever you type, to someone. These are very bad, especially if you use PayPal, a credit card, or log into your bank account online.


What is a Trojan?
A Trojan generally is not by definition a virus and unlike common belief they do not spread to other computers or programs. However they are one of the leading causes of computer faults.
A Trojan login program can be written so it accepts certain passwords for any user's account to give the intruder access to your computer.
They can even cover their tracks so with out a scan you may never notice you have one!
Trojans can contain a virus, a password grabber or they can be an RAT (Remote Access Trojan) that is designed to allow remote control over your system, by another person in another place. e.g. "Help! My mouse is moving by itself!"
     
Offline
Report this post
Post: 48412007_3 created on Thu Mar 26, 2009 9:48 pmPosted: Thu Mar 26, 2009 9:48 pm
F.A.Q.



Q - A lot of this seems useless.
A - DO IT ANYWAY. Far too often people will skip steps, only to find they are still infected. Every step has a purpose. Follow them all.

Q - Why are a lot of links given as IP addresses?
A - Some infections will redirect DNS (Domain Name Server) lookups, making www.goodsite.com, which would normally lead to a good server, instead lead to a bad one, without you being able to tell you ended up at the wrong site. These bad servers usually are a copy of the good one, to further confuse you, only they contain more infections, instead of the removal tools.
Not all servers like being access by the IP address, so some had to stay as normal links.

Q - A scanner is telling me that something I know is clean (like a game like maple story) is an infection, why?
A - Either it really DOES have an infection (viruses infect other programs in order to reproduce!), or the scanner you're using is doing "heuristics" scanning. That's where it takes the program, and basically puts it in a virtual environment and tests how it reacts to certain actions, and if it does anything the scanner finds suspicious (that the scanner thinks it has no right doing, like a fast food employee carrying a gun), the scanner will mark it with a generic alert based on what type of infection the scanner thinks it is.
http://www.virustotal.com/ - Go there, upload the file it says is infected, and it will scan it with many virus scanners. There you can see what the results are. If only a small percentage of the scanners mark it as bad, and they use generic terms, like just "spyware" or "trojan" or "keylogger" (real viruses are given codenames, like "Fujack.k" or "Hidrag.a" ), then you can assume that the file is really clean.
 
     
Offline
Report this post
Post: 48412007_4 created on Thu Mar 26, 2009 9:48 pmPosted: Thu Mar 26, 2009 9:48 pm
 
Which order do I follow the guide in?


  1. If your only real issues are internet popups (even when no internet windows are open) or viruses infecting your files, and you still have control over your computer, then go to the "removal" section and follow the instructions.

    • If you are infected by a program that's only pretending to be a virus/spyware remover, and you know it's fake...
    • If you are getting fake virus warnings from your own computer, not on internet pages...
    • If your wallpaper has changed to a fake warning...
    • If you are for some reason unable to fully control your own computer, like settings are locked...
    • If the normal removal failed...
    If any of those are true, I suggest you skip down to the "Advanced Infections" post, and follow the first two sections in safe mode (automatic removal and clearing the hosts file), then follow the normal "removal" section, that should take care of it. Go to the "cleanup" section when you're done.

  3. If you've followed the first half of the "advanced infections" section as well as the rest of the guide and it hasn't worked, then do the "rootkits" section right below it. Also, go and run hijackthis, and keep any and all logs, then post them in the forum, and we may have to link you to a more advanced forum than this, or recommend the best way to format your system, if all this didn't get it.



Setup/Start


  1. Restart that lovely system of yours, and press F8 over and over as your computer is starting up, until you see a list of options in white. From this list, you should choose the option "Safe Mode with Networking" from the list.
    If it asks you about what version to boot, choose your version of windows from the list (the default should work) and press enter. Then come back here to continue the instructions.
    If that doesn't get you into safe mode, follow this guide.
    http://208.38.187.28/support/safemode.shtml

    The program (bootsafe) should only be used if you can't get to the menu that lets you choose safe mode. If you can get to the menu, but safe mode won't load, then you should go to the "advanced infections" section first.

    All steps must be performed in Safe Mode unless stated otherwise.


    Any time you have to reboot while following this guide, hit F8 just before the windows loading screen, and choose "Safe Mode with Networking", unless I say otherwise.

    When you see the desktop you might notice that your wallpaper looks a bit strange, and the icons are large. Don't worry; this is a temporary measure in place to help while your poor PC is fixed. You might get a message asking you if you'd like to use System Restore instead, make sure you choose to continue with Safe Mode.

    Do this step in internet explorer! Not firefox, not opera, not chrome, not konqueror, not safari, DO IT IN INTERNET EXPLORER!
  2. Open Internet Explorer and go to the Tools menu, and choose "Internet Options". On the Advanced tab, you will find many options. Uncheck the option "Enable third party browser extensions", and press OK. Close Internet Explorer. Open it again and proceed to the next step.

    If you are using vista, skip this step, as vista treats it's system restore function differently.
  3. In your start menu, go to the control panel, and there should be a bunch of icons, one of them being "system". If not, click "switch to classic view" on the left. Open "system", and click the "system restore" tab at the top. In that section, click the checkbox to "turn off system restore on all drives", if it not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point.
     
Offline
Report this post
Post: 48412007_5 created on Thu Mar 26, 2009 9:49 pmPosted: Thu Mar 26, 2009 9:49 pm
Removal



Different scanners have different purposes. They are generally put into three groups; Spyware scanners, Virus scanners, and Rootkit scanners. It's good to have one or more scanner of each type, but that will be covered later, you only need to pick one from each category for now.

Microsoft Windows Malicious Software Removal Tool
This is the first program that you should download and run. It's a tool checks your computer for infection by specific viruses known to affect windows, it is not a replacement for a normal anti-virus. - Download

Spyware Scanner
SUPERAntiSpyware - http://209.62.68.168/
MalwareBytes - http://74.86.201.220/Malwarebytes_Anti-Malware_d5756.html

Virus Scanner
Avira - http://62.146.210.133/
AVG Free - 212.67.88.87


  1. Download one from each category, and remember to do this in safe mode!
    Install them. If any of them refuse to install in safe mode, then restart into normal mode to install those, then go back into safe mode to continue. It is very important that you download them in safe mode.

    After they have been installed, run them, choose to update (if it's an option, or if they require it), and then tell each one of them to scan your system, and fix any problems they find.

    For the virus scanner, when it finds an infection, you may get a choice on moving the virus to the vault (which is like moving the virus to jail), cleaning the infected file (death sentence), or deleting the infected file (bombing it's house). Clean it if possible, if not, move it to the vault or delete it, your choice, as that file is now dead to you, treat it like it's radioactive, you do not want it anymore. Redownload or install a clean copy of whatever it is later.


  2. After running those scans, try out trendmicro's housecall, just to make sure you're clear and that no viruses remain.
    http://housecall.trendmicro.com/


  3. When that is done, one final check remains to make sure your computer is clean.

    Download and run the standalone version of 'Hijack This!'
    Hijack This - http://74.86.201.220/download3155.html

    Tell it to scan your computer, and to save a logfile, which it will then open. Press CTRL+A to select all the text, and then CTRL+C to copy it. Go to www.hijackthis.de and click in the white box on the site, and press CTRL+V to paste your log into the box. Tell it to analyze your log, and it will scan it, and then give you the results after a small bit.

    The results will be a long list, but the only things you need to worry about are the symbols on each item in the list. Ones with a red X are bad, and you should go into hijackthis, and put a check next to every bad item. Then, after marking all the bad ones in hijackthis, tell it to delete the entries, which will fix the issues.

    Run hijackthis again, so it makes another log. Copy it like before, but this time visit 208.68.18.97, paste it into that large white box, and click the "submit post" button below it, to the right.
    It will give you a link. Click it to visit your log. Copy the address/link, and show it to us. If you have a thread already, post it there, but if not, make a new thread with it, so we can go over anything that may have been marked as unidentified.





After Scanning


After all that scanning, when you restart normally (not pressing F8 to enter safe mode), your infection should be fixed.

If it is not, check the "advanced infections" section right below this. If that STILL does not fix it, please post anything that went wrong in a new thread, and we will try to help you.

If everything did work out as planned, then feel free to turn system restore back on, check the instructions in part 3 of the "setup" section of this guide.

Finally, go into your control panel, and open the "automatic updates" section. Make sure they are on "automatic".

You may notice that you get repeated "infections" of "tracking cookies" that show up every time you scan. These are not actual infections, they are given to you by viewing advertisements on the internet, and they do not pose a security hazard. However, they can be seen as an invasion of privacy, as when they are put on your computer by an advertisement, they can keep track of which of that advertiser's sites you have been to. They cannot steal your passwords, they cannot watch what you type, they do not harm or slow down your computer. If you don't care that advertiser X knows that you visited advertiser Y's site, then leave them be, as they do not slow anything down. If you do not want to get them at all, then consider seeing if the web browser you use has any ad-blocking capabilities. Don't go blocking everything, though! Websites usually depend on ads to give them the money they need to keep running.
 
     
Offline
Report this post
Post: 48412007_6 created on Thu Mar 26, 2009 9:50 pmPosted: Thu Mar 26, 2009 9:50 pm
 
Advanced Infections


Advanced Automatic Removal


The purpose of a virus is to self-replicate, thus it will leave your computer in a mostly-operational form, as it uses it to spread itself.

Spyware and Adware need the computer mostly working, because if you're not using it, then spying on your habits and displaying advertisements is useless.

That said, there are a few, horribly, horribly nasty types of infection, that render your computer almost useless, can redirect your web browser to it's own pages, restore themselves from a half-removed state, and refuse to let you do anything useful until you pay them. They're holding your computer ransom with a nuculear bomb, so to speak, and require special tools (SWAT TEAM!) to take care of.

They can be called many names, but a main classification of them can be called Smitfraud, Virtumonde, and Vundo.

http://urlcut.com/fixer_of_rogues

That is an updated tool that will attempt to remove all known deep infections. Follow all the instructions exactly (remember safe mode when it says to!) and give it time to do it's job.

After downloading it, open a folder, any folder. Go to "Tools" at the top menu, and click "Folder options". When a new window comes up, go to the the "view" section. Find and UNcheck "hide file extensions for known types", save the changes. Then rename the text file you got from roguefix from .txt to .bat, that way you can run it. Feel free to recheck the box afterwards, it's only needed to be off so that you can run roguefix.

If you cannot run that one, try these backups.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://siri.geekstogo.com/SmitfraudFix.php



Fixing Redirections


DNS is "Domain Name Server". A DNS server keeps information which web address relates to which IP address on the internet (like how google.com is 74.125.45.100). It's sort of like how "Jack's house" means "123 Oak Tree Lane" in the real world.

A - Cleaning Your Hosts File

The HOSTS file is a file on windows that holds information about DNS entries on your own computer, it's usually used to bypass a normal DNS server for whatever reeason. Usually it's only used to block things (by making the browser try to go to a non-internet IP address when you try to visit a specific site), like to block bad sites, or your parents might use it to block myspace or something. Unfortunately infections will add entries that make real sites redirect to fake sites... so this might need to be undone.

If you're on XP...
In your start menu, go to "run".
Type in the below code, without spaces.
% Windir % /System32/drivers/etc/
Press enter, a window show open. In there, find a "hosts" file. Right-click it, "open with", and open it in notepad.

If you're on Vista...
1) Browse to Start -> All Programs -> Accessories
2) Right click "Notepad" and select "Run as administrator"
3) Click "Continue" on the UAC prompt
4) Click File -> Open
5) Browse to "C:WindowsSystem32Driversetc"
6) Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
7) Select "hosts" and click "Open"

If you see any mention of sites you KNOW are safe (if it mentions safer-networking.org or ebay.com other sites you know of, especially ones you'd download security software from or that the infections is blocking you from visiting), then you'll want to remove them.

Start by erasing all of those bad lines. Go to save it, and when you do, make sure you click the "save as type" box when saving, and select "all files", then save the file as "hosts" without the ".txt" ending. If that fails for some reason, and you know you don't need any of the redirects in the hosts file, just delete it. See if you can get to the websites again after you're done with that. If not, restart back into safe mode and try again.


B - Changing DNS server.

If your HOSTS file is clean and you're still getting redirected, then your computer has been set to use a different DNS server, instead of the clean one run by your internet company. These other DNS servers are usually bad, directing you to fake sites instead of real ones (like telling you that Jack's house is in the middle of a highway, instead of giving you the real address).

To get around that, here's instructions on using a clean DNS server.
Link to thread is here!


Rootkit Removal


If both those special programs and a normal virus and spyware scanner all failed, you may have a rootkit, which hides files from other scanners. If that's the case, read on.

Download and run this rootkit detector. Do not just "run" it, but actually save it somewhere you can get it, and then run it.
hftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Run it, and it will scan for things that are hidden to windows and normal programs. When it's done, it'll have a list of results. Look at a result, and look for it with a search engine like google or yahoo (search for the file/folder name along with the word "rootkit" ), and if the results involve a type of infection (spyware, adware, rogue software, malware, virus, trojan), you should see a removal guide.

Not everything it finds is bad! Some are involved with programs you know are safe (like firefox) or part of windows itself. When it's done, you'll find a log file where you saved the program. It will be named something like "fsbl-20090124034050.log". If some things were found, open it and show us what it says.
     
Offline
Report this post
Post: 48412007_7 created on Thu Mar 26, 2009 9:50 pmPosted: Thu Mar 26, 2009 9:50 pm
Future Protection




How did I get that infection in the first place? What can I do to prevent it? Where do infections come from? How can I spot bad programs?
An ounce of prevention is worth a pound of cure. Taking 30 seconds of your life every so often to keep your protection up to date can save you hours of fixing issues later.



How do I avoid getting viruses and the like?
Well, almost everyone gets one at some point. They're everywhere.

  • Turn windows update on and leave it on! It only updates once a month, twice if there's something serious.
  • Make sure to allow your antivirus to update automatically.
  • Scan with your antispyware at least once a week, updating it with the update option in the program before you scan.
  • Any good antivirus software (like the ones listed in this guide) will have what's known as an "active guard" or "resident shield". What that does is scan every file before it enters your computer, like a robot security guard at the door of a nightclub. If it detects an infection, it can stop it from doing anything, and alert you. Leave this option on.
  • Spybot also has a neat tool, the "immunizer". What this does it make it so that your computer cannot normally connect to any site that's known to be a fake, or attempt to install infections.
  • Using OpenDNS (http://opendns.org/) can help prevent infections from getting to your computer in the first place as well.


Why did my current program not protect me?
    One of multiple reasons.
  1. It was not fully updated.
  2. It was a pay program, and you stopped paying for it, so it stopped protecting you.
  3. It was a scanner for a different type of infection then you got. Virus scanners usually will not scan for spyware/adware, and the same goes the other way waround.
  4. It could have been a rogue program that actually doesn't protect you, see below for a bit of details.



Here are some examples:

Advertisements: Yes, random advertisements on websites. Websites get paid by advertising companies to let the ad companies stick random ads in the website when it's viewed. The ad companies get paid by people that want to advertise. The people that want to advertise pay the ad company, and give the ad company the code/image/file for the ad, which is then randomly given out to any sites that display it. Normally that works fine, but if some low-life uses a trick or three to stick an infection in an ad, it can show up in multiple sites for hours before it's caught and removed. So almost any site that displays advertisements could possibly give an infection. The chances are slim, but it's possible, even more on sites that deal in shady things, like ROMs or Warez or free porn. This is partially why it's so important to keep some protection that's always on.

Rogue Software: Sometimes you might see a random popup claiming it's scanning your computer, and showing you hundreds of problems it's finding that claims it can fix. THESE ARE FALSE. It is not scanning your computer, it is not detecting issues, all it's trying to do is scare you into buying it. Scan everything you download before you run it.

Internet Explorer Toolbars: Most of the time, ones that show up randomly are chocked full of spyware, adware, and sometimes worse. Google/yahoo toolbars and such are fine, but it's important not to use any strange ones. Do your homework, go to google and look it up to make sure it's not crap. If the first few results you get are about how to remove it, don't touch it. Use common sense.

Random Programs: Some are legit and good. Some are not. I'd always suggest reading reviews of the programs before downloading them. Some contain spyware and adware. http://www.download.com has reviews for shareware and freeware programs which usually tell you if they have any nasty stuff in them. (For those who don't know, Shareware is programs that are sort of a "try before you buy". Free trials. Freeware is programs the the other allows people to use for free [usually just for home use].) Scan everything you download before you run it.

Smilies: I've seen a zillion flashing ads for "COOL IM SMILYS HERE!!!" and such. Don't get them without checking up on them first, unless you are prepared to deal with wave after wave of spyware and adware. Scan everything you download before you run it.

Crack/Serial Sites: These are absolutely packed with things. Viruses. Heavy-duty spyware that will take you ages to remove.

Porn sites: Same as crack/serial sites.

"Get paid to surf" sites: Half the time, these are a scam and ask you to install a plugin, which contains so much adware and spyware, you'll have a hard time getting rid of it all. Some even contain keyloggers. The other half of the time, the payout is so low that it's not worth even looking at. I'm talking $1 a day at the most.

P2P/Filesharing Programs (such as Limewire): When you use these programs, you are downloading files from other people's computers, and other people are downloading files from your computer. That's why it's called "file sharing". If anybody has an infection on their computer, you can catch it since your computer connects to theirs in order to get the file. Every single one of these programs has a very high risk of infection, you should try to avoid these.

Why not try these websites where you can listen to free legal music instead!
http://www.last.fm/
http://www.mp3.com/free-music/free-mp3s
http://www.jamendo.com/
http://www.garageband.com/
http://www.unsignedbandweb.com/
http://www.ocremix.org/

Emails: Never, NEVER open an email attachment from someone you don't know. There are alot of viruses that will send themselves to everyone in your address book, so if someone you know sends you something that looks fishy or you weren't expecting, DON'T OPEN IT! Email that person and ask them if they sent it.

Instant Messengers: If you suddenly get a message over MSN saying "hey, look at this cool thing", or "are these pictures of you?", or "hey look at these naked pictures of me!", along with a link... don't do it. It's probably a virus.
There are ones that will continue to spread because they send that message to everyone on the infected person's buddy list. Same sort of thing as e-mails, it appears to be from somebody you know, but could easily be an infection. Scan everything you download before you run it.

----------------------------------------------------

An issue, is to not have more than one antivirus' "active guard" or "background scan" active at the same time, otherwise they could run into eachother and make a mess. gonk Feel free to have AVG and Avast and others, but only have one virus scanner active at the same time, leaving the others for an emergency.
 
     
Offline
Report this post
Post: 48412007_8 created on Thu Mar 26, 2009 9:58 pmPosted: Thu Mar 26, 2009 9:58 pm
 
Programs



Here's a list of programs of varying types for you to check out and use if you want, or if the ones listed in the main sections will not work for you.


Anti-virus
Free
Avast! - http://216.12.205.130/
Avira - http://62.146.210.133/ (Displays an ad when it updates daily.)
AVG Free - 212.67.88.87
Microsoft Security essentials - http://www.microsoft.com/Security_essentials/

Paid
Kaspersky - http://85.12.57.107/
NOD32 - http://72.3.254.86/


Spyware scanner
Free
Spybot S&D - 89.238.64.39
AdAware - http://209.87.179.221/
SUPERAntiSpyware - http://209.62.68.168/
MalwareBytes - http://74.86.201.220/Malwarebytes_Anti-Malware_d5756.html
     
Offline
Report this post
Post: 48412007_9 created on Sat Mar 28, 2009 9:24 pmPosted: Sat Mar 28, 2009 9:24 pm
Cleanup After Infection


So you've got the bulk of it out, but there's still little annoyances that are bothering you, and you want to fix them or make sure the rest of the infection is out of your system?

First, open Internet Explorer and go to the Tools menu, and choose "Internet Options". On the Advanced tab, you will find many options. Check the option "Enable third party browser extensions", and press OK. This will turn on browser extensions, which were disabled at the start of the guide because some could be infections.

http://www.internetinspiration.co.uk/pc_clean_up.htm
 
     
http://tinyurl.com/ygerbtm
Crew love.
It's not a joke, it's a way of life.
http://www.thesuitesguild.com/banner/rotate.php
1
Gaia Forums » Entertainment » Computers & Technology
 Subscribe to Topic  Report this Topic

Quick Reply

Enter both words below, separated by a space:

Can't read the text? Click here

Submit

We will be phasing out support for your browser soon.

Please upgrade to one of these more modern browsers.