*** Advice & Tools for virus/trojan/malware Removal & Prevention ***

Hi,

This list of questions & tools is here to help you in case of problems with viruses, worms, trojans and other malware…

Please work through it, answer the questions (in your own topic, please, not here…) :wink:
and have a go at the advised tools & removal instructions…
A word of caution at first:

If a virus, trojan, worm etc. is found, you should
a) not panic :wink:
b) try and get some information on it & the proper removal procedure
c) try to REPAIR or CLEAN it first; only if this is not possible:
d) MOVE it to the avast CHEST

→ DON’T delete it (because then it’s not possible to undo any changes if the system is not working properly anymore), especially if you don’t really know what you are doing… :wink:
Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove:
http://www.avast.com/i_idt_171.html
If so, please try the Cleaner first…
It’s also very helpful in a number of cases where programs won’t run (e.g. after a botched-up attempt to remove/delete a virus or worm)
Don’t panic, but:
If you have found an ACTIVE Backdoor (or Keylogger/Password-Stealer etc.) on your system, please read the next article to decide whether to just remove it or better to flatten the system and properly redo it (in case you have sensitive data on the PC, or if you use online-banking etc etc…)


So here goes with the info we need to help you and/or how you can resolve this yourself:

  • What WIN do you have? Are all ServicePacks and Windowsupdates applied? Please CHECK!!

  • What name does avast give the virus (e.g. like: “Win32:Netsky-P [Wrm]”)?

  • Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe)?
    You’ll get this info from the Alert/PopUp window or from avast’s report/Log-files. If you can’t start avast, look for the info in the logfiles in the avast (sub-)folders and
    in the EventLog of Win XP / 2000: Controlpanel → Administration → Event-log

Sometimes, to get rid of it, it’s enough to:

  • clear all TEMP-folders (via drive CleanUp AND best also manually)
  • empty Temp.Int.Files folder(s) (via IE->Extras-Internetoptions->Delete files, including OFFLINE files !!) and
  • empty java-Cache (controlPanel → java-Plugin → Cache)

Or, if the virus/trojan/worm is found (only) in the RESTORE folder of WIN ME/XP:
disable system restore INCLUDING a REBOOT!!
—> Howto: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Test the file with OnlineScanners e.g. from KAV, Trend & RAV (see below) to get a more specific name. You need to temporarily pause AV-ResidentShield/Monitor/Guard to be able to scan the file online.

Trend: http://housecall.trendmicro.com/housecall/start_corp.asp
RAV: http://www.ravantivirus.com/scan/indexie.php (use with IE & ActiveX enabled)
KAV: http://www.kaspersky.com/remoteviruschk.html
*** Multiple Scan-Engines: JOTTI & VirusTotal

(If they all don’t show it as infected, please send it in a password-protected RAR- or ZIP-file to:
virus (at) avast.com)
→ How To treat False Positives

Sometimes (especially if the trojan is of the “trojan-gen”, “trojano” or “startpage” kind):
Spybot, Ad-aware and Cwshredder might also help
→ see www.lurkhere.com ->nicefiles and www.lavasoft.de
Be sure to update them after installing

You might also try searching for the virus name or filename with google or here in the board search (see above).
*** If you search for virus names here or elsewhere, it’s often better NOT to use the complete name given by avast, but only the main/central part of it:
→ instead of “Win32:DyfucDldr-C [Trj]” use “Dyfuc”, because other antivirus companies name it differently (e.g. “TrojanDownloader.Win32.Dyfuca.af”).
(Of course, when you post here in the board, please give us the complete & exact name,
up to the last :-/[ & space if possible :wink: ).

There are also lots of sites which provide free Removal Tools for some wide-spread viruses, worms & trojans:
→ First of all, of course avast’s CLEANER:
http://www.avast.com/eng/avast_cleaner.html
Then have a look at these sites:
http://www.bitdefender.com/html/free_tools.php
http://vil.nai.com/vil/averttools.asp#stinger
http://securityresponse.symantec.com/avcenter/tools.list.html
CLRAV: ftp://ftp.kaspersky.com/utils/clrav/clrav.zip
ESCAN: http://www.mwti.net/antivirus/free_utilities.asp
Set the options as shown in this ->Screenshot<-

*** NOTE: If you (did) use an AV-product of PANDA, be prepared to get a harmless “false positive” about it from avast, because PANDA don’t encrypt their files, so that avast (and lots of other scanners !!) CORRECTLY identify (harmless) pieces/strings of virus code in it
(infamous examples: “KUANG2” & “MATYAS” detected in files like imscan.dll & PAV.sig)
For more details, please read HERE

General removal procedure:

  • For Win ME/XP: best disable system restore (including a REBOOT), especially if the virus is (also) found in the RESTORE folder
  • You might want to start your WIN in “SafeMode”, as then only the “bare bones” of WIN are loaded: lots of Malware processes are not active then and the nasties are easier to remove
    How to start the computer in Safe Mode
  • kill the respective Virus/Worm/Trojan process with task manager ( CTRL + ALT + DEL )
  • search for the file/process names in the registry; remove the malware’s startup entries in the registry
    !!! Make a Registry backup beforehand (at least backup the registry keys you change) in case something goes wrong:
    How to back up the Windows registry
  • disinfect/clean or (if disinfection is not possible) move the file to quarantine (avast’s CHEST); this may be possible only after a reboot

When you’ve removed the virus/malware:

  • Scan your whole system with updated AVAST (and maybe a 2nd scanner, e.g. TrendMicro, RAV, COD to check whether your PC is clean) :wink:
  • If needed, reenable system restore on Win ME/XP

If you still can’t remove it, you could post a logfile of Hijackthis here in the forum (but in a new/your own topic, please): http://tomcoyote.org/hjt

This shows what stuff (good or bad) is starting on your PC and is excellent for diagnosis.
Be sure to unpack the ZIP-file, i.e. NOT to run hijackthis.exe from TEMP-folder or Desktop, but from a new folder of its own.
Otherwise you might lose backups of the stuff changed with it…
DON’T remove/fix anything with it yet, if you’re not 100% sure, as this tool lists GOOD & BAD stuff starting/running !!
& please read this first: http://www.spywareinfo.com/~merijn/htlogtutorial.html

VERY IMPORTANT: Secure your system !!!
→ NO antivirus detects everything or offers 100% protection, and new security holes in WINDOWS are found continuously, but you can do much (with just a few steps) to ensure that YOUR pc is quite safe from known nasties:

  • Change passwords or set more secure ones, disable or secure shares, install patches/updates for WIN & IE (InternetExplorer);
  • Disable ActiveX and Scripting in IE except for known, secure sites
  • Even better, use a secure browser/Mailprogram like Opera, Mozilla or Netscape, instead of the notoriously unsafe IE & Outlook !

*** Read How did I get infected in the first place and follow Tony’s advice. He will tell you about some ways to make your computer more secure and link to some excellent free tools to help with that.


Further Details and Links via the board search above …:
http://forum.avast.com/index.php?board=;action=search
E.g. entering a virus/trojan name there (or even the filename of an infected file) will usually get you lots of topics with specific advice for its proper removal :wink:

Another HotSpot for Malware-Removal & Security is Eddy’s page
Please also read Technical’s excellent “User’s FAQ” to get more info on problems/tweaks/advice related to the functions of AVAST & WIN
Another place you want to look at are the
avast! 4 FAQs
& Links! (for almost everything)
If you couldn’t resolve the problem yourself, you’re very welcome to start/continue your own topic asking for further help, but please:

  • provide the requested info & maybe other stuff you deem important
  • describe in detail what you’ve tried so far, and with what results…
    :wink:

Corrections, additions, suggestions etc. are very welcome, but better via PM to me (so that this topic doesn’t get too cluttered)
:wink:
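The registry part of the general removal procedure above (search for the file/process name in the autostart entries, and back up the keys before you change anything) as an added PowerShell example; this is not code from the original post or from avast. It takes the file name from the avast alert, lists every match in the common Run/RunOnce keys and the Startup folders, exports each matching key with reg.exe before anything is touched, and reports whether a process with that name is currently running. It deliberately removes nothing: the actual disinfection/quarantine step stays manual, as the post advises. The key list, the backup folder and the file name virusfile.exe are assumptions/placeholders, not values from the page.

```powershell
<#
  Added example (not from the original post): locate a malware file's autostart
  entries and back up the affected registry keys before anything is removed.
  Usage:  .\Find-Autostart.ps1 -FileName virusfile.exe
  'virusfile.exe' is a constructed placeholder; use the name from the avast alert.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$FileName,
    # Assumed default backup folder; any writable folder works.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'reg-backup')
)

# Autostart locations referred to in the removal procedure (assumed list;
# the Wow6432Node key exists only on 64-bit Windows).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$pattern  = [regex]::Escape($FileName)                                   # literal match, -match is case-insensitive
$baseName = [IO.Path]::GetFileNameWithoutExtension($FileName)            # process names have no .exe
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }                            # PowerShell's own metadata properties
        if ("$($v.Value)" -notmatch $pattern) { continue }

        Write-Output "MATCH  $key  '$($v.Name)' = $($v.Value)"

        # Export the whole key before any change; reg.exe wants HKLM\..., not HKLM:\...
        $regPath = $key -replace ':', ''
        $outFile = Join-Path $BackupDir (($key -replace '[:\\]', '_') + '.reg')
        & reg.exe export $regPath $outFile /y | Out-Null
        Write-Output "       key exported to $outFile (restore with 'reg import' if something goes wrong)"
    }
}

# Startup folders: files placed here are started at logon as well
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern } |
        ForEach-Object { Write-Output "MATCH  startup folder  $($_.FullName)" }
}

# Is the file running right now? (end it via Task Manager before cleaning, as the post says)
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -eq $baseName -or ($_.Path -and $_.Path -match $pattern) }
if ($running) {
    $running | ForEach-Object { Write-Output "RUNNING  PID $($_.Id)  $($_.ProcessName)  $($_.Path)" }
} else {
    Write-Output "No running process matches '$FileName'"
}
```

Run it from an elevated PowerShell so the HKLM keys can be read and exported; the .reg files it writes are the registry backup the procedure asks for, so keep them until the PC has been verified clean after the reboot.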

The following instructions of course DON’T apply generally to all kinds of viruses/malware (so don’t panic ;)), especially NOT to “classic” viruses, e.g. simple EXE-Infectors (without further functionalities) or Boot/MBR-infections.

They are however aimed at the rather large category and growing threat of BACKDOORS & some trojans/worms (with keylogging and/or password-stealing functionality …)

So, here’s some advice if you have or had an ACTIVE Backdoor (or Keylogger/Password-Stealer etc.) on your system:

(ACTIVE means here that the backdoor installed itself to the system, i.e. you find its startup-entries, registry changes and its malicious files described in the respective virus/backdoor info. Often this means that its files are detected in the WINDOWS/WINNT or SYSTEM32/SYSTEM folder.
If however the backdoor/trojan was caught/blocked by avast’s residentShields in time and it is found ONLY in e.g.

  • Temporary internet files
  • TEMP-folders
  • a new Download/Email (which you didn’t ever click/activate, of course)
    then you’re probably lucky, because the backdoor is inactive and wasn’t able to install/do any harm.)

So, if the backdoor is/was active:
→ At least change all your passwords after removal !!!
This means:

  • All Admin-/User-passwords
  • Also other important passwords which were entered on the PC via keyboard since the infection occurred. As you probably don’t know for sure when it happened, this usually means ALL passwords.
    This ESPECIALLY includes PINs, (online-)banking-/onlineshopping-/ebay data etc etc…
  • Passwords or other sensitive data saved somewhere on the PC, especially if they are not or only weakly encrypted (something you shouldn’t do anyway…!!)

This MUST be done AFTER you’re pretty sure that the backdoor is completely removed from the PC, and while you’re disconnected from the internet.
(Changing the Admin/User passwords can be done additionally before you start removing the backdoor, but then change to new/unused/secure passwords AGAIN after Removal)

Again: Don’t panic now… :wink:

Some people advise a complete redo of the system from scratch, as it’s compromised=not secure anymore.
→ A malicious user could read/modify/delete all the data on your system, log/record your passwords, PIN’s etc etc…
This “setting up from scratch” is of course the ONLY way to ensure that your system is again safe & secure against spying/intrusion, because even if…

  • you removed the backdoor/trojan from the system according to instructions &
  • a virus/trojan scanner gives your PC a clean bill of health,
    you CAN’T be sure that the backdoor (or a malicious user who recognized/controlled it) didn’t do any other sneaky modifications to the system which you probably wouldn’t detect…

But everybody has to decide this for themselves according to how important the security of their system & the sensitivity of their data is because:

  • some people understandably don’t really want to go to all this trouble, especially not for a machine which is only used for surfing or gaming…
  • redoing/setting up the machine again needs to be done exactly RIGHT, otherwise it’s pointless !!
    If you don’t do this properly, you might just get reinfected with e.g. a network-worm with backdoor functionalities, before you’re even finished with installing/updating Windows & all your other stuff…

A “proper” Redo/Reinstallation of the system means:
a) backup of data, ServicePacks/Windowsupdates/patches, important drivers, and maybe emails, address books, contacts and important settings (before you restore them, you must of course scan the backups thoroughly for viruses/backdoors etc etc)
b) FORMAT C: (or whichever is the system/windows partition)
c) Reinstall Windows WITHOUT going online
d) Apply ALL ServicePacks & important patches/windowsupdates OFFLINE, or behind a properly configured firewall (WIN XP’s firewall should suffice, if ACTIVATED!!).
That means do it before you ever connect to the internet !! Otherwise you might just get infected automatically by network worms (this happens without you even opening the browser or reading an email, just by going online)

  • Of course changing all password & generally securing your system & IE still applies (see above);
    again, you must do this while you’re still OFFLINE/before EVER going online!!
    :wink: :slight_smile:

I thought this link was worthy of a mention … lists all the rogue spyware programs out there and has some great links to the trustworthy stuff (Spyware Blaster, Spyware Guard, Spy Bot etc etc).

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Hi Ianb,

Good advice. I am a member on the Dutch equivalent of these idealists. But you have to be very careful to be well advised. There is a tremendously long list of malware vendors and marketeers, scan all on SpywareGuide.com, and some cannot be mentioned, because they sue the red socks out of you, when you mention their alleged actions. Some that say to clear out spyware, add their own on it, lure you to click-ons for it is big, big money, ye know. A good basic ad-/spyware solution is the Dutch collective program Hitman Pro, older windows versions, I personally would go for a combination of Ad-aware, A-squared anti-trojan, SpywareBlaster for protection at browser level, Spybot Search & Destroy, create an empty file in Program Files, name it HijackThis, get the latest version of HijackThis (alas, again a dutch programme), scan it with your virusscanner (always do), unzip it to the empty HJT folder, make a shortcut to your desktop, read the manual and run it, place the logs on the above mentioned forum, and ask the qualified helper to help you out. Easy peasy.
That’s all folks, bye for now,

Polonus

:slight_smile: Also EWIDO “specializes” in removing trojans, worms, dialers, etc and recently on the Ad-aware Free version Support forum at castlecops.com/forum142.html, it has been frequently recommended as part of the cleansing process for many of the “posters” there. EWIDO can be found at www.ewido.net/en.

Some useful instructions for removing spyware can be found here as well: Spyware Removal.

thanx for useful info!

Actually some of the stuff here is quite dated pointing to dead urls and even one dead company!

You might not have noticed but this post was started over 3 years ago.
In 3 years lots of things have changed. :slight_smile:

Actually I did notice. Which was my point exactly.

Either modify it to update, or just kill it.

Or, do what most of us do and that is to enjoy what’s still current and bypass the rest. :slight_smile:

Only the author (or moderator) can modify the links or you could start your own Topic or have placed corrected links in your post.

Nah I’ll leave it up to you “avast! Evangelists”.

They aren’t moderators, just ‘avast’ users trying to help other ‘avast’ users, the moderators are Alwil Software members. So I guess if you don’t want to help this topic can go back to bed and hopefully not clutter the topic up.

How rude! I’m gone. Your loss man.

Rude, I think not, you are reading into it something other than I intended, the clutter relates to the originator’s wish not to clutter up what was supposed to be an informative, not a discussion, topic (hence the quoted text). This was exactly what it was turning into, with yours, Bob’s and my posts, nothing sinister or rude in that.

The “go back to bed” part is what made it rude. Whatever, clearly you don’t want to admit it. I’m not going to press you on it.

Meaning the topic can go back to slumber/bed where it had been for some considerable time.

My god, Lusher, some of us actually want to read useful topics. Stop acting like a noob and get over it. You’re cluttering the posts with the arguing.

Now, how do I get the VBS:Malware [Script] out of my msn account? Avast only picked it up when I tried to view my e-mails. I did a full system scan with Avast and AVG and my pc is clean. Just to be on the safe side, I used Ad-aware and the Window Washer to clean my pc of all the junk our wonderful net piles up on it… then I ran the scans again and still nothing. But when I get into my account I get the pop up saying that the virus is still there. I have no way of removing it, that I know of. Any suggestions?

LOL, you are the one acting like a noob, cluttering this thread by posting your problems here!

Start a new thread, and I will tell you what to do.