Hi,
this list of questions & tools is here to help you in case of problems with viruses, worms, trojans and other malware…
Please work through it, answer the questions (in your own topic, please, not here…)
and have a go at the advised tools & removal instructions…
*
A word of caution first:
If a virus, trojan, worm etc. is found, you should
a) not panic
b) try to get some information on it & the proper removal procedure
c) try to REPAIR or CLEAN it first; only if this is not possible:
d) MOVE it to the avast CHEST
→ DON’T delete it (once deleted, there is no way to undo the change if the system no longer works properly afterwards), especially if you don’t really know what you are doing…
*
Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove:
http://www.avast.com/i_idt_171.html
If so, please try the Cleaner first…
It’s also very helpful in a number of cases where programs won’t run (e.g. after a botched-up attempt to remove/delete a virus or worm)
*
Don’t panic, but:
If you have found an ACTIVE backdoor (or keylogger/password stealer etc.) on your system, please read the next article to decide whether to just remove it or to flatten the system and rebuild it properly (especially if you keep sensitive data on the PC or use online banking etc.). Assume that anything typed or stored on the machine while the backdoor was active (passwords, banking logins) may have been captured, and change those from a clean machine.
So here goes with the info we need to help you and/or how you can resolve this yourself:
-
Which version of Windows do you have? Are all Service Packs and Windows Updates applied? Please CHECK!!
-
What name does avast give the virus (e.g. “Win32:Netsky-P [Wrm]”)?
-
Where exactly was the infected file found (full path/folder/filename, e.g. c:\Windows\system32\virusfile.exe)?
You’ll get this info from the alert/pop-up window or from avast’s report/log files. If you can’t start avast, look for the info in the log files in the avast (sub-)folders and
in the Event Log of Win XP / 2000: Control Panel → Administrative Tools → Event Viewer
Sometimes, to get rid of it, it’s enough to:
- clear all TEMP folders (via Disk Cleanup AND, best, also manually)
- empty the Temporary Internet Files folder(s) (via IE → Tools → Internet Options → Delete Files, including OFFLINE files!!) and
- empty the Java cache (Control Panel → Java Plug-in → Cache)
Or, if the virus/trojan/worm is found (only) in the RESTORE folder of Win ME/XP:
disable System Restore INCLUDING a REBOOT!! (Note: this purges ALL restore points, so do it only once the active infection is dealt with; afterwards you can’t roll the system back.)
—> Howto: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Test the file with online scanners, e.g. from KAV, Trend & RAV (see below), to get a more specific name. You need to temporarily pause the avast resident shield/monitor/guard to be able to scan the file online (and switch it back on right afterwards):
Trend: http://housecall.trendmicro.com/housecall/start_corp.asp
RAV: http://www.ravantivirus.com/scan/indexie.php (use with IE & ActiveX enabled)
KAV: http://www.kaspersky.com/remoteviruschk.html
*** Multiple scan engines: JOTTI & VirusTotal
(If none of them show it as infected, i.e. only avast flags the file, please send it in a password-protected RAR or ZIP file to:
virus (at) avast.com )
→ How To treat False Positives
Sometimes (especially if the trojan is of the “trojan-gen”, “trojano” or “startpage” kind):
Spybot, Ad-aware and CWShredder might also help
→ see www.lurkhere.com → nicefiles and www.lavasoft.de
Be sure to update them after installing
- Clean/remove the virus/malware and its system modifications according to the virus descriptions
from avast, VGREP & Trend Micro,
McAfee & Symantec
You might also try searching for the virus name or filename with Google or here in the board search (see above).
*** If you search for virus names here or elsewhere, it’s often better NOT to use the complete name given by avast, but only the main/central part of it:
→ instead of “Win32:DyfucDldr-C [Trj]” use “Dyfuc”, because other antivirus companies name it differently (e.g. “TrojanDownloader.Win32.Dyfuca.af”).
(Of course, when you post here in the board, please give us the complete & exact name,
up to the last :-/[ & space if possible.)
There are also lots of sites which provide free removal tools for some widespread viruses, worms & trojans:
→ First of all, of course, avast’s CLEANER:
http://www.avast.com/eng/avast_cleaner.html
Then have a look at these sites:
http://www.bitdefender.com/html/free_tools.php
http://vil.nai.com/vil/averttools.asp#stinger
http://securityresponse.symantec.com/avcenter/tools.list.html
CLRAV: ftp://ftp.kaspersky.com/utils/clrav/clrav.zip
ESCAN: http://www.mwti.net/antivirus/free_utilities.asp
Set the options as shown in this ->Screenshot<-
*
*** NOTE: If you use (or used) an AV product from PANDA, be prepared to get a harmless “false positive” about it from avast, because Panda does not encrypt its signature files, so avast (and lots of other scanners!!) CORRECTLY identify (harmless) pieces/strings of virus code in them
(infamous examples: “KUANG2” & “MATYAS” detected in files like imscan.dll & PAV.sig)
For more details, please read HERE
General removal procedure:
- For Win ME/XP: best disable System Restore (including a REBOOT), especially if the virus is (also) found in the RESTORE folder
- You might want to start Windows in “Safe Mode”, as then only the “bare bones” of Windows are loaded: lots of malware processes are not active then and the nasties are easier to remove
→ How to start the computer in Safe Mode
- Kill the respective virus/worm/trojan process with Task Manager (CTRL + ALT + DEL)
- Search for the file/process names in the registry; remove the malware’s startup entries in the registry
!!! Make a registry backup beforehand (at least back up the registry keys you change) in case something goes wrong:
→ How to back up the Windows registry
- Disinfect/clean or (if disinfection is not possible) move the file to quarantine (avast’s CHEST); this may only be possible after a reboot
When you’ve removed the virus/malware:
- Scan your whole system with an updated avast (and maybe a second scanner, e.g. Trend Micro, RAV, COD, to check whether your PC is clean)
- If needed, re-enable System Restore on Win ME/XP
If you still can’t remove it, you could post a HijackThis logfile here in the forum (but in a new/your own topic, please): http://tomcoyote.org/hjt
It shows what stuff (good or bad) is starting on your PC and is excellent for diagnosis.
Be sure to unpack the ZIP file, i.e. do NOT run hijackthis.exe from the TEMP folder or the Desktop, but from a new folder of its own.
Otherwise you might lose the backups of the stuff you changed with it…
DON’T remove/fix anything with it yet if you’re not 100% sure, as this tool lists GOOD & BAD stuff starting/running!!
& please read this first: http://www.spywareinfo.com/~merijn/htlogtutorial.html
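The general removal procedure above (back up the registry, list what starts automatically, kill the process, quarantine rather than delete) and the HijackThis-style startup listing can be scripted. The script below is an added example written for this post; it is not avast’s, HijackThis’s or the original author’s code. It assumes a current Windows with PowerShell 5 or later (the Win ME/XP systems the post targets don’t ship PowerShell), an elevated prompt, and that you run it from Safe Mode as the post advises. The suspect path, backup folder and quarantine folder are placeholders to adjust.

```powershell
# Added example, not part of the original post.
# 1. exports the autostart keys to .reg files before anything is changed,
# 2. lists every autostart entry and flags the ones that point into temp/profile
#    folders or at a file that no longer exists (typical malware droppers),
# 3. stops the process behind a suspect file and MOVES the file to a quarantine
#    folder (keeping the bytes, so the step can be undone) instead of deleting it.
param(
    [string]$Suspect    = 'C:\Windows\system32\virusfile.exe',       # placeholder from the post
    [string]$Backup     = "$env:USERPROFILE\Desktop\regbackup",       # assumed location
    [string]$Quarantine = "$env:USERPROFILE\Desktop\quarantine"       # assumed location
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# --- 1. Registry backup first (reg.exe wants the HKLM\... form, not the PS drive form)
New-Item -ItemType Directory -Force -Path $Backup | Out-Null
foreach ($k in $runKeys) {
    $native = $k -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file   = Join-Path $Backup (($native -replace '[\\:]', '_') + '.reg')
    reg.exe export $native $file /y | Out-Null
}

# --- 2. Enumerate autostart entries (what HijackThis shows for the Run keys)
function Get-AutostartEntries {
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PowerShell provider metadata
            $cmd = [string]$p.Value
            # crude executable extraction: quoted path, otherwise the first token
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            [pscustomobject]@{
                Key        = $k
                Name       = $p.Name
                Command    = $cmd
                Exists     = $exists
                Suspicious = (-not $exists) -or ($exe -match '\\Temp\\|\\AppData\\|\\Local Settings\\')
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# --- 3. Kill and quarantine (move, don't delete) so the action can be reverted
function Move-ToQuarantine {
    param([string]$Path, [string]$Dest)
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    Get-Process | Where-Object { $_.Path -eq $Path } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    $target = Join-Path $Dest ((Split-Path -Leaf $Path) + '.quarantined')
    Move-Item -LiteralPath $Path -Destination $target
    # record the original location so the file can be put back if it was a false positive
    Add-Content -Path (Join-Path $Dest 'origin.txt') -Value "$target`t$Path"
    return $target
}

if (Test-Path -LiteralPath $Suspect) {
    Move-ToQuarantine -Path $Suspect -Dest $Quarantine
}
```

Review the flagged entries before removing anything: a “Suspicious” row only means the target sits in a temp/profile folder or is missing, and plenty of legitimate software starts from AppData. Remove a Run value only after you have matched it to the malware description, and keep the .reg backups until the system has run cleanly for a while.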
VERY IMPORTANT: Secure your system!!!
→ NO antivirus detects everything or offers 100% protection, and new security holes in Windows are found continuously, but with just a few steps you can do much to make sure that YOUR PC is reasonably safe from known nasties:
- Change passwords or set more secure ones, disable or secure shares, install patches/updates for Windows & IE (Internet Explorer);
- Disable ActiveX and scripting in IE except for known, secure sites
- Even better, use a more secure browser/mail program like Opera, Mozilla or Netscape instead of the notoriously unsafe IE & Outlook!
*** Read How did I get infected in the first place and follow Tony’s advice. He will tell you about some ways to make your computer more secure and link to some excellent free tools to help with that.
Further details and links via the board search above…:
http://forum.avast.com/index.php?board=;action=search
E.g. entering a virus/trojan name there (or even the filename of an infected file) will usually get you lots of topics with specific advice for its proper removal
Another hotspot for malware removal & security is Eddy’s page
Please also read Technical’s excellent “User’s FAQ” to get more info on problems/tweaks/advice related to the functions of avast & Windows
Another place you want to look at is the
avast! 4 FAQs & Links! (for almost everything)
*
If you couldn’t resolve the problem yourself, you’re very welcome to start/continue your own topic asking for further help, but please:
- provide the requested info & maybe other stuff you deem important
- describe in detail what you’ve tried so far, and with what results…
Corrections, additions, suggestions etc. are very welcome, but better via PM to me (so that this topic doesn’t get too cluttered)