TonyLSharp.com

Computer Virus/Spyware Information and Removal Procedures

Friday, 04 April 2008 10:52

Computer Virus and Spyware Information/Removal Procedures

Tony Sharp, 2008

This can be a very lengthy subject, but I will try to keep it as brief as possible. I have outlined some of the basic questions that I get asked most of the time and what to do if you get a virus.

What is a computer virus? What is spyware or malware?

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Meanwhile, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Both worms and Trojans will cause harm to computers when executed. (Definition from Wikipedia.org)

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. (Definition from Wikipedia.org) 

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. (Definition from Wikipedia.org)

What are the symptoms of a computer virus?

• Your computer is running slower than usual.
• Your computer locks up or stops responding.
• Your computer crashes, and then it restarts every few minutes.
• Your computer restarts on its own, and does not run as usual.
• Programs that you have on your computer do not work the way they should. 
• Disk drives or disks do not show up properly in My Computer or are inaccessible.
• You see error messages or possibly Blue Screen Error messages.
• Your menus or dialog boxes do not look the way they normally do.
• You see a file with a double extension that you opened recently. 
• An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted.
• An antivirus program cannot be installed on the computer, or the antivirus program will not run.
• New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
• Strange sounds or music plays from the speakers unexpectedly.
• A program disappears from the computer even though you did not intentionally remove the program. (Definition from Microsoft.com)

What are the symptoms of worms and trojan horse viruses in e-mail messages?

• The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
• A copy of the infected file may be sent to all the addresses in an e-mail address list.
• The computer virus may reformat the hard disk. This behavior will delete files and programs.
• The computer virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from the computer.
• The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
• You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
• Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files that are attached to the e-mail messages have extensions such as .exe, .bat, .scr, and .vbs. (Definition from Microsoft.com)
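The "double extension" symptom listed earlier and the attachment types named here can be checked mechanically. Windows hides known extensions by default, so a file called vacation.jpg.exe is displayed as vacation.jpg, which is exactly what the trick relies on. The following Python script is an added example and not code from the original article; the executable extensions beyond the four named above, the list of decoy extensions, and the sample attachment names are this example's own assumptions.

```python
"""Flag file names that show the warning signs the article lists: a double
extension (vacation.jpg.exe) and attachment types that run as programs
(.exe, .bat, .scr, .vbs).  Added example, not code from the original page."""

# Extensions the article names for e-mail worms, plus other Windows executable
# types (.com, .pif, .cmd, .js); the extra ones are this example's assumption.
RISKY_EXTENSIONS = {".exe", ".bat", ".scr", ".vbs", ".com", ".pif", ".cmd", ".js"}

# Harmless-looking extensions commonly used as the decoy in a double extension
# (assumed list for this example).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".xls",
                    ".pdf", ".txt", ".mp3", ".avi", ".zip"}

# Constructed sample attachment names (not taken from any real mailbox).
SAMPLE_ATTACHMENTS = [
    "vacation.jpg",          # ordinary picture
    "vacation.jpg.exe",      # shown as "vacation.jpg" when Windows hides known extensions
    "invoice.pdf.scr",       # screen saver masquerading as a PDF
    "setup.exe",             # plain executable
    "notes.txt",
    "greeting.vbs",          # script attachment
    "photo.jpg      .exe",   # spaces push the real extension out of view
]


def split_extensions(name):
    """Return every extension of a file name, lowercased and stripped of
    padding: 'a.jpg.exe' -> ['.jpg', '.exe'].  A name without a dot has none."""
    parts = name.lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def assess(name):
    """Return the reasons a file name looks suspicious; an empty list means none."""
    reasons = []
    exts = split_extensions(name)
    if not exts:
        return reasons
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        reasons.append("runs as a program (%s)" % last)
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension: looks like %s but is %s" % (exts[-2], last))
    # Padding before the final dot hides the real extension in a narrow column.
    stem = name.rsplit(".", 1)[0]
    if stem != stem.rstrip():
        reasons.append("padding spaces before the real extension")
    return reasons


def triage(names):
    """Keep only the suspicious names, mapped to their reasons."""
    result = {}
    for n in names:
        reasons = assess(n)
        if reasons:
            result[n] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print("%-22s %s" % (name, "; ".join(reasons)))
```

The check looks only at the name, so a file with a harmless extension can still be malicious; it is a first filter for the "strange attachment" case, not a replacement for the scanners described later in this article.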

How will ordinary Windows functions respond if you are infected?

• Windows does not start even though you have not made any system changes or even though you have not installed or removed any programs.
• There is frequent modem activity. If you have an external modem, you may notice the lights blinking frequently when the modem is not being used. You may be unknowingly supplying pirated software.
• Windows does not start because certain important system files are missing. Additionally, you receive an error message that lists the missing files.
• The computer sometimes starts as expected. However, at other times, the computer stops responding before the desktop icons and the taskbar appear.
• The computer runs very slowly. Additionally, the computer takes longer than expected to start.
• You receive out-of-memory error messages even though the computer has sufficient RAM.
• New programs are installed incorrectly.
• Windows spontaneously restarts unexpectedly.
• Programs that used to run stop responding frequently. Even if you remove and reinstall the programs, the issue continues to occur.
• A disk utility such as Scandisk reports multiple serious disk errors.
• A partition disappears.
• The computer always stops responding when you try to use Microsoft Office products.
• You cannot start Windows Task Manager.
• Antivirus software indicates that a computer virus is present. (Definition from Microsoft.com)

How many different viruses are there?

• The number changes every day as new types of viruses and strands are released on the internet. You can look at http://us.mcafee.com/virusInfo/ for information on current threats and a listing of known threats.


How did I get a virus? How did I get spyware? Why is my computer running slow?

• Not running an antivirus program.
• Having an antivirus program but not keeping it updated properly.
• Not running an antispyware detection program.
• Having an antispyware detection program but not keeping it updated properly.
• Not running a firewall.
• Having a firewall on your operating system but not turning it on.
• Not keeping important security updates for your operating system and software current and up-to-date.
• Using and downloading with file-sharing programs such as Kazaa, which are notoriously loaded with spyware programs. Also, they will make your computer more prone to hackers.
• Downloading or installing anything on your computer from a non-known source or media.
• Using USB, CD or floppy disks that have content that is not known (somebody burned you a CD and you loaded it).
• Visiting web sites that contain malicious code (sometimes you will not even know that the site loaded a malicious file on your pc, there will be no indication of it immediately).
• Visiting pornography or illegal file-sharing websites.
• Accepting an Instant Message from another person who is infected or who has intent on giving you a virus.
• Opening an email from a sender that you are unfamiliar with.
• Opening an attachment on an email from a sender that you are unfamiliar with ("I clicked on this picture that was in my email and now my pc crashes all the time").
• Downloading a file or visiting a website that is trying to install something on your pc. You ignore your spyware/virus program and install it/download it anyway.

What can I do to try and remove the virus/spyware or malware?

Disclaimer: I am not responsible for your actions or what you do with this information that I have written, I am just trying to help people, so don't come crying to me if you lost everything on your computer because you have a virus or spyware infection, it is not my responsibility. If you understand this statement, then you can proceed with the instructions below. Remember these are merely suggestions on what you can try to do to fix the problem, and what you do with these instructions is not my responsibility.

Tony L. Sharp

NOTE: In the following section, we will attempt to remove the virus by scanning and quarantining or removing the virus(es). You may notice that something doesn't work right after you do this or you may have some Documents, Pictures or Music missing after you do this. Why? Because the virus or spyware has probably attached itself to the file and there is no other choice other than to delete it. Most of the programs will attempt to clean the file first before deleting it, but if that does not work then the program will either quarantine or delete the file. Just be prepared to reinstall some applications if necessary.

• You can try to see if System Restore will let you restore your computer to an earlier date. This is not a complete restore of your system back to when you first purchased it; this is the Windows System Restore, which will let you restore Windows and your settings back to a prior time. This is a good first attempt at solving the issue. To use the Windows System Restore, click the Start button, choose All Programs, then Accessories, then System Tools and finally System Restore. On the first screen, make sure Restore My Computer To an Earlier Time is checked, and just follow the instructions in the System Restore Wizard to restore your computer to a prior time. You can also create a restore point if you anticipate making changes to your computer that you think may make it unstable. Use the same path above to get to the System Restore Wizard, but choose Create A Restore Point, click Next and follow the Wizard.

• Try cleaning out Temporary Files in Internet Explorer and your user folder:

Cleaning Temporary Files: Go to your desktop. Double click the My Computer icon. Right click the C: drive, and select Properties. Click the Disk Cleanup button. It will scan your pc for temporary files. After a few minutes, when you see the Cleanup dialog box, make sure that Temporary Files and Recycle Bin are the only two checked, and click OK. Cleaning will commence.

Cleaning Internet Explorer Temporary Files: Click the Start button, then choose Settings and click Control Panel. Find the Internet Options icon and double click it. Click the Delete Files button in the section Temporary Internet Files. Another window will appear; check the box Delete All Offline Files. Click the Clear History button also and let it clear your temporary history files.

Internet Explorer 7: If you are running Internet Explorer 7, there is a one-step delete all function for clearing out the temporary internet files. Click Tools, then Internet Options, then under the Browsing History section, click the Delete button. At the bottom of the next window that appears you will see a Delete All... button. Click that button and it will delete Temporary Internet Files, Cookies, History, Form Data and Passwords. 

Also, with Internet Explorer 7, there is a Reset function that resets the browser: it deletes all the temporary files, disables the add-ons that you have installed and resets all the settings to default. To access this, in Internet Explorer 7, click Tools, then Internet Options. On the left side, click the Advanced tab. At the bottom of that window is the Reset... button, which resets the browser to default as just explained.

• Try the disk cleanup wizard in Windows XP. Double click the My Computer icon on your desktop. Right click the C: disk drive and choose Properties at the bottom of the menu. On the window that pops up, choose the Disk Cleanup button. Let it analyse your disk and clean up the temporary files that it finds.

• See if any unwanted programs have installed themselves in the Add/Remove Programs section of your Control Panel. Click Start, choose Control Panel. Double click the Add or Remove Programs icon. Scroll down the list and see if you notice any strange or odd-looking programs that are installed. If you are unfamiliar with a program that is installed, do a search on Google (http://www.google.com) to see if it is a valid program. Usually you can find out whether it is valid or not just by searching Google for an answer. If you see anything that you are unfamiliar with, or you have found on Google that it is a known spyware or malware program, remove it.

• Next, try to remove the virus or spyware using antivirus, antispyware and cleaning programs. There are 6 programs that I use that are currently available free for in-home use only. Install them and be sure to update them during or after install:

AVG Antivirus. (Antivirus) Available at: http://free.grisoft.com . Click on the Download button under Free Basic Protection, and follow the links. Install the program. During installation, it will ask you to update it. Just choose Internet as the type of connection and it will update during install. The program is set to automatically update itself when you boot into Windows, by default.

Ad-Aware 2007 Free. (Antispyware) Available at: http://www.lavasoftusa.com/single/trialpay.php . Click on the Download button under Continue to Download Ad-Aware 2007 Free. Install the program. After installing, Click the Update button under the Update Status section to update it.

Spybot 1.5 (Antispyware). Available at: http://www.safer-networking.org/en/spybotsd15/index.html . Click on the Download section on the left of the site, then the Download icon on the right side of the next page at the top of the downloads. Install the program. After installation, a wizard will appear. Create a registry backup, update the program, immunize your system, and finally, click on Start Using The Program.

CCleaner (System Optimization Tool). Available at http://www.ccleaner.com/ . Click on Download CCleaner Now link. Install the program. After installing Analyze then Run Cleaner. More on this program below.

RemoveIt! Pro. (Antispyware) Available at: http://www.incodesolutions.com/removeit.php. Click on Download Click Here. Install the program. After installing, start the program. It will automatically check for updates after you launch it. Just give it a minute after you launch it. If nothing appears, then you are up to date. If you get a window asking you to update it, apply the update.

SuperAntiSpyware. Available at: http://www.superantispyware.com/ . Click on Download Free Version For Home Users button. Install the program. After you install the program, when you start it, it will ask you if you want to check for updates. Select Yes.

• After installing and updating each program, run a "scan" of your system using each one. If needed, consult the Help section of each program to see how to do this. Remove any viruses or suspicious files that each one finds. In the case of CCleaner, remove the junk files and temporary files that it finds.

• Reboot your computer.

Note: RemoveIt! Pro may find a file and ask you to manually delete the file. Write this file name and its location down on paper. (For example, if it says C:\Windows\System32\xxx.zzz, this file will be located on the C: drive, under the Windows folder, under the System32 folder, and its name will be xxx.zzz.)

The only way to remove this file or files is to boot into Safe Mode, which is explained next:

Safe Mode: If your pc is running, select Restart. If your pc is not running, turn it on. Press the F8 key while it is booting. On some computers, if you hold F8 continually, you will get an error message about the keyboard. Reboot and just tap the F8 key several times during the bootup. You will see a menu with: Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt and several other choices. Use your arrow keys to move up to Safe Mode. Select it by hitting Enter. You will see the computer boot into Safe Mode and a lot of text messages will appear as Windows loads. This is normal. When you finally get into Windows, you will see a notice indicating that you are in Safe Mode. Click OK. You are now in Safe Mode.

Now that you are in Safe Mode, browse to the file(s) that RemoveIt! Pro found. Delete these files.

To exit Safe Mode, simply shut down the computer by selecting the Start button then Shut Down. The next time you start your computer it should start normally.

• Now that you have scanned your computer with the programs above, there are some handy utilities in the program CCleaner. Click the Registry button on the left side of the program. Next, click Scan for Issues on the right. You will see any errors that it finds with the registry. Next, click the Fix Selected Issues... button and it will ask you to back up the registry first before repairing. Do this, and write down the name of the file that it backs up; it usually starts with CC and several numbers, and it is stored in your My Documents folder. This will allow you to fix your registry if it happens to remove something that you need, although I have never had the program do that; it only cleans what it finds to be a known issue. After you have saved the registry, clean the problems that CCleaner finds. To restore your registry after you reboot, if you find an error or problem, just right click on the .REG file created and select Merge.

There are other utilities that this program has, and it is hard to believe it is a free product, but it is. Read the documentation that comes with it and learn to use the program. Here are some of the things it can do:

Internet Explorer cleaning: Temporary File Cache, URL History, Cookies, Hidden Index.dat files, Last download file location.

Firefox cleaning: Temporary File Cache, URL History, Cookies, Download manager.

Windows cleaning: Recycle Bin, Clipboard, Windows Temporary files, Windows Log files, Recent Documents (on the Start Menu), Run history (on the Start Menu), Windows XP Search Assistant history, Windows XP old Prefetch data, Windows memory dumps after crashes, Chkdsk file fragments.

Advanced Options allow cleaning of: Menu Order cache, Tray Notifications Cache, Window Size and Location Cache, User Assist history, IIS Log Files, Custom Folders.

Application cleaning includes: Firefox, Opera, Safari, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Microsoft Office, Nero, Adobe Acrobat Reader, WinRAR, WinAce, WinZip and more.

Registry cleaning includes: File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help File references, Application Paths, Icons, Invalid Shortcuts and more.

• Run the scanners again. It should show clean this time with no files found. If the virus or spyware shows up again and is the same thing, then it could be stuck in the System Restore folder. Note the location of the files that the scanners find. You will usually see the word RESTORE in the path of the file that it finds if it is in the System Restore folder. The only way you can get rid of this is to turn off System Restore, but if you do that, you will have no way of restoring your system to a prior date using the System Restore function in Windows. If you understand this, you can proceed:

Turning Off System Restore: Click on the Start button, right click My Computer, then select Properties. In the System Properties dialog box, click the System Restore tab. Check the Turn Off System Restore checkbox, or the Turn Off System Restore on all Drives checkbox, whichever is shown. Click OK. Wait a few moments and the System Properties dialog box will close.

Reboot your computer again after you get the System Restore turned off. Run the programs above again, scanning your pc for viruses. Reboot if necessary.

Turn System Restore back on: Use the same path above except remove the check in the box Turn Off System Restore on all Drives. It will indicate that System Restore is now running. Click the OK button.

• Try cleaning out the user temporary folder location manually:

Boot into Safe Mode as described above. Click Start, choose All Programs and select Windows Explorer. Click Tools then Folder Options. Click the View tab. Under Hidden Files and Folders, click Show Hidden Files and Folders. Navigate to C:, the Documents and Settings folder, <User Name>, the Local Settings folder, then the Temp folder. Select everything in that folder by clicking Edit then Select All. Select File then Delete. This will delete all the user Temporary files. Turn Show Hidden Files and Folders off again by repeating the same steps, but this time uncheck the box Show Hidden Files and Folders. Click OK. Reboot your pc and bring it up in normal mode. Run another set of scans to see if this fixed the problem.
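The manual steps above (show hidden files, select all, delete) can be done by a script, and a script also shows why the article has you do it in Safe Mode: a file a running program still holds open cannot be deleted, so the cleanup should skip it and report it rather than stop. The following Python function is an added example, not code from the original article; the Temp folder path is a parameter (on Windows XP it would be C:\Documents and Settings\<User Name>\Local Settings\Temp), and the sample folder it builds for a dry run is constructed for the example.

```python
"""Empty a user's Temp folder the way the article does by hand in Safe Mode
(show hidden files, select all, delete).  Added example, not code from the
original page.  The folder is a parameter; on Windows XP it would be
C:\\Documents and Settings\\<User Name>\\Local Settings\\Temp."""
import os
import shutil
import tempfile


def clean_temp_folder(temp_dir, dry_run=True):
    """Remove every entry in temp_dir, hidden ones included.

    Returns (removed, skipped), two lists of paths.  With dry_run=True nothing
    is deleted and `removed` lists what a real run would delete.  An entry that
    a running program still holds open is reported in `skipped` instead of
    aborting the whole cleanup; Safe Mode sidesteps most such locks by loading
    fewer programs, which is why the article does this step there.
    """
    removed, skipped = [], []
    with os.scandir(temp_dir) as it:      # unlike a GUI view, scandir hides nothing
        entries = list(it)
    for entry in entries:
        try:
            if not dry_run:
                if entry.is_dir(follow_symlinks=False):
                    shutil.rmtree(entry.path)
                else:
                    os.remove(entry.path)
            removed.append(entry.path)
        except OSError:                   # PermissionError (file in use) is a subclass
            skipped.append(entry.path)
    return removed, skipped


def count_entries(temp_dir):
    """Number of entries (hidden included) left in the folder."""
    return len(os.listdir(temp_dir))


def make_sample_temp_folder():
    """Build a constructed Temp folder for trying the function offline:
    a leftover temp file, a dot-prefixed file (hidden on Unix) and a subfolder."""
    path = tempfile.mkdtemp(prefix="sample_temp_")
    with open(os.path.join(path, "~DF1234.tmp"), "w") as f:
        f.write("leftover")
    with open(os.path.join(path, ".hidden_cache"), "w") as f:
        f.write("x")
    os.makedirs(os.path.join(path, "installer_cache"))
    with open(os.path.join(path, "installer_cache", "setup.log"), "w") as f:
        f.write("log")
    return path


if __name__ == "__main__":
    folder = make_sample_temp_folder()
    would_remove, _ = clean_temp_folder(folder, dry_run=True)
    print("dry run would remove %d entries" % len(would_remove))
    removed, skipped = clean_temp_folder(folder, dry_run=False)
    print("removed %d, skipped %d, left %d" % (len(removed), len(skipped), count_entries(folder)))
    os.rmdir(folder)
```

Run it with dry_run=True first and read the list; only the contents of the Temp folder are touched, never the folder itself or anything outside it.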

• If all else fails, you can restore your computer to factory defaults:

WARNING: If you choose to do this, you will lose everything that is on your computer, including photos, documents, email or anything that you have installed or put on the computer since you purchased it. First, you can try to rescue what personal files you have off of the computer before restoring it. If the computer is infected really badly, it may not be able to burn a CD and let you copy any of your personal files off before restoring the computer. Also, if you copy the files off an infected computer onto a CD, then use that CD to copy them back to a freshly restored computer, you might wind up in the same shape you were in, with an infected computer. If you are able to copy your files to a CD, I would highly recommend using a virus scanner to scan that CD before you use it to copy your personal files back to your computer. That is why I stress so much to keep a good backup of everything you have. You can't replace those pictures or documents you worked on very easily.

If the computer came with a restore CD, use that CD and read the instructions in the manual that came with the computer on how to restore your computer to factory defaults. If it did not come with a restore CD, then consult either the manual that came with the pc or the company that makes the computer, i.e. Dell, Gateway, eMachines, etc. You should be able to find their website online by searching. Usually, if you do not have a restore CD and you can find either the manual or the company website, it will step you through a program that comes pre-loaded on your pc to restore it, either in Windows or upon a reboot. If you are still unable to find help or find out how to restore your computer, call the company tech support number. Most of the major manufacturers have a toll-free support number that you can call. They can step you through restoring your computer to factory default.


What can I do to prevent this from happening and how do I keep my pc clean or healthy?

• Most importantly, USE COMMON SENSE when you are using your computer. If somebody hands you a disk and you really are uncertain of its contents, don't load it. If somebody tells you to download a pirated version of software, don't download it. If you are trying to look at pornography, then it's highly likely you will get a virus. If you get an email from someone that you do not know, do not open it....DELETE IT!, and don't let your curiosity get you by trying to open or view the attachment such as a picture. These practices just mentioned are a good way to get a virus or spyware. Just think about what you are doing before you do it.
• There are a lot of people who download music and video from the internet. BE CAREFUL when you do such things. Just as above, use common sense. If you are using a file sharing program such as Kazaa, and you are downloading music, you probably already have a virus. If you are not paying for that music, then it is probably illegal. Yep, just because you have eMule or Limewire doesn't make what you download legal. Secondly, you never know what you are downloading when you download this stuff; it is a very risky practice to do things like this. You may have thought you got a song but when you open it...POOF! you just lost 1/2 of your operating system.....
• If you do download things from the internet, do so from a TRUSTED site. What I mean by a trusted site is a known name or product. For example, I would download an antivirus scanner that I purchased from Symantec.com, but I sure wouldn't download a free full version from Joe'sVirusRemovalShack.com. Again, common sense will tell you whether you are doing the right thing or not.

• BACK IT UP! Did I mention back your important files up? That is one thing that I stress on the job and at home. A computer is a machine, and it will fail eventually; it is inevitable. People rely on computers too much, thinking that if they copy documents and pictures on there, they will always be there whenever they want them. Not so. Take the time, buy some CD-Rs and back up those important documents and pictures. It takes probably 10 minutes to write out a CD and no telling how long to try to replace some of those documents that you worked on or pictures that you took. Besides, that picture will never be the same, even if you try to take it again. So back it up folks.....be smart.

• Keep your Operating System up to date. Make sure you have your Windows Updates turned on and you are keeping the system up to date. On your desktop, right click the My Computer icon. Select Properties, then click on the Automatic Updates tab, and make sure that Automatic (recommended) is selected. Alternatively, you can click Start, select Control Panel, click on Performance and Maintenance, then select the System icon. Click on the Automatic Updates tab, and make sure that Automatic (recommended) is selected. Click the OK button, then close the Control Panel.

• Make sure that your Windows Firewall is turned on. Your Windows Firewall is turned on by default. If you want to check the status of the Firewall, click Start, then Control Panel, then choose either the Security Center icon or the Windows Firewall icon and be sure that it is turned on.

• If you feel that the Windows Firewall is not adequate, there is a very good firewall available free for in-home use, Zone Alarm Free. Zone Alarm Free is available at http://www.zonealarm.com ; click on the Download and Buy tab at the top of the site, select More Free Programs. Click Free Zone Alarm Firewall on the left side of the next page, then the Download button on the right side of the following page. Finally click the silver Zone Alarm Firewall button under the Get Basic PC Protection section on the right. Download and install the program. Zone Alarm takes some getting used to if you are not used to a fully active Firewall. You will see it pop up when you access the internet, try to download things and perform other activities. If you know what you are doing and you want it to accept what you are doing, just click the OK button on the firewall when it pops up. There may also be a checkbox to remember this setting when you OK the action; please read the documentation that comes with the program.

• Install an Antivirus program such as AVG and keep it up to date. Also, set it to periodically scan your computer for viruses. Refer to installing AVG above.

• Install an Antispyware program such as Spybot 1.5 or Ad-Aware 2007 and keep it up to date. Also, set it to periodically scan your computer for spyware. Refer to installing Spybot 1.5 and installing Ad-Aware 2007 above.

• Maintain your computer on a regular basis by cleaning out the temporary files, running the Disk Cleanup as described above and running Disk Defragment. You can run Disk Defragment by clicking the My Computer icon, right clicking the C: drive and selecting Properties. Click the Tools tab and select the Defragment Now button.

• Don't download things from untrusted sources. This includes file sharing websites and file sharing programs. Again, use your common sense when doing things like this.

• Stay away from websites that are not trusted, known websites, i.e. pornography and file sharing websites.

• Don't use file sharing programs to download music and video. These programs are packed with spyware and some even make you prone to hackers and hijacking. If you choose to do things like this then you are just asking for trouble.  

• Don't load a floppy, USB drive or CD on your pc unless you know what it is and where it came from. For example, don't load something that a friend's friend gave you and you are uncertain of its contents.

• Don't open up email or look at attachments in email from sources you do not know. Simply delete the email without reading or opening it.

• Don't ignore your popup blocker and install something anyway, be sure that it is coming from a known or trusted site and you know what it is before you install it.  

 

In conclusion, your computing habits will dictate whether you stand the chance of getting infected or not. Be careful, be safe and use common sense when using your computer.

 

 

Last Updated ( Monday, 28 April 2008 18:33 )
 
Copyright © 2008 TonyLSharp.com. All Rights Reserved.