how-to block ads
This FAQ is long, but that is because the instructions are step-by-step. You will go through most of the steps quite quickly, although a couple of scans may take a half-hour to run.
Please note that if you're here because you're infected and you're planning to ask for help in our Security Cleanup forum, then this is the link you should go to. It's shorter and it is kept up to date more frequently.
You will have to close your web browser windows later, so it is recommended that you print out this checklist and check off each step as you complete it.
When you need to come back here to link to something, use this URL:
If you need time to think and plan, unplug your computer from the Internet.
If you have a question on the steps, or something interesting to pass on, feel free to post in the BBR Security Forum, one topic per infected computer. Please include the virus, symptom or filename as part of the subject line. BBR Security Forum
If you are unable to perform a step, make a note and move on to the next step.
Don't stop when you find the first piece of malware. It is not uncommon for a computer that has been exploited through a security flaw to have been penetrated more than once. Also, some malware opens backdoors that facilitate the installation of software that enables use of the infected computer by remote control.
This FAQ is organized to guide you through these steps:
1. Update and run the defensive tools already on your computer
2. Run tools that look for viruses, worms and well-known trojans
3. Run tools that look for well-known adware and search hijacks
4. Create a report that will allow forum experts to do a manual examination for less common adware and trojans
5. Submit any malware that appears to be new or modified to the anti-malware vendors
6. Run tools that allow for examination of some security and system settings that might be changed by a hacker to allow remote control of the system
7-10. Determine the steps to clean the computer, and clean the computer
11. Rescan to verify that the computer was successfully cleaned.
12. Re-secure the computer and any accounts that may be violated. If applicable, report identity theft, cancel credit cards and change passwords.
13. Check that the anti-virus monitor is working again.
14. Take steps to prevent a repeat incident.
15. Post about lessons learned.
16. Report the crime.
17. Reference links to product tutorials and additional information sources.
a) Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. If at all possible, copy (quarantine) suspected malware files to a password-protected compressed file (zip file) before deleting them. Do this in addition to any quarantine function that other products have. There is more on this in step 6. Be careful not to click (left-click), open or run suspect files. (How do I create a password protected zip file?)
Note the location of the file (the full path) because this is an important clue as to where the file is from and whether it has been activated yet. If only part of the path to the file is shown by the AV scanner, use the Windows search tool (Start button / Search) to locate the file and write down the full path to the file.
Compressed folders (also called archives, files with file extensions like .zip and .cab) are now decompressed to temporary files by many malware scanners. If the only sign of malware is in one of these temporary decompression folders it is unlikely that the malware has been activated. So be sure to mention the full path and file name when posting about any file found.
b) A file's properties may also give a reminder as to what the file is part of. Right-click on the file in Windows Explorer or Search and select Properties. Remember, properties can be faked by hackers, so consider them reminders not proof.
c) When in doubt about a suspicious file, submit it for analysis. Your iexplorer.exe may not be the same as someone else's iexplorer.exe.
d) When a step indicates running an update, activate the update function of the program. In general, once the update is complete, stop and start the program before running your scan. This will ensure your scan is done using the latest program and malware database versions.
e) Close all web browser (Internet Explorer) windows before having a tool actually fix a problem or remove a file.
f) Often, running in Safe Mode will solve problems removing files. Click here for instructions for running in Safe Mode.
g) If you are on a Windows system that has separate administrator accounts (Windows XP, 2000, NT), work using an account with administrator privileges.
Once complete, if you continue to have problems with a particular user account, repeat the scans in steps 2 and 3 using that user account. (On Windows XP, you will need to use the "Run As" function described here: HOW TO: Use the RUN AS Command to Start a Program as an Administrator in Windows XP.)
1. Update and run any anti-virus (AV), anti-trojan (AT) and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.
Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.
If you can't access security web sites, check your "Hosts" file.
Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. So click here to submit the suspect file to the anti-virus product makers.
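The Hosts-file check mentioned in this step, as an added example that is not part of the FAQ: a hijacked Hosts file is a common reason security sites suddenly fail to load, because the file overrides DNS for whatever hostnames it lists. The script parses a Hosts file and reports any entry that blocks a watched vendor domain (points it at loopback) or sends it to some other address. The watched-domain list and the SAMPLE_HOSTS text are constructed for illustration; the 203.0.113.7 address is a documentation-range placeholder, not a real attacker.

```python
"""Hosts file check for step 1 of the FAQ (added example, not the FAQ's own
code). WATCHED_DOMAINS and SAMPLE_HOSTS are constructed for illustration."""
import ipaddress
import os

# Domains whose blocking or redirection would be suspicious (illustrative list).
WATCHED_DOMAINS = (
    "windowsupdate.com", "microsoft.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "kaspersky.com", "safer-networking.org",
    "lavasoft.com", "virustotal.com",
)

# Constructed sample: a default line, two blocked vendor hosts, one redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
203.0.113.7     windowsupdate.microsoft.com   # constructed attacker address
127.0.0.1       ad.example.net
"""


def is_watched(hostname):
    """True for a watched domain or any host beneath it (not look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, address, hostname) for each active mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line, or an address with no hostname
        address, *hostnames = parts
        for hostname in hostnames:  # one line may map several names
            yield line_no, address, hostname.lower()


def suspicious_entries(text):
    """Return (line_no, address, hostname, reason) for every watched domain
    that is blocked (loopback/unspecified) or sent to another address."""
    findings = []
    for line_no, address, hostname in parse_hosts(text):
        if not is_watched(hostname):
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, hostname, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked (points at loopback/unspecified address)"
        else:
            reason = "redirected to " + address
        findings.append((line_no, address, hostname, reason))
    return findings


def check_windows_hosts_file(path=None):
    """Read the live Hosts file (default Windows location) and report on it."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, address, hostname, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {hostname} -> {address}: {reason}")
```

Run it as-is to see the three findings from the sample, or call `check_windows_hosts_file()` on the machine being cleaned. A finding is a prompt to look, not proof: some ad-blocking Hosts lists legitimately send advertising hosts to 127.0.0.1, which is why only vendor and update domains are watched here.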
2. Run two or three free web-based AV scanners. (This scanning is the most time-consuming step in this checklist, but it is important.) Go to web-based AV scanners
Record the exact malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.
3. Download, install, update and run the following free anti-hijacking and anti-spyware (AS) products. Be sure to both download and install the latest version of the program, and then update each product's database.
When running the scan, record exactly the details of any problems turned up. (Tracking cookies are easily cleaned up by deleting them, so don't bother recording them.) Quarantine then cure the malware.
3.1 Spybot S&D (donationware):
Download it here:
a) Download and install Spybot S&D.
b) Click on "Update" in the left column.
c) Click on "Search for Updates."
d) Select a download location (usually one close to you).
e) Click "Download Updates" and wait for the updating process to finish.
f) Check that all Internet Explorer (web browser) windows are closed.
g) Click "Search and Destroy" in the left column.
h) Click "Check for Problems."
i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
3.2 Ad-aware (free version available):
Download it here:
a) Download and install the latest version of Ad-Aware. If you previously had Ad-aware installed, grant the installer permission to uninstall it when it asks.
b) As the installation ends, leave these boxes checked: (i) Perform a full scan now, (ii) Update definition file now, (iii) Open the help file now. Click "finish."
c) Close all programs except Ad-Aware.
d) Wait for the scanning process to complete. (Optionally, glance through the Ad-aware Help window that has popped up.) Close Ad-aware Help when done.
e) Click "Next."
f) Click "Critical Objects" and select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
g) Click "Privacy Objects" tab. "MRU list" refers to history lists of "Most recently used" files for different programs. You can review this now and note anything that appears suspicious to post a question about later.
h) Reboot your computer.
i) From Start, All Programs, Lavasoft Ad-aware, rerun Ad-aware.
j) Repeat steps (c) through (i) until no more items are found.
4. If the problem seems to be gone, skip this step. Otherwise, download and run HijackThis (HJT) (freeware):
Download it here: »www.trendsecure.com/portal/en-US···tall.exe
* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
* When the scan is finished, the "Scan" button will change into a "Save Log" button. Click the "Save Log" button.
* DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
* Copy the contents of the log you just saved and get ready to post it in the »Security Cleanup Forum
- The format of your post must be exactly as follows with no deviation or your post will be locked or deleted. This is to ensure you have followed the steps correctly and thoroughly, and to provide our helpful members as much information as possible, so they can help you faster and more effectively.
Start your own thread. Do not interrupt other similar threads with your problem.
i) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.
ii) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? Etc...
iii) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail." "I've followed all the steps" may not be enough information for those who are here to help.
iv) The third paragraph should contain the HijackThis log you copied in step 4.
- Most of what HJT lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
* Carry on with the steps 5, 6 and 7 while you wait for feedback from HJT specialists in the forum.
Remember that file names suggest what a program file is, but files can be changed or renamed. It is file contents that determine what a file actually does. So it is important to run the scans in the earlier steps before creating the HJT log.
5. Submit the suspected malware to AV and AT vendors. This will probably be the one thing you can do to "get back at" the virus writer.
All anti-virus, anti-trojan and anti-spyware (AV, AT and AS) vendors are interested in samples of possible new or reemerging malware because viruses are often changed and adapted over time by hackers.
In particular, be sure to submit copies of suspect files that:
- Got on to your system undetected by an up-to-date AV monitor
- Are not consistently detected by some AV scans
- Are acting differently from what was described in the AV company's write-up
- The scanner says are generically or heuristically detected (have no specific signature)
- Are heuristically detected because heuristic methods are prone to false alarms
- That you have continuing doubts about
- If you don't submit a malware file, retain it in quarantine for at least 2 weeks in case later computer behavior indicates that the file may not be what it was initially identified as
File names suggest what is in a file, but files can be renamed. Also, friendly files can have extra functions added. Only an internal analysis of the file can reveal what it really does. Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it.
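Note c) above and this paragraph make the same point: only a file's contents say what it is, and two files with the same name can be entirely different. The following is an added example, not code from the FAQ, showing how to record the facts a forum helper or vendor needs (full path, size, SHA-256 hash) and how to tell whether two same-named files are actually the same. The `iexplorer.exe` files it creates are constructed in a temporary directory; the "MZ" check is only a coarse hint, since any deliberately built executable carries that header too.

```python
"""Identify a suspect file by its contents rather than its name (added example,
not the FAQ's own code). demo() builds constructed files in a temp directory."""
import hashlib
import os
import shutil
import tempfile


def describe_file(path, chunk_size=1 << 16):
    """Return content-derived facts about one file as a dict."""
    full_path = os.path.abspath(path)  # the FAQ asks for the full path, not just the name
    digest = hashlib.sha256()
    with open(full_path, "rb") as fh:
        head = fh.read(2)          # every Windows EXE/DLL (PE file) starts with "MZ"
        digest.update(head)
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)   # hash the rest in chunks; works for large files
    return {
        "path": full_path,
        "size": os.path.getsize(full_path),
        "sha256": digest.hexdigest(),
        # Coarse hint only: a renamed script lacks the header, but anything
        # deliberately crafted as an executable will of course carry it.
        "has_exe_header": head == b"MZ",
    }


def same_contents(path_a, path_b):
    """True when two files are byte-for-byte identical, whatever their names."""
    return describe_file(path_a)["sha256"] == describe_file(path_b)["sha256"]


def quarantine_record(path):
    """One line to keep beside the quarantined copy or paste into a forum post."""
    d = describe_file(path)
    note = ""
    if d["path"].lower().endswith((".exe", ".dll", ".scr")) and not d["has_exe_header"]:
        note = "  [no MZ header: not a Windows executable despite its name]"
    return f'{d["path"]}  size={d["size"]}  sha256={d["sha256"]}{note}'


def demo():
    """Create three constructed files: a plausible executable, an identical copy
    under another name, and a text file masquerading as iexplorer.exe."""
    base = tempfile.mkdtemp(prefix="faq_demo_")
    real = os.path.join(base, "Program Files", "iexplorer.exe")
    copy = os.path.join(base, "Temp", "setup.tmp")
    fake = os.path.join(base, "Temp", "iexplorer.exe")
    for p in (real, copy, fake):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(real, "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 100)   # constructed: PE magic plus filler bytes
    shutil.copyfile(real, copy)            # same bytes, different name and folder
    with open(fake, "wb") as fh:
        fh.write(b"echo this is not a program\r\n")
    return real, copy, fake


if __name__ == "__main__":
    real, copy, fake = demo()
    for p in (real, copy, fake):
        print(quarantine_record(p))
    print("real vs copy identical:", same_contents(real, copy))
    print("real vs fake identical:", same_contents(real, fake))
```

Keep the printed record with the password-protected zip you make in step 5a; the hash lets you confirm weeks later that a file in quarantine is the one a vendor eventually wrote up, and it is what multi-engine scanners such as VirusTotal key their reports on.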
a) Copy the suspected malware files to a compressed folder (a .zip file). This will prevent the file from accidentally being activated. It will also stop the suspected malware being disinfected by email servers when you submit it for analysis.
In Windows XP, right-click the file and select "send to compressed (zipped) folder." Then double-click the .zip file to open it and do File .. Add a password. Make the password "infected."
In earlier versions of Windows, you need some third party software. WinZip is very easy to use and comes with a free trial period. Simply install WinZip and follow the wizard. Be sure to add "infected" as the password. (How do I create a password protected zip file?)
b) Click here to submit the suspected malware file (Outlook, Outlook Express and most other email clients).
Some Outlook clients may have a problem with the link above, in that case, Click here.
c) Attach the password-protected zip file and send. You're done.
(The above method sends your file to 36 anti-malware vendors. However, if the above is too complex for you, Hispasec lab's free multi-engine single file scan and submission tool www.virustotal.com is much simpler to use. It will scan your file and submit it to 19 anti-malware vendors.)
6. Even if the problem seems resolved, run security analysis products to check your settings and installed software. These analysis products are definitely not 100% thorough in the checks they do; they only check for common problems. Also, the messages produced are usually cautions to check that something is as you want it to be and are not definite instructions to change something.
6.1 Install and run Belarc Advisor (free): www.belarc.com
When you run Belarc Advisor, look for:
6.1.1 Users you didn't add. Check whether your computer maker or reseller added the users for support purposes before you bought the computer. Otherwise, they indicate a hacker has accessed your system.
6.1.2 Microsoft Hotfixes with red Xs beside them, indicating they can be verified by the automated process but failed verification. The earlier the version of Windows, the more likely the fix came off "innocently" when new software was added or upgraded. Click on "details." This will take you to a Microsoft webpage explaining the fix and allowing you to reapply it.
6.1.3 Under software versions, software you didn't install. Many software packages include other third-party software. So installing one product can make 3 or 4 products show up in Belarc and this is not a problem. On the other hand, hackers often install legitimate FTP server or email server software, and because the server software is legitimate, it will not show up in a virus scan.
6.1.4 Save a copy of the Belarc Advisor results. In a few weeks, compare your saved scan with a new scan, looking for unexpected changes.
6.1.5 Ask in the BBR Security or Software Forums before making changes other than reapplying hotfixes. BBR Security Forum
6.2 Install and run Microsoft Baseline Security Analyzer (MBSA) (free):
6.2.1 Review the results to see that they correspond with how you have set your computer up.
- Changes might indicate that someone has altered settings, or the settings may have been altered when other software was added or updated.
- Security updates with reason "306460" simply cannot be verified by the automated process.
- "File version is greater than expected" just means your software has updates MBSA doesn't know about yet.
- You may notice invalid password attempts in your security log. MBSA causes them when it checks for weak passwords.
- The messages above are not normally problems.
6.2.2 Save a copy of the results. Compare them with the results in a few weeks, looking for unexpected changes.
6.2.3 Ask in the BBR Security or Software Forums before making changes, other than re-applying hotfixes.
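Steps 6.1.4 and 6.2.2 both ask you to save the results now and compare them in a few weeks. The comparison is tedious by eye, so here is an added example (not the FAQ's own code, and not Belarc Advisor or MBSA output) that saves a simple inventory snapshot and diffs two of them, flagging users, software and hotfixes that appeared, vanished or changed. The snapshot layout and the BASELINE/LATER data are constructed; "Example FTP Server" and "support2" stand in for the unexpected server software and added user that 6.1.1 and 6.1.3 describe.

```python
"""Baseline comparison for step 6 of the FAQ (added example, not the FAQ's own
code). Snapshot layout and sample data are constructed, not Belarc/MBSA output."""
import json

# Constructed layout: category -> {item name: version or status}.
BASELINE = {
    "users": {"Administrator": "built-in", "Guest": "disabled", "alice": "local"},
    "software": {"Spybot - Search & Destroy": "1.6", "Ad-Aware": "8.0",
                 "Mozilla Firefox": "3.6"},
    "hotfixes": {"KB842839": "verified", "KB958644": "verified"},
}
LATER = {
    "users": {"Administrator": "built-in", "Guest": "disabled", "alice": "local",
              "support2": "local"},                       # user nobody added
    "software": {"Spybot - Search & Destroy": "1.6", "Ad-Aware": "8.1",
                 "Example FTP Server": "7.0"},             # legitimate but unexpected
    "hotfixes": {"KB842839": "verified", "KB958644": "failed verification"},
}


def diff_snapshots(old, new):
    """Return {category: {"added": [...], "removed": [...],
    "changed": [(name, old_value, new_value)]}} for categories that differ."""
    report = {}
    for category in sorted(set(old) | set(new)):
        before, after = old.get(category, {}), new.get(category, {})
        added = sorted(set(after) - set(before))
        removed = sorted(set(before) - set(after))
        changed = [(k, before[k], after[k])
                   for k in sorted(set(before) & set(after)) if before[k] != after[k]]
        if added or removed or changed:
            report[category] = {"added": added, "removed": removed, "changed": changed}
    return report


def format_report(report):
    """Render the diff as plain lines you can read or paste into a forum post."""
    lines = []
    for category, d in report.items():
        for name in d["added"]:
            lines.append(f"{category}: NEW      {name}")
        for name in d["removed"]:
            lines.append(f"{category}: REMOVED  {name}")
        for name, was, now in d["changed"]:
            lines.append(f"{category}: CHANGED  {name}: {was} -> {now}")
    return lines


def save_snapshot(snapshot, path):
    """Write a snapshot as JSON so it can be compared weeks later."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, indent=2, sort_keys=True)


def load_snapshot(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for line in format_report(diff_snapshots(BASELINE, LATER)):
        print(line)
```

Fill the dictionaries from whatever the tools report (the user list, the "software versions" section, the hotfix list), save with `save_snapshot`, and re-run later with `load_snapshot` on both files. As 6.2.1 notes, a hotfix that moves to "failed verification" or a new product that arrived bundled with something you installed is not necessarily a problem; the diff just tells you where to look before asking in the forum.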
7. Different vendors have different names and version identifiers for the same virus, so first look up the virus in the encyclopedia of the scanner's vendor for specific disinfection instructions:
Go to virus encyclopedias
8. To end a process (program) that won't terminate any other way, use Advanced Process Termination (freeware): www.diamondcs.com.au/index.php?page=products
9. Depending on the instructions in the virus encyclopedia for your scanner, it may be necessary to use auxiliary virus removal tools.
9.1 First, be sure to submit a copy of any malware that is not consistently detected or that doesn't behave as expected. Submit suspected malware.
9.2 If a removal tool is required, it is best to first try the tool of the scanner's vendor. If you need to use another AV maker's removal tool, use one of the multi-engine scanners here to find the name other vendors give the virus.
9.3 Read the complete write-up of the virus in the encyclopedia of the removal tool's vendor to find the disinfection instructions. In addition to running the scanner or removal tool, there may be a few manual steps required.
9.4 Generally, each removal tool will only detect and effectively remove the virus variants it says it will.
9.5 For very new virus versions, it may be advisable to wait half a day for the AV maker to update the removal tool.
Removal Tool Links
Microsoft Malicious Software Removal Tool
Panda & ActiveScan
PC-cillin & Housecall
10. In Windows XP and Me, to prevent important system files being deleted accidentally, System Restore makes backups of them and restores the backups if the original file goes missing.
To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore after the malware is deleted. (This is called "clearing the System Restore points.") To do this, turn System Restore off, wait 30 seconds and then turn System Restore back on.
Waiting until after cleaning to clear the System Restore points means that if there is a problem during cleaning, System Restore can be used to try to correct it.
The instructions on turning System Restore off and on are here:
Microsoft System Restore Instructions (KB 842839) --OR --
Symantec System Restore Instructions
11. If you removed any malware, reboot and repeat the scans that revealed it earlier. This is to make sure that the malware has not managed to reinstall itself.
If the malware did come back, use this sequence of actions:
a) Turn off System Restore
b) Repeat the cleaning procedure used earlier
c) Only then turn on System Restore
If the malware comes back a second time, it is likely that the malware is in multiple files, each of which will replace the others if they go missing. In that case, additional research into your malware is required before cleaning can be successful. Post fully describing your problem here: BBR Security Forum.
12. Re-secure your computer and accounts. The ideas in the following step-by-step guide are useful for cleaning any version of Windows: CERT Guide to Recovering from System Compromises
12.1 In particular, if private information is kept on or entered into the computer, and if the description of the malware uses the words or phrases "backdoor," "allows arbitrary code to be run" or "remote access trojan," and if it is likely that a hacker may have used the backdoor, strong consideration should be given to backing up data to be retained and then reformatting and reinstalling programs on the computer from trusted sources.
This is because a backdoor allows a hacker to make other changes that may reduce your security settings, but that are not readily detectable with current tools.
- After what kinds of viruses and trojans should one reformat and reinstall?
- Security Program Manager Microsoft Corporation: Help: I Got Hacked. Now What Do I Do?
12.2 If a keystroke logger or backdoor was detected, then hackers may have access to what was typed into your computer, including passwords, credit card numbers and account numbers.
12.2.1 Immediately cancel any credit cards used on the computer while the keystroke logger or backdoor may have been active and ask for replacements with new account numbers.
12.2.2 Using an uninfected computer, change any website and server passwords that were entered on the infected computer.
12.2.3 Depending on what information you have typed into your computer in the past, you may need to report a possible "identity theft."
13. Check that your anti-virus software is working again.
14. Go to How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach for tips on preventing re-infection.
In addition to a firewall and anti-virus scanner, SpywareBlaster and SpywareGuard will help keep malware off of your computer. Weekly scans by your anti-virus scanner, Spybot S&D, Ad-aware and Belarc Advisor will help detect malware that gets on your computer.
Remember to keep your operating system, security software and Internet-capable software up to date.
15. Feel free to post a question, or something you learn and want to pass on, in the BBR Security Forum, one topic per infected computer. (Please include the virus, symptom or filename as part of the subject line.) BBR Security Forum
16. Report the crime.
Reports of individual incidents help law enforcement prioritize their actions. With computer crimes, the total damages officially reported by all victims influences the criminal's sentence.
* Victims can report companies that distribute malware or that use fraud to get software installed to the FTC here.
* Victims can report malware incidents to the US DHS Computer Emergency Readiness Team (US-CERT) here.
17. Additional reference:
* Tutorial on Spybot S&D
* Tutorial on Ad-aware
* User-friendly registry editing tool, Registrar Lite
* HostsXpert: User-friendly tool for editing the "Hosts" file
* Microsoft Security Center
* Microsoft Knowledge Base: Info on messages and symptoms from MS products.
* MS DLL Help Database: Info on MS DLL, EXE and COM file versions.
* Eric Howe's excellent "Rogue/Suspect Anti-Spyware Products & Web Sites"
* How to find out what is using a port
* One way of removing Browser Help Objects
* BBR Security Forum FAQ on HijackThis!
* BBR FAQ on Adware and Spyware
* Other BBR Security Forum FAQs
* Virus hoaxes
* Webopedia encyclopedia of computer terminology
* What is the most efficient way to find information about computer security?
* US Computer Emergency Readiness Team (US CERT): for security alerts and tips, and reporting vulnerabilities.
* Internet Storm Center
* Internet Traffic Report
* The Internet Health Report
* PC World: Bigger Threats, Better Defense
* Subtram's Removal Tool Links. Please use the tools there only on the advice of an expert.
* Subtram's Useful Tool Download Page
* For any "MSVBVM60.DLL not found" message, click here to download the VB6 runtime library.
* How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach
* Terminating Spyware With Extreme Prejudice/Re-formatting & Re-installing
* When should I re-format? How should I reinstall?
The advice in this FAQ is general in nature. If you are a business or organization that depends on its computers, we recommend you also obtain the services of an IT security specialist to assist you.
Most recent changes:
29 July 2010 by Wildcatboy: Added the link to the mandatory steps for requesting Assistance in SCU.
19 Nov 2008 by CalamityJane: Fixed broken link for HostsXpert
20 Oct 2008 by CalamityJane: Removed Virus@cai.com from Malware Submission list: reported not working. Replaced with the current email submission address for Computer Associates: firstname.lastname@example.org (added to list)
30 July 2008 by Wildcatboy: Removed the reference to Malware Archive forum from the malware submission email form.
30 July 2008 by CalamityJane: Removed old/obsolete tools and references (CWShredder, AboutBuster, etc.); eliminated Step 4 re: AntiTrojan scanners (no longer needed) and renumbered steps accordingly; Updated URL & references for HostsXpert by FunkyToad.
04 July 2008 by CalamityJane: removed Mike@F-Prot.com from malware submission list - no longer valid
26 May 2008 by CalamityJane:
Changed Comodo submit email addy to: email@example.com
Removed F-Secure submit addy of: firstname.lastname@example.org due to emails bouncing reports
23 Nov 2007 by CalamityJane: Changed submit address for Comodo from email@example.com to: firstname.lastname@example.org
09 Oct 2007 by CalamityJane: Added to malware submit list: email@example.com
Revised download link and instructions for HijackThis (now owned by Trend-Micro)
04 Oct 2007 by CalamityJane:
Removed firstname.lastname@example.org from malware submit list due to bounces.
Removed AboutBuster from list of removal tools (obsolete and no longer supported)
03 April 2007 by CalamityJane:
Section 4 removed temporarily for revision. BOClean purchased by Comodo (to be re-released at a future date); Ewido purchased by AVG, now branded AVG Antispyware (instructions to be updated soon)
03 April 2007
by CalamityJane: Changed BOClean submissions email address from email@example.com to firstname.lastname@example.org
03 July 2006:
By CalamityJane: Added email@example.com to malware submission list
30 June 2006:
By CalamityJane: Added SpySweeper to malware submission list firstname.lastname@example.org
24 Jun 2006:
By CalamityJane: Added F-Prot to malware submission list; made changes for Ewido AntiSpyware v 4.0
By CalamityJane: Updated link for Trojan Hunter update and install
(thanks to amysheehan )
by Wildcatboy: Added email@example.com (Super Antispyware) to the Malware submission list
by CalamityJane: Added firstname.lastname@example.org (Microsoft Windows Defender) to the malware submit list
by Keith2468: For the Virus Submit list, added email@example.com
by CalamityJane: For the Virus Submit list, fixed two bad email addys:
firstname.lastname@example.org (changed to: email@example.com)
firstname.lastname@example.org (changed to: email@example.com)
by CalamityJane: Updated various URLs, programs, Security Cleanup Forum links
by Keith2468: Added a section on reporting the crime
by CalamityJane: Revised instructions for new AboutBuster v. 6.0
by CalamityJane: AboutBuster download URL updated (is now Malwarebytes.org)
by Wildcatboy: Removed TDS and a duplicate from the virus submission email list
by CalamityJane: Adjusted instructions for AboutBuster (new ver. 5.0); adjusted instructions for use of Ewido
Removed TDS discontinued
Added Ewido Security Suite
Updated Hoster URL in list of programs
Removed Tips on TDS
By Keith2468: Added table of contents links to improve navigation within this page. Updated various links to other sites
By Keith2468: Added link to Eric Howe's "Rogue/Suspect Anti-Spyware Products & Web Sites"
By Keith2468: Update to virus submission email list
By CalamityJane: Updated the URL for CWShredder (now owned by Trend-Micro)
Updated BOClean instructions; thanks, K McAleavey
Added VirusTotal.com as an alternative virus submission method.
Added link to "Terminating Spyware With Extreme Prejudice"