Scumware: Viruses, Spyware, Adware, Trojans, Worms, etc
Direhit
March 13th, 2003, 12:09 PM
This section is devoted to viruses, adware, spyware, and other such nuisances.
Direhit
March 13th, 2003, 12:47 PM
Q: I think my hard drive has been infected at the boot sector by a virus. Will formatting take care of it?
A: No! Formatting will not remove a boot sector virus. Although you may clean out the rest of the hard drive of all viruses, you'll just re-infect your drive after you boot up again.
There are two ways of clearing out a boot sector virus, if your antivirus software was unable to do so. I will explain it as simply as possible.
First, find a computer that you know is virus-free, and running DOS, Win 95, or Win 98, and make a bootable floppy by putting a floppy disk in the drive and typing the following (assuming your 3.5" 1.44 MB floppy drive is A: ) :
format a: /s
Then, copy over the fdisk.exe and sys.com (or it could be sys.exe) files to this floppy disk. Write protect this disk.
Physically shut down your computer (power off), and let it sit for a minute. Boot your computer from the floppy drive, and wait until you see the A:\ prompt. Type the following command:
fdisk /mbr
and this will reset your master boot record.
For those of you who, for some reason or another, can't find fdisk.exe on a PC, or don't know how to type fdisk (yes, there are some people here like that), you can accomplish the same thing by typing in this command instead, from the A:\ prompt after you have booted from the floppy disk:
sys c:
If you don't know how to boot from a floppy disk, there is one final method that you can use. You can physically remove the suspect hard drive from your system, and use it as a slave on another computer that has Norton Antivirus running on it. Do NOT boot from the infected hard drive; boot from the drive the computer normally boots from. Scan the disk thoroughly.
Remember, this only works if your operating system recognizes the filing system. Thus, a system running Win 95, 98, or ME, will not see a drive that has been formatted with NTFS, unless you somehow got a hold of third party program. Because the installation and configuration of that third party program is a pain, I will not say how to do this.
If the above suggestions seem like too much of a task, and you don't want to spend the time, then you'll have to spend the money to have a computer shop fix it for you, and that's no guarantee of you leaving your data intact. Let's face it: you can be either lazy or poor, and still have a working computer. You can't be both.
Note:
Using fdisk /mbr or sys c: also restores boot sectors that have boot managers on them, if you don't want to keep that boot manager. This is a common mistake of people who want to set up a dual boot system of Linux and Windows, where they accidentally install the Linux booter on the master boot record, and suddenly find that they can't boot Windows at all.
Direhit
March 13th, 2003, 12:47 PM
Q: Help! I think I have a virus, but I'm not sure. I want to get rid of it, but I am too much of a cheapskate to buy antivirus software, and nobody will give me a copy of theirs!
A: If you are a student, or someone connected with an academic institution in any way, shape, or form, you may be able to get a license for software such as Norton Antivirus or McAfee, for a very minimal fee or even for free. Ask the IT personnel. That's their job.
Otherwise, bite the bullet and buy the antivirus software, you would-be pirate... If you actually buy the software, you are putting your money to good use, as the company will have more funds available for research and development.
If you are that much of a cheapskate that you are unwilling to pay 19 dollars for a copy of Norton Antivirus, then I will suggest two possibilities:
1) You can go to ftp://ftp.f-secure.com/anti-virus/free/ and get f-prot for DOS. Download the files in that directory, and read the instructions. Make a clean bootable floppy disk (READ THIS THREAD! I HAVE ALREADY EXPLAINED HOW TO DO THIS!) and boot with it so you have a sterile environment. Then run the DOS-based software. If you have any complaints, talk to the folks at F-Secure. Because they are offering a free service, and because you are unappreciative of their generosity, my guess is that F-Secure gives a big F-You...
2) You can use Trend Micro's web-based scanning, although it's not nearly as thorough as the other, computer based, scans.
http://www.trendmicro.com/free_tools/
Click on "Scan your PC -- Free" and follow their instructions.
Another website that does web-based scanning:
http://kaspersky.com/
Click on "Online Virus Checker."
Direhit
March 13th, 2003, 12:48 PM
Q: I am getting bombarded / spammed with messages, some of which are ads, and others are just plain garbage. How do I turn off this feature?
A: From Incubus:
Disable the Messenger Service. Start -> run -> services.msc. Scroll down to the Messenger Service, right click -> properties -> Change start up type to 'disabled' and then stop the service (the button labelled stop).
It is a service that is built into windows to facilitate IT messages, but can easily be exploited by less than ethical individuals.
Direhit
March 13th, 2003, 12:54 PM
Q: What is Adware / Spyware and how do I get rid of it?
A: Adware and spyware are two different things that operate on the same principle. Basically both programs are data miners that invade your computer, and broadcast information back to a company.
Adware is generally less malicious, since it is "only" supposed to track things such as your web surfing habits, or what general types of programs you have on your system.
Spyware is more malicious, as it can harvest personal data stored on your computer, possibly even all of your passwords.
Both types of scumware invade your memory, your registry, as well as your hard drive.
Most of these forms of scumware will hijack your bandwidth to varying degrees. Some, such as Gator, are horrible, in that they will do this at a regular interval. If you've ever noticed your ping jumping from 50 ms to 500 ms on a regular, timed, basis, there's a significant chance you have Gator.exe on your system.
These bits of scumware can be removed by using various programs, such as Ad-Aware or Spybot Search and Destroy, both of which are free:
http://www.lavasoftusa.com for Ad-Aware
http://spybot.safer-networking.de/ for Spybot Search and Destroy
Whichever one you get, make SURE that you also update the definition files, just as you would with virus definitions. The makers of scumware are constantly finding ways to avoid detection.
Direhit
April 15th, 2003, 06:08 PM
Q: OK. I've just removed Gator and a bunch of other spyware / scumware from my system, and now Kazaa (or whatever installed it in the first place) won't work.
A: Some companies bundle Gator and similar pieces of scumware with their product. To avoid this, do not install Kazaa, and instead, use Kazaa-lite. Same features, but no spyware.
Direhit
May 7th, 2003, 03:52 PM
Q: My system has been infected with a virus, and I keep running scans with the latest definitions, and deleting the infected files. Why hasn't it gone away?
A: You are probably infected with a virus that needs a specific removal tool. Viruses such as Kakworm, CodeRed, or Nimda, require specific tools for their removal.
You can find all of the specific tools here:
http://www.sarc.com/avcenter/tools.list.html
You do not need to be running Norton's Antivirus to use these tools.
Direhit
May 7th, 2003, 03:59 PM
Q: I just did a system restore on my computer, and now my computer has been infected again. What happened?
A: What essentially happened, is that dormant copies of the virus were still hiding in the files used by the system restore tool employed by these operating systems.
When you are doing scans and removal for viruses on Windows Millennium Edition or XP, turn OFF system restoring options. Some viruses can bury themselves in this feature.
Direhit
June 4th, 2003, 12:32 PM
Q: I just installed Kazaa, and now my system is overrun with all sorts of popups and my browser has been hijacked. What happened?
A: Installing the full version of Kazaa results in you installing Gator on your system as well. Kazaa cannot function without the spyware known as Gator.
First, uninstall Kazaa, and then run AdAware and Spybot Search and Destroy. Get rid of all traces of Gator from your computer.
Secondly, if you must use Kazaa, get Kazaa-lite, which does not install the scumware known as Gator.
Direhit
July 1st, 2003, 12:33 PM
Q: My browser has just been hijacked by click2findnow, and every time I try to do something, this interferes with my regular surfing. What is this, and how do I get rid of it?
A: This is yet another piece of scumware that is very similar to Ilookup:
http://doxdesk.com/parasite/ILookup.html
Most of the time, multiple runs of Spybot Search and Destroy, with the latest definitions, will destroy it. If that doesn't work, then you can try doing some registry editing, as described above.
The best way, is to take your affected hard drive, hook it up to a computer that already has Spybot Search and Destroy, and scan that drive while it is not being used as a boot device. This way, the scumware never gets a chance to load up and hijack resources.
Another tool that may prove helpful is "Hijack This!"
http://www.spywareinfo.com/~merijn/downloads.html
The above link has several links to all sorts of useful tools.
If neither works, cut and paste your results to this site:
http://www.spywareinfo.com/forums/
There are many experts there that specialize in such removal, and they can help you.
Direhit
July 11th, 2003, 10:51 AM
Q: My system is normally very fast, but recently has slowed down to a crawl. I get terrible consistent choke in games, and at times, my system will literally grind to a halt. Could this be due to various items of scumware?
A: Yes. The above symptoms are usually seen when someone is infected with trojans and / or worms. Hijacking programs such as Gator.exe can also produce some of the above symptoms, although Gator will do this on occasion, and "spike" your system at times, instead of constantly stealing resources.
Direhit
July 29th, 2003, 02:43 PM
Q: I just scanned my system for viruses, and found several worms on my system. I removed the files, but my system is still getting re-infected. Why won't the antivirus tools work?
A: Many worms, such as the infamous KakWorm, bury themselves deeply in your registry, and others can hide in areas that escape detection by standard virus detection protocols.
You should find out what the name of the virus that you detected is.
http://www.sarc.com
Do a search on the virus name, and you should be able to find the appropriate removal tools and / or instructions needed to remove the worm once and for all.
Direhit
August 13th, 2003, 01:21 AM
Q: What is this WINMAIN.EXE doing? I see it running in my processes.
A: WINMAIN.EXE is a piece of scumware, sort of a trojan.
Read this:
http://www.nsclean.com/psc-htas.html
Direhit
August 30th, 2003, 01:04 PM
Q: Why do I keep getting Gator on my system? I have not installed Gator, nor have I installed any programs that would do such a thing.
A: The Gator company has been putting cookies on people's browsers fairly recently, in the same manner that other "less" intrusive companies (such as Valueclick, hitbox, etc) use. It's a data miner cookie, and not the fully malicious Gator program that has pestered many computer users. Now, what exactly they are harvesting can't be too good, considering the company's past.
At this time, continue to use the latest versions of Spybot Search and Destroy as well as Ad-Aware, to continually remove it, as the Gator folks are always refining their scumware to constantly avoid detection.
If you get a request window for Gator or one of their affiliates, the safest advice I can give, is to close IE entirely from your Task Manager. I wouldn't put it above them (or their partners in crime) to link their "no" button to a "yes" answer.
Also important: Update your Popup killing software, as some spyware (not just Gator) can actually trick older versions into automatically accepting their garbage.
Direhit
August 30th, 2003, 01:10 PM
Q: Hey! I did NOT request that Hotbar be installed on my computer in any way, shape, or form, and yet, it's automatically installing itself on my system! What gives?
A: See the above post, regarding the Gator garbage. Hotbar is doing the same thing, and sneaking in "allow install" code without the user's permission.
Update your popup killing software, and get the latest versions and reference files for Spybot Search and Destroy as well as Ad-Aware. Remember, it's generally best to use both scanners.
Direhit
August 30th, 2003, 01:13 PM
Q: Is there any legal action I can take against the Gator Corporation?
A: Possibly.
http://www.classactionamerica.com/misc/contactUs.asp
The more, the merrier.
Direhit
September 22nd, 2003, 11:10 AM
Q: Every time I run Adaware / Spybot S&D on a freshly formatted system, or a freshly patched system, it finds "Alexa." What is this?
A: Alexa is a registry key that basically points your browser to a local web page installed on your system, or to msn.com. As long as you haven't installed any Alexa extras, such as those found in Microsoft IE accessories, then it really doesn't do any spying on you.
It's all a moot point anyways, since you can safely remove Alexa and not have to worry about compromising system stability. The only people who will probably lose some functionality are those who use the "Show Related" functions of IE.
Direhit
October 10th, 2003, 12:15 PM
Q: Do you have any links with information to various forms of spyware / adware / thiefware?
A: As always, this is under construction. For now...
http://www.thiefware.com/
http://www.cexx.org/
Direhit
November 3rd, 2003, 10:30 AM
Q: I have some instances of GMT.EXE running on my system, and occasionally, I get errors related to GMT.EXE. Is this file necessary?
A: GMT.EXE is NOT part of your Windows operating system. It's yet another pile of dung that the Gator company is trying to disguise.
http://cexx.org/gator.htm
First, update your Ad-Aware reference files, since the Gator company is constantly refining their scumware to evade detection.
Secondly, get Spybot Search and Destroy, update the reference files, and do a full scan. Both Ad-Aware and Spybot Search and Destroy are good tools to use one after another, since each can detect certain things that the other might miss.
Direhit
December 16th, 2003, 11:43 AM
Q: My browser has been hijacked by iLookup.com. Are there any easy ways of removing this garbage?
A: Norton Antivirus now removes the hijacking components, but you should also unregister the related .DLL garbage that the hijacking software registered.
iLookup.com has several names:
i-lookup.com
globalwebsearch.com
superwebsearch.com
traffichog.com
searchbus.com
globaltoolbar.com
You can now use Norton Antivirus to remove it.
http://securityresponse.symantec.com/avcenter/venc/data/adware.ilookup.html
Direhit
February 11th, 2004, 12:01 AM
Q: I keep getting a popup called "Sticky-stay." I did not install anything, I can't get rid of it. What's going on?
A: Even if you didn't install anything, these days, there's a new form of scumware that buries itself deeply into your system.
Beware of any site redirecting you to something that has uchase.com listed. Getting redirected to this site will automatically open up your system for attack by Sticky-Stay.
As a result, you'll probably see a window that says "Inbox: http://w w w .u c h a s e .c o m /e xi t/ st ic ky /s t ay. h t m l" (I've intentionally crippled the link to prevent some of you from accidentally clicking on it) and you will suddenly find that you can't right click (this piece of scumware disables right click).
This is going to then send popup ads to your system every minute, or so, and the "Inbox" window listed above, will constantly resize itself, going from a 600x400 sized window, to a 25x25 sized window as your mouse cursor gets close to it. Nasty, isn't it?
Many of these popup ads will be pornographic-related, and it certainly won't look good if you're browsing from school.
Now, how to get rid of it:
I would imagine, that after some time (this crap just came out), Ad-Aware / Spybot Search and Destroy will be able to get rid of it, but in the meantime, you may have to do this manually.
First, and foremost, open up your task manager, and manually shut down anything related to sticky stay.
Get CWShredder and run it:
http://209.133.47.200/~merijn/files/CWShredder.exe
or
http://www.spywareinfo.com/~merijn/downloads.html
Then, download Rapidblaster Killer:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html#removal
Run this as well.
Then do a Regedit, and do a search for anything related to the term "uchase"
I'll have more info on this later.
Direhit
March 18th, 2004, 11:11 AM
Q: Why is my system freezing when I try to download the updates to Spybot Search and Destroy?
A: Many people in North America may experience this problem when trying to download from the European server that is set as the default.
Change the download server to one of the USA-based ones.
Direhit
March 19th, 2004, 02:40 PM
Q: Why am I getting this error message that says something about "Bridge.dll" whenever I first login?
A: Bridge.dll is a piece of scumware. It's a nasty parasite, and invades your system deeply.
http://www.pestpatrol.com/pestinfo/w/winfavorites_bridge.asp
You should read this:
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html
and follow the EXACT instructions listed. This includes doing the registry fix, otherwise you won't be rid of it.
Basically, you need to find this key in your registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
and delete it.
Then, find this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete only the value in the right pane of the window that says:
"Systray"="<the full path of the adware program>"
Then find this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\bridge
and delete it.
Direhit
May 18th, 2004, 12:04 PM
Q: What are these "Browser Helper Objects?" Are these something I should remove?
A: It depends. Browser Helper Objects are basically small programs that run every time you first run your browser. Most of them are harmless, but lately, many unscrupulous scumware companies are using them as exploits.
I would suggest using BHO Demon to check your system, and remove the ones you don't want:
http://www.definitivesolutions.com/bhodemon.htm
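An added example, not from the thread or from any of the tools it mentions: a PowerShell script that inventories the Browser Helper Objects key discussed in the last two posts, resolves each CLSID to the DLL that implements it, and flags the Bridge.dll CLSID and the "Systray" Run value named in the Bridge.dll post. It assumes a current Windows PowerShell with the registry providers available; the function names are my own.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell
# prompt. It reports; it does not delete anything unless you uncomment the
# Remove-Item line at the bottom, which mirrors the manual step in the thread.

# CLSID the thread lists for the Bridge.dll / WinFavorites BHO.
$KnownBadClsids = @('{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}')

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-BhoInventory {
    # Each subkey under the BHO key is a CLSID. The DLL Internet Explorer loads
    # for it is the default value of HKCR\CLSID\<clsid>\InprocServer32.
    if (-not (Test-Path $BhoKey)) { return @() }
    Get-ChildItem -Path $BhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty -Path $server).'(default)' }
        $exists = $false
        if ($dll) {
            $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            DllExists = $exists            # a missing DLL is a leftover worth cleaning
            KnownBad  = ($KnownBadClsids -contains $clsid)
        }
    }
}

function Get-RunValues {
    # Lists every value under the machine-wide Run key, flagging the value name
    # the thread attributes to the adware ("Systray"). Name-based only: inspect
    # the command path before acting on a hit.
    if (-not (Test-Path $RunKey)) { return @() }
    (Get-ItemProperty -Path $RunKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Command = $_.Value
                Flagged = ($_.Name -eq 'Systray')
            }
        }
}

$bhos = Get-BhoInventory
$bhos | Format-Table -AutoSize
$bhos | Where-Object { $_.KnownBad -or -not $_.DllExists } | ForEach-Object {
    Write-Warning "Review BHO $($_.Clsid) -> $($_.Dll)"
}
Get-RunValues | Where-Object Flagged | ForEach-Object {
    Write-Warning "Run value '$($_.Name)' = $($_.Command)"
}

# Manual removal step from the thread, for a CLSID you have confirmed is bad:
# Remove-Item -Path "$BhoKey\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}" -Recurse
```

Export the keys with reg export before deleting anything, so a mistaken removal can be reversed.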
Direhit
August 16th, 2004, 11:22 AM
Q: Why won't my Ad-Aware or Spybot program update anymore? I haven't seen any updates from them in weeks.
A: You are using an old version of the software. Spybot Search and Destroy is now up to v1.3, while Ad-Aware is now at Ad-aware SE.
You can download the latest version from:
http://www.download.com