Help! I think I have a virus!
Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)
Translated versions available in Dutch and French.
Contributed by: Frederic Bonroy, Andrew Lee and Brian J Goggin
You have probably come to this page because your computer is not working properly. You
may have heard that things named computer viruses can cause computers to act abnormally,
and now you think you have a virus. Before you go ahead...
Do NOT panic!!
This is very important. Having a virus basically means that there is a program
on your computer that doesn't belong there. It's this simple, so really there
is no need to panic. In fact, a panicking user can be much more dangerous than
any virus! Users often cause more damage while attempting to exterminate a virus
than the virus itself could ever have caused.
Panic may cause a user to do two very silly things: formatting and using FDisk.
Formatting
You may have overheard rumors according to which there is an infallible method to
get rid of a virus, namely formatting. Formatting is a process that effectively
removes all data stored on a medium (although that is not its actual purpose),
including any virus.
Well, don't fall for this myth. It's not always true. In fact, it may work,
but formatting is generally a bad idea for several reasons:
- Formatting is in most cases absolutely unnecessary. Most viruses can be removed quite easily.
- Formatting and reinstalling the operating system and all applications is time consuming.
- Data loss will occur if you forget to back up your data before wiping everything.
- Formatting may remove everything except the virus: a boot sector virus living in the MBR, for instance, survives an ordinary format because the MBR lies outside the partition being formatted.
FDisk
Some of you may even have heard about a miraculous tool named Fdisk (generally
in connection with so-called "boot sector viruses" or the MBR). The MBR is
a small sector on your hard disk that contains a small program and partition information.
The truth about Fdisk is that it can be useful, but its use can also result in data loss.
If you don't know exactly which virus you are dealing with, Fdisk can be
very destructive!! Fdisk is definitely not an anti-virus tool, so don't use it.
So, now that you know what you should not do, here is what you should do:
1. Distinguish between a virus and a "normal" hardware or software problem.
The word "virus" comes to the mind of many users when their computer behaves abnormally.
In most cases, however, viruses are not at the root of the problem. Chasing a virus that
isn't there is obviously pointless.
The following list contains symptoms that may indicate the presence of a virus.
Note that I said "may"! None of these symptoms definitely indicates virus activity!
- The system slows down.
- The operating system or applications display unusual error messages.
- Weird messages pop up (greetings, insults, etc.)
- You notice uncommon graphic effects on the screen.
- Frequent data loss occurs.
- Frequent program crashes. Programs crash from time to time anyway, but if applications begin
to crash excessively often, you should become suspicious.
- The operating system or regular applications refuse to start.
Finally, the most reliable symptom is: Your virus scanner reports a virus!
(If it turns out not to be a virus, there are thousands of *newsgroups
where you can ask for help. Consult the manual or online help of your newsreader
to find out how to obtain a list of available newsgroups and how to subscribe to them.
While you are at it, you should also carefully peruse Netiquette guidelines
and read the FAQ of the newsgroup before posting a question.)
*A short list of helpful newsgroups:
- alt.comp.periphs.* hierarchy
- alt.comp.hardware.overclocking
- microsoft.public.win95.*
- microsoft.public.win98.*
- microsoft.public.windowsme.*
- microsoft.public.win2000.*
- microsoft.public.windows.inetexplorer.*
- many, many more
2. Identify the virus
If you know that you have a virus because your scanner told you,
note down the exact name of the virus. This is important because various
kinds of viruses exist and they require different removal methods. Even
viruses from the same family may demand different disinfection approaches!
If you haven't run a virus scanner, do it now.
2.1 The virus scanner reports the "Eicar" virus
A virus named "Eicar" does not exist. Your virus scanner has simply
stumbled across what is called the Eicar Anti-virus test file. It enables people to
test whether their virus scanner is working correctly. Obviously yours does.
The file is harmless and you can delete it. Go to the following web page for more
information:
http://www.eicar.org/anti_virus_test_file.htm
2.2 The virus scanner reports the "Bloodhound" virus
A virus named "Bloodhound" does not exist. "Bloodhound"
is the name of the heuristic engine of Norton Antivirus (which you are most likely
using if you got this message). The heuristic engine is the part of the virus
scanner that tries to detect unknown viruses based on a set of rules.
The Bloodhound alert indicates that Norton has possibly found an unknown virus. Refer to paragraph 2.3.
2.3 The virus scanner reports an unknown virus
Today's scanners are capable of detecting some unknown viruses (not all of them of
course). This technology is called "heuristics" and while it can be very
useful, it also tends to produce false alarms. In order to determine whether you
are dealing with a real virus or a false alarm, several factors must be taken into
consideration:
- Is the virus scanner up-to-date?
An "unknown" virus detected by a scanner that is already several
months old is very probably not unknown anymore. Update your scanner
(both the scanning engine itself and the virus definition files) and scan the file
again. A known virus is much easier to deal with than an unknown virus.
If it's a false alarm, the scanner manufacturer may already have corrected
the problem.
- Is the virus scanner too aggressive?
Some scanners enable you to specify the sensitivity level of the heuristic
engine. It determines how aggressively the virus scanner searches for unknown
viruses. If it's too high, you might be swamped with alerts and it will be
difficult to filter out the "serious" alerts.
Note that it is NOT a good idea to deem a file to be clean just because
it's no longer reported as being infected when you decrease the sensitivity!
- Can the supposedly infected file contain virus code?
Heuristics combined with a full scan of all files regardless of their type or extension is
rarely a good idea. The scanner will certainly report files as infected although those
files cannot even contain viruses (.bmp, .jpg, .wav, etc.).
Beware of double extensions!
(A file can have more than one extension. The last extension always determines the file
type, but Windows does not show it by default if the file type is known to Windows. This
means that a file named hello.txt.exe, for instance, will be displayed as hello.txt. It
appears to be a harmless text file although it's in fact an executable program which could
contain a virus.)
- Is it a legitimate program?
Disk formatting tools and similar types of programs might be reported as infected
because they contain potentially dangerous code.
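The double-extension trick above can be checked mechanically. The following Python script is an added example, not code from the original page: it mimics how Explorer hides a known final extension and flags names whose displayed extension looks harmless while the real (last) extension is executable. The two extension sets are constructed illustrative subsets, not the real Windows list of known types.

```python
import os

# Constructed, illustrative subsets for this example; the real list of
# "known" file types lives in the Windows registry and is far longer.
KNOWN_EXTENSIONS = {".txt", ".jpg", ".bmp", ".wav", ".doc", ".exe",
                    ".com", ".scr", ".pif", ".bat", ".vbs"}
# Extensions that make Windows run the file as a program when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat",
                         ".cmd", ".vbs", ".js"}


def real_extension(filename):
    """The last extension decides the file type, whatever Explorer shows."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename):
    """Approximate Explorer with "Hide extensions for known file types" on:
    only the final extension is hidden, and only when Windows knows it."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTENSIONS else filename


def looks_deceptive(filename):
    """True when the name the user sees ends in a harmless-looking extension
    (e.g. .txt) while the real, hidden extension is executable."""
    real = real_extension(filename)
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return (real in EXECUTABLE_EXTENSIONS
            and shown_ext != ""
            and shown_ext not in EXECUTABLE_EXTENSIONS)


def triage(filenames):
    """Return (name, what Explorer shows, real type, deceptive?) per file."""
    return [(n, displayed_name(n), real_extension(n), looks_deceptive(n))
            for n in filenames]


if __name__ == "__main__":
    # Constructed sample names, not files from any real incident.
    sample = ["hello.txt.exe", "photo.jpg.scr", "report.doc",
              "setup.exe", "archive.tar.gz", "notes.txt"]
    for name, shown, real, bad in triage(sample):
        flag = "SUSPICIOUS" if bad else "ok"
        print(f"{name:18} shown as {shown:15} real type {real or '(none)':7} {flag}")
```

Names such as setup.exe are not flagged: a plain executable is honest about what it is, and the point here is only the mismatch between what is shown and what will run.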
If you simply want to know whether a file is infected, your best option is to send the
file to a virus lab. This is a list of email addresses:
A few notes:
- Send the file to as many virus labs as you want, but don't forget to send it to the company
that produces the scanner that reports the unknown virus.
- Before sending a file, take a look at the web site of the virus lab. There might be more
specific instructions. For example, some virus labs want you to submit the file in a
password-protected archive.
- Do NOT open or run the file until you receive the confirmation that it is clean.
- There have been reports of the Symantec virus lab reporting a file as being clean and then
revoking this declaration later. So it's maybe a good idea to send the file to another
virus lab as well and not trust Symantec too much.
2.4 Different virus scanners disagree on whether a file is infected
Make sure that both scanners are up-to-date. Submit the file to the respective virus labs
for analysis if the problem persists after having updated both scanners.
2.5 Different virus scanners find different viruses
Different anti-virus producers may have given the same virus different names (this happens
often!). Compare the descriptions of the two viruses in the virus encyclopedias of the
scanner producers. You can also search for the virus name in the VGrep database
(http://www.virusbtn.com/VGrep). Note that it has not been updated in a while.
If the descriptions or names do not match, submit the file for analysis.
2.6 The scanner reports a virus in memory
Many viruses stay active in memory once they have been executed. This
enables them to infect other files whenever they are accessed.
Since most viruses try to remain undetected to be more successful
they can sometimes interfere with your anti-virus program, by somehow
bypassing it, or even disabling it. Viruses that hide themselves are called
"stealth" viruses. Some of them will even remove themselves from a file before
the scanner opens it, and then reinfect that file again after the scanner has
examined it!
Because of this, it's not a good idea to attempt to clean files while
a virus is active in memory. You could easily end up with more infected files.
There are a few things you should consider if your scanner finds
a virus in memory:
- Make sure that there is really a virus in memory. Please note that it
is not absolutely necessary to follow the instructions in the next
2 paragraphs. You may safely skip them. They are here only for the
sake of completeness; if they confuse you then please ignore them.
You may have a false alarm. One possible (although unlikely) source of
false alarms is running two virus scanners in succession. The first one may
leave unencrypted virus scan strings (short, harmless sequences of virus code
used to detect and identify viruses) in memory, triggering an alert with
the second scanner.
Note that this is possible, but it will only occur with older or badly
written scanners; most modern scanners now use more reliable techniques.
To check for a false alarm, exit the anti-virus program and run it again.
If you are running a DOS scanner in a DOS box under Windows, close the DOS
box, open another instance and run the scanner again.
You can also consult the description of the virus in a virus encyclopedia
to see whether the virus resides in memory.
If you still have doubts, assume that there is a virus and read on.
- Some scanners claim to be able to disinfect viruses in memory, and
they may even succeed in doing so, but it is generally highly
recommended that you first make sure that there is no virus in memory
before you attempt to clean your computer.
The only way to ensure that there are no viruses in memory is to boot from
a clean boot disk (usually a floppy disk) and to run a DOS anti-virus scanner
from there. It is recommended that you do this in all cases where you
suspect a memory resident virus.
To check whether you have a virus in memory that is hiding itself from
your (Windows) scanner, you should boot from a clean boot disk and run
a DOS scanner.
Do this whenever you suspect an active virus infection. It's not
necessary if you merely want to scan files you just downloaded or
for routine scans.
2.7 The scanner reports multiple infections
In some cases a file can be infected with one virus, and then another virus
may infect that resultant file. In this situation (or in any situation where an
executable is infected), it is highly recommended to delete the infected file
and then restore from a backup.
If it isn't possible to restore the file from a backup, you can certainly
try to disinfect these files. However, you should always run another scan if you
have disinfected a file with an anti-virus program. This is to ensure your machine
has been disinfected and that there are no viruses remaining as a result of this problem.
AVP/KAV is particularly good at disinfecting this type of multiple infection.
* You should note that disinfecting files can sometimes cause your
machine to become unstable.
3. Gather information
Get to know the enemy. Search for the virus name in a virus encyclopedia. It's always
good to know what your virus does and what it does not do.
The virus description may also provide removal tips and precious advice which you
should heed.
If your virus scanner offers the option to disinfect the virus and it does so
successfully, you may want to skip this step.
4. Locate the virus
It is generally recommended to replace infected files with clean copies. This means:
delete infected files and reinstall the affected application, or restore the infected
file from a backup. You do regularly create backups of your data, don't you?
So ask your scanner to scan all drives and to create a report file. That file
will contain the names of the infected files.
Please note:
- If you just received the infected file via email or
on a floppy and you have not yet opened it, then you are safe.
If it came on a floppy, simply do not open it. If it came via
email, delete the message to which the infected file was attached
both from the incoming mail folder and from the trash folder.
Then let your email application compact/purge folders. Your email
program certainly provides a corresponding menu item or compacts
folders automatically when you exit the application.
- If your on-access scanner reports the virus (the scanner which is
constantly monitoring your system in the background), then it will
probably deny access to the infected file or message. Disable the
scanner first, but do not forget to enable it right after you have
deleted the infected item.
5. Remove the virus
If you are able to delete and replace infected files, do it. It's a better option
than disinfection, which amounts to separating and deleting the virus code from the
infected item.
Disinfection may or may not work. There is no guarantee that the virus will be really
gone, or that the application will still work correctly afterwards.
Of course, if you can't replace infected files, let the scanner attempt
to disinfect them.
Note that for some viruses, it's not enough to simply clean infected files.
You may have to delete entries from the registry or delete virus-related files.
(The registry is a huge database where Windows and applications store their
configuration information. There is a program on your computer named Regedit
which allows you to manipulate the registry.)
Instructions for manual removal of such viruses exist. Search the web sites of
anti-virus producers or ask for them in the newsgroup alt.comp.virus.
A virus description (see Step 3) should tell you whether that is necessary.
The virus scanner reports that it can't disinfect an infected file!
There can be two reasons why your scanner is unable to disinfect an infected file.
- The file is currently in use and is therefore locked. This means that an application is
using the infected file, so Windows will not allow you to access it at the same time. In
this case you must terminate the application that uses the file and try again. Very often,
Windows itself is the culprit. The only solution is to boot to DOS and to use a DOS virus
scanner. Wsock32.dll is a famous example of a file that cannot be cleaned by a Windows
scanner.
- The virus has destroyed the file. Overwriting viruses overwrite part of the file, making
it impossible for an anti-virus program to restore the original content. You must delete
the file and replace it with a clean copy.
6. Verify that the virus is gone
You think you have successfully exterminated the beast? Good! Nevertheless,
you should make sure it's really gone. Some viruses are stubborn and won't refrain
from anything to achieve their goal, which is to stay on your computer and to
spread to other computers.
Run a virus scanner, or better, run two virus scanners (make sure they are both
up-to-date!) and pray that they don't find anything. You should also scan floppy disks
and CD-ROMs. Notify people with whom you have shared data that you had a virus and tell
them to watch out. Even a simple email you sent those people while the virus was active
is enough of a reason to inform them!
7. Make sure it doesn't happen again
Removing a virus is good, but not contracting it in the first place
is best. Read and heed the Safe Hex rules which you can find here:
http://www.claymania.com/safe-hex.html
Take into consideration that you indirectly jeopardize other people's valuable
data if you behave carelessly, because viruses spread!
© Claymania Creations 2001 - 2008. All rights reserved.
Updated: May 25, 2002