(This is part one of a multi part tutorial.)
Having problems with Task Manager, Regedit, Msconfig, etc. not opening? Can't run a virus scan or update your .dat files? This seems to be a fairly common problem these days. There could be a variety of explanations, but most likely you have a virus / trojan infecting your machine. Many viruses / trojans / malware deliberately disable or block the tools that would find and remove them, so the fact that those tools won't run is itself a symptom. This is now your problem.
(*note – Before proceeding (provided you are not reading this from the infected computer), disconnect all internet connections, particularly if you are on broadband or DSL. An active connection may allow a malicious user to do additional damage to your machine while you are reading. Reconnect only when instructed to do so. In fact it is a best practice, to immediately disconnect your computer from the internet any time you suspect or determine that you have a virus until you can get it cleaned or get advice from an expert.)
How can I avoid this? (Top dozen)
Let me start with some best practices:
- If you don't have one already, install and religiously use a good Anti-Virus program such as Symantec's Norton http://symantec.com/ or McAfee http://mcafee.com/us/ . Religiously update the dat files and run scheduled weekly (or daily) scans.
- Make sure Realtime scanning is enabled. A Firewall is a definite plus.
- If you can't afford a commercial antivirus product, use a free scanner such as TrendMicro http://www.trendmicro.com/en/home/us/enterprise.htm or Grisoft http://www.grisoft.com/doc/1 on a regular basis.
- Don't trust pop-ups that tell you that you may have spyware on your machine. Most of these are money making schemes designed to get you to buy their removal product, which in some cases also contain adware and spyware. For a list of those to avoid see here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
- Make back-ups of your most essential files frequently by whatever means you have available, i.e. Tape, CD, DVD, USB Drives, Ghost programs, etc. You never know when you'll have to reformat and start from scratch and without current backups of your essential files, you're basically screwed. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.
- Uninstall and quit using P2P networking proggies like Kazaa and Limewire. These are your most likely weakest links if you're using them. Primarily most stuff transferred is illegally obtained and if you won't give it up -- suck it up and pay the consequences.
- Install and regularly use anti-spyware removal tools such as Adaware and Spybot S&D.
- Don't give access to your computer to friends / family who appear to be clueless about what they are doing. Otherwise you'll come home from school / work one day and your computer will be trashed.
- Many "free" online games come bundled with adware / spyware and simply won't work without them. If you have Wild Tangent installed on your computer you are already a victim.
- Don't install Weather Bug. If you want a free weather service install the Weather Channel version instead.
- When in doubt -- don't download it and don't install it until you've researched it. You are always welcome to ask OZZU about questionable programs for advice.
Back to the topic at hand.
I can't run Virus scans or do Updates
Chances are your hosts file has been hijacked and modified. The hosts file maps host names to IP addresses, and Windows consults it before it asks a DNS server, for every program on the machine, not just your browser. Normally nobody touches it except experienced users. On a clean Windows install the only entry in it is 127.0.0.1 localhost. 127.0.0.1 is your own machine, so any host name listed next to 127.0.0.1 is redirected to your own computer and that site becomes unreachable (for example, a line reading 127.0.0.1 www.google.com would make your browser look for Google on your own machine and fail; note that hosts entries are bare host names, never full URLs with http:// in front). What many newer viruses / trojans do is add lines like that for the update and download sites of most recognized antivirus proggies, so your scanner cannot fetch definition updates and you cannot reach the vendor's online scanner. The file is located in c:\WINDOWS\system32\drivers\etc or c:\WINNT\system32\drivers\etc (depending on what version of Windows you use), is named hosts, and has no file extension. You can open and edit it with Notepad, but to see it in the Open dialog you must select "All Files" from the file type dropdown instead of Text Documents (*.txt). If the file contains anything other than 127.0.0.1 localhost that you didn't add there yourself, delete the extra lines and save the file. Be sure to scroll all the way down: some viruses put their entries after dozens of blank lines so they are out of sight, and look hard at any line that is not a plain host name (anything containing http:// does not belong there). When you save, use File | Save. Don't use "Save As" unless you again pick "All Files" as the type, otherwise Notepad appends .txt and the file stops working. If Notepad refuses to save, the virus has probably marked the file read-only; clear that in the file's Properties and try again. Afterwards run ipconfig /flushdns from a command prompt so Windows doesn't keep using a cached answer from the old file. *note the hosts file in system32\drivers\etc is not the same as hosts.ics or lmhosts.sam. Do not confuse them.
Once you have edited this file (without rebooting: some infections rewrite the hosts file at every start, so a reboot may undo your work) there is a good chance you can now update your virus protection files, or at least run an online scan. It doesn't completely fix the problem, but at least it's a start. Your best practice is to get a dat update for your virus protection, then reboot into Safe Mode and run a full scan there, where most infections are not running. If you have configuration options available, configure your virus protection to first "clean" infected files, and as a second option "delete". In my opinion Quarantine is of little use for a home user: why would you want to leave a virus on your machine? Get rid of it from the start. (Its one genuine advantage is that a legitimate file the scanner flagged by mistake can be restored, so if you are not sure a detection is real, quarantine first and delete once you are.) Your virus protection may or may not find anything, depending on how new the virus is and how up-to-date your anti-virus definition files are.
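Here is an added example (mine, not part of the original tutorial) that does the hosts-file check above for you: it reads a hosts file, skips the one legitimate 127.0.0.1 localhost line and anything you list as your own, flags entries that point antivirus or update sites at loopback or some other address, flags entries hidden behind a long run of blank lines, flags "host names" that are really URLs, and can write out a cleaned copy. The list of protected vendor domains is a constructed sample and the HIDDEN_GAP threshold is an assumption; both are things to tune for the products you actually use. The sample hosts file embedded in it is made up for the demonstration.

```python
"""Audit and clean a Windows hosts file for hijacked entries.

Added example for this tutorial (not code from the original post).
The list of protected domains is a constructed sample, and the HIDDEN_GAP
threshold is an assumption; tune both for the products you actually use.
"""
import re
import sys

# Update/download sites an infection typically blocks. Constructed sample:
# add the hosts your own scanner and update mechanism contact.
PROTECTED_SUFFIXES = (
    "symantec.com", "norton.com", "mcafee.com", "trendmicro.com",
    "grisoft.com", "windowsupdate.com", "microsoft.com",
    "spybot.info", "lavasoft.com",
)

# The only entry a clean Windows install ships with.
LEGIT = frozenset({("127.0.0.1", "localhost")})

# A run of at least this many blank/comment lines in front of an entry is the
# "scroll all the way down" trick the tutorial warns about (assumed threshold).
HIDDEN_GAP = 10

LOOPBACK = re.compile(r"^127(\.\d{1,3}){3}$")


def parse_hosts(text):
    """Return (lineno, ip, hostname, gap) for every mapping in the file.

    gap is the number of blank or comment-only lines immediately before
    the entry. Trailing comments are stripped, host names lower-cased.
    """
    entries, gap = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            gap += 1
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((lineno, ip, name.lower(), gap))
        gap = 0
    return entries


def is_protected(hostname):
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def audit_hosts(text, allow=frozenset()):
    """List (lineno, ip, hostname, reason) for entries that need attention.

    allow holds (ip, hostname) pairs you added yourself and want kept.
    """
    findings = []
    for lineno, ip, host, gap in parse_hosts(text):
        if (ip, host) in LEGIT or (ip, host) in allow:
            continue
        reasons = []
        if "://" in host or "/" in host:
            reasons.append("URL syntax instead of a host name: planted or malformed")
        elif is_protected(host):
            target = "loopback" if LOOPBACK.match(ip) else ip
            reasons.append(f"security/update site redirected to {target}")
        if gap >= HIDDEN_GAP:
            reasons.append(f"hidden below {gap} blank lines")
        if not reasons:
            reasons.append("unexpected entry; keep only if you added it")
        findings.append((lineno, ip, host, "; ".join(reasons)))
    return findings


def clean_hosts(text, allow=frozenset()):
    """Rebuild the file with comments, the localhost line and allowed entries only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue                      # drop the blank-line padding
        if stripped.startswith("#"):
            kept.append(raw)              # keep Microsoft's header comments
            continue
        ip, *names = raw.split("#", 1)[0].split()
        if all((ip, n.lower()) in LEGIT or (ip, n.lower()) in allow for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample of a hijacked hosts file (not a real capture).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       Localhost\n"
    "192.168.1.10    fileserver   # my NAS, added by hand\n"
    "127.0.0.1       www.symantec.com\n"
    "127.0.0.1       liveupdate.symantec.com\n"
    + "\n" * 40
    + "127.0.0.1       update.microsoft.com\n"
    "10.0.0.5        www.grisoft.com\n"
    "127.0.0.1       http://www.mcafee.com\n"
)

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the sample is
    # audited. The path can be the copy on a mapped drive, for example
    # Z:\WINDOWS\system32\drivers\etc\hosts (assumed drive letter).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, host, reason in audit_hosts(text):
        print(f"line {lineno}: {ip} {host}  <- {reason}")
```

Run it against the sample and it reports the two Symantec lines, the Microsoft update line buried under forty blank lines, the Grisoft line pointed at a foreign address, and the McAfee "entry" that is a URL, while the fileserver line you pass in as your own is left alone. Whatever you keep, clean_hosts writes the file without the padding, so the next hijack attempt has nowhere to hide below the fold.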
I've edited my Hosts file, but my virus protection still won't run.
Many users today are running their computers on a home network. If your computer is networked with others, then you may have some easier solutions than others. One of the benefits of being networked is that you can connect to your problem machine from another unaffected computer on the network and run virus scans via the clean machine. For those of you who are experienced with networking, simply map a drive to the administrative share (c$) on the infected computer and use your virus scanner to scan the mapped drive. If you already know how to do this, then skip the next part of these instructions. If you are clueless about what I just said, read on.
Being networked allows you to share files and view files and directories between machines. Windows NT, Windows 2000 and Windows XP come with a built-in "Administrative Share" (C$, D$ and so on) for each drive on the machine. Two catches: on Windows XP Home Edition these shares cannot be reached over the network (every remote logon is forced to Guest), and on XP Professional the same happens until you turn off "Use simple file sharing" under Folder Options | View. Here's how to connect from one machine to another if you don't know how. Make sure both machines are booted into Windows and you are logged in as Administrator on each, with a password set (XP refuses network logons to accounts with a blank password). You will need to know the Computer Name of the infected computer. If you don't know the name, right click My Computer and select Properties. Go to the Computer Name tab and note the Full Computer Name.
If you have disconnected your network from internet access as previously instructed, temporarily reconnect and update the virus definition files on the uninfected machine you are going to use. Then disconnect from the internet again.
Open Windows Explorer and select Tools | Map Network Drive. In the dialog box, uncheck "Reconnect at logon". Choose whatever drive letter you would like to use and in the Folder box type \\machinename\c$ (replace "machinename" with the name of your infected computer). Click the link "Connect using a different user name". In the User name box type machinename\username (replace "machinename" with the name of the infected computer and "username" with an administrative user on the infected computer). In the Password box type that user's password. Click OK, then Finish. This should open an Explorer window showing the contents of the C drive on the infected computer.
Open your virus scan program on the clean computer and run a full scan on the drive letter you chose for the mapped drive, choosing the option to delete infected files if it has one. This scans the files on the infected computer's disk much as a scan run on that machine would, and with the advantage that the scanner itself is not being sabotaged. Two limits to be aware of: the scan only sees what the infected copy of Windows hands out over the network, so a rootkit that hides its files from Windows hides them from the share as well, and a file that is currently running on the infected machine may refuse to be deleted over the network until that machine is rebooted (booting it into Safe Mode first, so less is running, helps with both). Delete any virus files the scan detects, and keep the clean machine's real-time protection switched on while you do it.
Reboot the infected machine. Hopefully this has solved the bulk of your problems. If not (or if you are not networked and can't follow these steps) head on to part two.
This concludes part one of this tutorial. You'll have to forgive me, but given time constraints it may take me a few days before I can finish part two. Hopefully this section will be enough to at least get you closer to having a working computer again. If you need additional assistance please post for help in this board.
Please feel welcome to reply with feedback on this tutorial or questions if something is not clear, and I'll do my best to update it accordingly. Please do not post your problems in this thread. Create a new top level post to describe your problems.