What to do if your computer is infected with a virus? How to clean an infected computer Cleaning your computer using CCE and TDSSKiller

Not all website owners are professional programmers. Many use ready-made engines or order the development of their resource from someone else.


Sooner or later you will run into problems of one kind or another. Infection of a website with a virus is not a rare occurrence, so be wary of it and scan the site periodically.

What does it mean – the site is infected with a virus? It turns out that even professionals get confused when asked such a question.

Everyone knows that a computer gets infected with malware, but how does this happen on websites? Here everything is a little different, although if the server (where the site is located) is infected, then there is practically no difference.

What does a web virus look like?

If a site is infected with a virus, it means that a special script is installed in its code that performs additional operations. Most often, infected sites immediately reveal themselves as soon as you access them.

This can have different consequences for visitors:

  • subscription to paid content is performed;
  • malware is downloaded;
  • advertising is displayed on the site;
  • traffic is redirected to other resources.

As a rule, hackers do everything without the victims noticing anything. Webmasters need to visit their own website more often and follow its internal links. You also need to respond to messages from users.

For the site owner, infection of his project can lead to other consequences.

Mainly:

  • denial of access to the administrative panel;
  • blocking site scanning by antivirus;
  • account blocking from the hosting side;
  • blocking in advertising services (for example, Google Adsense);
  • a sharp drop in attendance;
  • additional windows, unauthorized mailings;
  • deterioration of behavioral factors.

Competitors may dream of infecting a rival's website with a virus, but this is not so easy. In addition, it is a matter for the courts, so not every programmer will help with hacking.

Be wary of any suspicious change: if you did nothing yourself, why did something change? There must be an explanation.

What to do if the site is infected with a virus?

The consequences of a site being infected with viruses may be different, but positions in search engines will definitely drop. It is necessary to identify site infection as early as possible in order to find and remove malicious code.

Before you start searching, remember if you yourself have installed any suspicious codes. For example, a script from , which runs paid subscriptions, is also a virus, since it deceives honest visitors.

If you notice any changes on the site and for preventive purposes, run a check through the service. On the main page you will need to specify the site address and within a couple of minutes the verification status will appear:

As you can see, everything is clean on our blog. If problems were found, the service would point out the problems. It’s not difficult to remove malicious code from a website, but to prevent the virus from doing much harm, order notifications from this service.

If the site is infected with a virus and you don’t know what to do, contact professionals. There are many specialists in every niche who provide paid services.

Sites with malicious pieces of code and scripts quickly lose positions and their reputation decreases. You need to monitor your sites and remember that only honest monetization methods bring greater profits, because otherwise visitors will never return to the site.



This is not the first year that they have been the main activity of our company. And we can confidently state that infection of the site with viruses is a real pandemic.

Infection can occur when malicious code is introduced through various scripts on the site, through hacked access to the admin panel, through theft of the FTP login and password, through vulnerabilities (“holes”), etc.

This leads to disastrous results:

  • infection of visitors;
  • disruption of the site;
  • and, perhaps, the worst thing is that the site ends up on the Black List of search robots such as Google or Yandex, which in turn leads to the loss of visitors, and in the case of a business site, to the loss of profit and reputation.

You can find out if a site is infected in the following ways:

  • using an antivirus;
  • you can determine the infection by checking the source code, for example, in the browser by simultaneously pressing the Ctrl+U keys;
  • look at the index file - when was the last time changes were made, if at that time you did not update the information, then...
  • use the services of Yandex-Webmaster or Google-Webmasters.

Your website has been infected, what can you do?

Everything here will depend on the degree of infection, your hosting provider, etc.

The first way to solve this problem is to seek help from specialists; this is especially true for beginners. So we are waiting for your call!

The second method depends on your hosting and account: whether a site backup is available to you and whether you made one regularly. If the answer is yes, feel free to roll back to a point before the infection. If the backup was made by the hosting provider, describe your problem and ask them to “roll back” your site to a date before the infection. But there is one catch: how long has the site been infected? If it has been a long time, there is a very high probability that the backups contain the virus too.

If the two previous solutions are not available, you will have to do this manually. It is possible that the virus did not cause significant damage and only a few files are infected, usually index.php and index.html. But it may be that other files are also infected. Block access to the site by placing a “.htaccess” file in the root of the site, so as not to spoil your ranking in search engines. Next, download the contents of your site to your computer, preferably as an archive, and run the antivirus on it; it will do at least half of the work. Whatever it does not handle, you will have to do manually. But that is still better than starting the website all over again. Always monitor the security of your PC.

The problem of infection may also be on your computer; do not forget about a decent antivirus program on it.
If there is an infection, be sure to change all passwords for the site: for accessing the “admin panel”, for accessing FTP, for your hosting account, etc., because no one will tell you what information the attackers obtained.

Remember the safety of both your PC and the site, follow all precautions and recommendations. And we hope that your experience will not be sad, good luck to you!

16.02.2015 16:05:23

There is always a chance that your computer will be infected by malware, even if you have an antivirus installed. And when no security software is installed on the computer, this probability is even higher.

If infection occurs, it is best to contact specialists for “treatment.” However, there is not always a computer expert nearby. In this article, you can learn how to recognize the infection yourself and fix the problem - or, if possible, reduce the risk of harm before a specialist arrives.

Signs of infection

If you suspect a virus

Since modern viruses are “tailored” to work on a network, if you suspect an infection, it is extremely important to disconnect the network cable from the computer - or, if the network is wireless, turn off the Wi-Fi module.

Unfortunately, there are situations when the network is needed to carry out “treatment” - for example, to download an antivirus program. Of course, it would be more correct to download the anti-virus utility from another place, and then copy it to an infected but disconnected computer, for example using a flash drive. If this method is not available, you can try using the Internet. However, in no case should you log into online banking systems, connect to mailboxes, and so on, that is, do not expose confidential data in any way. As soon as all the necessary antivirus tools have been downloaded, the network must be turned off.

It should be understood that the very fact that a computer is infected, that is, the presence of an active virus in RAM, can make “treatment” difficult. The virus can resist: for example, block access to the websites of antivirus manufacturers or camouflage itself from specific antivirus programs. This means that in some cases “treatment” with the help of an additional “clean” system may be necessary. For example, you can boot the system from a CD, or you can remove the hard drive with the infected system and connect it as a second drive to a known “clean” computer.

How to cure a computer

There are different ways to get rid of malware, each of which has its own advantages and disadvantages.

Method 1. Using ready-made antivirus tools

The vast majority of users will be satisfied with “cleaning” their computer using ready-made tools that are offered by antivirus software developers. In particular, you can easily find free utilities designed specifically for “curing” an infected computer. Here are some examples of such programs with a Russian-language interface:

  • Dr.Web CureIt! (http://www.freedrweb.com/cureit/);
  • Kaspersky Virus Removal Tool (http://www.kaspersky.ru/antivirus-removal-tool);
  • Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/ru-ru/default.aspx).

Of course, you can use other utilities, but it is recommended to download them only from the official developer sites. It is also advisable to download them first to a “healthy” computer and then transfer them to the infected one.

Despite the comparative simplicity of this method, before embarking on “treatment”, you need to understand a number of principles:

  1. Even if your computer is protected by antivirus software, it can be infected with a virus because the antivirus does not recognize it.
  2. If the antivirus does not recognize this particular virus at this particular moment, it is quite possible that it will begin to recognize it in the future, for example, if you update the databases with virus signatures.
  3. If the installed antivirus does not recognize this particular virus, it is quite possible that an antivirus from another manufacturer will recognize it.
  4. If none of the antiviruses finds viruses on your computer, this does not mean that they are not there. However, we have no choice but to assume with a high degree of probability that the computer is “clean”.

In other words, it is possible that you will need to carry out treatment using several utilities from different manufacturers.

The general treatment regimen is as follows:

  1. If your computer is infected with a blocker, you must first unblock it (you can read more about this in the article on Trojan blockers).
  2. Install and run the treatment utility.
  3. Follow instructions.
  4. After completing the utility, install and run one or more utilities from other manufacturers in the same way.
  5. The computer has been disinfected. Now you need to install (or reinstall) the antivirus complex.
  6. The computer is disinfected and protected. You should change all passwords for all Internet services, email programs, instant messengers, etc. It is highly recommended to monitor the movement of funds on payment cards and bank accounts if you use online banking systems: in case of suspicious transactions, contact the bank so that it takes the necessary measures (cancellation of payments, re-issuance of cards, etc.).
  7. If you were unable to cure your computer on your own for some reason, you need to contact a specialist. Don't forget about the availability of technical support for antivirus users: this can save you a lot of time, nerves and money.

Method 2: Reinstalling the operating system

This is a radical method that should be resorted to if antivirus tools do not help. Before installing the OS again, it is advisable to first format the hard drive, which is not always convenient, since it destroys not only malicious programs but also useful data. In addition, installing and especially customizing the OS is quite labor-intensive.

The task of reinstalling the system can be made easier if you take care of this in advance. For example, the “My Documents” folder in Windows can be moved to another logical or physical drive, which will allow you to format the system partition at any time without fear of losing personal data. In addition, owners of the latest versions of Windows have the opportunity to create an OS installation disk that also stores its own set of programs and settings.

You should also keep in mind that if your computer is infected with a ransomware virus, simply reinstalling the system will not help you recover encrypted personal data.

Method 3: Manually detect and remove malware

It should be said right away that this method is recommended last. Even a deep knowledge of the operating system is unlikely to help you implement it adequately: there is a high probability that you will either miss some malicious modules, or, on the contrary, mistake a useful program for a virus and delete something you need, violating the integrity of the OS.

Even if we give you some general recommendations, for example, that you should check the program startup folder and Windows registry startup keys, this will not be of much help, because without professional knowledge and experience in IT security issues, it will be very difficult for you to distinguish “bad” files from “good” ones.

Sometimes it happens that an antivirus scans your site and signals threats. This means that it is infected with a virus, that is, malicious code. Due to viruses, the site begins to load more slowly, and some of its scripts stop working. All this will be immediately noticed by visitors and their dissatisfaction with the poor performance of the site will increase sharply. If the site is infected, then in order to eliminate the virus, the site owner needs to understand what it is, where it came from and how it works.

What is a virus and how does it infect a website?

A virus is an encrypted malicious code that is embedded in the code of a resource page. It often takes the form of an iframe - an element that allows one page to be embedded in the content of another. Typically, the iframe embeds a further infected page, whose code looks for vulnerabilities in the browser and uses them to download and run virus files on the computers of users who visit the site.
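One way to check a page's source for the injected iframes described above, as an added example that is not from the original article. The host names, the sample page and the three heuristics (off-site source, zero or one pixel size, CSS hiding) are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: inline CSS tricks that keep a frame out of the visitor's sight.
HIDING_CSS = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d{3,}")


class IframeAudit(HTMLParser):
    """Collect every <iframe> that looks injected, with the reasons why."""

    def __init__(self, site_host, trusted=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.trusted = {h.lower() for h in trusted}
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        own = host == self.site_host or host.endswith("." + self.site_host)
        if host and not own and host not in self.trusted:
            reasons.append("off-site source")
        if any(attr.get(dim, "").strip() in ("0", "1") for dim in ("width", "height")):
            reasons.append("zero/one-pixel size")
        if HIDING_CSS.search(attr.get("style", "").replace(" ", "").lower()):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html, site_host, trusted=()):
    """Return [(src, reasons)] for the suspicious iframes found in `html`."""
    parser = IframeAudit(site_host, trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate frames and two injected ones.
SAMPLE_PAGE = """
<html><body>
<h1>Shop</h1>
<iframe src="/widgets/map.html" width="600" height="400"></iframe>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://cdn-stats.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<div><IFRAME SRC="//counter.invalid/x" style="position:absolute; left:-9999px"></IFRAME></div>
</body></html>
"""

if __name__ == "__main__":
    for src, why in audit_page(SAMPLE_PAGE, "shop.example.org", {"video.example.org"}):
        print(src, "->", ", ".join(why))
```

A frame flagged only as "off-site source" is usually a legitimate embed that is missing from the trusted list; the combination with a hiding trick is what deserves attention first.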

As a rule, most viruses work on the same principle. Once on a computer whose owner logged into the site using the FTP protocol, the virus finds the login details for this site. The found data is sent to the computers of hackers. Using these details, hackers, with the help of robots, scan the site and look for root files. When the files are found, they are downloaded to the hacker's computer, dangerous code is added to them, and the infected file is sent back to the site.

For the site owner, such activity is almost invisible. He only sees user authorization and work with files, which usually happens when a developer updates a resource.

How to eliminate an infestation

To combat a site infection, you need to strictly follow the following steps:

  1. If a site is infected, then first of all, it poses a danger to its customers. To protect them, disable the web server. After that, using an antivirus, check all the files on the web server, and also change absolutely all passwords for all workstations.
  2. If you have a backup from before the site was infected with a virus, download it. Be sure to update all site software and study the vulnerabilities fixed in the latest versions. This may help in finding the cause of file infection.
  3. Remove elevated privileges from any users you are not completely sure about. Carefully check whether there is a web shell on your server, using which hackers can make changes to the code of your resource without authorization.

Search for dangerous code

  • Scan all templates, scripts, databases.
  • Scan your configuration files.
  • Check all files hosted on the same server as you. Perhaps the entire server is at risk, and it’s not just your site.

To more successfully search for malicious code in infected files, pay attention to the following features:

  • The malicious code is different from the code in the backup version. Make regular backups and use version control systems. This often makes it easier to fight the infestation.
  • The code is unreadable and has no clear structure.
  • The time the file was modified and the time the site was infected with a virus coincide. This parameter is not always objective, since the file modification time can be falsified by the virus itself.
  • The code contains functions similar to virus code.
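The four features above can be checked mechanically before any manual reading. The following is an added example, not code from the original article: the directory layout, the 500-character line threshold and the list of PHP calls are assumptions, and the demo site is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

MAX_LINE = 500  # assumption: hand-written templates rarely have lines this long
# Assumption: PHP calls that often appear together in obfuscated injections.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(site_dir, backup_dir, window_start, window_end):
    """Map each file worth manual review to the list of reasons it was flagged."""
    site, backup = Path(site_dir), Path(backup_dir)
    report = {}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site).as_posix()
        reasons = []
        reference = backup / rel
        # Strongest signal: content hash compared with the known-good copy.
        if not reference.is_file():
            reasons.append("not in backup")
        elif sha256(reference) != sha256(path):
            reasons.append("differs from backup")
        # Supporting signal only: mtime can be reset by whoever wrote the file.
        if window_start <= path.stat().st_mtime <= window_end:
            reasons.append("modified in incident window")
        text = path.read_text(encoding="utf-8", errors="replace")
        if max((len(line) for line in text.splitlines()), default=0) > MAX_LINE:
            reasons.append("very long line")
        calls = [c for c in SUSPICIOUS_CALLS if c in text]
        if calls:
            reasons.append("calls: " + ", ".join(calls))
        if reasons:
            report[rel] = reasons
    return report


def demo():
    """Build a constructed site and backup in a temp directory and triage them."""
    root = Path(tempfile.mkdtemp())
    site, backup = root / "site", root / "backup"
    pages = {"index.php": "<?php\necho 'home';\n", "about.php": "<?php\necho 'about';\n"}
    for folder in (site, backup):
        folder.mkdir()
        for name, body in pages.items():
            (folder / name).write_text(body, encoding="utf-8")
    # Constructed tampering: an inert one-line blob appended to index.php ...
    blob = "eval(base64_decode('" + "A" * 600 + "'));\n"
    (site / "index.php").write_text(pages["index.php"] + blob, encoding="utf-8")
    # ... and a new file that exists only on the live site.
    (site / "cache.php").write_text("<?php // constructed extra file\n", encoding="utf-8")
    backup_time = 1_700_000_000
    incident = backup_time + 10 * 86400
    for path in site.iterdir():
        os.utime(path, (backup_time, backup_time))
    os.utime(site / "index.php", (incident, incident))  # cache.php keeps a backdated mtime
    return triage(site, backup, incident - 86400, incident + 86400)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

In the demo, cache.php carries a backdated modification time and is still reported, because the comparison with the backup does not depend on timestamps.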

Preventing Infection

It is better to deal with site infection before it occurs. In order to get rid of all vulnerabilities and minimize the possibility of infection, follow these rules:

  • Make sure that FTP clients do not have the ability to save passwords.
  • Change your access passwords regularly and do not store them on your computer.
  • Reduce the number of users who can connect via FTP from their addresses.
  • All user computers that have access to FTP must be equipped with antivirus software and the latest updates for all programs.

If your site is connected to the webmaster panel and there was also a message about the threat, after getting rid of it, you need Yandex to remove the danger mark from your site. To do this, you must submit a corresponding request. The recheck will be done without a request, but it will take much more time.

Unfortunately, sometimes it happens that the antivirus installed on the system with the latest updates is not able to detect a new virus, worm or Trojan. Alas, no antivirus protection guarantees 100% security. In this case, it is necessary to determine the fact of infection, detect the virus file and send it to an anti-virus company, whose product “missed” the harmful program and was unable to protect the computer from infection.

However, in most cases, it is quite difficult to notice on your own (without the help of anti-virus programs) that your computer has been infected - many worms and Trojans do not show their presence in any way. There are, of course, cases when Trojans explicitly inform the user that the computer is infected - for example, in cases of encrypting user files and then demanding a ransom for the decryption utility. But usually they secretly install themselves into the system, often use special camouflage methods and also secretly conduct their Trojan activities. The fact of infection can only be confirmed by indirect signs.

Signs of infection

The main signs of infection include an increase in outgoing Internet traffic - a rule that holds for both individual users and corporate networks. If you are not actively using the Internet (for example, at night) and traffic continues anyway, then someone else is generating it, most likely for malicious purposes. If you have a firewall, a signal of infection may be attempts by unknown applications to open Internet connections. Numerous advertising “pop-ups” when visiting websites can signal that an advertising program (Adware) is present in the system.

Frequent freezes and crashes in your computer can also be caused by infection. However, in many cases, the cause of failures is not a virus, but hardware or software. If similar symptoms appear on several (many) computers on the network at once, if at the same time intranetwork traffic increases sharply, then the reason most likely lies in the spread of another network worm or Trojan backdoor program over the network.

Indirect signs of infection may also include non-computer symptoms, for example, bills for phone calls or SMS messages that were never actually made or sent. This may indicate that a “telephone Trojan” has appeared on your computer or mobile phone. If cases of unauthorized access to a personal bank account or unauthorized use of a credit card are recorded, this may be a signal of spyware embedded in the system.

It is possible that the set of anti-virus databases is out of date - you need to download the latest updates and check your computer. If this does not help, then antiviruses from other manufacturers may help. Most well-known antivirus companies release free versions of their products (trial versions or one-time “cleaners”) - it is recommended to use this service. If a virus or Trojan program is detected by another antivirus, in any case, the infected file should be sent to the developer of the antivirus that did not detect it. This will help you add it to updates more quickly and protect other users of this antivirus from becoming infected.

If nothing is found, then before you start searching for the infected file, it is recommended to physically disconnect the computer from the Internet or from the local network, if it was connected to it, and turn off the Wi-Fi adapter and modem (if any). In the future, use the network only when absolutely necessary. Do not use online payment systems or online banking services under any circumstances. Avoid accessing personal and any confidential data, and do not use Internet services that require a login and password to access.

How to find an infected file

Detecting a virus or Trojan on a computer can be either a difficult task, requiring high qualifications, or quite trivial - depending on the complexity of the virus or Trojan, and on the methods used to hide malicious code in the system. In “severe cases”, when special methods of masking and hiding infected code in the system are used (for example, rootkit technology), it is not possible for a non-professional to find the infected file. This task will require special utilities, perhaps connecting the hard drive to another computer or booting the system from a CD. If you encounter an ordinary worm or Trojan program, you can sometimes find it in fairly simple ways.

The vast majority of worms and Trojans must gain control at system startup. To do this, in most cases, two main methods are used:

  • recording a link to an infected file in the autorun keys of the Windows system registry;
  • copying the file to the Windows startup directory.

The most “popular” startup directories in Windows 2000 and XP are as follows:

  • \%Documents and Settings%\%user name%\Start Menu\Programs\Startup\
  • \%Documents and Settings%\All Users\Start Menu\Programs\Startup\

If suspicious files are found in these directories, it is recommended to immediately send them to the antivirus developer company with a description of the problem.

There are quite a lot of autorun keys in the system registry, the most “popular” of them are the Run, RunService, RunOnce and RunServiceOnce keys in the registry branches:

Most likely, several keys with unintelligible names and paths to the corresponding files will be found there. Particular attention should be paid to files located in the Windows system or root directory. It is necessary to remember their name, this will be useful in further analysis.

Also “popular” is writing to the following key:

The default value for this key is “"%1" %*”.

The most convenient places for worms and Trojans are the system directories (system, system32) and the Windows root directory. This is because, firstly, displaying the contents of these directories in Explorer is disabled by default. Secondly, there are already a lot of different system files there whose purpose is completely unknown to the average user, and even an experienced user will find it very difficult to tell whether a file named winkrnl386.exe is part of the operating system or something foreign.

It is recommended to use any file manager with the ability to sort files by creation and modification date and sort the files in the specified directories. As a result, all recently created and modified files will be shown at the top of the directory, and these are the ones that will be of interest. The presence among them of files that have already been found in autorun keys is the first alarm bell.
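The same cross-check can be scripted: list recently modified files, newest first, and match them against the file names launched from autorun entries. This is an added example, not part of the original article; the autorun command lines and the directory contents are constructed, and only modification time is used because creation time is not portable across platforms.

```python
import ntpath
import os
import re
import tempfile
from pathlib import Path

# Leading executable of a command line: a quoted path, or an unquoted path
# (which may contain spaces) up to the first executable extension.
_EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$))', re.I)


def autorun_names(commands):
    """Lower-cased file names of the programs started by autorun command lines."""
    names = set()
    for command in commands:
        match = _EXE.match(command)
        if match:
            names.add(ntpath.basename(match.group(1) or match.group(2)).lower())
    return names


def recent_files(directories, since):
    """Paths modified at or after `since` (epoch seconds), newest first."""
    found = []
    for directory in directories:
        for entry in os.scandir(directory):
            if entry.is_file() and entry.stat().st_mtime >= since:
                found.append((entry.stat().st_mtime, entry.path))
    return [path for _, path in sorted(found, reverse=True)]


def first_alarm(directories, since, commands):
    """Recently modified files that are also launched from an autorun entry."""
    names = autorun_names(commands)
    return [p for p in recent_files(directories, since)
            if os.path.basename(p).lower() in names]


def demo():
    """Constructed stand-in for a system directory plus two autorun values."""
    system_dir = tempfile.mkdtemp()
    now = 1_700_000_000
    age_in_days = {"kernel32.dll": 900, "ctfmon.exe": 900,
                   "winkrnl386.exe": 2, "setup.log": 1}
    for name, age in age_in_days.items():
        path = Path(system_dir, name)
        path.touch()
        os.utime(path, (now - age * 86400, now - age * 86400))
    commands = [  # constructed values, as they would be read from autorun keys
        r'"C:\WINDOWS\system32\ctfmon.exe"',
        r'C:\WINDOWS\system32\winkrnl386.exe /background',
    ]
    since = now - 7 * 86400
    recent = [os.path.basename(p) for p in recent_files([system_dir], since)]
    alarms = [os.path.basename(p) for p in first_alarm([system_dir], since, commands)]
    return recent, alarms


if __name__ == "__main__":
    recent, alarms = demo()
    print("recently modified:", recent)
    print("also in autorun:  ", alarms)
```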

More experienced users can also check open network ports using the standard netstat utility. It is also recommended to install a firewall and check the processes that conduct network activity. It is also recommended to check the list of active processes, and use not standard Windows tools, but specialized utilities with advanced capabilities - many Trojan programs are successfully disguised as standard Windows utilities.

But there is no universal advice for all occasions. Often you have to deal with technically “advanced” worms and Trojan programs, which are not so easy to detect. In this case, you need to seek help either from the technical support service of the anti-virus company whose protection is installed on your computer, or from one of the companies specializing in computer help, or ask for help on the appropriate Internet forums. Such resources include the Russian-language www.virusinfo.info and anti-malware.ru, as well as the English-language www.rootkit.com and www.gmer.net. By the way, many antivirus companies also have similar forums that specialize in helping users.


