Your anti-virus program may claim successful virus removal, but if symptoms remain then clearly the job's not really done.

My machine was recently infected by a worm called _____. My anti-virus removed it, but I am still getting _____. How do I fix that last left-over symptom?

That's a composite question since I get many variations of it on a regular basis.

The scenario is simple: you've been infected with a virus of some sort, and your anti-virus program reports, much to your great relief, that it has cleaned it out for you. And yet, there's some nagging leftover specific symptom.

The solution isn't nearly as simple as the scenario.

If you have left over symptoms, of any sort, then it's clear that the virus has not been eradicated from your system.

That, at least, seems fairly obvious. Here's the non-obvious version:

Even if you don't have leftover symptoms then the virus still may not have been eradicated from your system.

Read that last sentence again, because I want to make sure you understand what it implies.

You get a virus. You clean it up. Your anti-virus program says it's gone. Your computer behaves normally. Nothing would appear to be amiss.

And yet ...

How do you know - I mean really know - that the virus has been completely removed?

Answer: you don't.

So my answer to your question is this: you can spend a lot of time and effort attempting to track down that last symptom or whatever it is you're experiencing, but even if you're successful at getting rid of it, you've proved nothing. Your system may still be infected.

In fact, the fact that there's a leftover symptom proves that your anti-virus program or whatever other technique you used failed to remove everything.

The rule is this:

Once your machine is infected, it's not your machine anymore.

I've discussed this before, but the fact is that once you've become infected there is simply no way to completely remove the virus, and know that you've removed all traces of a virus. There are exactly two approaches that work:

  • restore from your most recent complete backup prior to the infection.

  • reformat your hard disk and reinstall the operating system from scratch.

If you haven't been backing up, then really you have only one option.

Yes, that's painful. Very painful.

That's why prevention - through appropriate tools, technologies and behaviors - is so much easier and cheaper than the cure.

OK, so I know that you don't want to follow my advice. You were infected, you have a symptom, and you're not about to reformat your machine just to get rid of it, even though I'm telling you that you should.

Here are some things to try:

Google the specific symptom - be as specific as you can be when you search. The problem is that each of these leftover issues will likely have its own unique set of removal instructions. And there are probably thousands of different little issues like this - there's no single place you're going to find all the answers.

Use System Restore - I don't recommend it as a solution by itself but it's possible that it may help in certain situations with certain symptoms.

Try a repair install of Windows - as part of a longer series of steps a repair install may re-install enough of the system or its settings so as to get rid of the symptom you're experiencing.

Moving forward I'd also want you to learn from this lesson and take some steps to protect yourself more completely in the future so you don't have to travel this path again.

Start backing up! Regular backups are the closest thing to a silver bullet that can save you from just about any kind of problem.

Learn to use the internet safely! You don't have to get infected - ever - if you follow some simple rules, and use some simple tools.

But for today's scenario, for today's infection, and for today's left-over symptom I have to repeat myself: the only sure solution is a reformat and reinstall.

Sorry.

Article C3601 - December 26, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

8 Comments
Leland Wilburn
December 26, 2008 8:56 PM

How do I remove Rapid Antivirus? Norton 360 v2.0 will not unless I pay an extra $100 on top of what the program itself cost.

Mary
December 29, 2008 12:36 PM

Leland -
Try using the techniques at bleepingcomputer:

http://www.bleepingcomputer.com/malware-removal/remove-rapidantivirus

I used bleepingcomputer's advice a few months ago to get rid of a similar infection by Antivirus XP 2008. See this previous Ask-Leo article:

http://ask-leo.com/how_can_an_infection_like_antivirus_xp_2008_happen.html

john
December 30, 2008 1:42 PM

I like the answers you are giving and you are so right: the only way to get rid, and I do mean totally rid, of a virus or anything that slows your computer down is to fdisk and reformat and download Windows again, which a lot of people just don't know how to do. Maybe you could run an article on this procedure; it would save people a lot of headaches if they knew how to. I'm a self-taught person and I learned a lot from mostly library books but also from your site. Keep up the super work. P.S. Free antivirus is available at avast; go to c/net downloads for free. You might want to pass this on. Thanks for being. John.

Allan
December 30, 2008 2:46 PM

G'day Leo. I agree with John, perhaps an article on backing up would be a good one for the new year. I have had computers for about 8 years and have never done a back-up, as I don't know how!
Happy New Year, Al.

fastfreddie1959
December 30, 2008 5:54 PM

These are my personal instructions on virus removal.
I've passed them along to hundreds of people
and it works every time.
And I use both programs, and have been
attacked by the xp-2008-2009 trojan
and it has not entered my computer.
I use this every day helping someone.
This must be done first:
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:

Then download this but don't buy it...just
use it to get rid of the trojan...
http://www.malwarebytes.org/rogueremover.php
Once the trojans are removed then you
need these 2 programs for better protection..

http://www.personalfirewall.comodo.com/download_firewall.html

http://www.comodo.com/boclean/CBO_download.html

Firewall comes with a Toolbar-you don't need it.
Just Uncheck the box for it.

Narc
December 30, 2008 10:55 PM

There is one further point to make, and it is this: even if you have been backing up and have a complete image of the system that you can roll back to, you cannot be sure it was made prior to the infection unless it was made immediately after installing the operating system, and before connecting the computer to a network (local network or the Internet). So, for truly paranoid people like myself, reformatting and reinstalling is still required. The backup therefore just gives you the ability to selectively restore data you've created, as long as proper precautions are taken.

Furthermore, there are any number of possible infections that are not obvious, or even apparent to even the most technical users (I'm thinking spambot trojans, which survive longer if they can hide from the computer operator). It's a truly terrifying world out there for us paranoid people.

Terry Hollett
January 2, 2009 4:26 PM

I just spent a couple of days trying to clear a rogue program called WiniGuard off my neighbour's computer. I tried two different virus programs, Avira and AVG. Neither one would update and WiniGuard alerts keep popping up.

The problem, other than updating the antivirus, was trying to research on a hijacked browser. I kept getting sent to other web pages.

I finally did get what I thought was enough data to get rid of it: the program folder, reg entries, and a few extra ones in the System32 folder (baloon.exe and cfrog.exe).

Still, the browser was hijacked and the antivirus (AVG) was un-updated. I downloaded the updates from my computer, burned them on a CD and used the option in AVG to update manually from folder.

Updated successfully, but the scanner didn't seem to be scanning anything. So I restarted in Safe Mode, and ran their scanner there. It removed a few items, one being a file called autorun.inf (from another virus program). Did some more research, checked for associated files... luckily found none.

Everything seemed to be clean but then every time Internet Explorer started up AVG would complain about an infected file called msqpdxiveoypff.dll with Trojan horse Generic 12.AH1J.

Using HijackThis I was able to delete this threat but still no updates. A day later I tried again and found some WiniGuard traces had reappeared. Deleted them as before; finally I was able to get enough control of the browser to download Malwarebytes and update it. It SEEMS to have taken care of the rest.

AVG is now updating normally. Formatting and reinstalling Windows from scratch is not an option when you don't have a CD and don't have the finances to buy one.

http://www.geocities.com/terryhollett2003/

andrea
September 30, 2010 9:24 PM

I would like to know how to get this off my comp. I wasn't home, my boyfriend was. I am not sure what happened and I can't even get into remove programs. It's called security tool, number is 500625.

Comments on this entry are closed.
