If you can't find what you need, use the site search on the toolbar above.


The Scream, 1893. Apologies to Edvard Munch.

Includes advice on how to get virus & malware infections, plus lots of information on getting rid of them.

Test Your Virus Checker - "Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working. Such a test will give meaningful results, but with unappealing, unacceptable risks."

Do not install a software package named "XP Antivirus 2008", which is rogue security software. It uses deception to get you to install it whereupon it will use scare tactics to tell you that you have spyware or malware installed on your computer. It will also offer to fix the problem if you pay up. See this link for removal information.

Free Antivirus and Anti-Malware Software

How to get Infected

If you want to guarantee a malicious infection of your machine, run these packages: Grokster, Kazaa, BitTorrent, Direct Connect, Shareaza, FlashGet, Gozilla, NetAnts, BearShare, Audiogalaxy Satellite, iMesh and any number of other file-sharing and peer-to-peer (P2P) packages. This does not imply that the names listed here carry malware, though some dubious versions do; it means that downloading and installing files from disreputable sources, including unidentified P2P users and 'warez' websites, is how malware often gets into your system. Need some proof? "Spyware" piggybacks on Napster rivals

A good way to get spyware on your system is to not read the terms of use, or the End User License Agreement, which is usually presented before you install the software. In most cases, the EULA will tell you that it intends to install adware or spyware, only not in those words. If you install spyware or adware without reading the EULA, you have only yourself to blame because they did warn you.

Unexplained computer behaviour may be caused by deceptive software

Free (Mostly) Tools

McAfee AVERT Stinger - "Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimisations."

BackDoor-AQJ, BackDoor-ALI, BackDoor-CEB, BackDoor-JZ, Bat/Mumu.worm,
Downloader-DN.a, Exploit-DcomRpc, Exploit-LSASS, Exploit-MS04-011, HideWindow,
IPCScan, IRC/Flood.ap.dr, IRC/Flood.bi.dr, IRC/Flood.cd, NTServiceLoader, ProcKill,
PWS-Narod, PWS-Sincom.dll, W32/Anig.worm, W32/Bagle@MM, W32/Blaster.worm (Lovsan),
W32/Bropia.worm, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Doomjuice.worm,
W32/Dumaru, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/IRCbot.worm,
W32/Klez, W32/Korgo.worm, W32/Lirva, W32/Lovgate, W32/Mimail, W32/MoFei.worm,
W32/Mumu.b.worm, W32/MyDoom, W32/MyWife.d, W32/Nachi.worm, W32/Netsky,
W32/Nimda, W32/Pate, W32/Polybot, W32/Sasser.worm, W32/Sdbot.worm.gen,
W32/SirCam@MM, W32/Sober, W32/Sobig, W32/SQLSlammer.worm, W32/Swen@MM,
W32/Yaha@MM, W32/Zafi, W32/Zindos.worm, W32/Zotob.worm

McAfee Klez Removal - Deletes all Klez-related services; Removes any registry entries that were created by Klez; Terminates all processes that are associated with the Klez virus; Detects and removes all types of Klez infections.

McAfee Bugbear Removal Tool - Deletes all Bugbear-related services; Removes any registry entries that were created by Bugbear; Terminates all processes that are associated with the Bugbear virus; Detects and removes all types of Bugbear infections.
BitDefender Removal Tools

Backdoor.IRC.Sticy.A, Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B, BackDoor.Rebbew (A,B,C,D), Backdoor.Sticy.B, I-Worm.Sircam,
Trojan.VB.AE, Win32.Antiman.A@mm, Win32.Auric.A@mm,
Win32.Badtrans.B@mm, Win32.Bagle.{C-E}@mm, Win32.Bagle.A@mm,
Win32.Bagle.AU@mm, Win32.Bagle.FO@mm, Win32.Bagz.B@mm,
Win32.Bride.A@mm, Win32.Bride.B@mm, Win32.Bride.C@mm,
Win32.Brontok.A@mm, Win32.BugBear.A@mm, Win32.BugBear.B@mm,
Win32.BugBear.C@mm, Win32.Dumaru.A@mm, Win32.Dumaru.B/C@mm,
Win32.Dumaru.Y@mm, Win32.Elkern.A, Win32.Evaman.A@mm,
Win32.Fizzer.A@mm, Win32.Frethem.F@mm, Win32.Funlove,
Win32.Ganda.A@mm, Win32.Gibe.A@mm, Win32.Gone.A@mm,
Win32.Holar.H@mm, Win32.IISWorm.CodeRed.F, Win32.Ivrol.A@mm,
Win32.Jeefo.A, Win32.Klez.A@mm, Win32.Klez.D@mm,
Win32.Klez.E@mm, Win32.Klez.H@mm, Win32.Lirva.B@mm,
Win32.LovGate.C@mm, Win32.LovGate.C@mm,
Win32.Mabutu.A@mm, Win32.Magistr.B@mm,
Win32.Melare.A@mm, Win32.Mimail.A@mm, Win32.Mimail.C@mm,
Win32.Mimail.D,E,F,H@mm, Win32.Mimail.I@mm, Win32.Msblast.A,
Win32.Msblast.B, Win32.Msblast.C, Win32.Msblast.F, Win32.Muce.A,
Win32.Mydoom.B@mm (Win32.Novarg.B@mm), Win32.Myparty.A@mm,
Win32.Neroma.A@mm, Win32.Neroma.B@mm, Win32.Netsky.B@mm,
Win32.Netsky.Q@mm, Win32.Nimda.A@mm, Win32.Nimda.E@mm,
Win32.Novarg.A@mm, Win32.Nyxem.E@mm, Win32.Parite.A/B/C,
Win32.Polip.A, Win32.Sober.A@mm, Win32.Sober.AD@mm,
Win32.Sober.B@mm, Win32.Sober.C@mm, Win32.Sober.D@mm,
Win32.Sober.F@mm, Win32.Sober.O@mm, Win32.Sobig.A@mm,
Win32.Sobig.B@mm (Palyh), Win32.Sobig.C@mm, Win32.SoBig.E@mm,
Win32.SoBig.E@mm, Win32.Sobig.F@mm, Win32.Valhalla.2048,
Win32.Worm.Benjamin, Win32.Worm.Bobax.A/C, Win32.Worm.Bobax.A/C,
Win32.Worm.Dabber.A, Win32.Worm.Korgo.A,B, Win32.Worm.Korgo.C,
Win32.Worm.Korgo.P, Win32.Worm.Korgo.R, Win32.Worm.Mexer.E,
Win32.Worm.Mytob.BY, Win32.Worm.Opaserv,
Win32.Worm.SQLExp.Slammer.A, Win32.Worm.Welchia.A,
Win32.Worm.Welchia.B, Win32.Yahaa.D@mm, Win32.Yahaa.E@mm,
Win32.Yahaa.J@mm, Win32.Yahaa.K@mm, Win32.Yahaa.P@mm/Q@mm,
Win32.Zafi.A@mm, Win32.Zafi.B@mm, Win32.Zafi.D@mm, Worm.Kibuv.A
Comprehensive List of Removal Tools - A great site for information on trojans, viruses and Worms! Worms! Worms! at virusall.com. Caution: virusall.com is an excellent resource, however it features PandaSoft and the Panda range of products. PandaSoft require you to register for spam before they will allow you to use their "free" tools. Whatever you do, do not give your email address to PandaSoft. You have been warned. On the subject of spam, here is the world's only official spam website.
SpywareBlaster - a preventative for many pestiferous types of ad and spyware. It does not scan for spyware, it prevents it from being installed. The SpywareBlaster page isn't exactly clear on how the product works, but once it has been run and configured for the first time, it apparently continues to do its job without loading into memory, assumedly because it has made registry changes that redirect miscreant behaviour.
AdAware - The entry level product is suitable for most users, and it's free.
SpyBot Search & Destroy
HijackThis - A general homepage hijackers detector and remover.

CWShredder - A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a million other names)

Kill2Me: A removal tool specifically for the Look2Me parasite.

KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it.
Trojan Remover - "...written to aid in the removal of Trojan Horses and Internet Worms when standard anti-virus software has either failed to detect the problem or is unable to effectively eliminate it. Trojan Remover has been written for Windows 95/98/NT/Millennium/XP. It has been successfully used by Windows 2000 users, although this platform has not been officially tested."

Commercial product. 30-day trail.
HOSTS File Blocks Ads and Prevent Redirects

To filter additional ads and to stop redirects, parasites, dialers and hijackers, visit mvps.org and download the hosts file from their Blocking Unwanted Ads with a Hosts File page. Save the file as "hosts" with NO extension into the "C:\WINDOWS\SYSTEM32\DRIVERS\ETC" directory. That’s all you have to do. WARNING: If you have had to modify the hosts file at some point in the past, be careful not to overwrite any earlier changes. The download file is updated on a regular basis.
Using Internet Explorer's Restricted Zone Feature

Visit mvps.org and read their Adding Sites to the Restricted Zone page. Download entries for suspect sites. From the website: "You can manually add an entry to the Restricted Zone or use the pre-made reg file that contains most of the major ad servers, hijackers, diallers and parasites. This will help prevent "drive-by" installs of unwanted software."

CoolWebSearch is the name given to a wide variety of different browser hijackers that can have substantially different symptoms from one variant to the next. All of the CoolWebSearch hijackers redirect your browser to coolwebsearch.com or to one of hundreds other affiliated sites.

This software causes the lop.com toolbar to pale into insignificance when it comes to criminal activity. Symptoms of a CoolWebSearch infestation vary greatly but often include:
  • Home page search settings pointing to coolwebsearch
  • Hosts file hijacked or deleted Encoded
  • Odd looking URLs
  • Programs set to run on every boot
  • coolwebsearch.com added to IE's Trusted Sites list
  • Impersonating msn.com
  • Masquerading  as a device driver
  • Direct attacks on your antivirus, firewall, hijack preventative and trojan removal software
  • Closing running processes and generating fake Windows errors to cause confusion
  • Overwriting various files belonging to security software, and much more
There are well over 1700 known affiliates of coolwebsearch. A full list is available here. It's a very long list. If you have a coolwebsearch infestation, download BOTH of these:

CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval
Lop Toolbar

The Lop Toolbar hijacks your home page and deliberately redirects you to advertisers associated with lop.com. It also tracks every website that you visit and reports your surfing activity to Lop Inc, as well as stuffing your favourites list full of spam links and hijacking your default search settings. The information gathered by the Lop Toolbar is used to target you with adverting. The Lop Toolbar is particularly nefarious because it updates itself without your permission and also renames itself to avoid detection by software designed to remove it.

Removing the Lop Toolbar is not going to be easy. It may well cost you a significant time and cash investment so you should consider if it's worth backing up your important data and doing a clean install of Windows XP.

AdAware and SpyBot Search & Destroy are likely to find a large proportion of a Lop infestation, but they have been known to miss some files if the Lop Toolbar has updated and renamed itself recently. There are any number of known Lop variants that change your home page to one of these, plus possible others:

aavc.com acjp.com ebav.com ebaw.com ebch.com
ebdv.com ebdw.com ebgo.com ebjp.com ebkb.com
ebkn.com ebky.com eblv.com ebmu.com ebvr.com
ecmh.com ecmp.com ecwz.com ecyb.com edhq.com
edty.com eduy.com eeev.com ibmx.com icwb.com
icwo.com icwp.com iddh.com idhh.com ifiz.com
iguu.com samz.com saoe.com sbee.com sbjr.com
sbnl.com sbnt.com sbvr.com scbm.com sckr.com
scrk.com sdry.com seld.com sfux.com sipo.com
smds.com srox.com srsf.com ssaw.com ssby.com
surj.com tbvg.com tdak.com tdko.com tdmy.com
tefs.com tfil.com thko.com tjar.com tjaw.com
tjdo.com tjem.com tjgo.com torc.com wabq.com
wabu.com wbkb.com wfix.com wflu.com farse.com

You should start your attempt to remove the Lop Toolbar by using HijackThis first because it has been reported to catch a large number of Lop changes missed by AdAware and SpyBot Search & Destroy.

If you want to check that Lop has been completely removed, read the article Lop remover and uninstalling guide, which details where Lop puts its files and what registry keys it uses.

Yet More Malware

Redirectors, rogues and spyware are a class of program and/or plug-in that can and do make dramatic changes to your Internet Explorer, Netscape, Opera, and Mozilla browsers, amongst others. They redirect the default search engine page, attach themselves to toolbars, alter your home page, as well as put shortcuts to websites on your desktop and into your favourites folder. They can cause your browser to lock and die, and they can, and do, track the types of pages that you visit then target your browser with ads that match your browsing habits.

You may also be wondering how the dreadful beast that now plagues you managed to parasite itself onto your system. A lot of people will tell you it's because you downloaded porn or warez, but more than likely you didn't deliberately download anything at all to get caught. Redirectors, rogues and spyware can easily be installed by ActiveX from many websites, often through seemingly innocuous pop-up advertisements. Unscrupulous websites create a mass of confusion on your screen by generating pop-up loops that open endlessly and then use the confusion to trick you into downloading the parasite. Unfortunately these tricks have also been employed by mainstream advertising networks. So, there is no real way of knowing where you actually got it from, but if you recently had a firestorm of pop up windows then that's the likely source.

If you have a problem with any of the symptoms described here, you might try the removal tools listed above.

Visit this link for specific issues with the invidious rogue called  Xupiter - there are removal instructions for Xupiter at that link.  Computer Associates have an online PestPatrol scanner. You can buy PestPatrol for around $US30, which may find some more of the remaining files.

Once you have tried removing any vermin from your system, if Internet Explorer hangs as a result of those changes, read this article: How to Reinstall/Repair Internet Explorer and Outlook Express.

Removal Instructions for Various Adware & Spyware

Visit SpyAny.com for a comprehensive list of removal instructions:

Remove Alexa Toolbar Remove Bonzi Buddy
Remove Comet Cursor Remove Click2FindNow
Remove Date Manager Remove Gator
Remove GoHip Remove Global-Finder.com
Remove Globaltoolbar Remove HotBar
Remove Huntbar Remove I-Lookup
Remove Look2Me Remove MemoryMeter
Remove N-Case Remove New.Net
Remove Precision Time Remove SaveNow
Remove Search Toolbar Remove SurferBar
Remove Speedblaster  Remove Xupiter Toolbar
Remove Xzoomy.com  Remove WinFixer
Patching Pre-SP1 XP via the Internet

Download and install these two patches immediately:

Security Update for Windows XP (KB823980)
Security Update for Windows XP (KB824146)

Before you connect your new installation of Windows XP (Pre SP2) to the Internet, you should enable your internet connection firewall and install an antivirus program. If you don't have these installed or active, you may find that any one of thousands of infected PC's on the Internet will burden you with one of a number of worms that will cause "NT Authority\system" shutdown via "Remote Procedure Call" (RPC) and your system will commence shutdown. Take these steps to stay online long enough to patch your XP:

"NT Authority\system" Shutdown

If you receive this message, select Run from the start menu and enter "shutdown -a" when the next RPC countdown has commenced. This will abort the shutdown process and allow you to stay online.

IMPORTANT: This error indicates that your system is infected.