
If you think you have a security threat such as a virus, Trojan, or hacker attack, the first thing you should do is print these pages and disconnect the Internet connection. Being offline from the Internet is the first line of defence against an attack. It may even be a good idea to print the page now and keep it safe in case you have an attack in the future. Many virus attacks use the Internet connection to do their damage, Trojans and spyware rely totally on the connection, and some viruses allow you to connect but not browse web pages, hindering your ability to view online solutions. Follow the instructions for the scenarios below for an increased chance of finding the virus. Please bear in mind that some of these steps, such as restarting a machine, may not be a good idea if you are on a network. If you do have problems on a network, it is definitely advisable to contact your network administrator.
Please note, you must agree to the terms and conditions before you use any instructions provided by the PC Disinfection team.
Make a note of the reasons why you think you have a virus. For example, did you get an error message, or did your Anti-Virus software warn you of an attack? If so, write down as much information as you can: error codes, error messages, unusual events and the like. This information will help you during the research process or give clues to anyone trying to give you assistance.
First, close the Internet connection. The best way to do this is remove the physical cable from the computer or router or wall socket. Removing the physical cable means there is no way the virus can create any kind of connection without you knowing.
Then run a full system scan on your machine using your Anti-Virus software. To do this, open the application / program and look for an option to start a scan. If you are prompted to scan a certain location, select something that indicates a full system scan such as - 'my computer' or 'all hard disks'.
Leave the scan running; this should take around 20 - 30 minutes depending on the size and speed of the computer.
Once the scan has finished, look closely at the results or log file. If the results provide you with a positive virus recognition, print the results. Take note of whether the virus has been removed / deleted / quarantined, as opposed to showing a message similar to 'unable to remove'.

Restart the computer and, if you have time, run the scan again. This will determine if the virus has been cleared. If the scan comes back negative, with no viruses found, the chances are the virus has been removed. If the same virus returns, you may have a difficult virus to remove. The first step you may want to take is to turn off System Restore. The purpose of System Restore is to save a copy of the system setup and store it for safe keeping, so that if you have any faults when changing the system or installing new software you can revert to the original setup which you know works. For this reason the System Restore feature cannot be accessed by any Windows programs or software, in an attempt to preserve the working restore point. This means that Anti-Virus scanners will not scan the System Restore folder. However, virus creators are also aware of this and create viruses to reside in the System Restore files so that the Anti-Virus software will be unable to find and remove the threat. To temporarily disable System Restore whilst you scan the system, follow these instructions:
Windows ME -
1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
For further instructions with pictures click the following link -
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
Windows XP -
Click Start.
Right-click the My Computer icon, and then click Properties.
Click the System Restore tab.
Check "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
Click OK.
For further instructions with pictures click the following link -
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Once you have done this and restarted your computer, run a full system scan with the Anti-Virus scanner. This should find any viruses hidden in the System Restore files. If the virus still cannot be removed, you could try running the scan in safe mode. To start the computer in safe mode, follow these instructions:
Restart your computer and when it first powers up (as if you had just pressed the button) repeatedly start pressing the F8 key on your keyboard. Once every second should do it.
You should then be presented with an option to boot into Windows using 'Safe Mode'.
The next time you restart will be the standard Windows boot unless you follow the options again.
More information on safe mode can be found on this website -
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
You should then run another system scan and take note of the results.
If the problem still occurs, there may be a solution offered on the Internet. You can perform a search for the virus name along with words such as 'removal' or 'help'. You may be offered a dedicated removal tool to download. One website that may offer a removal tool, if one is available, is http://www.sarc.com
If the problem persists or you don't wish to follow these steps, contact the PC Disinfection team from the 'contact page' or add a post in the forum.

The most likely ways you will know of an attack will be in the form of some sort of control of your computer that you are not responsible for. A classic example of this is the mouse moving over the screen without your control, or messages being typed on the screen without you pressing the keyboard.
The most important thing to do in this situation is to remove the Internet connection. The best way to do this is remove the physical cable from the computer or router or wall socket. Removing the physical cable means there is no way anyone can attempt to establish a connection to your computer.
Once this has been done, run a full system scan. Trojans and Spyware are the main reason a connection between you and the hackers has been established. If any viruses were found and removed, the chances of you being hacked are slimmer.
If you have a firewall, open up the program and see if there are any settings to increase the security level.
If you are on a large network, contact your superiors immediately, and then get in touch with the network administrators and they can tell you what to do next. In this situation, it is more likely a vulnerability in the network setup, in which case the firewall will be at a loss to help you.
Once you have run a full system scan with your Anti-Virus scanner, the next stage is to run all Windows updates to fix any security vulnerabilities that may allow hackers in through a back door. To run Windows updates, visit -
http://windowsupdate.microsoft.com
If you have been hacked, it is very hard to tell exactly what has been tampered with, so it may be an idea not to back up any files until they have been thoroughly checked, and if possible, not to back them up at all. If you are having serious problems with hacking attacks, it is advisable to fully format the disk and reinstall Windows, which will eliminate any programs or files installed by the hackers. This is quite an extreme method, but does yield failsafe results.
- PC Disinfection Team -
The PC Disinfection team are based in Bristol in the United Kingdom. If you have a problem with a security threat, are concerned about your security level, or have any general questions that are not answered on this website, you can contact the PC Disinfection team and we will respond to you as soon as possible. Please see the contact details page for information on how you can contact us.
We can give you individual support on your problems by e-mail and if necessary, by phone or in person.