Computer Hope

Author Topic: Read this before requesting malware removal help  (Read 44724 times)
evilfantasy
« on: November 09, 2007, 10:57:13 PM »

Computer Hope Virus and Spyware section Guidelines

Contents:
Post 1 - Guidelines by patio
Post 2 - Malware Removal Guide
Post 3 - How to add attachments to a post


First of all, welcome to Computer Hope.

Unfortunately, you have landed here because of an infection of some sort.  We wish the circumstances would have been better, but it is what it is.

There are some things we require of you first so that the cleanup process is hopefully both fast and efficient.

At a minimum you must have a current Anti-Virus program installed and if running XP, you need to have at least SP1a installed as well.  Because of the nature of more sophisticated malware, this is not negotiable.  Without SP1a or higher, it would be pointless to even try helping you.  If you do not have SP1a installed on your computer, please get it from the following link...
http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&displaylang=en

NOTE:  SP2 is an important update that you should have.  However, if you don't already have SP2 installed on your computer, please don't do so until you have been instructed by one of our designated Malware Removal Specialists.  Installing this update on an infected computer could end up causing more harm than good.

Also required is to follow ALL steps as outlined to you in the order they are requested.  This may not make immediate sense to you, but it is done for a reason...a quick efficient resolution to your problems.

Under no circumstances should you attempt to fix things by following another log and doing it yourself.  This can only lead to more problems and possibly an un-bootable system.  Every machine and every infection is unique and this method will only cause more problems.

If this is a machine at your place of Business, we need to be informed beforehand.  This is also not negotiable and we will not be responsible should you fail to do so.

We also request patience.  The Experts here are Volunteers and are not here 24/7.  This is not a live session either.  If it takes a few hours or overnight for them to get back to you, trust me it is worth the wait.  See here why not to bump your thread.  And once you have been given the all-clear, be sure to stick around until your Helper clearly concludes the issue, as they may have some additional steps and advice for you to follow.  Just because you have been cleaned of an infection, that doesn't always mean the work is over.

If you receive advice from someone other than the approved Malware Removal Specialists, you do so at your own risk. We are not responsible if you take potentially inaccurate/harmful advice from someone who is not a designated helper. Anyone interested in joining the crew must have a good amount of experience and submit references to CBMatt (Chris) in a PM. References will be checked. Others posting advice without approval are subject to have their posts removed immediately as the wrong advice is too risky. We welcome new helpers so if you are interested see this post: Would you like to learn to fight malware?

That being said, Travel Here for evilfantasy's Guide to Getting Started.

And last but not least, please remember after you have left the World of Despair you were in, a simple Thank You to the Experts is always a nice touch.  If we've helped, feel free to recommend us.




This disclaimer courtesy of the one and only patio.
-CBMatt
« Last Edit: November 29, 2008, 01:13:39 PM by evilfantasy »

evilfantasy
« Reply #1 on: November 20, 2007, 10:13:00 AM »

Malware Removal Steps

Below are steps to begin the malware removal process. The steps will produce three logs which are requested to be added in your post.

* Important: Work the steps in order.
* If you don't understand a step stop and ask!
* Keep all questions/replies in the same thread.
* Continue to respond until given the all clear.
* Be patient: Malware removal can be just as time consuming and stressful for us as it is for you.
* Remember: Just because the symptoms may be gone does not promise that all of the malware is. It is strongly suggested to continue in posting all requested logs until given the all clear. You will then receive final cleanup steps specific to your PC, links to programs and advice to help you prevent infections in the future.

If for some reason you cannot perform one of the steps, move on to the next step and make note of what happened when posting your logs.

Quote
Spybot TeaTimer Users Only

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis and other tools we use to remove malware.

Please disable TeaTimer now and leave it OFF until we are done cleaning the computer.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol) and choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt, and Restart your computer.

Note:
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

With both TeaTimer and Spybot closed download ResetTeaTimer.zip to the Desktop.
Unzip the file to the Desktop.
Double click ResetTeaTimer.bat to remove all entries set by Spybot's TeaTimer.

Delete ResetTeaTimer.zip and ResetTeaTimer.bat when complete.

If TeaTimer will not turn off go to Start > Control Panel > Add or Remove Programs and uninstall Spybot - Search & Destroy

It can be re-installed when we are done cleaning the computer.

Step A: Antivirus

Step A is for people who say yes to either of the following:

1) You do not have an antivirus installed.
2) You have an antivirus program or Security Suite that is expired.

If the answer to either of the above is yes:
Download one of the free antivirus programs listed below.
AVG Users Only: If you still use AVG 7.5 you should update to the new AVG 8.0 now before continuing. AVG 7.5 is no longer supported by Grisoft so your PC is at risk! AVG 7.5 Free - Support ends 31/08/2008

Important: Uninstall any old/outdated antivirus program(s), including Security Suites before upgrading or replacing with a new one.
Install the new antivirus and make sure it is updated.
Do a full system scan and remove or quarantine everything found.
Continue on to Step One.

You should only have one antivirus and one firewall active at any time. If you have two of either installed then only ONE should be running. Either uninstall one now before continuing or adjust the settings to where the real-time protection is not running. Having two running at the same time will just cause problems.


Step 1: Add or Remove Programs

1. Click on the Windows Start button and click on the Control Panel
2. In the Control Panel window, double-click Add or Remove Programs icon.
3. When the Add or Remove Programs window has fully populated, check for any unknown or suspicious looking programs.
4. Do not uninstall anything you may be unsure of.
5. Post the details of unknown or suspicious programs when creating a thread and we will advise on which to uninstall.

For a list of Malware applications that can be found in Add or Remove Programs follow this link. Uninstall Malware via Add or Remove Programs

Programs to look for are adware/spyware toolbars (not Google, AOL, MSN or Yahoo) or security programs you did not install.


Step 2: House Cleaning

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced and uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution:
Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes.

Exit CCleaner after it has completed its process.

Step 3: SUPERAntiSpyware

Download SUPERAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  • Please leave the others unchecked
  • Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
  • To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post


Step 4: Malwarebytes' Anti-Malware (MBAM)

Download Malwarebytes Anti-Malware and save it to your desktop. Alternate download link (.exe)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.
  • The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.
  • Copy and Paste the contents of the report in your reply.
  • Exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 5: Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment

Be sure to close ALL open web browsers before starting the installation.

Remove any old version

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.


Step 6: HijackThis

Please run HijackThis only after the above steps have been completed

Download and rename HijackThis.exe (HJT)

* Double-click on HJTInstall.
* Click on the Install button.
* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
* Upon install, HijackThis should open for you.

  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
* From the desktop open HijackThis.
* If using Windows Vista, Right-click and Run As Administrator.
* Click on the Do a system scan and save a log file button
* HijackThis will scan and then a log will open in notepad.
  • Copy and Paste the entire contents of the log in your post.
    Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.


Posting The Logs

Please give details. Just posting the logs in many instances is not enough information for us.

Post the logs in the Computer Viruses and Spyware forum.

Logs needed:

SuperAntispyware
Malwarebytes' Anti-Malware
HijackThis


« Last Edit: October 21, 2008, 11:35:06 PM by evilfantasy »

evilfantasy
« Reply #2 on: January 29, 2008, 07:23:48 PM »

How to attach logs in a post

Save the log to somewhere you can easily find it. (usually the desktop)

To do this, from within Notepad go to the top of the page and select File > Save As..., enter the file name and click Save. Be sure the desktop is the location selected to save to.
Please save all files as Text Documents (.txt)

Posting the log

1. Below the text box click Additional Options...
1.1  If replying in a thread, before putting text into the reply box select Preview



2. Click Browse
3. Locate the file you want to attach and double click it to enter it into the window.
4. If you have more than one log click (more attachments) and a new window will open for adding another log.

If the log is too big to attach.

Upload the file to Savefile.com
There is no need to Register
Select Browse and locate the file.
Fill in the Title and Description and security code then click Upload
Copy the download link next to Your link to the file: and post the link in your reply.
« Last Edit: September 04, 2008, 12:59:36 PM by evilfantasy »

evilfantasy
« Reply #3 on: November 04, 2008, 07:52:31 PM »

Bump for placement