You must follow all these steps for posting to the forum! No shortcuts!
Scroll down and view all


We want to help, really!

These instructions will tell you what we need you to run to pre-clean your computer, and which required logs to attach to your post.

This forum is for cleanup of symptomatic infections. It is not to diagnose operating system applications, debate security issues or analyze for the sake of analyzing.

Please follow the instructions below so we may better assist you.

DO NOT RUN COMBOFIX UNLESS ASKED

Those who do not follow this carefully before posting will find their topic closed, moved or removed.


Some malware will try to block programs. If you are unable to get some to run, rename the executable file to a random file name (such as somefile.exe, somefile.scr, etc) and double-click the file to see if it will run.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First make a copy of (or print out) these instructions so you have them handy, as some of the infection cleaning steps will need to be done offline and in Safe Mode.

1. Download, install, update all of these free antispyware programs.


This will remove the most commonly known types of spyware, hijackers and other common malware and will make our job easier.

After installing and updating each one, run the scan to clean in SAFE MODE, offline, with IE closed.

How to start the computer in Safe mode

Windows 98: »support.microsoft.com/kb/180902
Windows XP: »support.microsoft.com/kb/315222
Windows Vista: »windowshelp.microsoft.com/Window···033.mspx

Copy the instructions in the link above for easy use in Safe Mode, since you will not be able to access online information. (Note: Safe Mode with Networking is not recommended.) Copy any other instructions you need to operate the programs you are using so you have them handy.

Download, Install, Scan instructions


Malwarebytes' Anti-Malware (free/donationware):
»www.malwarebytes.org/mbam-download.php

Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
-- If the program won't start, go to MBAM's program folder (normally C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to a random file name (keep the .exe extension) and double-click on it to start the program.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your topic along with a current HijackThis log after running utilities.

Note 1:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Note 2:
Some malware will try to block Malwarebytes' Anti-Malware. If you are unable to get Malwarebytes' Anti-Malware to run, rename the executable file (normally C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe) to a random file name (such as somefile.exe, somefile.scr, etc) and double-click the file to see if it will run.


Spybot Search & Destroy 1.6.2 (free/donationware):
If you already have Spybot, make sure it is the latest version 1.6.2

Download it here:
»www.safer-networking.org/en/down···dex.html

(a) Download and install Spybot S&D.
(b) Click on "Update" in the left column.
(c) Click on "Search for Updates".
(d) Select a download location (usually one close to you).
(e) Click "Download Updates" and wait for the updating process to finish.
(f) Close all programs and reboot into safe mode. Do not open IE.
(g) Click "Search and Destroy" in the left column.
(h) Click "Check for Problems".
(i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
(j) Reboot to normal mode and scan again. Repeat until no more bad (red highlighted) items are found.

Ad-aware AE Free (freeware version for personal use):
»www.lavasoft.com/products/ad_aware_free.php
Note: Windows 2000, XP, and Vista only!

(a) Download and install Ad-Aware AE Free. If you had an older Ad-Aware installed, grant the installer permission to uninstall it when it asks.
(b) As the installation ends, it will check for any program and definition updates needed. Please allow ALL to download and install. Then restart your computer.
(c) Reboot to SAFE MODE. Scan again with Ad-Aware (full system scan).
(d) Wait for the scanning process to complete.
(e) When finished it will present a list of infected items found, if any and a recommended action. Use the *Perform Action Now* button to remove any infected items with a TAI above 3.
(f) Reboot your computer back into normal mode.

If you are running Win2000, WinXP, or Vista download and run these additional freeware scanners to clean for trojans and spyware (Note: These additional tools will not run on Win98/ME).

Windows Defender (Microsoft) (freeware) (XP and Vista Only)
»www.microsoft.com/windows/produc···ult.mspx

(a) Download and install Microsoft Windows Defender (use the recommended settings on installation)
(b) Reboot to SAFE MODE
(c) Choose *Run Quick Scan Now*. Let it scan your system and choose to fix the infections found at the end.
(d) Reboot to normal mode and scan again. Repeat until no further bad items are found.

Complete instructions on using Windows Defender can be found here:
Using Windows Defender
»www.microsoft.com/athome/securit···ult.mspx
Q. Does the version of Windows Defender that is included in Windows Vista provide additional protection?
A. Yes. Windows Defender in Windows Vista offers additional performance and security enhancements including the ability to scan only files that have changed, to run under a security-enhanced account, and to scan files when you run them. Windows Defender will also allow you to scan files as you download them if you use Internet Explorer 7.


Malicious Software Removal Tool
»https://www.microsoft.com/security/malwa···ult.mspx
(Just download and run it - it will remove any malware found)

ONLINE AV SCANS

2. Get a free online Antivirus scan at one or more of the following. This is an important step to do even if you ran your resident AV program, as some malware can disable the program currently installed on your PC. The online AV scanners can sometimes reveal infections your present AV cannot. Use both scanners. Do a full system scan, delete any infected files found, and choose to save the log at the end (we may need to see a copy).

Go here: »www.eset.com/onlinescan to run an online scanner from ESET.

    -Note: If IE doesn't work, try an alternate browser. Firefox & Opera are now supported w/ a downloadable tool. This is found here:

    esetsmartins···.exe.zip 587,671 bytes


    -Tick the box next to YES, I accept the Terms of Use.
    -Click Start
    -When asked, allow the ActiveX control to install
    -Click Start
    -Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    -Click Scan
    -Wait for the scan to finish
    -Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
    -Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems


(Includes 64-bit Platform Support)

Trend Micro Housecall - Free on-line Scan
»housecall.trendmicro.com/

3. If the above steps have solved the problem, please skip the following step. You can refer to this FAQ for additional cleaning, fine-tuning recommendations:
»Security »I think my computer is infected or hijacked. What should I do?

If you are still having a problem: Create a Diagnostic log using HijackThis

(a) Instructions for HijackThis:
* Download Trend Micro Hijack This™
»download.bleepingcomputer.com/hi···tall.exe
Double-click HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

4. Do this only if you are still having a problem and need your HijackThis log analyzed.
Post a new Topic in the Security Cleanup Forum
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.

(a) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.

(b) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? etc...

(c) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail". "I've followed all the steps.", may not be enough information for those who are here to help.

(d) The third paragraph should contain the HijackThis log you copied in step 3.

Also copy and paste in the logs from the online AV scan and Malwarebytes' Anti-Malware



5. Special Problems?
If you can connect to the internet but are having a problem accessing certain security sites, such as those listed in this topic for downloading software and help, you may have a Hijacker that has manipulated your HOSTS file.

To correct this situation, download this free tool called HostsXpert:
»www.funkytoad.com/index.php?opti···temid=31

Unzip the HostsXpert file and double-click on HostsXpert.exe

(1). Press 'Restore Original Hosts' and press 'OK'
(2). Exit Program.

Note: if you were using a custom Hosts file, you will need to replace any of those entries yourself.
If you do not know what a HOSTS file is, you are most likely not using a custom one. If you are on a company computer, check with your system administrator first. For more information on HOSTS file hijacking, see here:


»Security »How do I recover from Hosts file hijacking?
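
To see what a manipulated HOSTS file looks like before restoring it, the following added example (not part of the original FAQ or of HostsXpert) parses hosts-file text and reports any entry that overrides one of the security sites linked in this topic. The function names and the sample file are constructed for illustration; the domain list is taken from the download links above.

```python
import ipaddress

# Domains taken from the download links in this FAQ.
SECURITY_DOMAINS = (
    "malwarebytes.org", "safer-networking.org", "lavasoft.com",
    "eset.com", "trendmicro.com", "microsoft.com",
    "bleepingcomputer.com", "funkytoad.com",
)

# Constructed sample, not taken from a real infection.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # constructed hijack entry
0.0.0.0 eset.com www.eset.com
10.9.8.7        housecall.trendmicro.com
127.0.0.1       ads.example.net
not-an-ip       www.microsoft.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one line may map several names
            yield line_no, str(ip), name.lower().rstrip(".")

def find_hijacked_entries(text, watched=SECURITY_DOMAINS):
    """Return entries that override a watched domain or any of its subdomains."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        # Match on a label boundary so "notmalwarebytes.org" is not flagged.
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((line_no, ip, name))
    return hits

if __name__ == "__main__":
    for line_no, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is forced to {ip}")
```

Any hit is worth investigating regardless of the target address, since a default HOSTS file has no entries for these sites.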





Edit: 13 Sept 2009 by lilhurricane: Support added for Firefox & Opera / downloadable tool found above
Edit: 05 Jul 2009 by TheJoker: Added instruction to rename mbam.exe if program won't start.
Edit: 16 May 2009 by CalamityJane: Fixed Eset online scan link, added Windows Defender is now XP and Vista compatible only.
Edit: 13 Apr 2009 by TheJoker: MBAM instructions updated
Edit: 31 Mar 2009 by CalamityJane: Adjust Ad-Aware instructions, latest v. Ad-Aware AE; Spybot S&D latest v. 1.6.2
Edit: 21 Dec 2008 by CalamityJane: Fixed Windows Defender download link
Edit: 19 Nov 2008 by CalamityJane: Updated Microsoft Malicious Software Removal Tool link
Edit: 18 Nov 2008 by lilhurricane: Funky Toad link to HostsXpert Updated
Edit: 07 Aug 2008 by CalamityJane: (Removed) Ewido - no longer available / winsockfix (outdated)- no longer recommended for operating systems XP SP2 and up
Edit: 27 May 2008 by lilhurricane: Updated links to Safe Mode booting
Edit: 24 April 2008 by CalamityJane:
1. Removed AVG antispyware, no longer available as a standalone spyware scanner.
2. Added Microsoft Malicious Software Removal Tool
3. Added Vista where it was missing in some places
Edit: 03 Apr 2008 by CalamityJane: Updated for Ad-Aware 2007 and Hijackthis (installer version)
Edit: 19 Nov 2007 by lilhurricane: References to MS Anti-Spyware removed (Defender)
Edit: 16 Sep 2007 by CalamityJane: Updated Spybot v.1.5; and HostXpert (formerly "Hoster"); Added Ad-Aware 2007 Free for Vista
Edit: 01 Sep 2007 by CalamityJane: Updated HijackThis instructions for Trend-Micro version.
Edit: 20 July 2008 by lilhurricane: Windows Defender info now includes Vista as a supported operating system

Edit: 08 April 2007 by lilhurricane: Changed link for Safe Mode instruction to point to MS article. Using msconfig in WinXP is not recommended due to the fact that today's new malware sometimes deletes the safeboot key.
Edit: 24 Oct 2006 by CalamityJane: Added eTrust online scanner; removed CWShredder and AboutBuster; Windows Defender is for XP only
Edit: 07 Apr 2006 by CalamityJane: Microsoft Antispyware is now Windows Defender.


by CalamityJane, edited by lilhurricane
last modified: 2009-10-18 20:09:30



over 10 years online! © 1999-2009 dslreports.com.