Malware and Spyware Cleaning Guide, Please read before starting a new topic
admin
post Aug 10 2004, 02:44 PM
Last Updated: August 16, 2009

Is this your first time here? If so, welcome to Geeks to Go!

To access some of the download links provided below, and to post a topic in the forums you first need to register. You may want to print or bookmark this topic to reference later as rebooting may be required.

Malware (spyware, adware, trojans, viruses) is ever increasing in its frequency and in its ability to disguise itself. This forum is a resource for removal of this malicious software (malware). This guide will help you to remove many of the most common problems, and allow us to help you most efficiently. It may look daunting, but shouldn't take long to complete.

Please remember, people helping you here are all volunteers. Be patient, somebody will help you as soon as they become available. We have REAL jobs, families, have other interests, or may live half way around the world. Plus, there may be people in front of you waiting for help. Following the steps below will lighten our work load, and allow us to help more people. Please acknowledge that you've followed the steps in this cleaning guide (or our first reply will likely direct you here).

Finally, please follow your thread to a conclusion. Just because a popup is gone, or a desktop is restored, it does not mean your system is free of malware. It may still be sending spam silently in the background, or even collecting personal information. If you fail to follow your topic to conclusion, your system may not be completely clean, and it will be vulnerable to future infections. When finished, we will post instructions and advice on preventing future infections.

We offer self-help malware removal guides for many common infections, including these:
How to remove Antivirus 2009
How to remove Outerinfo
How to remove Trojan.Zlob-X.a - IEDefender
How-to remove Virtumonde, Trojan.vundo

Preparation:
TFC (Temp File Cleaner) - Download - Homepage
Why? This will remove unneeded temporary files from your system, make automated scans that follow run faster, and save you time. Many infections also load from a temporary file location.
  1. Download TFC to your desktop, or other location.
  2. Save any unsaved work. TFC will close all open application windows.
  3. Double-click TFC.exe to run the program.
  4. If prompted, click "Yes" to reboot.
Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. You will be prompted to reboot only if needed.

System Restore (Windows Vista, XP and ME)
Why? This ensures there's a valid system restore point, in case it's needed. We use a simple program called SysRestorePoint that automates the steps of creating a restore point.
    Create a New System Restore Point:
    1. Download SysRestorePoint to your desktop, or other location.
    2. Double click SysRestorePoint.exe to create a new system restore point.
    3. A box will pop up as it's creating the restore point, and provide notification when complete. When finished, close that window and exit the program.

ERUNT - Download - Homepage
Why? This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.
  1. Download ERUNT
  2. Double-click erunt_setup.exe to run.
  3. Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  4. Say No to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later.
  5. Start ERUNT
  6. Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  7. The first two check boxes are ticked by default (System registry and Current user registry).
  8. Press OK
  9. When prompted, click YES to create a new folder.
  10. Progress bars will show backup status.
  11. A confirmation window will popup when complete. Click OK to close.


Step One: Scan for Spyware/Adware
Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version (freeware) - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.
  1. Double-click mbam-setup.exe and follow the prompts to install the program.
  2. At the end, confirm a check mark is placed next to the following:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  3. Then click Finish.
  4. If an update is found, it will download and install the latest version.
  5. Once the program has loaded, select Perform quick scan, then click Scan.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Be sure that everything is checked, and click Remove Selected.
  8. When completed, a log will open in Notepad. The rogue application should now be gone.
If you need to create a new topic, please paste this log with it.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Extra Note: Do not run a full scan with MBAM. It is not required or needed, and in fact makes our job tougher.

Step Two: Viruses/Trojans
Why? Even the best antispyware programs are only able to remove about 70% of infections. Also, the line between spyware and viruses/trojans is getting blurred. Everyone should have an antivirus application installed on their system. If you don't have an antivirus installed, or if the subscription for yours has expired, see our recommendations for free antivirus applications. If you install an antivirus application, please run a full system scan immediately.

Important note: Geeks to Go highly recommends uninstalling any existing antivirus software BEFORE installing another antivirus application. Antivirus programs often conflict and can cause system slowdowns, crashes, or even leave you unprotected. Only ONE should be installed on a system at any time.

Step Three: Reboot - Test
The steps above will completely clear malware from the majority of systems. Test your system to see how it's working.

If you're still having problems, continue to the next step. Otherwise, read "Preventing Malware and Safe Computing" to prevent future Spyware/Hijack attacks.

Step Four: Rootkit Detection
RootRepeal - Download - Homepage
Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the RootRepeal log as an initial check for the presence of rootkits:
  1. Download RootRepeal.
  2. Double click RootRepeal.exe to start the program
  3. Click on the Report tab at the bottom of the program window
  4. Click the Scan button
  5. In the Select Scan dialog, check:
    1. Drivers
    2. Processes
    3. SSDT
    4. Hidden Services
  6. Click the OK button
  7. In the next dialog, select all drives showing
  8. Click OK to start the scan
    Note: The scan should not take very long. DO NOT run any other programs while the scan is running
  9. When the scan is complete, the Save Report button will become available
  10. Click this and save the report to your Desktop as RootRepeal.txt
  11. Go to File, then Exit to close the program
Please copy and paste the report into your Post.

Step Five: Post an OTL Log
OTL - Download
Why? OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis. The person helping you may have you run other scans or tools after reviewing your logs.

Important note: HijackThis has been replaced by OTL in this guide. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly, or completely from a HijackThis scan. OTL is authored by one of our staff members (OldTimer). It includes all the scan locations of HijackThis and more. It's not only a more comprehensive scan tool, but also offers more powerful removal features.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Note: Don't forget to post your MBAM and RootRepeal log, in addition to the OTL log.
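
One way to see what the "/s /md5" lines in that custom scan ask OTL to do, as an added PowerShell example that is not OTL's own code: it searches the system drive for every copy of the listed driver and DLL names, computes each copy's MD5, and flags a name whose copies do not all share one hash. The function name Get-Md5Hex and the report layout are this example's own; it assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example, not OTL's own code: list every copy of the files named in the custom
# scan above on %SYSTEMDRIVE% with its MD5, mirroring what OTL's "/s /md5" switches report.
# Assumes PowerShell 2.0 or later, run elevated so protected folders are readable.
$names = @('eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll',
           'ntelogon.dll','logevent.dll','iaStor.sys','nvstor.sys','atapi.sys',
           'IdeChnDr.sys','viasraid.sys','AGP440.sys','vaxscsi.sys','nvatabus.sys','viamraid.sys')
$root = $env:SystemDrive + '\'
$md5  = [System.Security.Cryptography.MD5]::Create()

# Hash one file; returns 'UNREADABLE' instead of throwing on a locked or protected file
function Get-Md5Hex([string]$path) {
    $stream = $null
    try {
        $stream = [System.IO.File]::OpenRead($path)
        return (($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '')
    } catch { return 'UNREADABLE' }
    finally { if ($stream) { $stream.Dispose() } }
}

# Recursive search of the system drive; -Force includes hidden/system files such as dllcache
$copies = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($names -contains $_.Name) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name = $_.Name; MD5 = Get-Md5Hex $_.FullName
            Size = $_.Length; Modified = $_.LastWriteTime; Path = $_.FullName
        }
    }

# Report per file name. Copies of one name that do not share a single MD5 are flagged so a
# helper can compare them. A mismatch alone is not proof of infection: Windows updates
# legitimately leave older copies behind (for example in dllcache or WinSxS).
$copies | Group-Object Name | Sort-Object Name | ForEach-Object {
    $distinct = @($_.Group | ForEach-Object { $_.MD5 } | Sort-Object -Unique).Count
    $flag = if ($distinct -gt 1) { '<-- hashes differ, review' } else { '' }
    "{0,-14} copies={1} {2}" -f $_.Name, $_.Count, $flag
    $_.Group | Sort-Object Path | ForEach-Object {
        "    {0}  {1,9} bytes  {2:yyyy-MM-dd}  {3}" -f $_.MD5, $_.Size, $_.Modified, $_.Path
    }
}
```

The script only reads and reports; it changes nothing on the system, so the listing can be pasted alongside the OTL log for comparison.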

Malware and Spyware Removal Forum Rules:
  • Please do NOT post a Combofix log unless requested by the person helping you. Combofix should NEVER be run unless requested. While it's a powerful tool useful for removing a number of infections, things can, and do go wrong. Sometimes systems even refuse to boot. There are safeguards built into Combofix, but only someone trained in its use will be able to help you recover. The logs generated can also be very difficult to interpret properly.
  • Please stay with your original topic when posting follow ups.
  • The "Topic Title" should contain the name of the infection that you are having a problem with e.g. WinTools, http://...sp.html etc. Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections.
  • Tell us if you're having any problems, and please be specific. Let us know what you've already done to fix it (if anything).
  • If you do not understand a step, do not panic, simply ask for direction and information. We will offer any advice necessary to help you.
  • Please only post your topic once. Duplicate posts will be closed, and just create additional work for the staff members trying to help you.
  • Do not create posts at multiple forums. Logs take time to diagnose, and doing this wastes multiple helpers' time, which is already over-stretched. If you do this your topic will be closed.
  • Don't attach your logs unless a helper asks you to, as it is harder for us to read them that way. Post them instead.
Click Here if not yet registered. Click Here to start a new topic and paste your log.

If you would like to learn more about removing malware and spyware, join our GeekU malware removal training program (free). If you're already an expert, and would like to help, please PM the admin.

Please acknowledge that you've followed these required steps (or our first reply will likely direct you here). Please be patient, let us know the results, and remember to thank the helper assisting you.

Thanks!
--
Geeks to Go Malware Removal Staff

This post has been edited by Rorschach112: Today, 06:48 AM
Reason for edit: added OTL custom scan