Malware and Spyware Cleaning Guide, Please read before starting a new topic
admin
post Aug 10 2004, 02:44 PM
Post #1
Last Updated: February 3, 2009

Is this your first time here? If so, welcome to Geeks to Go!

To access some of the download links provided below, and to post a topic in the forums you first need to register. You may want to print or bookmark this topic to reference later as rebooting may be required.

Note: We also offer self-help, malware removal guides for many common infections:
How to fix Google Redirects »
How to remove Internet Security »
...and more »

Malware (Spyware, Adware, Trojans, Viruses) is ever increasing in frequency and in its ability to disguise itself. This forum is a resource for removal of this malicious software (malware). This guide will help you to remove many of the most common problems, and allow us to help you most efficiently. It may look daunting, but shouldn't take long to complete.

Please remember, people helping you here are all volunteers. Be patient, somebody will help you as soon as they become available. We have REAL jobs, families, have other interests, or may live half way around the world. Plus, there may be people in front of you waiting for help. Following the steps below will lighten our work load, and allow us to help more people. Please acknowledge that you've followed the steps in this cleaning guide (or our first reply will likely direct you here).

Finally, please follow your thread to a conclusion. Just because a popup is gone, or a desktop is restored, it does not mean your system is free of malware. It may still be sending spam silently in the background, or even collecting personal information. If you fail to follow your topic to conclusion, your system may not be completely clean, and it will be vulnerable to future infections. When finished, we will post instructions and advice on preventing future infections.

Preparation:
TFC (Temp File Cleaner) - Download - Homepage
Why? This will remove unneeded temporary files from your system, make automated scans that follow run faster, and save you time. Many infections also load from a temporary file location.
  1. Download TFC to your desktop, or other location.
  2. Save any unsaved work. TFC will close all open application windows.
  3. Double-click TFC.exe to run the program.
  4. If prompted, click "Yes" to reboot.
Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

ERUNT - Download - Homepage
Why? This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.
  1. Download ERUNT
  2. Double-click erunt_setup.exe to run.
  3. Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  4. Say No to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later.
  5. Start ERUNT
  6. Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  7. The first two check boxes are ticked by default (System registry and Current user registry).
  8. Press OK
  9. When prompted, click YES to create a new folder.
  10. Progress bars will show backup status.
  11. A confirmation window will popup when complete. Click OK to close.


Step One: Scan for Spyware/Adware
Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version (freeware) - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.
  1. Double-click mbam-setup.exe and follow the prompts to install the program.
  2. At the end, confirm a check mark is placed next to the following:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  3. Then click Finish.
  4. If an update is found, it will download and install the latest version.
  5. Once the program has loaded, select Perform quick scan, then click Scan.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Be sure that everything is checked, and click Remove Selected.
  8. When completed, a log will open in Notepad. The rogue application should now be gone. If you need to create a new topic, please paste this log with it.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Extra Note: Do not run a full scan with MBAM. It is not required or needed, and in fact makes our job tougher.

Step Two: Viruses/Trojans
Why? Even the best antispyware programs are only able to remove about 70% of infections. Also, the line between spyware and viruses/trojans is getting blurred. Everyone should have an antivirus application installed on their system. If you don't have an antivirus installed, or if the subscription for yours has expired, see our recommendations for free antivirus applications. If you install an antivirus application, please run a full system scan immediately.

Important note: Geeks to Go highly recommends uninstalling any existing antivirus software BEFORE installing another antivirus application. Antivirus programs often conflict and can cause system slowdowns, crashes, or even leave you unprotected. Only ONE should be installed on a system at any time.

Step Three: Reboot - Test
The steps above will completely clear malware from the majority of systems. Test your system to see how it's working.

If you're still having problems, continue to the next step. Otherwise, read "Preventing Malware and Safe Computing" to prevent future Spyware/Hijack attacks.

Step Four: Rootkit Detection
GMER Rootkit Scanner - Download - Homepage
Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits:
  1. Extract the contents of the zipped file to desktop.
  2. Double click GMER.exe.
  3. If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  4. In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  5. Then click the Scan button & wait for it to finish.
  6. Once done click on the [Save..] button, and in the File name area, type in "ark.txt".
  7. Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

Step Five: Post an OTL Log
OTL - Download
Why? OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis. The person helping you may have you run other scans or tools after reviewing your logs.

Important note: HijackThis has been replaced by OTL in this guide. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly, or completely from a HijackThis scan. OTL is authored by one of our staff members (OldTimer). It includes all the scan locations of HijackThis and more. It's not only a more comprehensive scan tool, but also offers more powerful removal features.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Note: Don't forget to post your MBAM and GMER log, in addition to the OTL log.
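The /md5start ... /md5stop section of the custom scan above lists core system files (drivers, logon and event log libraries) whose MD5 hashes OTL records so a helper can spot a patched or replaced system file. As an added illustration, not OTL's own code, the script below parses that section out of a constructed copy of the scan block and hashes each listed file it can find under a given root, reporting files that are missing. The search order (system32 before drivers) and the constructed directory tree are assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Constructed, shortened copy of the guide's custom-scan block (not OTL's code).
OTL_CUSTOM_SCAN = """netsvcs
%SYSTEMDRIVE%\\*.exe
/md5start
eventlog.dll
scecli.dll
atapi.sys
/md5stop
%systemroot%\\*. /mp /s
CREATERESTOREPOINT
"""


def parse_md5_list(block):
    """Return the file names listed between /md5start and /md5stop, in order."""
    names, inside = [], False
    for raw in block.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def md5_of_file(path):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_system_files(names, search_dirs):
    """Map each name to (path, size, md5) for the first directory that has it,
    or None when the file is absent everywhere (a missing system file is itself
    worth reporting). Directory order is the assumed search order."""
    results = {}
    for name in names:
        results[name] = None
        for d in search_dirs:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                results[name] = (p, os.path.getsize(p), md5_of_file(p))
                break
    return results


def demo():
    """Run the check over a constructed tree: atapi.sys present, eventlog.dll absent."""
    root = tempfile.mkdtemp()
    sys32, drivers = os.path.join(root, "system32"), os.path.join(root, "drivers")
    os.makedirs(sys32), os.makedirs(drivers)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(b"abc")  # constructed content, not a real driver
    with open(os.path.join(sys32, "scecli.dll"), "wb") as f:
        f.write(b"constructed library")
    return hash_system_files(parse_md5_list(OTL_CUSTOM_SCAN), [sys32, drivers])
```

On a real machine, pass [os.path.join(os.environ["SystemRoot"], "system32"), os.path.join(os.environ["SystemRoot"], "system32", "drivers")] as the search directories and compare the hashes against a known-good copy of the same Windows build.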

Malware and Spyware Removal Forum Rules:
  • Please do NOT post a Combofix log unless requested by the person helping you. Combofix should NEVER be run unless requested. While it's a powerful tool useful for removing a number of infections, things can, and do go wrong. Sometimes systems even refuse to boot. There are safeguards built into Combofix, but only someone trained in its use will be able to help you recover. The logs generated can also be very difficult to interpret properly.
  • Please stay with your original topic when posting follow ups.
  • The "Topic Title" should contain the name of the infection that you are having a problem with e.g. WinTools, http://...sp.html etc. Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections.
  • Tell us if you're having any problems, and please be specific. Let us know what you've already done to fix it (if anything).
  • If you do not understand a step, do not panic, simply ask for direction and information. We will offer any advice necessary to help you.
  • Please only post your topic once. Duplicate posts will be closed, and just create additional work for the staff members trying to help you.
  • Do not create posts at multiple forums. Logs take time to diagnose, and doing this will waste multiple helpers time which is already over-stretched. If you do this your topic will be closed.
  • Don't attach your logs unless a helper asks you to, as it is harder for us to read them that way. Post them instead.
Click Here if not yet registered. Click Here to start a new topic and paste your log.

If you would like to learn more about removing malware and spyware, join our GeekU malware removal training program (free). If you're already an expert, and would like to help, please PM the admin.

Please acknowledge that you've followed these required steps (or our first reply will likely direct you here). Please be patient, let us know the results, and remember to thank the helper assisting you.


Thanks!
--
Geeks to Go Malware Removal Staff

This post has been edited by admin: Feb 3 2010, 02:46 PM