Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

If after reading the above, you wish to clean your system, do the following.

=========================================================

Step 1

Temporarily Disable Real Time Monitoring Programs

This is because some real time protection programs can interfere with any fixes we are trying to run.

Once your system is clean, you are advised to turn the protection back on.

See these instructions on how to disable some of the more common real time monitoring programs. Thanks to CastleCops for the info.

If you have other protection that may need disabled feel free to ask in your thread in the security section.

=========================================================

Step 2

If you`re NOT running any antivirus or firewall software, you should install some ASAP If you already have an Anti-virus program - please be sure to check for updates and run a full scan of your system - Please note anything that it finds in your thread.

Recommended Free Anti Virus:
Avira Free
Avast Free

Recommended Free Firewall:
Comodo
Zonealarm

=======================================================

Step 3

ATF Cleaner by Atribune

• Please download ATF Cleaner to your desktop from HERE
  
• Double-click ATF Cleaner.exe to open it. Vista users: Right Click and Select Run as Administrator

• Under Main choose:
  Windows Temp
  Current User Temp
  All Users Temp
  Cookies
  Temporary Internet Files
  Prefetch
  Java Cache
  *The other boxes are optional*
  Then click the Empty Selected button.

• Firefox or Opera installed:
  Click Firefox or Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  
  Click Exit on the Main menu to close the program.

=======================================================

Step 4

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware from from Here or Here
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach this log with your reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

======================================================

Step 5

SuperAntiSpyware Home Edition Free Version

• Please download SuperAntiSpyware from HERE
• Launch SuperAntiSpyware and click on 'Check for updates'.
• Wait for the updates to be installed
• On the main screen click on 'Scan your computer'.
• Check: 'Perform Complete Scan then Click 'Next' to start the scan.
• Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
• Make sure everything found has a checkmark next to it,then press 'Next'.
• Click on 'Finish' when you've done.
  
  It's possible that the program will ask you to reboot in order to delete some files.
  
  Obtain the SuperAntiSpyware log as follows:
  Click on 'Preferences'.
  Click on the 'Statistics/Logs' tab.
  Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
  It will then open in your default text editor,such as Notepad.
  Attach the notepad file here on your reply

=======================================================

Step 6

Update your Java Runtime Environment

Many types of malware like to exploit out of date Java versions!

• First Verify that your version is up to date by clicking HERE
  
  If you need to update your version:
• Click Start -> Control Panel -> Double click Java
• Select the Update Tab at the top of the Java console
• Click the Check for Updates button at the bottom
• When it finds the newer version - Follow the on screen instructions (uncheck the yahoo toolbar option)
• After it installs the newest version Go back to Start -> Control Panel -> Add/remove programs (programs and features in vista)
• Uninstall any older versions of Java except the most current update that you just installed

You can manually install the most recent version of Java through this link -> Java Runtime Environment Make sure to scroll down to Java Runtime Environment

=======================================================

Step 7

Highjackthis Instructions

• Only do this step after completing the previous steps
• Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
• Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
• After installing, the program launches automatically, select Scan now and save a log
• After the scan is complete please attach your logs onto the forums

==========================================================

Step 8

Attach the requested logs
1) Malwarebytes Anti Malware log
2) SuperAntiSpyware log
3) Hijackthis log

Attachment Instructions

• ONLY attach .txt or .log files, that mean NO .doc or word files
• We prefer you to attach the logs into the thread, but if you have trouble with that, you are permitted to copy and paste them into your thread
• To attach a log click on New Thread (or use Post Reply in an existing thread).
• Scroll down until you see a button Manage Attachments. Click on that and a popup-window opens.
• Click on the Browse button, find the requested log file, and doubleclick on it.
• Now click on the Upload button in the popup. When done, click on the Close this window button.
• Please Note: you can attach more than one file to a post by repeating the above steps.

!!!Also remember to tell us any symptoms that you may be having !!!

Good, but...

1.

I still believe that IE users should run:

How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note for users who cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.

2.
Startup Control Panel: http://www.mlin.net/StartupCPL.shtml
Disable any not required Startups
Ideally these Startups should be disabled in the associated program settings

3.
Windows Update: http://windowsupdate.microsoft.com/
Yes that's right, many faults are caused by not having all the Windows Updates completed. It also secures users from being attacked by other insecurities.
ie. All Service Packs should be installed
---------------------------------------------------------------------------------------------

Using these tools will reduce the HJT log significantly in size (Before they run the HJT log, or actually any log!)
And may avoid the user from creating a new thread in the first place
i.e. We may not require any logs, if the fault is fixed

The instructions should serve as an option to help users completely, and possibly not require any more support

Thank you for the review and Good points -

My thinking is slightly different on some of those topics

As far as startups - those are easily seen in the hjt log and can be removed with 2 clicks after seeing the log - without additional software.

I do suggest removing certain things from starting up at the same time I have them fix the bad entries. 04 entries in the logs correspond to the startup registry entries - simply fix the entry and the program doesn't load anymore when you boot.

-------------------------------------------------------

Windows update you have to be careful as you don't want them to update their service pack on an infected machine - I save this for after checking that everything is clean - as part of the your all clean speech this is how to stay that way

--------------------------------------------------------

I still want users to post a log regardless if the errors are gone or not - This is for a few reasons
1) To make sure instructions were properly followed
2) A lot of malware can't be removed automatically.
3) To make sure that their security is satisfactory to reduce the risk of future infections.
4) I removed some of the hardcore tools from the preliminary removal because I feel they should only be used when necessary with proper instructions. Not everyone should be running these (ie smitfruadfix, vundofix) However, in some cases they are a must

I think this still all goes back to our previous disagreement - I think that removing all malware and securing the system from future infection is the way things should be done - this way they post, we solve, and they don't come back. You seem to want to remove the most obvious symptoms then they don't even post - I think that will end up in worse problems for them in the future.

There is a difference between removing symptoms and removing malware

kimsland:

Some of those thing you can add to your prevention speech. Just because they are not really need as an objective to remove malware. But I would add them to my prevention speech

Blind Dragon:

Nice alot better, easier for users

Step #2

Should be stated to update their Antivirus fully (sometimes even requires restart on big AntiVirus updates)

Then run a full scan (and remove any/all found infections)

Just as the other steps advise to do.

Maybe a note on uninstalling Norton AV Sorry that's a joke

Yes but I think that can be at the end or we can advice if we see that they need to you dont always have to it is best to

Going to add this

RealBlackStuff has already created a How to post your Hijackthis log-file as an attachment thread.

This may be linked to Step #8 3) Hijackthis log, as a good measure.

His post and HJT download are current (strangely)

I looked at that, and it seems a little harsh. The only thing I meant to include which I forgot was not to attach .doc files

Step 6 - Java. Personally, I don't have it installed. For malware removal purposes, I would think just deleting all instances and files re java would be good then after the cleanout re-install the latest version from the most reliable source.

imo anyway

thx CCT I updated it to show a manual install option - I don't want to say uninstall in every case as many people will already have the most current version and can skip the step altogether

I recommend your Sun Java "Recommendations" be "split" into 2 different
"Sections" . The One you posted is for those with OSs XP SP2 or later .

I happened to still be using XP SP1 and for that OS and earlier Editions, the
5.0 or 1.5 Series should be used, which is available at
http://java.sun.com/javase/downloads/index_jdk5.jsp .

Antivirus section still not updated

Note: it is generally accepted to do a full Antivirus regularly

Nice job Blind Dragon, I think some online anti-virus/spyware scanner should be added here, like Kaspersky Online Scanner and Trend Micro Housecall. Just a thought.

First of all, thank you for the comments...

I would say 1 or 2 out of 100 people that we help have pre XP SP2 OS - In my opinion not worth changing the instructions over - the idea was to simplify them for users from the previous instructions - I feel that in these cases we can advise the user on what to do verses complicating the instructions for the majority

--------------------------------------------------------------------

I added this...

"if you already have an Anti-virus program - please be sure to check for updates and run a full scan of your system - Please note anything that it finds in your thread."

In the all clean speech - we usually note to use and anti-virus, update it regularly, and scan regularly - so I don't see that part being needed twice. We give examples of how to stay clean

-------------------------------------------------------------------

Good thinking - I thought about that too - and think it would be better to advise the online scan for a 2nd opinion after we think we have everything removed - this is a good way to check our work and will either A) Confirm that you got everything or B) Make you question yourself and go back through the other logs.

Yeah, but why not advise them to run the online scan while they are infected?? Isn't the better way to find out the infection?

also, I noticed some people open mutiple thread for the same problem. Why not include "Don't open mutiple thread for the same problem" at the end? It will make the helper's work easier

The reason is because not all infections require it and if you know what you are looking for you can easily fix it with out an extra step. The whole point of revising this was to make it shorter and easier for the user.

That we can add but put is this way it is par of the rules to not open multiple threads and they still dont follow get my point

All of you- nice job! If nothing else gets done, here is one thing that really needs to be stressed:
Someone actually tried to post the HijackThis log by copy and paste, not attach and she kept timing out. Needless to say, the log wasn't complete and she had what seems like about 100 programs installed.-that's all she managed to get on I suggested she review the programs, uninstall what wasn't being used, run the current HijackThis and attach the log. She was quoting something about not being able to do that until she had 5 posts on the boards- I know there's a misunderstanding there.

I think all of you who go through the malware cleaning with the patience that you do should be commended. It is not an easy tasks and must be very time consuming.

Thank you sir. The 5 post thing is when they try to copy and paste a log - the forum tells them they can not post links until 5 post or more - that means there is links in their log

I can't find the post that I'm referring to- the person quoted the messages she was getting. Part was about the 5 post restriction plus she was timing out somehow on the site.

Somehow it just isn't clear enough about attaching the logs instead of pasting.