
Viruses/Spyware/Malware, preliminary removal instructions

  #1  
Old 12-01-2007, 03:04 AM
Julio
TechSpot Elite
 
Location: Ecuador
Member since: Feb 2002, 3,987 posts
Viruses/Spyware/Malware, preliminary removal instructions

Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

If after reading the above, you wish to clean your system, do the following.

-----------------------------------------------------------------------------------------------------------------------------------
Please make sure you complete all steps in this thread, BEFORE you post the requested log files.

Make sure you read and follow all the STEPS below, otherwise it just makes it that much harder for us to help you effectively.

DO NOT SKIP ANY OF THE INSTRUCTIONS


If you have any problems following any of the instructions, please ask for assistance.


-----------------------------------------------------------------------------------------------------------------------------------
STEP1:


Malware Removal: Temporarily Disable Real Time Monitoring Programs.


This is because some real time protection programmes can interfere with any fixes we are trying to run.

Once your system is clean, you are advised to turn the protection back on.

See these instructions on how to disable some of the more common real time monitoring programmes. Thanks to CastleCops for the info.

------------------------------------------------------------------------------------------------------------------------------------
STEP2:

If you're NOT running any antivirus or firewall software, you should install some ASAP.

Download and install the free AVG or Avast antivirus programmes and either the free Zonealarm, Kerio or Comodo firewall programmes.

Install whichever firewall you chose, followed by whichever antivirus programme you chose. Reboot your system the required number of times. Run the antivirus updates.

ONLY INSTALL THE ABOVE ANTIVIRUS/FIREWALL SOFTWARE IF YOU DON'T ALREADY HAVE ANY ANTIVIRUS OR FIREWALL SOFTWARE.


-----------------------------------------------------------------------------------------------------------------------------------
STEP3:


Run this online virus scanner. You will need to use Internet Explorer for this scanner. It's one of the very few online scanners that will actually disinfect viruses etc. NOTE: If you have any problems with the online scanner, skip it and continue with the rest of the instructions below.

-----------------------------------------------------------------------------------------------------------------------------------
STEP4:

Make sure you have the LATEST version of HJT (currently v2.0.0.2) from HERE.


The above link will download the HijackThis installer. Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. It will also automatically OPEN HJT, close it.

-----------------------------------------------------------------------------------------------------------------------------------
STEP5:

THIS IS VERY IMPORTANT.

Open the C:\Program Files\TrendMicro\HijackThis folder in Program Files. Rename the HijackThis.exe file to Crusty.exe. This is because some malware can hide from HijackThis.exe. Right click the HijackThis.exe file and choose Rename. Click in the title box and press the Delete key to clear what's there, type Crusty.exe and press the Enter key. Right click the Crusty.exe file and choose Send To > Desktop (create shortcut).

Under no circumstances should you add any items to the HJT ignore list.

Do not run a HJT scan, until step15 of this thread.


------------------------------------------------------------------------------------------------------------------------------------
STEP6:


Download and install SuperAntiSpyware OR Malwarebytes' Anti-Malware:

Download\install 'SuperAntiSpyware Home Edition Free Version' from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Once the updates have been installed, exit SuperAntiSpyware.
Scan with SuperAntiSpyware
  • Start SuperAntiSpyware.
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.

    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click on 'Preferences'.
    Click on the 'Statistics/Logs' tab.
    Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad.
    Attach the Notepad file here in your next reply.

Alternatively you can use Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

-----------------------------------------------------------------------------------------------------------------------------------
STEP7:

Download and install the latest version of SS&D from HERE. Make sure you have the latest definition files (updates). Click the Immunize button in the left-hand pane, then click the green Immunize cross in the right-hand pane. Close SS&D. Make sure that during installation the TeaTimer protection is disabled.

-----------------------------------------------------------------------------------------------------------------------------------
STEP8:


Download and install the latest version of Ad-Aware 2008 from HERE. Make sure you have the latest definition files. Close Ad-aware.

-----------------------------------------------------------------------------------------------------------------------------------
STEP9:

Download the CCleaner programme from HERE.

Close all browsers. Run the programme and make sure all the boxes are ticked, including the "Advanced" box under the Windows tab (except for the Old Prefetch Data option, which should be unticked) and the Applications tab, then click the Run Cleaner button. Do this several times.


-----------------------------------------------------------------------------------------------------------------------------------
STEP10:

Download and run these three tools. Follow the instructions for using each tool on the download site for each tool.

Tool1 Tool2 Tool3

-----------------------------------------------------------------------------------------------------------------------------------

Please continue with instructions in the post below.

Last edited by poertner_1274; 12-01-2007 at 08:51 AM.
  #2  
Old 12-01-2007, 03:05 AM
Julio
STEP11:


Download the Panda Antirootkit programme.

Unzip it and run the PAVARK.exe file.

Tick the box that says In depth scan and follow the on screen instructions.

DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know the results.

Let me know the results in your reply.

Please Note: Panda Antirootkit is not compatible with Windows Vista.

If you are running Vista, please download the AVG Antirootkit programme.

Disconnect from the net and install the programme.

Run the programme and tick Indepth scan. Do not have AVG Antirootkit fix anything, instead let me know the results.

Once the scan is finished, reconnect to the net.

-----------------------------------------------------------------------------------------------------------------------------------

STEP12:

Delete all versions of Combofix you may already have.


Download Combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt. Do not post the Combofix log until you have completed the rest of the instructions below.

Please note: If you have any problems with Combofix, please do the following instead.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

Close all other windows before proceeding.

This means TURN OFF ALL other security programmes.
Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please attach main.txt and extra.txt in your next reply.

Re-enable your security programmes and reconnect to the net.

-----------------------------------------------------------------------------------------------------------------------------------

STEP13:


You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run a full system scan with your antivirus programme and delete whatever it finds, including anything in the virus vault.

-----------------------------------------------------------------------------------------------------------------------------------

STEP14:


Run SS&D and fix whatever it finds.

Run Ad-Aware 2008. Click start, uncheck scan for negligible risk entries.
Select perform full system scan and click next, fix whatever it finds.


Make sure all windows are closed.

Run SAS or MBAM.


VERY IMPORTANT

Reboot into normal mode and rehide your protected OS files.

-----------------------------------------------------------------------------------------------------------------------------------

STEP15:

Run HijackThis.


Click on Scan. After the program is done with the scan, click on "Save log". It should be the same button as the "Scan" button you clicked on previously.
Save the log to wherever you want. You can now attach your HJT log without having to rename it as a .txt file.

Attach the HJT logfile as an attachment to a new thread in our Security and the Web forum (unless you've already got a thread here).

See this thread for instructions on how to post a HJT log and your other logs as ATTACHMENTS.

Please note: HJT and any other logs must not be posted as .doc files. This is due to the risk of viruses etc.



Once you've finished these instructions, you should have three log files: the HJT, Combofix and MBAM/SAS logs. They are the only logs we need, unless otherwise requested.

I don't want to see any other log files, unless I specifically request them.

That means no Smitfraud log, no Vundufix log, no VirtumundoBeGone log, or any other kind of damn logs.

Don't forget to let us know the results of the Panda Antirootkit scan.


Let us know what symptoms you're having, if any.

Last edited by poertner_1274; 12-01-2007 at 08:51 AM.
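The two posts above are a manual, click-through procedure, and the most common reason a thread stalls is a step that was skipped (HijackThis not renamed, protected OS files left visible after safe mode, a log missing or posted as .doc). The PowerShell script below is an added example, not part of Julio's posts or of any of the tools named; it only reads the state that steps 5, 13/14 and 15 leave behind and copies the requested logs into one folder for attaching. The HijackThis, ComboFix and Malwarebytes paths are the ones the instructions give; the HJT log location on the desktop is an assumption, since step 15 lets you save it anywhere, and the SAS log is still obtained through the GUI as step 6 describes.

```powershell
# Added example (not from the TechSpot post): read-only checks that the steps
# above were completed, then a copy of the requested logs into one folder.
# Paths come from the instructions; the HJT log location is an assumption.

$hjtDir   = 'C:\Program Files\TrendMicro\HijackThis'
$renamed  = Join-Path $hjtDir 'Crusty.exe'
$original = Join-Path $hjtDir 'HijackThis.exe'

# Step 5: HijackThis.exe should now exist only under the name Crusty.exe.
if ((Test-Path $renamed) -and -not (Test-Path $original)) {
    Write-Host 'Step 5 OK: HijackThis.exe has been renamed to Crusty.exe'
} else {
    Write-Warning 'Step 5 not done: rename HijackThis.exe to Crusty.exe before scanning'
}

# Steps 13/14: Explorer stores its hidden-file options under this key.
#   Hidden          1 = show hidden files and folders, 2 = do not show
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
# After the safe-mode scans both should be back in the hidden state.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey
if ($adv.ShowSuperHidden -eq 1 -or $adv.Hidden -eq 1) {
    Write-Warning 'Step 14 not done: hidden/protected OS files are still visible; rehide them'
} else {
    Write-Host 'Step 14 OK: protected OS files are hidden again'
}

# Step 15: collect the logs the helpers ask for (HJT, ComboFix, MBAM).
$logs  = @('C:\combofix.txt')                                    # step 12 writes it here
$logs += Join-Path $env:USERPROFILE 'Desktop\hijackthis.log'     # assumed HJT save location

# Step 6 names the MBAM log folder under Application Data ($env:APPDATA on XP).
$mbamDir = Join-Path $env:APPDATA "Malwarebytes\Malwarebytes' Anti-Malware\Logs"
if (Test-Path $mbamDir) {
    $latest = Get-ChildItem -Path $mbamDir -Filter 'mbam-log-*.txt' |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) { $logs += $latest.FullName }
}

$dest = Join-Path $env:USERPROFILE 'Desktop\logs-to-post'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($log in $logs) {
    if (-not (Test-Path $log)) { Write-Warning "Missing log: $log"; continue }
    # The post refuses .doc attachments; only plain-text logs are wanted.
    if ([IO.Path]::GetExtension($log) -ieq '.doc') {
        Write-Warning "$log is a .doc file; save logs as plain .txt instead"; continue
    }
    Copy-Item -Path $log -Destination $dest
    Write-Host "Collected $log"
}
Write-Host "Attach the files in $dest to your reply."
```

Run it from a normal PowerShell prompt after finishing step 15. It changes nothing on the machine except creating the logs-to-post folder; the warnings tell you which step to go back to, and the folder holds exactly the three files the helpers want attached.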
  #3  
Old 05-06-2008, 12:51 PM
Julio
Changelog:

* Many, many changes before writing this.
* Step 6, contributed by Blind Dragon. Updated AVG AS for SuperAntiSpyware OR Malwarebytes' Anti-Malware.