New Preliminary Removal Instructions - do you see any errors?

By Blind Dragon ยท 43 replies
Jul 30, 2008
  1. Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    If after reading the above, you wish to clean your system, do the following.


    Step 1

    Temporarily Disable Real Time Monitoring Programs

    This is because some real time protection programs can interfere with any fixes we are trying to run.

    Once your system is clean, you are advised to turn the protection back on.

    See these instructions on how to disable some of the more common real time monitoring programs. Thanks to CastleCops for the info.

    If you have other protection that may need disabled feel free to ask in your thread in the security section.


    Step 2

    If you`re NOT running any antivirus or firewall software, you should install some ASAP If you already have an Anti-virus program - please be sure to check for updates and run a full scan of your system - Please note anything that it finds in your thread.

    Recommended Free Anti Virus:
    Avira Free
    Avast Free

    Recommended Free Firewall:


    Step 3

    [​IMG]ATF Cleaner by Atribune

    • Please download ATF Cleaner to your desktop from HERE
    • Double-click ATF Cleaner.exe to open it. Vista users: Right Click and Select Run as Administrator

    • Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.

    • Firefox or Opera installed:
      Click Firefox or Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.


    Step 4

    [​IMG]Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware from from Here or Here
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Step 5

    [​IMG]SuperAntiSpyware Home Edition Free Version

    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it,then press 'Next'.
    • Click on 'Finish' when you've done.

      It's possible that the program will ask you to reboot in order to delete some files.

      Obtain the SuperAntiSpyware log as follows:
      Click on 'Preferences'.
      Click on the 'Statistics/Logs' tab.
      Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
      It will then open in your default text editor,such as Notepad.
      Attach the notepad file here on your reply


    Step 6

    [​IMG]Update your Java Runtime Environment

    Many types of malware like to exploit out of date Java versions!

    • First Verify that your version is up to date by clicking HERE

      If you need to update your version:
    • Click Start -> Control Panel -> Double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • When it finds the newer version - Follow the on screen instructions (uncheck the yahoo toolbar option)
    • After it installs the newest version Go back to Start -> Control Panel -> Add/remove programs (programs and features in vista)
    • Uninstall any older versions of Java except the most current update that you just installed

    You can manually install the most recent version of Java through this link -> Java Runtime Environment Make sure to scroll down to Java Runtime Environment


    Step 7

    [​IMG]Highjackthis Instructions
    • Only do this step after completing the previous steps
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your logs onto the forums


    Step 8

    Attach the requested logs
    1) Malwarebytes Anti Malware log
    2) SuperAntiSpyware log
    3) Hijackthis log

    Attachment Instructions
    • ONLY attach .txt or .log files, that mean NO .doc or word files
    • We prefer you to attach the logs into the thread, but if you have trouble with that, you are permitted to copy and paste them into your thread
    • To attach a log click on New Thread (or use Post Reply in an existing thread).
    • Scroll down until you see a button Manage Attachments. Click on that and a popup-window opens.
    • Click on the Browse button, find the requested log file, and doubleclick on it.
    • Now click on the Upload button in the popup. When done, click on the Close this window button.
    • Please Note: you can attach more than one file to a post by repeating the above steps.

    !!!Also remember to tell us any symptoms that you may be having !!!
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Good, but...


    I still believe that IE users should run:

    How to use Reset Internet Explorer Settings (RIES)

    To use RIES in Internet Explorer 7, follow these steps:

    1. Click the Tools menu, and then click Internet Options.
    2. On the Advanced tab, click Reset.
    3. In the Reset Internet Explorer Settings dialog box, click Reset.
    4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
    5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

    Note for users who cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.

    Startup Control Panel:
    Disable any not required Startups
    Ideally these Startups should be disabled in the associated program settings

    Windows Update:
    Yes that's right, many faults are caused by not having all the Windows Updates completed. It also secures users from being attacked by other insecurities.
    ie. All Service Packs should be installed

    Using these tools will reduce the HJT log significantly in size (Before they run the HJT log, or actually any log!)
    And may avoid the user from creating a new thread in the first place
    i.e. We may not require any logs, if the fault is fixed

    The instructions should serve as an option to help users completely, and possibly not require any more support
  3. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Thank you for the review and Good points -

    My thinking is slightly different on some of those topics

    As far as startups - those are easily seen in the hjt log and can be removed with 2 clicks after seeing the log - without additional software.

    I do suggest removing certain things from starting up at the same time I have them fix the bad entries. 04 entries in the logs correspond to the startup registry entries - simply fix the entry and the program doesn't load anymore when you boot.


    Windows update you have to be careful as you don't want them to update their service pack on an infected machine - I save this for after checking that everything is clean - as part of the your all clean speech this is how to stay that way


    I still want users to post a log regardless if the errors are gone or not - This is for a few reasons
    1) To make sure instructions were properly followed
    2) A lot of malware can't be removed automatically.
    3) To make sure that their security is satisfactory to reduce the risk of future infections.
    4) I removed some of the hardcore tools from the preliminary removal because I feel they should only be used when necessary with proper instructions. Not everyone should be running these (ie smitfruadfix, vundofix) However, in some cases they are a must

    I think this still all goes back to our previous disagreement - I think that removing all malware and securing the system from future infection is the way things should be done - this way they post, we solve, and they don't come back. You seem to want to remove the most obvious symptoms then they don't even post - I think that will end up in worse problems for them in the future.

    There is a difference between removing symptoms and removing malware
  4. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069


    Some of those thing you can add to your prevention speech. Just because they are not really need as an objective to remove malware. But I would add them to my prevention speech

    Blind Dragon:

    Nice alot better, easier for users
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Step #2

    Should be stated to update their Antivirus fully (sometimes even requires restart on big AntiVirus updates)

    Then run a full scan (and remove any/all found infections)

    Just as the other steps advise to do.

    Maybe a note on uninstalling Norton AV :) Sorry that's a joke :)
  6. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    Yes but I think that can be at the end or we can advice if we see that they need to you dont always have to it is best to
  7. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Going to add this
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  9. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    I looked at that, and it seems a little harsh. The only thing I meant to include which I forgot was not to attach .doc files
  10. CCT

    CCT TS Evangelist Posts: 2,653   +6

    Step 6 - Java. Personally, I don't have it installed. For malware removal purposes, I would think just deleting all instances and files re java would be good then after the cleanout re-install the latest version from the most reliable source.

    imo anyway
  11. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    thx CCT I updated it to show a manual install option - I don't want to say uninstall in every case as many people will already have the most current version and can skip the step altogether
  12. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Sun Java

    I recommend your Sun Java "Recommendations" be "split" into 2 different
    "Sections" . The One you posted is for those with OSs XP SP2 or later .

    I happened to still be using XP SP1 and for that OS and earlier Editions, the
    5.0 or 1.5 Series should be used, which is available at .
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Antivirus section still not updated

    Note: it is generally accepted to do a full Antivirus regularly
  14. adu123

    adu123 TS Maniac Posts: 278

  15. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    First of all, thank you for the comments...

    I added this...

    "if you already have an Anti-virus program - please be sure to check for updates and run a full scan of your system - Please note anything that it finds in your thread."

    In the all clean speech - we usually note to use and anti-virus, update it regularly, and scan regularly - so I don't see that part being needed twice. We give examples of how to stay clean


    Good thinking - I thought about that too - and think it would be better to advise the online scan for a 2nd opinion after we think we have everything removed - this is a good way to check our work and will either A) Confirm that you got everything or B) Make you question yourself and go back through the other logs.
  16. adu123

    adu123 TS Maniac Posts: 278

    Yeah, but why not advise them to run the online scan while they are infected?? Isn't the better way to find out the infection?

    also, I noticed some people open mutiple thread for the same problem. Why not include "Don't open mutiple thread for the same problem" at the end? It will make the helper's work easier:)
  17. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    The reason is because not all infections require it and if you know what you are looking for you can easily fix it with out an extra step. The whole point of revising this was to make it shorter and easier for the user.

    That we can add but put is this way it is par of the rules to not open multiple threads and they still dont follow :) get my point
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    All of you- nice job! If nothing else gets done, here is one thing that really needs to be stressed:
    Someone actually tried to post the HijackThis log by copy and paste, not attach and she kept timing out. Needless to say, the log wasn't complete and she had what seems like about 100 programs installed.-that's all she managed to get on I suggested she review the programs, uninstall what wasn't being used, run the current HijackThis and attach the log. She was quoting something about not being able to do that until she had 5 posts on the boards- I know there's a misunderstanding there.

    I think all of you who go through the malware cleaning with the patience that you do should be commended. It is not an easy tasks and must be very time consuming.
  19. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Thank you sir. The 5 post thing is when they try to copy and paste a log - the forum tells them they can not post links until 5 post or more - that means there is links in their log
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I can't find the post that I'm referring to- the person quoted the messages she was getting. Part was about the 5 post restriction plus she was timing out somehow on the site.

    Somehow it just isn't clear enough about attaching the logs instead of pasting.
  21. Blind Dragon

    Blind Dragon TS Evangelist Topic Starter Posts: 3,908

    Maybe that could use it's own page with pictures
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Hey, whatever you can do to make the point! Some get it, others don't!
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Is reasonable

    could be:

    Step 8

    Attach [​IMG] the requested logs

    That may help, and the pic does not fall into the maximum allowed problem
  24. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    He already has that part I think it is fine the way it is. The whole point of this was to make it easier for the user to follow & not to make it complex the way it is right now. Trust me half the tools on the current MR guide do not even have to be run, it was not intended for people that do not know how to use them. It is better if we advice them to use it when needed because the truth is if they use it and don't know how to use it right they can damage they OS. This is nothing bad to anyone do not think I am blasting some one. :)

  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Frankly, I suggest revising this: "We prefer you to attach the logs into the thread, but if you have trouble with that, you are permitted to copy and paste them into your thread"

    Instead, tell then "exactly" "how" to attach the log- leave out the 'paste is okay' part!

    Somehow the difference in attaching logs and posting URLs isn't getting through to some. I really wish I had saved a copy of the post I referred to. It's apparently been removed- nothing could have been done with it as it was. I was looking at yt another log pasted into a past earlier today.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...