Welcome to The Spykiller

You need to register to get help with malware cleaning on your computer, to take part in the general discussion forums, and to upload files that have been requested from other forums. Unfortunately we are getting massive spam attacks from allowing guest postings to uploads.
It takes a very long time and a lot of hard work on our part to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of our time is spent helping you.

 INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Author Topic: INSTRUCTIONS - Read This Before Posting For Malware Removal Help  (Read 26318 times)

Offline Derek

  • Administrator
  • Posts: 11927
Virus/Trojan/Spyware Removal Help

* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. Do not run any specialized tools that you see being used in other threads without direct supervision from one of our trained analysts. Be advised that running any specialized tools not listed in this topic, on your own, is done solely at your own risk.
* It is also this forum's policy that we only help users with a legal copy of Windows.  If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

==================================================
Change Your Login and Passwords to Financial Sites
==================================================

Many infections that the commercial scanners are failing to remove are the type of infections that allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all logins and passwords where applicable. It would be wise to contact those same financial institutions to apprise them of your situation. Please refer to Microsoft's Online Safety article for tips on creating a strong password.
I strongly recommend using ROBOFORM, which keeps all passwords in a secure encrypted database that only you (not a keylogger or malware) can access, and using it to create safe, secure passwords.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.


===========================================
Preparing for the Malware Removal Process
===========================================

While we try our hardest to avoid them, accidents do happen. With today's malware being as it is, we will not be held responsible for any loss of your data. You're following the instructions given at your own risk. We recommend that you back up any data that’s important to you beforehand, just in case the worst happens.

1. As a general rule, to offset any unexpected mishaps, your personal data should be backed up regularly. If you do not already have a process in place that backs up your data, it is highly recommended you do this now. Click here for guidelines on what to back up and how to do it.

2. Uninstall the following via Add or Remove Programs in Control Panel:
  • If you have more than one antivirus software installed, leave only ONE and uninstall the others.
  • CD emulation software, such as DAEMON Tools or Alcohol, see this link for complete instructions. These can be reinstalled once any malware removal efforts are completed.
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

=================================
Downloads and Reports Required:
=================================

Before scanning, ensure all other running programs are closed. Do not use your computer for anything else during the scan.
Also, ensure there aren't any scheduled antivirus scans running while the DDS scan is being performed.
*Note - Some antivirus programs falsely detect dds.scr as a threat.

====
DDS:
====
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

=====
GMER:
=====

Download GMER Rootkit Scanner from here or here.

Ensure you have uninstalled any CD emulation programs before you run GMER, as outlined above and here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • It will automatically run a quick scan. Wait until that quick scan finishes before doing anything else.
  • If, during or after the quick scan, it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


=================================
How the logs should be furnished:
=================================

Copy/paste the contents of 'DDS.txt' as text into your post.
The other two logs ...

* attach.txt
* ark.txt

... should be attached to the post.

When posting your reply, the files may be attached by clicking the [Reply] button.
Browse to where you saved the file, select it, then click Open. Once that is done, if you have more files to attach, press More attachments and repeat; then, when all attachments are listed, press Post.

==================================================
When posting the logs please observe the following
==================================================

  • Describe your issue/problem in DETAIL! We cannot second guess as to what your issue(s) may be. Please provide as much detail as possible, including virus/trojan/worm names and locations if available. The more information you can give us, the better we can help.
  • Only attach the logs that we have specifically asked you to attach. (Otherwise post it as text in the Reply box.)
  • DO NOT wrap the log using Quote or Code tags. (DO make sure Notepad word-wrap is OFF.)
  • DO NOT post another program's log (unless we specifically ask for it).
  • DO NOT cut off the header of any log (it contains important information for the analyst).

Checklist
  • DDS.txt - copy/pasted directly into Reply box
  • Attach.txt and ARK.txt - attached to post
  • Rootkits that alter critical/legit Windows files are becoming more commonplace. To facilitate a more rapid cleaning of your system, also tell us whether or not you have/have access to a Windows Install disc, or a Boot CD.

Once you have posted, subscribe to your thread by going to Notify, located at the bottom bar of the thread next to the Reply button.

This concludes the basic steps required before posting your logs. Thank you for taking the time to read this.

Derek
Microsoft MVP Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you.
Would you do all this for nothing?
I run this site to raise funds for Hedgehog Rescue.
Please donate if I have helped you or you have found this site useful.


     
