In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please complete the following steps before posting a request for help:


1 – Please familiarize yourself with the following instructions as you will be asked to perform them at various points in the cleaning process:

• Booting to Safe Mode

• Enabling the Viewing of Hidden Files

• Turning Off (Disabling) System Restore - (Windows ME / XP / Vista Only)

You will need to flush your restore points AFTER the fixing process has been completed to ensure that no malware is preserved. This is done by disabling and then re-enabling System Restore as per the above link.
With the addition of such tools as ComboFix, much of the malware removal process is “automated” these days and the above will be done for you via instructions for these types of tools. Still, it is good to be familiar with these procedures in the event you need to manually track down and remove stubborn malware.


2 – Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)

• You can put ATF-Cleaner on your Desktop for easy access. Leave it for now.

Deckards System Scanner is currently unavailable. Please continue with the rest of PhilliePhan's recommendations.
3 – Please Download Deckard’s System Scanner (DSS) from HERE or from HERE and save it to your Desktop.

• When you are asked to run it, DSS will do the following:

• Create a new System Restore point in Windows XP and Vista. NOTE: System Restore should NOT be disabled unless you are asked to do so by your Forum advisor.
• Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
• Scan your computer and produce a report for your advisor to review.
• Automatically run HijackThis. DSS will ask to install HijackThis if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer YES. A shortcut to HJT will also be placed on your Desktop.

Now, please begin the Initial Cleaning Process:

4 – Please look in Add or Remove Programs (Start > Control Panel > Add/Remove Programs) for any suspicious items (typically programs you do not remember installing) and note them for us in the event you need to post back for further assistance.


5 – Please Enable the Viewing of Hidden Files. Be sure to uncheck the Hide Protected Operating System Files option! This should be done in the event that we need to track down and manually remove some baddies.


6 – If your OS is Windows 2000/2003, XP or Vista, please run the Microsoft® Windows® Malicious Software Removal Tool
*Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.


7 – If you are able, RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

8 – Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

• DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
• Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

9 – Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

• You will need to use Internet Explorer to to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• ESET Online Scanner

• Kaspersky Online Scanner

• Panda Active Scan

• Trend Micro HouseCall

• F-Secure Online Virus Scanner

After the initial cleaning has been completed:

Please take note of any problems that you had with the above instructions and any problems that remain.
Should any malware issues remain, please start a thread requesting assistance. Please describe the problem(s) in as much detail as possible.


ALSO, please submit a Deckard's System Scanner Log along with your post. Be sure follow the instructions below carefully!

• You must be logged onto an account with administrator privileges when you run Deckard’s System Scanner!

• Close all applications and windows.
• DoubleClick on dss.exe to run it and follow the prompts. (On Vista; RightClick dss.exe and choose run as administrator)
• If your anti-virus program or firewall pops up with an alert, please instruct them to allow DSS to run.
• When the scan is complete, two text files will open in Notepad:
  • main.txt <- this one will be maximized
  • extra.txt <- this one will be minimized
• If Notepad doesn’t open automatically, both files can be found in the C:\Deckard\System Scanner folder.
• Please attach or copy&paste the contents of BOTH main.txt and extra.txt along with your post for assistance.

** Be sure to let us know if Deckard’s System Scanner hangs or gets stuck during the scan.

**** Using the shortcut on your Desktop, please run HijackThis and open the Misc Tools section.

• Under the System Tools section, Click on Open Uninstall Manager and Click Save list.
• Save it to your desktop and then please post this Uninstall List as directed below.

When you post your request for assistance, please be sure to submit these FOUR requested scanlogs:

• MalwareBytes’ Anti-Malware log
• ESET Online Scanner log
• BOTH Logs from Deckard's System Scanner (main.txt and extra.txt)
• Uninstall List

ADDITIONALLY:
Please note that responses to threads requesting help may be limited as this is a community forum dependent on the free time and good will of volunteers. Many forums are overwhelmed with requests for help and have few volunteers, so please do not be offended if there are few or no replies to your post.
Also, please be aware that not all of the advice given in an open forum is accurate. Do not be afraid to question any advice you believe to be suspect!


~ PhilliePhan ~
Originally Posted 7-16-2008