DaniWeb IT Discussion Community


PhilliePhan Jul 16th, 2008 5:57 pm
Read me before posting a request for assistance
 
In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please complete the following steps before posting a request for help:


1 – Please familiarize yourself with the following instructions as you will be asked to perform them at various points in the cleaning process:
Booting to Safe Mode
Enabling the Viewing of Hidden Files
Turning Off (Disabling) System Restore - (Windows ME / XP / Vista Only)
You will need to flush your restore points AFTER the fixing process has been completed to ensure that no malware is preserved. This is done by disabling and then re-enabling System Restore as per the above link.
With the addition of such tools as ComboFix, much of the malware removal process is “automated” these days and the above will be done for you via instructions for these types of tools. Still, it is good to be familiar with these procedures in the event you need to manually track down and remove stubborn malware.


2 – Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)
• You can put ATF-Cleaner on your Desktop for easy access. Leave it for now.

3 – Download DDS by sUBs and save it to your Desktop.
• Just leave it there for now.

Now, please begin the Initial Cleaning Process:

4 – Please look in Add or Remove Programs (Start > Control Panel > Add/Remove Programs) for any suspicious items (typically programs you do not remember installing) and note them for us in the event you need to post back for further assistance.


5 – Please Enable the Viewing of Hidden Files. Be sure to uncheck the Hide Protected Operating System Files option! This should be done in the event that we need to track down and manually remove some baddies.


6 – If your OS is Windows 2000/2003, XP, Vista or Windows 7, please run the Microsoft® Windows® Malicious Software Removal Tool
*Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.


7 – If you are able, RUN ATF-Cleaner.exe.
• Click on ATF-Cleaner to run it
• Where it says Select Files To Delete, Check the Select All Option
• Click Empty Selected > OK

If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.

8 – Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
REBOOT after running MBA-M!
If you are unable to update MBA-M, go to http://www.gt500.org/malwarebytes/database.jsp and download the latest database, then run it.


9 – Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
NOTE: If you are unable to complete the ESET scan, please try another from the list below:
Kaspersky Online Scanner
Panda Active Scan
Trend Micro HouseCall
F-Secure Online Virus Scanner



After the initial cleaning has been completed:

Please take note of any problems that you had with the above instructions and any problems that remain.
Should any malware issues remain, please start a thread requesting assistance. Please describe the problem(s) in as much detail as possible.


ALSO, please submit a DDS ScanLog along with your post. Be sure to follow the instructions below carefully!
• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).


• Copy&Paste the DDS.txt into your post for assistance.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


When you post your request for assistance, please be sure to submit these FOUR requested scanlogs:
MalwareBytes’ Anti-Malware log
ESET Online Scanner log
BOTH DDS ScanLogs (DDS.txt & Attach.txt)





ADDITIONALLY:
Please note that responses to threads requesting help may be limited as this is a community forum dependent on the free time and good will of volunteers. Many forums are overwhelmed with requests for help and have few volunteers, so please do not be offended if there are few or no replies to your post.
Also, please be aware that not all of the advice given in an open forum is accurate. Do not be afraid to question any advice you believe to be suspect!



~ PhilliePhan ~
Originally Posted 7-16-2008

