Thread: Malware Removal

  1. #1

    Malware Removal

    NOTICES:
    Malware has progressed to the point where some infections can be extremely difficult to fully remove. And there can be residual left over damage to many aspects of the Windows Operating System that may also be very hard to repair. As such, the act of removing malware can sometimes cause unexpected problems due to how the malware has hooked itself into your operating system. While in most cases, we do not have problems, we cannot guarantee that there will not be any. Thus it would be a very good idea for you to begin by backing up all important personal information before undertaking the act of malware removal. You can bypass this step at your own risk, but remember that we cannot guarantee what the result will be from trying to remove malware from your PC.

    Now if you are ready to continue with malware removal:
    Complete ALL of the below steps including the specific malware removal cleaning instructions for your Windows Version.
    If something does not run, write down the info to explain to us later but keep on going.
    Do not assume that because one step does not work that they all will not.
    If you cannot boot in Normal Boot mode or can boot but not properly run in normal mode but your PC runs in safe boot mode, you can ignore our note about Normal Startup and just complete as much as you can in safe boot mode. Some programs may not install in safe boot mode.
    If you cannot download required programs on the infected PC, download them using another PC and copy them to the infected PC via CD or USB drive.
    Do you want your PC fixed?? If yes then attempt to finish everything requested. Please do not cheat by skipping any steps. Attempt to run ALL steps in the READ & RUN ME. The only steps you should skip are ones that you are blocked from running by your problems.
    You are only hurting yourself and you will waste more time in the long run if you ignore or skip steps.
    There is no risk in posting logs. Nothing in them will give anyone the kind of info that some people may be concerned about. If you are concerned about logs that might show your real name, you can just edit those out before attaching them; however, do realize that fixes we may have to provide may not automatically work properly since they will need to refer to the original unedited information.
    Once you start this cleaning process to remove your malware please do not do anything to your PC except what is requested in this procedure. Do not install anything on your own and do not run other scans.
    Step 1: Getting Started
    Please begin by reading our Forum Rules and Guidelines

    If you are having browser re-direction problems, please click the link http://forums.majorgeeks.com/showthread.php?t=230267

    ONLY run the above link if you are having Google Hijacking problems and when you finish the above, you MUST return here and continue!!!!!!
    If you cannot connect to the internet, see if this helps >> http://forums.majorgeeks.com/showthread.php?t=207357

    SLOW PC PROBLEMS? - Read the below info
    If you are here because your PC is booting or running slowly, remember that this is a malware removal guide and not a cure-all for slow PCs.
    A slow PC is not always caused by malware. It could just be due to what you run! Or it could be an inadequate amount of memory. We recommend an absolute MINIMUM of 2 GB for Windows XP and a MINIMUM of 3 GB for Vista or Windows 7 but the more memory you can add the better.
    If you have less than the above amount of memory and we do not find any malware, we will be telling you to install more memory or uninstall applications that use memory full time.
    Also see the below to Optimize Vista Performance

    Step 2: Uninstalling Multiple Protection Applications
    *** IMPORTANT NOTES - READ THESE ***
    You must uninstall all but one antivirus program.
    If you have multiple antivirus applications installed on your PC, please choose the one you prefer and uninstall all others. Do this now before continuing because you will only be asked to do it later if not done now. This does not mean online scanners. It is only referring to full antivirus applications like McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky, etc.
    You must uninstall all but one software firewall.
    Only use one software firewall. Running multiple software firewalls is unnecessary and using more than one software firewall on the same connection could cause issues with connectivity to the Internet or other unexpected behavior including excessive use of system resources which will slow down overall PC performance.
    Step 3: Configuration & Setup
    Determine whether you have a 32-bit or 64-bit version of Windows, because you will need to know this later during the cleaning instructions.
    Enable viewing of hidden files, system files and file extensions
    Some programs hide themselves by making their files invisible in normal Windows settings. Run the steps in the below link (this has steps for ALL Win OS's) to make them easier to find.

    Not doing this would allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or .dll, making manually finding it, if needed, difficult to impossible.

    Step 4: Disable Any Disk Emulation Software (like Daemon Tools..etc)
    If you skip this step, we may be just telling you to start the cleaning process over again! DON'T SKIP THIS STEP.
    This has become a critical step before continuing the cleaning process. Disk emulation software is making it difficult to separate real rootkit-like malware from valid software.
    See the instructions provided in the following link to disable emulation software and keep it disabled while we are still working on your PC.
    http://www.bleepingcomputer.com/forums/topic293569.html
    Step 5: Temp File/Folder Cleaning
    **** WARNING ****
    Skip running CCleaner or any other disk cleaning program if you are missing icons, items from your Start Menu, from All Programs, etc.
    Download and install >>>>> http://api.viglink.com/api/click?for...13536157001532

    Now run CCleaner with the default options (that means don't change anything) to clean out temporary files.
    Only use the default settings on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
    Also it is highly recommended to login to all other User Accounts on the PC.
    Run CCleaner on each account. This can greatly reduce scan time and log sizes from the later scanning you will do below.
    If you don't see CCleaner's link when logging into the other accounts, just go to the C:\Program Files\Ccleaner folder and double click on the ccleaner.exe file to run it. You can also create a shortcut to the file on the Desktop of your other user accounts to make it easier to run in the future.
    Step 6: Windows OS Specific Cleaning Instructions

    Select and run all steps in the malware removal cleaning link below based on your Windows Operating System.


    If you have Windows 95, 98, or ME, continue here: http://forums.majorgeeks.com/showthread.php?t=139301

    If you have Windows XP, continue here http://forums.majorgeeks.com/showthread.php?t=139313

    If you have Windows Vista, 7 or 8, read below

    Vista and Win 7 Malware Removal/Cleaning Procedure

    Notes:
    Some programs (like MGtools mentioned later and maybe other tools too) may not run on restricted user accounts so you may need to temporarily change the user account to an admin type account and then complete the scans.
    If you are a Spybot Search and Destroy user, make sure that you do not have Teatimer enabled. If you already have Teatimer enabled, see this to disable it: how to >>>>> http://forums.majorgeeks.com/showthr...light=Teatimer

    Step 1: Downloading Tools

    In this section we are going to download tools we will use. We will install and configure the programs and then run scans at a later point so please only download right now.

    Make sure you download the tools to the exact locations specified below in the procedures to avoid problems later. It is not a good idea to download them to any folder within C:\Documents and Settings. It is also a bad idea to download and save anything you need into any kind of Temp folder. Malware hides in Temp folders and standard cleaning practices will delete everything from Temp folders.

    If you have difficulty knowing how to download and save files to locations on your PC, check out the below Video Tutorial by TimW
    http://www.youtube.com/watch?v=acz-x...layer_embedded



    Now download the below tools ( PLEASE only download at this point )

    http://api.viglink.com/api/click?for...13536159170352 this is for Rogue Killer

    http://api.viglink.com/api/click?for...13536159521133 this is for Malwarebytes Anti-Malware - See the download links under this icon
    Important: Rename the downloaded mbam-setup.exe file to mb.exe to help work around certain malware that will block it from being run.

    TDSSKiller- Save to your desktop. See the download links under this icon >>>> http://api.viglink.com/api/click?for...13536160087565


    Download HitmanPro >>>
    http://api.viglink.com/api/click?for...13536160219416

    MGtools - Recent bugs in many antivirus programs are detecting this as malware. Disable your AV while you download and run MGtools if you have this problem. Rest assured that it is clean. Your AV is incorrect. We prefer that you download this file to the root folder of the drive where you have installed Windows (typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading). If you use Firefox and still have it set to defaults, it will not let you choose where to download files to. To change Firefox, run Firefox and click Tools, Options, and on the Main tab select Always ask me where to save files. If for some reason you still have a problem trying to save MGtools.exe properly, which can happen with Vista and Win7, you can download and run it from your Desktop as long as your Desktop folder is located on the same drive that you boot Windows from.

    http://forums.majorgeeks.com/chaslang/files/MGtools.exe

    Step 2: Disabling User Account Control


    For Vista users - to turn off UAC ( UAC = User Account Control )
    Click Start, and then click Control Panel.
    In Control Panel, click User Accounts.
    In the User Accounts window, click User Accounts.
    In the User Accounts tasks window, click Turn User Account Control on or off.
    If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted.


    For Windows 7 users - to turn off UAC ( UAC = User Account Control )
    Click Start, and then click Control Panel.
    Click User Accounts and Family Safety
    In the User Accounts and Family Safety window click Change User Account Control Settings
    Then move the Slider all the way to the bottom to Never Notify
    Click OK and then Yes to the popup warning that you are turning off UAC
    If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted.

    Step 3: Installing Tools and Running Scans - please only run one scan at a time and only run each scan one time. Also try to complete all scans before attaching any logs!
    RogueKiller Instructions
    Double click RogueKiller.exe to run (Note: If running Vista or Win 7 use right-click and select Run as Administrator)
    When it opens, press the Scan button. Only run a scan! Do not fix anything at this time.
    When it is finished, there will be a log on your desktop called RKreport[1].txt
    Attach RKreport[1].txt to your next message ( after you complete all scans or get as far as you can go).

    Malwarebytes Anti-Malware Instructions
    Please carefully follow the instructions in the below link to most effectively run it and obtain a log:

    http://forums.majorgeeks.com/showthread.php?t=154672


    TDSSKiller Instructions
    Now run this procedure to get a TDSSKiller log: TDSSKiller - How to run >>> http://forums.majorgeeks.com/showthread.php?t=222773

    HitmanPro Instructions
    Now run this procedure to get a HitmanPro log: HitmanPro - How to scan and obtain a log >>> http://forums.majorgeeks.com/showthread.php?t=260397

    MGtools Instructions
    Now follow the directions in the below link for running MGtools. It also explains possible reasons for not being able to run MGtools.
    Using MGtools http://forums.majorgeeks.com/showthread.php?t=137630

    Step 4: Do You Still Have Problems
    Yes, I’m still having problems
    DO NOT run the READ ME again!!!! And DO NOT move on to Step 4 below!!! Please just attach your logs as given below and tell us what problems you are still having.
    If you do not already have a thread started, start a new thread otherwise post the following in your original thread. Clearly describe in detail the problems you are having and how long ago they started. Think about what you were doing at the time.
    Now you need to attach (See: HOW TO: Attach Items To Your Post ) ( Or View: How to Attach Items to Your Posts) the below logs created while running the above scans.
    RKreport[1].txt from RogueKiller
    Malwarebytes' Anti-Malware log
    TDSSKiller log
    HitmanPro log
    MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
    Be patient after posting your logs and wait for one of the helpers to get to you. It can take a while to read thru all of the logs and to create individual fixes for you.
    Also DO NOT BUMP your thread to try and get a faster answer. This will actually significantly delay getting an answer. See this: Don't Bump! It Only Hurts You!!!
    No, I’m not having any problems
    If you are sure everything is okay ( give it a couple days to be sure ) and that you do not need to request any help, then jump to the next step below.
    Step 5: Enable User Account Control (UAC)
    While running the MGtools procedure, we had you disable UAC. Now we need to enable it again to help keep you safe.
    You can either respond to the security notice in the System Tray alerting you to enable UAC or you can do the below.
    Navigate into the \MGTools folder just created in the root of your Windows boot drive.
    Locate the EnableUAC.reg file and double click on it and allow it to be added to the registry.
    This registry patch is used to enable the User Account Control feature.
    You should reboot after applying the registry patch so that it works properly. You can wait to do this reboot in step 6 below if you are going to immediately perform step 6.
    Now continue on to step 6
    Step 6: Toggle System Restore
    Before you toggle System Restore, make sure that you are no longer having any malware or other problems as specified above in step 3. If necessary, run your PC for a few days to make sure that everything is working well.
    You only need to Toggle system restore if malware had been found during the cleaning procedures. If no malware was found, there are no infected restore points to worry about, thus you can skip to the next step.
    Once you are sure all malware problems have been removed follow the below steps:
    Disable System Restore ( see Disable And Enable System Restore)
    Now reboot your PC
    Now Enable System Restore using the same link as above
    Why we toggle System Restore!
    If you have been infected with any trojans, spyware, etc, they could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files that may contain viruses. Even though your tools may say they are deleting them, they are not! The reason for doing this after your system has been completely cleaned of problems, is so we can remove possible infected restore points. When you disable system restore, it removes restore points!
    We only toggle System Restore after you are clean because keeping even infected restore points around while we are fixing things may prove useful if something goes wrong during the process. An infected restore point could be better than none at all!
    Now continue on to the next step below!
    Step 7: Keeping your computer safe and secure
    See the following thread and complete the steps: http://forums.majorgeeks.com/showthread.php?t=44525

    Step 8: Alternative Scans - If still having problems, see:
    http://forums.majorgeeks.com/showthread.php?t=80343

    Now surf safely!

    If you still have problems, attach all reports to a folder and upload to tech support on this site http://forums.majorgeeks.com
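    Added here as an example, not part of the READ & RUN ME and not one of the MajorGeeks tools: a read-only PowerShell audit of the settings the procedure above asks you to change by hand (32/64-bit, hidden files and extensions in Explorer, the UAC master switch, how many antivirus and firewall products are installed, and how many restore points exist). It changes nothing; it only reports, so a helper can confirm that a step was actually done before the scans run, and again after Step 5 and Step 6 have put UAC and System Restore back. It assumes Windows PowerShell 3.0 or later on a client edition of Vista, 7 or 8 (the root/SecurityCenter2 namespace and Get-ComputerRestorePoint do not exist on Server editions) run from an elevated prompt; the registry paths are the documented Windows locations for these settings.

```powershell
# Added example (not part of the MajorGeeks procedure): read-only audit of the
# settings the guide asks you to change manually. Nothing here writes to the
# registry or to the system; it only reports state.
# Assumes Windows PowerShell 3.0+, client Windows (Vista/7/8), elevated prompt.

function Get-CleanupReadiness {
    # Per-user Explorer view settings (Step 3: hidden files, extensions, protected OS files).
    $advancedPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # Machine-wide UAC policy (Vista/Win 7 section Step 2 disables it, Step 5 re-enables it).
    $policyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $adv = Get-ItemProperty -Path $advancedPath -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $policyPath   -ErrorAction SilentlyContinue

    # Step 2 of the guide: more than one full antivirus or software firewall must be fixed
    # before scanning. Security Center registers each product in root/SecurityCenter2.
    $av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $fw = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct  -ErrorAction SilentlyContinue)

    # Step 6 of the guide: restore points created while infected can hold infected files,
    # which is why the guide toggles System Restore only after the PC is clean.
    $restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        # Step 3: needed later to pick the right 32-bit or 64-bit tool builds.
        Is64BitWindows          = [Environment]::Is64BitOperatingSystem
        # Hidden = 1 means "Show hidden files"; 2 means they stay hidden.
        ShowsHiddenFiles        = ($adv.Hidden -eq 1)
        # HideFileExt = 0 means extensions are shown (a .exe cannot masquerade as "file.txt").
        ShowsFileExtensions     = ($adv.HideFileExt -eq 0)
        # ShowSuperHidden = 1 means protected operating system files are shown.
        ShowsProtectedOsFiles   = ($adv.ShowSuperHidden -eq 1)
        # EnableLUA is the value EnableUAC.reg sets back to 1. It is read at boot, which is
        # why the guide insists on a reboot after changing it in either direction.
        UacEnabled              = ($pol.EnableLUA -eq 1)
        AntivirusProductCount   = $av.Count
        InstalledAntivirus      = (($av | Select-Object -ExpandProperty displayName) -join '; ')
        FirewallProductCount    = $fw.Count
        InstalledFirewalls      = (($fw | Select-Object -ExpandProperty displayName) -join '; ')
        RestorePointCount       = $restorePoints.Count
    }
}

# Prints one labelled line per setting; paste it into the thread alongside the scan logs.
Get-CleanupReadiness | Format-List
```

    Read the output against the guide: before Step 3 of the Vista/Win 7 section you want AntivirusProductCount and FirewallProductCount at 1 or less, the three Shows* values True and UacEnabled False (after a reboot); after Step 5 UacEnabled should read True again, and after Step 6 RestorePointCount should have dropped to the points created since the toggle.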

  2. #2

    Re: Malware Removal

    Bump. Click links for Windows 8 viral help. New tutorials for Win 7 etc. hosted as well.

  3. #3

    Re: Malware Removal

    Seems like you are more concerned about promoting your forum rather than malware removal. Anyways it's in the wrong section.

  4. #4
    irishron (Cura Palatii), Moderator Emeritus
    Join Date: Feb 2005 | Location: Cirith Ungol | Posts: 47,023

    Re: Malware Removal

    Quote Originally Posted by Krάtos:
    Seems like you are more concerned about promoting your forum rather than malware removal. Anyways it's in the wrong section.
    We've already been through this. It stays.
