Before Posting scan results from "self Help", For Windows 2000 and XP Versions

LDTate (Root Admin)
post Feb 7 2006, 06:24 PM
Post #1

WARNING this is ONLY a STARTING point and in most cases WILL NOT totally remove the infection.

Use at your own risk: the WhatTheTech forums do not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome.

Please Register first.
New here? Want to learn more about how free, community-based tech support works? Click here.

Please Do NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


If you would like to know who is helping you here at WhatTheTech Forums please read The Different Groups Here At WhattheTech.

We suggest you print out these instructions.

Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Preparation:

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

System Restore (Windows Vista, XP and ME)
Why? This ensures there's a valid system restore point, in case it's needed. We use a simple program called SysRestorePoint that automates the steps of creating a restore point.
    Create a New System Restore Point:
    1. Download SysRestorePoint to your desktop, or other location.
    2. Double click SysRestorePoint.exe to create a new system restore point.
    3. A box will pop up as it's creating the restore point, and provide notification when complete. When finished, close that window and exit the program.

ERUNT - Download - Homepage
Why? This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.
  1. Download ERUNT
  2. Double-click erunt_setup.exe to run.
  3. Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  4. Say No to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later.
  5. Start ERUNT
  6. Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  7. The first two check boxes are ticked by default (System registry and Current user registry).
  8. Press OK
  9. When prompted, click YES to create a new folder.
  10. Progress bars will show backup status.
  11. A confirmation window will pop up when complete. Click OK to close.


Important
Disable any script blocking protection (How to Disable your Security Programs)

Step One: Scan for Spyware/Adware
Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version (freeware) - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.
  1. Double-click mbam-setup.exe and follow the prompts to install the program.
  2. At the end, confirm a check mark is placed next to the following:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  3. Then click Finish.
  4. If an update is found, it will download and install the latest version.
  5. Once the program has loaded, select Perform quick scan, then click Scan.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Be sure that everything is checked, and click Remove Selected.
  8. When completed, a log will open in Notepad. The rogue application should now be gone. If you need to create a new topic, please paste this log with it.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Extra Note: Do not run a full scan with MBAM. It is not required or needed, and in fact makes our job tougher.


Step Two: Rootkit Detection
GMER Rootkit Scanner
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.


Note: If GMER doesn't start, please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


You must remember to re-enable your Emulation drivers once we are finished. Double-click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


Step Three: Download DDS and save it to your desktop from here, here or here.
  • Double-click the DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.



Malware and Spyware Removal Forum Rules:
  • Please do NOT post a Combofix log unless requested by the person helping you. Combofix should NEVER be run unless requested. While it's a powerful tool useful for removing a number of infections, things can, and do, go wrong. Sometimes systems even refuse to boot. There are safeguards built into Combofix, but only someone trained in its use will be able to help you recover. The logs generated can also be very difficult to interpret properly.
  • Please stay with your original topic when posting follow ups.
  • The "Topic Title" should contain the name of the infection that you are having a problem with e.g. WinTools, http://...sp.html etc. Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections.
  • Tell us if you're having any problems, and please be specific. Let us know what you've already done to fix it (if anything).
  • If you do not understand a step, do not panic, simply ask for direction and information. We will offer any advice necessary to help you.
  • Please only post your topic once. Duplicate posts will be closed, and just create additional work for the staff members trying to help you.
  • Do not create posts at multiple forums. Logs take time to diagnose, and doing this will waste multiple helpers' time, which is already over-stretched. If you do this your topic will be closed.
  • Don't attach your logs unless a helper asks you to, as it is harder for us to read them that way. Post them instead.

NOTE:

Start your topic in Infections Removal

Note: Don't forget to post your MBAM and GMER log, in addition to the DDS log.

Please DO NOT bump your log.

We look for logs with 0 replies first.

If you are being helped and you haven't replied within 3 days your topic will be closed as inactive.
If that is the case, please start a new topic when you have the time needed to finish all the instructions.
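A scripted version of the Preparation backups above (restore point plus registry hive backup), added here as an example; it is not part of the original post and is not the SysRestorePoint or ERUNT tool. It assumes Vista/7 with PowerShell started via "Run as Administrator", System Restore available on the system drive, and an ERUNT-style C:\WINDOWS\ERDNT\<date> folder as the backup location.

```powershell
# Added example: scripted restore point + registry hive backup before any cleanup tool runs.
# Assumptions: elevated PowerShell, System Restore on the system drive, ERUNT-style folder layout.
$ErrorActionPreference = 'Stop'

# 1. Restore point, the step SysRestorePoint automates.
#    Enable-ComputerRestore is a no-op if System Restore is already on for the drive.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Pre-malware-removal baseline' -RestorePointType MODIFY_SETTINGS

# 2. Registry backup, matching ERUNT's default "System registry" and "Current user registry" boxes.
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$backup = Join-Path $env:SystemRoot "ERDNT\$stamp"   # e.g. C:\WINDOWS\ERDNT\2010-03-13
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# reg.exe save writes each live hive to a binary hive file (the form reg.exe restore expects).
$hives = @{
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKCU'          = 'NTUSER.DAT'   # the current user's hive
}
foreach ($key in $hives.Keys) {
    $dest = Join-Path $backup $hives[$key]
    & reg.exe save $key $dest /y
    if ($LASTEXITCODE -ne 0) { throw "reg save failed for $key (exit code $LASTEXITCODE)" }
}

# 3. List what was written so the backup can be checked before MBAM or GMER are run.
Get-ChildItem -Path $backup | Select-Object Name, Length, LastWriteTime
```

Keep the folder until the cleanup is finished; a restore point does not cover a registry that will no longer boot, which is why the hive files are saved separately.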
daveai (Retired Classroom Teacher)
post Feb 14 2006, 11:55 PM
Post #2

bump
LDTate (Root Admin)
post May 17 2008, 08:51 AM
Post #3

Updated May 2008
LDTate (Root Admin)
post Dec 6 2008, 07:54 AM
Post #4

Updated Dec.08