Below are steps to take in order to clean systems infected with difficult malware/greyware. Major Geeks is the provider of this information.
You may want to print this post....
***IMPORTANT NOTES - READ THESE***
I know it looks long, but much of this is explanatory text to help less experienced people.
Please do not cheat by skipping any steps. You are only hurting yourself if you do. And you will waste more time. The goal is to get your PC fixed. Completing the steps in this generic guide may or may not resolve all of your malware problems, but in all cases it gets your PC into a known state to help make it easier for us to fix your problems. Before you post a new thread requesting support, make sure you have completed all of these steps and tell us you did so!
After completing all steps, if you still need help, please start a new thread. Do not send private messages to any of the helpers!
You may have a problem trying to run steps in safe mode on user accounts that have limited privileges. This will only be on Windows 2K, XP, & 2003 systems. Limited user accounts will not show when you boot into safe mode. You have two options, run the steps in normal boot mode which may not work to remove malware, or you can temporarily change the user account to an admin account and then complete the steps.
Before you start the below procedure, you may want to first check to see if your problem is covered in the http://forums.majorgeeks.com/showthread.php?t=74501 sticky thread. If it is, try that procedure first and come back here to the READ & RUN ME if necessary afterwards.
0: Preliminary House Cleaning & Setup
Work through the below link and first uninstall any bad stuff that should not be installed on your PC. This may in some instances even resolve your problems.
http://forums.majorgeeks.com/showthread.php?t=79754
You MUST be sure that MSconfig.exe is not being used to control Startups. Note that some Windows OSs (like Win 2K) do not have MSconfig!
MSConfig Startup Mode
Please go to Start > Run > type msconfig and click OK! Select the General tab and select Normal Startup.
Then click Apply and OK and reboot PC before continuing. Remain in this Normal Startup mode while your PC is being cleaned of malware.
1: Secondary House Cleaning
This second step of house cleaning may save a load of time later and can significantly reduce the size of logs being posted later.
Empty any quarantine folders for antivirus and anti-spyware applications. Make sure you do this. Logs could be huge otherwise. Here is just one example for doing this with Norton/Symantec: http://service1.symantec.com/SUPPORT/na ... 1213443506
If you are a Symantec/Norton user, make sure you empty their Norton Nprotect folder guarding the Recycle Bin. See This page
Empty your Recycle Bin
Download and install CCleaner: http://majorgeeks.com/download4191.html
MAKE SURE you download from the above link to avoid getting the Yahoo Toolbar version. We do not want to install any unnecessary baggage.
Also it is recommended to log in to all other user accounts on the PC, including the Administrator account, which will only show when you boot in safe mode. Run CCleaner on each account. This can greatly reduce scan time and log sizes from the later scanning you will do below.
2: Enable viewing of hidden files, system files and file extensions!
Some programs hide themselves by making their files invisible in normal Windows settings. Run the steps in the below link (has steps for ALL Win OS's) to make them easier to find.
http://forums.majorgeeks.com/showthread.php?t=74220
Not doing this would allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or .dll, making it difficult to impossible to find manually if needed.
3: Do not use Multiple Antivirus Applications or Software Firewalls!
Antivirus: If you have multiple antivirus applications installed on your PC, please choose the one you prefer and uninstall all others. Do this now before continuing because you will only be asked to do it later if not done now. This does not mean online scanners. It is only referring to full antivirus applications like McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky, etc.
Firewall: Only use one software firewall. Running multiple software firewalls is unnecessary and using more than one software firewall on the same connection could cause issues with connectivity to the Internet or other unexpected behavior including excessive use of system resources which will slow down overall PC performance.
4: Downloading Tools
Download the following tools and save them in your favorite download folder, or create one, for example C:\Spyware Tools or C:\Downloads. (It is not a good idea to download them to any folder within C:\Documents and Settings.) Then install, update, and configure them as indicated below. Do not run the scans until later when indicated. Also DO NOT confuse the word download with the actual installation of the program. You should install all programs to their recommended (by the install program) default installation folders. First you download the files and then you install (if the program requires installation) the program.
Download GetRunKey.Zip and ShowNew.Zip from the below links and extract all files from both ZIP files into a folder of their own. You can extract both ZIP files into the same folder, like C:\MGTools. Do not run the scans yet!!!
http://forums.majorgeeks.com/showthread.php?t=83087
http://forums.majorgeeks.com/showthread.php?t=95941
http://www.majorgeeks.com/download2471.html
PLEASE leave all settings at default!!!! Install, do the search for updates now and get any updates, then fix the below problem with Spybot default products. If you get an error message about "bad checksum" when trying to update, just choose a different server location. Also look for the Immunize feature in Spybot and use it. Do not use the Teatimer function. It can be a resource hog and also makes removal of certain problems more difficult. Make sure you leave the SDhelper (IE bad download blocker) checked to install (this is the default).
Fixing SpyBot's Ignore Products Bug: Please run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all". Now exit Spybot. We will run a scan later.
Microsoft Windows Defender: http://www.majorgeeks.com/Microsoft_Win ... d4466.html - Install it and update it (this can only be used with Windows 2000 SP4/XP SP2/2003 SP1)
Microsoft Windows Malicious Software Removal Tool: http://www.majorgeeks.com/Microsoft_Mal ... d4471.html (this can only be used with Windows 2000/XP/2003)
CounterSpy: http://www.majorgeeks.com/CounterSpy_d4520.html
Only install and run CounterSpy if you cannot run Microsoft Windows Defender, which is only for Windows 2000 SP4/XP SP2/2003 SP1. So all you Win98SE and Win ME users should use CounterSpy. Win95 and Win98 users are out of luck. Also, if you do not have the correct SP levels for Win 2K/XP/2003, you should use CounterSpy. Time for you to get updated to a newer OS.
HijackThis: http://majorgeeks.com/download3155.html – Please do not post HijackThis logs until steps 1 thru 6 are followed, and then make sure you follow step 7 to post logs properly as attachments.
Your system is now ready to be properly scanned for spyware, trojans and viruses. So let's start the cleaning phase. Do not skip any of these procedures covered in steps 5 and 6 below!
5: Cleaning Malware
Important Note Before continuing with the below scans: The best method to remove malware is to do it after booting in Safe Mode with no connection to the internet possible and no browsers running. Booting in safe mode is important because best results are achieved since safe mode disables most drivers and running programs. If you cannot boot in safe mode due to the malware problem then run the scans in normal boot mode, but make sure you tell us later in any messages you post. Thus you will need to print or save these instructions locally in a text file so you can refer to them while offline. Do this before continuing!
Reboot into safe mode: http://service1.symantec.com/SUPPORT/ts ... ec_doc_nam
Physically unplug your cable to the internet (even if you have dial-up, unplug modem)
Shut down ALL non-required applications including browsers
Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
Run the Microsoft Windows Malicious Software Removal Tool and clean all that it finds.
Run Spybot Search & Destroy and allow it to fix all that it finds. Make sure you use the Immunize feature and use the SDHelper function but do not use Teatimer.
Run Microsoft Windows Defender and allow it to fix all that it finds. If it will not run in safe mode, run it later after booting into normal mode. Also see the below bullet if for any reason you cannot run Windows Defender.
All of you Win9x & ME users and Win 2K/XP/2003 users with old SP levels should be running CounterSpy at this point since you cannot run Microsoft Windows Defender. Also attach the log from CounterSpy later if you still have problems. To get the log after scanning, click View -> Spyware Scan -> View Spyware Scan History. Next click on the scan you want to view, then click View full details of scan. Right-click anywhere in the window that just opened, click on Select All, right-click again and select Copy. Now open Notepad, right-click anywhere in Notepad and select Paste. Now Save As CounterSpy.txt and attach it to your next post.
6A: Online Virus And Trojan Scanning
Please run the below two online scanning tools and make sure you save and attach the logs later to any request for help that you post. From step 5 you should already be in safe mode, but you will need to reconnect your cable now and possibly reboot and choose Safe Mode with Networking Support. If you cannot connect in safe mode for any reason (like dial-up users), run the online scanners in normal boot mode. You will need to use Internet Explorer to run these online scans. Also MAKE SURE YOU HAVE THE LATEST SUN JAVA version installed (currently 5.0 Update 9). This may help prevent some problems in trying to get these online scanners to run. Get Sun Java here: http://www.majorgeeks.com/Sun_Java_Runt ... d4648.html
** MAKE SURE YOU RUN BITDEFENDER BEFORE PANDA ACTIVE SCAN **
*** But if Bitdefender cannot be run then run PandaActiveScan anyway ***
http://www.bitdefender.com/scan8/ie.html - agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan: click on the Detected Problems tab. Then select Click here to export the scan report. When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html. If you do not follow these steps, you will have an incorrect log, or worse a log summary, which is useless to us. Post the bdscan.txt file. You MUST attach the Bitdefender log even if it indicates no problems. We want to see it anyway!!!!
http://www.pandasoftware.com/products/activescan? - It will only fix certain viruses and trojans. Most items found will not be fixed. When it finishes the scan click on See Report. Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach it to your message when you begin a thread with a request for help. If you have any problems trying to get a PandaActiveScan log, see the following link with more detail and follow it step by step: http://forums.majorgeeks.com/showthread.php?t=88528
If you use Avast antivirus and it gives you an error like the one below when trying to use Panda, just disable Avast while you run the scan. The error is a false positive:
http://acs.pandasoftware.com/activescan ... r.cab\pska' Malware name: Win32-CTX Malware type: Virus/Worm
6B: Scanning for Additional Info
Now REBOOT INTO NORMAL BOOT MODE: locate the folder where you downloaded GetRunKey.Zip and ShowNew.Zip (in step 4) and then run the below steps.
Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window which you can just close. Upload the runkeys.txt file here as an attachment when you come back to post your results.
Locate the shownew.bat file and double click on it to run it. It will create a file named newfiles.txt in the root of drive C: (C:\newfiles.txt). This log will also pop up in a Notepad window which you can just close. Upload the newfiles.txt file here as an attachment when you come back to post your results.
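An added PowerShell example, not the GetRunKey/ShowNew batch files from Major Geeks, that gathers the same two kinds of evidence step 6B asks for: the Run/RunOnce autostart registry values and recently written executable files. It assumes Windows PowerShell 3.0 or later and an administrator prompt (needed to write to the root of C:); the 30-day window and the extension list are my own choices.

```powershell
# Added example, not the MajorGeeks GetRunKey/ShowNew tools. Assumes Windows PowerShell 3.0+
# and an administrator prompt (needed to write to the root of C:).
$outRunKeys  = 'C:\runkeys.txt'    # same file names the guide's batch files produce
$outNewFiles = 'C:\newfiles.txt'

# 1) Autostart entries: the Run/RunOnce keys for the machine and the current user.
$runKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these bookkeeping properties; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$runEntries = foreach ($key in $runKeyPaths) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        # Each value name is the autostart entry; the data is the command that runs at logon.
        [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
    }
}
$runEntries | Format-List | Out-File -FilePath $outRunKeys -Encoding ascii

# 2) Recently written executable files under the Windows and Program Files folders.
# The 30-day window and the extension list are my choices, not from the guide.
$cutoff      = (Get-Date).AddDays(-30)
$watchExt    = '.exe', '.dll', '.sys', '.scr', '.com'
$searchRoots = @($env:SystemRoot, $env:ProgramFiles)

$newFiles = foreach ($root in $searchRoots) {
    # -Force includes hidden/system files, which step 2 of the guide also makes visible.
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $watchExt -contains $_.Extension.ToLower() } |
        Select-Object FullName, LastWriteTime, Length
}
$newFiles | Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize | Out-String -Width 300 |
    Out-File -FilePath $outNewFiles -Encoding ascii

# Show both reports, as the batch files do, so they can be reviewed and attached to a post.
notepad.exe $outRunKeys
notepad.exe $outNewFiles
```

Anything listed in runkeys.txt that you did not install, or that points into a temp or user-profile folder, is worth mentioning in your post; the same goes for newfiles.txt entries whose write time matches when the trouble began.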
6C: Next Course of Action
You have a few options now if you still have problems at this point:
See if your problem is covered in one of the threads mentioned in another sticky thread: http://forums.majorgeeks.com/showthread.php?t=74501 For example: about:blank or HSA hijacker problems, SpySheriff, SpyAxe, Spyware Quake, Smitfraud, Virtumonde aka WinFixer, etc.
Proceed on your own - if you want to continue to work on your own, look at the Alternative Scans (section 9) below.
Request help - you should post a message requesting help, but make sure you indicate in your post that you've already followed the instructions on this page so we don't waste your time and our time by posting a link to it in your thread. Also, it would be helpful to indicate what kind of problems the above steps have found and fixed (and failed to fix). Also you must attach all the logs from the previous steps:
CounterSpy (if you ran it instead of Windows Defender)
BitDefender
PandaActiveScan.
GetRunKey
ShowNew
You should also attach a log from HijackThis, but you must follow the directions in step 7 below.
7: HijackThis log posting
Since so many new problems end in requiring a HijackThis (http://majorgeeks.com/download3155.html) log anyway, it will be okay to post a HijackThis log if you are still having problems. But only if you have completed all the above steps, and you must attach your log to your message. Also you must install HijackThis properly per the instructions in the below link. We are growing tired of saying this. If you do not listen, you are at risk of having problems if something is deleted that should not be. It will be YOUR FAULT if you do not install HijackThis properly. Depending on which OS you have, you may need an application like http://www.majorgeeks.com/download525.html to extract hijackthis.exe from the downloaded ZIP file.
***** MAKE SURE YOU CLICK THE BELOW LINK AND FOLLOW DIRECTIONS! TOO MANY PEOPLE ARE SKIPPING IT! *****
http://forums.majorgeeks.com/showthread.php?t=74216
*** IMPORTANT NOTE ***
Once you have HijackThis installed in the proper location, as per http://forums.majorgeeks.com/showthread.php?t=74216: double-click on "My Computer", double-click on "(C:)", navigate to "C:\Program Files\HJT", right-click on "hijackthis.exe", select "Rename", rename it to "analyse.exe" (do not rename to analyse.exe.exe), click inside the window to complete the renaming operation, and close Windows Explorer. Done. This is extremely important as there is a new variant of Virtumonde (Vundo), aka "Winfixer", that will not be detected unless you do the above.
8: Toggle System Restore on Win XP and WinME Systems
Once you are sure all malware problems have been removed, follow the below steps:
Disable System Restore (see http://forums.majorgeeks.com/showthread.php?t=31668 )
Now reboot your PC
Now Enable System Restore using the same link as above
Why we toggle System Restore! If you have been infected with any trojans, spyware, etc, they could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files that may contain viruses. Even though your tools may say they are deleting them, they are not! The reason for doing this after your system has been completely cleaned of problems is so we can remove possibly infected restore points. When you disable System Restore, it removes restore points! We only toggle System Restore after you are clean because keeping even infected restore points around while we are fixing things may prove useful if something goes wrong during the process. An infected restore point could be better than none at all!
9: Alternative Scans - If still having problems, see: http://forums.majorgeeks.com/showthread.php?t=80343
10: Keeping your computer safe and secure: See the following thread and complete the steps: http://forums.majorgeeks.com/showthread.php?t=44525
Improving PC Performance - Part one - Spyware etc
Moderators: Aladinsaneuk, MartDude, D-Rider, Moderators
- Aladinsaneuk
- Aprilia Admin
- Posts: 9503
- Joined: Wed Jan 03, 2007 10:37 pm
- Location: Webfoot territory
Last edited by Aladinsaneuk on Tue Jan 15, 2013 11:19 am, edited 1 time in total.