Malware/Spyware Removal Guide

Browntoa
Browntoa Posts: 49,591 Forumite
Part of the Furniture 10,000 Posts Name Dropper Photogenic
edited 15 June 2010 at 9:03PM in Techie Stuff
#### links confirmed working 15/06/2010 ########

The following is compiled with the help of Pchelpman, Toxteth_OGrady, Intel and Fran and is designed to be a new "Sticky" as a comprehensive guide to the steps required to remove the above from your PC. It will be split into three posts for ease of reading and printing.

The first 4 posts in this thread are our best solution to removing the infection from your PC

The rest of the thread is personal opinions on the rights and wrongs on those instructions. Do not post requests for help in this thread but start a new thread for your particular problem.

Please follow these instructions fully before posting for help on the Forum as 99% of the time this will clean your PC of the infection.

Please back up any important documents, emails and photographs before you start.

#### IMPORTANT: if followed correctly these instructions should help you remove the infection in your PC; if followed incorrectly you may cause damage to your system. If you do not feel confident in following these instructions we would advise you to seek the advice of a professional to fix your PC. ######



For earlier versions of Windows 95/98/98se/Me, Malwarebytes and Microsoft Defender will not work, but all other software will and the steps remain the same.
Ex forum ambassador

Long term forum member

Comments

  • Browntoa
    Browntoa Posts: 49,591 Forumite
    edited 16 November 2010 at 9:32PM
    Download the following software, in each case as it downloads click on the “Run” button on the File download box that opens to install the software.

    Before you start make sure you are at least up to date with Windows XP Service Pack 1a by going here

    http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&displaylang=en






    1) Please download Malwarebytes Anti-Malware and save it to your desktop. (unlike the rest of the software this needs to be run now)
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

    If you find that the installer file will not run then "right click" on it and rename the file to minstall.exe or something and try again.


    If you find that Malwarebytes will not run then navigate to

    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

    or wherever you installed the program and rename it to something like cleanmypc.exe and try again

    Thanks for the following information from Knarf44:

    I have always given the advice based on info found in the Malwarebytes forum, here.

    That advice states quite clearly that a quick scan would pick up 99.9% of infections and that the Full scan option is there simply to provide reassurance.

    Towards the end of the thread it also addresses the point that MBAM should always be run in normal mode rather than safe mode. The latter should only be an option when the program cannot be run in normal mode.





    2) Ad-Aware from Lavasoft from here


    http://www.lavasoft.com/products/ad_aware_free.php

    Install, click Check for Updates now and get any updates, then exit

    3) Crap Cleaner from

    http://www.ccleaner.com/ccdownload.asp

    Install only making sure to untick the box for installing the Yahoo toolbar, then exit

    4) Spybot Search and Destroy

    http://www.safer-networking.org/

    Install, do the search for updates now and get any updates. Make sure you leave the SDhelper (IE bad download blocker) checked to install (this is the default).



    If you find it impossible due to the infection to connect to any of the above and download, or the programs refuse to install/run, then use another PC and download this tool to a USB drive or a CD

    http://www.superantispyware.com/portablescanner.html

    and follow the instructions

    then attempt the above steps again. If you still have problems then start a new thread for advice and state that you cannot download/install etc
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    edited 15 June 2010 at 9:06PM
    Malware Removal

    Please back up any important documents, emails and photographs before you start. If the PC does not boot then please start a new thread about using a Linux boot CD to retrieve your data; as long as the hard disk is functional you CAN get your data!

    Important:- Before starting make sure you print these instructions as you will not be able to connect to the internet.

    The best method to remove malware is to do it after booting in Safe Mode. Please note to complete ALL these scans may take some time so make sure you allow yourself plenty of time.

    Boot to safe mode now.

    For info on how to boot to safe mode click on the link below:

    http://service1.symantec.com/SUPPORT...01052409420406

    Shut down ALL unrequired applications including browsers

    1) Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner

    2) Run Spybot Search & Destroy and allow it to fix all that it finds

    3) Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds

    You will now need to get back into normal Windows mode by reversing the steps you took to get into safe mode

    When Windows has booted up connect to the Internet and see if the problem is still happening, if so you may need to boot back into safe mode again and do a 2nd run of steps 2) to 6).

    Should the problem persist despite all this then run all the free online scans at both these sites:

    http://www.pandasecurity.com/uk/home...ns/activescan/


    using the "Scan your PC now" button not the other button to buy the program


    …and here…..

    http://housecall.trendmicro.com.

    When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. You do NOT want the default spyXposer scan.

    You should run ALL the free scans offered by Housecall.

    Make sure they both perform full system scans.

    If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details in a new thread in the techie forum stating the name of the Malware and which version of Windows you are using.

    If all is clear then please read the following and make sure that you have installed a Firewall and some AntiVirus software by reading the following thread

    http://forums.moneysavingexpert.com/showthread.html?t=3356

    and also it is important that you update your Version of Windows to the latest build as this will help stop a recurrence of the problem. You may need to go back and check for updates a 2nd time to make sure that you are fully up to date.

    http://update.microsoft.com/microsof....aspx?ln=en-us

    Please note that this will only work with a VALID Version of Windows XP or Vista
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    edited 15 June 2010 at 9:14PM
    If problems still exist then download HijackThis



    http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

    Note: You should only use HijackThis if you have advanced computer knowledge or if you are under the direction of someone who does. Improper usage of this program can cause problems with how your computer operates.

    To use HijackThis, download the file and extract it to a directory on your hard drive called c:\HijackThis. Then navigate to that directory and double-click on the hijackthis.exe file. When the program is started click on the Scan button and then the Save Log button to create a log of your information.

    You can then either paste the contents of the saved file to here for online analysis (please be aware that there is NO personal data in the log files and it is safe to do so)

    www.hijackthis.de/en

    or post your log file in the Techie Forum for advice. Please include the log from your Ewido scan as well.



    ##### Please note, all the posts after this do not make up part of the Spyware/Malware removal guide.

    They are all the opinions of the person making the post and are commenting on the rights and wrongs of the initial 4 posts #####
  • Ganyam
    Ganyam Posts: 2,666 Forumite
    1,000 Posts Combo Breaker
    "Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now."

    http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx
    If you think nobody cares about you, try missing a couple of payments.
  • Ganyam
    Ganyam Posts: 2,666 Forumite
    Browntoa wrote:
    this post is not for comments...it should be closed
    If what was said is correct then yes!! It will help, but some info on here is wrong..
    Browntoa wrote:
    the guy above does not know what he is talking about
    "..it is also true that, in cleaning highly infected systems, sometimes you make mistakes that cripple Windows and it is better to be able to take a step back to a working version of Windows - even an infected one! - rather than have Windows trashed completely. To quote Mow Green, "a leaky lifeboat is better than no lifeboat in a storm."
  • intel
    intel Posts: 6,404 Forumite
    Ganyam wrote:
    "Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now."

    http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx


    The above information is incorrect when using Spyware removal software, as spyware will hide waiting to re-infect within the restore points, so disable restore, run a scan, then re-enable restore.
  • Fran
    Fran Posts: 11,280 Forumite
    Part of the Furniture 10,000 Posts Photogenic Combo Breaker
    Due to differences of opinion I have decided to re-open this thread and merge it with the thread discussing malware, in keeping with the other stickies on this board which have been left open for discussion and comment.

    I know some people wanted this thread closed but I don't see how we can close it when other people have different opinions which should be available to everyone to make a choice about how to do their removal.

    I hope no-one minds this and please keep the discussions friendly! It's a very interesting thread and thanks to the people who put their time into it for the benefit of others. :T :)
    Torgwen.......... :) ...........
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    I'm with intel...

    I've yet to "kill" or cripple a PC by removing Spyware with the restore points off...and I've done a few !!!

    PcHelpman is the real expert on this as he helps out on a Spyware forum elsewhere and he was the one who came up with most of the wording of that part (among many others :) )
  • intel
    intel Posts: 6,404 Forumite
    Even my mates on Experts Exchange recommend restore off every time.
  • m00nie
    m00nie Posts: 2,314 Forumite
    I wouldn't switch it off every time, I would only switch it off if the problem came back after removing it with it on.

    Not all spyware etc will hide in the restore points so no need to turn it off every time IMO.

    Also, are all 6 of the programs really required?

    I only use CCleaner, Spybot and Ad-Aware and I keep my PC clean. (But then again I'm careful in what I do online.)
This discussion has been closed.