Ried

Welcome to Tech Support Forum

Virus/Trojan/Spyware Removal Help

* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. Do not run any specialized tools that you see being used in other threads without direct supervision from one of our trained analysts. Be advised that running any specialized tools not listed in this topic, on your own, is done solely at your own risk

* It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

=============================

How Soon Can I Expect Help?

=============================


Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. Also please note that there are many more people in need of assistance than there are trained staff members who may assist. Patience for this free assistance is required. If there is an immediate need, please take the machine to a local technician.

If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words "BUMP, please" to move it forward. Do NOT bump the thread unless 72 hours has passed. We try to work from oldest to newest posts so your wait will be longer if you bump it forward before the 72 hours is up. When looking threads to respond to, we look for threads with 0 reply, or 1 reply. If you bump, or add a post prior to the 72 hrs, your thread is highly likely to be overlooked by our queuing methods.

Additionally, do not bump more than once. If you do, it may appear as though the thread is being handled, and it may be overlooked. Early bump posts will be deleted.

NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.


Also be advised:

It is not our intent to repeatedly remove malware from the same member's machines. The intent of this free service performed by volunteers is to help remove malware from your machine, educate you on how it may have happened, and how to prevent that from happening again. To this end, we provide links to articles and tools which should make your visit to the Virus/Trojan/Spyware Help section of TSF a one time event. Please do enjoy the rest of Tech Support Forum as many times as you like!



==================================================

Change Your Login and Passwords to Financial Sites

==================================================


Many infections that the commercial scanners are failing to remove are the type of infections that allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all login and passwords where applicable. It would be wise to contact those same financial institutions to apprise them of your situation. Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.


===========================================

Preparing for the Malware Removal Process

===========================================


While we try our hardest to avoid them, accidents do happen. With today's malware being as it is, neither Tech Support Forum nor the Analyst providing the advice may be held responsible for any loss of your data. You're following the instructions given at your own risk. We recommend that you back up any data that’s important to you beforehand, just in case the worst happens.

1. As a general rule, to offset any unexpected mishaps, your personal data should be backed up regularly. If you do not already have a process in place that backs up your data, it is highly recommended you do this now. Click here for guidelines on what to back up and how to do it.

2. If you suspect the machine to have cracked (illegal) software installed, click here.


3. Uninstall the following via Add or Remove Programs in Control Panel:

• If you have more than one antivirus software installed, leave only ONE and uninstall the others.
  
  
• p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link

=================================

Downloads and Reports Required:

=================================


Before scanning, ensure all other running programs are closed. Do not use your computer for anything else during the scan.

Also, ensure there aren't any scheduled antivirus scans running while the dds scan is being performed.

*Note - Some antivirus programs falsely detect dds.scr as a threat.

====
DDS:
====
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.

=====
GMER:
=====

Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



===========================
How the logs should be furnished:
===========================

Copy/Paste the contents of 'DDS.txt' to be posted as text to your post
The other two logs ...

* attach.txt
* ark.txt

... should be zipped/archived before attaching to the post







When posting your reply, the zipped file may be attached by clicking the [Manage Attachments] button.
It's located under [Additonal Options] on the composition page.
Browse to where you saved the file, and click Upload.






=================================

When posting the logs please observe the following

=================================

• Describe your issue/problem in DETAIL!. We cannot second guess as to what your issue(s) may be. Please provide as much detail as possible, including virus/trojan/worm names and locations if available. The more information you can give us the better we can help
  
  
• Only Attach the logs that we've specifically requested for you to. (Otherwise post it as text in the Reply box).
  
• DO NOT Wrap the log using Quote or Code tags. (DO make sure notepad word-wrap is OFF)
  
• DO NOT Post another Program’s log (Unless we specifically ask for it)
  
• DO NOT Cut off the header of any log (It contains important information for the Analyst)
  
• DO NOT Private Message the Analyst unless asked to do so.
  
• DO NOT post live suspicious links. We do appreciate that you want to give as much information as possible, but the links need to be munged. Alter the links to use hxxp:// instead of http://

Click here to post the following logs in the Virus/Trojan/Spyware Help Forum


Checklist

1. DDS.txt - copy/pasted directly into Reply box
2. Attach.zip (contains Attach.txt and ARK.txt) - attached to post
3. Rootkits that alter critical/legit Windows files are becoming more commonplace. To facilitate a more rapid cleaning of your system, also tell us whether or not you have/have access to a Windows Install disc, or a Boot CD
   

Once you have posted, subcribe to your thread by going to Thread Tools located at the top of the thread.
Select Subscribe. Make sure it is set to Instant Notification.

This concludes the basic steps required before posting your logs. Thank you for taking the time to read this.

Ried

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.