
Malware Cleaning Guide
From MalwareTeks Wiki
Often problems are solved just by running Preliminary Scans.
Important Notice:
| No system that has been infected can be trusted ever again. The only way to ensure that your system is safe again is to do a 'Clean Install' of the Operating System. If your system has a 'RootKit' installed, there is a good chance your system is completely subverted by the RootKit, and it is not to be trusted ever again. Malware comes in many forms: Spyware, Adware, Viruses, Trojans, Worms, Keyloggers, Remote Administration Tools and RootKits, ranging in difficulty to remove. Some can simply be removed by uninstalling the Malware via Add or Remove Programs in the Control Panel; others can be extremely difficult to remove. However, the only way to truly be sure that the Malware is completely gone is to completely remove the partitions, format the drive, and do a 'Clean Install' of the Operating System. If you don't take this advice and decide to do a manual clean instead of a reinstall of your system, don't blame us if any sensitive data is stolen from you. The only reply you will ever get from us will be: "YOU WERE WARNED!" |
Make sure you know how to do the following:
Do NOT disable System Restore yet! An infected restore point is better than no restore point at all.
In order for the volunteers, who offer their free time and expertise, to assist you in a timely manner, complete the following steps before posting a request for help:
Download and install the following tools. Make sure to get ALL updates.
This will self extract to C:\Program Files\Trend Micro\HijackThis.
If you already have HijackThis and it is not in this location, uninstall HijackThis and reinstall it from the above link.
| Many people are under the very mistaken impression that HijackThis (HJT) is a Malware removal tool. It is not. HJT is simply a tool that is used to identify browser hijackers and in some cases will show entries for 'some' Malware that is, for instance, running at startup, but HJT will by no means show everything. Those who have infected computers and are relying on HJT without the benefit of running additional scans such as the ones in this guide, listed below, are more than likely still infected. In most cases, where there is one Virus/Trojan there are more. |
IMPORTANT: Rename hijackthis.exe to analyse.exe. There is a variant of Virtumonde (Vundo), aka WinFixer, that keys on the name HijackThis. If you do not rename HijackThis we will not see the infection in the initial HJT log.
You will need to create a new shortcut to HijackThis or fix the path in the existing shortcut.
Update to the latest definitions, enable its "Immunize" feature, and do NOT use TeaTimer!
Put this on your Desktop for easier access.
Double-click mbam-setup.exe and follow the prompts to install the program. Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Close Malwarebytes' Anti-Malware.
Cleaning Process
1 - Look in Add/Remove Programs and uninstall any Applications that you deem suspicious.
For a list of Malware applications that can be uninstalled via Add or Remove Programs see: Uninstall Malware via Add/Remove Programs
2 - Enable the viewing of hidden files and folders. Also uncheck "Hide Protected Operating System Files".
Close ALL Browsers and physically unplug your Internet Cable.
3 - Now reboot to Safe Mode and continue -->
- Run ATF Cleaner 3 by Atribune
| -- Click on ATF-Cleaner.exe to run it -- Where it says Select Files To Delete, Check the Select All Option
NOTE: If you would like to keep your saved passwords, please click No at the prompt. |
NOTE: This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
Notes for Windows Vista users:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator". Prefetch has been disabled on Windows Vista.
- Run Spybot Search and Destroy and allow it to "fix" anything it finds.
| -- Unblock Ignored Products - Choose Mode > Advanced Mode > Yes > Settings > Ignore Products > All Products tab. Right click and choose Deselect All |
- Run Malwarebytes' Anti-Malware
| -- Once the program has loaded, select Perform quick scan, then click Scan. -- When the scan is complete, click OK, then Show Results to view the results. |
- Open and run Microsoft Malicious Software Removal Tool and fix what it finds.
Reconnect your Internet Cable
4 - Now reboot to Safe Mode with Networking and continue -->
(Use of Internet Explorer is required for this step)
Choose 2 of the following Online scans and run them:
- BitDefender Online Scan
- Panda ActiveScan
- Kaspersky Online Virus Scanner
- Trend Micro Online Virus Scan
Be sure to save the logs.
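As an added example, not part of the MalwareTeks guide: a PowerShell script that applies step 2 (show hidden files and protected operating-system files) through the same registry values the Folder Options dialog writes, and produces a text inventory of what Add/Remove Programs lists for step 1, saved to the Desktop as a .txt so it can be attached with the other logs. It assumes Windows PowerShell is installed and run from an administrator prompt; the "flagged" heuristic is the editor's rough triage aid and not a rule from the guide.

```powershell
# Added example, not from the MalwareTeks guide. Assumes Windows PowerShell
# is installed and this runs from an elevated (administrator) prompt.

# Step 2: show hidden files and folders and uncheck "Hide protected operating
# system files" by writing the Explorer values the Folder Options dialog uses.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1 -Type DWord  # 1 = show hidden files
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord  # 1 = show protected OS files

# Step 1: collect what Add/Remove Programs shows so each entry can be checked
# against the guide's "Uninstall Malware via Add/Remove Programs" list.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*')
$apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString |
    Sort-Object InstallDate -Descending

# Rough triage aid only (editor's heuristic, not from the guide): an entry with
# no publisher, or whose uninstaller lives under a user profile or Temp folder,
# deserves a closer look before deciding whether it is suspicious.
$flagged = @($apps | Where-Object {
    -not $_.Publisher -or
    $_.UninstallString -match 'Documents and Settings|\\Users\\|\\Temp\\'
})

# Save the inventory as a .txt on the Desktop, alongside the logs the guide
# asks you to attach to your forum thread.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'installed-programs.txt'
"Installed programs (newest first), generated $(Get-Date)" | Out-File $out
$apps | Format-Table -AutoSize | Out-String -Width 200 | Out-File $out -Append
"`nEntries worth a closer look (no publisher, or uninstaller in a profile/Temp path):" |
    Out-File $out -Append
$flagged | Format-Table DisplayName, UninstallString -AutoSize |
    Out-String -Width 200 | Out-File $out -Append
Write-Host "Wrote $out; $($flagged.Count) entries flagged for review."
```

Explorer reads the new Folder Options values the next time it starts (or after you log off and on again), so open Windows Explorer afresh before looking for hidden files.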
If after doing the above steps you are still having problems, continue with the below:
Post Cleaning Process
5 - Reboot back into Normal Mode
- Run ISeeYouXP
NOTE for Win9x and WinMe users: ISeeYouXP does not support Win9x or WinMe.
Double-click ISeeYouXP.exe; ISeeYouXP will be extracted to C:\ISeeYouXP, and a shortcut to ISeeYouXP.bat will be placed on the Desktop.
Double-click the ISeeYouXP shortcut to run ISeeYouXP.
| IMPORTANT NOTE: Vista Users UAC must be turned off to run this script. |
Vista Users: To Run ISeeYouXP right-click on ISeeYouXP.bat and select "Run as Administrator"
| Possible Error Messages -- If your ISeeYouXP.txt log appears to be empty or semi-empty, or if you get an error message similar to the one below
-- A possible second type of error message may occur as shown below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem |
- Run HijackThis
| -- Right-click the Start Button at the bottom-left corner of the screen. Click "Explore" to open Windows Explorer. -- Navigate to C:\Program Files\Trend Micro\HijackThis and double-click analyse.exe. |
Start a thread in our Malware Removal Forum where one of our approved volunteers will be happy to assist you.
You must be a registered member of our site in order to post in the Forums.
If you are not registered you may do so now, by Clicking Here!
Attach the following logs:
- ISeeYouXP
- HijackThis
- Malwarebytes' Anti-Malware
- Both logs from the Online Anti-Virus scanners that you chose to run
To attach your logs, do the following:
- Save your files as a .txt file somewhere such as your desktop where they will be easy to locate.
- Under Add an Attachment you will see a Filename box
- Click Browse to the right of the Filename box and browse to where you saved your text file
- Highlight your file and choose Open
- Now choose Add Attachment
Please note that responses to threads requesting help may be limited as this is a community forum dependent on the free time and good will of volunteers. Also, please be aware that not all of the advice given in an open forum is accurate. Do not be afraid to question any advice you believe to be suspect!
MalwareTeks retains the Copyright to this article.
You may not reproduce this article in whole or part without the express permission of the author.
Updated: 14 June, 1008

