"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)


tashi
2005-11-08, 18:13
:welcome:

Malware Removal: only people with the following titles above their avatar may assist members.

MRU Helper, Security Helper, Security Warrior, Security Expert, Developer, Team Spybot.

If another member sends you a PM with malware removal instructions, please be warned not to follow that advice. If someone posts advice in their own topic as in, "this worked for me", it will be removed. Just so you know. ;)

You are in capable hands with any person authorized to help out in this forum.
The responses of our MRU Helpers are posted after being passed by their teachers, some of whom are experts here.

That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.

There is always risk involved in installing and removing any software. Even a fix that time has shown to be useful to thousands of users, can present problems to a few or be found to have a bug in development.

Duly noted by members, you may post logs in this forum for analysis. No HJT logs are to be posted in any of our other forums. :)

Before doing so, read post #2 below, Before you post a log (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

Preliminary Notes:

Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.



Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. This is especially important if your Operating System is Windows Vista!!



ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.



Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.



Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Our analysts assist people at several forums. A member's user name may be different, the problem will not be. If you have posted elsewhere, please inform us and provide link/s to the thread/s.



Please do not pm logs or malware removal requests to volunteer helpers, assistance is provided in the forums.



HijackThis doesn't scan the entire system and is only used for undetected or hard to remove nasties.
It is not a spot check tool, therefore if you have no symptoms of infection there is no need to post a log in this forum.



Please do not start more than one topic for the same computer, during the same period. It will either be removed, or merged with your original thread.



Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't. :p:
Edit: Topics that are bumped may be closed and users would have to start again. http://forums.spybot.info/showpost.php?p=219168&postcount=6


The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37) to avoid a topic being archived without notice.

Open Topics moved to archives (http://forums.spybot.info/showthread.php?t=20965)

Note:

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Please do not attach or link to infected files!
If an analyst requests files s/he will give you a link to upload them.

All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
When adding posts to your topic, do so by clicking ADD REPLY (http://forums.spybot.info/faq.php?faq=vb_board_usage#faq_posting)


Please don't post a gif/jpeg picture to show the problem, they are not needed and also hard on anyone who uses dialup. The logs will suffice and are best read in default black font, thank you. :)

If one of our volunteers is working with you towards cleaning up your computer, and you are going away before closure, please do let them know.

--------------------------------------------
Note:

If you have lost your Internet connection on the infected computer, or otherwise cannot post from that machine; you can download HJT to a clean PC if one is available.

Upload to infected machine
Place HJT into own folder
Run HJT on the infected PC and post the log you produce using the clean PC.

---------------------------------------------
Can I edit my own posts?

In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.

---------------------------------------------
For your own safety and privacy, please do not post your email, personal address or phone number. We are not responsible for personal details malware removal logs may contain, please review before hitting the post button.

tashi
2005-11-09, 08:30
When Spybot-S&D is installed.

TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware. (http://forums.spybot.info/showthread.php?t=281)

TeaTimer can be re-enabled once the computer is clean. :)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Not for use in Vista.
Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).


HJT Logs
To produce a log, run Trend Micro HijackThis 2.0.2, not Beta, HijackThis v1.99.1, or any other version.


HiJackThis log - Trend Micro HijackThis 2.0.2
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" and Paste (http://www.webmasternow.com/copyandpaste.html) the entire contents of the log (no attachments) into your (Click --> ) own new topic (http://forums.spybot.info/newthread.php?do=newthread&f=22)



DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a helper will guide you.

Provide: The HJT log only.

Note: In Notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.

It is preferable, and the log easier to read, if you do not use the [code] or [php] options.

The topic's title should be the problem you believe you may have.
Please do not post *hot links* to malware sites in your post when describing the problem, the HJT log is enough.

Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.

Our volunteer helpers appreciate your letting them know if they have helped.

Thank you. :)

------------------------------------------------
This scan is no longer a prerequisite before starting a topic. However your helper may request one after analysing the HJT log.

Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Read the requirements and privacy statement then click on the Accept button.



The program will launch and start to download the latest definition files.



You will be prompted to install an application from Kaspersky. Click Run



Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives



Click on My Computer under Scan.



Once the scan is complete, it will display the results. Click on View Scan Report.



Click on Save Report As....



Change the Files of type to Text file (.txt) before clicking on the Save button.



Save this report to a convenient place.



Copy and paste that information into your topic.



The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

--------------------------------------
After the computer is clean:

If you have not yet installed Spybot-S&D



Spybot-Search & Destroy 1.6.0 Download (http://www.safer-networking.org/en/download/index.html)



Tutorial (http://www.spybot.info/en/tutorial/index.html)

Make sure you update Spybot-S&D (then immunize your system) so that your scan will be with the latest definitions.

Open Spybot-S&D
Click on 'Update' in the navigation bar
Search for available updates
Select all available relevant updates
Select a download location
Download the selected updates
If you receive a Bad Checksum!! error select another download server


Spybot-S&D Support Forums (http://forums.spybot.info/forumdisplay.php?f=4)

tashi
2006-03-18, 18:49
While they may prove useful in experienced hands, I have yet to recommend any in general to users.

If you have used an analyzer and 'fixed' items before requesting advice, please inform your helper so they are aware.

Thank you.

tashi
2006-05-14, 04:19
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.

P2P programs

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.



Please be aware that tools used during the cleanup will likely remove them anyway, if that is not acceptable to you please withdraw your request for assistance.



If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Many of these Downloads are targeted to carry infections.

Credit: GaryR, Elrond at MRU. Tweaked for this forum.

----------------------------------------------------

If your Operating System is XP without a Service Pack:

Please read this topic: Have you updated Windows? Security Programs? Links and Tips. (http://forums.spybot.info/showthread.php?t=425)

Although Windows XP Service Pack 3 is cumulative, meaning it includes Service Pack 1 and all updates predating the release of SP3; before you upgrade to Windows XP SP3 you must ensure the computer is free of malware.

However, before a helper can attempt to assist in the removal of any malware, you must update to Service Pack 1a.
Service Pack 1 (SP1) is no longer available for download.

Download SP1a here: http://www.microsoft.com/downloads/details.aspx?familyid=0136E5F8-1684-4202-B2D0-C6A43430F12A&displaylang=en

Differences Between Windows XP SP1 and Windows XP SP1a: http://support.microsoft.com/?kbid=813926

Note: You must have either Windows XP Service Pack 1a or Windows XP Service Pack 2 installed in order to install Windows XP Service Pack 3.

Keeping Windows up-to-date and patched is your first line of defence against malware.

If you do not have a legitimate copy of Windows please rectify.

Aside from the legalities, there is little point in cleaning a system that will be re-infected almost immediately.


Thank you for your understanding, and assisting in keeping the net a safer place for everyone.

tashi
2006-05-17, 18:33
The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteers.

We realise on occasion an IT person might need a second opinion. In which case please state that up-front and note the steps already taken. Our volunteers appreciate that. :)

If you are a computer business claiming to remove spyware for your paying customers, please ensure it is a second opinion you are seeking, and not posting your jobs for others to clean. Volunteers are not here to support such. Personal computer clients may be directed to this forum to receive free advice in the first person.

---------------------------------------------

Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

--------------------------------------------
Malware removal forum volunteers are unable to assist users with infected Corporate, Government or Institutional machines. Please contact our office support so they may provide direct assistance for your needs. Thank you. :)

Spybot S&D Corporate-Small Business Editions (http://www.safer-networking.ie/en/index.html)
For more information, please send an email to licenses(at)spybot.info

Regards.

tashi
2008-08-02, 22:24
Increasingly we see users who start a topic and bump it, sometimes within hours or a day of the thread being posted.

"Any help?" "Anyone there?" Etc.

Bump and the topic will probably be closed, the user would need to start again. :eek:

Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't. "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

tashi
2008-11-06, 04:54
Nudge to top.