Old 2005-11-08, 17:13   #1
tashi
Member of Team Spybot
 
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16
Default "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)



The FAQ, we have to keep adding when people don't read it so please take the time. We can only help if you help us by following it before starting a topic.

Malware Removal Forum: volunteers with the following titles above their avatar are authorized to assist members.

Security Team, Anti-Malware Team, Security Expert, Developer.

Analysts on the Security Team are advanced students whose responses are passed by their teachers, some of whom help here.

You are in capable hands with any person authorized to assist members in this forum.

That said, there is always risk involved in installing and removing any software. Even a fix that time has shown to be useful to thousands of users, can present problems to a few or be found to have a bug in development.

While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Duly noted by members, please start a topic and provide the DDS log for analysis. No Malware logs are to be posted in any of our other forums.

Before doing so, read post #2 below, Before you post a log which also shows how to produce a DDS log. If the infection prevents DDS from running, or being copy/pasted, please start a topic and make note of the situation, provide details of the computer's current symptoms and wait for a response.

Preliminary Notes:
  • Please backup your Registry with ERUNT, instructions in post #2 below.
  • Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (dirty or not) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.
  • If one has already run tools/fixes before posting please inform your helper, so that s/he is aware changes may have been made to the system and why. Running fixes before being assisted can destroy evidence in an infection, leaving the malware difficult to detect.
  • Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
  • If someone posts malware removal instructions in their own topic, "this worked for me", it will be removed, possibly without notice. Just so you know.
  • Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources as our analysts assist people at several forums. Worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere. If you have already requested help at another site choose where you wish to continue and advise all parties.
  • Do not pm logs or malware removal requests to volunteer helpers, assistance is provided in the forums.
  • Please do not start more than one topic for the same computer, during the same period. It will either be removed, closed or merged with your original thread.
  • If you have more than one infected computer in the house please let your helper know. Start a new topic for the next machine once the prior thread has been closed.
  • Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count, they look for topics with a 0 response. For that reason we may merge such posts but please do not count on it.
  • Please do not attach or link to infected files/URLs, if an analyst requests files s/he will give you a link to upload them.
  • If your computer shows no symptoms of infection there is no need to post a log in this forum, as in requesting a 'checkup' for no malware removal reason but only to show a log.

The Waiting Room: Post here if waiting for help four days
Open Topics moved to archives

Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation, and when asked to post back one more time please do so. As much as we like our members we would rather not see you back in a few weeks because the disinfecting wasn't finished and final instructions given.

Along the same vein, this free service is provided by volunteers to assist in the removal of malware from personal computers and provide useful information to prevent an infection from happening again. Although "stuff happens", a helper's intention is not to repeatedly remove malware from the same member's machine/s.

Our volunteers appreciate your letting them know if they have helped.


---------------------------------
Subscriptions

Members can keep track of their threads and choose how to be notified about updates.
---------------------------------
Can I edit my own posts?
  1. In the Malware Removal Forum, members may not edit their posts.
  2. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
Old 2005-11-09, 07:30   #2
tashi
Default Before you post a DDS log

Please back up your registry!
  • Download ERUNT The Emergency Recovery Utility NT Registry Backup and Restore for Windows NT/2000/2003/XP/Vista
  • Make sure you choose to download "ERUNT" NOT NTREGOPT
  • Save it to your desktop. Run and install this program.
  • In the box that opens ONLY choose "System registry"
  • Click OK.
  • Click save and then go to File > Exit.

This is so the registry can be restored to this point if we need it.

NOTE: Installing ERUNT may also install the "registry optimization tool" "NTREGOPT" by default. Please do NOT run NTREGOPT.

Registry Cleaners, not recommended

DDS Log


Download to your desktop DDS from one of the links below:

Link 1
Link 2
  • Double click the tool to run it.
  • A black screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)
If the infection prevents DDS from running, please start a topic anyway and make note of the situation.

Do not use a usb/external hard drive that has been connected to the infected machine to transfer media.

---------------------------------------------------------------------------------------------------------------

When Spybot-S&D is installed

TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware.

TeaTimer can be re-enabled once the computer is clean.

1. Open Spybot-S&D in Advanced Mode.
2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Corporate, Government, Small Business or Institutional machines? Please see: Personal computers

__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2010

Please help us improve Spybot, download our distributed testing client

Last edited by tashi; 2010-08-20 at 21:32. Reason: Tweak
Old 2006-03-18, 17:49   #3
tashi
Default On-Line Analyzers

If you have used a machine analyzer, (not recommended), and 'fixed' items before requesting advice, please inform your human analyst so they are aware.

Thank you.

Last edited by tashi; 2007-08-09 at 21:54. Reason: tweak
Old 2006-05-14, 03:19   #4
tashi
Default You and Windows, a joint effort

Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities be aware malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.
--------------------------------------------

P2P programs /Torrents

Many people seeking help in the malware removal forum have a computer infected by downloads from untrusted sources via P2P.
  • It is the volunteer analyst's choice to ask you to uninstall the clients before they continue providing help.
File Sharing, otherwise known as Peer To Peer. (P2P)
----------------------------------------------------

If your Operating System is XP without a Service Pack or you cannot validate.

Please read this topic: UPDATED WINDOWS - Your first line of defense, links and tips

When an operating system is not kept patched through "Windows Updates" it is a seriously vulnerable machine leaving a barn door open to malware. There is not only the risk of having your computer continually infected but also "owned" by a botnet. The computer would then be a zombied machine sending out spam/malware and infecting other net users all over the planet.

Note:
Many helpers in malware removal forums are reluctant to try and clean an operating system that is no longer supported, and therefore cannot be updated or patched.

For instance, End of support for Windows 98 and Windows ME

Furthermore the tools most often used for manual removals do not work on legacy systems.

If you have a legacy system and cannot upgrade to XP or above, please consider keeping the computer for word processing only and not using it for on-line surfing.
-------------
If you are experiencing difficulties with updating/upgrading: Validate Windows

Thank you for your understanding, and assisting in keeping the net a safer place for everyone.

Last edited by tashi; 2009-04-11 at 10:32. Reason: Update
Old 2006-05-17, 17:33   #5
tashi
Default Personal computers

The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteer analysts.

When an infected computer is a company machine and/or in the workplace.

The intention of this forum is not to replace a company's IT department, helpers cannot anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

Another consideration is that company information may show in the logs and more than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected. If neither are available please consider calling in a local technician who can see the machine/network in person.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.

Thank you for your understanding.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Corporate, Government, Small Business or Institutional

Spybot S&D Corporate-Small Business Editions

Please contact our office support so they may provide direct assistance for your needs.

Thank you.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
If you are a computer business removing malware for paying customers, please don't post the logs here as our volunteers are not here to support such. Clients with infected PCs may be directed to this forum to receive advice in the first person.

Last edited by tashi; 2010-08-21 at 01:08.
Old 2008-08-02, 21:24   #6
tashi
Default Bump and Topic May Be Closed

Sometimes within hours or a day a user may bump their new topic in an effort to get it back to the top of the page.

"Any help?" "Anyone there?" "Bump", etc.

Our volunteers are really doing their best to assist as many members as possible; bumping could get your topic closed and you'd need to start again. Remember too that adding posts to a topic removes the zero response analysts search for, so bumping accomplishes the opposite of the desired effect.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days

Thanks.
Old 2010-08-02, 16:43   #7
tashi

Nudge to top.


All times are GMT +2.


Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.