Old 2005-11-08, 18:13   #1
tashi
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 21,625
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

The FAQ: we have to keep adding to it when people don't read it, so please take the time. We can only help if you help us by following it before starting a topic.

Malware Removal Forum: volunteers with the following titles above their avatar are authorized to assist members.

MRU Team, Security Team, Security Warrior, Security Expert, Developer.

If another member sends you a PM with malware removal instructions, please be warned not to follow that advice. If someone posts advice to others in their own topic, as in "this worked for me", it will be removed. Just so you know.

You are in capable hands with any person authorized to help out in this forum.
The responses of our MRU Team Helpers are posted after being passed by their teachers, some of whom are experts here.

That said, there is always risk involved in installing and removing any software. Even a fix that time has shown to be useful to thousands of users can present problems to a few, or be found to have a bug in development.

While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Duly noted by members: please start a topic and provide the Trend Micro HiJackThis (HJT) log (not old version 1.99 or below) for analysis. No HJT/Malware logs are to be posted in any of our other forums.

Before doing so, read post #2 below, Before you post a log

Preliminary Notes:

  • Please backup your Registry with ERUNT, instructions in post #2 below.
  • Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.
  • Please wait to be advised and do NOT run 'FIXES' (ComboFix etc.) without being asked (Pinned Sticky topic). If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans.
  • However if one has run tools/fixes before posting please inform your helper, so that s/he is aware changes may have been made to the system and why. Running fixes before being assisted can destroy evidence of an infection, leaving the malware difficult to detect.
  • Note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
  • Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Our analysts assist people at several forums. A member's user name may be different, the problem will not be. A worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere.
  • Please do not pm logs or malware removal requests to volunteer helpers, assistance is provided in the forums.
  • If you have no symptoms of infection there is no need to post a log in this forum, (as in requesting a 'checkup' for no malware removal reason but only to show a log).
  • Please do not start more than one topic for the same computer, during the same period. It will either be removed, closed or merged with your original thread.
  • If you have more than one infected computer in the house please let your helper know. Start a new topic for the next machine once the prior thread has been closed.
  • Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. For that reason we may merge such posts, but please do not count on it.

The Waiting Room: post here if you have been waiting for help for four days, to avoid a topic being archived without notice.

Open Topics moved to archives

Note:
If it has been four days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Please do not attach or link to infected files! For the safety of our members they will be removed.
If an analyst requests files s/he will give you a link to upload them.
You can also zip or rar them and send to: detections(at)spybot.info (Replace AT with @)
Please don't add live clickable urls to your topic linking to the malware sites that may have infected your computer.

All logs should be copy/pasted into topic and not attached or wrapped by "code" unless requested by helper in that format.
When adding posts to your topic, do so by clicking ADD REPLY


Please don't post a gif/jpeg picture to show the problem; they are not needed and are also hard on anyone who uses dial-up. The logs will suffice and are best read in default black font, thank you.

If one of our volunteers is working with you towards cleaning up your computer, and you are going away before closure, please do let them know.

--------------------------------------------
Note:
Do not use a usb/external hard drive that has been connected to the infected machine to transfer media.
---------------------------------------------
Can I edit my own posts?
  1. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
  2. In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.
--------------------------------------------
Subscriptions

Members can keep track of their threads and choose how to be notified about updates.
---------------------------------------------
For your own safety and privacy, please do not post your email, personal address or phone number. We are not responsible for personal details malware removal logs may contain, please review before hitting the post button.
Old 2005-11-09, 08:30   #2
tashi
Member of Team Spybot
Before you post a HJT log

When Spybot-S&D is installed.

TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware.

TeaTimer can be re-enabled once the computer is clean.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Please back up your registry!
  • Download ERUNT (The Emergency Recovery Utility NT: Registry Backup and Restore for Windows NT/2000/2003/XP/Vista)
  • Make sure you choose to download "ERUNT" NOT NTREGOPT
  • Save it to your desktop. Run and install this program.
  • In the box that opens ONLY choose "System registry"
  • Click OK.
  • Click save and then go to File > Exit.

This is so the registry can be restored to this point if we need it.

NOTE: Installing ERUNT may also install the "registry optimization tool" "NTREGOPT" by default. Please do NOT run NTREGOPT.

Registry Cleaners, not recommended

HJT Logs


Click here to download Trend Micro HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" and paste the entire contents of the log (no attachments) into your own new topic. Please provide only the one log until a helper responds, thanks.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a helper will guide you.
  • If the infection prevents HJT from running, please start a topic anyway and make note of the situation.
  • If you cannot disable Tea Timer, also make a note.

Note:
In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single-spaced.
single-spaced - (of type or print) not having a blank space between lines. Otherwise the log is hard to read.

It is preferable, and the log easier to read, if you do not use the [code] or [php] options, unless requested in that format.
  • The topic's title should be the problem you believe you may have.
  • Please do not post *hot links* to malware sites in your post when describing the problem, the HJT log is enough.
Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation.
As much as we like our members we would rather not see you back in a few weeks because there was no follow up with the helper.

When asked to post back one more time please do so.

Our volunteer helpers appreciate your letting them know if they have helped.
------------------------------------------------

After the computer is clean:

To install Spybot-S&D

Make sure you update Spybot-S&D (then immunize your system) so that your scan will be with the latest definitions.
  • Open Spybot-S&D
  • Click on 'Update' in the navigation bar
  • Search for available updates
  • Select all available relevant updates
  • Select a download location
  • Download the selected updates
  • If you receive a Bad Checksum!! error select another download server

Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums
__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2009

Please help us improve Spybot, download our distributed testing client

Last edited by tashi; 2009-05-30 at 20:00. Reason: tweak
Old 2006-03-18, 18:49   #3
tashi
Member of Team Spybot
On-Line HiJackThis Analyzers

Not recommended. If you have used a machine analyzer and 'fixed' items before requesting advice, please inform your trained analyst so they are aware.

Thank you.

Last edited by tashi; 2007-08-09 at 22:54. Reason: tweak
Old 2006-05-14, 04:19   #4
tashi
Member of Team Spybot
You and Windows, a joint effort

Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

Helping a person who insists on using such software could be construed in the eyes of the law to be aiding and abetting a crime. Aside from the legalities, be aware malware authors prey on users looking to circumvent a software's protection mechanisms.

There is a high risk of infection involved in downloading and running crack codes (who wants Virut?), and the possibility of your computer being turned into a zombie machine. In other words, the computer won't be "yours" any longer.

You will be asked to remove any cracked programs.

In the case of your operating system please obtain a valid licensed copy.

--------------------------------------------

P2P programs

Many people seeking help in the malware removal forum have a computer infected by the practice of P2P file sharing.

Our policy:
  • If such programs are on your computer you will be asked to uninstall them and help withdrawn should you not agree.
  • Please be aware that Tools used during the cleanup will probably detect these programs and remove them.
  • Once the machine is clean, if you return with another infection contracted by the use of P2P programs, volunteer analysts may refuse assistance.
File Sharing, otherwise known as Peer To Peer. (P2P)

----------------------------------------------------

If your Operating System is XP without a Service Pack or you cannot validate.

Please read this topic: UPDATED WINDOWS - Your first line of defense, links and tips

When an operating system is not kept patched through "Windows Updates" it is a seriously vulnerable machine, leaving a barn door open to malware. There is not only the risk of having your computer continually infected but also "owned" by a botnet. The computer would then be a zombied machine sending out spam/malware and infecting other net users all over the planet.

If you are experiencing difficulties with updating/upgrading: Validate Windows

Thank you for your understanding, and assisting in keeping the net a safer place for everyone.

Last edited by tashi; 2009-04-11 at 11:32. Reason: Update
Old 2006-05-17, 18:33   #5
tashi
Member of Team Spybot
Personal computers or.....

The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteers.

If you are a computer business claiming to remove malware for your paying customers, our volunteers are not here to support such. Clients with infected PCs may be directed to this forum to receive free advice in the first person.

---------------------------------------------

Note:
When the infected computer in question is a company machine in the workplace, or you are an employee:

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

The majority of the tools used in this forum are only free for Home Users and only tested on Home machines; they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected, immediately.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.

Thank you for your understanding.
--------------------------------------------
As Malware removal forum volunteers are unable to assist users with infected Corporate, Government, Small Business or Institutional machines, please contact our office support so they may provide direct assistance for your needs. Thank you.

Spybot S&D Corporate-Small Business Editions
For more information, please send an email to licenses(at)spybot.info

Regards.

Last edited by tashi; 2009-03-15 at 20:00. Reason: Added information, thank you Katana
Old 2008-08-02, 22:24   #6
tashi
Member of Team Spybot
Bump and Topic Will Be Closed

Increasingly we see users who start a topic and bump it, sometimes within hours or a day of the thread being posted.

"Any help?" "Anyone there?" "Bump", etc.

Our volunteer helpers are doing their best already. Bump and the topic will be closed, please start again.

Quote:
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days
Old 2010-01-12, 20:24   #7
tashi
Member of Team Spybot

Nudge up.
Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.