Before beginning the cleanup process, it's very important that you back up all of your important data, photos, music, etc. to other media such as CDs or an external hard drive. An infected computer can be highly unstable and even a healthy one can crash and become unbootable at any time for a number of reasons so you should regularly back up anything that you wouldn't want to lose.
Also, many infections these days allow hackers to take control of your computer and obtain passwords and other sensitive information it may contain. With any infection, you should immediately change all passwords for logins, especially if you use your computer for banking and/or other types of financial transactions, but you must do so from a clean computer and not use the infected one for any such purposes.
Now you are ready to begin the clean up process. Please follow the steps outlined below and post the requested logs in your initial post(s). You may have to make more than one post if the logs are too long. Please only upload logs as attachments when specifically requested to do so as copying and pasting them is much easier to read and follow in the thread.
1. Please download HijackThis:
Please go here to download HijackThis.
- Save the HijackThis.exe file to your desktop.
- Double-click the HijackThis.exe file on your desktop to launch the program. If you get a security warning asking if you want to run this software because the publisher couldn't be verified click on Run to allow it.
- Click on the Scan button. The scan will not take long and when it's finished the resulting log will open automatically in Notepad.
- Save the log file to your desktop. Copy and paste the contents of the log in your post.
Please do not fix anything with HijackThis unless you are instructed to do so. Most of what appears in the log will be harmless and/or necessary.
2. Please download DDS by sUBs to your desktop from the following location: http://download.bleepingcomputer.com/sUBs/dds.scr
Note: You must use Internet Explorer to download dds.scr; other browsers will open the file in the browser and not save it. If you must use Firefox or Chrome, right-click the link, select "save link as", save the file to your desktop or downloads folder, and run it from there.
Double-click the dds.scr file to run the program.
It will automatically run in silent mode and then you will see the following note:
"Two logs shall be created on your Desktop"
The logs will be named dds.txt and attach.txt.
Wait until the logs appear and then copy and paste their contents in your post.
3. Please download GMER from:
http://www.gmer.net/#files
Click on the "Download EXE" button and save the randomly named .exe file to your desktop.
Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.
Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.
If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:
- IAT/EAT
- Any drive letter other than the primary system drive (which is generally C).
Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.
Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. If you have a 64-bit computer be sure to only use the latest version (2.0 or later) as earlier versions were not designed to work on 64-bit systems.
Please post the requested logs/reports, as follows:
1. Copy and paste the HijackThis log.
2. Copy and paste the contents of the dds.txt file.
3. Copy and paste the attach.txt file. There is no need to zip and attach it as suggested in the DDS instructions.
4. Copy and paste the contents of the ark.txt file.
Once you've posted the requested logs please be patient and wait for assistance. Our qualified helpers are all very busy and will try to get to you as soon as possible. If you haven't received a reply within 48 hours, you can post a reply to your thread that will simply "bump" it back up to the top where it's more likely to be noticed.
Other Important Notes: Effective October 30th, 2008 a new procedure has been implemented so that everyone can easily see if posters are receiving assistance or not, even if they've replied to their own thread. In the past, this led us to believe they were receiving assistance as helpers looked for threads with 0 replies first when looking for posters to help.
Now, when a user starts a new thread in the Malware Removal & HijackThis forum, the thread is automatically tagged "New" which appears to the left of the thread title. The tag "New" remains there even if the thread starter replies back to their own thread to add additional information. This also means that the thread starter can now post a reply to "bump" their thread back up to the top as is done in other forums. However, we do ask that posters be patient and wait at least 24 hours before doing so.
When a helper replies to a thread they will change the tag to read "In Progress" so that other helpers will know that the poster is now receiving assistance.
When the thread is solved then the thread starter should click on the "Mark Solved" button that appears on the upper left side of the first post in the thread so that it can be tagged as "Solved".
Note: Duplicate threads will be merged, deleted or closed at Moderator discretion.
Threads will automatically close after 45 days of inactivity.
IMPORTANT NOTE REGARDING CORPORATE/COMPANY OWNED COMPUTERS
Please do not request assistance for corporate/company owned computers. Many changes/deletions are made during the clean up process, some of which may involve uninstalling programs, deleting folders/files, changing settings and/or removing policies etc. As we have no way of knowing for sure if these are actually needed for company operations, malware issues in these cases should be handled by your own IT Departments in order to avoid any undesirable results.