Preparation: Virus, Spyware and Trojan Removal
Britec
« on: October 27, 2009, 07:59:59 AM »

Malware (Spyware, Adware, Trojans, Viruses) is ever increasing in frequency and in its ability to disguise itself. This forum is a resource for removal of this malicious software (malware). This guide will help you to remove many of the most common problems, and allow us to help you most efficiently. It may look daunting, but shouldn't take long to complete.

Please remember, people helping you here are all volunteers. Be patient, somebody will help you as soon as they become available. We have REAL jobs, families, have other interests, or may live half way around the world. Plus, there may be people in front of you waiting for help. Following the steps below will lighten our work load, and allow us to help more people. Please acknowledge that you've followed the steps in this cleaning guide (or our first reply will likely direct you here).

Finally, please follow your thread to a conclusion. Just because a popup is gone, or a desktop is restored, it does not mean your system is free of malware.

Preparation:


1. Download ATF Cleaner
2. Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
3. Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

4. If prompted, click "Yes" to reboot.


System Restore (Windows Vista, XP and ME)
This ensures there's a valid system restore point, in case it's needed. We use a simple program called SysRestorePoint that automates the steps of creating a restore point.

Create a New System Restore Point:
1.   Download SysRestorePoint to your desktop, or other location.
2.   Double click SysRestorePoint.exe to create a new system restore point.
3.   A box will pop up as it's creating the restore point, and provide notification when complete. When finished, close that window and exit the program.


ERUNT - Download - Homepage
This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.

1.   Download ERUNT
2.   Double-click erunt_setup.exe to run.
3.   Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
4.   Say No when asked to add ERUNT to the start-up folder; you can enable this option later if you like.

5.   Start ERUNT
6.   Choose a location for the backup
The default location C:\WINDOWS\ERDNT\[today's date] is preferred

7.   The first two check boxes are ticked by default (System registry and Current user registry).
8.   Press OK
9.   When prompted, click YES to create a new folder.
10.   Progress bars will show backup status.
11.   A confirmation window will popup when complete. Click OK to close.


Step One: Scan for Spyware/Adware
Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version (freeware) - Homepage
Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.

1.Double-click mbam-setup.exe and follow the prompts to install the program.
2.At the end, confirm a check mark is placed next to the following:
◦Update Malwarebytes' Anti-Malware
◦Launch Malwarebytes' Anti-Malware
3.Then click Finish.
4.If an update is found, it will download and install the latest version.
5.Once the program has loaded, select Perform quick scan, then click Scan.
6.When the scan is complete, click OK, then Show Results to view the results.
7.Be sure that everything is checked, and click Remove Selected.
8.When completed, a log will open in Notepad. The rogue application should now be gone. If you need to create a new topic, please paste this log with it.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.



Step Two: 2nd Scan for Spyware/Adware
Download and install SUPERAntiSpyware.
•   Run SUPERAntiSpyware and click the Check for Updates button.
•   Once the update has finished, click the Scan your Computer button.
•   Click on Perform Complete Scan and then click Next.
•   SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
•   Make sure that they all have a check next to them, and then click Next.
•   Click Finish and you will be taken back to the main interface.
•   It may ask you to reboot your computer in order to delete some files.
•   To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.



Step Three: Viruses/Trojans
Even the best antispyware programs are only able to remove about 70% of infections. Also, the line between spyware and viruses/trojans is getting blurred. Everyone should have an antivirus application installed on their system. If you don't have an antivirus installed, or if the subscription for yours has expired, get a free antivirus application like Anti-Vir, or do an online scan with Nod32 Free Online Scan or Bitdefender Free Online Scan. If you install an antivirus application, please run a full system scan immediately.

The steps above will completely clear malware from the majority of systems. Reboot and test your system to see how it's working.
If you're still having problems, continue to the next step.



Step Four: Rootkit Detection
RootRepeal - Download - Homepage
Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the RootRepeal log as an initial check for the presence of rootkits:

1.Download RootRepeal
2.Double click RootRepeal.exe to start the program
3.Click on the Report tab at the bottom of the program window
4.Click the Scan button
5.In the Select Scan dialog, check:
1.Drivers
2.Processes
3.SSDT
4.Hidden Services
•Click the OK button
•In the next dialog, select all drives showing
•Click OK to start the scan
Note: The scan should not take very long. DO NOT run any other programs while the scan is running
•When the scan is complete, the Save Report button will become available
•Click this and save the report to your Desktop as RootRepeal.txt
•Go to File, then Exit to close the program
Please copy and paste the report into your Post.


Step Five: Post an OTL Log
OTL - Download
OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis. The person helping you may have you run other scans or tools after reviewing your logs.

Important note: HijackThis has been replaced by OTL in this guide. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly or completely from a HijackThis scan. OTL is authored by one of the Geekstogo staff members (OldTimer). It includes all the scan locations of HijackThis and more. It's not only a more comprehensive scan tool, but also offers more powerful removal features.

Download OTL to your Desktop

•Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
•Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5



•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
◦Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Note: Don't forget to post your MBAM and RootRepeal log, in addition to the OTL log.
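As an added example (not code from this post or from OTL itself), here is a small Python emulation of what the /s /md5 lines in the custom scan ask for, assuming /s means "search subdirectories" and /md5 means "report the file's MD5": it collects every copy of each named file under a root and flags names whose copies hash differently, which is how a helper spots a patched atapi.sys or eventlog.dll sitting next to its clean dllcache copy. The directory tree it scans is constructed inside the script.

```python
import hashlib, os, tempfile
from collections import defaultdict

# Constructed OTL-style custom-scan lines (same syntax as in the post). Assumed
# reading: "/s" = search subdirectories, "/md5" = report MD5. Emulation, not OTL.
DIRECTIVES = [
    r"%SYSTEMDRIVE%\eventlog.dll /s /md5",
    r"%SYSTEMDRIVE%\atapi.sys /s /md5",
]

def parse_directive(line):
    """Split 'path /s /md5' into (lowercase filename, recursive, want_md5)."""
    parts = line.split()
    flags = {f.lower() for f in parts[1:]}
    name = parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name, "/s" in flags, "/md5" in flags

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan(root, directives):
    """Return {filename: {md5: [paths]}} for every directive asking for /md5."""
    wanted = {}  # filename -> recurse into subdirectories?
    for line in directives:
        name, recursive, want_md5 = parse_directive(line)
        if want_md5:
            wanted[name] = recursive
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _subdirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in wanted and (wanted[key] or dirpath == root):
                path = os.path.join(dirpath, fn)
                found[key][md5_of(path)].append(path)
    return found

def suspicious(found):
    """Names whose copies do not all hash alike: one copy may be patched."""
    return sorted(name for name, hashes in found.items() if len(hashes) > 1)

def demo():
    # Constructed tree: two identical atapi.sys copies plus one altered copy.
    root = tempfile.mkdtemp()
    clean = b"MZ constructed clean driver bytes"
    for sub, data in [("system32", clean), ("system32/dllcache", clean),
                      ("system32/drivers", clean + b" patched")]:
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "atapi.sys"), "wb") as f:
            f.write(data)
    return suspicious(scan(root, DIRECTIVES))
```

Differing hashes only show up when a clean copy exists on the same drive; a lone patched copy has to be compared against known-good hashes, which is what the helper reviewing your log does.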


« Last Edit: October 27, 2009, 09:39:28 AM by Britec »