Login

Source: 

run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.


For x32 (x86) bit systems download Farbar Recovery Scan Tooland save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

Now please download this file and save it to your Flash Drive.


  fixlist.txt (Size: 1.9 KB / Downloads: 19) 

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.

STEP 1: Run a HitmanPro scan

  1. Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
  2. Start HitmanPro by double clicking on the previously downloaded file. and then following the prompts.
  3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click Next .
  4. Click Activate free license to start the free 30 days trial and remove the malicious files.
  5. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

Add to your next reply, any log that HitmanPro might generate.

You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode

  1. Download Malwarebytes Chameleon from hereand extract it to a folder in a convenient location
  2. Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
  3. If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
  4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo
  5. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
  6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
  7. Upon completion of the scan, if anything has been detected, click on Show Result
  8. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
  9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats

Please add both logs in your next reply.

 

STEP 3: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLAOD LINK (This link will automatically download Security Check on your computer)

 

  1. Close all open programs and internet browsers.
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on Delete,then confirm each time with Ok.
  4. Your computer will be rebooted automatically. A text file will open after the restart.
  5. Please post the contents of that logfile with your next reply.
  6. You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 4: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here

  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply

Download avenger.zip... © by Swandog46

  1. Unzip/extract it to a folder on your desktop.
  2. Double click on avenger.exe to run it. Click "OK"...at the prompt.
  3. Checkthe box... "Scan for rootkits"
  4. Uncheck the box... "Automatically disable any rootkits found"...if checked.
  5. Copy all of the text in the code box (below) and paste it in the text box in The Avenger

Code:

Folders to delete:
C:\Users\john\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus
C:\$Recycle.Bin\S-1-5-21-1952303879-2284333571-2840854797-1000\

  1. Click the Execute button.
  2. Click "Yes" at the 2 prompts:
    • "Are you sure you want to execute the current script?".
    • "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  3. Your PC will automatically reboot.
    Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require 2 (two) reboots to complete its operation.
    If that is the case, it will force a BSOD (Blue Screen of Death) error ...on the first reboot. This is normal & expected behavior.
  4. After your PC has completed the necessary reboots, a log should automatically open.
    If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).


Please post the contents of the avenger.txt log, in your next reply.


STEP 2: Run a scan with ESET Online Scanner

  1. Download ESET Online Scanner utility from the below link
    ESET ONLINE SCANNER DOWNLOAD LINK (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish

STEP 1: Run a scan with OTL by OldTimer

  1. Download the OTL utility using the below link : 
    OTL DOWNLOAD LINK (This link will automatically download OTL on your computer)
  2. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  3. When the window appears, underneath Output at the top change it to Minimal Output.
  4. Check the boxes beside LOP Check and Purity Check.
  5. Click the Run Scan button.
  6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Please post this 2 logs in your first reply..


Settings You need to Select in OTL

  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.


Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr, or OTL.com.

 

STEP 1: Run the below OTL fix

  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:

:OTL
[2010/08/05 17:07:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\john\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/08/05 17:15:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\john\AppData\Roaming\mozilla\Extensions\This email address is being protected from spambots. You need JavaScript enabled to view it.
[2011/10/09 17:05:15 | 000,627,675 | ---- | M] () (No name found) -- C:\Users\john\AppData\Roaming\mozilla\firefox\profiles\6tcizlt8.default\extensio ​​​ns\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

:Files
C:\Users\john\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus
C:\$Recycle.Bin\S-1-5-21-1952303879-2284333571-2840854797-1000\

:commands
[emptytemp]
[reboot]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  1. Then click the Run Fix button at the top
  2. Let the program run unhindered, reboot when it is done
  3. Attach the new log produced by OTL (C:\_OTL)

Double click on OTL to run it

  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

 


Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link


Keep your system updated

  • Keeping your programs (especially Adobe and Java products) updated is essentialUpdate Checker will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:


In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

  • KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites


Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.


Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

What's next?

  1. Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
  2. Learn how to avoid malware by reading this article How to easily avoid malware
  3. Be an active member in the MalwareTips community!

 

Source: 

This is a comprehensive guide to removing a lot of malware infections. Please perform all the steps in the correct order. If you have any question or doubt at any point STOP and ask us for our assistance in our Malware Removal Assistance forum.



STEP 1 : Start your computer in Safe Mode with Networking

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Do one of the following:
    • If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
    • If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking , and then press ENTER. For more information about options, see Advanced startup options (including safe mode).
  4. Log on to your computer with a user account that has administrator rights.

 


STEP 2: Check your internet connection for proxy servers
This infection may add a proxy server which prevents the user from accessing the internet,follow the below instructions to remove the proxy.

  1. Open Internet Explorer.
    • For Internet Explorer 9 : Click on the gear icon at the top (far right) and click again on Internet Options.
    • For Internet Explorer 8 : Click on Tools, select Internet Options.
  1. Go to the tab Connections.At the bottom, click on LAN settings
  2. Uncheck the option Use a proxy server for your LAN. This will remove the proxy server and allow you to use the internet again.



For Firefox users, go to Tools > Options > Advanced tab > Network > Settings > Select No Proxy


STEP 3: Download and scan with Kaspersky TDSSKiller

Kaspersky TDSSKiller is a utility that was created in order to provide you with a simple means of disinfecting any system that suffers a rootkit infection.A rootkit is a program or a set of programs designed to obscure the fact that a system has been compromised.

  1. Please download the latest official version of Kaspersky TDSSKiller.
  2. Before you can run Kaspersky TDSSKiller, you first need to rename it so that
    you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it to iexplore.exe

Code:

iexplore.exe

 

  1. Once the file is renamed, double-click on it to launch it.
  2. Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the 'Start Scan' button.
  3. Kaspersky TDSSKiller will now scan your computer for AV Security Essentials related malicous files.
  4. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
  5. If a suspicious object is detected, the default action will be Skip (If it saids TDL4/TDSS file system, select delete)
  6. If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.


WARNING: After you have rebooted your computer,please start again in 'Safe Mode with Networking' before proceeding to the next step.You can find details on how to start in 'Safe Mode with Networking' in Step 1.


STEP 4 : Download and scan with RKill to terminate known malware processes.

RKill is a program that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again.

RKill is a program that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again.

  1. After you have started your computer in Safe Mode with Networking , please download the latest official version of rKill. 
  2. Double-click on the RKill icon in order to automatically attempt to stop any processes associated with this rouge.
  3. Now RKill will start working in the background, please be patient while the program looks for various malware programs and tries to ends them.
    • If you receive a message that RKill is an infection, that is a fake warning given by the rogue. As a possible solution we advise you to leave the warning on the screen and then try to run RKill again.Run RKill until the fake program is not visible but not more than ten times.
    • If you continue having problems running RKill, you can download the other renamed versions of RKill from here.
  4. When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.


WARNING: Do not reboot your computer after running RKill as the malware process will start again , preventing you from properly performing the next step.


STEP 5: Download and scan with Malwarebytes Anti-Malware

  1. Please download the latest official version of Malwarebytes' Anti-Malware Free. 
  2. Install Malwarebytes' Anti-Malware by double clicking on mbam-setup.
  3. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
  4. Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period , please select 'Decline' as we just want to use the on-demand scanner.
  5. On the Scanner tab,please select Perform full scan and then click on the Scan button to start scanning your computer for any possible infections.
  6. Malwarebytes' Anti-Malware will now start scanning your computer for AV Security Essentials malicious files as shown below.
  7. When the scan is finished a message box will appear, click OK to continue.
  8. You will now be presented with a screen showing you the malware infections that ]Malwarebytes' Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.
    Make sure that everything is Checked (ticked) and click on Remove Selected button.
  9. Malwarebytes' Anti-Malware will now start removing the malicious files. 
    If during the removal process Malwarebytes will display a message stating that it needs to reboot, please allow this request.

 


STEP 6: Download and scan with Emsisoft Emergency Kit

  1. Please download the latest official version of Emsisoft Emergency Kit
  2. After the download process will finish , you'll need to unpack EmsisoftEmergencyKit.zip
  3. Open the Emsisoft Emergency Kit Folder and double click EmergencyKitScanner.bat
  4. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the "Yes" button.



  5. After the Update process has completed , put the mouse cursor over the "Menu" tab on the left and click-on "Scan PC".
  6. Select "Deep scan" and click-on the below "SCAN" button.
  7. Emsisoft Emergency Kit will now start scanning your computer for malicious files as shown below.
  8. When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Please note that the infections found may be different than what is shown in the image.
    Make sure that everything is Checked (ticked) and click on the 'Quarantine selected objects' button.
  9. Emsisoft Emergency Kit will now start removing the malicious files. 
    If during the removal process Emsisoft will display a message stating that it needs to reboot, please allow this request.




As an addition step it's recommended that you download other free anti-malware software from the list below and run a full system scan :


Removing the residual damage from ZeroAccess rookit

STEP 3 : Check yourDNS settings

Check Windows 7 DNS

  1. On your Start menu, open the Control Panel.
  2. Under the Network and Internet section, click View network status and tasks.
  3. In the View your active networks section, click the item to the right of Connections:
  4. On the General tab of the Connection Status window, click Properties.
  5. On the General tab of the Connection Properties window, scroll down and select Internet Protocol Version 4 (TCP/IPv4), then click Properties.
  6. On the General tab of the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the lower section, select Obtain DNS server address automatically.
  7. Click OK and exit all the windows.




Check Windows Vista DNS

  1. On your Start menu, open the Control Panel.
  2. In the Control Panel window, click Network and Sharing Center.
  3. In the Network section, select View Status of each connection.
  4. On the General tab of the Connection Status window, click Properties.
  5. On the General tab of the Connection Properties, scroll down and select Internet Protocol Version 4 (TCP/IPv4), then click Properties.
  6. On the General tab of the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the lower section, select Obtain DNS server address automatically.
  7. Click OK and exit all the windows.



Check Windows XP DNS

  1. On your Start menu, open the Control Panel.
  2. In the Control Panel window, click Network Connections and choose your current connection.
  3. On the General tab of the Connection Status window, click Properties.
  4. On the General tab of the Connection Properties window, scroll down and select Internet Protocol (TCP/IP), then click Properties.
  5. On the General tab of the Internet Protocol Version (TCP/IP) Properties window, in the lower section, select Obtain DNS server address automatically.
  6. Click OK and exit all the windows.

 


STEP 4 : Check your Windows HOSTS file
The hosts file is one of several system facilities to assist in addressing network nodes in a computer network. It is a common part in an operating system's Internet Protocol (IP) implementation, and serves the function of translating human-friendly hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network.
Because of its role in local name resolution, the hosts file represents an attack vector for malicious software. The file may be hijacked, for example, by adware, computer viruses, trojan horse software, and may be modified to redirect traffic from the intended destination to sites hosting content that may be offensive or intrusive to the user or the user’s computer system.

  1. Go to > C:\WINDOWS\system32\drivers\etc.
  2. Double-click “hosts” file to open it.You can open this file with Notepad.
  3. The “hosts” file should look the same as our below code boxes. There should be only one line: 127.0.0.1 localhost in Windows XP and 127.0.0.1 localhost ::1 in Windows Vista/7. If there are more, then remove them and save changes.

    Default Host file for Windows XP

Code:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Default Host file Windows Vista

Code:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost

Default Host file for Windows 7

Code:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handle within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost


You can find more details on how to reset your host file at Microsoft Support Center.


STEP 3 : Remove the residual damage 

If you still are experiencing residual damage after removing this infection, you can download and use the Windows Repair tool from tweaking.com to fix the problems.
Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Tweaking.com - Windows Repair you can restore Windows original settings.
Use the bellow button to download Windows Repair (All In One) :




If you are still experiencing problems on your machine, please start a new thread here.

 

Go to top