This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.
Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.
Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.
Research
A lot of information can be found at this EliteKiller link, including...
Step 3 unzip the Kit, read the instruction file and run the tools in the order given.
Step 4 Thank me in about 3 hours for fixing your shit.
The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.
Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.
Taken from the readme in the Rogue Removal Kit:
Quality Online Virus Scanners: (all scanners offer detection and removal)
My two cents on downloading anti-malware software...
Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.
Other Helpful Tips & Tools
Rkill will kill processes that may be preventing scanners from completely removing malware.
To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.
Still infected, or just want to make sure everything is okay?
HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.
If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.
You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.
Windows Performance
A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.
To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.
Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore. [Reply]
Originally Posted by Sofa King:
Well, i got a big problem...
Got something on the other comp, malwarebytes didn't pick it up, but symantec did. got one of the two it was messing with in quarantine, but it is giving me major RAM, memory, and hard drive not found errors.
Files are missing from my documents, i tried sticking in a usb card, but apparanantly it was instantly corrupted, so no dice adding anymore anti viruses.
keeps trying to get me to "defrag" using "Good Memory", whatever the hell that is... looks like a fake defrag/antivirus program.
Any ideas? i can't get into safe mode either... says windows vista, and i have XP
Originally Posted by BigRedChief:
Didn't your XP come with a "restore" option? Just go in there and restore to a time before these events started occuring.
when i hit F8 and tried to bring up the list for safe mode, it instead brought me to a 2 selection screen. either Windows Vista (which is not what i have) or memory diagnostic, which does give me the option to restart with the installation disk and try to repair, but i don't know if that will screw things up worse or not. [Reply]
Originally Posted by Sofa King:
when i hit F8 and tried to bring up the list for safe mode, it instead brought me to a 2 selection screen. either Windows Vista (which is not what i have) or memory diagnostic, which does give me the option to restart with the installation disk and try to repair, but i don't know if that will screw things up worse or not.
Hmmm.... Are you sure you don't have a CD or DVD in your drive that it's trying to boot to? Or another HD with a Vista install on it? This is really bizarre... [Reply]
Originally Posted by KC Fish:
Hmmm.... Are you sure you don't have a CD or DVD in your drive that it's trying to boot to? Or another HD with a Vista install on it? This is really bizarre...
Positive there's no cd in there.
any idea on the "memory" defrag/anti virus stuff? [Reply]
Originally Posted by Sofa King:
negative. i didn't have it installed because i thought malwarebytes was the almighty.
now i can't get into safe to download it, and it wont let me do it out of safe mode either.
Yeah, the Safe Mode issue is strange... you might check out the 2nd to last section in the OP about the BSoD when going into Safe Mode. It does seem like something else is going on, but you might try restoring those registry keys and trying again.
What do you mean by it won't let you download it? Are you being redirected when you click the link in the OP, you can't connect to the internet, you can download it but can't install it... ?
Alrighty. I did a system restore, and it got rid of some of the issues, except now my symantec, which was the only thing that found something, is disabled and i can't get it turned back on.
Now i have managed to get my stuff off of my usb card, so now i have a hijack this report, but i'm very leary about hooking that comp back up to the internet. the whole "your private data is at risk" warning made me gun shy.
any idea what i should look for in the report? i'm trying to find a way to print it, scan it, and then upload the scan to the other comp, but no luck so far. [Reply]
Originally Posted by Sofa King:
Alrighty. I did a system restore, and it got rid of some of the issues, except now my symantec, which was the only thing that found something, is disabled and i can't get it turned back on.
Now i have managed to get my stuff off of my usb card, so now i have a hijack this report, but i'm very leary about hooking that comp back up to the internet. the whole "your private data is at risk" warning made me gun shy.
any idea what i should look for in the report? i'm trying to find a way to print it, scan it, and then upload the scan to the other comp, but no luck so far.
The bug might have hosed Symantec. You may have to reinstall it.
It's not really worth it to try and tell you what to look for in your HijackThis log. There's too many possibilities to begin. We'll have to look at it and see what doesn't belong, as opposed to telling you what could be there. But I don't think you have anything to worry about by hooking it back up to the internet. The "Your private data is at risk" statement is slightly over dramatized. A HijackThis log only collects system and application data. It doesn't really do anything else. It will show every program that's running on your computer at that moment. That's about as personal as the information gets. There's zero harm in doing so, unless you just don't want people to know what apps you're running. [Reply]
i forgot i had this pile of crap laptop. i don't care if this things blows up, so i transfered the info the the card and took it home.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:51:33 PM, on 1/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal
perhaps a dumb question, but if i turn the internet back on that comp, can the virus/whatever transfer basically anything they want to from the comp? can they transfer anything? info, saved passwords, etc? [Reply]
Originally Posted by Sofa King:
perhaps a dumb question, but if i turn the internet back on that comp, can the virus/whatever transfer basically anything they want to from the comp? can they transfer anything? info, saved passwords, etc?
Yes, if that is what the virus is programmed to do. [Reply]
Originally Posted by Sofa King:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59274
Looks like you have a proxy server set. If you didn't intentionally set that, you might want to turn it off.
Go to Control Panel\Internet Options\Connections\LAN settings
Uncheck the box that says Use Proxy server at the bottom.
The only thing on that LAN settings page that should be checked is Automatically detect settings.
Other than that, your log file looks pretty clean. Nothing really sticks out. [Reply]
Originally Posted by Sofa King:
perhaps a dumb question, but if i turn the internet back on that comp, can the virus/whatever transfer basically anything they want to from the comp? can they transfer anything? info, saved passwords, etc?
Not really. In the old days, there were apps like Back Orifice, in which you could do stuff like that. But it's been patched since the days of Win95. To do what you're indicating, someone would have to have physical access to the computer and manually load things without your knowledge. You're not going to catch a bug while watching gay midget porn that would have the capabilities of that. It's possible, but so unlikely that you shouldn't worry about it. [Reply]