Posted by: Grinler Nov 10 2005, 12:52 PM
Preparation Guide for use before posting about your potential Malware problem
Hi and welcome to the Bleeping Computer malware removal forum. If you are reading
this article, then you are most likely looking for a solution to a possible
malware infection on your computer. Please follow these steps in order to provide
information that we can use to analyze your computer's configuration. Please
note that these steps may appear to be long and daunting. In reality, though,
they are very simple; there are only so many steps because we wanted the
instructions to be as detailed as possible.
- Backup your data!
Regardless of whether or not you have a malware infection, routinely backing up
your data should be an important part of every computer user's life. Whether it
be a hard drive that has failed or malware that has caused your computer to become
inoperable, not having your files, pictures, email, and music can be a disaster.
We therefore suggest that before we move forward with this cleaning process, you
first back up your data to a secure location. That secure location could be a burnable
DVD, an external backup drive, or another computer. I have listed free backup
software that you can use below:
- Not all slow computers are caused by Malware.
A very common reason members post malware removal topics is because they find
their computer has become slow. We suggest that before you follow any of the
steps below, you first read the following topic that provides a wealth of information
on how to increase the performance of your computer.
Slow Computer/browser? Check Here First; It May Not Be Malware
If after following the suggestions in the above topic, you still have a problem,
then please proceed with the rest of the steps.
- Create a free account
In order to submit an HJT log you will need to be logged into the forums with
a registered account. Registering is free and allows us to distinguish one user
from another. To register an account simply click on the following link:
After you click on this link you will be brought to a page asking you to fill in
some information in order to create your free account. Please enter a login name,
a display name that will be your public nickname on the site, a password, and a
valid email account that you check regularly. It is important that you enter a
valid email address as notifications will be sent to this address when someone
replies to a topic you have created. You can then optionally enter the other
information that is requested. Finally, when all required fields are filled in,
enter the security code found in the image and press the Submit my registration
button.
After you press the Submit button, the site will generate an email and send it to
the email address that you registered with. In this email is a validation link that
you must click on in order to finish the registration of your new account. Once this
process has been completed, you will be able to post in all the forums at Bleeping
Computer.
- Enable topic reply notification by default.
In order to be notified via email when your topic has a reply you need to
enable topic notifications. To enable topic notifications you should do the
following:
- Click on the My Controls link at the top of the page to enter your control panel.
- Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
- Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
- Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
- Enable a firewall
Before you continue it is important that you enable a firewall. Doing so will
help to stop your computer from being further infected with malware while we are
cleaning your computer, and will make the disinfecting process easier for our
helpers. When the cleaning process is done, we will recommend other firewalls
that you can use instead of the built-in Windows XP or Windows Vista firewall
if you wish.
For instructions on how to enable the Windows XP Firewall, you can read this
tutorial. To enable the Windows Vista firewall, you should enter the Control
Panel and then click on the Windows Firewall menu icon. Once the Windows Firewall
settings open, you can enable or disable the firewall.
- Download and Run DDS, which will create a pseudo HJT report as part of its log.
Download DDS from the following location:
DDS Tool Download Link
When you click on the above link you will see a download prompt similar to
Figure 1 below.
Figure 1: DDS Save File dialog box
Click on the Save button. You will now be presented with a screen similar to
Figure 2 below asking where you would like to save the file.
Figure 2: Save dds.scr to the desktop
Click once on the Desktop button, designated by the red arrow in the figure
above, to save the file to your Desktop and then press the Save button. The
file will now be downloaded and saved on your Desktop. When it is done
downloading you will find an icon on your desktop that looks like Figure 3 below.
Figure 3: DDS Icon
Disable any script-blocking programs and then double-click on the DDS.scr icon
to start the program. If you did not disable a script-blocker that may be part
of your antimalware program, you may receive a warning from your antimalware
product asking if you would like DDS.scr to run. Please allow it to do so.
Once you double-click the icon a Windows security warning may also appear asking
if you are sure you would like to run the program. This warning is shown in
Figure 4 below.
Figure 4: Windows security warning
Click on the Run button to start DDS. If the warning shown above did not appear,
then you should just continue reading.
DDS will now display a small black window providing information as to what DDS
is doing on your computer, as shown in Figure 5 below.
Figure 5: DDS information screen
DDS will now start scanning your computer and compiling a variety of information
about what programs are starting on your computer, what files have been recently
created, and the general configuration of your computer. When DDS has finished
scanning, all of this information will be compiled and displayed in two Notepad
windows named dds.txt and attach.txt, as shown below.
Figure 6: DDS.txt Notepad window
Figure 7: Attach.txt Notepad window
You will then be shown a small box giving instructions as to what you should do
with these files. Feel free to close this message box by pressing the OK button.
We now need to save the two log files that were created. First click on the DDS.txt
window, click on the File menu, and then select the Save As... menu option. You
will now be presented with a screen similar to Figure 8 below asking where you
would like to save the file.
Figure 8: Save DDS.txt to the desktop
Click once on the Desktop button, designated by the red arrow in the figure
above, to save the file to your Desktop and then press the Save button. The
DDS.txt log will now be saved to your Desktop. Now click on the Attach.txt
Notepad window and perform the same steps to save that file to your Desktop as
well. When this is finished, please continue with the guide and learn how to post
this information for our helpers to read.
- Create a RootRepeal Log
Rootkits are programs that try to hide themselves and other programs so that they
are not easily removed. As these have become such a common problem, it is important
to run a utility that will show rootkits that may reside on your computer. To
start this process, download RootRepeal from the following location and save it
to your desktop.
RootRepeal Download Link
When you click on the above link you will see a download prompt similar to
Figure 8 below.
Figure 8: Download RootRepeal Prompt
Click on the Save button. You will now be presented with a screen similar to
Figure 9 below asking where you would like to save the file.
Figure 9: Save RootRepeal.exe to the desktop
Click once on the Desktop button, designated by the red arrow in the figure
above, to save the file to your Desktop and then press the Save button. The file
will now be downloaded and saved on your Desktop. When it is done downloading you
will find an icon on your desktop that looks like Figure 10 below.
Figure 10: RootRepeal Icon
Double-click on the RootRepeal.exe icon to start the program.
Once you double-click the icon a Windows security warning may appear asking if
you are sure you would like to run the program. If this warning appears, please
click on the Run button to allow RootRepeal to start. If no warning appeared
then you should just continue with the guide.
You will now see the main RootRepeal window. Click on the Report tab as
designated by the blue arrow in Figure 11 below. Once you are in the Report
screen, click on the Scan button as designated by the red arrow in Figure 11
below.
Figure 11: RootRepeal screen
You will now be shown a screen asking what you would like RootRepeal to scan.
Put a checkmark in the checkboxes labeled Drivers, Files, Processes, SSDT,
Stealth Objects, Hidden Services, and Shadow SDT. When you are done, the
selection should look like Figure 12 below and you should then press the OK
button.
Figure 12: Scan settings screen
You will then be asked to select the drives you would like to scan. You should
select your computer's system drive, which is usually the C:\ drive, and then
click on the OK button to start the scan. RootRepeal will now start scanning
your computer, and when finished will display a report as shown in the figure
below.
Figure 13: RootRepeal report
You now need to save this report to your Windows Desktop by clicking on the
Save Report button as designated by the red arrow in Figure 13 above. A screen
will open asking where you would like to save the report. Click once on the
Desktop button to change to the Desktop folder and then in the File name: field
enter ark.txt. Finally, press the Save button to save the report to your desktop.
Please do not act on any of the information you find in this report as many
legitimate programs could be listed in it.
When finished, please continue with the guide and learn how to post this information
for our helpers to read.
- Create a new malware removal topic and post the DDS logs and the RootRepeal log
Now click on the following link to open a new browser window where you will
create a new topic in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal
forum:
Post a new malware removal request
In the new browser window you will see a screen that asks you to fill in various
information. For the Topic Title please enter a description of your problem
containing the infection name or something specific to the infection you are
having. For example if you have a particular worm, type the name of the worm in
the title. If you are infected with Virtumonde or Winfixer, type that into the
title. We have found that those people who enter specific and detailed info about
their infection tend to get cleaned up quicker as the helper is prepared.
In the Topic Description field enter some more information that you think will
be informative to the people helping with the logs. Examples of how we would like
the titles and descriptions can be seen in the two images below:
Example 1 - Topic Title and Description
Example 2 - Topic Title and Description
The next part that you must fill out is the actual message of the post. An
example of the message area appears below:
Example message area
In the white message area, as shown above, write a detailed description of your
problem and then press the enter key. Now copy and paste the contents of the DDS.txt
log that you saved to your desktop. You can do this by going to your Desktop and
double-clicking on the file named DDS.txt to open it. After the Notepad window
is opened, right-click in the notepad and select Select All. Then right-click
again and select Copy. Now go back to the post, right-click in the post area and
select Paste to paste the contents of the DDS.txt report into the post. If you
performed a Kaspersky scan, please provide that report as well in the post. When
done, you should now have a post consisting of the detailed description of your
problem, the report from DDS, and possibly a Kaspersky scan report.
The more you can tell us about a problem, the better and easier it will be to
help you. In other words, "Help, I get a blue screen when I start my computer"
will only result in the helper asking you what the specific message is. Instead,
in your first post, actually tell us the exact message, word-for-word, that you
are receiving.
Once you have finished entering your message into the message body of the post,
we need you to attach the Attach.txt file created by DDS. To do this, click on
the Browse button in the Attachment section of the post. This is shown by the
red arrow in Figure 14 below.
Figure 14: Attach the Attach.txt file to the post
You will now be at a screen asking you to choose a file to upload. Click on the
Desktop button as shown by the red arrow in Figure 15.
Figure 15: Choose File screen
You should now see the Attach.txt file. Click on it once to select it and then
click on the Open button. You should now be back at the New Topic screen. Once
there, click on the Upload button, as shown in Figure 14 above, and your file
will become attached to the topic. Now perform the same steps to attach the
Ark.txt log that you made previously when using RootRepeal and had saved to your
desktop.
Now that all the information has been entered into the post and the files have
been attached, click on the Post New Topic button to actually post your new
topic to the forums.
- What to expect now that you have created your topic.
Now that your topic is posted, you should be patient and wait for someone to look
at your log in order to advise as to what you should do. Everyone who works on
this site is a volunteer, and there are a lot more people requesting help than
there are helpers able to provide it. Therefore it may take a few days before
someone can get back to you regarding your problem. While you are waiting we request
that you do not do the following as it may affect the help you receive:
- Do not attempt to fix any of the entries that you find within these logs
as it may cause damage to your computer's configuration. Any helper who answers
topics in this forum is trained on how to interpret these logs. As there is
a lot of wrong information on the Web, those who are not trained may remove
entries that appear suspicious according to information you find, but are
in fact legitimate programs.
- Do not post at another site asking for the same help for the same computer
unless you previously have asked us to close your topic. If we find that you
have posted for help at another site regarding the same problem, we will be
forced to close your topic here. This is because two different sites can give
conflicting advice, which makes it harder for our helpers to provide quality
help.
- Last, but not least, be patient. I know it is very stressful to have a computer
with a potential malware infection, but unfortunately it will take some time
to get to your topic. We will, though, get to you and attempt to resolve your
issues to the utmost of our ability.
Thank you and have a nice day!
The Bleeping Computer Staff