BleepingComputer.com: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


DO NOT RUN ComboFix unless requested to.


Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title, e.g. Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Instructions for receiving help in cleaning your computer

#1 Grinler

  • Group: Admin
  • Posts: 36,603
  • Joined: 24-January 04
  • Gender:Male
  • Location:USA

Posted 10 November 2005 - 12:52 PM

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help




Hi and welcome to the Bleeping Computer malware removal forum. If you are reading this article, then you are most likely looking for a solution to a possible malware infection on your computer. Please follow these steps in order to provide information that we can use to analyze your computer's configuration. Please note that these steps may appear to be long and daunting. In reality, though, they are very simple, and there are only so many steps because we wanted to be as detailed as possible in the instructions.


Before you perform these steps, it is suggested that you first check to see if there is a self-help guide for your infection here:


Virus, Spyware, and Malware Removal Self-Help Guides


If there is one, then you can attempt to use the self-help guide first and then continue with these steps if you feel that you are still infected.


Step 1 - Backup your data!

Regardless of whether or not you have a malware infection, routinely backing up your data should be an important part of every computer user's life. Whether it be a hard drive that has failed or malware that has caused your computer to become inoperable, not having your files, pictures, email, and music can be a disaster. We therefore suggest that before we move forward with this cleaning process, you first backup your data to a secure location. That secure location could be a burnable DVD, an external backup drive, or another computer. I have listed free backup software that you can use below:

Cobian Backup
DriveImage XML
Microsoft Backup for XP
Vista Complete PC Backup



Step 2 - Not all slow computers are caused by Malware.

A very common reason members post malware removal topics is because they find their computer has become slow. We suggest that before you follow any of the steps below, you first read the following topic that provides a wealth of information on how to increase the performance of your computer.

Slow Computer/browser? Check Here First; It May Not Be Malware


If after following the suggestions in the above topic, you still have a problem, then please proceed with the rest of the steps.


Step 3 - Create a free account

Alert! In order to submit a Malware Removal log you will need to be logged into the forums with a registered account. Registering is free and allows us to distinguish one user from another. To register an account simply click on the following link:



After you click on this link you will be brought to a page asking you to fill in some information in order to create your free account. Please enter a login name, a display name that will be your public nickname on the site, a password, and a valid email account that you check regularly. It is important that you enter a valid email address as notifications will be sent to this address when someone replies to a topic you have created. You can then optionally enter the other information that is requested. Finally, when all required fields are filled in, enter the security code found in the image and press the Submit my registration button.

After you press the Submit button, the site will generate an email and send it to the email address that you registered with. In this email is a validation link that you must click on in order to finish the registration of your new account. Once this process has been completed, you will now be able to post in all the forums at Bleeping Computer.


Step 4 - Enable topic reply notification by default.

In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

  • Click on this My Settings Link.


  • Click on Notification Options.


  • Put a checkmark in the checkbox labeled Watch every topic I reply to.


  • Set the If enabled, choose default notification type menu option to Immediate Notification to have an email sent immediately when someone replies.


  • Then scroll down a little bit and under Topics & Posts make sure that the Email checkbox is checked for the Notification method to use for topic replies and reply digests option.


  • Click on the Save Changes button.


Step 5 - Enable a firewall

Before you continue it is important that you enable a firewall. Doing so will help to stop your computer from being further infected with malware as we are cleaning your computer, as well as provide an easier disinfecting process for our helpers. When the cleaning process is done, we will recommend other firewalls that you can use instead of the built-in Windows XP or Windows Vista firewall if you wish.

For instructions on how to enable the Windows XP Firewall, you can read this tutorial. To enable the Windows Vista firewall, you should enter the Control Panel and then click on the Windows Firewall menu icon. Once the Windows Firewall settings open, you can enable or disable the firewall.


Step 6 - Disable your CD Emulation Software

Certain CD emulation programs are known to cause problems when running anti-rootkit programs. Therefore, we ask that anyone wishing to receive help disable their CD emulation programs before using the programs in future steps. For this task we are using a program called DeFogger that will allow you to easily disable and enable your CD emulation drivers so that they do not interfere with the programs that we will ask you to run. For more information about why we request these programs be disabled and how to use DeFogger, please see this topic.

To disable CD Emulation programs using DeFogger please perform these steps:

  • Please download DeFogger to your desktop from the following link:

    DeFogger Download Link

When you click on the above link you will be brought to a download page. Please click on the Download Now button and a download prompt similar

  • Once downloaded, double-click on the DeFogger icon to start the tool.


  • The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.


  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.


  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.


  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

While waiting for help, please do not enable your CD emulation programs. Once you are done receiving help, you can use the instructions here to enable your programs again.


Step 7 - Download and Run DDS which will create a log of programs running on your computer.

Download DDS from the following location:

DDS Tool Download Link

When you click on the above link you will be brought to a download page. Please click on the Download Now button and a download prompt similar to Figure 1 below will appear.


[Figure 1: DDS Save File dialog box]


Click on the Save button. You will now be presented with a screen similar to Figure 2 below asking where you would like to save the file.


[Figure 2: Save dds.scr to the desktop]



Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. Your computer will now download the file to your computer and save it on your Desktop. When it is done downloading you will now find an icon on your desktop that looks like Figure 3 below.


[Figure 3: DDS Icon]



Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. This warning is shown in Figure 4 below.


[Figure 4: Windows security warning]


Click on the Run button to start DDS. If no warning appeared, as shown above, then you should just continue reading.

DDS will now display a small black window providing information as to what DDS is doing on your computer as shown in Figure 5 below.


[Figure 5: DDS information screen]


DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt as shown below.



[Figure 6: DDS.txt Notepad window]

[Figure 7: Attach.txt Notepad window]



You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window and click on the File menu and then select Save As... menu option. You will now be presented with a screen similar to Figure 8 below asking where you would like to save the file.


[Figure 8: Save DDS.txt to the desktop]





Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. The DDS.txt log will now be saved to your Desktop. Now click on the Attach.txt Notepad window and perform the same steps to save that file to your Desktop as well. When this is finished, please continue to the next step. If you have any problems running DDS or generating a log, then please proceed to the next step and state what problems you had with DDS when creating your malware help topic.


Step 8 - Create a GMER Log (32-bit versions of Windows only)

Rootkits are programs that try to hide themselves or other programs so that they are not easily removed. As rootkits have become such a common problem, it is important to run a utility that will show rootkits that may reside on your computer. Please note that if you are running a 64-bit version, please do not create a GMER log and instead skip to the next step.

To start this process, please go to the following link and then click on the Download ZIP button to download the file.

GMER Download Link 1
GMER Download Link 2 (Only use if the previous link does not work)

When you click on the above link you will see a download prompt similar to Figure 9 below.



[Figure 9: Download GMER prompt]



Click on the Save button. You will now be presented with a screen similar to Figure 10 below asking where you would like to save the file.


[Figure 10: Save Gmer.zip to the desktop]


Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. Your computer will now download the file to your computer and save it on your Desktop. When it is done downloading you will now find an icon on your desktop that looks like Figure 11 below.


[Figure 11: GMER Icon]



Right-click on the gmer.zip icon and select the Extract all... menu option as shown in the figure below.


[Figure 12: Extract all... menu option]


You will be shown a screen asking how you would like to extract the file. Just keep pressing the Next button until you get to the last screen and then press the Finish button to finish the extraction process. The GMER folder should automatically open and you will see that it contains the file called gmer.exe.

Please double-click on the gmer.exe program. Once you double-click the icon a Windows security warning may appear asking if you are sure you would like to run the program. If this warning appears, please click on the Run button to allow GMER to start. If no warning appeared then you should just continue with the guide.

You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings. Please uncheck the following settings that we do not want in our scan.

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

When done, the screen should look similar to Figure 13 below.


[Figure 13: Options we want unchecked in GMER]


Once your screen looks similar to the above, click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient. When it has finished you will be back at the main screen as shown in the figure below.


[Figure 14: GMER scan complete]


You now need to save the rootkit scan report to your Desktop by clicking on the Save ... button as designated by the red arrow in Figure 14 above. A screen will open asking where you would like to save the report. Click once on the Desktop button to change to the Desktop folder and then in the File name: field enter ark.txt. Finally, press the Save button to save the report to your desktop. Please do not act on any of the information you find in this report as many legitimate programs could be listed in it.

When finished, please continue with the guide and learn how to post this information for our helpers to read. If you have any problems running GMER or generating a log, then please proceed to the next step and state what problems you had with GMER when creating your malware help topic.


Step 9 - Create a new malware removal topic and post the DDS logs and the GMER log

Now click on the following link to open a new browser window where you will create a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum:

Post a new malware removal request

In the new browser window you will see a screen that asks you to fill in various information. For the Topic Title please enter a description of your problem containing the infection name or something specific to the infection you are having. For example if you have a particular worm, type the name of the worm in the title. If you are infected with Virtumonde or Winfixer, type that into the title. We have found that those people who enter in specific and detailed info about their infection tend to get cleaned up quicker as the helper is prepared.

In the Topic Description field enter some more information that you think will be informative to the people helping with the logs. Examples of how we would like the titles and descriptions can be seen in the two images below:


[Example 1 - Topic Title and Description: example of title and description for a new topic using TDSS]

[Example 2 - Topic Title and Description: example of title and description for a new topic using System Tool]



The next part that you must fill out is the actual message of the post. An example of the message area appears below:


[Example message area of a new topic]


In the white message area, as shown above, write a detailed description of your problem and then press the enter key. Now copy and paste the contents of the DDS.txt log that you saved to your desktop. You can do this by going to your Desktop and double-clicking on the file named DDS.txt to open it. After the Notepad window is opened, right-click in the notepad and select Select All. Then right click again and select Copy. Now go back to the Post and right click in the post area and select Paste to paste the contents of the DDS.txt report into the post. When done, you should now have a post consisting of the detailed description of your problem and the reports from DDS.

The more you can tell us about a problem, the better and easier it will be to help you. In other words, "Help, I get a blue screen when I start my computer" will only result in the helper asking you what the specific message is. Instead in your first post, actually tell us the exact message, word-for-word, that you are receiving.

Once you have finished entering your message into the message body of the post, we need you to attach the Attach.txt file created by DDS. To do this, click on the Browse button in the Attachment section of the post. This is shown by the red arrow in Figure 15 below.



[Figure 15: Attach the Attach.txt file to the post]


You will now be at a screen asking you to choose a file to upload. Click on the Desktop button as shown by the red arrow in Figure 16 below.


[Figure 16: Choose File screen]


You should now see the Attach.txt file. Click on it once to select it and then click on the Open button. You should now be back at the New Topic screen. Once there, click on the Attach This File button, as shown in Figure 15 above, and your file will become attached to the topic. Now perform the same steps to attach the Ark.txt log that you made previously when using GMER and had saved to your desktop.

Now that all the information has been entered into the post and the file has been attached, scroll down and click on the Post New Topic button to actually post your new topic to the forums.


Step 10 - What to expect now that you have created your topic.

Now that your topic is posted, you should be patient and wait for someone to look at your log in order to advise as to what you should do. Everyone who works on this site is a volunteer, and there are a lot more people requesting help than there are helpers able to provide it. The current average response time is about 5 days, though hopefully sooner, before someone can get back to you regarding your problem. While you are waiting we request that you do not do the following as it may affect the help you receive:
  • Do not attempt to fix any of the entries that you find within these logs as it may cause damage to your computer's configuration. Any helper who answers topics in this forum is trained on how to interpret these logs. As there is a lot of wrong information on the Web, those who are not trained may remove entries that appear suspicious according to information you find, but are in fact legitimate programs.

  • Do not post at another site asking for the same help for the same computer unless you previously have asked us to close your topic. If we find that you have posted for help at another site regarding the same problem, we will be forced to close your topic here. This is because two different sites can give conflicting advice, which makes it harder for our helpers to provide quality help.

  • Last, but not least, be patient. I know it is very stressful to have a computer with a potential malware infection, but unfortunately it will take some time to get to your topic. We will, though, get to you and attempt to resolve your issues to the utmost of our ability.


Thank you and have a nice day!

The Bleeping Computer Staff

This post has been edited by Grinler: 18 May 2012 - 04:14 PM
Reason for edit: Updated for new forum settings.


#2 Grinler

Posted 05 February 2010 - 03:30 PM

Bump to reset order.
