Please follow these instructions in order, and thoroughly,
to allow our Security Team to assist you more quickly
Please note: It is common for a computer to appear free from malware even when the malware has not been completely removed. Although your computer appears to be clean after following the Prework, to avoid further problems, or even re-infection, please post the requested logs in order to have a Security Analyst verify that all traces are removed. Thank you for your cooperation.
Also note: Each set of instructions is specifically tailored to the user that has posted with the issues. Following the instructions posted to another user when you yourself are infected is inadvisable, and could potentially result in your computer being rendered unbootable. If you think you are infected please do not hesitate to post.
First: read the following article, and follow suggestions/instructions if required
Warnings Regarding P2P Sharing Sites
Please Note: As long as you have any P2P/cracked/warez program(s) installed, as per the PCHF Rules, PCHF Security Analysts will not be able to offer you assistance. Please remove any and all P2P Clients, etc. before proceeding. In the case of your operating system, please obtain a valid licensed copy before requesting assistance. Read more here.
If you are running a 64-Bit Operating System please read this thread:
Note For Users With A 64-Bit OS
Additionally, please read the following thread before posting:
Security Forum Guidelines
======================================================================
It takes an enormous amount of time, dedication, reading, research, and experience to learn how to recognize, and effectively remove, today's malware. HijackThis has its uses, but no longer provides enough information in regard to today's malware, which is why we use scanning tools such as DDS.
Please follow these instructions for your operating system only. If you have a 32-bit OS, do not follow the instructions for 64-bit users, and vice versa.
If you are unsure as to which operating system you have please consult the related Microsoft Knowledge Base article:
Should you encounter any issues when running any of these programs please make a note of it and move on to the next step. Once you're done and ready to post, please let us know of any of these types of issues.
======================================================================
Now on to the instructions: As said above, only follow the instructions pertaining to your Operating System please.
1. Download RootRepeal (64-Bit Users Skip This Step) (Vista Users Right click and Run As Administrator)
Download RootRepeal.rar and unzip it to your Desktop. You'll need WinRAR to extract it.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running - When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
- Attach the log in your first post
1a. Download SysProt Anti-Rootkit (NOTE: 64-Bit Users ONLY. 32 Bit Users Skip This Step)(Vista Users Right click and Run As Administrator)
Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
- Run SysProt >> Click on the Log tab
- Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
- Hit the Create Log button
- When it asks for a scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
- Let it scan until it finishes
- Find the log.txt inside the SysProt folder and attach the log to your post.
2. Download DDS (NOTE: Users with 64-Bit OSes skip this step and use OTL)
Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, allow it.
- Double click DDS.scr to run it and wait for the scan to finish
- When finished DDS.txt will open
- A short while later, a prompt will open. Answer Yes
- DDS will continue scanning
- When done, Attach.txt will open
======================================================================
3. Download OTL (NOTE: 64 bit users only)
Please Download OTL.exe by OldTimer to your Desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box, paste in the following text:
%SYSTEMDRIVE%\*.exe
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and attach them to your post
======================================================================
4. Download SecurityCheck
Please download and save SecurityCheck.exe to your Desktop from one of the links below.
Link 1
Link 2
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt
- Please copy and paste the contents of that document in your reply.
When you post:
Describe your issue/problem in DETAIL! We cannot second-guess what your issue(s) may be. Please provide as much detail as possible, including virus/Trojan/worm names and locations if available. The more information you can give us, the better we can help.
- Only Attach the logs that we've specifically requested for you to. (Otherwise post it as text in the Reply box).
- DO NOT Wrap the log using Quote or Code tags. (DO make sure notepad word-wrap is OFF)
- DO NOT Post another Program’s log (Unless we specifically ask for it)
- DO NOT Cut off the header of any log (It contains important information for the Analyst)
- DO NOT Private Message the Analyst unless asked to do so.
- DO NOT post live suspicious links. We do appreciate that you want to give as much information as possible, but the links need to be munged. Alter the links to use hxxp:// instead of http://
- Please include all requested logs from this PreWork. When finished you should have four.
- Post NEW THREADS ONLY here; New HijackThis Logs Forum
- If you have a current thread; post the logs in your thread, and one of the staff will move your thread to the HJT Forum for you.
- Please include a detailed description of the problem you are having. Be as specific as possible, and tell us any symptoms, any scans you may have already done other than the PreWork, and any hardware or software that you may have installed prior to the odd behavior starting.
- When a Security Analyst replies to your thread, it will be moved to the In Progress section.
To attach a log - Click Add Reply. Scroll down and choose Manage Attachments. Click the Browse button. Browse to the location of the log and click Ok. Hit Attach.
======================================================================
Important Note:
Many times in the various log files generated there may be entries that show personal information, such as your name.
You may edit your name or other identifying information out of these entries, if you wish, prior to posting your logs into the Forum. It is often difficult (or impossible) for the Staff to edit these out of a post once posted.
Pre-post editing is much easier than you might think.
When the log in question shows in Notepad, BEFORE you copy it to the Forum, please hit the Ctrl + A keys. This will highlight the entire log. Next hit the Ctrl + H keys. This will bring up the Replace utility, and allow you to exchange your name or other identifying information as many times as it occurs, all at one time. Use asterisks to replace any information that you need to.
See an example below, it may take a minute or so more time, but will help us and protect you.
ComboFix 09-02-21.01 - *******l 2009-02-23 18:58:08.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2936.1865 [GMT -8:00]
Running from: c:\users\*******\Desktop\ComboFix.exe
FW: ZoneAlarm Anti-virus Firewall *disabled*
IMPORTANT! DO NOT change any information other than the information that could personally identify you. Logs that are purposely falsified will only serve to defeat what Security Staff Members are trying to do for you, and may make it impossible to properly clean your computer.
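For readers who prefer to script the redaction rather than use Notepad's Replace dialog, the following is an added example (not a PCHF tool, and not part of the original sticky) that does the two sanitizing steps this post asks for: masking a user's name with asterisks wherever it appears, and munging links to hxxp:// so they are not clickable. Everything else in the log is left untouched, in line with the warning above about not altering other information. The sample log text, the user name "JohnDoe" and the URL on the reserved example.invalid domain are constructed for the demonstration.

```python
import re
from typing import Iterable

# Constructed sample log, modelled on the ComboFix header format shown in this post.
# "JohnDoe" and the example.invalid URL are made up for the demonstration.
SAMPLE_LOG = """\
ComboFix 09-02-21.01 - JohnDoe 2009-02-23 18:58:08.2 - NTFSx86
Running from: c:\\users\\JohnDoe\\Desktop\\ComboFix.exe
c:\\users\\johndoe\\AppData\\Local\\Temp\\suspect.exe
O4 - HKLM\\..\\Run: [updater] http://example.invalid/payload.exe
FW: ZoneAlarm Anti-virus Firewall *disabled*
"""

# Same mask the forum's own example uses, so the redacted log looks familiar
# and the length of the real name is not leaked.
MASK = "*******"


def redact_identity(text: str, names: Iterable[str]) -> str:
    """Replace every occurrence of each identifying string with MASK.

    Matching is case-insensitive so that a name typed as 'JohnDoe' is also
    caught where Windows has lower-cased it in a path (c:\\users\\johndoe\\...),
    which a plain Notepad Replace with 'Match case' on would miss.
    """
    for name in names:
        if not name:
            continue
        text = re.compile(re.escape(name), re.IGNORECASE).sub(MASK, text)
    return text


def munge_links(text: str) -> str:
    """Defang URLs: http:// -> hxxp://, https:// -> hxxps:// (case preserved)."""
    return re.sub(
        r"\bhttps?://",
        lambda m: m.group(0)[0] + "xx" + m.group(0)[3:],
        text,
        flags=re.IGNORECASE,
    )


def find_leaks(text: str, names: Iterable[str]) -> int:
    """Count remaining case-insensitive occurrences of the names; 0 means clean."""
    return sum(
        len(re.compile(re.escape(n), re.IGNORECASE).findall(text))
        for n in names
        if n
    )


def sanitize(text: str, names: Iterable[str]) -> str:
    """Apply both steps and return the log ready to paste into the forum."""
    names = list(names)
    cleaned = munge_links(redact_identity(text, names))
    # Sanity check: the mask must not itself have hidden a missed occurrence.
    assert find_leaks(cleaned, names) == 0, "identifying text still present"
    return cleaned


if __name__ == "__main__":
    print(sanitize(SAMPLE_LOG, ["JohnDoe"]))
```

Run it with the log text read from the saved .txt file and your own Windows user name in the list; anything you add to the list (an e-mail address, a computer name) is masked the same way. The rest of each line, including timestamps, paths and the tool's own header, is passed through unchanged, so the Analyst still gets a usable log.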
======================================================================
Please do not follow any instructions from any user, or staff member other than those listed in the Please Read Before Following Advice thread.
When your thread has been replied to by a member of the Security Team, he/she will move it to the In Progress section. Subsequently it will be moved to the Fixed section once the all-clear is given.
We have an excellent Security Team, and will take the time and effort to assist you according to your technical abilities. Please feel free to ask for any clarification, guidance or information that you may need. That's what we're here for.
See you in the Forum,
The PCHF Security Team