Information [Prework] Please Read Before Posting

Discussion in 'Virus, Spyware and Malware Removal' started by Crush, Apr 2, 2012.


Thread Status:
Not open for further replies.
  1. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    You must be Registered and Logged in to Follow this Procedure.

    Welcome to the PCHF Malware Removal Forums.

    Please review the PCHF Security team Disclaimer prior to beginning your journey through malware removal. Additionally, please read the Security Forum Guidelines before posting.

    Please follow these instructions in order, and thoroughly, to allow our Security Team to quickly assist you.

    Please be sure not to do any banking, shopping, or Internet "personal" business on your computer while infected. Malware has the potential to compromise the security of your personal information when working on the Internet.

    If you have access to a clean PC, you might give consideration to changing passwords at any financial, social or personal online sites that you typically access from the infected PC.

    If you are running a 64-Bit Operating System please read Note for Users With A 64-Bit OS

    Index (click on each link to take you to a section of the Prework):

    Instructions Part 1: Diagnostic Scan with OTL
    Instructions Part 2: Check the Master Boot Record (MBR)
    Extra Notes
    P2P Filesharing Concerns
    What To Do When Posting
    Trouble Posting?

    Please do not follow any instructions from any user or staff member other than those in the Please Read Before Following Advice thread.

    When your thread has been replied to by a member of the Security Team, it will be tagged as In Progress. If more than 24 hours have elapsed since a member of the Security Team responded to your thread, feel free to send them a Private Conversation.

    Subsequently it will be tagged as Fixed once the all-clear is given.

    We have an excellent Security Team, and will take the time and effort to assist you according to your technical abilities. Please ask for any clarification, guidance or information that you may need. That's why we're here.

    See you in the Forum,
    The PCHF Security Team



    By posting a New Topic requesting malware removal help, you agree to all of the guidelines and important information, and understand the dangers associated with malware removal. By agreeing, you give us consent to be in control over how your system is cleaned, and release PCHF from liability for any possible damage associated with the malware removal.
  2. Crush Administrator & Security Team Leader

    Instructions Part 1 Diagnostic Scan With OTL:


    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in
      Code:
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\Fonts\*.ini
      %systemroot%\Fonts\*.ini2
      %systemroot%\Fonts\*.exe
      %systemroot%\system32\spool\prtprocs\w32x86\*.*
      %systemroot%\REPAIR\*.bak1
      %systemroot%\REPAIR\*.ini
      %systemroot%\system32\*.jpg
      %systemroot%\*.jpg
      %systemroot%\*.png
      %systemroot%\*.scr
      %systemroot%\*._sy
      %APPDATA%\Adobe\Update\*.*
      %ALLUSERSPROFILE%\Favorites\*.*
      %APPDATA%\Microsoft\*.*
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %PROGRAMFILES%\bak. /s
      %systemroot%\system32\bak. /s
      %ALLUSERSPROFILE%\Start Menu\*.lnk /x
      %systemroot%\system32\config\systemprofile\*.dat /x
      %systemroot%\*.config
      %systemroot%\system32\*.db
      %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
      %USERPROFILE%\Desktop\*.exe
      %PROGRAMFILES%\Common Files\*.*
      %systemroot%\*.src
      %systemroot%\install\*.*
      %systemroot%\system32\DLL\*.*
      %systemroot%\system32\HelpFiles\*.*
      %systemroot%\system32\rundll\*.*
      %systemroot%\winn32\*.*
      %systemroot%\Java\*.*
      %systemroot%\system32\test\*.*
      %systemroot%\system32\Rundll32\*.*
      %systemroot%\AppPatch\Custom\*.*
      %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
      %PROGRAMFILES%\PC-Doctor\Downloads\*.*
      %PROGRAMFILES%\Internet Explorer\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dat
      %USERPROFILE%\My Documents\*.exe
      %USERPROFILE%\*.exe
      %systemroot%\ADDINS\*.*
      %systemroot%\assembly\*.bak2
      %systemroot%\Config\*.*
      %systemroot%\REPAIR\*.bak2
      %systemroot%\SECURITY\Database\*.sdb /x
      %systemroot%\SYSTEM\*.bak2
      %systemroot%\Web\*.bak2
      %systemroot%\Driver Cache\*.*
      %PROGRAMFILES%\Mozilla Firefox\*.exe
      %ProgramFiles%\Microsoft Common\*.*
      %ProgramFiles%\TinyProxy.
      %USERPROFILE%\Favorites\*.url /x
      %systemroot%\system32\*.bk
      %systemroot%\*.te
      %systemroot%\system32\system32\*.*
      %ALLUSERSPROFILE%\*.dat /x
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\*.sys
      %systemroot%\system32\drivers\*.dll
      %systemroot%\system32\drivers\*.ini
      %systemroot%\system32\drivers\*.exe
      %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
      %SYSTEMDRIVE%\*.*
      %PROGRAMFILES%\*.
      %appdata%\*.*
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      disk.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      usbstor.sys
      /md5stop
      CREATERESTOREPOINT
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    • Make sure Use Safe List is selected under all categories
    • Make sure both Purity Check and LOP Check are selected
    • Make sure Scan All Users is selected
    • Make sure File Age is set to 30 days
    • Click the Run Scan button.
      When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      Please Attach the contents of these logs for review by our Security Team
    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://www.itxassociates.com/OT-Tools/OTL.scr
    http://www.itxassociates.com/OT-Tools/OTL.com
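The /md5start ... /md5stop part of the custom scan above tells OTL to hash a fixed list of boot-path drivers and logon DLLs. The PowerShell below is an added example, not part of this PCHF post and not code from OTL: it gathers the same kind of information (MD5, size, timestamp, Authenticode status) for every copy of those file names under System32, the driver store and WinSxS, and flags a name whose copies do not all share one hash. It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt; the directories searched and the CSV file name are my own choices.

```powershell
# Added example (not from the PCHF post or OTL): reproduce the /md5start
# section of the custom scan with built-in cmdlets.
# Assumptions: PowerShell 4.0+, elevated prompt so system folders are readable.

# Same file names OTL is told to hash between /md5start and /md5stop.
$names = @(
    'eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll',
    'ntelogon.dll','logevent.dll','iaStor.sys','nvstor.sys','atapi.sys',
    'IdeChnDr.sys','viasraid.sys','AGP440.sys','vaxscsi.sys','nvatabus.sys',
    'viamraid.sys','nvata.sys','nvgts.sys','iastorv.sys','ViPrt.sys',
    'eNetHook.dll','ahcix86.sys','KR10N.sys','disk.sys','nvstor32.sys',
    'ahcix86s.sys','nvrd32.sys','symmpi.sys','adp3132.sys','mv61xx.sys',
    'usbstor.sys'
)

# Where copies of these files normally live. DriverStore and WinSxS hold the
# pristine copies Windows installed from, so the live copy in System32\drivers
# can be compared against them. (Assumed locations; WinSxS is large and slow.)
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore",
    "$env:SystemRoot\WinSxS"
)

$rows = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                MD5       = $hash
                Signature = $sig.Status   # Valid / NotSigned / HashMismatch ...
            }
        }
}

# A name whose copies carry different hashes deserves a closer look: a patched
# driver in System32\drivers while the DriverStore/WinSxS copies are untouched.
$rows | Group-Object Name | ForEach-Object {
    $distinct = ($_.Group.MD5 | Sort-Object -Unique).Count
    if ($distinct -gt 1) {
        Write-Warning ("{0}: {1} copies with {2} different MD5 values" -f `
            $_.Name, $_.Count, $distinct)
    }
}

# Anything not reported as validly signed.
$rows | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, Path, Signature, Modified -AutoSize

# Full listing, comparable with the md5 lines in OTL.Txt, saved on the Desktop.
$rows | Sort-Object Name, Path |
    Export-Csv -Path "$env:USERPROFILE\Desktop\md5-check.csv" -NoTypeInformation
```

Two caveats. Many Microsoft drivers are catalog-signed rather than carrying an embedded signature, and on older Windows versions Get-AuthenticodeSignature reports such files as NotSigned, so a NotSigned result means "check further", not "tampered". And a hash that differs between copies is only a lead: Windows Update can legitimately leave several versions of a driver in WinSxS, so the modification time and the path decide which copy is the odd one out.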
  3. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    Instructions Part 2: Check the Master Boot Record (MBR)


    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below
    [IMG]

    Note: Do not take action against any **Rootkit** entries until we have reviewed the log. Often there are false positives.
    • Once the scan finishes click Save log to save the log to your Desktop.

      [IMG]
    • Attach the contents of aswMBR.txt in your post for review by our Security Team.
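For readers who want to see what a boot-sector check actually looks at, the PowerShell below is an added example, not part of this post and not code from aswMBR. It reads the first 512-byte sector of the boot disk through the ordinary Windows device path, confirms the 0x55AA boot signature, hashes the boot code, prints the four partition table entries and saves the raw sector next to the other logs. It assumes an elevated prompt and that the boot disk is \\.\PhysicalDrive0 (change the number for another disk); it only reads and never writes.

```powershell
# Added example (not from the PCHF post or aswMBR): dump and sanity-check the
# Master Boot Record without modifying it.
# Assumptions: elevated PowerShell; boot disk is \\.\PhysicalDrive0.

$device = '\\.\PhysicalDrive0'
$stream = New-Object System.IO.FileStream -ArgumentList $device,
    ([System.IO.FileMode]::Open),
    ([System.IO.FileAccess]::Read),
    ([System.IO.FileShare]::ReadWrite)
$mbr = New-Object byte[] 512
try {
    $read = $stream.Read($mbr, 0, 512)
} finally {
    $stream.Close()
}
if ($read -ne 512) { throw "Short read from ${device}: got $read bytes" }

# Classic MBR layout: 440 bytes of boot code, 4-byte disk signature at 440,
# 2 reserved bytes, four 16-byte partition entries from 446, 0x55AA at 510.
$bootCode   = [byte[]]$mbr[0..439]
$diskSig    = [BitConverter]::ToUInt32($mbr, 440)
$validMagic = ($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA)

$md5 = [System.Security.Cryptography.MD5]::Create()
$bootHash = ($md5.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''

"Boot signature 0x55AA present : $validMagic"
"Disk signature                : 0x{0:X8}" -f $diskSig
"MD5 of boot code (bytes 0-439): $bootHash"

# Partition table. Points worth mentioning in your thread: more than one entry
# flagged active, a type byte you cannot account for, or a start/size that does
# not match what Disk Management shows for the same disk.
for ($i = 0; $i -lt 4; $i++) {
    $off   = 446 + 16 * $i
    $boot  = $mbr[$off]
    $type  = $mbr[$off + 4]
    $start = [BitConverter]::ToUInt32($mbr, $off + 8)
    $count = [BitConverter]::ToUInt32($mbr, $off + 12)
    if ($type -eq 0) { continue }   # empty slot
    "Partition {0}: active={1} type=0x{2:X2} startLBA={3} sectors={4}" -f `
        ($i + 1), ($boot -eq 0x80), $type, $start, $count
}
# Type 0xEE is a protective MBR: the disk is GPT and the real partition table
# lives beyond this sector, so the boot code above is mostly a stub.

# Keep the raw sector so an analyst can diff it later.
[System.IO.File]::WriteAllBytes("$env:USERPROFILE\Desktop\mbr.bin", $mbr)
```

This goes through the normal disk I/O path, and a kernel-mode rootkit that filters disk reads can return a clean-looking sector to it while the real one is infected. Treat the output as a complement to the aswMBR log, not a replacement for it, and as the note above says, do not act on anything it shows until the Security Team has looked at it.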
  5. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    Extra Notes:

    Please note: It is common for a computer to appear free from malware even when the malware has not been completely removed. Although your computer appears to be clean after following the Prework, to avoid further problems, or even re-infection, please post the requested logs in order to have a Security Analyst verify that all traces are removed. Thank you for your cooperation.

    Also note: Each set of instructions is specifically tailored to the user that has posted with the issues. Following the instructions posted to another user when you yourself are infected is inadvisable, and could potentially result in your computer being rendered unbootable. If you think you are infected please do not hesitate to post.

    IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. The PCHF Security Team will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for us to foresee all interactions that may happen between the software on your computer and those used to clear you of infection, and we cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, we advise you to backup any personal files and folders before you start.
  6. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    Person To Person (P2P) File sharing Programs:

    The following post denotes the perils of P2P file sharing today:
    Warnings Regarding P2P Sharing Sites

    Please Note: As long as you have any P2P/cracked/warez program(s) installed, as per the PCHF Rules, PCHF Security Analysts will not be able to offer you assistance.

    Please remove any and all P2P Clients, etc. before proceeding. In the case of your operating system, please obtain a valid licensed copy before requesting assistance. Read more here.

    It takes an enormous amount of time, dedication, reading, research, and experience to learn how to recognize, and effectively remove today's malware. HijackThis has its uses, but no longer provides enough information in regard to today's malware which is why we use the scanning tools such as OTL etc.

    Should you encounter any issues when running any of these programs please make a note of it and move on to the next step. Once you're done and ready to post, please let us know of any of these types of issues.
  7. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    What To Do When Posting:

    When posting a new thread for the PCHF Security team please observe the following:

    We require all logs to be attached to the post rather than pasted in.

    See the following tutorial on how to add attachments to posts

    Describe your issue/problem in DETAIL! We cannot second-guess what your issue(s) may be. Please provide as much detail as possible, including virus/Trojan/worm names and locations if available. The more information you can give us, the better we can help.
    • Post the logs that we've specifically requested for you to.
    • DO NOT Wrap the log using Quote or Code tags. (DO make sure notepad word-wrap is OFF)
    • DO NOT Post another Program’s log (Unless we specifically ask for it)
    • DO NOT Cut off the header of any log (It contains important information for the Analyst)
    • DO NOT Private Conversation the Analyst unless asked to do so.
    • DO NOT post live suspicious links. We do appreciate that you want to give as much information as possible, but the links need to be munged. Please make sure before sending your post, the options are checked like so:
    • Please include all requested logs from this PreWork.
    • If you have a current thread; post the logs in your thread, and one of the staff will move your thread to the Malware Removal Forum for you.
    • Please include a detailed description of the problem you are having, be as specific as possible, and tell us any symptoms, scans you may have already done, other than PreWork, and also any hard or software that you may have installed prior to the odd behavior starting.
    Again, We require all logs to be attached to the post rather than pasted in.
  8. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    Disclaimer:

    PC Help Forum shall not be held liable for any issues resulting from the following: direct, indirect, incidental, special, consequential, or exemplary damages.

    Administrators and other specialized staff are the only users from whom you shall receive any trusted advice on fixing your computer.

    However, we cannot account for any damages arising from fixing your computer, since the results of removing malware are unpredictable. Approximately 75% of computers infected with malware are fixable; however, the latter margin is prone to issues beyond our control.

    If your computer happens to be in the latter margin, we will do our best to help you through the process of recovering your data, and if need be - reformat and reinstall your operating system.

    By starting a new topic, you agree to the disclaimer and are aware of the risks involved in malware removal.
  9. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,935
    Likes Received:
    3,672
    My System
    Loading...
    Can't Post Your Logs?

    Occasionally the maximum upload size for an attachment is exceeded due to the length of the logs.

    If you encounter an error when posting please post them zipped as an attachment. To zip the file into an uploadable archive you can use either WinRAR or 7-Zip.

    Still having difficulty uploading files? You can email the files to pchffiles[AT]gmail[DOT]com or upload them to Mediafire or Rapidshare

    Note: If you use the email method please still post and let us know in your thread as it is not checked every day.
