Remove Malware Guide

Read These Important Notes:

Complete ALL of the steps below, including the cleaning instructions specific to your Windows version. If something does not run, write down what happened so you can tell us later, but keep going: do not assume that because one step fails the others will too. If you cannot boot into Normal mode, or can boot but cannot run properly in Normal mode while the PC does run in Safe Mode, ignore our note about Normal Startup and complete as much as you can in Safe Mode. Some programs will not install in Safe Mode. If you cannot download the required programs on the infected PC, download them on another PC and copy them to the infected one on a CD or USB drive.

Do you want your PC fixed? If so, attempt to finish everything requested. Please do not cheat by skipping steps. Attempt to run ALL of the steps in the READ & RUN ME; the only steps you should skip are the ones your problems block you from running. You are only hurting yourself, and you will waste more time in the long run, if you ignore or skip steps.

Once you start this cleaning process, do nothing to your PC except what this procedure asks for. Do not install anything on your own and do not run other scans.
Step 1: Getting Started
Please begin by reading our Forum Rules and Guidelines.

If you are here because your PC is booting or running slowly, remember that this is a malware removal guide, not a cure-all for slow PCs. A slow PC is not always caused by malware; it may simply be what you run, or an inadequate amount of memory. We recommend a MINIMUM of 1 GB for Windows XP and 2 GB for Vista or Windows 7. If you have less than that and we find no malware, we will be telling you to install more memory or to uninstall applications that use memory all the time.
Step 2: Uninstalling Multiple Protection Applications *** IMPORTANT NOTES - READ THESE ***
You must uninstall all but one antivirus program. If you have multiple antivirus applications installed, choose the one you prefer and uninstall the others. Do this now, before continuing, because you will only be asked to do it later if it is not done now. This does not mean online scanners; it refers only to full antivirus applications such as McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky, etc.

You must uninstall all but one software firewall. Running multiple software firewalls is unnecessary, and more than one software firewall on the same connection can cause connectivity problems or other unexpected behaviour, including excessive use of system resources that slows the whole PC down.
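A quick way to check how many antivirus and firewall products the PC actually has registered, before deciding which one to keep. This is an added example for this step, not part of the original guide; it assumes Windows XP SP2 (root\SecurityCenter namespace) or Vista/7 (root\SecurityCenter2), and it only reports products that registered themselves with Windows Security Center, so Add/Remove Programs must still be checked by hand.

```powershell
# Added example (not part of the original guide): list the antivirus and firewall
# products that Windows Security Center knows about, so you can see whether more
# than one is installed before choosing which to keep.
# Assumptions: XP SP2 uses root\SecurityCenter, Vista and later use
# root\SecurityCenter2; a product that never registered with Security Center
# is not listed here. Nothing is changed by this script.

function Get-SecurityCenterProducts {
    $namespaces = @('root\SecurityCenter2', 'root\SecurityCenter')
    foreach ($ns in $namespaces) {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            # -ErrorAction SilentlyContinue: the namespace that does not exist on
            # this Windows version simply yields nothing.
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($item in $items) {
                # XP exposes onAccessScanningEnabled; Vista+ packs the same
                # information into the productState bit field.
                if ($item.productState -ne $null) {
                    $state = '0x{0:X6}' -f $item.productState
                } else {
                    $state = $item.onAccessScanningEnabled
                }
                New-Object PSObject -Property @{
                    Namespace   = $ns
                    Kind        = $class
                    DisplayName = $item.displayName
                    State       = $state
                }
            }
        }
    }
}

$products = @(Get-SecurityCenterProducts)
$products | Format-Table Kind, DisplayName, State, Namespace -AutoSize

$avCount = @($products | Where-Object { $_.Kind -eq 'AntiVirusProduct' }).Count
$fwCount = @($products | Where-Object { $_.Kind -eq 'FirewallProduct' }).Count
if ($avCount -gt 1) { Write-Warning "$avCount antivirus products are registered; keep only one." }
if ($fwCount -gt 1) { Write-Warning "$fwCount software firewalls are registered; keep only one." }
```

Run it from a normal PowerShell prompt; no elevation is required to read these WMI classes. A product listed here that no longer appears in Add/Remove Programs is usually a leftover registration from an incomplete uninstall and is worth removing with the vendor's cleanup tool.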
Step 3: House Cleaning
Look in Add/Remove Programs for the programs below and uninstall them if found:
- MyWay or MyWay Search Assistant
- Viewpoint Manager (Remove Only)
- Viewpoint Media Player
- Viewpoint Toolbar
- Viewpoint Toolbar (Remove Only)
Uninstall ALL old Sun Java versions, because they have known vulnerabilities, and then install the current version. Skip this Sun Java update procedure if you are using Windows 98 or ME. See: Updating Sun Java
Empty ALL quarantine folders of your antivirus and antispyware applications. This house cleaning step may save a lot of time later (reduced scanning time) and can significantly reduce the size of the logs you will post. Here is one example, for Norton/Symantec: Removing files from Norton AntiVirus Quarantine

Empty your Recycle Bin. If you are a Symantec/Norton user, also empty the Norton Nprotect folder (if present) that guards the Recycle Bin. See: Emptying the Norton Protected Recycle Bin
Download and install CCleaner. Run CCleaner with the default options (that is, do not change anything) to clean out temporary files: use only the default settings on the Windows tab and select Run Cleaner. Do not run any options from other tabs. It is also highly recommended that you log in to every other user account on the PC and run CCleaner in each one; this can greatly reduce the scan times and log sizes of the scans you will run below. If you do not see the CCleaner link when logged into the other accounts, go to the C:\Program Files\CCleaner folder and double-click ccleaner.exe to run it. You can also create a shortcut to that file on the Desktop of each account to make it easier to run in future.
Step 4: Configuration & Setup
Determine whether you have a 32-bit or 64-bit version of Windows; you will need to know this later in the cleaning instructions. See: How to check for a 32-bit or 64-bit version of Windows

Enable viewing of hidden files, system files and file extensions. Some programs hide themselves by making their files invisible under normal Windows settings. Run the steps in the link below (it covers ALL Windows versions) to make them easier to find. See: How to view hidden, system files & folders!

Not doing this leaves the file extensions commonly used by trojans and spyware hidden (for example a file ending in .exe or .dll), which makes finding such a file by hand, if that becomes necessary, difficult to impossible.
MSConfig must be set for Normal Startup mode. If you do not do this you will be delayed in getting help with your problems! You MUST make sure that MSConfig is not being used to control startups. Note that some Windows versions (such as Windows 2000 and 2003) do not have MSConfig. Run the procedure in the link below for your Windows version: Use MSconfig to setup for Normal Startup Mode

Read this to better understand why not to use MSConfig: Dealing with Startup Process
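The two configuration checks above (Windows bitness, and making hidden files, protected system files and extensions visible) can be done in one go from PowerShell. This is an added example, not part of the original guide; it sets the same per-user registry values that the Folder Options dialog sets, so it must be run in each user account that will be used during cleaning, and Explorer has to be restarted (or the user logged off and on) before the change shows.

```powershell
# Added example (not part of the original guide): report whether Windows is
# 32- or 64-bit and make hidden files, protected system files and file
# extensions visible in Explorer.
# Assumptions: the Explorer\Advanced values under HKCU are per user, so run this
# once in every account used for cleaning; Explorer must be restarted before the
# new settings are visible.

function Get-WindowsBitness {
    # A 32-bit PowerShell running on 64-bit Windows reports x86 in
    # PROCESSOR_ARCHITECTURE but also sets PROCESSOR_ARCHITEW6432, so check both
    # instead of trusting the current process's own pointer size.
    if ($env:PROCESSOR_ARCHITEW6432 -or $env:PROCESSOR_ARCHITECTURE -ne 'x86') {
        '64-bit'
    } else {
        '32-bit'
    }
}

function Show-HiddenFilesAndExtensions {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # Hidden=1          show hidden files and folders
    # HideFileExt=0     show file extensions for known file types
    # ShowSuperHidden=1 show protected operating system files
    $wanted = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord
    }
    # Read the values back so the caller can confirm they took.
    Get-ItemProperty -Path $key -Name Hidden, HideFileExt, ShowSuperHidden
}

"Windows is $(Get-WindowsBitness)"
Show-HiddenFilesAndExtensions | Format-List Hidden, HideFileExt, ShowSuperHidden

# Optional: kill Explorer so the new settings apply immediately. On XP, Vista
# and 7 the shell normally restarts itself; if the taskbar does not come back,
# start explorer.exe from Task Manager (File > New Task).
# Stop-Process -Name explorer -Force
```

Keep the bitness result with the notes you are writing down for the helper; the cleaning procedures linked in Step 7 ask for it, and a 32-bit tool that silently fails on a 64-bit system is a common reason for "nothing happened" reports.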
Step 5: Uninstall Known Malware and Unwanted Software
Work through the link below to uninstall any bad programs that should not be installed on your PC. In some cases this alone may resolve your problems. The comparison takes a small amount of time (depending on your experience level), but it is well worth the effort. See: Uninstall Malware via Add/Remove Programs
Step 6: Disable Any Disk Emulation Software (like Daemon Tools..etc)
If you skip this step, we may simply tell you to start the cleaning process over again, so DO NOT SKIP IT. This has become a critical step before continuing the cleaning process: disk emulation software makes it difficult to separate real rootkit-like malware from valid software. See the instructions in the following link to disable emulation software, and keep it disabled while we are still working on your PC: http://www.bleepingcomputer.com/forums/topic293569.html
Step 7: Select and run all the steps in the cleaning link below for your Windows operating system. You must click the blue underlined links to get to the cleaning procedures for your version of Windows!
- Windows 95, 98 or ME: Windows 98 and ME Cleaning Procedure
- Windows 2000 or 2003: Win 2000 & 2003 Cleaning Procedure
- Windows XP: Windows XP Cleaning Procedure
- Vista: Vista Cleaning Procedure
- Windows 7: run the Vista procedure. Continue here: Vista Cleaning Procedure
Uninstall Malware via Add/Remove Programs

Quite often many problem programs can be uninstalled just by going to Control Panel and selecting Add/Remove Programs. Doing this before running the cleaning procedures may give better, more complete cleaning results and could even speed things up. Look for any of the items below in Add/Remove Programs and, if found, select them and uninstall them. Items flagged with **** are on the Rogue Tool List.

- #1 Spyware Killer ****
- 100 Percent Anti-Spyware ****
- 1-2-3 Spyware Free ****
- 1 Click Spy Clean ****
- 1stAntiVirus ****
- 180ClientStubInstall
- 180 Search Assistant
- 180Solutions
- 888Bar
- Acoona Toolbar
- Active alert
- Ad Armor ****
- Ad Behavior
- Ad Destroyer ****
- AdDriller ****
- Ad-Eliminator ****
- AdProtector ****
- Ads Alert ****
- ADS Adware Remover ****
- Ad Service
- Ad-Purge Adware ****
- Adssite Advanced Toolbar
- AdTools
- AdTools Service
- AdwareFilter
- AdwarePunisher ****
- Adware Remover ****
- Adware Sheriff ****
- Alexa toolbar
- AlfaCleaner ****
- ALOT eMusic Toolbar
- AlwaysUpdatedNews
- AntiSpy Advanced ****
- AntiSpyPro
- AntiSpyZone ****
- AntiVermins ****
- AntiVirusAdvance ****
- Antivirus-Golden or Antivirus-Golden 3.4 (or any other version number)
- AntivirusGold ****
- AntiVirusPCSuite ****
- Anti Virus Pro ****
- Anti Virus Pro 2009
- Anti Virus Pro 2010
- AntiVirus Protector ****
- Antivirus Solution ****
- AntivirusXP (any version/year)
- Ask Toolbar
- AUN AutoUpdate
- AVSystemCare ****
- AzeSearch
- BargainBuddy
- BearShare
- BearShare Accelerator
- BearShare MediaBar
- BestGuardPlatinum ****
- BestOffers or BestOffers Shopping BHO or ActivShop or e-zshopper
- Bullseye Networks
- Brave Sentry
- BreakSpyware ****
- Browser Optimizer Dcads
- BrowserPal ****
- Browser Protection Volume
- CAS
- CasStub
- Casino Client
- CashBack
- CC2KUI or Comet Cursor Plus
- CleanX ****
- ClearSearch
- ClockSync (this is part of WhenU)
- CNSMin
- Command
- ContraVirus ****
- Copperhead AntiSpyware ****
- cosmi
- CurePCSolution ****
- Delfin or Delfin Media or DelFin Media Viewer
- Desktop Defender 2010
- Desktop Security 2010
- DIARemover ****
- DMVlite
- DownloadWare
- E2Give or e2Give
- EasySearchBar
- eGroup
- Elite Bar
- Elite Sidebar
- Elite Toolbar
- Elitum
- Enhancement Browser Tools Superiorads
- ExpertAntivirus ****
- Fixer AntiSpy ****
- Froggie Scan ****
- Frontier Browser Assistant
- Frontier Search Helper
- GAIN
- Gator
- Grokster or Grokster Wiseupdt
- Hotbar Browser
- Hotbar Outlook Tools
- Hotbar Web Tools
- HuntBar
- IEDefender
- IExplorer Security Plug-in
- IE Host
- iMesh
- Internet Explorer Security Plugin 2006
- Internet Explorer Secure Bar
- Internet Explorer Secure Plug-in
- Internet Optimizer
- Internet Security 2010
- Internet Security Add-On
- InternetShield ****
- ISTbar
- ISTSvc
- Kazaa
- Logitech Desktop Messenger (this is not malware, but very few people need or want it, and it does annoying things to the registry)
- MalwareAlarm ****
- Malware Defense
- MalwareScanner ****
- Malware Stopper ****
- MalwareWiped or MalwareWipe or MalwareWiper ****
- MaxiFiles
- Media Access
- Media Gateway or MediaGateway
- Media-Codec or MediaCodec or MMediaCodec
- MediaLoads Installer
- MediaPipe P2P Loader
- MediaTickets
- MediaTickets by OIN
- Messenger Plus (see the notes at the bottom)
- Messenger Plus Live! (see the notes at the bottom)
- Messenger Plus! Live & Sponsor (CiD)
- Messenger Service
- Middadle
- Morpheus 5.3 (remove only)
- Morpheus (any version)
- Morpheus Toolbar
- Mr.AntiSpy ****
- My Global Search Bar
- MySidesearch Search Assistant
- MySPyProtector ****
- MyWay or MyWayBar or MyWaySpeed or MyWaySearchBar or My Web Search Bar
- MyWebSearch or MyWebSearch Email Plugin
- My Web Search (Outlook, Outlook Express, and IncrediMail)
- MyWay Search Assistant or My Way Search Assistant
- NavExcel Search Toolbar
- NavHelper
- NaviSearch
- ncase
- Need2Find
- Need2Find Bar
- NeoSpace ****
- Network Monitor
- NewDotNet
- Notification Utility
- Oemji Toolbar
- Oin
- OnWebMedia
- Open Site
- Outerinfo
- OuterInfoAdSponsor
- P2P Networking
- p2pnetworks
- Paltalk
- PCODEC 6.0
- PerfectCleaner ****
- PestCapture ****
- PestTrap ****
- PestWiper ****
- Preview AdService
- Privacy Champion
- Privacy Crusader ****
- PrivacyScanner
- PSGuard
- Quick
- QuickSearch
- QuickSearch Toolbar
- RazeSpyware ****
- rdso
- Red Swoosh EDN Client (remove only)
- RelevantKnowledge
- RemoveIT Pro (any version; not malware, but it always has far too many false detections; the program is not properly tested and does not even tell valid system files from malware)
- Safety Alert 2006
- Safety Bar
- SaveNow
- Scan & Repair Utilities 2006 ****
- screensaver_rp
- Screen Saver
- Screensavers Installer Version 2
- Search and Destroy (this is a rogue; do not confuse it with Spybot Search & Destroy, which is valid!)
- SearchAssist
- Search Assistant Adssite
- Search Assistant - My Web SearchBar
- Search Assistant - My Way
- SearchExe
- Search Maid
- Search Relevancy
- Search Settings (any version)
- Search Toolbar (HuntBar/WinTools)
- Security IGuard
- Security Messenger
- SeekmoToolbar
- SelectRebates
- ShopperReports by Hotbar
- ShopperLink 1.0.4
- ShopperLink 1.0.5 (or any other version)
- Sidefind
- SideSearch
- SideStep
- Slotchbar
- SmileyDistrict Optimizer
- SmileyDistrict
- Soap or Soap Pro
- Software Update Manager
- SpamBlockerUtility Browser
- SpamBlockerUtility Email Toolbar
- Spy Analyst ****
- Spy Defence ****
- SpyAdvanced ****
- SpyAway ****
- SpyAxe ****
- SpyBan ****
- SpyBuster ****
- SpyCleaner ****
- SpyContra ****
- SpyCut ****
- SpyCrush ****
- SpyDawn ****
- SpyDeface ****
- SpyFalcon ****
- SpyLocked ****
- SpyMarshal ****
- Spy Officer ****
- SpyOnThis ****
- Spy Reaper ****
- SpyShield ****
- Spy-Shield ****
- SpySoldier ****
- SpyiBlock ****
- SpyiKiller ****
- SpySheriff ****
- SpySpotter ****
- SpyVampire ****
- Spyware & Adware Removal ****
- SpywareBot ****
- Spyware Disinfector ****
- Spyware IT ****
- Spyware Knight ****
- Spyware Quake ****
- Spyware Remover ****
- SpyWare Secure ****
- Spyware Scrapper ****
- Spyware Sheriff ****
- Spyware Sledgehammer ****
- SpywareStop
- Spyware-Stop ****
- SpywareStrike ****
- Spyware Striker
- SpywareXP ****
- SSK
- StartGuard ****
- StarWare
- StopGuard ****
- SurfAccuracy
- SurfSideKick or SSK or SurfSideKick 3 (uninstall any version you find)
- Super Codec 6.0
- Sysnet
- System Alert Popup
- System Soap Pro
- Upspiral Toolbar
- The Spyware Shield ****
- TargetSaver
- Think-Adz Search Assistant removal ToolBar
- Top Search
- TopSpyware
- TurboDownload
- TV Media
- UnSpyPC ****
- Utility Notification
- Ultimate Defender ****
- Ultimate-Spyware Adware Remover ****
- VBouncer ****
- VCClient
- vidctrl
- Video ActiveX Solution (any version number)
- Viewpoint (see additional info about all the Viewpoint entries here: Viewpoint and Viewpoint to Plunge Into Adware)
- Viewpoint Manager (Remove Only)
- Viewpoint Media Player
- Viewpoint Toolbar or Viewpoint Toolbar (Remove Only)
- Virtual Bouncer or Vbouncer
- Virtual Maid
- VirusBursters ****
- VirusBurst ****
- VirusGuard ****
- VisFx
- VSAdd-in
- VSAdd-in for Internet Explorer
- VSToolbar
- VSToolbar for Internet Explorer
- WareOut
- WareOut Spyware Remover ****
- Warez P2P Client
- WeatherBug (this is optional, since it is only a minor adware nuisance)
- Weather Check
- Weather and Wowpapers Tools
- Weather Services
- Web Nexus Network
- Web Offer
- Web Rebates
- Web Savings from Ebates
- Web Search Toolbar (WinTools) or WebSearch Toolbar
- WebHancer
- WebHance Customer Companion
- WeirdOnTheWeb
- WhenU (any entry)
- WildTangent
- Win-dh
- Window Active
- WinAntiSpy 2005 ****
- WinAntiSpyware 2005 ****
- WinAntiVirus 2005 ****
- WinAntiSpyware 2006 ****
- WinAntiVirus 2006 ****
- WinFixer ****
- WinFixer 1.1.62.4 (or any other version)
- Winhound Spyware Remover ****
- winupdates
- Windows AdService
- Windows AdStatus
- Windows Safety Alert
- Windows ServeAd
- Windows SR 2.0
- Winhound
- Win Police Pro 2009
- Win Police Pro 2010
- WinTools
- WinTools Easy Installer
- WSEM Update
- Yazzle Sudoku by OIN
- X-Con Spyware Destroyer ****
- XP Antivirus Protection (any version/year)
NOTES:
1. We highly recommend uninstalling any version of Messenger Plus. It can be a major reason for having malware on your PC and can even install a LOP infection. These all come in the third-party tools that are easily installed by mistake; software like this should not be trusted. The Messenger Plus Live! program is now also a source of Virtumonde infections because it bundles WinAntiVirus. For additional info, see: http://www.liutilities.com/products/wintaskspro/processlibrary/msgplus/
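Comparing a long Add/Remove Programs list against the names above by eye is slow and error-prone. The script below is an added example for Step 5 and for the list above; it is not part of the original guide. It reads the same Uninstall registry keys that Add/Remove Programs displays (including Wow6432Node, where 32-bit programs live on 64-bit Windows) and prints the matches together with their uninstall command. The watch list in it is a short constructed excerpt of the names on this page, matching is a case-insensitive substring test on the display name, so every hit should be checked against the full list before anything is removed, and the script itself uninstalls nothing.

```powershell
# Added example (not part of the original guide): compare the programs that
# Add/Remove Programs shows against a watch list and print the uninstall
# command for each match.
# Assumptions: $watchList is a constructed excerpt of the names on this page,
# matching is a case-insensitive substring test on DisplayName (so review each
# hit by hand), and nothing is uninstalled by this script.

$watchList = @(
    'MyWay', 'My Web Search', 'Viewpoint', 'Hotbar', 'WhenU', 'SpySheriff',
    'WinAntiVirus', 'WinFixer', 'Messenger Plus', 'Ask Toolbar', 'WinTools'
)

function Get-InstalledPrograms {
    # These are the keys Add/Remove Programs reads. Wow6432Node only exists on
    # 64-bit Windows; HKCU holds per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Entries without a DisplayName are hidden from Add/Remove Programs.
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.PSPath -replace '^.*::', ''
                }
            }
        }
    }
}

function Find-WatchListMatches {
    param([string[]]$Patterns)
    foreach ($program in Get-InstalledPrograms) {
        foreach ($pattern in $Patterns) {
            if ($program.DisplayName -like "*$pattern*") {
                # Record which watch-list name triggered the hit, then stop at
                # the first match so each program is reported once.
                $program | Add-Member NoteProperty Matched $pattern -PassThru
                break
            }
        }
    }
}

$hits = @(Find-WatchListMatches -Patterns $watchList)
if ($hits.Count -eq 0) {
    'No watch-list programs found in Add/Remove Programs.'
} else {
    $hits | Format-List DisplayName, Matched, Publisher, UninstallString, RegistryKey
}
```

The RegistryKey column is useful when an entry refuses to uninstall cleanly: a rogue's uninstaller is not to be trusted, and the helper may prefer to remove the files and then delete that key rather than run the program's own UninstallString.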
Why we request you disable CD Emulation when receiving Malware Removal Advice

As rootkit infections become more and more commonplace, BleepingComputer.com has decided to make a rootkit scan using GMER part of our preparation steps for posting a malware removal request. Unfortunately, some CD emulation programs use a hidden driver that may be seen as a rootkit, or that interferes with the proper operation of the anti-rootkit scanner. Another issue with these programs is errors when installing certain Windows updates; an example of this incompatibility can be found here: http://support.microsoft.com/kb/884675

For these reasons we request that all CD emulation programs be disabled before requesting malware removal help. To make it easier for users who want to keep using these tools, we use a tool called DeFogger to disable the drivers so that they do not interfere with our help. When your topic has been reviewed, or you no longer need our services, you can simply run DeFogger again to re-enable the drivers and use your CD emulation programs as before. Instructions for disabling and enabling CD emulation programs with DeFogger are below. All we ask is that, while we are working with you on your malware removal topic, you do not enable the CD emulation programs; please wait until we are finished helping you. If you absolutely need your CD emulation program, you can re-enable it with the instructions below, but if you are still waiting for help, remember to disable it again after using it.

To disable CD emulation programs using DeFogger:
1. Download DeFogger to your desktop.
2. Once downloaded, double-click the DeFogger icon to start the tool.
3. The application window will appear. Click the Disable button to disable your CD emulation drivers.
4. When it asks whether you want to continue, click Yes.
5. When the program has completed you will see a Finished! message. Click OK to exit the program.
6. If CD emulation programs are present and have been disabled, DeFogger will ask you to reboot the machine. Allow it to do so by clicking OK.

To enable CD emulation programs using DeFogger:
1. Download DeFogger to your desktop.
2. Once downloaded, double-click the DeFogger icon to start the tool.
3. The application window will appear. Click the Enable button to enable your CD emulation drivers.
4. When it asks whether you want to continue, click Yes.
5. When the program has completed you will see a Finished! message. Click OK to exit the program.
6. If CD emulation programs are present and have been enabled, DeFogger will ask you to reboot the machine. Allow it to do so by clicking OK.
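Before running DeFogger and the rootkit scan (Step 6 and the explanation above), it helps to have a baseline of which kernel drivers are loaded and who signed them, so that a disk emulation driver is recognised as such in the scan log rather than mistaken for a rootkit. The script below is an added example and is not part of the original guide or of DeFogger. It assumes Get-AuthenticodeSignature is available (PowerShell 1.0 and later). Two caveats: a driver that hides itself from the service list, which is exactly what the text above warns about, will not appear here, so this is a baseline and not a rootkit detector; and on XP and Vista many in-box Microsoft drivers are signed through catalog files rather than embedded signatures, so they can show as NotSigned and must be judged by their path and file details, not by that status alone. The script changes nothing.

```powershell
# Added example (not part of the original guide): list the kernel-mode drivers
# that are currently running, with their start mode, file path and Authenticode
# signer, and flag the ones that do not carry a Microsoft signature.
# Assumptions: Get-AuthenticodeSignature is available; drivers that hide
# themselves from the service list are not visible to this method; on XP/Vista
# catalog-signed Microsoft drivers may report NotSigned. Nothing is changed.

function Get-RunningDrivers {
    Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        # PathName may use NT-style prefixes; normalise to a Win32 path.
        $path = $_.PathName
        if ($path) {
            if ($path.StartsWith('\??\')) { $path = $path.Substring(4) }
            if ($path -match '^\\SystemRoot\\') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
        }
        $status = 'FileNotFound'
        $signer = ''
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            StartMode = $_.StartMode
            Path      = $path
            Status    = $status
            Signer    = $signer
        }
    }
}

function Get-NonMicrosoftDrivers {
    # Anything without a Microsoft subject in its embedded signature: third-party
    # drivers, unsigned drivers, and (on XP/Vista) catalog-signed in-box drivers.
    Get-RunningDrivers | Where-Object { $_.Signer -notmatch 'Microsoft' }
}

$all = @(Get-RunningDrivers)
"$($all.Count) kernel drivers running."
Get-NonMicrosoftDrivers | Sort-Object Name |
    Format-Table Name, StartMode, Status, Path -AutoSize
```

Save the output with the other notes you are collecting for the helper. Running the same script again after DeFogger has done its work shows which driver(s) it disabled, which is exactly the information a helper needs when a GMER log later shows an unexpected hidden driver.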