How to get rid of malware

Sat, 09 May 2009 08:18:01 Z

You may experience any one or more of the following symptoms:
- When you start your computer, or when your computer has been idle for many minutes, your - Internet browser opens to display Web site advertisements.
- When you use your browser to view Web sites, other instances of your browser open to display Web site advertisements.
- Your Web browser's home page unexpectedly changes.
- Web pages are unexpectedly added to your Favorites folder.
- New toolbars are unexpectedly added to your Web browser.
- You cannot start a program.
- When you click a link in a program, the link does not work.
- Your Web browser suddenly closes or stops responding.
- It takes a much longer time to start or to resume your computer.
- Components of Windows or other programs no longer work.

See:
http://support.microsoft.com/kb/827315/en-us
"Unexplained computer behavior may be caused by deceptive software".

1. Run the Microsoft Windows Malicious Software Removal Tool

2. Download ATF Cleaner by Microsoft MVP Atribune from http://www.atribune.org/

- Double-click ATF-Cleaner.exe to run the program.

- Click Select All found at the bottom of the list.

- Click the Empty Selected button.

- Click Exit on the Main menu to close the program.

- Shutdown/restart the computer.

3. Next, download Malwarebytes' Anti-Malware to your desktop.

[Malwarebytes' Anti-Malware was created by a Microsoft MVP and is free for personal use].

- Double-click mbam-setup.exe and follow the prompts to install the program.

- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

- If an update is found, it will download and install the latest version.

- Once the program has loaded, select Perform full scan, then click Scan.

- When the scan is complete, click OK, then Show Results to view the results.

- Be sure that everything is checked, and click Remove Selected.

4. Download, install, update and run: SUPERAntispyware (freeware)

- How do I download and install SUPERAntiSpyware?

- Customer Service and Product Support (FAQs)

5. If still no joy see and follow carefully:
"Checking for/Help with Spyware, Malware and Hijackware"

In the event you need further assistance with malware removal, I suggest you follow the instructions at one of the ASAP Member sites that provides malware removal assistance.

Part of this Guided Help courtesy of my colleague MVP Consumer Security Corrine

Hope this helps,

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003.
~ My Blog: http://blogs.dotnethell.it/vincent/

How to get rid of malware

Sat, 09 May 2009 09:02:49 Z

Guided Help Part Two

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjunction with some other utilities).
HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware / spyware with assistance from an expert.
Download: http://aumha.org/downloads/hijackthis.exe

Post your log to:
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30,
or another appropriate forum for review by an expert in such matters

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
Or you might consider deleting the User Profile altogether (although I wouldn't and trust the security of all other Profiles).

Courtesy of my colleague Robear Dyer (PA Bear) MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

Hope this helps,

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003.
~ My Blog: http://blogs.dotnethell.it/vincent/

How to get rid of malware

Sat, 09 May 2009 15:40:17 Z

Update: Guided Help Part Two

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe ) is the preferred tool to use (in conjunction with some other utilities).

Recently, many of the security help forums have begun moving away from HijackThis (HJT) as an initial tool, finding it useful only for a general idea of possible issues. Malware today is often not visible in a HJT log. In addition, preliminary cleaning often results in the issue not being visible in a HJT log.

As a result, it is suggested that anyone seeking additional assistance pay particular attention to the preliminary requirements of the site where they are obtaining help. It is particularly useful to the analyst if a clear and concise explanation of the nature of the problem is provided along with all requested logs.

The help sites are very busy. As a result, it may be a few days before a response is received. It is advisable that you track your topic so you will know when an analyst has replied. Because many of the sites track new help requests by zero (0) responses, it is not recommended that you "bump" your post. Most sites have a place to post if you think your problem has been overlooked.

It is important to note that many of the tools used at the security help forums are extremely powerful. If used incorrectly can turn your expensive computer into a large paperweight. For that reason, it is advisable that you seek help at an established, recognized site with trained analysts and not attempt to use specialized tools or fixes without proper guidance. You can find Microsoft MVPs and other trained analysts at the following help sites:

ASAP Member Forums Providing Log Analysis

Dansk - Danish
Spywarefri

Deutsch - German Spezifisch deutschsprachige Computerhilfe-Foren (german-language sites to get help from):
a-squared Anti-Malware Sie haben Probleme mit a-squared Anti-Malware? Fragen Sie hier unsere Experten!

English
247Fixes
5 Star Support
a-squared Anti-Malware If you have problems with a-squared Anti-Malware?
Amazingtechs
Atribune.org
BestTechie
Bluetack Internet Security Solutions
CyberAnswers.org
D-A-L Computer Help
Freedomlist
Gladiator Security
LandzDown
Lockergnome
Log'N'Rock
MalwareBytes
MalWare Removal
NutnWorks
Security Cadets
Security Central
Smokey's Security Forums
SpyWare BeWare!
SpywareInfoForum
Subratam.org
Techmonkeys
Tech Support Forum
Tech Support Guy
TeMerc Internet Countermeasures
The Spykiller
WhatTheTech
Windows Forum

Español - Spanish Sitios de ayuda contra el spyware en idioma español
a-squared Anti-Malware Tiene problemas con a-squared, con la página de inicio de a-squared o con algún Malware en especial? Siéntase libre de pedir ayuda.
InfoSpyware
ForoSpyware

Finnish Suomalaisia sivuja mistä saada malwaren poisto-apua (Finnish sites to get help from):
Virustorjunta

Français - French Voici des forums français sur lesquels vous trouverez une aide rapide et efficace :
a-squared Anti-Malware Vous avez des problèmes avec a-squared Anti-Malware ou avec certain Malware? Demandez ici à nos experts!
Assiste.com
Zebulon

Italiano - Italian
a-squared Anti-Malware Hai problemi con a-squared Anti-Malware o con malware speciale? Chiedi pure aiuto.
Alground Research Center

Nederlandstalig - Dutch Op deze Nederlandstalige forums wordt U snel en efficiënt geholpen :
Hijackthis.nl
Nucia / Anti Spyware Offensief
PCHelper

Portuguese
Linha Defensiva

Serbian/Croatian
MyCity

non-ASAP Forum Providing Log Analisis

Deutsch - German Spezifisch deutschsprachige Computerhilfe-Foren (German-language sites to get help from):
HijackThis.de Support Board
Protecus
Rokop Security
TrojanBoard

English
Asksomeone.net
Aumha.org
BleepingComputer
Dell Community Forum - HJT room
Geeks to Go
Safer-Networking
SpywareHammer
Spyware Warrior

Français - French
IDN - Infos-Du-Net
Vista-XP.fr
FS - Futura-Sciences
PCA - PC-Astuces
Génération Nouvelles Technologies
Telecharger.Com/01net

Nederlandstalig - Dutch
BlueMedicine
Minatica.be

Corrine, Microsoft MVP This posting is provided "AS IS" without warranty, and confers no rights.

How to get rid of malware

Sat, 09 May 2009 15:55:48 Z

Hi Corrine,

thank you very much for your update!

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~ My Blog: http://blogs.dotnethell.it/vincent/

How to get rid of malware

Sat, 09 May 2009 16:07:29 Z

You're welcome. I thought providing a list of some of the known international help sites would aid people needing further assistance. The trick is to remember to keep the list updated. :)

Corrine, Microsoft MVP This posting is provided "AS IS" without warranty, and confers no rights.

How to get rid of malware

Sat, 09 May 2009 16:34:15 Z

Hi again Corrine,

I agree with you ;-)

Now I hope that one MSFT - Moderator makes this thread "Sticky", thanks!

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~ My Blog: http://blogs.dotnethell.it/vincent/

How to get rid of malware

Sun, 10 May 2009 16:05:13 Z

I'm sorry but should have said that I'm using my laptop to post this message and be on the net, the problem is with my
Dell desktop (Vista)....
Karen

How to get rid of malware

Sun, 10 May 2009 17:07:08 Z

Hi Karen0451

Please go to your original Post
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/e4b33e63-d298-4ca7-ab66-56fba9c56117

If you need to download/reinstall Internet Explorer, you can do it on your laptop, burn it to a CD then re-install it on the Desktop.

http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_d69beac7-83c7-4a58-a655-68831a2e474a

Were you successfull in removing the Virus/Malware?

Ken
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.

How to get rid of malware

Mon, 18 May 2009 09:25:08 Z

Thank you MSFTs and Moderators for making this thread sticky!

Cheers,

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~ My Blog: http://blogs.dotnethell.it/vincent/

How to get rid of malware

Mon, 18 May 2009 15:26:20 Z

An Excellent post Mr. Di Russo ^5

Typically, I run the MRT tool (Microsoft Windows Malicious Software Removal Tool, or, mrt.exe, for those that do not know) from an elevated (Administrator) command prompt.

During the monthly patching cycle, the mrt is updated in the system32 directory as I'm sure you know. This file is larger than the one offered by Microsoft on the page you listed. I realize that Microsoft recommends using the method you have described but, I feel the version in the system32 directory has more definitions and I am not aware that it is "targeted" by malware authors. Please correct me if I am wrong.

I'll quote a part from:
http://support.microsoft.com/?kbid=890830#Faq

The easiest way to download and run the tool is to turn on Automatic Updates. Turning on Automatic Updates guarantees that you receive the tool automatically every month. If you have Automatic Updates turned on, you have already been receiving new versions of this tool monthly. The tool runs in quiet mode unless it finds an infection. If you have not been notified of an infection, no malicious software has been found that needs your attention.

I did Google to see if this the mrt is targeted and came up empty, pretty much. I have also not seen any blogs from cnet, zdnet or slashdot about this. It also happens, sometimes, that a user is blocked from the Internet by malware and cannot get updates to any malware removal program.

I highly believe in the mrt so I am going to suggest the following for running the mrt locally:
Open an Administrator command prompt: Pres the Orb or start key, Or, use the Windows key and type:
cmd
Press all these keys together: CTRL+SHIFT+ENTER and deal with UAC as required.
type, in the command box that opens:
mrt and press enter.
In the windows that opens, click next then, choose the radio button for Full scan and click next.

Allow the tool to complete. This may take quite a while, depending.
If an infection is found, follow the on screen instructions.
If an infection is not found, press Finish.

I would also like to add Windows Defender to your list. It is continually being improved. It has also been given a thumbs up by one malware author:
http://blogs.zdnet.com/security/?p=2385
and
http://blogs.technet.com/mmpc/archive/2008/10/10/malware-writer-wants-an-eye-to-eye-with-us.aspx

I am open to a dialogue about this posting. I will follow all advice given about this post and, if so requested, delete it.

Kind Regards,
Avatar

edit: I forgot to mention this can be done from the Recovery Enviroment.

How to get rid of malware

Wed, 17 Jun 2009 16:17:33 Z

I've just posted my own question about adserv cookies but your posting may be able to help me. Will the steps you suggest remove adserv cookies and block them in future?

How to get rid of malware

Wed, 17 Jun 2009 16:48:15 Z

Hi orouka,

I see your post: Windows defender not detecting or blocking Adserve cookies

See if this thread helps:
http://www.lavasoftsupport.com/index.php?showtopic=23414

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo

How to get rid of malware

Wed, 01 Jul 2009 02:22:31 Z

Vincenzo, thanks for your help. It worked!
I'm very new at this stuff and you really helped.
Gary

How to get rid of malware

Wed, 01 Jul 2009 04:17:40 Z

Hi Gary,

You're welcome. Glad to help and thank you very much for your feedback.

Cheers,

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo

How to get rid of malware

Tue, 11 Aug 2009 13:37:06 Z

I have tried this but it it detected nothing. Tried to download malwarebytes but my anti-virus bloked it, i am using Kaspersky. Does Kaspersky offer a feature to solve these advert pop-up problems? I'm new to all this so any help is much appreciated.

How to get rid of malware

Tue, 11 Aug 2009 13:59:32 Z

Hi, Dal T

Kaspersky is not likely to block MalwareBytes Anti-Malware. I suggest that you try a couple on-line scans. Follow the instructions provided at the links below.

http://onecare.live.com/site/en-US/default.htm
http://www.eset.com/onlinescan/

Corrine, Microsoft MVP This posting is provided "AS IS" without warranty, and confers no rights.

How to get rid of malware

Thu, 20 Aug 2009 22:52:44 Z

grazie mille, Vincenzo!

I worked feverishly today to try to remove "Personal Antivirus" from a system for a customer--one that would be a problem to backup/reformat/reload. Your posting worked great! In particular the Malwarebytes software solved the problem. It worked even with the system logged in and running. I had first removed the HDD and scanned with ESET NOD32 to remove viruses and it did find over 100 infections, but was unsuccessful at removing "Personal Antivirus" once I reinstalled it to the original computer.

--BizMD

How to get rid of malware

Fri, 21 Aug 2009 04:43:35 Z

Hi BizMD,

You're welcome. Glad to help and thank you very much for your feedback.

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo

How to get rid of malware

Fri, 11 Sep 2009 10:57:03 Z

Hi Vincenzo,

I noticed that these instructions are on the Vista thread. What should I do with a computer (Dell laptop Inspiron 8600) with Win XP?

Thank you,
JG

How to get rid of malware

Fri, 11 Sep 2009 11:23:40 Z

JG,

You can follow these directions also for Windows XP.

Hope this helps,

Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo

How to get rid of malware

Thu, 17 Sep 2009 11:48:29 Z

sir i tried hijackThis ..it shows "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE" is "NASTY"

now what to do? i was thinking to delete this folder but couldn't find this file in C:\Program Files....

plz help

How to get rid of malware

Thu, 17 Sep 2009 14:16:10 Z

sir i tried hijackThis ..it shows "C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE" is "NASTY"
now what to do? i was thinking to delete this folder but couldn't find this file in C:\Program Files....

plz help

HijackThis is an analysis tool and does not diagnose programs on the computer. That said, MyWebSearch has been classified as malware, spyware, spyware, adware, or other potentially unwanted software. I suggest that you start with Add/Remove Programs for an uninstall option. If there is no uninstall option, you can use WinPatrol to remove the browser hijack. http://www.winpatrol.com/bho.html . WinPatrol is free for personal use. There is also a one-time license purchase option for WinPatrol PLUS. See http://www.winpatrol.com/ .

Corrine, Microsoft MVP (Consumer Security). This posting is provided "AS IS" without warranty, and confers no rights.

How to get rid of malware

Mon, 21 Sep 2009 13:31:23 Z

Hi there. I received the Antivirus Pro 2010 virus on my computer this weekend. Unfortunately, it has taken control of my computer. I had read that I could delete the actually application by deleting it from my harddrive (manually since I could not get into Explorer-internet). I found and deleted it but my computer still is having issues. It now will load up and then after 5 minutes it does a restart. Also, I can not get into other applications. It seems to be a memory issue when looking at the error quickly.
What can I do to get rid of the remaining virus if I can't get into applications and the internet?

Thank you

Terri

How to get rid of malware

Mon, 21 Sep 2009 13:38:19 Z

Hi,

You can follow the instructions here. And you can download programs on another computer
and transfer them to your machine via removable media.

Remove Antivirus Pro 2010 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2010

Download malwarebytes and scan with it, run MRT, and add Prevx to be sure it is gone. (If Rootkits run UnHackMe)

Download - SAVE - go to where you out it - Right Click on it - RUN AS ADMIN

Malwarebytes - free
http://www.malwarebytes.org/

Run the Microsoft Malicious Removal Tool

Start - type in Search box -> MRT find at top of list - Right Click on it - RUN AS ADMIN.

You should be getting this tool and its updates via Windows Updates - if needed you can download it here.

Download - SAVE - go to where you out it - Right Click on it - RUN AS ADMIN
(Then run MRT as above.)

Microsoft Malicious Removal Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

-----------------------------

also install Prevx to be sure it is all gone.

Prevx - Home - Free - small, fast, exceptional CLOUD protection, works with other security programs. This is
a scanner only, VERY EFFECTIVE, if it finds something come back here or use Google to see how to remove.
http://www.prevx.com/

PCmag - Prevx - Editor's Choice
http://www.pcmag.com/article2/0,2817,2346862,00.asp

--------------------------------------------
Here are some online free scanners to help if needed :

http://www.eset.com/onlinescan/

http://www.kaspersky.com/virusscanner

Other Free online scans
http://www.google.com/search?hl=en&source=hp&q=antivirus+free+online+scan&aq=f&oq=&aqi=g1

--------------------------------------------

Also do these to cleanup general corruption.

Run DiskCleanup - Start - All Programs - Accessories - System Tools - Disk Cleanup

Start - type this in Search Box -> COMMAND find at top and RIGHT CLICK - RUN AS ADMIN

Enter this at the prompt - sfc /scannow

How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program
generates in Windows Vista cbs.log
http://support.microsoft.com/kb/928228

Run checkdisk - schedule it to run at next start and then Apply OK your way out then restart.

How to Run Check Disk at Startup in Vista
http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html

-----------------------------------------------------------------------

If any Rootkits are found use this thread and other suggestions. (Run UnHackMe)

http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/a8f665f0-c793-441a-a5b9-54b7e1e7a5a4/

Hope this helps.

Rob - Bicycle - Mark Twain said it right.

How to get rid of malware

Mon, 21 Sep 2009 13:51:15 Z

Rob,

Thank you for the information. I believe you are stating that I will need to use removable media in order to download the application from my laptop to my desktop. What would be the best to purchase since I do not have this currently? And where should I purchase this?

Thank you again!!

How to get rid of malware

Mon, 21 Sep 2009 14:04:41 Z

Hi,

You can do some of that without extra programs. Run MRT and checkout the guide.

CD - DVD - USBThumb Drives - USB external drives.... whatever is best solution for your systems.

Good Luck

Rob - Bicycle - Mark Twain said it right.

How to get rid of malware

Sun, 25 Oct 2009 09:02:51 Z

"Download ATF Cleaner by Microsoft MVP Atribune from http://www.atribune.org/"

when i open this hyperlink there is a warning "Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only"

Is there a way to do this for vista?

How to get rid of malware

Sun, 25 Oct 2009 16:59:08 Z

Thank you very much!

How to get rid of malware

Sun, 25 Oct 2009 22:13:38 Z

Hi, Mattcb09.

Yes, you need to right-click the .exe file and select "Run as Administrator", allowing the UAC elevation prompt. As Atri indicated here :

Notes for Windows Vista users:
On Windows Vista that "Windows Temp" is disabled, to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
Prefetch has been disabled on Windows Vista. As I'm not sure the effects that emptying prefetch on Windows Vista will have for the time being it I won't enable that function.

Corrine, Microsoft MVP (Consumer Security). This posting is provided "AS IS" without warranty, and confers no rights.

How to get rid of malware

Tue, 27 Oct 2009 07:57:12 Z

I've had the same problem as many others have listed... ie8 and unwanted websites opening themselves. The most common one I get is
http://dati.pzzz.org:8081/lt/1plus1.html?pid=15&mid=21904&channel=23&extra=-1&pt=df&clientid=1256628524
This is a new laptop and I've only installed Windows and updated to ie8 so it's not a problem with anything I've loaded, and I haven't visited any other sites than those I used to with my old laptop running ie7.

Rather than mess around downloading this, opening that, checking with this, cross referencing with that... I've got a better idea.
I'm just going to stop using ie and switch to Google Chrome or Mozilla Firefox instead!

I hate ie 8 and will not use it again... I've never had a problem like this with either of the other two browsers I've named!