remove malware guide
DESCRIPTION
A very thorough and extremely useful guide to remove all types of malware from your PC.
TRANSCRIPT
Remove Malware Guide
Read These Important Notes:
Complete ALL of the below steps including the specific cleaning instructions for
your Windows Version.
If something does not run, write down the info to explain to us later but keep on
going.
Do not assume that because one step does not work that they all will not.
If you cannot boot in Normal Boot mode or can boot but not properly run in
normal mode but your PC runs in safe boot mode, you can ignore our note about
Normal Startup and just complete as much as you can in safe boot mode. Some
programs may not install in safe boot mode.
If you cannot download required programs on the infected PC, download them
using another PC and copy them to the infected PC via CD or USB drive.
Do you want your PC fixed?? If yes then attempt to finish everything
requested. Please do not cheat by skipping any steps. Attempt to run ALL
steps in the READ & RUN ME. The only steps you should skip are ones that
you are blocked from running by your problems.
o You are only hurting yourself and you will waste more time in the
long run if you ignore or skip steps.
Once you start this cleaning process to remove your malware please do not do
anything to your PC except what is requested in this procedure. Do not install
anything on your own and do not run other scans.
Step 1: Getting Started
Please begin by reading our Forum Rules and Guidelines
If you are here because your PC is booting or running slowly, remember that this
is a malware removal guide and not a cure all for slow PC's guide.
o A slow PC is not always caused by malware. It could just be due to
what you run! Or it could be an inadequate amount of memory. We
recommend a MINIMUM of 1 GB for Windows XP and 2 GB for
Vista or Windows 7.
o If you have less than the above amount of memory and we do not find any
malware, we will be telling you to install more memory or uninstall
applications that use memory full time.
Step 2: Uninstalling Multiple Protection Applications
*** IMPORTANT NOTES - READ THESE ***
You must uninstall all but one antivirus program.
o If you have multiple antivirus applications installed on your PC, please
choose the one you prefer and uninstall all others. Do this now before
continuing because you will only be asked to do it later if not done now.
This does not mean online scanners. It is only referring to full antivirus
applications like McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky,
etc.
You must uninstall all but one software firewall.
o Only use one software firewall. Running multiple software firewalls is
unnecessary and using more than one software firewall on the same
connection could cause issues with connectivity to the Internet or other
unexpected behavior including excessive use of system resources which
will slow down overall PC performance.
Step 3: House Cleaning
Specifically look in Add/Remove Programs for the below programs and
uninstall them if found:
o MyWay or MyWay Search Assistant
o Viewpoint Manager (Remove Only)
o Viewpoint Media Player
o Viewpoint Toolbar
o Viewpoint Toolbar (Remove Only)
Skip this Sun Java update procedure if using Windows 98 or ME. Uninstall ALL
old Sun Java versions because they have vulnerabilities, and then update Java.
o See: Updating Sun Java
Empty ALL Quarantine type folders for antivirus and antispyware
applications.
o This step of house cleaning may save a load of time later (reduced
scanning time) and can significantly reduce the size of logs being posted
later. Here is just one example for doing this with Norton/Symantec:
Removing files from Norton AntiVirus Quarantine
Empty your Recycle Bin
Empty Norton Nprotect folder (if present) - If you are a Symantec/Norton user
make sure you empty their Norton Nprotect folder guarding the Recycle Bin.
o See Emptying the Norton Protected Recycle Bin
Download and install CCleaner
o Now run CCleaner with the default options (that means don’t change
anything) to clean out temporary files.
o Only use the default settings on the Windows Tab and select Run
Cleaner. Do not run any other options from other tabs.
o Also it is highly recommended to login to all other User Accounts on the
PC.
Run CCleaner on each account. This can greatly reduce scan time
and log sizes from the later scanning you will do below.
If you don’t see CCleaner’s link when logging into the other
accounts, just go to the C:\Program Files\Ccleaner folder and
double click on the ccleaner.exe file to run it. You can also create
a shortcut to the file on the Desktop of your other user accounts to
make it easier to run in the future.
Step 4: Configuration & Setup
Determine whether you have a 32-bit or 64-bit version of Windows because you will need to
know this later during cleaning instructions
How to check for a 32-bit or 64-bit version of Windows
Enable viewing of hidden files, system files and file extensions
o Some programs hide themselves by making their files invisible in normal
Windows settings. Run the steps in the below link (this has steps for ALL
Win OS's) to make them easier to find.
How to view hidden, system files & folders!
o Not doing this would allow file extensions commonly used by trojans and
spyware to be hidden, for example a file ending in .exe or .dll, making
manually finding it, if needed, difficult to impossible.
MSconfig must be set for Normal Startup mode
o If you don't do this you will be delayed in getting help for your
problems!!!! You MUST make sure that MSconfig is not being used to
control Startups.
o Note that some Windows OSs (like Win 2K, 2003) do not have
MSconfig! Run the procedure in the below link for your Windows version:
Use MSconfig to setup for Normal Startup Mode
o Read this to better understand why not to use MSconfig: Dealing with
Startup Process
Step 5: Uninstall Known Malware and Unwanted Software
Work thru the below link to uninstall any bad programs that should not be
installed on your PC. This may in some instances even resolve your problems. It
takes a small amount of time (based on your experience level) to do this
comparison, but it is well worth the effort.
o Uninstall Malware via Add/Remove Programs
Step 6: Disable Any Disk Emulation Software (like Daemon Tools..etc)
If you skip this step, we may be just telling you to start the cleaning process
over again! DON'T SKIP THIS STEP. This has become a critical step before
continuing the cleaning process. Disk emulation software is making it
difficult to separate real rootkit-like malware from valid software.
See the instructions provided in the following link to disable emulation software
and keep it disabled while we are still working on your PC.
o http://www.bleepingcomputer.com/forums/topic293569.html
Step 7: Select and run all the steps in the cleaning link below based on your
Windows Operating System
You must click the blue underlined links to get to the cleaning procedures for your
version of Windows!
If you have Windows 95, 98, or ME, continue here: Windows 98 and ME
Cleaning Procedure
If you have Windows 2000 or 2003 continue here: Win 2000 & 2003
Cleaning Procedure
If you have Windows XP, continue here: Windows XP Cleaning
Procedure
If you have Vista, continue here: Vista Cleaning Procedure
If you have Windows 7, run the Vista procedure. Continue here: Vista
Cleaning Procedure
Uninstall Malware via Add/Remove Programs
Quite often many problem programs can be uninstalled just by going to Control Panel
and selecting Add/Remove Programs. Doing this before running cleaning procedures
may help to give better more complete cleaning results and could even speed things up.
Look for any of the below items in Add/Remove programs and if found select them and
uninstall them. Some of these items (and they are flagged with ****) are on the Rogue
Tool List.
#1 Spyware Killer ****
100 Percent Anti-Spyware ****
1-2-3 Spyware Free ****
1 Click Spy Clean ****
1stAntiVirus ****
180ClientStubInstall
180 Search Assistant
180Solutions
1stAntiVirus ****
888Bar
Acoona Toolbar
Active alert
Ad Armor ****
Ad Behavior
Ad Destroyer ****
AdDriller ****
Ad-Eliminator ****
AdProtector ****
Ads Alert ****
ADS Adware Remover ****
Ad Service
Ad-Purge Adware ****
Adssite Advanced Toolbar
AdTools
AdTools Service
AdwareFilter
AdwarePunisher ****
Adware Remover ****
Adware Sheriff ****
Alexa toolbar
AlfaCleaner ****
ALOT eMusic Toolbar
AlwaysUpdatedNews
AntiSpy Advanced ****
AntiSpyPro
AntiSpyZone ****
AntiVermins ****
AntiVirusAdvance ****
Antivirus-Golden or Antivirus-Golden 3.4 - or any other version number
AntivirusGold ****
AntiVirusPCSuite ****
Anti Virus Pro ****
Anti Virus Pro 2009
Anti Virus Pro 2010
AntiVirus Protector ****
Antivirus Solution ****
AntivirusXP ( any version/year )
Ask Toolbar
AUN
AutoUpdate
AVSystemCare ****
AzeSearch
BargainBuddy
BearShare
BearShare Accelerator
BearShare MediaBar
BestGuardPlatinum ****
BestOffers or BestOffers Shopping BHO or ActivShop or e-zshopper
Bullseye Networks
Brave Sentry
BreakSpyware ****
Browser Optimizer Dcads
BrowserPal ****
Browser Protection Volume
CAS
CasStub
Casino Client
CashBack
CC2KUI or Comet Cursor Plus
CleanX ****
ClearSearch
ClockSync (this is part of WhenU)
CNSMin
Command
ContraVirus ****
Copperhead AntiSpyware ****
cosmi
CurePCSolution ****
Delfin or Delfin Media or DelFin Media Viewer
Desktop Defender 2010
Desktop Security 2010
DIARemover ****
DMVlite
DownloadWare
E2Give or e2Give
EasySearchBar
eGroup
Elite Bar
Elite Sidebar
Elite Toolbar
Elitum
Enhancement Browser Tools Superiorads
ExpertAntivirus ****
Fixer AntiSpy ****
Froggie Scan ****
Frontier Browser Assistant
Frontier Search Helper
GAIN
Gator
Grokster or Grokster Wiseupdt
Hotbar Browser
Hotbar Outlook Tools
Hotbar Web Tools
HuntBar
IEDefender
IExplorer Security Plug-in
IE Host
iMesh
Internet Explorer Security Plugin 2006
Internet Explorer Secure Bar
Internet Explorer Secure Plug-in
Internet Optimizer
Internet Security 2010
Internet Security Add-On
InternetShield ****
ISTbar
ISTSvc
Kazaa
Logitech Desktop Messenger <-- this is not malware but very few people need it or
want it and it does annoying things to the registry
MalwareAlarm ****
Malware Defense
MalwareScanner ****
Malware Stopper ****
MalwareWiped or MalwareWipe or MalwareWiper ****
MaxiFiles
Media Access
Media Gateway or MediaGateway
Media-Codec or MediaCodec or MMediaCodec
MediaLoads Installer
MediaPipe P2P Loader
MediaTickets
MediaTickets by OIN
Messenger Plus (see the notes at the bottom)
Messenger Plus Live! (see the notes at the bottom)
Messenger Plus! Live & Sponsor (CiD)
Messenger Service
Middadle
Morpheus 5.3 (remove only)
Morpheus (any version)
Morpheus Toolbar
Mr.AntiSpy ****
My Global Search Bar
MySidesearch Search Assistant
MySPyProtector ****
MyWay or MyWayBar or MyWaySpeed or MyWaySearchBar or My Web Search Bar
MyWebSearch or MyWebSearch Email Plugin
My Web Search (Outlook, Outlook Express, and IncrediMail)
MyWay Search Assistant or My Way Search Assistant
NavExcel Search Toolbar
NavHelper
NaviSearch
ncase
Need2Find
Need2Find Bar
NeoSpace ****
Network Monitor
NewDotNet
Notification Utility
Oemji Toolbar
Oin
OnWebMedia
Open Site
Outerinfo
OuterInfoAdSponsor
P2P Networking
p2pnetworks
Paltalk
PCODEC 6.0
PerfectCleaner ****
PestCapture ****
PestTrap ****
PestWiper ****
Preview AdService
Privacy Champion
Privacy Crusader ****
PrivacyScanner
PSGuard
Quick
QuickSearch
QuickSearch Toolbar
RazeSpyware ****
rdso
Red Swoosh EDN Client (remove only)
RelevantKnowledge
RemoveIT Pro <---- Any version! Not malware but always has too many ridiculous
false detections. The program is not properly tested and does not even know valid
System files from malware.
Safety Alert 2006
Safety Bar
SaveNow
Scan & Repair Utilities 2006 ****
screensaver_rp Screen Saver
Screensavers Installer Version 2
Search and Destroy <----This is a rogue. Do not confuse this with Spybot Search &
Destroy which is valid!!!
SearchAssist
Search Assistant Adssite
Search Assistant - My Web SearchBar
Search Assistant - My Way
SearchExe
Search Maid
Search Relevancy
Search Settings ( any version )
Search Toolbar (HuntBar/WinTools)
Security IGuard
Security Messenger
SeekmoToolbar
SelectRebates
ShopperReports by Hotbar
ShopperLink 1.0.4
ShopperLink 1.0.5 ( or any other versions )
Sidefind
SideSearch
SideStep
Slotchbar
SmileyDistrict Optimizer
SmileyDistrict Soap or Soap Pro
Software Update Manager
SpamBlockerUtility Browser
SpamBlockerUtility Email Toolbar
Spy Analyst ****
Spy Defence ****
SpyAdvanced ****
SpyAway ****
SpyAxe ****
SpyBan ****
SpyBuster ****
SpyCleaner ****
SpyContra ****
SpyCut ****
SpyCrush ****
SpyDawn ****
SpyDeface ****
SpyFalcon ****
SpyLocked ****
SpyMarshal ****
Spy Officer ****
SpyOnThis ****
Spy Reaper ****
SpyShield ****
Spy-Shield ****
SpySoldier ****
SpyiBlock ****
SpyiKiller ****
SpySheriff ****
SpyShield ****
Spy-Shield ****
SpySpotter ****
SpyVampire ****
Spyware & Adware Removal ****
SpywareBot ****
Spyware Disinfector ****
Spyware IT ****
Spyware Knight ****
Spyware Quake ****
Spyware Remover ****
SpyWare Secure ****
Spyware Scrapper ****
Spyware Sheriff ****
Spyware Sledgehammer ****
SpywareStop
Spyware-Stop ****
SpywareStrike ****
Spyware Striker
SpywareXP ****
SSK
StartGuard ****
StarWare
StopGuard ****
SurfAccuracy
SurfSideKick or SSK or SurfSideKick 3 (uninstall any version you find)
Super Codec 6.0
Sysnet
System Alert Popup
System Soap Pro
Upspiral Toolbar
The Spyware Shield ****
TargetSaver
Think-Adz Search Assistant removal
ToolBar
Top Search
TopSpyware
TurboDownload
TV Media
UnSpyPC ****
Utility Notification
Ultimate Defender ****
Ultimate-Spyware Adware Remover ****
VBouncer ****
VCClient
vidctrl
Video ActiveX Solution (of any version number)
Viewpoint <------- See additional info about all this Viewpoint stuff here: Viewpoint
and Viewpoint to Plunge Into Adware
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar or Viewpoint Toolbar (Remove Only)
Virtual Bouncer or Vbouncer
Virtual Maid
VirusBursters ****
VirusBurst ****
VirusGuard ****
VisFx
VSAdd-in
VSAdd-in for Internet Explorer
VSToolbar
VSToolbar for Internet Explorer
WareOut
WareOut Spyware Remover ****
Warez P2P Client
WeatherBug (this is really optional since it is only a minor adware nuisance)
Weather Check
Weather and Wowpapers Tools
Weather Services
Web Nexus Network
Web Offer
Web Rebates
Web Savings from Ebates
Web Search Toolbar (WinTools) or WebSearch Toolbar
WebHancer
WebHance Customer Companion
WeirdOnTheWeb
WhenU (any entry)
WeirdOnTheWeb
WildTangent
Win-dh
Window Active
WinAntiSpy 2005 ****
WinAntiSpyware 2005 ****
WinAntiVirus 2005 ****
WinAntiSpyware 2006 ****
WinAntiVirus 2006 ****
WinFixer ****
WinFixer 1.1.62.4 <---(or any other version too)
Winhound Spyware Remover ****
winupdates
Windows AdService
Windows AdStatus
Windows Safety Alert
Windows ServeAd
Windows SR 2.0
Winhound
Win Police Pro 2009
Win Police Pro 2010
WinTools
WinTools Easy Installer
WSEM Update
Yazzle Sudoku by OIN
X-Con Spyware Destroyer ****
XP Antivirus Protection (any version/year)
NOTES:
1. We highly recommend uninstalling any version of Messenger Plus. It can be
a major reason for having malware on your PC. It can even install a LOP infection.
They all come in the 3rd party tools that can easily be installed by mistake.
Software like this should not be trusted. And now the Messenger Plus Live!
program is a source of Virtumonde infections due to bundling in WinAntiVirus.
For additional info, see:
http://www.liutilities.com/products/wintaskspro/processlibrary/msgplus/
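The Add/Remove Programs comparison described above can be partly automated. The following PowerShell script is an added example, not part of the original guide: it reads the Uninstall registry keys that Add/Remove Programs is built from and reports entries whose name contains a watchlist term. It assumes PowerShell is available on the PC; $Watchlist holds a few names and name stems taken from the list above, and the function names are made up for this example.

```powershell
# Added example: compare installed programs against names from this guide's list.
# $Watchlist is a small subset chosen for illustration; extend it from the list above.
$Watchlist = @(
    'MyWay', 'My Way Search Assistant', 'MyWebSearch', 'My Web Search',
    'Viewpoint', 'WinFixer', 'WinAntiVirus', 'SpySheriff', 'Hotbar',
    'WhenU', 'Messenger Plus', 'Ask Toolbar', 'RelevantKnowledge'
)

# Add/Remove Programs is populated from these Uninstall keys. The Wow6432Node
# key exists only on 64-bit Windows and holds the 32-bit programs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NormalizedName([string]$Name) {
    # Lower-case and keep only letters and digits, so that
    # "My Way", "MyWay" and "my-way" all compare equal.
    return ($Name.ToLowerInvariant() -replace '[^a-z0-9]', '')
}

function Find-WatchlistMatch {
    param([string[]]$DisplayNames, [string[]]$Names)
    foreach ($display in $DisplayNames) {
        $norm = Get-NormalizedName $display
        foreach ($entry in $Names) {
            $key = Get-NormalizedName $entry
            # Substring match on the normalized form; report the first hit only.
            if ($key -and $norm.Contains($key)) {
                New-Object PSObject -Property @{ Installed = $display; Matched = $entry }
                break
            }
        }
    }
}

# Collect the display names; a missing key (e.g. Wow6432Node on 32-bit) is skipped.
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { $_.DisplayName } |
    Sort-Object -Unique

Find-WatchlistMatch -DisplayNames $installed -Names $Watchlist |
    Format-Table Installed, Matched -AutoSize
```

Treat each row as a candidate to check against the list by eye, not as a verdict: substring matching will also hit legitimate programs, and short list entries such as "Quick" or "Command" are too generic to add to the watchlist as they stand.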
Why we request you disable CD Emulation when receiving Malware Removal
Advice
As rootkit infections are becoming more and more commonplace,
BleepingComputer.com has decided to make a rootkit scan using GMER part of our
preparation steps for posting a malware removal request. Unfortunately, though, some
CD Emulation programs use a hidden driver that may be seen as a rootkit or that will
interfere with the proper operation of the anti-rootkit scanner.
Another issue that may arise from having these programs installed is errors that
appear when installing certain Windows updates. An example of this incompatibility can
be found here: http://support.microsoft.com/kb/884675
Due to these reasons we request that all CD Emulation programs be disabled before
requesting malware removal help. To make it easier for our users who may want to
continue using these tools, we will use a tool called DeFogger to disable these drivers so
that they do not interfere with our help. Then when your topic has been reviewed, or you
no longer need our services, you can simply run the DeFogger program again to reenable
the drivers so that you can properly use your CD Emulation programs again.
We have included instructions below on how to disable and enable CD Emulation
programs using DeFogger. All that we ask is that while we are working with you on your
malware removal topic, please do not enable the CD Emulation programs. Instead please
wait till we are finished helping you. If you absolutely need the use of your CD
Emulation program, then you can reenable it with the instructions below. If still waiting
for help, please remember to disable them after using it.
To disable CD Emulation programs using DeFogger please perform these steps:
1. Please download DeFogger to your desktop.
2. Once downloaded, double-click on the DeFogger icon to start the tool.
3. The application window will now appear. You should now click on the Disable
button to disable your CD Emulation drivers
4. When it prompts you whether or not you want to continue, please click on the Yes
button to continue
5. When the program has completed you will see a Finished! message. Click on the
OK button to exit the program.
6. If CD Emulation programs are present and have been disabled, DeFogger will
now ask you to reboot the machine. Please allow it to do so by clicking on the OK
button.
To enable CD Emulation programs using DeFogger please perform these steps:
1. Please download DeFogger to your desktop.
2. Once downloaded, double-click on the DeFogger icon to start the tool.
3. The application window will now appear. You should now click on the Enable
button to enable your CD Emulation drivers
4. When it prompts you whether or not you want to continue, please click on the Yes
button to continue
5. When the program has completed you will see a Finished! message. Click on the
OK button to exit the program.
6. If CD Emulation programs are present and have been enabled, DeFogger will now
ask you to reboot the machine. Please allow it to do so by clicking on the OK
button.