

Infection Removal Guide

This guide will cover basic infection removal.


  • If you have an infection you'd like to remove...
      • Please follow the Setup and then Removal posts.
        If that doesn't fix it, look at Advanced Removal.


  • If you want to learn how to stop future infections...

  1. Intro/T.O.C.
  2. Setup
  3. Removal
  4. Advanced Removal

Setup

Before you start removing infections, there are a few precautions you should take.
These steps will help cripple most infections, making them easier to remove.


  1. Restore file associations.
    Sometimes infections will remove your ability to directly run programs. This is often done so that while you can use shortcuts to still launch your browser and other programs, you can't run installers or tools to remove the infection. Luckily this is a quick fix.

    www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
    Download that file and open/run it. You should see something called xp_exe_fix.reg inside. Double-click that, and you should get a confirmation/warning. Click the Yes or Merge button (whatever your system says) to fix the EXE association information. You may need to restart afterwards before programs will run.


  2. Disable Browser Addons
    During the removal, you should run your browser with addons disabled so they don't get in the way of removing the infection.

    • Internet Explorer
      In your start menu's programs list, go to Accessories, then System Tools, and then Internet Explorer (No Addons).

    • Firefox
      Hold down the Shift key while starting Firefox to go into its Safe Mode (which has addons disabled).

    • Chrome
      Open Chrome normally, then press CTRL+SHIFT+N to open an incognito window, which has addons disabled. Close the original window and use the incognito one.


  3. Disable System Restore
    Viruses and other infections can hide in restore points, so we need to clear them.
    • XP
      In your Start menu, go to the Control Panel, and there should be a bunch of icons, one of them being System. If not, click Switch to Classic View on the left. Open System, and click the System Restore tab at the top. In that section, click the checkbox to turn off System Restore on all drives, if it is not already checked. Save the settings. That will delete any older system restore points, which could easily contain viruses, to prevent them from coming back in the future if you use a restore point.

    • Vista
      Open the Start menu, right-click Computer, and click Properties. In the new window, go near the top-left and click System protection. In a new window, you'll see a list of your drives. Uncheck them. Tell Windows that you want to turn System Restore off by clicking the button when it asks you.

    • Windows 7
      Open the Start menu, right-click Computer, and click Properties. In the new window, go near the top-left and click System protection. In a new window, you'll see a list of your drives. Below that, click the Configure button. In the next new window, choose Turn off system protection, then click the OK button.


  4. Delete the HOSTS file.
    The HOSTS file can be used to redirect good addresses (like google.com) to bad ones (like thiswebsiteisavirus.com), so we should delete it to be safe.

    In your start/globe menu, go to the Run command. If you're on Vista/7, you'd click in the little white box near the bottom. Copy the text below and paste it in the box, then press Enter.
    %systemroot%\System32\drivers\etc\
    In the folder that pops up, there should be a file named hosts with no extension. Delete it.
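
To see which redirects the HOSTS file held before deleting it, the following added example (not part of the original guide) parses hosts-file text and lists every mapping other than the default localhost entries. The sample entries, the function names and the "blocked"/"redirect" labels are constructed for illustration.

```python
import ipaddress
import os

# The only name a stock Windows hosts file maps to loopback.
DEFAULT_NAMES = {"localhost"}

# Constructed sample: two default lines plus two entries an infection might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    google.com www.google.com   # constructed entry
127.0.0.1       www.malwarebytes.org
"""

def default_hosts_path():
    """%systemroot%\\System32\\drivers\\etc\\hosts, in the folder the guide opens."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # comments start at '#'
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in fields[1:]:                   # one line may map several names
            name = name.lower().rstrip(".")
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends traffic for that name somewhere else.
            dead_end = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name, "blocked" if dead_end else "redirect"))
    return findings

if __name__ == "__main__":
    path = default_hosts_path()
    text = open(path, errors="replace").read() if os.path.exists(path) else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(finding)
```

An empty result means the file holds nothing beyond comments and the localhost defaults.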

Removal


  1. Malicious Software Removal Tool
    Malicious Software Removal Tool (32-bit)
    Malicious Software Removal Tool (64-bit)
    This is the first program that you should download and run. It's a tool that checks your computer for infection by specific viruses known to affect Windows. It is not a replacement for a normal anti-virus, but it is useful in removing something that has already infected you.


  2. rKill
    This tool will further attempt to kill any malicious program that's running, so we can actually get on with the removal. It comes in four "flavors"; if one doesn't work, try the others.
    http://download.bleepingcomputer.com/grinler/rkill.exe
    http://download.bleepingcomputer.com/grinler/rkill.com
    http://download.bleepingcomputer.com/grinler/eXplorer.exe
    http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe


  3. Anti-Malware
    The next thing to do is a scan with an anti-malware program. Download and install Malwarebytes, let it update, and then run a full scan with it. Fix/remove whatever it finds.
    www.malwarebytes.org


  4. Anti-Virus (Run-Once)
    It's time to do an antivirus scan. This is a run-once tool meant to remove any existing standard virus infections. Download and run this tool, and allow it to scan your computer.
    www.microsoft.com/security/scanner/


  5. Anti-Virus (Boot-Time)
    It's time for another antivirus scan, but this will be done a bit differently. Download and install Avast, then open the control window (main window). In there click the SCAN COMPUTER tab on the left, and then under that click Boot-time Scan. In that tab click the Schedule Now button and then click Restart Computer below that. Avast should boot before the windows desktop, and it should scan and remove whatever it can find. It will have to ask for confirmation on whatever it finds, but you can use the Repair All or Remove All commands to tell it what to do once it finds something.
    www.avast.com

Advanced Removal

If the normal removal steps didn't work or you can't follow them...
We can help you get past those blocks personally.
We will need certain pieces of info from you.

Post a thread in the main forum with the following info.


  • Windows version.
    In the start/orb menu there should be a My Computer or Computer option. Right-click it and click Properties. The new window that comes up should have information about which version of Windows you're using. If you're not sure which info it is, just take a screenshot for us.

  • Nature of infection.
    What's the exact problem? Are you getting slowdown? Random ads popping up? Google search is redirecting to ads? Can't open the task manager? Can't access certain files? Persistent ad trying to scare you out of your money?
    Tell us exactly what's going on, and remember that a picture tells a thousand words, and we like screenshots!

  • Why you can't remove.
    Unable to download one or more of the programs? Can't find a setting the guide told you to find? Can't run any of the programs for some reason? Did the programs run but not find anything? Does the infection keep coming back after you remove it?
    The more you tell us about the situation, the easier it'll be to find the source of the infection and get rid of it.

  • RogueKiller log.
    Download RogueKiller from majorgeeks.com, and run it. Press 1 to run a scan, and it should open the log when it's done. Visit dpaste.com and copy-paste the log into the big white box and submit/paste it. Then give us the link of the new page.

  • HijackThis log.
    Download and run the executable version of HijackThis from free.antivirus.com/hijackthis. Choose Do a system scan and save a log file. It will open the log file when it's done scanning. Visit dpaste.com and copy-paste the log into the big white box and submit/paste it. Then give us the link of the new page.

  • Msconfig startup list.
    In your start/globe menu, go to the Run command. If you're on Vista/7, you'd click in the little white box near the bottom. Type msconfig, then press Enter. In the new window, click the Startup tab, then take screenshots to show us everything that's checked.