Help Me! All requests to fix an infected computer should be posted in this section only. Please make sure that you have read and followed the rules before posting.
Project coordinator
Registered: 06.09.2006
Posts: 5,623
Reputation weight: 1757
'Before You Post' guide: please run these scans
If you do not understand this text, you may want to read the Russian version.
If you do not fully understand the contents, use the unofficial guide in German.

Hello, in order to fix your computer and remove active malware, we need a special set of logfiles. Please follow the instructions below if you need our assistance.

NB:
1) If you have several infected machines or operating systems, please submit a separate query for each one.
2) Please do not send your submissions by email or through the PM system. All requests to remove malicious software should be posted on the forum.
3) A query which has not been submitted in accordance with these rules will have the lowest priority for our specialists.
4) Please read and follow these instructions as carefully as you can; if a helper asks you to do something, please do exactly what he or she asks.

Getting Started

You will need to download and use the following tools:
- AVZ Antiviral Toolkit (about 4.9 Mbytes). Mirror
  *If you have already downloaded AVZ before and have a copy of it on your PC, please make sure that you have the latest version of the Toolkit.
- HiJackThis (about 400 kbytes). Mirror
  *If you have already downloaded HiJackThis before and have a copy of it on your PC, please make sure that you have the latest version of it.
- Kaspersky Virus Removal Tool (about 70 Mbytes, developed by Kaspersky Lab) or Dr. Web CureIt! (about 42 Mbytes, developed by "Doctor Web"). You may use the special free version of Dr. Web CureIt! only on your home computer.
  *We advise you to choose the specific tool depending on the antivirus software you use. If you use Kaspersky Anti-Virus, download and run the Dr. Web tool, and vice versa. If you have some other antivirus, or if you do not have any, then please make the choice yourself.

When you have downloaded all the tools:
1. If you have any antivirus software, please update its database and do a complete scan of your computer.
2. Scan your PC with Kaspersky Virus Removal Tool or CureIt! in Safe Mode. Choose the "Heal" action for any objects detected; move and / or delete those which cannot be healed. Then please reboot to Normal Mode.
3. Unzip AVZ Antiviral Toolkit to a separate folder. Run AVZ, update its database ("File" => "Database Update"), then exit the Toolkit.
4. Unzip HiJackThis to a separate folder.
5. Please disable System Restore (see Appendix 1).
6. Disconnect from the Internet and unload your antivirus and firewall software (if any), close games, text editors and all other programs; leave only Internet Explorer running (if it is not started, then please run it).

Everything is ready now to start the analysis of your system.

Analysis

1. Start AVZ*. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box. Click on the "Execute selected scripts" button. Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
   *It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.
2. Connect to the Internet and start AVZ*. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box. Click on the "Execute selected scripts" button. A system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
3. Start HijackThis*. Click 'I Accept' in the EULA window. If the program malfunctions or stops working right after the start, download the renamed file of HijackThis here and use it in the following instructions. Click "Do a system scan and save a logfile". Save the logfile. The logfile will be saved in the program folder as hijackthis.log
   * You should run these programs with administrator rights. In Windows Vista administrator accounts do not have full privileges, so please right-click on the executable file and choose the 'Run as administrator' menu item.
4. Create a new thread in the "Help Me" section only. The header should contain a brief description of the problem and the body should provide the details. Attach the logfiles created during the system analysis (AVZ - virusinfo_syscure.zip, AVZ - virusinfo_syscheck.zip, HJT - hijackthis.log) to the message. There should be 3 logs in total. We will do our best to help you.
   *You should start a new thread when submitting a query.
   *Please attach the logfiles to the thread; do not upload them anywhere else unless requested. Do not rename the files; upload them with their default names.
   *Please do not give your threads senseless headers (like "Save my soul", "HAAALP", etc).
   *Do not attach any logfiles other than those of AVZ and HJT unless requested.

Important notice

Please do not use scripts that our helpers have written for other machines. Every case is unique, and running others' scripts is like taking someone else's medicine: you can cause harm either to your computer or to our service in general. Remember that VirusInfo will not be responsible for the results of such actions.

***

Appendix 1. How to turn off System Restore.

Windows protects the System Restore folders from all external programs. When viruses get into a PC, Windows can also keep them in the System Restore folders. Antiviruses and utilities cannot delete viruses from these folders. It is necessary to turn off System Restore for healing. After healing it is necessary to turn it back on.

Windows Me:
1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

Windows XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
   You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore?
   After a few moments, the System Properties dialog box closes.

Windows Vista:
1. Click on the Start button.
2. Hover over the Computer option, right-click on it and then click Properties.
3. On the left-hand side, click Advanced Settings.
4. Click on the System Protection tab.
5. Uncheck any check boxes listed for your hard drives (at least the one for the system drive).
6. Press OK and restart your computer.

Appendix 2. File search in AVZ.

1. Start AVZ, go to "File" - "Add to quarantine by list".
2. In the top window, enter the list of files which you were asked to send.
3. Press "Start" and wait until the "File addition process – complete" notification appears at the bottom of the window.
4. Close the current window.
5. Go to Appendix 3 for further guidance.

Appendix 3. How to send us requested files.

1. Start AVZ, choose from the menu "File" -> "Quarantine folder viewer".
2. Mark the files in the list which should be sent.
3. Click "Archive" and specify a place on the disk where the archive should be kept. We recommend accepting the default filename, i.e. virus.zip.
4. Upload the archive using the link (Upload quarantined files) at the top of your thread (the "thread link" field will be filled automatically), or use this link: http://virusinfo.info/upload_virus_eng.php, where you need to fill the "thread link" field manually. (It should look like http://virusinfo.info/showthread.php?t=XXXX).

***

Copyright (c) VirusInfo, 2004-2009. All rights reserved. This text, as a result of creative activity, is the intellectual property of VirusInfo. Full or partial copying of it is not allowed without the written consent of the VirusInfo administrating team.
__________________
Nick Golovko
AVZ English UI Developer
Anti-Virus & General Security Advisor

Last edited by Rene-gad; 02.12.2009 at 16:32. Reason: revised ref. version AVZ4.32
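The attachment rules from step 4 of the Analysis section (three logs, default names, the cure run before the plain check) can be checked before posting. The script below is an added example, not part of the original post and not a VirusInfo tool. The function names are hypothetical, the report name inside each archive is taken from the guide's wording, and the timestamp comparison is a heuristic added here.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Default names taken from the guide; uploads must keep them unchanged.
AVZ_ZIPS = ("virusinfo_syscure.zip", "virusinfo_syscheck.zip")
AVZ_REPORT = "avz_sysinfo.htm"  # assumption: report stored inside each archive
HJT_LOG = "hijackthis.log"

def check_logs(avz_dir, hjt_dir):
    """Return a list of problems; an empty list means all 3 logs look ready."""
    problems, found = [], {}
    for name in AVZ_ZIPS:
        path = Path(avz_dir) / "LOG" / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif not zipfile.is_zipfile(path):
            problems.append(f"not a zip archive: {name}")
        else:
            with zipfile.ZipFile(path) as zf:
                members = [m.lower() for m in zf.namelist()]
                if zf.testzip() is not None:
                    problems.append(f"corrupt archive: {name}")
                elif AVZ_REPORT not in members:
                    problems.append(f"no {AVZ_REPORT} inside: {name}")
            found[name] = path.stat().st_mtime
    hjt = Path(hjt_dir) / HJT_LOG
    if not hjt.is_file() or hjt.stat().st_size == 0:
        problems.append(f"missing or empty: {HJT_LOG}")
    # The guide runs the cure script first, reboots, then runs the plain check.
    if len(found) == 2 and found[AVZ_ZIPS[0]] > found[AVZ_ZIPS[1]]:
        problems.append("syscheck is older than syscure: rerun Analysis step 2")
    return problems

def build_sample(root, swap_order=False):
    """Create constructed (fake) logs under root for a dry run."""
    log_dir = Path(root) / "avz" / "LOG"
    log_dir.mkdir(parents=True)
    (Path(root) / "hjt").mkdir()
    for i, name in enumerate(AVZ_ZIPS):
        with zipfile.ZipFile(log_dir / name, "w") as zf:
            zf.writestr(AVZ_REPORT, "<html>constructed sample</html>")
        stamp = 1_000_000 + (1 - i if swap_order else i) * 600
        os.utime(log_dir / name, (stamp, stamp))
    (Path(root) / "hjt" / HJT_LOG).write_text("constructed sample\n")
    return Path(root) / "avz", Path(root) / "hjt"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_logs(*build_sample(tmp)) or "ready to attach")
```

For a real check, call `check_logs` with the folders where AVZ and HijackThis were unzipped.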