TnT Forum is a member site of the Alliance of Security Analysis Professionals (ASAP). This means that users can be assured they will receive high quality free help from a team of trained Analysts.
Please follow these instructions carefully if you are infected or think you may be infected.
IMPORTANT!
Please do not attempt to fix or delete anything yourself – this may make matters worse and leave you with a large doorstop.
This includes running any specialised programmes you may see being used here or elsewhere. Incorrect and unsupervised use may cause more damage than good. If you do decide to run such programmes without supervision or specific instructions from a trained Analyst then the outcome is your responsibility.
Please do not install or uninstall any programmes until you have been advised to do so by a Security Team member. Do not post logs from any scanners or AVs unless they are specifically requested.
Risks associated with malware removal
Yes, there are risks involved. Removing malware can, on the odd occasion, leave you with a broken PC. This is rare - but it is a possibility. We therefore only allow fully trained Analysts to offer a fix for your system. Look for the username in Red and the description beneath the avatar.
Please note that you follow the guidance of our Analysts at your own risk. Neither TnT Forums nor any Analyst or Security Team member can accept responsibility for any mishaps or data loss as a result of following the advice provided.
Back up your data
If you haven't already done this, then we recommend you back up any important data before beginning the malware removal process. Please see our guide for a Quick and Simple Backup Regime.
Corporate/Business Users
The help provided on this forum is intended for individuals and not for business users. Most companies have their own dedicated IT departments and you may be breaking company policy by using outside help to clean your system. If you have a company PC and still wish to post here for assistance, please ensure you have the authority of your company before posting. The same will apply to computer repair businesses. Similar to most forums, we aim to provide free help for the individual user - not support businesses. Business/corporate users will therefore not receive dedicated malware removal assistance. The final decision as to whether or not any individual receives help here rests with the Administrators.
Illegal versions of Windows
It is TnT policy that users with ‘hacked’ or ‘cracked’ versions of Windows will not receive any assistance to clean their systems. This Forum does not support illegal software.
'Cracked' or 'Hacked' software
Using cracks and keygens to 'break' software is illegal. It's also like issuing an invitation to malware to join your system. You could be handing over control of your system to an unknown party. Where cracks etc are discovered on your system, we will ask you to remove them. If you do not, the cleansing process will stop and no further assistance will be offered. Users who habitually use cracks and return to TnT infected, after previously having their system cleansed here, will not be assisted again.
64-bit versions of Windows
Users with 64-bit systems should be aware that we are very limited in what we can do to clean your system. Very few tools, including the online scanners from the major AV vendors, can see the full 64-bit system. 64-bit Internet Explorer does not allow direct access to system files and Java is completely sandboxed, so infecting a 64-bit system should be very difficult indeed. The Analyst will help as much as possible, but users should note that the best advice may be to simply re-format and re-install Windows.
The logs we require
We only require you to run 2 small programmes. A third utility may be required, depending on programmes installed.
Please ensure that you close all other programmes before running these tools.
IMPORTANT!! - Windows Vista and Windows 7 users should ensure they run these programmes with Administrator privileges.
DeFogger
You only need to run this small programme if you are using CD Emulation software such as Daemon Tools, Alcohol, AstroBurn or StarBurn. These programmes use drivers which could be interpreted as a rootkit - this utility will disable them temporarily. If active, they may produce inaccurate and misleading results in our other scanners.
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
DDS
This is a scanner that will not make any changes to your system, but will provide detailed information vital to the Analyst reviewing your thread. Note that no personal information regarding you or any personal files on your system is collected or shown in the log.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
  - DDS.txt
  - Attach.txt
- Save both reports to your desktop.
Please include the following logs in your thread:
- Contents of the DDS.txt posted as text in your reply
- Attach the Attach.txt by referring to these instructions:
  - In the Preview post box look for the ‘Upload attachment’ tab at the bottom left
  - Click the tab and you will now see a ‘browse’ button
  - Click the ‘browse’ button to locate the file on your system
  - Once the file name appears in the ‘Filename:’ box, click ‘Add the file’
  - Click ‘Submit’ to post your thread with the attachment.
GMER
This is a rootkit scanner – it will let us know if a rootkit is present on your system. The presence of a rootkit will influence the actions we take to clean your system.

Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please say ‘Yes’.
- If you receive a warning about rootkit activity and are asked if you want to run a scan...click NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
  - Sections
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:\)
  - Show All (this one is important)
- Then click the Scan button & let GMER finish.
- Once done click on the [Save..] button, and in the File name area, type in "gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop
Warning!
Rootkit scans can often produce false warnings. Do NOT take any action if you see a "<--- ROOTKIT" entry.
You have the logs – what now?
Copy and paste the DDS and GMER logs (remember to attach the Attach.txt file) directly into a new topic in this Forum. If DeFogger was run without problems there is no need to post that log. Please do not post any logs other than those requested. If your logs are too long to post directly into the thread then zip them and attach them instead. To add an attachment:-
- In the Preview post box look for the ‘Upload attachment’ tab at the bottom left
- Click the tab and you will now see a ‘browse’ button
- Click the ‘browse’ button to locate the file on your system
- Once the file name appears in the ‘Filename:’ box, click ‘Add the file’
- Click ‘Submit’ to post your thread with the attachment.
What happens next?
Firstly, please be patient. Analysing your logs takes time and there are always more infected users than there are Security Analysts. We try to provide a reply as soon as we can. Remember, we are all volunteers, willingly giving up our spare time to help you.
When posting your logs, try to describe your problems in detail. This includes the thread title. A thread entitled “Help!” does not really provide much information!
Please try to reply within 24 hours of our posting a response. The longer you wait to reply, the more difficult and drawn out the cleansing process may become. In some cases, depending on the infection, we may need you to stay online and reply immediately. The Analyst will advise you if this is required.
Please be courteous when posting. We understand that you may be worried or frustrated about your situation but shouting about it will not help. An old adage is worth repeating here – “treat others as you would like to be treated yourself”.
If you have not received a reply within 72 hours of your first post, you should make a reply in your thread by adding the word “bump”.
Please try to avoid posting in different Forums/Sites about the same problem. This can just cause confusion and wastes your time and ours.
Please do not PM any Security Staff in an effort to secure assistance. Any such PMs will be ignored and a warning may be issued.
NOTE: If you do not respond to an initial reply from a Security Team member within 3 days, your topic will be closed.
Who is helping you
Only authorised Security Team staff may offer assistance. Each Security Team member will have the following banner in their signature
You can therefore be assured you are receiving quality assistance from trained staff.
Thanks for your co-operation.


