Monday, February 18, 2008

McAfee Virus Removal

NOTE: You need to have McAfee VirusScan installed on the computer to be able to run the DOS scan. Also clear the %temp% and temp folders before starting the DOS scan.

Download the SDAT File:

1. Please download the SDAT file from the following weblink:

http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise

2. Click the I Agree button (if needed) to verify you have a current support agreement with McAfee.

3. Click the link named sdatxxxx.exe (where 'xxxx' is the current SDAT version number) and save the file to your C:\ drive.

4. From the Taskbar, select Start and then Run. In the Open field, type command and click OK. A DOS command window will open.

5. Type CD\ and press Enter. You should now be at a C:\ prompt.

6. Type SDATXXXX.EXE /E C:\SDAT and press Enter. (Note: Replace the 'x's with the version number of the file you downloaded above.)

Note: There is a space between SDATXXXX.EXE /E and C:\SDAT.

This will create an SDAT folder on the C:\ drive, and extract the SDAT files to this folder.

Note: Windows XP Users with Service Pack 2 installed will be presented with a security warning when attempting to extract the file. Please click Run to continue the extraction process.

7. Once the C:\ prompt is displayed again, please type exit and press Enter.

Disable System Restore:

After this, disable the Windows System Restore feature:

1. Right-click the My Computer icon on the Desktop and click Properties.

2. Click on the System Restore tab.

3. Put a check mark in the box next to Turn off System Restore.

4. Click the OK button. You may be prompted to restart the computer.

5. Click Yes to restart.

Note: To re-enable the System Restore utility, repeat the steps above and in step 3 remove the check mark from the box next to Turn off System Restore.

Restart the computer in "Safe Mode with Command Prompt":

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select "Safe Mode with Command Prompt" and press Enter.

4. The computer will now start in Safe Mode with Command Prompt.

5. Login to your computer (if necessary) as Administrator.

6. When the computer is finished booting, the c:\> prompt will appear on the screen.

Note: If there is anything typed after c:\>, type cd\ and press Enter.

Scan the computer:

1. At the c:\> prompt, type cd sdat and press Enter.

2. Type scan /adl /clean /all /program /report report.txt and press Enter.

This will perform a virus scan, which will clean and delete any viruses you may have on your computer.

Note: After the scan has run, a summary report of the scan will be created in the sdat folder on the C:\ drive. If this summary reports that your computer had multiple infections, it is recommended that you run the scan again to make sure the computer has been completely cleaned.

Review the Scan Report

1. Restart the computer into Normal Mode.

2. Double-click the My Computer icon.

3. Double-click the C:\ drive. Double-click the sdat folder. Locate the file named report.txt and double-click to open it.

4. The report contains several lines. If the line named Possibly Infected has a number greater than 5, it is recommended that you run the scan in DOS again.

5. If you need to run the scan again, repeat the above instructions for Restart the computer in "Safe Mode with Command Prompt" and Scan the Computer.

Performing these steps should resolve the issue.

You can refer to the following web pages for additional information:

(Windows XP)

http://service.mcafee.com/FAQDocument.aspx?id=101219&lc=1033

(Windows Vista)

http://service.mcafee.com/FAQDocument.aspx?id=307091&lc=1033

Must Do During Virus Removal

Reset TCP/IP:

1. Click Start, Run, type cmd, and press ENTER.

2. In the command prompt window, type:

netsh int ip reset reset.log

3. Press ENTER.

4. Close the command prompt window.

5. Restart the computer.

Clear DNS cache and renew IP address:

1. Click Start, Search, type cmd.exe, and press ENTER.

2. In the Search Results window, right-click cmd.exe and select Run As Administrator.

3. In the command prompt window, type:

ipconfig /flushdns

4. Press ENTER.

5. When the command prompt is returned, type:

ipconfig /renew

6. Press ENTER.

7. Close the command prompt window.

Repair WinSock component:

1. Click Start -> Run

2. Type netsh winsock reset and press the Enter key.

Disable System Restore (XP):

Windows utilizes a restore utility that backs up and protects selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup and VirusScan would be unable to delete these files. The System Restore utility must be disabled to remove any infected files from the C:\_Restore folder.

After this, disable the Windows System Restore feature:

1. Right-click the My Computer icon on the Desktop and click Properties.

2. Click on the System Restore tab.

3. Put a check mark in the box next to Turn off System Restore.

4. Click the OK button. You may be prompted to restart the computer.

5. Click Yes to restart.

Note: To re-enable the System Restore utility, repeat the steps above and in step 3 remove the check mark from the box next to Turn off System Restore.

Disable System Restore (Vista):

1. Click Start, right-click Computer and select Properties.

2. Click System Protection.

3. Click Continue, if you are prompted by User Account Control.

4. Under Available Disks, remove the checkmark next to your disks.

5. Click Turn System Restore Off at any System Protection prompts you receive.

6. Click OK.

Note: To re-enable the System Restore utility, repeat the steps above and in step 4 put a check mark next to your disks.

Remove Malware Files In Registry.

Click Start, click Run, type regedit and click OK.

1. In Registry Editor, in the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options>

2. In the right panel, locate the following entries:

360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
EGHOST.exe
FileDsty.exe
FTCleanerShell.exe
FYFireWall.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
rfwmain.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
vsstat.exe
webscanx.exe
WoptiClean.exe

3. For each key, locate and delete the following entry:
Debugger="C:\ WINDOWS\ System32\ .exe"

4. Close Registry Editor.
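As an added example (not part of the original notes), a PowerShell audit of the Image File Execution Options keys listed above: it reports every Debugger value, flags any that does not name a known debugger, and deletes flagged values only when run with -Remove (which honours -WhatIf). It assumes Windows PowerShell 3.0 or later, an elevated session, and that the allow-list of known debuggers in the script is adjusted for your environment.

```powershell
# Added example: audit (and optionally clean) the Image File Execution Options
# "Debugger" redirection that the notes above describe removing by hand.
# Assumptions: Windows PowerShell 3.0+, run as Administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that may legitimately be registered here (assumed allow-list; extend it for
# your environment). Matched by file name without extension, case-insensitively.
$knownGood = @('ntsd', 'cdb', 'windbg', 'drwtsn32', 'vsjitdebugger')

# Pull the executable out of a Debugger value such as  "C:\path\dbg.exe" -p %ld -e %ld
function Get-DebuggerExe([string]$value) {
    $v = [Environment]::ExpandEnvironmentVariables($value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
    }
    return ($v -split '\s+', 2)[0]
}

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $exe = Get-DebuggerExe ([string]$props.Debugger)
            try   { $name = [System.IO.Path]::GetFileNameWithoutExtension($exe) }
            catch { $name = $exe }
            # Does the debugger actually exist (as a path, or on the PATH)?
            $exists = $false
            if ($exe) {
                $exists = (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) -or
                          [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Target     = $_.PSChildName        # program being redirected, e.g. HijackThis.exe
                Debugger   = $props.Debugger
                Exists     = $exists
                Suspicious = ($knownGood -notcontains $name)
                KeyPath    = $_.PSPath
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Host "No Debugger values found under $ifeoKey"
} else {
    $entries | Format-Table Target, Debugger, Exists, Suspicious -AutoSize -Wrap
    if ($Remove) {
        foreach ($e in ($entries | Where-Object { $_.Suspicious })) {
            if ($PSCmdlet.ShouldProcess($e.Target, "Remove Debugger value '$($e.Debugger)'")) {
                Remove-ItemProperty -Path $e.KeyPath -Name Debugger
            }
        }
    }
}
```

A Debugger value that points at a file in System32 which does not exist, or at a file that is not a debugger, is the pattern the notes above describe; review the table before running with -Remove.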

Virus Removal For Win XP

Please perform the steps in the given order:

For any virus removal chat/call, please restart the computer in Safe Mode with Networking and delete all third-party software, then proceed with the removal steps. The detailed steps are below:

Start the computer in Safe Mode:

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select "Safe Mode with Networking" and press Enter.

4. The computer will now start in Safe Mode with Networking.

Once the computer starts in Safe Mode, please search for and delete all third-party security software:

1. Click Start, and then click Control Panel.

2. Click Add/Remove Programs.

3. Search and uninstall all third party security software like Norton, Windows Defender, Ad-aware, SpyBot, any Registry Cleaner software, etc.

4. Close all open windows.

NOTE: Please do not restart the computer if prompted.

Removal Steps:

STEP 1: Temp folder

Click Start->Run

Type %temp% and click OK

Delete all files and folders.

---------

Click Start->Run

Type temp and click OK

Delete all files and folders.

NOTE: Temp is the system temporary folder, %temp% is the user temporary folder. Both folders need to be emptied.

***************************************************************************************************************

STEP 2: Application shortcuts

Click Start->Run

Type prefetch and click OK

Delete all files and folders.

***************************************************************************************************************

STEP 3: Personal files/folders shortcuts

Click Start->Run

Type recent and click OK

Delete all files and folders.

***************************************************************************************************************

STEP 4: Delete cookies and temporary internet files

1. Open Internet Explorer

2. Click on Tools tab

3. Click on Internet Options.

4. Click on "Delete Cookies", "Delete Temporary Internet Files", and "Clear History"

5. After this, click on Advanced tab and click on "Restore Defaults"

6. Click Apply and then click OK.

***************************************************************************************************************

STEP 5: Delete unnecessary files

1. Click Start -> Run

2. Type cleanmgr

3. Click OK

4. Select C: drive and click OK.

5. Select all check boxes except "Setup Log Files"

6. Click OK.

7. On the next pop-up box, click "Yes"

***************************************************************************************************************

STEP 6: Add/Remove Programs:

1. Click Start, and then click Control Panel.

2. Click Add/Remove Programs.

3. Search for any virus/spyware program and click on "Remove/Uninstall"

4. Close all open windows.

NOTES:

1. Please do not restart the computer if prompted.

2. If you are unsure, confirm with the customer before removing any program.

***************************************************************************************************************

STEP 7: Program Files:

Click Start->Run

Type %programfiles% and click OK.

Select the Virus folder and delete it.

e.g. MyWebSearch, ViewPoint, Video Add-On, Video Access

***************************************************************************************************************

STEP 8: Task Manager:

Click Start->Run

Type taskmgr and click OK.

The Task Manager Window will open.

Here we can end any suspicious process; the program associated with a process can be checked in the System Information tool (STEP 9) before ending it.

***************************************************************************************************************

STEP 9: System Information Tool / MsInfo32:

Click Start->Run

Type msinfo32 and click OK.

The System Information Window will open.

Click on Software Environment.

Then check Running Tasks and Startup Programs

***************************************************************************************************************

STEP 10: Delete Programs in Users folder:

1. Click Start, and then click Control Panel.

2. Click Appearance and Themes, and then click Folder Options. (You can directly click on "Folder Options" in Control Panel if that option is available)

3. On the View tab, under Hidden files and folders, click Show hidden files and folders.

4. Click OK button.

After this, please perform the following steps:

1. Double click on My Computer.

2. Double-click on the C:\ drive.

3. Double click on Documents and Settings.

4. Here you will find all the User folders. Please select one folder and double click on it.

5. Double click on Application Data.

6. Select and delete any virus/spyware folders.

7. Repeat the above steps for all User folders listed in Documents and Settings.

***************************************************************************************************************

STEP 11: MsConfig Utility:

Click Start->Run

Type msconfig and click OK.

The System Configuration Utility Window will open.

Click on the Startup tab.

Here we can disable programs or services that we do not want to run.

***************************************************************************************************************

STEP 12: System Folder:

C:\Windows\System32

Here we have to search for the virus entries and delete them. Most of the virus entries found here will give you an "access denied" message when you try to delete them, because the process or DLL file associated with these files is running in the background.

So we need to stop the process in Task Manager and then try to delete the infected file, or we have to restart the computer in Safe Mode and delete the file there.

***************************************************************************************************************

STEP 13: Remove infected registry entries:

1. Click Start -> Run

2. Type regedit and click OK.

The Registry Editor window will open.

3. Click the + sign beside HKEY_LOCAL_MACHINE

4. Click the + sign beside Software

5. Scroll down here and check for the virus folders.

6. Delete any that you find.

7. Click the + sign beside Microsoft

8. Click the + sign beside Windows

9. Click the + sign beside Current Version

10. Click the + sign beside Run

Here, check for any virus entries in the right pane and delete them.

Repeat the same for RunOnce and RunServices keys.

Repeat the above steps for HKEY_CURRENT_USER

***************************************************************************************************************

STEP 14: Run Spybot:

Restart the computer in Normal Mode and download Spybot from this weblink & save it on the computer's Desktop:

http://www.spybotupdates.com/files/spybotsd15.exe

1. Install the tool on the customer's computer by double clicking on the saved icon.

2. Uncheck all options except "Check for Updates quickly"

3. Run the tool.

4. After the scan is completed, click on "Fix Selected Items" at the top of the tool window.

5. Close Spybot Window.

***************************************************************************************************************

STEP 15: Check McAfee Security Center:

1. Open McAfee Security Center and click on "Computers and Files" and then click on "Configure" at the right pane.

2. Click on "Trusted Lists" in left pane.

3. Check all the System Guards one by one and see if any virus file is located there.

4. If detected, click on it and then click on "Remove" button at the right bottom of Security Center Window.

5. After removing all virus file instances, click on "Updates" in Security Center Window.

***************************************************************************************************************

After completing all the above steps, perform Windows Update:

1. Open Internet Explorer

2. Type the following in the address bar and press the Enter key:

http://windowsupdate.microsoft.com

This should start the automatic updates of Windows.

3. Restart the computer and check if the issue is resolved.

***************************************************************************************************************

Ask the customer to follow this website to protect his computer from future infections:

http://www.microsoft.com/protect/computer/advanced/default.mspx


General Virus Removal Information.

Virus - Vital Information Resources Under Siege

Most viruses try to execute either before or after the user logs in to the computer.

Viruses typically reside in the load points of Windows.

There are several load points in Windows, namely the Registry, the Startup folder, the System32 folder, the Temp folder, etc.

Virus entries in the Registry try to execute before the user logs in, i.e., when the computer starts.

Virus entries in the Startup folder and Temp folders execute after the user logs in.

The Registry Load Points are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKCR\AppID\

e.g. {01234567-89AB-CDEF-0123-456789ABCDEF}

Startup Folder:

C:\Documents and Settings\%user%\Start Menu\Programs\Startup

%user% is the name of the user who has logged in currently to the computer.

Here we have to search for the virus entries and delete them.
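An added example (not from the original notes) covering both STEP 13 above and the load points just listed: a PowerShell script that enumerates the Run/RunOnce/RunServices keys under HKLM and HKCU, the Browser Helper Objects registered for the machine and the current user, and both Startup folders, resolves each entry to its file, and reports whether the file exists and whether it is Authenticode-signed. It assumes Windows PowerShell 3.0 or later; reading these keys needs no elevation.

```powershell
# Added example: inventory of the Windows load points named in the notes above.
# Assumption: Windows PowerShell 3.0+ (for [pscustomobject] and Get-ChildItem -File).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Properties the registry provider adds to Get-ItemProperty output; not real values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a command line such as  "C:\x y\a.exe" /s  or  C:\a.exe /s
function Get-CommandExe([string]$cmd) {
    $c = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if (-not $c) { return '' }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: grow the candidate word by word until it names a file
    $parts = $c -split ' '
    $fallback = $parts[0]
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if ($fallback -eq $parts[0] -and $candidate -match '\.(exe|dll|com|scr|pif|bat|cmd)$') {
            $fallback = $candidate   # best guess when the file no longer exists
        }
    }
    return $fallback
}

function New-LoadPointRecord($location, $name, $command) {
    $exe    = Get-CommandExe $command
    $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $sig    = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
    [pscustomobject]@{
        Location = $location; Name = $name; Command = $command
        File = $exe; Exists = $exists; Signature = $sig
    }
}

function Get-LoadPointEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            New-LoadPointRecord $key $p.Name ([string]$p.Value)
        }
    }
    foreach ($key in $bhoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            # The CLSID's InprocServer32 default value is the DLL Internet Explorer loads
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            New-LoadPointRecord $key $clsid ([string]$dll)
        }
    }
    # Per-user and all-users Startup folders (shortcuts are reported as-is)
    $startup = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $startup) {
        Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            New-LoadPointRecord $folder $_.Name $_.FullName
        }
    }
}

Get-LoadPointEntries | Sort-Object Exists, Signature |
    Format-Table Location, Name, File, Exists, Signature -AutoSize -Wrap
```

Entries whose file is missing, or whose file is unsigned and lives under a Temp or user-profile folder, are the ones to look up on the process sites named below before deleting anything.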

Temp folder:

Click Start->Run

Type %temp% and click OK

System Folder:

C:\Windows\System32

Here we have to search for the virus entries and delete them. Most of the virus entries found here will give you an "access denied" message when you try to delete them, because the process or DLL file associated with these files is running in the background.

So we need to stop the process in Task Manager and then try to delete the infected file, or we have to restart the computer in Safe Mode and delete the file there.

Program Files:

Click Start->Run

Type %programfiles% and click OK.

MsConfig Utility:

Click Start->Run

Type msconfig and click OK.

The System Configuration Utility Window will open.

TaskManager:

Click Start->Run

Type taskmgr and click OK.

MsInfo32:

Click Start->Run

Type msinfo32 and click OK.

The System Information Window will open.

Services Window:

Click Start->Run

Type services.msc and click OK.

Important Web sites for Virus Removal:

To check whether a process running in the Task Manager is associated with a virus or not, we need to refer to these two web sites:

http://www.processlibrary.com/

http://www.liutilities.com/products/wintaskspro/processlibrary/

Important Notes:

NOTE 1: We have to know the name of the virus by running a full scan with the antivirus software (McAfee VirusScan) before we proceed with the virus removal procedure. After getting the name of the virus, we can search for it on Google to find out the files and processes associated with it. Then it will be easy for us to detect these files and remove them from the load points.

NOTE 2: Whenever we are not able to delete a file/folder, we need to restart the computer in Safe Mode and then try deleting the file. In Safe Mode, the computer starts with the minimum drivers and software and is mainly used for troubleshooting purposes in Windows.

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select "Safe Mode" and press Enter.

4. The computer will now start in Safe Mode.

NOTE 3: Before proceeding with the Virus Removal steps, we need to disable the System Restore feature of Windows temporarily.

1. Right click on the 'My Computer' and select 'Properties'

2. Click on System Restore tab

3. Check the box next to "Turn Off System Restore on all drives"

4. Click 'Apply' and then click OK.

NOTE 4: Always inform the customer to take a backup of his/her personal data (music, videos, documents) and a registry backup before proceeding with the virus removal.

NOTE 5: After removing the virus/spyware, open McAfee Security Center and check if the virus/spyware is listed in the "Trusted List" in "Computer and Files" section. If listed, please remove them from the list.

NOTE 6: After the virus removal procedure is complete, inform the customer to regularly perform the McAfee VirusScan update and Windows Update and to use SiteAdvisor while surfing the Internet. Also refer him to the following web links:

http://www.mcafee.com/us/threat_center/tips.html

http://www.microsoft.com/protect/computer/advanced/default.mspx


You can check virus history from this weblink:

http://www.virus-malware.com/virus+history/antvirus

No Internet Connection.

If there is no Internet connection, ask the customer to restart in Safe Mode with Networking and check whether he can connect to the Internet. If that fails, perform the following steps and check again:

Repair WinSock component:

1. Click Start -> Run

2. Type netsh winsock reset and press the Enter key

-----------

Repair TCP/IP:

1. Click Start, click Run, type cmd, and then press ENTER

2. At the command prompt, type netsh int ip reset resetlog.txt, and then press ENTER to reset the TCP/IP network protocol.

3. After this, at the command prompt, type ipconfig /renew, and then press ENTER.

-----------

Reinstall TCP/IP:

1. Right-click the network connection, and then click Properties.

2. Click Install.

3. Click Protocol, and then click Add.

4. Click Have Disk.

5. Type C:\Windows\inf, and then click OK.

6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

7. Restart the computer.

-----------

Repair Windows system files:

1. Place the Windows CD in the CD drive and close the CD tray.

2. Close all windows that are open on the Desktop.

3. Click Start -> Run

4. Type sfc /scannow

Note: There is a space between sfc and /scannow

5. Press the Enter key.

This will start the System File Checker utility and repair any missing/corrupted Windows files. This will take time depending on the number of Windows files missing/corrupted.

NOTE: The above steps are for Windows XP. If there is still no Internet connection, refer the customer to the ISP or the system manufacturer.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Show Hidden files and folders


Windows Vista

· Right Click Start

· Select Explore

· Select Organize

· Select Folder and Search Options

· Select the View tab

· Under the Hidden files and folders heading select Show hidden files and folders.

· Uncheck the Hide extensions for known file types option.

· Uncheck the Hide protected operating system files (recommended) option.

· Click Apply

· Click OK

Windows XP

· Right Click Start.

· Select Explore

· Select the Tools menu and click Folder Options.

· Select the View Tab.

· Under the Hidden files and folders heading select Show hidden files and folders.

· Uncheck the Hide extensions for known file types option.

· Uncheck the Hide protected operating system files (recommended) option.

· Click Apply.

· Click OK.

Windows 2000

· Right Click Start.

· Select Explore

· Select the Tools menu and click Folder Options.

· Select the View Tab.

· Under the Hidden files and folders heading select Show hidden files and folders.

· Uncheck the Hide protected operating system files (recommended) option.

· Click Yes to confirm

· Click OK.

Windows ME

· Right Click Start.

· Select Explore

· Select the Tools menu and click Folder Options.

· Select the View Tab.

· Under the Hidden files and folders heading select Show hidden files and folders.

· Uncheck the Hide extensions for known file types option.

· Uncheck the Hide protected operating system files (recommended) option.

· Click Yes to confirm

· Click OK

If you do not see all the files, you may need to click the underlined link shown for the drive being accessed; the link will say:

· View the Entire contents of this drive.

Windows 98

· Right Click Start.

· Select Explore

· Select the Tools menu and click Folder Options.

· Select the View Tab.

· In the Hidden files section select Show all files.

· Click OK.

IMPORTANT NOTE: Even after following these steps, some file extensions will still not be displayed. The extensions that will still not be displayed are all for file types that are executable. The extensions are .lnk, .pif and .shs.

Malware Folders

Please delete these folders in C:\Program Files and check Add/Remove Programs to remove the associated programs:

Also check in C:\Documents and Settings\All Users\Application Data.

#1 Spyware Killer ****
100 Percent Anti-Spyware ****
1-2-3 Spyware Free ****
1 Click Spy Clean ****
1stAntiVirus ****
180ClientStubInstall
180 Search Assistant
180Solutions
888Bar
Acoona Toolbar
Active alert
Ad Armor ****
Ad Behavior
Ad Destroyer ****
AdDriller ****
Ad-Eliminator ****
AdProtector ****
Ads Alert ****
ADS Adware Remover ****
Ad Service
Ad-Purge Adware ****
AdTools
AdTools Service
AdwareFilter
AdwarePunisher ****
Adware Remover ****
Adware Sheriff ****
Alexa toolbar
AlfaCleaner ****
AlwaysUpdatedNews
AntiSpy Advanced ****
AntiSpyZone ****
AntiVermins ****
AntiVirusAdvance ****
Antivirus-Golden or Antivirus-Golden 3.4 - or any other version number
AntivirusGold ****
AntiVirusPCSuite ****
Anti Virus Pro ****
AntiVirus Protector ****
Antivirus Solution ****
AUN
AutoUpdate
AVSystemCare ****
AzeSearch
BargainBuddy
BearShare
BearShare Accelerator
BestGuardPlatinum ****
BestOffers or BestOffers Shopping BHO or ActivShop or e-zshopper
Bullseye Networks
Brave Sentry
BreakSpyware ****
BrowserPal ****
Browser Protection Volume
CAS
CasStub
Casino Client
CashBack
CC2KUI or Comet Cursor Plus
CleanX ****
ClearSearch
ClockSync (this is part of WhenU)
CNSMin
Command
ContraVirus ****
Copperhead AntiSpyware ****
cosmi
CurePCSolution ****
Delfin or Delfin Media or DelFin Media Viewer
DIARemover ****
DMVlite
DownloadWare
E2Give or e2Give
EasySearchBar
eGroup
Elite Bar
Elite Sidebar
Elite Toolbar
Elitum
ExpertAntivirus ****
Fixer AntiSpy ****
Froggie Scan ****
Frontier Browser Assistant
Frontier Search Helper
GAIN
Gator
Grokster or Grokster Wiseupdt
Hotbar Browser
Hotbar Outlook Tools
Hotbar Web Tools
HuntBar
IExplorer Security Plug-in
IE Host
iMesh
Internet Explorer Security Plugin 2006
Internet Explorer Secure Bar
Internet Explorer Secure Plug-in
Internet Optimizer
Internet Security Add-On
InternetShield ****
ISTbar
ISTSvc
Kazaa
Kazaa Lite v2.4.0 [K++ Edition] or Kazaa Lite K++ v2.4.3 or any other version
Kazaa Lite Resurrection any version
Kazaa Media Desktop 2.1 or any other version
Logitech Desktop Messenger (this is not malware, but very few people need or want it and it does annoying things to the registry)
MalwareAlarm ****
MalwareScanner ****
Malware Stopper ****
MalwareWiped or MalwareWipe or MalwareWiper ****
MaxiFiles
Media Access
Media Gateway or MediaGateway
Media-Codec or MediaCodec or MMediaCodec
MediaLoads Installer
MediaPipe P2P Loader
MediaTickets
MediaTickets by OIN
Messenger Plus (see the notes at the bottom)
Messenger Plus Live! (see the notes at the bottom)
Messenger Service
Middadle
Morpheus 5.3 (remove only)
Morpheus (any version)
Morpheus Toolbar
Mr.AntiSpy ****
My Global Search Bar
MySPyProtector ****
MyWay or MyWayBar or MyWaySpeed or MyWaySearchBar or My Web Search Bar
MyWebSearch or MyWebSearch Email Plugin
My Web Search (Outlook, Outlook Express, and IncrediMail)
MyWay Search Assistant
NavExcel Search Toolbar
NavHelper
NaviSearch
ncase
Need2Find
Need2Find Bar
NeoSpace ****
Network Monitor
NewDotNet
Notification Utility
Oemji Toolbar
Oin
OnWebMedia
Open Site
Outerinfo
OuterInfoAdSponsor
P2P Networking
p2pnetworks
Paltalk
PCODEC 6.0
PerfectCleaner ****
PestCapture ****
PestTrap ****
PestWiper ****
Preview AdService
Privacy Champion
Privacy Crusader ****
PrivacyScanner
PSGuard
Quick
QuickSearch
QuickSearch Toolbar
RazeSpyware ****
rdso
Red Swoosh EDN Client (remove only)
RelevantKnowledge
Safety Alert 2006
Safety Bar
SaveNow
Scan & Repair Utilities 2006 ****
screensaver_rp Screen Saver
Screensavers Installer Version 2
SearchAssist
Search Assistant - My Web SearchBar
Search Assistant - My Way
Search Maid
Search Relevancy
Search Toolbar (HuntBar/WinTools)
Security IGuard
Security Messenger
SearchExe
SelectRebates
ShopperReports by Hotbar
Sidefind
SideSearch
Slotchbar
SmileyDistrict Optimizer
Soap or Soap Pro
Software Update Manager
SpamBlockerUtility Browser
SpamBlockerUtility Email Toolbar
Spy Analyst ****
Spy Defence ****
SpyAdvanced ****
SpyAway ****
SpyAxe ****
SpyBan ****
SpyBuster ****
SpyCleaner ****
SpyContra ****
SpyCut ****
SpyCrush ****
SpyDawn ****
SpyDeface ****
SpyFalcon ****
SpyLocked ****
SpyMarshal ****
Spy Officer****
SpyOnThis ****
Spy Reaper ****
SpyShield ****
Spy-Shield ****
SpySoldier ****
SpyiBlock ****
SpyiKiller ****
SpySheriff ****
SpySpotter ****
SpyVampire ****
Spyware & Adware Removal ****
SpywareBot ****
Spyware Disinfector ****
Spyware IT ****
Spyware Knight ****
Spyware Quake ****
Spyware Remover ****
SpyWare Secure ****
Spyware Scrapper ****
Spyware Sheriff ****
Spyware Sledgehammer ****
Spyware-Stop ****
SpywareStrike ****
SpywareXP ****
SSK
StartGuard ****
StarWare
StopGuard ****
SurfAccuracy
SurfSideKick or SSK or SurfSideKick 3 (uninstall any version you find)
Super Codec 6.0
Sysnet
System Alert Popup
System Soap Pro
Upspiral Toolbar
The Spyware Shield ****
TargetSaver
Think-Adz Search Assistant removal
ToolBar
Top Search
TopSpyware
TurboDownload
TV Media
UnSpyPC ****
Utility Notification
Ultimate Defender ****
Ultimate-Spyware Adware Remover ****
VBouncer ****
VCClient
vidctrl
Video ActiveX Solution (of any version number)
VideoAccessCodec
Video Add-Ons
Viewpoint (see the additional information on all the Viewpoint products in the articles "Viewpoint" and "Viewpoint to Plunge Into Adware")
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar or Viewpoint Toolbar (Remove Only)
Virtual Bouncer or Vbouncer
Virtual Maid
VirusBursters ****
VirusBurst ****
VirusGuard ****
VisFx
VSAdd-in
VSAdd-in for Internet Explorer
VSToolbar
VSToolbar for Internet Explorer
WareOut
WareOut Spyware Remover ****
Warez P2P Client
WeatherBug (unless you have the paid version)
Weather Check
Weather and Wowpapers Tools
Weather Services
Web Nexus Network
Web Offer
Web Rebates
Web Savings from Ebates
Web Search Toolbar (WinTools) or WebSearch Toolbar
WebHancer
WebHance Customer Companion
WeirdOnTheWeb
WhenU (any entry)
WildTangent
Win-dh
Window Active
WinAntiSpy 2005 ****
WinAntiSpyware 2005 ****
WinAntiVirus 2005 ****
WinAntiSpyware 2006 ****
WinAntiVirus 2006 ****
WinFixer ****
WinFixer 1.1.62.4 (or any other version)
Winhound Spyware Remover ****
winupdates
Windows AdService
Windows AdStatus
Windows ServeAd
Windows SR 2.0
Winhound
WinTools
WinTools Easy Installer
WSEM Update
Yazzle Sudoku by OIN
X-Con Spyware Destroyer ****

NOTES:

We highly recommend uninstalling any version of Messenger Plus. It can be a major reason for having malware on your PC. It can even install a LOP infection. They all come in the third-party tools that can easily be installed by mistake. Software like this should not be trusted. And now the Messenger Plus Live! program is a source of Virtumonde infections due to bundling in WinAntiVirus.


Virus removal tool

PLEASE READ THIS (IMPORTANT):

Please remove the tools below after running them on the customer's computer. They can be removed from Add/Remove Programs, from the C: drive, from the %temp% and %programfiles% folders and from the Desktop. This is to ensure that these programs do not cause any issues with the working of McAfee products in future. Also, some of the products are from direct competitors like TrendMicro. So the best practice is to run the tool and then remove it once the system is clear of infections. Sometimes we have to run more than one tool to ensure that all infected files and registry entries are cleaned. It is always best practice to run SpyBot after running any other tool (e.g., run SmitfraudFix, restart the computer and then run SpyBot). Please take some time to download the tools on our "Test computers" and check all the functionalities. IMPORTANT: Check how to remove these tools after running them on our computer. This will help while running the tool and removing malware from the customer's computer.

Always clear the %temp%, temp, prefetch, recent and tasks folders and delete cookies and browsing history in Internet Explorer in addition to running these tools.

Example:

Click Start --> Run

Type tasks

Press Enter key.

(You can type %temp%, temp, prefetch or recent in place of tasks to open the respective folder.)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

If McAfee VirusScan does not detect the name of the virus/trojan/spyware but customer is getting pop-ups and clear symptoms of infection, then do an online scan from these weblinks:

http://housecall.antivirus.com/

http://www.ewido.net/en/onlinescan/

http://www.kaspersky.com/virusscanner

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Removal Tools:

SmitfraudFix:

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

SpyBot:

http://www.spybotupdates.com/files/spybotsd15.exe

Trojan Hunter:

http://www.misec.net/products/TrojanHunterSetup.exe

Malicious Software Removal Tool:

http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V1.34.exe

SUPER Anti Spyware:

http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe

Stinger:

http://download.nai.com/products/mcafee-avert/stinger.exe

CWShredder:

http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

AntiPuper:

http://secured2k.home.comcast.net/tools/AntiPuper.exe

Fixwareout:

http://downloads.subratam.org/Fixwareout.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Hidden Files:

Rootkit Detective:

http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip

Rootkit Revealer:

http://download.sysinternals.com/Files/RootkitRevealer.zip

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Delete stubborn files:

KillBox:

http://killbox.net/downloads/KillBox.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Delete stubborn processes:

Process Explorer:

http://download.sysinternals.com/Files/ProcessExplorer.zip

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Delete temporary files, folders and cookies:

CCleaner:

http://download.piriform.com/ccsetup202.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Useful Weblink:

http://spyware-malware-removal.blogspot.com/2006/06/spyware-and-malware-removal-method-2.html

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Virus removal Win Vista

Please perform the steps in the given order:

For any virus removal chat/call, please restart the computer in Safe Mode with Networking and delete all third-party software, then proceed with the removal steps. Below is the detailed information:

Start the computer in Safe Mode:

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select "Safe Mode with Networking" and press Enter.

4. The computer will now start in Safe Mode with Networking.

Once the computer starts in Safe Mode, please search for and delete all third-party security software:

1. Click Start, and then click Control Panel.

2. Click Programs and Features.

3. Search for any third-party security software such as Norton, Windows Defender, Ad-aware, SpyBot, any registry cleaner software, etc.

4. Select a program from the list and click "Uninstall" or "Change".

5. Close all opened Windows.

NOTE: Please do not restart the computer if prompted.

Removal Steps:

STEP 1: Temp folder

Click Start->Search

Type %temp% and click OK

Delete all files and folders.

---------

Click Start->Search

Type temp and click OK

Delete all files and folders.

NOTE: Temp is the system temporary folder, %temp% is the user temporary folder. Both folders need to be emptied.

***************************************************************************************************************

STEP 2: Application shortcuts

Click Start->Search

Type prefetch and click OK

Delete all files and folders.

***************************************************************************************************************

STEP 3: Personal files/folders shortcuts

Click Start->Search

Type recent and click OK

Delete all files and folders.

***************************************************************************************************************

STEP 4: Delete cookies and temporary internet files

1. Open Internet Explorer

2. Click on Tools.

3. Click on Internet Options.

4. Click on the General tab. Under Browsing History section, click on 'Delete'

5. On the next screen, click on 'Delete All'

6. Click Yes on the next screen.

7. Click OK to close the Internet Options properties Window.

***************************************************************************************************************

STEP 5: Delete unnecessary files

1. Click Start -> Search

2. Type cleanmgr

3. Press the Enter key.

4. Select "Files from all users on this computer"

5. Click on the "Continue" button.

6. Select the C: drive.

7. Put a check beside all options except "Setup Log Files".

8. Click OK.

9. On the next pop-up box, click "Delete Files".

***************************************************************************************************************

STEP 6: Add/Remove Programs:

1. Click Start, and then click Control Panel.

2. Click Programs and Features.

3. Search for any virus/spyware programs and click "Uninstall" or "Change".

4. Close all opened Windows.

NOTE: 1. Please do not restart the computer if prompted.

2. Confirm with customers before deleting any programs, if you are unsure.

***************************************************************************************************************

STEP 7: Program Files:

Click Start->Search

Type %programfiles% and click OK.

Select the Virus folder and delete it.

e.g: MyWebSearch, ViewPoint, Video Add-On, Video Access

***************************************************************************************************************

STEP 8: Task Manager:

Click Start->Search

Type taskmgr and click OK.

The Task Manager Window will open.

You can end any process here after checking which program it belongs to in the System Information tool (see Step 9).

***************************************************************************************************************

STEP 9: System Information Tool / MsInfo32:

Click Start->Search

Type msinfo32 and click OK.

The System Information Window will open.

Click on Software Environment.

Then check Running Tasks and Startup Programs

***************************************************************************************************************

STEP 10: Delete Programs in Users folder:

1. Click Start, and then click Control Panel.

2. In the left pane of the Control Panel window, click on "Classic View".

3. In the right pane, double click on "Folder Options".

4. On the View tab, under Hidden files and folders, click Show hidden files and folders.

5. Click the OK button.

After this, please perform the following steps:

1. Click on Start --> Computer.

2. Double click on C: drive.

3. Double click on Documents and Settings.

4. Here you will find all the User folders. Please select one folder and double click on it.

5. Double click on Application Data.

6. Select and delete any virus/spyware folders.

7. Repeat the above steps for all User folders listed in Documents and Settings.

After this, please perform the following steps:

1. Click Start -> Search

2. Type programdata

3. Press the Enter key.

4. Select and delete any virus/spyware files/folders

5. Close all opened Windows.

***************************************************************************************************************

STEP 11: MsConfig Utility:

Click Start->Search

Type msconfig and click OK.

The System Configuration Utility Window will open.

Click on the Startup tab.

Here we can disable programs or services that we do not want to run.

***************************************************************************************************************

STEP 12: System Folder:

C:\Windows\System32

Here we have to search for the virus entries and delete them. Most of the virus entries found here will give you an "access denied" message when you try to delete them, because the process or DLL associated with the file is still running in the background.

So stop the process in Task Manager and then try to delete the infected file, or restart the computer in Safe Mode and delete the file there.

***************************************************************************************************************

STEP 13: Remove infected registry entries:

1. Click Start --> Run

2. Type regedit and click OK.

The Registry Editor window will open.

3. Click the + sign beside HKEY_LOCAL_MACHINE

4. Click the + sign beside Software

5. Scroll down here and check for the virus folders.

6. Delete them if you detect.

7. Click the + sign beside Microsoft

8. Click the + sign beside Windows

9. Click the + sign beside CurrentVersion

10. Click the + sign beside Run

Here check for any virus entries in right pane and delete them.

Repeat the same for RunOnce and RunServices keys.

Repeat the above steps for HKEY_CURRENT_USER
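Walking the Run keys by hand in regedit (Step 13) and the Startup list (Steps 9 and 11) is easy to get wrong, so here is an added PowerShell example, not part of the original post, that lists every value under the HKLM and HKCU Run, RunOnce and RunServices keys, resolves each to its executable, and flags entries that are missing, unsigned, or starting from a temp or profile folder. The script assumes Windows PowerShell 2.0 or later is installed; the suspect-folder heuristic and the function names are my own.

```powershell
# Added example, not part of the original post: list the autorun values that
# Step 13 inspects by hand in regedit and flag the ones that deserve a closer look.
# Assumes Windows PowerShell 2.0 or later; the suspect-folder heuristic is my own.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
# A legitimate autorun rarely starts from a temp or per-user profile folder.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp")
function Get-AutorunExe {
    # Pull the executable out of a Run value: "C:\a b\x.exe" /arg  or  C:\a\x.exe /arg
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {   # bare name such as rundll32.exe: resolve via PATH
        $found = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Definition }
    }
    return $exe
}
function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }          # e.g. RunServices does not exist on NT-based Windows
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $exe   = Get-AutorunExe ([string]$regKey.GetValue($name))
            $flags = @()
            if ([string]::IsNullOrEmpty($exe)) {
                $flags += 'EMPTY'
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                $flags += 'MISSING'                       # points at a file that no longer exists
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "UNSIGNED($($sig.Status))" }
                foreach ($d in $suspectDirs) {
                    if ($d -and $exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'SUSPECT-DIR'; break }
                }
            }
            New-Object PSObject -Property @{ Key = $key; Name = $name; Path = $exe; Flags = ($flags -join ',') }
        }
    }
}
# Review the report first; removing a value stays a manual decision, as in Step 13.
Get-AutorunReport | Format-Table Key, Name, Path, Flags -AutoSize -Wrap
```

A flag only marks an entry for review: many legitimate third-party programs are unsigned, so confirm the program with the customer before deleting anything, as Step 6 already notes.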

***************************************************************************************************************

STEP 14: Run Spybot:

Restart the computer in Normal Mode and download Spybot from this weblink & save it on the computer's Desktop:

http://www.spybotupdates.com/files/spybotsd15.exe

1. Install the tool on the customer's computer by double clicking on the saved icon.

2. Uncheck all options except "Check for Updates quickly".

3. Run the tool.

4. After the scan is completed, click on "Fix Selected Items" at the top of the tool window.

5. Close Spybot Window.

***************************************************************************************************************

STEP 15: Check McAfee Security Center:

1. Open McAfee Security Center, click on "Computers and Files" and then click on "Configure" in the right pane.

2. Click on "Trusted Lists" in left pane.

3. Check all the System Guards one by one and see if any virus file is located there.

4. If detected, click on it and then click on "Remove" button at the right bottom of Security Center Window.

5. After removing all virus file instances, click on "Updates" in Security Center Window.

***************************************************************************************************************

After completing all the above steps, perform Windows Update:

1. Open Internet Explorer

2. Type the following in the address bar and press the Enter key:

http://windowsupdate.microsoft.com

This should start the automatic updates of Windows.

3. Restart the computer and check if the issue is resolved.

***************************************************************************************************************

Ask the customer to follow this website to prevent his computer from future infections:

http://www.microsoft.com/protect/computer/advanced/default.mspx
