Using the Trend Micro Anti-Threat Toolkit to analyze malware issues and clean infections - For Home and Home Office users

Learn how to use the Trend Micro Anti-Threat Toolkit (ATTK) to perform system forensic scans and clean the following infections:
  • General malware infection
  • Master boot record infection
  • CIDOX/RODNIX infection
  • Rootkit infection
  • Zbot infection
  • Cryptolocker infection

 

Collect suspicious files and system information

To collect suspicious files and system information, do the following:
  1. Download the Anti-Threat Toolkit by clicking your operating system version below:
  2. Read the Trend Micro License Agreement. Once you click I Accept, the download will start.
  3. Choose the preferred directory where the tool will be stored, then click Save.
  4. Log on to the computer that is possibly infected by malware. Copy the Anti-Threat Toolkit to the infected computer.
  5. After copying the Anti-Threat Toolkit, right-click the tool, then click Run as administrator.
  6. Click Yes when the User Account Control window appears.
    A Command Prompt window will appear to show the system forensic analysis progress.

    A browser window will appear after the analysis finishes.
  7. Click Proceed to send the information the tool collected to Trend Micro Technical Support. You will receive a temporary ID number that you can use when you contact Trend Micro Technical Support.

    The Trend Micro Anti-Threat Toolkit folder will appear in the same folder where you ran the tool.
  8. Go to Trend Micro Anti-Threat Toolkit folder > Output.
    You will find a .ZIP file with the filename containing the timestamp and GUID.
  9. Do either of the following:
    • If you have an existing case, send a copy of the .ZIP file together with the temporary ID number to the engineer who is handling your case.
    • If you do not have an existing case, send the .ZIP file to our Technical Support for analysis.

 

Clean infected computers

To clean infected computers, do the following:
  1. Download the Anti-Threat Toolkit:
    For computers with internet connection
    For computers without internet connection
  2. Read the Trend Micro License Agreement, then click I Accept to agree with the EULA and download the tool.
  3. Click Save when the File Download window appears.
  4. Select Desktop as the download location, then click Save.
  5. Log on to the computer that is infected by malware. Copy the Anti-Threat Toolkit to the infected computer.
  6. After copying the Anti-Threat Toolkit, right-click the tool and then click Run as administrator.
  7. Click Yes when the User Account Control window appears.
  8. Click Scan Now when the Trend Micro Anti-Threat Toolkit window appears.

    The scan may take some time. The tool will scan your computer and list the threats it finds.
  9. The tool will show a summary of the scan. Click Fix Now to clean your computer.
  10. Click Close to close the Anti-Threat Toolkit after your computer has been cleaned.
  11. Click Proceed to send the information the tool collected to Trend Micro Technical Support.

    You will receive a temporary ID number that you can use when you contact Trend Micro Technical Support, and a Trend Micro Anti-Threat Toolkit folder will appear in the same folder where you ran the tool.
  12. Go to Trend Micro Anti-Threat Toolkit folder > Output.
    You will find a .ZIP file with the filename containing the timestamp and GUID.
  13. Do either of the following if you still need help after you cleaned your computer:
    • If you have an existing case, send the .ZIP file together with the temporary ID number to the engineer who is handling your case.
    • If you do not have an existing case, send the .ZIP file to our Technical Support for analysis.

 

Clean MBR, CIDOX/RODNIX or rootkit infection using ATTK with Clean Boot

To use the Trend Micro Anti-Threat Toolkit (ATTK) with Clean Boot, follow the steps below:
  1. Download the Anti-Threat Toolkit by clicking your operating system type below:
  2. Read the License Agreement, then click I Agree.
  3. A download will start. Run the downloaded tool.
  4. Once the tool is open, click Scan Now to check the computer for threats.
  5. After the scan, detected threats should be displayed. Click Fix Now to begin the clean-up process.

    Some threats require a special tool such as Clean Boot. If you get this option, click Clean Boot to continue.
    1. Click OK to confirm the installation of Clean Boot.
    2. Click OK to restart the computer.
    3. After the restart, the computer will start with Clean Boot. In the boot manager, select Trend Micro Clean Boot and press ENTER.

      The Startup and initialization screen appears next.

      Once the tool has been successfully initialized, the Quick scan will start automatically.
    4. After the scan, the computer needs to be restarted. On the boot menu, select your operating system, then press ENTER.
    5. After loading the operating system, ATTK will automatically run and display the results of the scan.

 

Clean ZBot or Cryptolocker infection using ATTK

To clean ZBot/Cryptolocker infection, do the following:
  1. Click any of the links below to download the tool:
  2. Read the Trend Micro License Agreement, then click I Accept to agree with the EULA and download the tool.
  3. Click Save when the File Download window appears.
  4. Select Desktop as the download location, then click Save.
  5. Once the download completes, right-click the tool, then click Run as administrator.
  6. Click Yes when the User Account Control window appears.
  7. Click Scan Now when the Trend Micro Anti-Threat Toolkit window appears.

    The scan may take some time. The tool will scan your computer and list the threats it finds.
  8. The tool will show a summary of the scan. Click Fix Now to clean your computer.
  9. Click Close to close the Anti-Threat Toolkit after your computer has been cleaned.

 

Collect ransomware samples and system information

To collect ransomware samples, do the following:
  1. Download the Anti-Threat Toolkit by clicking your operating system version below:
  2. Read the Trend Micro License Agreement. Once you click I Accept, the download will start.
  3. Choose the preferred directory where the tool will be stored, then click Save.
  4. Log on to the computer that is infected by ransomware. Copy the Anti-Threat Toolkit to the infected computer.
  5. After copying the Anti-Threat Toolkit, right-click the tool, then click Run as administrator.
  6. Click Yes when the User Account Control window appears.
    A Command Prompt window will appear to show the system forensic analysis progress.

    A browser window will appear after the analysis finishes.
  7. Click Proceed to send the information the tool collected to Trend Micro Technical Support. You will receive a temporary ID number that you can use when you contact Trend Micro Technical Support.

    The Trend Micro Anti-Threat Toolkit folder will appear in the same folder where you ran the tool.
  8. Go to Trend Micro Anti-Threat Toolkit folder > Output.
    You will find a .ZIP file with the filename containing the timestamp and GUID.
  9. Do either of the following:
    • If you have an existing case, send a copy of the .ZIP file together with the temporary ID number to the engineer who is handling your case.
    • If you do not have an existing case, send the .ZIP file to our Technical Support for analysis.
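
The Output steps in the collection and cleaning procedures above produce a .ZIP file that holds suspicious files and system information. The following PowerShell script is an added example, not part of the original Trend Micro article or the toolkit: it records the archive's SHA-256 and lists its entries without extracting them, so you know what is being sent. The -ToolDir parameter and its Desktop default are assumptions; point it at the folder you ran the tool from.

```powershell
# Added example (not Trend Micro code): hash and inventory the ATTK output
# archive before it is sent to support.
# Assumption: -ToolDir is the folder the toolkit was run from.
param(
    [string]$ToolDir = (Join-Path $env:USERPROFILE 'Desktop')
)

# Folder names as given in the article: Trend Micro Anti-Threat Toolkit > Output
$outputDir = Join-Path $ToolDir 'Trend Micro Anti-Threat Toolkit\Output'
if (-not (Test-Path -LiteralPath $outputDir -PathType Container)) {
    throw "Output folder not found: $outputDir"
}

# Pick the newest .ZIP in case earlier runs left older archives in Output.
$zip = Get-ChildItem -LiteralPath $outputDir -Filter '*.zip' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $zip) { throw "No .ZIP file found in $outputDir" }

# SHA-256 of the archive exactly as it sits on disk.
$hash = Get-FileHash -LiteralPath $zip.FullName -Algorithm SHA256

# Read the entry list only; nothing inside the archive is extracted or run.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::OpenRead($zip.FullName)
try {
    $entries = @($archive.Entries | Select-Object FullName, Length)
} finally {
    $archive.Dispose()
}

# Summary to keep with the case notes.
[pscustomobject]@{
    Archive    = $zip.FullName
    SizeBytes  = $zip.Length
    SHA256     = $hash.Hash
    EntryCount = $entries.Count
} | Format-List

# Largest entries first, to review what leaves the machine.
$entries | Sort-Object Length -Descending | Format-Table -AutoSize
```

Keep the SHA256 value with the temporary ID number so the archive the engineer receives can be matched to the one collected on the computer.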


Applies To: Antivirus+ Security - 2015; Antivirus+ Security - 2016; Antivirus+ Security - 2017; Internet Security - 2015; Internet Security - 2016; Internet Security - 2017; Maximum Security - 2015; Maximum Security - 2016; Maximum Security - 2017; Premium Security - 2015; Premium Security - 2016; Premium Security - 2017; Titanium AntiVirus + - All; Titanium Internet Security - All; Titanium Maximum Security - All; Titanium Premium Security - All

Last Updated: Jan. 13, 2017 5:51 AM (PST)
Solution ID: 1059509