Fixes for Specific Infections


Posted by dlh6213 (Team Colleague, Posting Maven) -- Join Date: Jul 2004; Posts: 2,964; Solved Threads: 209

Fixes for Specific Infections

 
#1 (Jul 15th, 2005)
If you’ve followed the suggestions in the Protection and Cleaning threads, and are still having problems, you most likely have an infection that will take some specialized tools and/or processes to remove.

Before requesting assistance, it would be helpful for you to read How To Ask Questions The Smart Way --
http://www.catb.org/~esr/faqs/smart-questions.html

The primary tool you will need to begin removing infections is HijackThis --

HijackThis (aka HJT)

{WARNING -- We ask that all members who use the advice given here to be prudent before deleting any files by backing up their data. There may be occasion when, unfortunately, the wrong advice is inadvertently given. Hijackthis is a very powerful tool and must be used with wisdom. If there is anything you are uncertain about, search Google for information while waiting for a response from our members here. Assistance is offered in good faith and should be received in good faith. It's a wise person who makes sure their data is backed up safely before diving deep into the heart of their Operating System, and that's exactly what HijackThis does. Remember we're all here to help and not everybody is an expert. And even the experts don't necessarily get it all right all the time. A little wrong move, a bit of bad luck, and your system might stop working altogether! It doesn't happen often but it's YOUR job to be ready in case it does.}*

You can get a self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Here is a link to a tutorial to help you learn to use HijackThis yourself as you follow the given instructions:
http://www.bleepingcomputer.com/foru...howtutorial=42

For help with booting into Safe Mode, when necessary, see http://www.pchell.com/support/safemode.shtml

Part I – How to use HijackThis, the basics

After you download HijackThis, close any open browser windows, double-click on the hijackthis.exe icon that is on your desktop, and then click the Do a system scan and save a log file button. Note: you should not scan with HJT while in Safe Mode unless instructed to do so.

HJT will scan your system (rather quickly), and a new window will pop up giving you the option of where you would like the log to be saved; save it in a location that will be easy for you to locate. As soon as you do this, the HJT log will be presented in Notepad, similar to this example of an actual scan:

Logfile of HijackThis v1.99.0
Scan saved at 6:31:44 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Utilities\PestPatrol\PPMemCheck.exe
E:\Utilities\PestPatrol\PPControl.exe
E:\Utilities\PestPatrol\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
E:\Utilities\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] E:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.co...x/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Utilities\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Utilities\Ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Before you post your first HijackThis log, you should review it to assure common mistakes are avoided, thereby expediting the solution to your particular problem.

The first thing to do is make sure you are running the latest version of HijackThis. To see what the current version is, look through some of the recent threads and see what the highest level is. In the example above, the version of HJT running is out of date (Logfile of HijackThis v1.99.0); as of this writing, HJT is at version 1.99.1.

The next thing to check is where HijackThis is running from. HJT needs to be in its own permanent folder so that it can safely save the backups it will create. If it’s in any temporary folder, that’s a definite no-no. Nor should it be running directly from your hard drive or desktop. Proper and improper examples are shown below. Note that in the example above, HJT is running from the E drive (E:\Utilities\hijackthis\HijackThis.exe) even though many of the processes are running on the C drive. HijackThis does not need to be installed on the same drive/partition as the operating system; the important thing is that it be in its own folder.

If you see an entry such as C:\Program Files\Internet Explorer\iexplore.exe, or C:\Program Files\Mozilla Firefox\firefox.exe, this means you had a browser window open; be sure to close any open browser windows when scanning with HJT.

Finally, be sure to post the entire log, including the header information, consisting of:
The version of HijackThis you are using
Time and date of the scan
Your operating system and current update level
Your Internet Explorer version and update level

Here are some typical log entries which users frequently have trouble with; both good and bad versions are shown to illustrate the difference:

Logfile of HijackThis v1.99.0 <-- Bad, older version of HJT
Logfile of HijackThis v1.99.1 <-- Good, current version of HJT (always check first)

C:\Program Files\Internet Explorer\iexplore.exe <-- Bad, indicates browser was open while scanning (IE)
C:\Program Files\Mozilla Firefox\firefox.exe <-- Bad, indicates browser was open while scanning (FF)
(There are no good versions of this entry because there should be no browser windows open)

C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe <-- Bad, HJT in Temp folder
C:\HIJACKTHIS.EXE <-- Bad, HJT running directly from hard drive
C:\Documents and Settings\User\Desktop\HijackThis.exe <-- Bad, HJT running directly from desktop
C:\Documents and Settings\me\My Documents\HijackThis.exe <-- Bad, HJT not in its own folder
C:\Documents and Settings\User\Desktop\HJT\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\Program Files\hijackthis\HijackThis.exe <-- Good, HJT in its own permanent folder
E:\Utilities\HijackThis\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\HJT\HIJACKTHIS.EXE <-- Good, HJT in its own permanent folder

Now, check the log you save against the above entries and make sure you:

Have the latest version of HijackThis
Scanned with all browser windows closed
Have HijackThis in its own permanent folder

If everything is as it should be, please continue on to the next part. If not, make the necessary corrections and save a new log before you continue.

Part II – How to use HijackThis, basic cleaning

There are a few things you can clean up yourself with HijackThis. This way, when you post your log it will be easier and faster for whoever reviews it to complete the analysis.

When you are ready to fix some things with HijackThis, open it, but this time, instead of hitting the Do a system scan and save a log file button, hit the Do a system scan only button. The window that comes up will look similar to the saved log version, but without the header information and there will be boxes to the left of each entry. To have HJT fix an entry, simply click on the box next to it; this will place a checkmark in the box. When you have all the entries selected, click on the Fix checked button at the bottom. Now, entries you can have HJT fix…

If you have any R0 or R1 entries that have searchmiracle or searchassistant, have HJT fix them; here are some examples:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:// searchmiracle .com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796

If you see an entry identical to this, have HJT fix it:
R3 - Default URLSearchHook is missing

If you see any O1 entries, and they are not there for a specific reason that you know about, you can safely remove them.

If an entry has both (no name) near the beginning, and (no file) at the end, you can have HJT fix it:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
If the entry does not contain both of these, please do not fix it unless instructed to do so.

O15 entries -- if there are any of these showing in your log that you did not put in your browser's Trusted Zone yourself, have HJT fix them.

All O16 entries can be safely fixed, as any legitimate ones will return when the website is revisited. Removing these can sometimes cut the length of a HijackThis log in half.

Be sure to close any open windows, other than HijackThis, before hitting the Fix checked button.

Part III – How to use HijackThis, program removal

There are some intrusive programs that you can remove with the assistance of HijackThis; if you have any questions, please ask for assistance before continuing.

To do this, go to Add/Remove Programs in your Control Panel and look for the name as shown in the HJT entry. Then remove it with Add/Remove Programs, have HJT fix the entry, and then go to the location and delete the program’s folder.

Example – HijackThis shows this entry in the log:
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

Go to Add/Remove Programs and look for WildTangent; if you locate it, remove it; then have HJT fix the O4 entry and, finally, go to C:\Program Files and delete the WildTangent folder.

Below is a list of common programs that should be removed, as they may look in your HJT log. Even if the entry doesn’t look exactly the same, as long as it has Program Files\BadFileName, you can follow the removal instructions. The folder to be deleted is highlighted; the program name in Add/Remove Programs should be very similar. If you don’t find it in Add/Remove Programs, go ahead and have HJT fix the entry, and then delete the folder.

O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll

O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe

Remember to close any open windows, other than HijackThis, before hitting the Fix checked button.

Now that you’ve cleaned up everything that you can on your own, it’s time to empty your Recycle Bin and reboot.

At this point, if you’re still having problems, you will need assistance that is more specific. Look through the list below for anything that resembles the problem you are still having. If you see anything, go to the post that has the removal instructions for that particular infection. If you don’t see anything, go ahead and post a HijackThis log now in the Virus forum along with a description of your problem.

Infections

ABetterInternet (Fix coming soon, please post an HJT log now)

ABI (Fix coming soon, please post an HJT log now)

About:blank (Post #6)

Adware.ClickDLoader (Fix coming soon, please post an HJT log now)

AntivirusGold (Post #8)

Aurora (Post #5)

Bridge.dll (Post #3)

Browser Enhancer (Post #7)

Cassandra (Post #4)

Collected.5.L Trojan (Post #12)

CoolWebSearch (Post #6)

CoolWwwSearch (Post #6)

CWS (Post #6)

Desktophijack (Post #4)

Dsr/Dinst (Post #9)

Ebates (Fix coming soon, please post an HJT log now)

Error Message 317 (Post #4)

HomeSearchAssistant (Post #6)

HotOffers (Post #4)

Joke.Smitfraudoid (Post #4)

LOP (Post #7)

Martfinder (Fix coming soon, please post an HJT log now)

MediaAccess (Fix coming soon, please post an HJT log now)

MyWay / MyWaySearchAssistant / MyWaySA (Post #15)

Nail (Post #5)

Newdotnet (Post #11)

New.net (Post #11)

Newgenlook (Post #4)

Stop PurityScan Ads (Post #13)

Search Extender (Post #6)

Searchmiracle (Post #4)

Shopping Assistant (Post #6)

Shopping Wizard (Post #6)

Smitfraud (Post #8, and possibly #4)

Specialgoods (Post #4)

SpySherrif (Posts #4 & #8)

Infections in the System Volume Information\_restore folder (Post #2)

Ultimate Browser Enhancer (Post #7)

Vundo/Virtumonde. (Post #16)

White-Pages.ws (Post #6)

Win-eto/SwapX (Post #10)

Window Search (Post #7)

Window Searching (Post #7)

WindUpdates (Fix coming soon, please post an HJT log now)

YouFindAll (Post #6)

YupSearch (Post #14)


*'Warning' obtained from this thread by Crunchie -- http://www.daniweb.com/techtalkforums/thread12033.html
Last edited by crunchie; Nov 18th, 2005 at 5:12 pm. Reason: Addition.
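The three review steps in Part I (current version, no browser open, HJT in its own permanent folder) and the "safe to fix" rules in Parts II and III are mechanical enough to check with a script before posting. The following Python log checker is an added example written for this page; it is not a tool from the thread or from the HijackThis project. It assumes the version number the post calls current (1.99.1), the Part I location rules exactly as the post states them, and the Part III folder list; the sample log at the bottom is constructed from entries quoted in post #1, not taken from a real machine.

```python
import re

# Version post #1 names as current at the time of writing; frozen here as an assumption.
CURRENT_HJT_VERSION = "1.99.1"
# Browsers post #1 says must be closed before scanning.
BROWSER_EXES = ("iexplore.exe", "firefox.exe")
# Folder names from the Part III removal list, lower-cased.
ADWARE_FOLDERS = ("180searchassistant", "ebates_moemoneymaker", "gator.com", "media gateway",
                  "partypoker", "surfsidekick 3", "viewpoint", "wildtangent", "windows taskad")

def _version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def check_header(lines):
    """Part I: the log must begin with the version line, and the version must be current."""
    for line in lines:
        m = re.match(r"Logfile of HijackThis v(\d+(?:\.\d+)*)", line)
        if m:
            if _version_tuple(m.group(1)) < _version_tuple(CURRENT_HJT_VERSION):
                return [f"old HijackThis version {m.group(1)}; current is {CURRENT_HJT_VERSION}"]
            return []
    return ["header missing: post the whole log, starting with the 'Logfile of HijackThis' line"]

def hjt_location_problem(path):
    """Part I: HJT must run from its own permanent folder; return the problem, or None if fine."""
    low = path.lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if re.fullmatch(r"[a-z]:", parent):
        return "running directly from the drive root"
    if parent.endswith("\\temp"):
        return "running from a Temp folder"
    if parent.endswith("\\desktop"):
        return "running directly from the desktop"
    if parent.endswith("\\my documents"):
        return "not in its own folder"
    return None

def check_processes(lines):
    """Part I: look through 'Running processes' for open browsers and a badly placed HJT."""
    findings, in_block = [], False
    for line in lines:
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if not in_block:
            continue
        path = line.strip()
        if not path:          # the blank line after the process list ends the block
            break
        base = path.lower().rsplit("\\", 1)[-1]
        if base in BROWSER_EXES:
            findings.append(f"browser was open while scanning: {path}")
        elif base == "hijackthis.exe" and (problem := hjt_location_problem(path)):
            findings.append(f"HijackThis {problem}: {path}")
    return findings

def auto_fixable(entry):
    """Parts II/III: the reason post #1 gives for letting HJT fix this entry, or None."""
    e = entry.strip()
    low = e.lower()
    prefix = e.split(" - ", 1)[0]
    if prefix in ("R0", "R1") and ("searchmiracle" in low or "searchassistant" in low):
        return "R0/R1 entry for searchmiracle/searchassistant"
    if e == "R3 - Default URLSearchHook is missing":
        return "default URLSearchHook missing"
    if prefix == "O1":
        return "O1 hosts-file entry (unless you put it there yourself)"
    if prefix == "O3" and "(no name)" in low and low.endswith("(no file)"):
        return "O3 toolbar with both (no name) and (no file)"
    if prefix == "O15":
        return "O15 Trusted Zone entry (unless you put it there yourself)"
    if prefix == "O16":
        return "O16 DPF object; legitimate ones return when the site is revisited"
    for folder in ADWARE_FOLDERS:
        if "program files\\" + folder in low:
            return f"program on the removal list in Program Files\\{folder} (Add/Remove Programs first)"
    return None

def review_log(text):
    """Run all three checks over a whole log; findings come back grouped by check."""
    lines = text.splitlines()
    return {"header": check_header(lines),
            "processes": check_processes(lines),
            "fixable": [(l, auto_fixable(l)) for l in lines if auto_fixable(l)]}

# Constructed sample log, assembled from entries quoted in post #1 (not a real machine's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
"""
```

Calling review_log(SAMPLE_LOG) reports the old version, the open Firefox window and HJT running from a Temp folder, and lists the R1, R3, O3, O4 and O16 lines with the post's reason for each. Everything else (the O2 Acrobat helper, the &Radio toolbar, the ordinary O4 entries) comes back unflagged, which is the point: the script only automates what the post already says is safe, and leaves every other entry for the people reviewing the log.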

Remove infected items from your _Restore folder

 
#2 (Jul 15th, 2005)
The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic scheduled backups ("restore points") of critical Windows components, including the registry. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. The backup files for these restore points are kept in the C:\System Volume Information\_restore folder, which is a hidden system folder.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot," the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder, most anti-virus and anti-spyware programs don't have permission to delete the infected files stored there. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows will automatically delete the contents of the _restore folder.

Note that because disabling System Restore deletes all data in the restore folder, you'll want to re-enable System Restore once you're sure that your system is clean.


The Fix

For Windows XP:

Disable System Restore


1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.

5. Run another full scan with your anti-virus/anti-spyware programs to verify that the infected files have been deleted.


Once your system is clean: reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.


For Windows ME:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. On the Performance tab, click File System.

3. Click "OK" twice, and then click "Yes" when you are prompted to restart the computer.

4. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the "Disable System Restore" check box.

(Link to original post -- http://www.daniweb.com/techtalkforums/thread13362.html)

Fix for Bridge.dll

 
#3 (Jul 15th, 2005)
Scan with HiJackThis and look for a line similar to this:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load

Place a check in the box to the left, click Fix checked, and see if that resolves the issue.

If the entry is also in an O2 line of the HijackThis log, you may need to go to C:\WINDOWS\system32 and delete the file manually as well. At the least, go there to see if it is still there.
___________________________________________________________

BEFORE POSTING A HiJackThis LOG, PLEASE REVIEW THE FOLLOWING LINK:

http://www.2-spyware.com/file-bridge-dll.html

Bridge.dll is related to WinFavorites, which apparently is spyware. The above link tells you exactly what to do to resolve the issue. If this doesn't fix your problem, THEN AND ONLY THEN should you ask for help. Also, you should only post an HJT log if asked for one.

HiJackThis is an excellent tool, but only in the hands of a user skilled enough to interpret the results. It is unfair just to post an HJT log and basically say, "fix it!". These posts don't contribute anything to the community we're trying to build here, and it indicates a lack of initiative on the part of the original poster, basically showing that the user isn't interested in learning anything, only having their problem fixed. That's not the type of user we want to foster here...

(Link to original post -- http://www.daniweb.com/techtalkforum...ll+before.html)

Fix for Desktop Hijackers

 
#4 (Jul 15th, 2005)
This fix may work for any of the following infestations:
Cassandra
Desktophijack
Error Message 317
HotOffers
Joke.Smitfraudoid
NEWGENLOOK
SmitFraud
Specialgoods
Searchmiracle


In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Download, install, update, and run CWShredder -- http://www.intermute.com/spysubtract..._download.html

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe


If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix any R0 or R1 entries similar to this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
(hotoffers may be substituted with specialgoods, newgenlook, or searchmiracle)

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

The infection should now be gone. If remnants of it still remain, please follow these instructions:

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Navigate to and delete the following subkeys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"

Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

Exit the Registry Editor.

If these steps fail to remove your infection, you can find links to other removal tools and instructions here:
http://www.techzonez.com/forums/showthread.php?t=15689

Now, close any open browser windows, scan with HijackThis, and post a log in the Virus forum please, to verify your system is clean.
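The post has you export the registry before deleting anything, and the export is also a convenient place to check, offline, which of the listed keys and values are actually present (and, after the cleanup, whether any survived). The following Python checker is an added example written for this page, not a tool from the thread: it parses the text of a regedit .reg export and matches it against the keys and values named above. Assumptions: only string (REG_SZ) values are decoded; the comparison is case-insensitive; and because the post writes "Current Version" with a space where regedit shows "CurrentVersion", both spellings are treated as the same key. The sample export at the bottom is constructed for the demonstration (PLACEHOLDER paths included), not taken from an infected machine.

```python
import re

# Keys post #4 says to delete, exactly as written there (joined across its line breaks).
SUSPECT_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Uninstall\Internet Connection Update and HomeP KB234087",
    r"HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System",
]

# Individual values post #4 says to delete: (key, value name, data).
SUSPECT_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsFY", r"C:\wp.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Explorer\SharedTaskScheduler",
     "{D56A1203-1452-EBA1-7294-EE3377770000}", "Interlinking Memory Support"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks",
     "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}", ""),
]

def _norm(key):
    # Case-insensitive; the post writes "Current Version" with a space where regedit
    # shows "CurrentVersion" (assumption: treat the two spellings as the same key).
    return key.lower().replace("current version", "currentversion")

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}}; keys and names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):      # [key] opens a section
            current = _norm(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)  # "name"=data or @=data
        if not m:
            continue                                             # hex/dword/continuation lines ignored
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):          # REG_SZ: unescape \" and \\
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name.lower()] = data
    return keys

def find_remnants(reg_text):
    """Return (keys, (key, value-name) pairs) from the post #4 list that the export still contains."""
    keys = parse_reg_export(reg_text)
    present_keys = [k for k in SUSPECT_KEYS if _norm(k) in keys]
    present_values = []
    for key, name, data in SUSPECT_VALUES:
        vals = keys.get(_norm(key), {})
        if name.lower() in vals and vals[name.lower()] == data:
            present_values.append((key, name))
    return present_keys, present_values

# Constructed .reg export fragment (not from a real machine): one listed CLSID key and the
# WindowsFY Run value are present; the SharedTaskScheduler key exists but holds only a stock entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}\InprocServer32]
@="C:\\PLACEHOLDER\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"WindowsFY"="C:\\wp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"""
```

find_remnants(SAMPLE_EXPORT) returns the first CLSID key and the WindowsFY value and nothing else: the SharedTaskScheduler key is matched despite the spelling difference, but its only value is not the one the post names, so it is not reported. Real exports are UTF-16 text; read them with that encoding before passing the text in, and run the same check on a fresh export after the cleanup to confirm that the list comes back empty.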

Aurora / Nail Fix

 
#5 (Jul 16th, 2005)
This fix should work for the Aurora / Nail infection.

You will need to disconnect from the internet, so you may wish to print these instructions.

If you don’t already have HijackThis, please download the self-extracting version of it from here (in line 2):
http://www.malwareremoval.com/downloads.html

Download Ewido Security Suite from here (XP users only):
http://fileforum.betanews.com/detail...e/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.p...50515010747824
Unzip it to your desktop, but do not run it yet.

Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido; during the scan it will prompt you to clean files, click OK. (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, double-click on the Hijackthis.exe icon that is on your desktop; scan with HijackThis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

A gibberish O4 entry that ends with the letter 'r', similar to this one:
O4 - HKLM\..\Run: [wuntkqh] c:\windows\system32\ssxzrmh.exe r

And
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close any open windows, other than HijackThis, and click on Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\the gibberish file in the O4 entry above

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe


If any of these files are located, but cannot be deleted, follow the Delete on reboot instructions:

Open HijackThis, and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file name into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Allow your computer to reboot normally.

Empty your Recycle Bin.

Close any open browser windows, scan with Hijackthis, and post the log along with the Ewido log in the Virus forum to verify your system is clean.
Last edited by dlh6213; Aug 29th, 2005 at 5:05 am. Reason: Fixed formatting error

Fix for about:blank, CoolWebSearch, and their variants

 
#6 (Jul 16th, 2005)
This post covers the removal of:

About:blank
CoolWebSearch
CoolWwwSearch
Home Search Assistant
Search Extender
Shopping Assistant
Shopping Wizard
White-Pages.ws
YouFindAll


You will need to disconnect from the internet, so you may wish to print these instructions.

Download, install, and update these utilities, and then close the programs (don't scan yet):

Ewido Security Suite (XP users only) -- http://fileforum.betanews.com/detail...e/1098736486/1
CWShredder -- http://www.intermute.com/spysubtract..._download.html
about:Buster -- http://www.besttechie.net/tools/AboutBuster.zip
HSRemove (XP users only) -- http://www.majorgeeks.com/download4286.html
Sp.html-Se.dll Hijack Fix (Windows 2000 & XP only) -- http://www.majorgeeks.com/Sp.html-Se...0XP_d4617.html
or
SpSeHjfix -- http://www.derbilk.de/SpSeHjfix112.zip (save it to the Desktop, and then right-click in a blank area of the Desktop, select New, Folder, and name it spfix; unzip the file into that folder.)

Disconnect from the net and reboot into Safe Mode.

Now run the utilities:

about:Buster

HSRemove

Sp.html-Se.dll Hijack Fix or SpSeHjfix (click on Start Disinfection. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Note: if it doesn't find any of the SE files or any hidden reinstallers, it will say System clean and not go on to next stage).

CWShredder

Ewido; during the scan it will prompt you to clean files, click OK (note: you will be posting the log from this scan later).

Scan with HijackThis and have it fix any entries similar to the following:

Any R0 or R1 entries that have an "sp.html" in them, like:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have about:blank in them:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

Any R0 or R1 entries that have SearchAssistant:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have "index.php" in them:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php

R3 - Default URLSearchHook is missing


Close any open windows, other than HijackThis, before hitting Fix checked.

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste home search assistant, and then click on Find Next.

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the 'Find' instructions for search extender, shopping wizard, and shopping assistant.

Close the Registry Editor.

Reboot normally, close any open browser windows, scan with HijackThis, and post the log in the Virus forum along with the Ewido log.
Last edited by dlh6213; Jan 14th, 2006 at 8:43 am. Reason: Updated AboutBuster link
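The triage in the post above is done by eye in HijackThis and in regedit's Find box. The following Python script is an added example (not dlh6213's or HijackThis's code) that applies the same two checks offline: it flags the R0/R1/R3 log lines the post says to fix, and it searches an exported .reg backup for the four strings the post has you hunt in regedit, so you can see what Find/Delete would touch before editing the live registry. The log lines and .reg text below are constructed samples in the formats shown in the post; the host in the index.php line is a placeholder, and the registry key paths are invented for the sample.

```python
import re
from typing import List, Optional, Tuple

# --- Part 1: HijackThis log triage ------------------------------------------
# Substrings the post tells the reader to look for in R0/R1 entries.
HIJACK_MARKERS = ("sp.html", "about:blank", "SearchAssistant", "index.php")
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")


def classify_line(line: str) -> Optional[str]:
    """Return why an HJT log line matches the post's patterns, or None."""
    line = line.strip()
    # The post's standalone R3 case: the default search hook is missing.
    if line.startswith("R3 - ") and "Default URLSearchHook is missing" in line:
        return "R3: default URLSearchHook missing"
    m = R_LINE.match(line)
    if not m:
        return None  # O-lines, header text, etc. are not in scope here
    for marker in HIJACK_MARKERS:
        if marker in line:
            return f"{m.group(1)}: contains {marker!r}"
    return None


def flag_hijack_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return [(line, reason)] for each log line the post says to fix."""
    flagged = []
    for raw in log_text.splitlines():
        reason = classify_line(raw)
        if reason:
            flagged.append((raw.strip(), reason))
    return flagged


# --- Part 2: searching the exported registry backup -------------------------
SEARCH_TERMS = ("home search assistant", "search extender",
                "shopping wizard", "shopping assistant")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def find_in_reg_export(reg_text: str, terms=SEARCH_TERMS) -> List[Tuple[str, str]]:
    """Scan a regedit .reg export and return (key, matching line) pairs.

    regedit's Find is case-insensitive and looks at key names, value names
    and data; this does the same over the exported text."""
    hits = []
    current_key = ""
    lowered = [t.lower() for t in terms]
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if any(t in line.lower() for t in lowered):
            hits.append((current_key, line))
    return hits


# Constructed sample HJT log: the post's own example entries plus two clean
# lines. The 81.222.131.49 host from the post is replaced by a placeholder.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpkrr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rpkrr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://198.51.100.7/index.php
R3 - Default URLSearchHook is missing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample .reg export; key paths are invented for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedExample\Home Search Assistant]
"DisplayName"="Home Search Assistant"
"Path"="C:\\WINDOWS\\hsa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedExample\Notepad]
"DisplayName"="Notepad"

[HKEY_CURRENT_USER\Software\ConstructedExample\Toolbar]
"Helper"="Shopping Wizard"
"""

if __name__ == "__main__":
    for line, why in flag_hijack_entries(SAMPLE_HJT_LOG):
        print(f"FIX  {why:38s} {line}")
    for key, line in find_in_reg_export(SAMPLE_REG_EXPORT):
        print(f"REG  {key}\n     {line}")
```

Run it as-is to see the five flagged log lines and the three registry hits; to use it on your own machine, paste your HijackThis log into SAMPLE_HJT_LOG and read the exported backup file into SAMPLE_REG_EXPORT. It only reports; the deleting is still done in HijackThis and regedit as the post describes.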

Fix for LOP Infections

  #7
Jul 17th, 2005
Uninstall Messenger Plus as it comes bundled with LOP. You can reinstall Messenger Plus without the sponsor.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer


You may be given a code to insert, do so and reboot when done.

If none of these are listed, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Reboot, close any open browser windows, scan with HJT, and post a log to verify your system is clean.

Fixes for AntivirusGold, Smitfraud, and SpySheriff

  #8
Jul 30th, 2005
You can find complete instructions for removing Smitfraud and SpySheriff here:
http://www.bleepingcomputer.com/foru...xe-t22402.html

And this will work for AntiVirusGold, Smitfraud, and SpySheriff:
http://forums.techguy.org/showthread...=376692&page=1
Join Date: Feb 2004
Posts: 9,919
Reputation: crunchie is a splendid one to behold
Solved Threads: 709
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Dsr / Dinst Removal

  #9
Aug 6th, 2005
Dsr/Dinst removal.

==

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.

==

Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download DSRFIX from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working Go Here)
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET
  • CLOSE INTERNET EXPLORER, if it is open
  • Open the folder dsrfix
    • Double click on the dsrfix batch file( the one with the little gear in it )
    • Once dsrfix has completed it will close on its own
  • Please restart HJT, put a checkmark next to the following items, and with all windows closed except for HJT, click “Fix Checked” and EXIT the program.

    Insert the 04 dsr and dinst entries here

  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program.
  • REBOOT your system.
  • Please restart HJT and post back a fresh HJT log for review.
Last edited by dlh6213; Aug 6th, 2005 at 4:51 pm. Reason: Revised title

Win-eto Fix

  #10
Aug 6th, 2005
Win-eto.

Download and install Ad-Aware SE.

Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

Once the update is finished close Adaware.

Reboot into safe mode following the instructions here.

Start Adaware and run a full scan. Remove all that is found, close Adaware and reboot normally.

If you still have problems with win-eto, post a HijackThis log.
Last edited by dlh6213; Aug 6th, 2005 at 4:34 pm. Reason: Revised title
©2003 - 2009 DaniWeb® LLC