Hi,
Download KillBox , extract it to your desktop.
Download CCleaner and install it. Do not run it now!
Download PuritySCAN Uninstaller .
Download and install Ewido Security Suite v3.5 . After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update.
Exit Ewido when done - DO NOT perform a scan yet.
Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Run PuritySCAN Uninstaller and remove the PuritySCNAN if found.
Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.
Uninstall this Software from Add/Remove Programs in Control Panel:-
True Sword (This is a dubious software!)
Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {69B73011-D7D7-F901-845F-AE7F671BD59B} - C:\WINDOWS\System32\vslcls.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {69B73011-D7D7-F901-845F-AE7F671BD59B} - C:\WINDOWS\System32\vslcls.dll
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\mstool.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\paqcok.exe reg_run
O4 - HKCU\..\Run: [Summdt] C:\WINDOWS\System32\ejgbyp.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt ndrv
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Exit from HijackThis.
Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
Next, delete this folder, if found:-
C:\True Sword
Open KillBox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.
C:\WINDOWS\System32\ejgbyp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\System32\mstool.exe
C:\WINDOWS\System32\paqcok.exe
C:\Program Files\apsi\wtta.exe
Then in Killbox click File > Paste from Clipboard.
At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.
Then click theRed X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.
Reboot to Normal Mode. Now, scan the below mentioned file at www.virustotal.com and if its found to be infected, delete it:-
C:\WINDOWS\System32\outpstd.exe
After this, perform an online virus scan at Kaspersky Online Scanner . Save the log it gives after the scan.
Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
