If you’ve followed the suggestions in the Protection and Cleaning threads, and are still having problems, you most likely have an infection that will take some specialized tools and/or processes to remove.

Before requesting assistance, it would be helpful for you to read How To Ask Questions The Smart Way - http://www.catb.org/~esr/faqs/smart-questions.html

The primary tool you will need to begin removing infections is HijackThis --

HijackThis (aka HJT)

WARNING -- We ask that all members who use the advice given here to be prudent before deleting any files by backing up their data. There may be occasion when, unfortunately, the wrong advice is inadvertently given. HijackThis is a very powerful tool and must be used with wisdom. If there is anything you are uncertain about, search Google for information while waiting for a response from our members here. Assistance is offered in good faith and should be received in good faith. It's a wise person who makes sure their data is backed up safely before diving deep into the heart of their Operating System, and that's exactly what HijackThis does. Remember we're all here to help and not everybody is an expert. And even the experts don't necessarily get it all right all the time. A little wrong move, a bit of bad luck, and your system might stop working altogether! It doesn't happen often but it's YOUR job to be ready in case it does.*

You can get a self-extracting version of HijackThis from here (in line 2) http://www.malwareremoval.com/downloads.html
Here is a link to a tutorial to help you learn to use HijackThis yourself as you follow the given instructions: http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
For help with booting into Safe Mode, when necessary, see http://www.pchell.com/support/safemode.shtml

Part I – How to use HijackThis, the basics

After you download HijackThis, close any open browser windows, double-click on the hijackthis.exe icon that is on your desktop, and then click the Do a system scan and save a log file button. Note: you should not scan with HJT while in Safe Mode unless instructed to do so.

HJT will scan your system (rather quickly), and a new window will pop up giving you the option of where you would like the log to be saved; save it in a location that will be easy for you to locate. As soon as you do this, the HJT log will be presented in Notepad, similar to this example of an actual scan:

Logfile of HijackThis v1.99.0
Scan saved at 6:31:44 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Utilities\PestPatrol\PPMemCheck.exe
E:\Utilities\PestPatrol\PPControl.exe
E:\Utilities\PestPatrol\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
E:\Utilities\hijackthis\HijackThis.exe


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] E:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Utilities\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Utilities\Ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Before you post your first HijackThis log, you should review it to make sure the common mistakes below are avoided, thereby expediting the solution to your particular problem.

The first thing to do is make sure you are running the latest version of HijackThis. To see what the current version is, look through some of the recent threads and see what the highest version number is. In the example above, the version of HJT running is out of date (Logfile of HijackThis v1.99.0); as of this writing, HJT is at version 1.99.1.

The next thing to check is where HijackThis is running from. HJT needs to be in its own permanent folder so that it can safely save the backups it will create. If it's in any temporary folder, that's a definite no-no. Nor should it be running directly from the root of your hard drive or from your desktop. Proper and improper locations are shown in the examples further down. Note that in the example above, HJT is running from the E drive (E:\Utilities\hijackthis\HijackThis.exe) even though many of the processes are running on the C drive. HijackThis does not need to be installed on the same drive/partition as the operating system; the important thing is that it be in its own folder.

If you see an entry such as C:\Program Files\Internet Explorer\iexplore.exe, or C:\Program Files\Mozilla Firefox\firefox.exe, this means you had a browser window open; be sure to close any open browser windows when scanning with HJT.

Finally, be sure to post the entire log, including the header information, consisting of:
The version of HijackThis you are using
Time and date of the scan
Your operating system and current update level
Your Internet Explorer version and update level

Here are some typical log entries which users frequently have trouble with; both good and bad versions are shown to illustrate the difference:

Logfile of HijackThis v1.99.0                   <-- Bad, older version of HJT
Logfile of HijackThis v1.99.1                   <-- Good, current version of HJT (always check first)


C:\Program Files\Internet Explorer\iexplore.exe        <-- Bad, indicates browser was open while scanning (IE)
C:\Program Files\Mozilla Firefox\firefox.exe          <-- Bad, indicates browser was open while scanning (FF)
(There are no good versions of this entry because there should be no browser windows open)


C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe <-- Bad, HJT in Temp folder
C:\HIJACKTHIS.EXE <-- Bad, HJT running directly from hard drive
C:\Documents and Settings\User\Desktop\HijackThis.exe <-- Bad, HJT running directly from desktop
C:\Documents and Settings\me\My Documents\HijackThis.exe <-- Bad, HJT not in its own folder
C:\Documents and Settings\User\Desktop\HJT\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\Program Files\hijackthis\HijackThis.exe <-- Good, HJT in its own permanent folder
E:\Utilities\HijackThis\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\HJT\HIJACKTHIS.EXE <-- Good, HJT in its own permanent folder

Now, check the log you save against the above entries and make sure you:

Have the latest version of HijackThis
Scanned with all browser windows closed
Have HijackThis in its own permanent folder

If everything is as it should be, please continue on to the next part. If not, make the necessary corrections and save a new log before you continue.

Part II – How to use HijackThis, basic cleaning

There are a few things you can clean up yourself with HijackThis. This way, when you post your log it will be easier and faster for whoever reviews it to complete the analysis.

When you are ready to fix some things with HijackThis, open it, but this time, instead of hitting the Do a system scan and save a log file button, hit the Do a system scan only button. The window that comes up will look similar to the saved log version, but without the header information and there will be boxes to the left of each entry. To have HJT fix an entry, simply click on the box next to it; this will place a checkmark in the box. When you have all the entries selected, click on the Fix checked button at the bottom. Now, entries you can have HJT fix…

If you have any R0 or R1 entries that have searchmiracle or searchassistant, have HJT fix them; here are some examples:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:// searchmiracle .com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796

If you see an entry identical to this, have HJT fix it:

R3 - Default URLSearchHook is missing

If you see any O1 entries, and they are not there for a specific reason that you know about, you can safely remove them.

If an entry has both (no name) near the beginning, and (no file) at the end, you can have HJT fix it:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

If the entry does not contain both of these, please do not fix it unless instructed to do so.

O15 entries -- if there are any of these showing in your log that you did not put in your browser's Trusted Zone yourself, have HJT fix them.

All O16 entries can be safely fixed, as any legitimate ones will return when the website is revisited. Removing these can sometimes cut the length of a HijackThis log in half.

Be sure to close any open windows, other than HijackThis, before hitting the Fix checked button.
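The checks in Part I and the fix-it-yourself rules in Part II are mechanical enough to script. The following Python is an added example written for this page; it is not part of the original guide and not code from HijackThis. It reads a saved log, flags the three Part I mistakes (out-of-date version, a browser open during the scan, HJT not in its own permanent folder) and lists the Part II entries you may let HJT fix without asking. The EXPECTED_VERSION constant, the regular expressions and the sample log are my own constructions (the sample reuses paths and CLSIDs from the examples above). The location rule generalizes the good/bad examples above: HJT's parent folder must not be a drive root, the Desktop, My Documents or a Temp folder.

```python
"""Review a saved HijackThis (HJT) log before posting it (Parts I and II).
Added example, not part of the original guide or of HijackThis itself; the
EXPECTED_VERSION constant, the patterns and SAMPLE_LOG are constructed here."""
import re

EXPECTED_VERSION = "1.99.1"  # assumption: the release current when the guide was written
BROWSERS = {"iexplore.exe", "firefox.exe"}
VERSION_RE = re.compile(r"Logfile of HijackThis v([\d.]+)")
ENTRY_RE = re.compile(r"([A-Z]\d{1,2}) - (.*)")

# Constructed sample log; paths and CLSIDs echo the guide's own examples.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
"""

def parse_log(text):
    """Return (version, running processes, [(section, body), ...])."""
    version, processes, entries, in_processes = None, [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
        elif line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False  # the entry list follows the process list
            entries.append(ENTRY_RE.match(line).groups())
        elif in_processes and line:
            processes.append(line)
    return version, processes, entries

def version_tuple(v):
    return tuple(int(x) for x in v.strip(".").split("."))

def bad_location(path):
    """Part I: why HJT's folder is improper, or None if it is its own permanent folder."""
    parent = path.rsplit("\\", 1)[0]
    if re.fullmatch(r"[A-Za-z]:", parent):
        return "HJT running directly from the drive root"
    segments = [s.lower() for s in parent.split("\\")]
    if segments[-1] == "desktop":
        return "HJT running directly from the Desktop"
    if segments[-1] == "my documents":
        return "HJT not in its own folder"
    if "temp" in segments:
        return "HJT in a Temp folder"
    return None

def header_problems(version, processes):
    """Part I: mistakes that get a log sent back before anyone analyses it."""
    problems = []
    if version is None:
        problems.append("log header missing: post the entire log")
    elif version_tuple(version) < version_tuple(EXPECTED_VERSION):
        problems.append(f"HJT v{version} is out of date; current is v{EXPECTED_VERSION}")
    for proc in processes:
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in BROWSERS:
            problems.append(f"browser was open while scanning: {proc}")
        elif name == "hijackthis.exe" and bad_location(proc):
            problems.append(f"{bad_location(proc)}: {proc}")
    return problems

def safe_to_fix(entries):
    """Part II: entries the guide says you may fix yourself. O1 and O15 are
    left out on purpose: they depend on what you know you added yourself."""
    picks = []
    for sec, body in entries:
        low = body.lower()
        if sec in ("R0", "R1") and ("searchmiracle" in low or "searchassistant" in low):
            picks.append((sec, body))
        elif sec == "R3" and body == "Default URLSearchHook is missing":
            picks.append((sec, body))
        elif sec == "O3" and "(no name)" in body and body.endswith("(no file)"):
            picks.append((sec, body))
        elif sec == "O16":  # legitimate ones return when the site is revisited
            picks.append((sec, body))
    return picks

def review(text):
    version, processes, entries = parse_log(text)
    return {"version": version, "problems": header_problems(version, processes),
            "safe_to_fix": safe_to_fix(entries)}

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(*("fix before posting: " + p for p in result["problems"]), sep="\n")
    print(*(f"you may let HJT fix: {s} - {b}" for s, b in result["safe_to_fix"]), sep="\n")
```

Run it against the sample and it reports the old version, the open Internet Explorer and the Temp-folder location, then lists the R1, R3, O3 and O16 entries; the &Radio toolbar is left alone because it has both a name and a file. Anything the script does not list still goes in the log you post for review.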

Part III – How to use HijackThis, program removal

There are some intrusive programs that you can remove with the assistance of HijackThis; if you have any questions, please ask for assistance before continuing.

To do this, go to Add/Remove Programs in your Control Panel and look for the name as shown in the HJT entry. Then remove it with Add/Remove programs, have HJT fix the entry, and then go to the location and delete the program’s folder.

Example – HijackThis shows this entry in the log:

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

Go to Add/Remove Programs and look for WildTangent; if you locate it, remove it; then have HJT fix the O4 entry and, finally, go to C:\Program Files and delete the WildTangent folder.

Below is a list of common programs that should be removed, as they may look in your HJT log. Even if the entry doesn't look exactly the same, as long as it has Program Files\BadFileName, you can follow the removal instructions. The folder to be deleted is the one directly under Program Files in each entry; the program name in Add/Remove Programs should be very similar. If you don't find it in Add/Remove Programs, go ahead and have HJT fix the entry, and then delete the folder.

O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll

O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe

Remember to close any open windows, other than HijackThis, before hitting the Fix checked button.

Now that you’ve cleaned up everything that you can on your own, it’s time to empty your Recycle Bin and reboot.

At this point, if you’re still having problems, you will need assistance that is more specific. Look through the list below for anything that resembles the problem you are still having. If you see anything, go to the post that has the removal instructions for that particular infection. If you don’t see anything, go ahead and post a HijackThis log now in the Virus forum along with a description of your problem.

Infections

ABetterInternet (Fix coming soon, please post an HJT log now)

ABI (Fix coming soon, please post an HJT log now)

About:blank  (Post #6)

Adware.ClickDLoader  (Fix coming soon, please post an HJT log now)

AntivirusGold  (Post #8)

Aurora  (Post #5)

Bridge.dll  (Post #3)

Browser Enhancer  (Post #7)

Cassandra  (Post #4)

Collected.5.L Trojan  (Post #12)

CoolWebSearch  (Post #6)

CoolWwwSearch  (Post #6)

CWS  (Post #6)

Desktophijack  (Post #4)

Dsr/Dinst  (Post #9)

Ebates  (Fix coming soon, please post an HJT log now)

Error Message 317  (Post #4)

HomeSearchAssistant  (Post #6)

HotOffers  (Post #4)

Joke.Smitfraudoid  (Post #4)

LOP  (Post #7)

Martfinder  (Fix coming soon, please post an HJT log now)

MediaAccess  (Fix coming soon, please post an HJT log now)

MyWay / MyWaySearchAssistant / MyWaySA  (Post #15)

Nail  (Post #5)

Newdotnet  (Post #11)

New.net  (Post #11)

Newgenlook  (Post #4)

Stop PurityScan Ads (Post #13)

Search Extender  (Post #6)

Searchmiracle  (Post #4)

Shopping Assistant  (Post #6)

Shopping Wizard  (Post #6)

Smitfraud  (Post #8, and possibly #4)

Specialgoods  (Post #4)

SpySherrif  (Posts #4 & #8)

Infections in the System Volume Information\_restore folder (Post #2)

Ultimate Browser Enhancer  (Post #7)

Vundo/Virtumonde.  (Post #16)

White-Pages.ws  (Post #6)

Win-eto/SwapX  (Post #10)

Window Search  (Post #7)

Window Searching  (Post #7)

WindUpdates  (Fix coming soon, please post an HJT log now)

YouFindAll  (Post #6)

YupSearch  (Post #14)

*'Warning' obtained from this thread by Crunchie -- http://www.daniweb.com/techtalkforums/thread12033.html

The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic scheduled backups ("restore points") of critical Windows components, including the registry. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. The backup files for these restore points are kept in the C:\System Volume Information\_restore folder, which is a hidden system folder.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot," the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder, most anti-virus and anti-spyware programs don't have permission to delete the infected files stored there. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows will automatically delete the contents of the _restore folder.

Note that because disabling System Restore deletes all data in the restore folder, you'll want to re-enable System Restore once you're sure that your system is clean.


The Fix

For Windows XP:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.

5. Run another full scan with your anti-virus/anti-spyware programs to verify that the infected files have been deleted.


Once your system is clean: reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.


For Windows ME:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. On the Performance tab, click File System.

3. Click "OK" twice, and then click "Yes" when you are prompted to restart the computer.

4. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the "Disable System Restore" check box.

(Link to original post -- http://www.daniweb.com/techtalkforums/thread13362.html)

Scan with HiJackThis and look for a line similar to this:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load

Place a check in the box to the left, click Fix checked, and see if that resolves the issue.

If the entry is also in an O2 line of the HijackThis log, you may need to go to C:\WINDOWS\system32 & delete the file manually as well. At the least, go there to see if it is still there.
___________________________________________________________

BEFORE POSTING A HiJackThis LOG, PLEASE REVIEW THE FOLLOWING LINK:

http://www.2-spyware.com/file-bridge-dll.html

Bridge.dll is related to WinFavorites, which apparently is spyware. The above link tells you exactly what to do to resolve the issue. If this doesn't fix your problem, THEN AND ONLY THEN should you ask for help. Also, you should only post an HJT log if asked for one.

HiJackThis is an excellent tool, but only in the hands of a user skilled enough to interpret the results. It is unfair just to post an HJT log and basically say, "fix it!". These posts don't contribute anything to the community we're trying to build here, and it indicates a lack of initiative on the part of the original poster, basically showing that the user isn't interested in learning anything, only having their problem fixed. That's not the type of user we want to foster here...

(Link to original post -- http://www.daniweb.com/techtalkforums/thread7370-bridge.dll+before.html)

This fix may work for any of the following infestations:
Cassandra
Desktophijack
Error Message 317
HotOffers
Joke.Smitfraudoid
NEWGENLOOK
SmitFraud
Specialgoods
Searchmiracle

In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Download, install, update, and run CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix any R0 or R1 entries similar to this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
(hotoffers may be substituted with specialgoods, newgenlook, or searchmiracle)

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

The infection should now be gone. If remnants of it still remain, please follow these instructions:

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Navigate to and delete the following subkeys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"

Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

Exit the Registry Editor.

If these steps fail to remove your infection, you can find links to other removal tools and instructions here:
http://www.techzonez.com/forums/showthread.php?t=15689

Now, close any open browser windows, scan with HijackThis, and post a log in the Virus forum please, to verify your system is clean.

This fix should work for the Aurora / Nail infection.

You will need to disconnect from the internet, so you may wish to print these instructions.

If you don’t already have HijackThis, please download the self-extracting version of it from here (in line 2):
http://www.malwareremoval.com/downloads.html

Download Ewido Security Suite from here (XP users only):
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido; during the scan it will prompt you to clean files, click OK. (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, Double-click on the Hijackthis.exe icon that is on your desktop; scan with HijackThis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

A gibberish O4 entry that ends with the letter 'r', similar to this one:
O4 - HKLM\..\Run: [wuntkqh] c:\windows\system32\ssxzrmh.exe r

And
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close any open windows, other than HijackThis, and click on Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\the gibberish file in the O4 entry above

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe

If any of these files are located, but cannot be deleted, follow the Delete on reboot instructions:

Open HijackThis, and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file name into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Allow your computer to reboot normally.

Empty your Recycle Bin.

Close any open browser windows, scan with Hijackthis, and post the log along with the Ewido log in the Virus forum to verify your system is clean.

This post covers the removal of:

About:blank
CoolWebSearch
CoolWwwSearch
Home Search Assistant
Search Extender
Shopping Assistant
Shopping Wizard
White-Pages.ws
YouFindAll

You will need to disconnect from the internet, so you may wish to print these instructions.

Download, install, and update these utilities, and then close the programs (don't scan yet):

Ewido Security Suite (XP users only) -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.besttechie.net/tools/AboutBuster.zip
HSRemove (XP users only) -- http://www.majorgeeks.com/download4286.html
Sp.html-Se.dll Hijack Fix (Windows 2000 & XP only) -- http://www.majorgeeks.com/Sp.html-Se.dll_Hijack_Fix_2000XP_d4617.html
or
SpSeHjfix -- http://www.derbilk.de/SpSeHjfix112.zip (save it to the Desktop, and then right-click in a blank area of the Desktop, select New, Folder, and name it spfix; unzip the file into that folder.)

Disconnect from the net and reboot into Safe Mode.

Now run the utilities:

about:Buster

HSRemove

Sp.html-Se.dll Hijack Fix or SpSeHjfix (click on Start Disinfection. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Note: if it doesn't find any of the SE files or any hidden reinstallers, it will say System clean and not go on to next stage).

CWShredder

Ewido; during the scan it will prompt you to clean files, click OK (note: you will be posting the log from this scan later).

Scan with HijackThis and have it fix any entries similar to the following:

Any R0 or R1 entries that have an "sp.html" in them, like:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have about:blank in them:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

Any R0 or R1 entries that have SearchAssistant:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have "index.php" in them:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php

R3 - Default URLSearchHook is missing

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste home search assistant, and then click on Find Next

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the 'Find' instructions for search extender, shopping wizard, and shopping assistant.

Close the Registry Editor.

Reboot normally, close any open browser windows, scan with HijackThis, and post the log in the Virus forum along with the Ewido log.

Uninstall Messenger Plus as it comes bundled with LOP. You can reinstall Messenger Plus without the sponsor.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer

You may be given a code to insert; do so and reboot when done.

If none of these are listed, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Reboot, close any open browser windows, scan with HJT, and post a log to verify your system is clean.

Dsr/Dinst removal.

==

Download the HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.

==

Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.

  • Download DSRFIX from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working Go Here)
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET
  • CLOSE INTERNET EXPLORER, if it is open
  • Open the folder dsrfix
    • Double click on the dsrfix batch file( the one with the little gear in it )
    • Once dsrfix has completed it will close on its own
  • Please restart HJT, put a checkmark next to the following items, and with all windows closed except for HJT, click "Fix checked" and EXIT the program.

    Insert the O4 dsr and dinst entries here

  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program.
  • REBOOT your system.
  • Please restart HJT and post back a fresh HJT log for review.

Win-eto.

Download and install Ad-Aware SE.

Click on the 'world' icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

Once the update is finished close Adaware.

Reboot into safe mode following the instructions here.

Start Adaware and run a full scan. Remove all that is found, close Adaware and reboot normally.

If you still have problems with win-eto, post a HijackThis log.

Newdotnet, New.net removal.

Go to Start>Control Panel>add/remove programs and remove (uninstall) the Newdotnet entry from there, or go here and scroll down to the uninstall tool.

Collected.5.L Trojan.

Click here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\(file name following Shell=Explorer.exe, from the F2 line in hijackthis)
C:\WINDOWS\System32\msdirectx.sys

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.

F2 - REG:system.ini: Shell=Explorer.exe,random.exe

Close all windows except HijackThis and click Fix checked.

Boot back to normal and copy the part in bold below into Notepad. Save it as unlegacy.reg (set filetype to "All Files").

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

Double-click the file you made and confirm you want to merge it with the registry.
Reboot once more and post a new log.

commented: Thanks for the additions! :) -- dlh +4

First, you need to be sure your system is set to 'Show hidden files and folders.' Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings:
  • Select Show hidden files and folders.
  • Deselect (uncheck) Hide protected operating system files.

If you're getting any popup messages, don't click on them, not even the 'X' to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Download CleanUp from here:
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Install it, but don't run it yet.

Download LQfix.exe from one of the following locations:
http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe

Install it, but do NOT run it yet (you will need to boot into Safe Mode first).
Installation and running notes --

  • To install, double-click LQfix.exe and click Next, then Next, and then Install.

When you run it:

  • Leave the default settings; if you change them, the fix will fail!
  • You will need an active internet connection, so make sure you're not blocking any connection now.
  • Make sure the "Launch LQfix" box is checked.
  • Click the Finish button to start the fix.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot; there is a script running in the background that needs to complete.

Reboot into Safe Mode and run LQfix.bat.

When it's finished (after your system reboots), scan with HijackThis, and have it fix the following entries:

Note: This first entry should have elite followed by three letters and the number 32 -- and the second entry should have pokapoka followed by two numbers as in these examples:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterdj32.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
And
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
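
The O4 patterns just above (elite plus three letters and 32; pokapoka plus two digits under an etb folder) and the F2 Shell= line from the Collected.5.L section earlier can be checked by script rather than by eye. The following is an added example, not HijackThis code and not part of the original post; it parses a saved HJT log and lists the lines matching those patterns so you know which boxes to tick. The SAMPLE_LOG lines are constructed.

```python
"""Flag the HijackThis log lines this thread tells you to fix.

Added example, not part of the original post and not HijackThis code.
It scans the O4 (autorun) and F2 (system.ini Shell=) lines of a saved
HJT log for the patterns described in the thread: an O4 entry whose
program is elite + three letters + 32, an O4 entry for pokapoka + two
digits in an etb folder, and an F2 Shell= line naming anything besides
Explorer.exe. SAMPLE_LOG is constructed for the demonstration.
"""
import re
import sys

# O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterdj32.exe
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# F2 - REG:system.ini: Shell=Explorer.exe,random.exe
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.I)

# Executable name patterns from the thread, matched against the O4 command.
SUSPECT_EXE = {
    "elite32": re.compile(r"\\elite[a-z]{3}32\.exe(?=\s|$)", re.I),
    "pokapoka": re.compile(r"\\etb\\pokapoka\d{2}\.exe(?=\s|$)", re.I),
}


def triage(log_text):
    """Return (rule, line) for each log line matching one of the patterns,
    in the order the lines appear in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            for rule, pat in SUSPECT_EXE.items():
                if pat.search(m.group("cmd")):
                    findings.append((rule, line))
            continue
        m = F2_SHELL_RE.match(line)
        if m:
            # system.ini's Shell= should name only Explorer.exe; anything
            # appended after a comma is an extra program started as the shell.
            parts = [p.strip() for p in m.group("shell").split(",") if p.strip()]
            if any(p.lower() != "explorer.exe" for p in parts):
                findings.append(("f2_shell", line))
    return findings


# Constructed sample log: one benign O4, one benign-looking "elite" program
# that must not match, and the three entries the thread describes.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe,random.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterdj32.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [elite] C:\Program Files\elite_editor\elite.exe
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for rule, line in triage(text):
        print(f"[{rule}] {line}")
```

Run it as `python hjt_triage.py hijackthis.log`; with no argument it runs on the constructed sample. The patterns are deliberately narrow (the exact shapes the thread describes), so an ordinary program whose name happens to start with "elite" is not flagged.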

Close any open windows, other than HijackThis, and hit Fix checked.

With HijackThis still open, click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy and paste (the elite entry from your log, similar to this) -- C:\windows\system32\eliterdj32.exe into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes and boot into Safe Mode again.

Repeat the 'delete on reboot' instructions for C:\WINDOWS\etb\pokapoka62.exe, again rebooting into Safe Mode.

Then go to the following locations and delete the highlighted file and folder (if present):

C:\windows\system32\eliterdj32.exe (again, whatever elite file showed in your log)

C:\WINDOWS\etb

Empty your Recycle Bin and reboot normally.

Now run CleanUp!; click the Options... button and then move the Quick Setup slider to the Thorough Cleanup position. If you have any bookmarks, Uncheck the option Delete Favorites/Bookmarks. Click OK to return to the main window and click CleanUp! to start cleaning. When it's finished, click Close, and then No (to avoid logging off).

Close any open browser windows, scan with HJT, and post a log in the Virus forum.

(This fix obtained from http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42143)

Boot/reboot into Safe Mode

Go to Add/Remove Programs in the Control Panel and remove:
MyWay (or MyWaySA)

If you get a window to "Remove Share Component", click "Yes to All"

If you get a window to "Remove Share File", click "Yes to All"

Do NOT restart the computer when asked.

Go to Start, Find (or Search), Files or Folders; Look In should say Local Hard Drives
Type MyWay (or MyWaySA) and hit Enter -- delete any instances found.

Go to Start, Run, and type in (or copy and paste) MsiExec.exe /X{78d944d7-a97b-4004-ab0a-b5ad06839940}

Click OK and follow the prompts to remove MyWay

Go to Start, Run, type in regedit, and hit Enter

Highlight My Computer

Click Edit, Find, type in MyWay, and hit Enter. Delete anything found, press F3 to continue searching, deleting any/all found until the search is complete.

Close all windows when finished and reboot normally.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

If you still require help, post a HijackThis log in the Viruses, Spyware & other Nasties forum.
