Let's start to fix your PC.
Make sure that you can see hidden files.
- Click Start.
- Click My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.
Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.
Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.
Click on the General Button on the left and select in green
- Under Safety
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Under Definitions
- Prompt to update outdated definitions - set to 7 days
- Under Driver, Folders & Files
- Scan Within Archives
- Under Select drives & folders to scan
- choose all hard drives
- Under Memory & Registry
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
- Under Shell Integration
- Move deleted files to Recycle Bin
- Under Logfile Detail Level
- Include additional object information
- DESELECT - Include negligible objects information (make it show a red X)
- Include environment information
- Under Alternate Data Streams
- Don't log streams smaller than 0 bytes
- Don't log ADS with the following names: CA_INOCULATEIT
- Under the Scanning Engine (Click on the + sign to expand)
- DESELECT Unload recognized processes & modules during scan (make it show a red X)
- Scan registry for all users instead of current user only
- Under the Cleaning Engine (Click on the + sign to expand)
- Always try to unload modules before deletion
- During Removal, unload Explorer and IE if necessary
- Let Windows remove files in use at next reboot
- Under the Log Files (Click on the + sign to expand)
- Include basic Ad-aware SE settings in logfile
- Include additional Ad-aware SE settings in logfile
- Include reference summary in log file
- Include alternate data stream details in log file
______________________________
If Spybot - S&D 1.4 is already installed on your system, skip to Update Spybot - S&D before using it. Otherwise download Spybot - S&D from the following link:
Spybot - Search and Destroy
When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, pressing the Next button until you get to the Select Additional Tasks screen.
Under Permanent protection, make sure to uncheck the following items for now:
- Use Internet Explorer Protection
- Use system settings Protection (TeaTimer)
Launch Spybot - S&D
If you told Spybot to launch when it was done installing, the program should now be open. Otherwise find the icon on your desktop and double-click on it. When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the Next button. Click on the button labeled Start using this program to begin using Spybot - Search & Destroy.
Update Spybot - S&D before using it
Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them.
______________________________
Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/
- Install Ewido Security Suite.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________
Download Brute Force Uninstaller
http://www.merijn.org/files/bfu.zip
Create a folder for BFU on the C: drive called C:\BFU. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it BFU. Extract the files from the zip archive into that folder.
Run the program and click the Web button as shown by the blue arrow below:
Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu
Execute the script by clicking the Execute button. Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program. Reboot the computer.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
______________________________
I've put those 2 as optional; it's up to you. Limeware will depend on the version you use and Kazaa Lite is really up to you (see the link I previously posted).
If you remove Kazaa Lite: all the related lines are in blue
If you remove Limeware: lines in green
Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:
My Web Search (Smiley Central)
My Search Bar
MyWay Speed Bar
My Web Search Bar
Fun Web Products Easy Installer
Messenger Plus 3!
Kazaa Lite
Limeware
During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________
Click Start, then Run and copy/paste the following line in the edit box
regsvr32 /u "C:\Program Files\2Search\plugin.dll"
and hit enter.
Click Start, then Run and copy/paste the following line in the edit box
regsvr32 /u "C:\Program Files\The Guard\the007guard.ocx"
and hit enter.
______________________________
Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {0BBC1B5B-2E48-4D18-973B-8E74730051C0} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solu ... e-c266.cab
Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________
Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.
REGEDIT4
[-HKEY_CLASSES_ROOT\Interface\{03BE31FE-6526-4D9C-B197-4A3E5DCFF696}]
[-HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}]
[-HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}]
[-HKEY_CLASSES_ROOT\IEsearch.clsIESpy]
[-HKEY_CLASSES_ROOT\Interface\{0EB61AF8-0B15-48B6-A971-1F206F2E3D5E}]
[-HKEY_CLASSES_ROOT\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[-HKEY_CLASSES_ROOT\TypeLib\{20048BB0-DB68-11CF-9CAF-00AA006CB425}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{20048BB0-DB68-11CF-9CAF-00AA006CB425}]
[-HKEY_CLASSES_ROOT\The007Guard.The007GuardCtrl.1]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2search]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2search]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\the guard]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\the guard]
[HKEY_LOCAL_MACHINE\SOFTWARE\WinRAR SFX]
"C%%Program Files%The Guard"=-
[HKEY_CURRENT_USER\WinRAR SFX]
"C%%Program Files%The Guard"=-
[HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX]
"C%%Program Files%2search"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\WinRAR SFX]
"C%%Program Files%2search"=-
[-HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Joylogmemodefy]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BlockChecker]
Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg
Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
Using Windows Explorer, Search and Delete these Folders if listed:
C:\Program Files\MsMovies
C:\program files\Messenger Plus 3
C:\Program Files\2Search
C:\Program Files\The Guard
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts
C:\Program Files\LimeShop
C:\Documents and Settings\All Users\Application Data\Rule Cast Joy Log
You may have a folder named C:\Documents and Settings\Willie Clemie\Complete
This folder may contain up to 20,000 infected files; if found, delete the folder. These files are dropped here by the Trojan.
C:\Program Files\Kazaa Lite K++
C:\Program Files\Limeware
Using Windows Explorer, Search and Delete these Files if listed:
C:\windows\System32\007guard.exe
C:\windows\system32\2searchinstaller.exe
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________
Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
______________________________
Run Ad-Aware and Click on the Scan Now Button
- Choose Perform Full System Scan
- DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Reboot to complete the removal of what Ad-Aware SE found.
______________________________
Run Spybot - S&D
Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.
If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.
At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of Windows.
______________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (If available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.
Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________
Enumerating Scheduled Tasks
Copy/paste the following quote box into a new notepad (not wordpad) document.
@ECHO OFF
REM List every file in the Tasks folder (hidden ones included) into a temporary text file
dir %Windir%\tasks /a > files.txt
REM Show the listing in Notepad, then remove the temporary file once Notepad is closed
notepad files.txt
del /q files.txt
Save it to your Desktop as findjobs.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: findjobs.bat
Locate findjobs.bat on your Desktop and double-click it. When Notepad opens, copy/paste the content in your reply. When you close Notepad, the text file will be deleted and the CMD window will be closed.
______________________________
Please post:
- Ewido log
- Kaspersky online scan results
- C:\WinPFind\WinPFind.txt
- Results from findjobs.bat
- a new HijackThis log
- Let me know if you still use Kaspersky Anti-Virus Service, Panda Antivirus, F-Secure or if you did uninstall them.
- You've got a LOP infection running on the PC due to the presence of Messenger Plus 3 - Please let me know how many different user accounts you have on the PC
Let me know how everything went please.
Kim
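The HijackThis entries Kim asks the user to fix above follow a fixed line format (a section code such as R0, O2, O3, O4 or O16, a dash, then the registration details). The script below is an added example, not part of Kim's post and not HijackThis' own code: it parses lines in that format, pulls out the CLSID and the file or URL each entry points at, and flags the "(no file)" orphans and the remote hosts involved, which is how a helper triages such a log before deciding what to check. The sample input is copied from the entries in the post; the Entry, parse_entry and triage names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Sample HijackThis lines copied from the post above (constructed input for this example).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
""".strip()

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HTTP_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str                      # HijackThis section code, e.g. O2 (BHO) or O16 (DPF download)
    body: str                      # everything after the "Rn - " / "On - " prefix
    clsid: Optional[str] = None    # COM class id, when the entry registers one
    target: Optional[str] = None   # file, URL or command the entry points at
    orphan: bool = False           # registration whose backing file is gone: "(no file)"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = Entry(code=code, body=body, orphan=body.endswith("(no file)"))
    c = CLSID_RE.search(body)
    if c:
        entry.clsid = c.group(0).upper()
    if entry.orphan:
        return entry                                  # nothing left on disk to point at
    u = HTTP_RE.search(body)
    if u:
        entry.target = u.group(0)                     # R0 start pages, O16 cab downloads
    elif code == "O4":
        m4 = re.search(r"\]\s*(.*)$", body)           # O4 lines read "[name] command line"
        if m4:
            entry.target = m4.group(1)
    else:
        tail = body.rsplit(" - ", 1)[-1]              # O2/O3/O8: the last field is the file
        if "\\" in tail or ":" in tail:
            entry.target = tail
    return entry


def triage(log_text: str) -> Dict[str, object]:
    """Group entries the way a helper reads a log: orphans, autoruns, downloads, remote hosts."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    remote = {urlparse(e.target).hostname for e in entries
              if e.target and e.target.startswith(("http://", "https://"))}
    return {
        "entries": entries,
        "orphans": [e for e in entries if e.orphan],
        "autoruns": [e for e in entries if e.code == "O4"],
        "downloads": [e for e in entries if e.code == "O16"],
        "remote_hosts": sorted(h for h in remote if h),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["orphans"]:
        print("orphaned registration:", e.code, e.clsid)
    print("remote hosts referenced:", result["remote_hosts"])
```

The orphan check matters because an entry marked "(no file)" is a leftover registration rather than a running component: it still belongs in the fix list, but its absence of a file is why it shows up again after a partial uninstall. The remote host list is what one would feed to a hosts-file or proxy block list after the cleanup.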
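The Fixme.reg file above uses the REGEDIT4 syntax: a `[-KEY]` line deletes a whole key, a bare `[KEY]` line selects a key, and `"name"=-` under it deletes a single value; Kim's warning about the blank line at the end is there because regedit may ignore a last line that has no line ending. The following is an added example, not Kim's code and not anything from Microsoft: a small parser that turns such a file into a list of operations and reports the problems (missing header, missing trailing newline, value lines outside any key) that would make a merge silently do less than intended. The sample is a subset of the post's own Fixme.reg; the RegOp, parse_reg and summarize names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the Fixme.reg shown in the post (constructed input for this example).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}]

[-HKEY_CLASSES_ROOT\IEsearch.clsIESpy]

[HKEY_LOCAL_MACHINE\SOFTWARE\WinRAR SFX]
"C%%Program Files%The Guard"=-
"C%%Program Files%2search"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BlockChecker]

"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


@dataclass
class RegOp:
    kind: str                    # delete_key, select_key, delete_value or set_value
    key: str                     # full registry path the operation applies to
    name: Optional[str] = None   # value name for value operations ("(Default)" for @)
    data: Optional[str] = None   # raw data for set_value, as written in the file


def parse_reg(text: str) -> Tuple[List[RegOp], List[str]]:
    """Parse a .reg file into operations plus a list of human-readable problems."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor header on line 1")
    ops: List[RegOp] = []
    problems: List[str] = []
    if not text.endswith("\n"):
        problems.append("file does not end with a newline; regedit may ignore the last line")
    current: Optional[str] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            ops.append(RegOp("delete_key" if km.group("minus") else "select_key", current))
            continue
        vm = VALUE_RE.match(line)
        if vm:
            if current is None:
                problems.append(f"line {lineno}: value line outside any [key] section")
                continue
            name = vm.group("name")
            name = "(Default)" if name == "@" else name[1:-1]
            data = vm.group("data")
            if data == "-":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data))
            continue
        problems.append(f"line {lineno}: unrecognised line {line!r}")
    return ops, problems


def summarize(ops: List[RegOp]) -> Dict[str, int]:
    """Count operations by kind, e.g. how many keys a fix file would delete."""
    return dict(Counter(op.kind for op in ops))


if __name__ == "__main__":
    operations, issues = parse_reg(SAMPLE_REG)
    for op in operations:
        print(op.kind, op.key, op.name or "")
    print("summary:", summarize(operations), "problems:", issues)
```

Reviewing a fix file this way before merging it is the same habit as reading an uninstaller's prompts carefully: the parser shows exactly which keys will disappear, and a value line that landed outside its `[KEY]` section (easy to do when pasting) is caught instead of being skipped by regedit.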