Ok, let's clean up now.
Please print out or copy these instructions/tutorials to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. You will need to activate the network connection again for the updates (just a few moments); stand-alone programs can be downloaded from another PC and installed on the infected PC. Or put the PC on the network just for the time it takes to download the requested files. Note that you will need admin rights on the PC to clean up. You will need Winzip or a similar utility - see previous posts for links please.
______________________________
Before we start to fix your computer, I would like you to move HijackThis to its own folder. Do not attempt to fix anything before you have moved HijackThis.
Create a folder for Hijackthis on the C: drive called C:\HJT. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it HJT.
Locate HijackThis.exe and right click on it, select Cut, right click in the folder you just created and select Paste.
______________________________
First of all, I would like you to download a few tools, don't use them until you are instructed to do so.
- Download CWShredder to your Desktop or to your usual Download Folder.
http://www.trendmicro.com/ftp/products/ ... redder.exe
Run CWShredder.exe and Check for updates.
- Download SpSeHjfix to your Desktop or to your usual Download Folder.
http://www.derbilk.de/SpSeHjfix112.zip
Create a folder for SpSeHjfix on the C: drive called C:\spfix. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it spfix. Extract the files from the zip archive into that folder.
Download Bobbi Flekman's RegSearch from
http://www.bleepingcomputer.com/files/regsearch.php
Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.
______________________________
Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/
- Install Ewido Security Suite.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________
Please disconnect from the Internet and unplug your modem for the duration of this fix. Close ALL OPEN PROGRAMS!
Launch the Blacklight scan again and select the entries found before. Select "rename" for hidden *.exe, *.sys, and *.dll files
Reboot the computer.
______________________________
In the next step we are going to stop a Service:
Click Start then Run
Type in services.msc
Click Ok
Scroll down and double click on the service called SpywareCleanerService
Click Stop and then set the Startup Type to Disabled.
Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:
Spyware Cleaner
During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________
Open the spfix folder, double-click SpSeHjfix.exe and click on Start Disinfection
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the spfix folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say "system clean" and will not go on to the next stage.
Once it is finished, run CWShredder.exe. Close ALL windows except CWShredder and click on the Fix button, then click Next.
Reboot in Safe Mode and move to the next part of the fix.
Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply, then OK.
- Then you can set your home page to what you want on the General tab. Click Apply, then OK.
- Click OK.
Boot into Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5A735D13-F26E-4DBE-A3D1-676571607056} - C:\WINNT\system32\keea.dll
O4 - HKLM\..\Run: [windesktop] C:\WINNT\system32\windesktop.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINNT\system32\windesktop.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: PowerReg Scheduler V3.exe
O18 - Filter: text/html - {CDCA7CAF-DEE9-42F8-93CD-EEA3BEEC72CB} - C:\WINNT\system32\keea.dll
O18 - Filter: text/plain - {CDCA7CAF-DEE9-42F8-93CD-EEA3BEEC72CB} - C:\WINNT\system32\keea.dll
O20 - Winlogon Notify: dvd4free - C:\WINNT\SYSTEM32\dvd4free.dll
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________
Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:
dvdkernl
On the next line, type (or copy and paste) dvd4free
On the next line, type (or copy and paste) nwr2
On the next line, type (or copy and paste) windesktop
then hit Ok
After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.
______________________________
Using Windows Explorer, Search and Delete these Folders if listed:
C:\Program Files\Spyware Cleaner
Using Windows Explorer, Search and Delete these Files if listed:
C:\WINNT\system32\keea.dll
C:\WINNT\system32\windesktop.exe
C:\WINNT\system32\icasServ.exe
C:\WINNT\system32\sywsvcs.exe
C:\WINNT\SYSTEM32\dvd4free.dll.ren
C:\WINNT\system32\dvdkernl.sys.ren
C:\WINNT\system32\Emhiqhng.exe.ren
C:\WINNT\system32\drivers\nwr2.ies4.ren
Double check that these files don't exist anymore:
C:\WINNT\SYSTEM32\dvd4free.dll
C:\WINNT\system32\dvdkernl.sys
C:\WINNT\system32\Emhiqhng.exe
C:\WINNT\system32\drivers\nwr2.ies4
If you get an error when deleting a file, right click on the file and check to see if the Read-only attribute is checked. If it is, uncheck it and try again.
______________________________
Navigate to C:\WINNT\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet Files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
______________________________
Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.
Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (If available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Again, run the Blacklight scan.
- If it displays any items...don't do anything with them yet. Just hit exit (close)
- It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log.
______________________________
Please post:
- SpSeHjfix log
- Regsearch results
- Ewido log
- C:\WinPFind\WinPFind.txt
- Kaspersky log
- Latest Blacklight log
- a new HijackThis log
Kim