Hello StaticCP,
Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Please download SmitRem.exe by noahdfear to your Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________
Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/
- Install Ewido Security Suite.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________
If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.
Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.
Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.
Click on the General Button on the left and select in green:
- Under Safety
  - Automatically save log-file
  - Automatically quarantine objects prior to removal
  - Safe Mode (always request confirmation)
- Under Definitions
  - Prompt to update outdated definitions - set to 7 days
Click on the Scanning Button on the left and select in green:
- Under Driver, Folders & Files
- Under Select drives & folders to scan
- Under Memory & Registry
  - Scan Active Processes
  - Scan Registry
  - Deep Scan Registry
  - Scan my IE favorites for banned URL’s
  - Scan my Hosts file
Click on the Advanced Button on the left and select in green:
- Under Shell Integration
  - Move deleted files to Recycle Bin
- Under Logfile Detail Level
  - Include additional object information
  - DESELECT - Include negligible objects information (make it show a red X)
  - Include environment information
- Under Alternate Data Streams
  - Don't log streams smaller than 0 bytes
  - Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green:
- Under the Scanning Engine (Click on the + sign to expand)
  - DESELECT Unload recognized processes & modules during scan (make it show a red X)
  - Scan registry for all users instead of current user only
- Under the Cleaning Engine (Click on the + sign to expand)
  - Always try to unload modules before deletion
  - During Removal, unload Explorer and IE if necessary
  - Let Windows remove files in use at next reboot
- Under the Log Files (Click on the + sign to expand)
  - Include basic Ad-aware SE settings in logfile
  - Include additional Ad-aware SE settings in logfile
  - Include reference summary in log file
  - Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________
If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.
Installing VX2 Cleaner 2.0
- Close Ad-Aware, if it is currently open.
- Download the VX2 Cleaner 2.0 Plug-in here.
- Install the VX2 Cleaner by clicking on vx2cleaner_inst.exe.
______________________________
Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
Create a folder named C:\Reg for it and unzip into that folder.
______________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
______________________________
Double-click the icon for RegSearch.exe in the C:\reg folder to launch the program.
Enter contextplus to search for and click "OK".
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same folder location as RegSearch.exe. I will need that file later on.
______________________________
Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpA89.tmp
O4 - HKLM\..\Run: [SpyAxe] C:\Programmer\SpyAxe\spyaxe.exe /h
Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________
Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
Close Ewido.
______________________________
Start Ad-Aware SE
- Click on Add-ons
- Select the VX2 Cleaner plug-in and click Run Tool
- If your computer isn’t infected, click Close.
OR
- If your computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
- Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
- Reboot your computer
- Run Ad-Aware and Click on the Scan Now Button
- Choose Perform Full System Scan
- DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.
Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.
Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed.
Reboot in Normal Mode.
______________________________
Run Panda's ActiveScan and perform a full system scan.
- Once you are on the Panda site click the Scan your PC button.
- A new window will open...click the big Check Now button.
- Enter your Country.
- Enter your State/Province.
- Enter your e-mail address.
- Select either Home User or Company.
- Click the big Scan Now button.
- Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
- Click on Local Disks to start the scan.
Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.
______________________________
Please do an online scan with Kaspersky Online Scanner.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (If available otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
______________________________
Please post :
- The results from the RegSearch.exe
- c:\smitfiles.txt
- Ewido log
- ActiveScan results
- Kaspersky results
- a new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
Make sure that wordwrap is turned off in Notepad when posting the logs please.
Kim
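
The post asks for a new HijackThis log once the fixes are done. The following added example (not part of the original post, and not a feature of HijackThis) parses O2 and O4 lines and reports which of the two entries listed above still appear in such a log. The sample log is constructed, and the function names are assumptions.

```python
import re

# The two entries the post asks to tick in HijackThis, copied from the page.
TARGETS = [
    r"O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpA89.tmp",
    r"O4 - HKLM\..\Run: [SpyAxe] C:\Programmer\SpyAxe\spyaxe.exe /h",
]

# O2 lines: "O2 - BHO: <name> - {CLSID} - <file>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 lines: "O4 - <registry key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")


def parse_entry(line):
    """Return a case-insensitive comparison key for an O2/O4 line, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        # Compare BHOs by CLSID and file; the display name is ignored.
        return ("O2", m["clsid"].lower(), m["path"].lower())
    m = O4_RE.match(line)
    if m:
        return ("O4", m["key"].lower(), m["name"].lower(), m["command"].lower())
    return None


def remaining_targets(log_text):
    """List the TARGETS entries that still appear in a HijackThis log."""
    seen = {parse_entry(line) for line in log_text.splitlines()} - {None}
    return [t for t in TARGETS if parse_entry(t) in seen]


# Constructed follow-up log: the BHO survives (with different letter case),
# the SpyAxe Run entry is gone, and two unrelated made-up entries are present.
SAMPLE_LOG = r"""Logfile of HijackThis
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\example.dll
O2 - BHO: HomepageBHO - {724510C3-F3C8-4FB7-879A-D99F29008A2F} - C:\WINDOWS\System32\hpA89.tmp
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

if __name__ == "__main__":
    for entry in remaining_targets(SAMPLE_LOG):
        print("still present:", entry)
```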