Windows XP/2K (includes Ewido)
You may want to print out or make a copy of these
instructions before starting, because you will not be able
to connect to the internet during most of this fix.
Please download smithrem.zip and save it to your desktop
http://216.122.228.48/downloads/smithrem.zip
Right click on the file and extract it to its own folder on
the desktop.
Please download, install, and update the free version of
Ewido Security Suite:
http://216.122.228.48/downloads/ewidosetup.exe
When installing, under "Additional Options" uncheck "Install
background guard" and "Install scan via context menu".
From the main Ewido screen, click on update in the left
menu, then click the Start update button.
After the update finishes, the status bar at the bottom will
display "Update successful"
Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed,
download
http://216.122.228.48/downloads/aawsepersonal.exe
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the
following:
Restart your computer.
After hearing your computer beep once during startup, but
before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
Now scan with HJT
http://216.122.228.48/downloads/HijackThis1.zip and place a
checkmark next to each of the following items if available:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
Delete any other malware files not associated with the
smitfraud variants and SpySheriff.
Open the smithrem folder, then double click the RunThis.bat
file to start the tool. Follow the prompts on screen. Your
desktop and icons will disappear and then reappear again;
this is normal.
Wait for the tool to complete and Disk Cleanup to finish;
this may take a while, please be patient.
Next, run Ad-aware and perform a full scan. Remove
everything found.
Now open Ewido Security Suite
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of
false positives. You will need to step through the process of
cleaning files one-by-one. If ewido detects a file you KNOW
to be legitimate, select none as the action. DO NOT select
"Perform action on all infections".
When the scan is finished, click the Save report button at
the bottom of the screen.
Save the report to your desktop
Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop
-> Customize Desktop -> Web -> Uncheck "Security Info" if
present.
Restart your computer in normal mode.
Run Panda's online virus scan and perform a full system scan:
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
Make sure the Autoclean box is checked!
Finally, restart your computer once more, and please post a
new HijackThis log as well as the log from the Ewido scan and
the log from the smitRem tool, which will be located at
C:\smitfiles.txt.
Let me know if any problems persist.
Nick said:
Hi,
My computer was infected with spyware. I already use
Microsoft AntiSpyware and Ad-Aware, but I am still not able
to remove the problem with my wallpaper as well as my
homepage. When I tried to change the wallpaper on my
desktop, it didn't even give me that option. I cannot
click on anything to change it. Please help. Thank you.
nick
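
A saved HijackThis log can be checked against the entries listed in the reply above before ticking them by hand. The following is an added example, not part of the original thread or of HijackThis itself; the sample log and the names parse_log and flag_entries are constructed for illustration, and matching covers only the domains, Run value names and CLSIDs from that list.

```python
import re

# Indicators copied from the HijackThis entries listed in the reply above.
BAD_DOMAINS = ("quicknavigate.com", "startsearches.net")
BAD_RUN_NAMES = {"WindowsFY", "WindowsFZ", "Security iGuard", "PSGuard"}
BAD_CLSIDS = {"{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}",
              "{D5BC2651-6A61-4542-BF7D-84D42228772C}"}

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")
RUN_NAME = re.compile(r"\\Run(?:Once)?: \[([^\]]+)\]")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Yield (section, body) for each log entry, skipping header lines."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def flag_entries(text):
    """Return [(section, reason, body)] for entries matching the list above."""
    hits = []
    for section, body in parse_log(text):
        reason = None
        # Substring match works for both "http://" and the post's "http:://".
        if section in ("R0", "R1") and any(d in body.lower() for d in BAD_DOMAINS):
            reason = "search/home page redirect"
        elif section == "O4":
            m = RUN_NAME.search(body)
            if m and m.group(1) in BAD_RUN_NAMES:
                reason = "autorun value " + m.group(1)
        elif section in ("O2", "O9"):
            m = CLSID.search(body)
            if m and m.group(0).upper() in BAD_CLSIDS:
                reason = "browser add-on CLSID " + m.group(0)
        if reason:
            hits.append((section, reason, body))
    return hits

# Constructed sample log: three entries from the post plus two benign ones.
SAMPLE = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
"""

if __name__ == "__main__":
    for section, reason, body in flag_entries(SAMPLE):
        print(f"{section}: {reason}\n    {body}")
```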