AMD802,
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Do Not turn off System Restore unless you are told to do so! Once your HijackThis log is confirmed as clean, further instructions will be given.
Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.
Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:
Security iGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
You may need to modify the default Windows XP search settings (if you haven’t already). When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out.
*Copy all the file names below to the clipboard by highlighting them all and pressing Control-C:
Code:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINDOWS\System32\hpB803.tmp
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the "Delete File" button (red circle with a white X).
*Click "Yes" at the Delete on Reboot prompt.
*Click "No" at the Pending Operations prompt.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
Delete these folders if they exist (in blue):
C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\LogFiles\
C:\Program Files\Security iGuard\
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB803.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 <-- Do you know if these are from your ISP? If they're not, delete them.
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 <-- Do you know if these are from your ISP? If they're not, delete them.
Please remember to close all other windows, including browsers, then click Fix checked.
Close HijackThis.
Restart your computer.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.
Please download Adaware SE and install it (if you don't have it already).
- Make sure it's the newest version and check for any updates before running it.
- Go to this Site to get the plug-in for fixing VX2 variants.
- Also make sure to Customize the settings in Adaware for better scan results.
- Run the scan now and fix everything that it finds.
Download Spybot 1.3 and install it (if you don't have it already).
- Update the definitions file and run a scan now. Fix all the entries which are indicated in RED.
Download CWShredder
(If you already have CWShredder on your PC, open it and click the update button first.)
Click on Fix now (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.
Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan!
Restart and post a new HijackThis log along with the results from ActiveScan.
4SG
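As an added example that is not part of the post above: a small Python scanner that applies the same triage the helper does by hand to HijackThis log lines (IE search/start URLs on the hijack domain, an extra executable on the system.ini Shell= line, BHO and Run entries pointing at the dropped files, an ActiveX download served from a bare IP, and DNS servers not on a caller-supplied ISP list). The sample log is constructed from the entries quoted in the post, and `classify`, `scan`, `BAD_FILES`, `BAD_HOSTS` and the `isp_dns` allowlist are my own names.

```python
import re
from urllib.parse import urlparse

# Constructed sample HijackThis log built from the entries quoted above; the R0 line is a benign control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB803.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38
"""

# Indicators taken from the post: the hijack domain and the files Killbox was told to delete.
BAD_HOSTS = {"startsearches.net", "www.startsearches.net"}
BAD_FILES = {p.lower() for p in (
    r"C:\Windows\popuper.exe", r"C:\Windows\system32\hhk.dll", r"C:\Windows\System32\wldr.dll",
    r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\intmon.exe", r"C:\Windows\System32\shnlog.exe",
    r"C:\Windows\System32\intmonp.exe", r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\system32\msole32.exe",
    r"C:\Windows\system32\ole32vbs.exe", r"C:\WINDOWS\System32\hpB803.tmp")}
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

def classify(line, isp_dns=()):
    """Return why a HijackThis log line looks hijacked, or None if it passes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec in ("R0", "R1") and " = " in body:              # IE start/search page URLs
        host = (urlparse(body.split(" = ", 1)[1]).hostname or "").lower()
        return "browser setting points at hijack domain" if host in BAD_HOSTS else None
    if sec == "F2" and "Shell=" in body:                    # shell line must list explorer.exe only
        extras = [x.strip() for x in body.split("Shell=", 1)[1].split(",") if x.strip().lower() != "explorer.exe"]
        return f"extra shell executable: {', '.join(extras)}" if extras else None
    if sec in ("O2", "O4"):                                 # BHO / Run entry: file path is the last token
        path = body.rsplit(" - ", 1)[-1] if sec == "O2" else body.split("] ", 1)[-1]
        if path.lower() in BAD_FILES or path.lower().endswith(".tmp"):
            return f"known dropper file: {path}"
    if sec == "O16":                                        # ActiveX download served from a bare IP
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        return f"download from bare IP {host}" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else None
    if sec == "O17" and "NameServer = " in body:            # DNS servers not on the caller's ISP list
        unknown = [s for s in body.split("NameServer = ", 1)[1].split() if s not in isp_dns]
        return f"unexpected DNS server(s): {' '.join(unknown)}" if unknown else None
    return None

def scan(log_text, isp_dns=()):
    """Return [(section, reason)] for every line of a HijackThis log that classify() flags."""
    return [(l.strip().split(" - ", 1)[0], r) for l in log_text.splitlines() if (r := classify(l, isp_dns))]
```

Passing the ISP's real resolvers as `isp_dns` is what turns the O17 question in the post into an automatic check; with an empty list every NameServer entry is reported for review.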