Next step....
Download Hoster: http://www.greyknight17.com/spy/Hoster.exe
Download and install CleanUp: http://cleanup.stevengould.org/
Download the attachment I posted here ("DANGER: SPYWARE...Smart Security 59.95$") called fixsec.txt. Save it to your desktop. Now rename it to fixsec.reg.
DO NOT run it yet.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Now locate and delete the following files...
**Note** You may not have all these...but check for each.
C:\WINDOWS2\winpos.exe
C:\WINDOWS2\System32\vbsys2.dll
c:\WINDOWS\Aja.html
c:\WINDOWS\Cjr.exe
c:\WINDOWS\desktop.html
c:\WINDOWS\popup.html
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _46.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _48.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _50.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _52.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _54.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _56.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _57.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _58.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _60.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _62.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _64.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _66.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _68.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _70.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _72.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _73.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _74.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData _75.xml
c:\WINDOWS\system32\Hcc.exe
c:\WINDOWS\PCHEALT <--folder
FDI.EXE <--locate and delete that one!!
Open the Hoster file and run the program and select "Restore hosts file".
(If XP) Navigate to the C:\Windows\Prefetch folder and delete all files in that folder.
Run the cleanup utility and reboot/logoff when prompted.
Reboot back to normal mode. Now double click that fixsec.reg file we made and merge it into the registry. If it asks you..say YES to merge.
Once that's merged...Reboot the PC.
Now..once you're back to normal Windows..right click on the desktop..select Properties...Desktop..Customize Desktop...Web..and uncheck anything listed. Now highlight and delete any entry that says security..or anything other than the default "My Current Homepage". Leave that entry be.
Run the cleanup utility again...Reboot. Once back to normal Windows post another HijackThis log. If those O4 entries are back...repeat the process as you missed a file for deletion. You MUST get them all..otherwise this thing reinstalls itself.
**Note** The fixsec.reg file MUST be run as this restores the entry keys that this hijacker disables. You can also review the fix I did at the post where the fixsec.reg file has been attached.
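
The re-check described in the last step of the post above can be done mechanically. This is an added example, not part of the original post: it scans a HijackThis log for O4 (autostart) entries that still point at an executable or DLL from the deletion list. It assumes the O4 entries in question reference those listed files, which the post does not show; the sample log lines and their value names are constructed.

```python
import re

# Executables and DLLs named in the post's deletion list (lower-cased).
LISTED_FILES = {"winpos.exe", "vbsys2.dll", "cjr.exe", "hcc.exe", "fdi.exe"}

# HijackThis writes autostart entries as "O4 - <location>: <details>".
O4_LINE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<details>.+)$")
# Any file name ending in .exe or .dll inside the details field.
FILE_NAME = re.compile(r'([^\\/\s\[\]"]+\.(?:exe|dll))\b', re.IGNORECASE)


def remaining_o4_entries(log_text):
    """Return (location, file name, full line) for every O4 entry that
    still references a file from LISTED_FILES."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = O4_LINE.match(line)
        if not match:
            continue  # not an O4 line (header, other sections, blank)
        for name in FILE_NAME.findall(match.group("details")):
            if name.lower() in LISTED_FILES:
                hits.append((match.group("location"), name.lower(), line))
                break  # one hit per log line is enough
    return hits


# Constructed sample log: value names such as [winpos] and [Example] and
# the ",Init" export are made up for illustration.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [winpos] C:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [Example] RUNDLL32.EXE C:\WINDOWS2\System32\vbsys2.dll,Init
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Example Tool.lnk = C:\Program Files\Example\tool.exe
"""

if __name__ == "__main__":
    found = remaining_o4_entries(SAMPLE_LOG)
    for location, name, line in found:
        print(f"still present ({name}) under {location}: {line}")
    if not found:
        print("no O4 entries reference the listed files")
```

An empty result only means no O4 line names one of the listed files; the files themselves still have to be gone from disk.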