Ok...lets try to correct this..
First, download and install
CleanUp! but
do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download the file located here..
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Open
Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "
Options..."
*Move the arrow down to "
Custom CleanUp!"
*Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click
OK
Press the
CleanUp! button to start the program. Reboot/logoff when prompted.
Reboot into safe mode
Run hijackthis and fix the following entrys..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Now run that
smitfraud.reg file I had you download. Allow it to merge into the registry.
C:\Program Files\Common Files\
SearchUpgrader <--delete that folder
C:\Program Files\
RXToolBar <--delete that folder
Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says
"Delete on Reboot" and checkmark the box
"Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say
YES and when the next box opens prompting you to reboot now...click
NO...and proceed with the next file. Once you get to the last one click
YES and it will reboot.
C:\WINDOWS\cdmxtras
C:\Documents and Settings\Owner\Application Data\tvm*.dll
C:\WINDOWS\inf\alchem.in?
C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
C:\WINDOWS\inf\alchem.inf
**Note** After we run this pass I want you to check the Application Data folder. Delete anything that begins with tvm I also need you to search for any of the following files and delete them as well..
alchem.cab
ALCHEM.EXE
alchem.inf
ALCHEM.INI
Again..delete anything that begins with
alchem
Once back to normal windows....run the
smitfraud.reg file again.
Next go to
Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "
Security Info" if present.
Then post another Panda scan log and an Ewido log..and let me know if you can change your desktop background and post the log from the following tool.
Download
Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.