Thread: Virus problem?
11-29-2005, 03:08 PM #4
alba
Analyst, Security Team


Hello rachsrib

Please read through the instructions carefully before starting the fix.

Go to http://WindowsUpdate. & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.

===============================================


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Download CleanUp!.exe - Install


Download CoolWebShredder
1. Open CWShredder and click - I AGREE
2. Click - Check For Update
3. Close CWShredder after updating


Download About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

Download HSFix.zip We will use this later

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
===============================================


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

===============================================


When doing the fix, you shall be viewing these instructions from Notepad.
Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
• FILE DELETION LIST
C:\WINDOWS\msed32.exe
C:\WINDOWS\niuks.dll
C:\WINDOWS\netgc.dll
C:\WINDOWS\sysou32.dll



Launch KillBox.exe
1. Go to the File menu, and choose 'Paste from Clipboard' * this feature does not work on older versions of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
2. Select/tick the following:
o Delete on Reboot
o End Explorer Shell While Killing File
o Unregister dll Before deleting * if it's not grayed out
3. Click the RED X button.
4. Click Yes at the 'Delete on Reboot' prompt.
5. Click Yes at the 'Pending Operations' prompt.
* If you receive a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe, then try Killbox again.


===============================================


Next, reboot your computer in Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


===============================================

Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

===============================================

Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

===============================================

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)


R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O2 - BHO: (no name) - {DC98992B-F1C3-69CF-38DE-E4D2A0FB2B61} - C:\WINDOWS\sysou32.dll
O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe



Please remember to close all other windows, including browsers then click Fix checked.
===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

===============================================

Run Cleanup! with the following configuration:
1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
o Empty Recycle Bins
o Delete Cookies
o Delete Prefetch files (Windows XP only)
o [X] Scan local drives for temporary files (Please uncheck this option)
o Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup



===============================================

Run CWShredder & click on Fix.


Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems.



Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose Clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.




===============================================



REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


===============================================


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


===============================================
In your next post, please include fresh logs from:
  1. HiJackThis
  2. About Buster
  3. Ewido
  4. Online scan
  5. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.

Regards
alba
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
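A small triage helper, added here as an example and not part of alba's post: it parses HijackThis log lines like the ones quoted above and flags the entries the post tells the user to fix (R0/R1 entries matching the res://C:\WINDOWS\*.dll/sp.htm pattern, the missing default URLSearchHook, and O2/O4/O23 entries that load a file from the deletion list). The non-ASCII service-name check is this example's own heuristic, and the sample log mixes lines quoted from the post with one constructed benign entry.

```python
import re
# Sample HijackThis entries: six quoted from the post above plus one constructed
# benign entry (ctfmon.exe) to show what is NOT flagged.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# The post's deletion list. Matching is by basename because the O2 entry reports
# netgc.dll under system32 while the list has it directly in C:\WINDOWS.
DELETION_LIST = [r"C:\WINDOWS\msed32.exe", r"C:\WINDOWS\niuks.dll",
                 r"C:\WINDOWS\netgc.dll", r"C:\WINDOWS\sysou32.dll"]
# The post's rule: fix every R0/R1 entry resembling res://C:\WINDOWS\*.dll/sp.htm.
CWS_RES = re.compile(r"res://[a-z]:\\windows\\[^\\/]+\.dll/sp\.html?", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_line(line):
    """Split 'R1 - body' into ('R1', 'body'); None for non-entry lines."""
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text, deletion_list=DELETION_LIST):
    """Return [(section, reason, body)] for the entries the post says to fix."""
    wanted = {basename(p) for p in deletion_list}
    flagged = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        if section in ("R0", "R1") and CWS_RES.search(body):
            flagged.append((section, "CWS res:// search hijack", body))
        elif section == "R3" and "URLSearchHook is missing" in body:
            flagged.append((section, "default URLSearchHook removed", body))
        elif section in ("O2", "O4", "O23"):
            paths = WIN_PATH.findall(body)
            if paths and basename(paths[-1]) in wanted:
                flagged.append((section, "loads a file on the deletion list", body))
            # This example's own heuristic, not the post's: non-ASCII garbage in a service name.
            elif section == "O23" and any(ord(c) > 126 for c in body):
                flagged.append((section, "service with garbled display name", body))
    return flagged
```

Running `triage(HJT_LOG)` flags the first six entries and leaves the constructed ctfmon.exe line alone; the about:blank entry from the post's fix list is deliberately out of scope here because it does not match the generic res:// rule.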