Hello PPGB and welcome to TSF,
This fix may take a few rounds as you have one of the more difficult CoolWebSearch infections.
Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this.
Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
Download the following programs and tools. Please do not run them until directed to do so.
Ewido Security Suite- Install Ewido Security Suite
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to
manually update Ewido
When you have finished updating,
EXIT Ewido.
HSFix
About Buster - Unzip to a new folder. Update About Buster & exit the program once that is completed.
CWShredder - Save it to Desktop.
- Open CWShredder and click [I AGREE]
- Click [Check For Update]
- Close CWShredder after updating
Download
CleanUp! (
Alternate Link if main link doesn't work) and install it.
Do not run it yet.
---------------------------
S& D Spybot's Tea Timer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- In the File menu click "Exit" to exit Spybot Search & Destroy.
Microsoft AntiSpyware
Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
- Right click the Microsoft AntiSpyware icon located in the system tray
- Click on Security Agents Status (Enabled)
- Click on Disable Real-time Protection
---------------------------
Go to
My Computer->[b]Tools[b]->
Folder Options->
View tab:
* Under the Hidden files and folders heading:
*
select Show hidden files and folders.
*
Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
---------------------------
Click Start->Run - type
SERVICES.MSC & then click on the OK button
*Locate the service -
Network Security Service
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the
Stop button.
*Change the Startup type to
Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...>
Delete an NT service...
*In the popup box that appears, copy/paste
11Fßä�#·ºÄÖ`I (**please note there is a space before the 11, make sure to include it.) Click on the OK button
---------------------------
Next, please reboot your computer in
Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
---------------------------
Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pvreb.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pvreb.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pvreb.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3AF7AF61-E9EC-FF85-4730-D2B5711A9B30} - C:\WINDOWS\ipqv32.dll
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\Colleen\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [sdkaz.exe] C:\WINDOWS\system32\sdkaz.exe
O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\Colleen\LOCALS~1\Temp\A.tmp.exe
O16 - DPF: Yahoo! Bingo -
O16 - DPF: Yahoo! Chat -
O23 - Service: Network Security Service ( 11Fßä�#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkek32.exe
Click
'Fix Checked' and close HijackThis.
---------------------------
Delete the following
Files if they still exist.
C:\WINDOWS\
pvreb.dll
C:\WINDOWS\
ipqv32.dll
C:\WINDOWS\system32\
sdkaz.exe
C:\WINDOWS\system32\
sdkek32.exe
---------------------------
Run CWShredder & click on [Fix].
Run About Buster and click
Begin Removal. Once that's done, just hit the OK button. Open up the
'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.
Double-click on
HSfix.reg & answer
YES when prompted to merge into the registry.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "
Options..."
*Move the arrow down to "
Standard CleanUp!"
*
Uncheck the following:
-
Delete Newsgroup cache
-
Delete Newsgroup Subscriptions
-
Scan local drives for temporary files
Click
OK
Press the CleanUp! button to start the program.
Do NOT reboot/logoff when prompted.
Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
---------------------------
Run Ewido:
*Click [
Scanner]
*Click [
Complete System Scan] to begin scanning.
*Click [
OK] when prompted to clean files
With the first file it prompts to clean, select the option - "
Perform action on all infections" - & choose
clean and click [
OK].
Once finished, click the [
Save report] button
Save the report to your desktop
Close Ewido
---------------------------
Reboot into Normal Mode.
Please
run an online scan at
http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the
"Free Online Virus Scan" in the upper right hand corner of the page under the
Free use Activescan header. We do
NOT want the default
spyXposer scan.
- Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
- Click On 'Scan Now'
- Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
- Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
- If it finds any malware, it will offer you a report. Click on see report
- Then click Save report
- Post the contents of the report in your next reply along with a new HijackThis log.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
So I need the following logs:
Ewido Results
Ab LogFile.txt
Panda ActiveScan
HijackThis