We're making progress, but this machine has been seriously infected.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
------------------------------------------
See this page for instructions on how to clear Java's cache.
------------------------------------------
I have attached a file to this post - sskplus.zip. Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.
------------------------------------------
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop. We'll use it later.
*Note* Alternate download sites for smitRem:
http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe
------------------------------------------
Download L2mfix from one of these two locations:
http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Do NOT depress any keys on your keyboard until the tool requests you to "press any key to reboot". Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot Notepad will open with a log. Copy the contents of that log and paste it back into this thread.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the log.txt does not open, double click on it in the l2mfix folder and post that log.
------------------------------------------
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinosai.exe
------------------------------------------
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
------------------------------------------
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:
MyWay
MyWebSearch
SurfSideKick 3
------------------------------------------
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
------------------------------------------
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
------------------------------------------
Delete these files/folders if present:
C:\Documents and Settings\Lori Deaton\Application Data\Sskcwrd.dll
C:\messanger.ini
C:\WINDOWS\drsmartload.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uniq
C:\PROGRAM FILES\FunWebProducts
C:\PROGRAM FILES\MyWebSearch
C:\PROGRAM FILES\WinAntiVirus Pro 2006
C:\Program Files\Common Files\Companion Wizard
C:\Program Files\Yazzle Sudoku
C:\Program Files\SurfSideKick 3
C:\WINDOWS\system32\owinosai.exe
------------------------------------------
Reboot into normal mode.
------------------------------------------
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
------------------------------------------
Run a new scan with HJT, save the log and post it here.
------------------------------------------
How is the system behaving now, please?
------------------------------------------
Please return with results from:
L2Mfix
smitfiles.txt
Kaspersky online scan
HJT
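------------------------------------------
Added example, not part of the original post: a way to check the follow-up HijackThis log for leftovers by comparing it against the entries flagged above and a few of the paths from the delete list. The function names and the sample log are constructed for illustration.

```python
import re

# HijackThis entries the post asks to fix (copied from the post).
FLAGGED = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway",
    r"R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)",
    r"O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe",
    r"O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinosai.exe",
]
# A subset of the post's delete list; extend with the remaining paths as needed.
REMOVED_PATHS = [
    r"C:\PROGRAM FILES\FunWebProducts",
    r"C:\PROGRAM FILES\MyWebSearch",
    r"C:\Program Files\SurfSideKick 3",
    r"C:\WINDOWS\system32\owinosai.exe",
]
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - <body>"

def norm(s):
    """Collapse whitespace and lowercase (Windows paths are case-insensitive)."""
    return " ".join(s.split()).lower()

def parse_entries(log_text):
    """Return (section, body) for every HijackThis entry line; skip headers."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def leftovers(log_text):
    """List entries that were flagged for fixing or still point at removed paths."""
    flagged = {norm(f) for f in FLAGGED}
    paths = [norm(p) for p in REMOVED_PATHS]
    hits = []
    for section, body in parse_entries(log_text):
        full = norm(f"{section} - {body}")
        if full in flagged:
            hits.append((section, body, "flagged entry still present"))
        elif any(p in full for p in paths):
            hits.append((section, body, "references a removed path"))
    return hits

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\MyWebSearch\bar\example.dll
"""
if __name__ == "__main__":
    for hit in leftovers(SAMPLE_LOG):
        print(hit)
```

An empty result only means none of these specific entries or paths appear in the log; it does not show the machine is clean.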