Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Download
Ewido Security Suite- Install Ewido Security Suite
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to
manually update Ewido
When you have finished updating,
EXIT Ewido.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download
CleanUp! (
Alternate Link if main link doesn't work) and install it.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.
Now, please disconnect from the internet.
Ad-Aware's AdWatch
Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
- Open AdAware SE.
- Go to AdWatch User Interface.
- Go to Tools and Preferences.
- At the bottom of the screen you will see 2 options Active and Automatic.
- Active: This will turn Ad-Watch On\Off without closing it
- Automatic: Suspicious activity will be blocked automatically
- Uncheck both options. You can enable these after resolving your problem.
- Unless they are turned off they could interfere with the fix by HijackThis.
Webroot SpySweeper
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper Shields
- Click Shields on the left.
- Click Internet Explorer and uncheck all items.
- Click Windows System and uncheck all items.
- Click Startup Programs and uncheck all items.
- Click Browser Add-Ons and uncheck all items.
- Exit Spysweeper.
Run
Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to
Standard CleanUp!
3.
Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
Run
Ewido with it's updated definitions:(...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the
Save report button & save the report to your desktop
** Ewido scan would require at least an hour.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
Delete the following
Files/
Folders if they exist:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\SYSTEM32\msupdate32.dll
Restart in normal mode.
Establish an internet connection & perform an online scan with Internet Explorer at
Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Run a new HijackThis scan. Save the log file and post it here.
Please return with logs from:
Ewido
Kaspersky
HJT