Hi aloholoh,
We're almost there.
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.
As before, it is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
*************************************************
Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).
*************************************************
Please disable the following program(s) as they may interfere with the fixes below. You may re-enable them when we are through:
Windows Defender:
- Open Windows Defender.
- Click on Tools, Options.
- Scroll down and uncheck Turn on real-time protection (recommended).
- After you uncheck this, click on the Save button and close Windows Defender.
Ewido Guard:
- Open Ewido by double-clicking the orange icon in the system tray.
- In the 'Your Computer's Security' section, toggle the Ewido Guard Resident Shield 'off' by clicking Change state, which will then change the protection status to 'inactive'.
*************************************************
Reboot into Safe Mode.
-------------------------------------
Delete the following files:
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\jwefjibj.exe
C:\WINDOWS\system32\vdyuwtiv.exe
-------------------------------------
Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE…EXPORT…and save a copy somewhere in case you make a mistake.
- Now navigate to the following keys by clicking the + sign next to each category to expand them.
- Continue doing so until you've reached the file/folder/entry I highlighted in RED
- You will see the entry in the right hand panel. Right click the entry in that panel and select 'delete'.
hkey_local_machine\system\currentcontrolset\services\DP1112
If the above registry key is giving you problems deleting:
- Right click on it and click on Permissions.
- Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK.
- Now try deleting the entry again.
Once you're done, close the Registry Editor.
-------------------------------------
Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.
Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Clean out your Temporary Internet files.
*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK.
Press the CleanUp! button to start the program.
Do NOT reboot/logoff when prompted.
---------------------------------------------------------------------------------------------
Next go to Control Panel, click Display>Desktop>Customize Desktop>Web. Now, uncheck everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then click Apply, then OK.
______________________________
Reboot into Normal Mode.
______________________________
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________
Once you reboot... I'd like to try a different online scanner as a second opinion.
Please perform an online scan with Internet Explorer at Kaspersky Online Scanner.
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
______________________________
Run combofix.exe again.
Question: Where did you download Ace Utilities from? It's showing as infected.
Please include the following in your next reply:
rapport.txt
Kaspersky results
combofix.log
New HijackThis log
__________________
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."