[POADB]

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!. .


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Place a shortcut to Panda ActiveScan on your desktop.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Download KillBox v2.0.0.175 - Save to desktop.

Download & Install CleanUp!

Download Ewido Security Suite - Install & Update it's database but do not run it yet.

If you have not already installed Ad-Aware SE 1.06, download and update Ad-Aware SE Setup. Don't run it yet!


~~~~~~~~~~~~~~

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :

• PSGuard

~~~~~~~~~~~~~~

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• C:\WINDOWS\System32\intel32.exe
  C:\WINDOWS\System32\ddmh.dll

Start KillBox.

1. Go to the [File] menu, and choose [Paste from Clipboard].
   Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
2. Select/tick the following:
   • "Delete on Reboot"
   • "End Explorer Shell While Killing File"
   • "Unregister.dll Before Deleting" if it's not grayed out.
3. Click the RED X button.
4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

~~~~~~~~~~~~~~

Reboot to SafeMode

• Shut Windows down, and then turn off the computer.
• Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
• As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
  [Windows Advanced Options] menu appears.
• Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

O2 - BHO: (no name) - {35262CA2-D9B2-42D6-A587-2149DD662E79} - C:\WINDOWS\System32\ddmh.dll (file missing)
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - {1E29A8BC-5B64-4B54-8CEB-9E02ACF2A735} - C:\WINDOWS\System32\ddmh.dll
O18 - Filter: text/plain - {1E29A8BC-5B64-4B54-8CEB-9E02ACF2A735} - C:\WINDOWS\System32\ddmh.dll


~~~~~~~~~~~~~~

Enable the viewing of Hidden files

1. Open Windows Explorer
2. Go to Tools>Folder Options>View tab.
3. enable the option for `Show hidden files and folder´
4. disable the option for `Hide file extensions for known types´
5. disable the option for `Hide protected operating system files´
6. click "Yes" to confirm & then click "OK"

Locate and delete the following folder(s), if present:

C:\Program Files\PSGuard\ ​

Locate and delete the following file(s), if present:

C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\ddmh.dll ​

~~~~~~~~~~~~~~

Run Cleanup! & configure the program up as follows:

• Click Options...
• Move the arrow down to Custom CleanUp!
• Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
• Click OK
• Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup


~~~~~~~~~~~~~~

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

~~~~~~~~~~~~~~

Open Ad-aware and close ALL other windows.

• Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the [General] window make sure the following are selected in green:
    • Under [Safety]:
      • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under [Definitions]:
    • Prompt to update outdated definitions - set the number of days = 7
• Click on the [Scanning] button on the left and select in green:
  • Under [Driver, Folders & Files]:
    • Scan Within Archives
  • Under [Select drives & folders to scan]:
    • choose all hard drives
  • Under [Memory & Registry]: all green
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
• Click on the [Advanced] button on the left and select in green:
  • Under [Shell Integration]:
    • Move deleted files to recycle bin
  • Under [Logfile Detail Level]: all green
    • include addtional object information
    • DeSelect - include negligible objects information
    • include environment information
  • Under [Alternate Data Streams]:
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
• Click the [Tweak] button and select in green:
  • Under [Scanning Engine]:
    • Unload recognized processes during scanning
    • Scan registry for all users instead of current user only
  • Under [Cleaning Engine]:
    • Let Windows remove files in use at next reboot
  • Under [Log Files]:
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Please DeSelect: Include Module list in logfile
• Click on [Proceed] to save the settings.
• Click [Start]
• Choose [Perform Full System Scan]
• DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
• Click [Next] and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
• If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  
• Right-click on the list and choose Select All
• Click the [Next] button to finish removing the items that were found

~~~~~~~~~~~~~~

Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the Save report button
• Save the report to your desktop

Close Ewido


~~~~~~~~~~~~~~

Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, smitfiles.txt and the Ewido Log.
Let us know if any problems persist.