Hello and Welcome to TSF!
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.
CleanUp!.exe - Install
About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.
CWShredder.exe
Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
ro.txt
Download it & rename it "ro.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as ro.reg.txt (double extensions)
'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING
This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.
If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Next, reboot your computer in SafeMode :
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Double-click on ro.REG & answer YES when prompted to merge into the Registry
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS
Run a scan with HiJackThis & select/tick the following & click "Fix checked" :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vrehg.dll/sp.html#10001
(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run CWShredder & click on Fix.
Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Ewido with it's updated definitions
...it's important that all windows must be closed)
** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE
Perform an online scan with Internet Explorer with Panda ActiveScan
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.
CleanUp!.exe - Install
About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.
CWShredder.exe
- Open CWShredder and click - I AGREE
- Click - Check For Update
- Close CWShredder after updating
Ewido Security Suite
- Install Ewido Security Suite
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
- On the left hand side of the main screen click update.
- Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
ro.txt
Download it & rename it "ro.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as ro.reg.txt (double extensions)
'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING
This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.
If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Next, reboot your computer in SafeMode :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Double-click on ro.REG & answer YES when prompted to merge into the Registry
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS
Run a scan with HiJackThis & select/tick the following & click "Fix checked" :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vrehg.dll/sp.html#10001
(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
- Checkmark/tick - "Ignore Safe System Info Streams"
- Click the "Scan" button
- When it has finished scanning, checkmark/tick all that it found
- Click the "remove selected" button
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
- Delete Newsgroup cache
[*]Delete Newsgroup Subscriptions
[*]Scan local drives for temporary files
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run CWShredder & click on Fix.
Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Ewido with it's updated definitions
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
- "Perform action on all infections"
- .Choose clean and click OK.
** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
- Click [Scan Now]
- Enter your e-mail address & click [Scan Now] ...begins downloading 8 MB Panda's ActiveX controls
- If it finds any malware, it will offer you a report.
- Click on see report. Then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
- Double-click the tmas-web-scan.exe icon
- It will say "Loading TrendMicro definitions".
- Click "Start Scan"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
- HiJackThis
[*] Online scan
[*] Antispyware.log
[*] About Buster
[*] Ewido