Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
On the main screen, click on Update in the left menu, then click the Start Update button.
After the Update finishes, the status bar at the bottom will display "Update successful".
Now close the program, don't scan yet!
If you have problems updating see here: http://www.ewido.net/en/download/updates/
==================================================================================
Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Now run the Ewido scan. Let the program delete what it finds.
You may have to reboot after Ewido is finished.
If so, re-boot in Safe Mode and continue from here.
Several of the following nasties may have gone already!
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:
othb.exe
??erinit.exe
AutoUpdate.exe
filwdu.exe
bebivqj.exe
SAcc.exe
UWFX5LP_0001_0614NetInstaller.exe
qwidecod.exe
Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\ipee\othb.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe
C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\
ipee\othb.exe
C:\WINDOWS\system32\
??erinit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by24fd.bay24.hotmail.msn.com...d89e2b9d93eb80133bdaf681a&_lang=EN&country=US
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: (no name) - {958A92C2-795C-26F0-54F4-55D0585977E5} - C:\WINDOWS\system32\
lblocc.dll
O2 - BHO: (no name) - {9C8A92B4-7929-22F3-54F7-59D0575477E5} - C:\WINDOWS\system32\lblocc.dll
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\
AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [8ejZRn2AJ] C:\WINDOWS\
filwdu.exe
O4 - HKLM\..\Run: [bebivqj] C:\WINDOWS\
bebivqj.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\
SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\
CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKCU\..\Run: [J0sERXJ8V]
qwidecod.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\
Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs:
MsgPlusLoader.dll
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
You had (or still have) the DownloadWare - autoupdate.exe infection.
The worst may have been removed by Ewido and my instructions above.
What Does it Do?
DownloadWare is scum of nearly every variety! It's adware, downloader, toolbar, search hijacker AND a trojan all rolled into one. This is installed using ActiveX by a number of questionable sites. It will download and install a number of various applications from its advertisers which will further mess up your system. There is truly no reason why you'll ever want to leave this trash on your system. Remove it NOW!
To remove it, FOLLOW THESE INSTRUCTIONS FROM: http://www.iamnotageek.com/a/393-p1.php
When you are done, boot normally. When all OK, switch System Restore back on.
GOOD LUCK
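
Added example, not part of the original post: a small Python parser for the HijackThis log lines listed above, which splits each entry into its section code, CLSID and file path and marks entries whose target file is already gone ("file missing"). The section descriptions are the general HijackThis conventions for the codes that appear in this log, and the sample lines are copied from the entries above that survived on a single line.

```python
import re

# Meaning of the HijackThis section codes that appear in the log above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "autostart entry", "O9": "IE extra button or Tools item",
    "O16": "ActiveX download (DPF)", "O20": "AppInit_DLLs", "O23": "Windows service",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|htm|ocx)', re.I)

# Sample input: entries copied from the log in this post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: (no name) - {9C8A92B4-7929-22F3-54F7-59D0575477E5} - C:\WINDOWS\system32\lblocc.dll
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
"""

def parse_line(line):
    """Split one log line into section code, CLSID, file path and flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank line or wrapped fragment
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return {
        "code": code,
        "section": SECTIONS.get(code, "unknown"),
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        "orphaned": "(file missing)" in body,  # registry entry left behind, file gone
        "unnamed": "(no name)" in body,        # BHO/button registered without a name
    }

def parse_log(text):
    """Parse every recognisable entry in a pasted HijackThis log."""
    return [e for e in map(parse_line, text.splitlines()) if e]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "orphaned" if e["orphaned"] else ""
        print(f'{e["code"]:>3}  {e["section"]:<30} {e["path"]}  {flag}')
```

Orphaned entries only need the registry fix in HJT; entries with a path that still exists are the ones whose files also have to be deleted afterwards.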