How to remove Begin2Search / CoolWebSearch and other Nasties.
Download as TXT-file at the bottom!
Last update 21/7/06

Also look at the other Read: How to ... posts!

============================================================================================

Download & install each program in its OWN directory, NOT on your DESKTOP or in TEMP!

HijackThis from www.tomcoyote.org/hjt/ (current version 1.99.1)
-- HJT MUST have its own directory to make Backups of all 'fixes', so you can 'undo' a wrong fix!

Spybot S&D from www.safer-networking.org: during install let it immunise your PC!

Adaware Personal SE from www.lavasoftusa.com.

AdAware VX2 plug-in from http://www.lavasoftusa.com/software/...2cleaner.shtml
-- To run VX2, go into Adaware->Add-ons and select VX2 Cleaner. Click Run Tool and OK to start it.
-- If it does not say 'Status System Clean', click the Clean button to remove the VX2 infection.

CWshredder from http://www.intermute.com/products/cwshredder.html.

CoolWWWSearch.SmartKiller from http://www.majorgeeks.com/download4113.html.
-- Some CWS-versions prevent anti-spyware apps from opening. In that case run SmartKiller first.

AboutBuster from http://www.spychecker.com/program/aboutbuster.html.

ATF Cleaner from http://www.atribune.org/content/view/25/1/
-- WinXP and Win2K only

Run the tools below.

SmitFraudFix from http://siri.geekstogo.com/SmitfraudFix.php
-- Take note of the message at the bottom of the page, along with the rest of the page.

Vundofix from http://www.atribune.org/content/view/24/2/

Look2me Destroyer from http://www.atribune.org/content/view/28/1/

VirtumundoBeGone from http://secured2k.home.comcast.net/to...undoBeGone.exe

rdrivrem.zip from http://www.atribune.org/content/view/26/0/
^This will remove the sdbot infection.

Before running these programs (now OR later), always make sure you have the LATEST program versions and definitions!

============================================================================================

REBOOT in SAFE MODE (press F8 a few times when booting or see how here).
XP/ME only: DISABLE SYSTEM RESTORE, see how here.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.

Run SmitFraudFix first.
Next run Vundofix.
Next run VirtumundoBeGone.
Next run Look2me Destroyer.
Next run AboutBuster.
Next run CWShredder. If needed, run SmartKiller first.
Next run AdAware, click 'Start', UNcheck 'Scan for negligible risk entries', select 'Perform full system scan' and click 'Next'. Let AdAware remove anything it finds.
Next, run Spybot and let it remove anything it finds.

============================================================================================

Reboot again in Safe Mode.

Run HijackThis with NO other programs open!
Fix means: put a tick-mark in the square in front of that line, when found.

I M P O R T A N T
Open Windows Task Manager by pressing CTRL+ALT+DELETE. Click the Processes tab, and keep that open!
For EVERY xxx.EXE file that is listed underneath, and that also shows in your HJT-log, select the Process with that name (if there) and click End Process for it.
Most Running Processes are repeated as O4 - HKxx further down, some are not.

Fix ANY of these:
  CHKINIT.EXE
  DCOMCFG.EXE
  DLLHOST.EXE
  DLLSERV.EXE
  MSSEARCHNET.EXE
  NVCTRL.EXE
  REGSERV.EXE
  RMCTRL.EXE (UNLESS you have PowerDVD XP)
  RUNDLL.EXE
  SMSSU.EXE
  SPOOISV.EXE <<== mind SPELLING
  TMNTSRV32.EXE

Fix ANY programs running from C:\Documents and Settings\[username]\Local Settings\Temp\WHATEVER.EXE

R0 & R1
  Fix ALL if you have an XXXsearch problem
  Fix ALL ending with: = about:blank
  Fix ALL if listed with undesirable pages.

R3: Fix ANY with (no name) AND either (no file) or (file missing)
  Default URLSearchHook is missing

F2 - REG: system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe, see AURORA note below.
O1 - Hosts: Fix ALL

O2 - BHO: Fix ANY with (no name) AND either (no file) or (file missing)
  C:\WINDOWS\SYSTEM\DSKTRF.DLL
  C:\WINDOWS\SYSTEM32\hpXXXX.tmp (where x is a random letter - four random letters after "hp" exactly)
  C:\WINDOWS\SYSTEM32\winb2s32.dll
  C:\WINDOWS\multimpp.dll
  C:\WINDOWS\systb.dll
  C:\WINDOWS\cfgmgr52.dll
  C:\WINDOWS\xxxx.tmp
  C:\WINDOWS\System32\yyyy.tmp

O3 - Toolbar: Begin2Search.com Bar - {clsid-number} - C:\WINDOWS\SYSTEM\WINB2S32.DLL

O4 - HKxx\..\Run [something]: -> look for the .EXE files <-
  RUNDLL32 AUNPS2.DLL,_Run@16
  "C:\Program Files\AutoUpdate\AutoUpdate.exe"
  bcvsrv32.exe
  RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun <<== delete ONLY cfgmgr52.dll
  C:\WINDOWS\conscorr.exe
  internat.exe
  loadqm.exe
  C:\WINNT\mmups.exe
  C:\Program Files\MessengerPlus! 3\MsgPlus.exe
  C:\Program Files\MsMovies\MsMovies.exe
  C:\Program Files\MsUpdate\MsUpdate.exe
  oddtreg.exe
  C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
  updatesp2.exe
  C:\WINDOWS\system32\svc.exe
  C:\Program Files\TV Media\Tvm.exe
  C:\WINDOWS\System32\twink64.exe blabla..
  C:\WINDOWS\System32\vidctrl\vidctrl.exe
  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
  C:\Program Files\Winamp\winampA.exe <-- Spelling!
  C:\Program Files\Windows ControlAd\WinCtlAd.exe and/or WinCtlAdALT.EXE
  winlog.exe
  C:\WINDOWS\winupdate.exe
  C:\WINDOWS\winupdates.exe
  C:\Program Files\winsupdater\winsupdater.exe
  C:\WINDOWS\System32\wintask.exe
  C:\Program Files\Common Files\WinTools\WToolsA.exe
  ..\Web Offer\WO.EXE
  ..\WildTangent\ANYTHING......

  'Google' suspicious names like these. Fix if not found or <100 results.
  [jmruplg] C:\WINDOWS\Lmddwz.exe
  [Rxagik] C:\WINDOWS\Meruoq.exe

O4 - HKLM\..\RunServices:
  [Bcvsrv32] bcvsrv32.exe
  [sp2update] updatesp2.exe
  [] winlog.exe

I M P O R T A N T
If you have any of the above RunServices, click Start/Run, type services.msc and click OK.
Double-click it if there, click Stop if it's running, and change the Startup type to Disabled.
O4 - Global Startup:
  Reboot.exe
  WHATEVER.lnk = ?

O4 - Startup: PowerReg Scheduler V3.exe

O9 - Extra button: Fix ANY with (file missing)
  WeatherBug - {clsid-number} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O10: For these see LSPFIX note below.
  Broken Internet access because of LSP provider 'xxxx.dll' missing
  Unknown file in Winsock LSP: .....
O10: For this O10 see NEW.NET note below.
  Hijacked Internet access by New.Net / WebHancer / CommonName

O14 - IERESET.INF:
  SEARCH_PAGE_URL= [blank]
  START_PAGE_URL= [blank]

O15 - Trusted Zone: Fix ALL, no matter WHAT names they have

O16 - DPF: Fix ALL, no matter WHAT names they have, except for Microsoft/Windows entries.

O17 - HKLM... Fix ALL if IP-addresses are NOT from YOUR ISP.

O23 - Service: If you find SvcProc.exe, see AURORA note below.
Found in C:\Program Files\
  \AutoUpdate
  \AWS
  \MessengerPlus! 3
  \MsMovies
  \MsUpdate
  \TV Media
  \Viewpoint
  \Web Offer
  \WildTangent
  \Windows ControlAd
  \winupdate
  \winupdates
  \Common Files\WinTools
C:\WINDOWS\System32\P2P Networking
C:\WINDOWS\System32\vidctrl

Then delete all individual files/programs that were fixed.

Delete ALL files and folders from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL users!

For XP or 2000, run ATF Cleaner, select all, and clean, and then do the same for the Firefox tab.
For other versions of Windows: in Internet Explorer, click on Tools/Internet Options and empty your Temporary Internet Files, all Offline content and delete Cookies.
In Firefox, click on Tools/Options and Clear Cache and Clear Cookies.

Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

Finally, boot in normal mode and see how the PC behaves.
Run a full AV-scan.
XP/ME-users, ENable System Restore or see here.

Stop using IE, except for Windows-updates. Get Firefox instead!

NOTES:

LSPFIX
See Broken Internet access with xxx.dll.

NEW.NET
Click Start/Control Panel/Add/Remove Programs and uninstall: New.net Application or New.net Domains
If neither is listed, download and run this: www.new.net/support/uninstall6_38.exe

AURORA
Read: How to remove Aurora/Nailfix

Last edited by howard_hopkinso; 10-23-2006 at 02:16 PM. Reason: Added new Vundo removal tool.
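
An added example, not part of the original post: a Python script that applies a subset of the HijackThis rules above (R0/R1 ending in about:blank, R3/O2 entries with no name and no file, hpXXXX.tmp BHOs, O4 autostarts from Local Settings\Temp or with a listed file name, and all O1/O15 lines) to a saved log. The function name, the regular expressions and the sample log lines are constructed for illustration, and applying the process-name list to O4 lines is an assumption based on the post's remark that running processes are repeated there.

```python
import re

# Names from the post's "Fix ANY of these" list. RMCTRL.EXE is omitted because
# the post exempts it on PCs with PowerDVD XP. Matching is on the exact file
# name, so the genuine spoolsv.exe is not confused with SPOOISV.EXE.
BAD_EXES = {"chkinit.exe", "dcomcfg.exe", "dllhost.exe", "dllserv.exe",
            "mssearchnet.exe", "nvctrl.exe", "regserv.exe", "rundll.exe",
            "smssu.exe", "spooisv.exe", "tmntsrv32.exe"}
ORPHAN = re.compile(r"\(no name\).*\((no file|file missing)\)", re.I)
HP_TMP = re.compile(r"\\system32\\hp[a-z]{4}\.tmp\b", re.I)
TEMP_EXE = re.compile(r"\\Local Settings\\Temp\\[^\\]+\.exe\b", re.I)
EXE_NAME = re.compile(r'([^\\\s"]+\.exe)\b', re.I)

def triage(log_text):
    """Return (section, reason, line) for entries the post's rules say to fix."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"([A-Z]\d+) - (.*)", line.strip())
        if not m:
            continue
        sec, body = m.groups()
        reason = None
        if sec in ("R0", "R1") and body.lower().endswith("= about:blank"):
            reason = "page set to about:blank"
        elif sec in ("R3", "O2") and ORPHAN.search(body):
            reason = "(no name) with (no file) or (file missing)"
        elif sec == "O2" and HP_TMP.search(body):
            reason = "BHO in SYSTEM32\\hpXXXX.tmp"
        elif sec == "O4" and TEMP_EXE.search(body):
            reason = "runs from Local Settings\\Temp"
        elif sec == "O4" and any(n.lower() in BAD_EXES for n in EXE_NAME.findall(body)):
            reason = "file name on the post's list"
        elif sec in ("O1", "O15"):
            reason = "post says fix ALL"
        if reason:
            hits.append((sec, reason, m.group(0)))
    return hits

# Constructed sample lines in HijackThis log layout (not from a real PC).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\SYSTEM32\hpabcd.tmp
O4 - HKLM\..\Run: [spool] C:\WINDOWS\System32\SPOOISV.EXE
O4 - HKLM\..\Run: [print] C:\WINDOWS\System32\spoolsv.exe
O4 - HKCU\..\Run: [upd] C:\Documents and Settings\user\Local Settings\Temp\a1.exe
O15 - Trusted Zone: *.example.net
"""
```

The script only flags lines for review; the fixing itself is still done in HijackThis, which keeps the backups needed to undo a wrong fix.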


