View Single Post

**Buzz1927** · 12-22-2005, 09:41 PM

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.orzrriuaraf.com/EWaLCsOgJ...TOtLm06ftu.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {9A4095B2-1BDD-8270-CE97-BE6F19BC02B5} - C:\DOCUME~1\mohamed\APPLIC~1\TITLER~1\seekbeep.exe (file missing)
O4 - HKCU\..\Run: [Mediabird] C:\DOCUME~1\mohamed\APPLIC~1\GPLREC~1\plancake.exe
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\hgpcnfnj.dll (file missing)

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite

Click on Scanner
Click on Complete System Scan and the scan will begin.
If ewido finds anything, it will pop up a notification. Select "Remove" and "Perform action on all Infections" and "Create encrypted backup".
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log
Let us know if any problems persist.

12-22-2005, 09:41 PM	#4 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 6,734	You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix. Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop. Please download, install, and update the free version of Ewido Security Suite: When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment. From the main Ewido screen, click on update in the left menu, then click the Start update button. After the update finishes, the status bar at the bottom will display "Update successful" Exit Ewido. DO NOT run a scan yet. If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates: Ad-Aware SE Setup Again, do NOT run a scan yet. Next, please reboot your computer in Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. Now scan with HJT and place a checkmark next to each of the following items: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.orzrriuaraf.com/EWaLCsOgJ...TOtLm06ftu.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html O2 - BHO: (no name) - {9A4095B2-1BDD-8270-CE97-BE6F19BC02B5} - C:\DOCUME~1\mohamed\APPLIC~1\TITLER~1\seekbeep.exe (file missing) O4 - HKCU\..\Run: [Mediabird] C:\DOCUME~1\mohamed\APPLIC~1\GPLREC~1\plancake.exe O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\hgpcnfnj.dll (file missing) Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal. Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient. Next, run Ad-aware and perform a full scan. Remove everything found. Now open Ewido Security Suite Click on Scanner Click on Complete System Scan and the scan will begin. If ewido finds anything, it will pop up a notification. Select "Remove" and "Perform action on all Infections" and "Create encrypted backup". When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop Close Ewido Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present. Restart your computer in normal mode. Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm - Once you are on the Panda site click the Scan your PC button - A new window will open...click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send - Select either Home User or Company - Click the big Scan Now button - If it wants to install an ActiveX component allow it - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) - When download is complete, click on Local Disks to start the scan - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Finally, restart your computer once more, and please post a new HijackThis log Let us know if any problems persist. __________________ The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!