Downloader.PurityScan.co

Discussion in 'Windows - Virus and spyware problems' started by venissa, Nov 3, 2006.

  1. venissa

    venissa Guest

    Message has been removed.
     
    Last edited by a moderator: Nov 7, 2006
  2. thugs121

    thugs121 Regular member

    Joined:
    Aug 3, 2004
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    26
    You got some strange entries, but I think those are some Vundo variants and some in the smitfraud family...

    Download VundoFix: http://www.filepedia.com/desktop_software/desktop_security/vundofix.cfm

    Download SmitFraudFix: http://siri.geekstogo.com/SmitfraudFix.php

    Download SUPERAntiSpyware: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    - Update, install, do not run scan yet


    Instructions (copy and paste instructions onto notepad if you want):

    You will need to boot into safe mode, instructions here: http://www.computerhope.com/issues/chsafe.htm

    Once in safe mode, run VundoFix, choose "Scan for Vundo". This may take some time... If it detects anything, choose "Remove Vundo"...

    After that, unzip the folder of SmitFraudFix, run smitfraudfix.cmd.


    A blue screen with options will appear:

    Now, choose option #2, hit "enter".

    You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit "Enter" in order to remove the Desktop background and clean registry keys associated with the infection


    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file...

    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    If you are prompted to reboot, go ahead and do so, but boot into Safe Mode again...

    Now, (assuming you are back in safe mode), run SUPERAntiSpyware and click on "Preferences", click on the tab: "Scanning Control", click to check-mark everything under: "Scanner Options". Click "Close". Now, click on "Scan your Computer...". Check-mark hard drive(s). Enable "Perform Complete Scan". Click "Next." It may take a while to scan your entire computer...

    We will fix some of the entries later with Hijack This...

    Post logs from VundoFix, SmitFraudFix (rapport.txt), SUPERAntiSpyware and Hijack This in your next response. To copy and paste the log from SUPERAntiSpyware, run SAS, click on Preferences, click on the tab: Statistics/Logs, choose the one that was saved recently, click on "View Log..." This will pop up and allow you to copy and paste...
     
  3. venissa

    venissa Guest

    This message has been removed
     
    Last edited by a moderator: Nov 7, 2006
  4. thugs121

    thugs121 Regular member

    Looking good, let's finish getting rid of the nasties...

    It seems as though some are saved in your system restore. To clear those:

    Turning off System Restore

    1) On the Windows task bar, click "Start"

    2) Right-click "My Computer", and then click "Properties"

    3) On the "System Restore" tab, check "Turn off System Restore" or "Turn off System Restore on all drives"

    **If you do not see the System Restore tab, you are not logged on to Windows as an Administrator**

    4) Click "Apply"

    5) When you see the confirmation message, click Yes

    6) Click OK


    Turning System Restore back on

    1) On the Windows task bar, click "Start"

    2) Right-click "My Computer", and then click "Properties"

    3) On the "System Restore" tab, uncheck "Turn off System Restore" or "Turn off System Restore on all drives"

    4) Click "Apply"

    5) When you see the confirmation message, click Yes

    6) Click OK

    Now, run Hijack This (Do a system scan only), remove these entries, if they exist:
    R3 - URLSearchHook: (no name) - {77CB09BF-CC75-9F8B-7D56-BACE6599EBC9} - C:\WINDOWS\system32\tlr.dll (file missing)

    O2 - BHO: (no name) - {1A11A399-C54D-4386-FEF5-02FFE18EA978} - C:\WINDOWS\system32\jklzpuf.dll (file missing)

    O2 - BHO: (no name) - {77CB09BF-CC75-9F8B-7D56-BACE6599EBC9} - C:\WINDOWS\system32\tlr.dll (file missing)

    O4 - HKCU\..\Run: [Sdx] C:\Documents and Settings\user\Application Data\?dobe\w?crtupd.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    O20 - Winlogon Notify: winhfn32 - winhfn32.dll (file missing)

    Download CWShredder: http://www.trendmicro.com/cwshredder/

    After removing those entries using Hijack This, restart your computer...

    Run CWShredder, accept the license agreement, click "Fix"

    Update McAfee for the latest virus definitions and update SUPERAntiSpyware...

    Run full system scans for both McAfee and SAS...

    Post new logs of McAfee (if there is one), SAS, Hijack This
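
A triage sketch for the HijackThis entries listed in the post above, added here as an example and not part of the original thread or of any tool it mentions: it parses each line into section code, entry type and CLSID, flags the traits visible in those entries, and reports CLSIDs registered under more than one hook type. The field layout is inferred from the lines shown, and reading `?` as a character the log could not render is an assumption.

```python
import re

# Entries copied from the post above (the HijackThis lines listed for removal).
SAMPLE = r"""
R3 - URLSearchHook: (no name) - {77CB09BF-CC75-9F8B-7D56-BACE6599EBC9} - C:\WINDOWS\system32\tlr.dll (file missing)
O2 - BHO: (no name) - {1A11A399-C54D-4386-FEF5-02FFE18EA978} - C:\WINDOWS\system32\jklzpuf.dll (file missing)
O2 - BHO: (no name) - {77CB09BF-CC75-9F8B-7D56-BACE6599EBC9} - C:\WINDOWS\system32\tlr.dll (file missing)
O4 - HKCU\..\Run: [Sdx] C:\Documents and Settings\user\Application Data\?dobe\w?crtupd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: winhfn32 - winhfn32.dll (file missing)
""".strip().splitlines()

# "<code> - <entry type>: <rest>", e.g. "O2 - BHO: ..."; layout inferred from the lines above.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Return a dict for one log entry, or None for header and other non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    clsid = CLSID.search(rest)
    flags = []
    if rest.endswith("(file missing)"):
        flags.append("file-missing")       # the referenced file was not found on disk
    if "(no name)" in rest:
        flags.append("unnamed")            # the component registered no display name
    if "?" in rest:
        flags.append("unrenderable-char")  # assumption: '?' replaced a character the log could not render
    return {"code": m["code"], "kind": m["kind"],
            "clsid": clsid.group(0) if clsid else None, "flags": flags}


def shared_clsids(entries):
    """CLSIDs that appear under more than one section code (e.g. both R3 and O2)."""
    seen = {}
    for e in entries:
        if e and e["clsid"]:
            seen.setdefault(e["clsid"], set()).add(e["code"])
    return {c: sorted(codes) for c, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    parsed = [parse_entry(line) for line in SAMPLE]
    for e in parsed:
        print(e["code"], e["kind"], e["clsid"], e["flags"])
    print("shared:", shared_clsids(parsed))
```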
     
  5. venissa

    venissa Guest

    This message has been removed
     
    Last edited by a moderator: Nov 7, 2006
  6. venissa

    venissa Guest

    This message has been removed
     
    Last edited by a moderator: Nov 7, 2006
  7. thugs121

    thugs121 Regular member

    Did McAfee detect and remove any viruses/trojans?

    Let's use BitDefender to clean up what McAfee may have missed:

    http://www.bitdefender.com/scan8/ie.html

    - You will need to use Internet Explorer to use this online scanner. Follow the instructions and accept the license agreement and do a full system scan and be sure to save a log (if it lets you)...

    Download CCleaner (clears out files in your temp folder and other unnecessary files): http://majorgeeks.com/download.php?det=4191

    Run CCleaner, click on "Options" (on the left side), click on "Advanced", uncheck "Only delete in Windows Temp folders older than 48 hours"... click on "Cleaner", click on "Run Cleaner" (on the bottom right)...

    This may take some time depending on how much stuff you may have accumulated...

    Run CCleaner first, then use BitDefender's online scanner...

    After you are done, post logs from BitDefender and Hijack This
     
  8. venissa

    venissa Guest

    This message has been removed
     
    Last edited by a moderator: Nov 7, 2006
