- Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
- Double click the Smitrem.exe icon on your Desktop.
- Then click Run>Start and a Smitrem folder will appear on your desktop also.
- Place a shortcut to Panda ActiveScan on your desktop.
- Download the trial version of Ewido Security Suite
  - Please read Ewido Setup Instructions
  - Install the program
  - Update the definitions to the newest files.
  - DO NOT RUN IT YET
- Install Ad-Aware SE 1.06, follow these download and setup instructions.
  - Ad-Aware SE Setup
  - Update the definitions
  - DO NOT RUN IT YET
- REBOOT your computer in SafeMode by doing the following:
  - Restart your computer
  - After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  - Instead of Windows loading as normal, a menu should appear
  - Select the first option, to run Windows in Safe Mode.
- Now open HJT, click SCAN and place a checkmark next to each of the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.savewealt...e6/welcome.html
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\arqaol.exe reg_run
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [csrs] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [sman] C:\DOCUME~1\OWNER~1.GAR\LOCALS~1\Temp\app16A.tmp
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\RunServices: [Popup Blocker System8 Monitoring] PopUpBlocker8.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB26457-72EE-4AB8-924B-A1DE99CD386B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{319FD73E-7772-43DF-B532-61250E07309A}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DAA016-D679-400B-849A-3DF6CC30747B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE710E87-41E5-4C12-8645-525C0A141282}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\usbbay.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe
- Click the Fix Checked box and EXIT HJT
- Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:
C:\WINDOWS\System32\arqaol.exe
C:\WINDOWS\System32\vidctrl<===Folder
C:\Program Files\BearShare<===Folder
C:\WINDOWS\System32\intel32.exe
C:\winstall.exe
C:\WINDOWS\System32\mousecrm.exe
C:\Program Files\Visual Networks
C:\WINDOWS\System32\csrs.exe
C:\DOCUME~1\OWNER~1.GAR\LOCALS~1\Temp\app16A.tmp
C:\WINDOWS\System32\yaemu.exe
PopUpBlocker8.exe<===Search for it
csrs.dll <===You will have to search for this one
C:\WINDOWS\usbbay.exe
C:\WINDOWS\winmon.exe
- Open the smitRem folder
- Double click the RunThis.bat file to start the tool.
- Follow the prompts on screen.
- Wait for the tool to complete and disk cleanup to finish.
- Open Ad-aware and do a full scan. Remove all it finds.
- Run Ewido:
  - Click on scanner
  - Click on Complete System Scan and the scan will begin.
  - NOTE: During some scans with ewido it is finding cases of false positives.
    - You will need to step through the process of cleaning files one-by-one.
    - If ewido detects a file you KNOW to be legitimate, select none as the action.
    - DO NOT select "Perform action on all infections"
    - If you are unsure of any entry found select none for now.
  - When the scan is finished, click the Save report button at the bottom of the screen.
  - Save the report to your desktop
  - Close Ewido
- Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
- REBOOT back into Normal Mode
- Click the Panda ActiveScan shortcut
  - Do a full system scan.
  - Make sure the autoclean box is checked!
- Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Regards,
Trevuren
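
An added example, not part of Trevuren's post: a small Python cross-check of the HijackThis fix list against the manual delete list, using a subset of the entries and paths from the post. The function names are this example's own; it reports which autostart targets fixed in HJT are not named for manual deletion, and handles unquoted paths that contain spaces.

```python
import re

# Entries and paths copied from the post above (subset, for brevity).
FIX_LIST = r"""
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\arqaol.exe reg_run
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
"""
DELETE_LIST = [
    r"C:\WINDOWS\System32\arqaol.exe", r"C:\WINDOWS\System32\vidctrl",
    r"C:\winstall.exe", r"C:\WINDOWS\System32\mousecrm.exe",
    r"C:\Program Files\Visual Networks",
]

def target_path(command):
    """Return the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted: path ends at the closing quote
        return command[1:command.index('"', 1)]
    # Unquoted paths may contain spaces, so cut after the first ".ext" that is
    # followed by whitespace or end of line instead of at the first space.
    m = re.match(r"(.*?\.\w{2,4})(?=\s|$)", command)
    return m.group(1) if m else command

def autostarts(log):
    """Yield (kind, name, path) for O4 run keys and O23 services."""
    for line in log.splitlines():
        m = re.match(r"O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$", line)
        if m:
            yield m.group(1), m.group(2), target_path(m.group(3))
        elif line.startswith("O23 - Service: "):
            name, _owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            yield "Service", name, target_path(path)

def covered(path, delete_list):
    """True if path is listed itself or lies under a listed folder."""
    p = path.lower()                     # Windows paths are case-insensitive
    return any(p == d.lower() or p.startswith(d.lower().rstrip("\\") + "\\")
               for d in delete_list)

def not_on_delete_list(log, delete_list):
    return [path for _k, _n, path in autostarts(log) if not covered(path, delete_list)]

if __name__ == "__main__":
    for path in not_on_delete_list(FIX_LIST, DELETE_LIST):
        print("fixed in HJT but not on the manual delete list:", path)
```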