Welcome obm to Geeks to Go!
Thank you for your patience, the forum is very busy.
Download and Save Spywadfix to your computer from this link:
http://www.thespykil...s/spywadfix.exe.
It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.
If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run.
It is not malicious.
It will open an Input box. Paste this line into the box:
C:\WINDOWS\System32\Qvp.exe
The script will kill that process, back up and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.
The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.
It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your windows default desktop and context menu functions.
It will restart Explorer.
** The script does not remove the orphaned run entries.
Finally, it will run HijackThis so that you can remove the orphaned run entries and anything else as posted in my next post.
If HijackThis doesn't start, run it manually.
Place a check against each of the following, making sure you get them all and not any others by mistake:
Click on Fix Checked when finished and exit HijackThis.
--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.
If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.
Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.
I have included another vbs to do this. It is named Other Profiles Regfix.vbs
Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs
Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.
Then run HijackThis and remove the entries as directed.
You will need to do this step for every user account.
To reset your wallpaper, open Display Properties > Desktop Tab. Choose a Wallpaper and apply. Close Display Properties. To see the change, click on the desktop and press F5.
Hope to hear from you soon.
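Added example, not part of the original post: one way to pick out exactly the orphaned Run entries in a HijackThis log, by matching each `O4 - HKLM\..\Run: [Name] command` line's target against the files the cleanup deleted, so nothing else gets checked by mistake. The sample log lines and deleted-file list are constructed, the function names are hypothetical, and the deleted paths are passed in as a plain list because the post does not show the layout of Spywad.txt.

```python
import re

# HijackThis Run-key line: O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

def parse_o4(line):
    """Return (hive, value_name, command) for an O4 Run line, else None."""
    m = O4_RUN.match(line.strip())
    return m.groups() if m else None

def target_path(cmd):
    """Executable path of a Run command, lower-cased (Windows paths are case-insensitive)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:                                        # unquoted: path may contain spaces
        m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    return path.lower()

def split_entries(log_lines, deleted_paths):
    """Split O4 Run lines into (orphaned, keep).

    orphaned: entries whose target file was deleted by the cleanup.
    keep:     every other Run entry, which should stay unchecked.
    """
    deleted = {p.lower() for p in deleted_paths}
    orphaned, keep = [], []
    for line in log_lines:
        parsed = parse_o4(line)
        if parsed is None:                       # not an O4 Run line, ignore
            continue
        bucket = orphaned if target_path(parsed[2]) in deleted else keep
        bucket.append(line.strip())
    return orphaned, keep

# Constructed sample input (not taken from a real log).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Abc] C:\WINDOWS\Xyz.exe',
    r'O4 - HKCU\..\Run: [Abc] C:\WINDOWS\Xyz.exe',
    r'O4 - HKLM\..\Run: [Def] C:\WINDOWS\System32\Uvw.exe -s',
    r'O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\avtray.exe" /min',
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)',
]
SAMPLE_DELETED = [r'c:\windows\xyz.exe', r'C:\WINDOWS\SYSTEM32\UVW.EXE']

if __name__ == "__main__":
    fix, keep = split_entries(SAMPLE_LOG, SAMPLE_DELETED)
    print("Check and fix:", *fix, sep="\n  ")
    print("Leave alone:", *keep, sep="\n  ")
```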