Fixes for Specific Infections

The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic scheduled backups ("restore points") of critical Windows components, including the registry. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. The backup files for these restore points are kept in the C:\System Volume Information\_restore folder, which is a hidden system folder.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot," the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder, most anti-virus and anti-spyware programs don't have permission to delete the infected files stored there. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows will automatically delete the contents of the _restore folder.

Note that because disabling System Restore deletes all data in the restore folder, you'll want to re-enable System Restore once you're sure that your system is clean.

The Fix

For Windows XP:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.

5. Run another full scan with your anti-virus/anti-spyware programs to verify that the infected files have been deleted.

Once your system is clean: reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.

For Windows ME:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. On the Performance tab, click File System.

3. Click "OK" twice, and then click "Yes" when you are prompted to restart the computer.

4. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the "Disable System Restore" check box.

(Link to original post -- http://www.daniweb.com/techtalkforums/thread13362.html)

Scan with HiJackThis and look for a line similar to this:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load

Place a check in the box to the left, click Fix checked, and see if that resolves the issue.

If the entry is also in an 02 line of the
HhijackThis log, you may need to go to C:\WINDOWS\system32 & delete the file manually as well. At the least, go there to see if it is still there.
___________________________________________________________

BEFORE POSTING A HiJackThis LOG, PLEASE REVIEW THE FOLLOWING LINK:

http://www.2-spyware.com/file-bridge-dll.html

Bridge.dll is related to WinFavorites, which apparently is spyware. The above link tells you exactly what to do to resolve the issue. If this doesn't fix your problem, THEN AND ONLY THEN should you ask for help. Also, you should only post an HJT log if asked for one.

HiJackThis is an excellent tool, but only in the hands of a user skilled enough to interpret the results. It is unfair just to post an HJT log and basically say, "fix it!". These posts don't contribute anything to the community we're trying to build here, and it indicates a lack of initiative on the part of the original poster, basically showing that the user isn't interested in learning anything, only having their problem fixed. That's not the type of user we want to foster here...

(Link to original post -- http://www.daniweb.com/techtalkforums/thread7370-bridge.dll+before.html)

This fix may work for any of the following infestations:
Cassandra
Desktophijack
Error Message 317
HotOffers
Joke.Smitfraudoid
NEWGENLOOK
SmitFraud
Specialgoods
Searchmiracle

In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Download, install, update, and run CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix any R0 or R1 entries similar to this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
(hotoffers may be substituted with specialgoods, newgenlook, or searchmiracle)

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

The infection should now be gone. If remnants of it still remain, please follow these instructions:

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Navigate to and delete the following subkeys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib
\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database
\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions
\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion
\Policies\System

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"

Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version
\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

Exit the Registry Editor.

If these steps fail to remove your infection, you can find links to other removal tools and instructions here:
http://www.techzonez.com/forums/showthread.php?t=15689

Now, close any open browser windows, scan with HijackThis, and post a log in the Virus forum please, to verify your system is clean.

This fix should work for the Aurora / Nail infection.

You will need to be disconnecting from the internet, so you may wish to print these instructions.

If you don’t already have HijackThis, please download the self-extracting version of it from here (in line 2):
http://www.malwareremoval.com/downloads.html

Download Ewido Security Suite from here (XP users only):
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido; during the scan it will prompt you to clean files, click OK. (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, Double-click on the Hijackthis.exe icon that is on your desktop; scan with HijackThis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

A gibberish O4 entry the ends with the letter 'r', similar to this one:
O4 - HKLM\..\Run: [wuntkqh] c:\windows\system32\ssxzrmh.exe r

And
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close any open windows, other then HijackThis, and click on Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\the gibberish file in the O4 entry above

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe

If any of these files are located, but cannot be deleted, follow the Delete on reboot instructions:

Open HijackThis, and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file name into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Allow your computer to reboot normally.

Empty your Recycle Bin.

Close any open browser windows, scan with Hijackthis, and post the log along with the Ewido log in the Virus forum to verify your system is clean.

This post covers the removal of:

About:blank
CoolWebSearch
CoolWwwSearch
Home Search Assistant
Search Extender
Shopping Assistant
Shopping Wizard
White-Pages.ws
YouFindAll

You will need to disconnect from the internet, so you may wish to print these instructions.

Download, install, and update these utilities, and then close the programs (don't scan yet):

Ewido Security Suite (XP users only) -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.besttechie.net/tools/AboutBuster.zip
HSRemove (XP users only) -- http://www.majorgeeks.com/download4286.html
Sp.html-Se.dll Hijack Fix (Windows 2000 & XP only) -- http://www.majorgeeks.com/Sp.html-Se.dll_Hijack_Fix_2000XP_d4617.html
or
SpSeHjfix -- http://www.derbilk.de/SpSeHjfix112.zip (save it to the Desktop, and then right-click in a blank area of Desktop, select New, Folder, and name it spfix; unzip the file into that folder.

Disconnect from the net and reboot into Safe Mode.

Now run the utilities:

about:Buster

HSRemove

Sp.html-Se.dll Hijack Fix or SpSeHjfix (click on Start Disinfection. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Note: if it doesn't find any of the SE files or any hidden reinstallers, it will say System clean and not go on to next stage).

CWShredder

Ewido; during the scan it will prompt you to clean files, click OK (note: you will be posting the log from this scan later).

Scan with HijackThis and have it fix any entries similar to the following:

Any R0 or R1 entries that have an "sp.html" in them, like:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have about:blank in them:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

Any R0 or R1 entries that have SearchAssistant:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rpkrr.dll/sp.html#28129

Any R0 or R1 entries that have "index.php" in them:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php

R3 - Default URLSearchHook is missing

Close any open windows, other then HijackThis, before hitting Fix checked.

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste home search assistant, and then click on Find Next

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the 'Find' instructions for search extender, shopping wizard, and shopping assistant.

Close the Registry Editor.

Reboot normally, close any open browser windows, scan with HijackThis, and post the log in the Virus forum along with the Ewido log.

Uninstall Messenger Plus as it comes bundled with LOP. You can reinstall Messenger Plus without the sponsor.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer

You may be given a code to insert, do so and reboot when done.

If none of these are listed, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Reboot , close any open browser windows, scan with HJT, and post a log to verify your system is clean.

You can find complete instructions for removing Smitfraud and SpySheriff here:
http://www.bleepingcomputer.com/forums/How_to_remove_SpySheriff_Winstallexe_Spysheriffexe-t22402.html

And this will work for AntiVirusGold, Smitfraud, and SpySheriff:
http://forums.techguy.org/showthread.php?t=376692&page=1

Dsr/Dinst removal.

==

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.

==

Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.

• Download DSRFIX from HERE onto your Desktop.
  • Unzip and EXTRACT the files to your Desktop.
  • The program creates and names the new folder to house the files.
  • DO NOT RUN IT YET
• Download Cleanup from Here (Alternate site if the above is not working Go Here)
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET
• CLOSE INTERNET EXPLORER, if it is open
• Open the folder dsrfix
  • Double click on the dsrfix batch file( the one with the little gear in it )
  • Once dsrfix has completed it will close on its own
• Please restart HJT, put a checkmark next to the following items, and with all windows closed except for HJT, click “Fix Checked and EXIT the program.

  Insert the 04 dsr and dinst entries here

• Run Cleanup
  • Click on the "Cleanup" button and let it run.
  • Once its done, close the program.
• REBOOT your system.
• Please restart HJT and post back a fresh HJT log for review.

Win-eto.

Download and install Ad-Aware SE.

Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

Once the update is finished close Adaware.

Reboot into safe mode following the instructions here.

Start Adaware and run a full scan. Remove all that is found, close Adaware and reboot normally.

If you still have problems with win-eto, post an hijackthis log.

Newdotnet, New.net removal.

Go to Start>Control Panel>add/remove programs and remove(ununstall) the Newdotnet entry from there, or go here and scroll down to the uninstall tool.

Collected.5.L Trojan.

Click here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\(file name following Shell=Explorer.exe, from the F2 line in hijackthis)
C:\WINDOWS\System32\msdirectx.sys

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.

F2 - REG:system.ini: Shell=Explorer.exe,random.exe

Close all windows except HijackThis and click Fix checked:

Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

Doubleclick the file you made and confirm you want to merge it with the registry.
Reboot once more and post a new log.

PurityScan is an adware program that downloads and displays advertisements on a computer. To stop the ads, run the uninstaller found here:

http://www.purityscan.com/uninstall.html

First, you need to be sure your system is set to 'Show hidden files and folders.' Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings:
Select Show hidden files and folders
Deselect (uncheck) Hide protected operating system files.

If you're getting any popup messages, don't click on them, not even the 'X' to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Download CleanUp from here:
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Install it, but don't run it yet.

Download LQfix.exe from one of the following locations:
http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe

Install it, but do NOT run it yet (you will need to boot into Safe Mode first).
Installation and running notes --

• To install, double-click LQfix.exe and click Next, then Next, and then Install.
  When you run it:
• Leave the default settings, if you change them, the fix will Fail!
• You will need an active internet connection, so make sure your you're not blocking any connection now.
• Make sure the "Launch LQfix" box is checked.
• Click the Finish button to start the fix.
• Follow the on-screen prompts.
• Your system will reboot afterwards.
• Please be patient after the reboot, there is a script running in the background that needs to complete.

Reboot into Safe Mode and run LQfix.bat.

When it's finished (after your system reboots), scan with HijackThis, and have it fix the following entries:

Note: This first entry should have elite followed by three letters and the number 32 -- and the second entry should have pokapoka followed by two numbers as in these examples:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterdj32.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
And
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe

Close any open windows, other then HijackThis, and hit Fix checked.

With HijackThis still open, click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy and paste (the elite entry from your log, similar to this) -- C:\windows\system32\eliterdj32.exe into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes and boot into Safe Mode again.

Repeat the 'delete on reboot' instructions for C:\WINDOWS\etb\pokapoka62.exe, again rebooting into Safe Mode.

Then go to the following locations and delete the highlighted file and folder (if present):

C:\windows\system32\eliterdj32.exe (again, whatever elite file showed in your log)

C:\WINDOWS\etb

Empty your Recycle Bin and reboot normally.

Now run CleanUp!; click the Options... button and then move the Quick Setup slider to the Thorough Cleanup position. If you have any bookmarks, Uncheck the option Delete Favorites/Bookmarks. Click OK to return to the main window and click CleanUp! to start cleaning. When it's finished, click Close, and then No (to avoid logging off).

Close any open browser windows, scan with HJT, and post a log in the Virus forum.

(This fix obtained from http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42143)

Boot/reboot into Safe Mode

Go to Add/Remove Programs in the Control Panel and remove:
MyWay (or MyWaySA)

If you get a window to "Remove Share Component", click "Yes to All"

If you get a window to "Remove Share File", click "Yes to All"

Do NOT restart the computer when asked

Go to Start, Find (or Search), Files or Folders; Look In should say Local Hard Drives
Type MyWay (or MyWaySA) and hit Enter -- delete any instances found.

Go to Start, Run, and type in (or copy and paste) MsiExec.exe /X{78d944d7-a97b-4004-ab0a-b5ad06839940}

Click OK and follow the prompts to remove MyWay

Go to Start, Run, type in regedit, and hit Enter

Highlight My Computer

Click Edit, Find, type in MyWay, and hit Enter. Delete anything found, press F3 to continue searching, deleting any/all found until the search is complete.

Close all windows when finished and reboot normally.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.

If you still require help, post an hijackthis log in the Viruses, Spyware & other Nasties forum.