AntiSpywareMaster and RegistryGreat | How to remove
AntiSpywareMaster looks like AntiSpywareExpert, AntispywareDeluxe.
The program reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.
Usually, rogue antispyware infects systems via misleading advertising on free download, warez and porn websites, trojans and browser security holes.

HijackThis shows the infection:
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
AntiSpywareMaster Files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk
%ProgramFiles%\AntiSpywareMaster\asm.exe
RegistryGreat
The program may then give a report of exaggerated registry errors on the computer.

HijackThis shows the infection:
O4 - HKLM\..\Run: [RegistryGreat] C:\Program Files\RegistryGreat\RegistryGreat.exe
RegistryGreat files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Registry Easy.lnk
%UserProfile%\Desktop\Registry Great.lnk
%UserProfile%\Local Settings\Temp\Perflib_Perfdata_e04.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great Help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Uninstall Registry Great.lnk
%ProgramFiles%\Registry Great\Code
%ProgramFiles%\Registry Great\errorlist.txt
%ProgramFiles%\Registry Great\GreatHelp.chm
%ProgramFiles%\Registry Great\RegGreatUpdate.exe
%ProgramFiles%\Registry Great\RegistryGreat.exe
%ProgramFiles%\Registry Great\RegistryGreat.url
%ProgramFiles%\Registry Great\ScanResult
%ProgramFiles%\Registry Great\unins000.dat
%ProgramFiles%\Registry Great\unins000.exe
%ProgramFiles%\Registry Great\Update.ini
How to remove
Download and install SuperAntiSpyware.
Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check: ‘Perform Complete Scan’. Click ‘Next’ to start the scan.
SuperAntiSpyware will now scan your computer; when it’s finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum
May 2, 2008 on 11:18 pm | In Rogue Anti Spyware, Tutorials - "How to"
How to remove the new rogue antispyware programs Malware Bell and IE Antivirus
S!Ri.URZ and Bharath’s Security Blog reported new rogue antispyware programs: Malware Bell and IE Antivirus.
Malware Bell is a new version of IE Defender.

VirusTotal results for the Malware Bell installer:
AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.MalwareBell.F
DrWeb 4.44.0.09170 2008.04.26 Trojan.Fakealert.525
Fortinet 3.14.0.0 2008.04.26 Misc/MalwareBell
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.MalwareBell.F
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.MalwareBell.f
NOD32v2 3057 2008.04.26 Win32/Adware.IeDefender.NDG
Prevx1 V2 2008.04.26 Generic.Malware
Sophos 4.28.0 2008.04.26 Troj/FakeVir-AY
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.MalwareBell.F
It displays an alert message:
Your system is infected with dangerous virus!
Note: Strongly recommend to install antispyware program to clean your system and
avoid total crash of your computer!
IE Antivirus looks like: IE Defender, Files Secure, Malware Bell.

VirusTotal results for the IE Antivirus installer:
AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.IeDefender.CJ
Fortinet 3.14.0.0 2008.04.26 Misc/IeDefender
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.IeDefender.CJ
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.IeDefender.cj
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.IeDefender.CJ
Home sites for these rogue apps:
Site Name: MalwareBellAgreement.com
Site Name: IEAntiAVDownload.com
IP Address: 89.149.227.195
Sample URLs:
malwarebellagreement(dot)com/mb.exe
malwarebellagreement(dot)com/ieav.exe
ieantiavdownload(dot)com/ieav.exe
ieantiavdownload(dot)com/mb.exe
Use SmitfraudFix to remove them.
If you are still having problems with spyware after using SmitfraudFix, then ask for help on the Spyware help forum.
April 28, 2008 on 3:37 am | In Rogue Anti Spyware, Tutorials - "How to"
How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar
The Softwarereferral infection is a hijacker. If your computer is infected, you get many popups, the Internet Explorer start page is changed to softwarereferral.com, a blinking stop sign with an X appears in the system tray, and system alert popups appear continually.
Download HijackThis and double-click on the file to install it.
Download CCleaner. Double-click on the file to install it.
Download Combofix.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items (if they exist):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O2 - BHO: GNX Rolex - {CD6DCA54-AE70-4562-BD9E-0C0A32F01347} - C:\WINDOWS\drnpfdxsnp.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKCU\..\Run: [awedpedp] C:\WINDOWS\system32\naxgxwbu.exe
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {360925C8-9CA2-4D10-9C9D-4DA09A5840FB} - C:\WINDOWS\altvxvm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Note: SSODL modules can have a random name and a different CLSID; use Google to check them.
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Close any open browsers. Double click on combofix.exe and follow the prompts.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
If everything seems to be good (the popups are gone and there are no redirects), then you should make a new restore point. Disable System Restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on “create new restore point”, click on NEXT and follow the prompts.
If you are still having problems with spyware after completing these instructions, you may have another version of the infection; in that case please follow the steps in: How to use Spyware Removal Forum.
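The HijackThis lines in this post can also be triaged by script. The following is an added example, not part of the original post or of HijackThis: it parses the R0, O2, O3, O4 and O21 line shapes shown above and flags entries by structure rather than by exact name, since the names and CLSIDs can be random. The flagging rules, the allowed start-page list and the last sample line are assumptions made for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section key name target")

# Sample log: the first six lines are quoted from this post, the last one
# (a Java updater autorun) is constructed as a benign comparison.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKCU\..\Run: [awedpedp] C:\WINDOWS\system32\naxgxwbu.exe
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
"""

# One pattern per HijackThis line shape that appears on this page.
PATTERNS = [
    # R0/R1 - <registry value> = <url>
    (re.compile(r"^(R[01]) - (.+?) = (.*)$"),
     lambda m: Entry(m[1], m[2], "", m[3])),
    # O2/O3/O21/O22 - <kind>: <name> - {CLSID} - <file>
    (re.compile(r"^(O(?:2|3|21|22)) - [^:]+: (.*?) - "
                r"(\{[0-9A-Fa-f-]{36}\}) - (.*)$"),
     lambda m: Entry(m[1], m[3], m[2], m[4])),
    # O4 - <run key>: [<value name>] <command line>
    (re.compile(r"^(O4) - (.+?): \[(.*?)\] (.*)$"),
     lambda m: Entry(m[1], m[2], m[3], m[4])),
]

ALLOWED_START_HOSTS = {"www.google.com"}  # assumption: local policy


def parse(log_text):
    """Turn recognised log lines into Entry tuples; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, build in PATTERNS:
            m = pattern.match(line)
            if m:
                entries.append(build(m))
                break
    return entries


def _stem(path):
    # File name without directory or extension, lower-cased.
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_random(stem):
    # Heuristic with false positives: four or more consonants in a row.
    return stem.isalpha() and re.search(r"[^aeiou]{4,}", stem) is not None


def reasons_for(e):
    """Return the list of reasons an entry deserves a closer look."""
    reasons = []
    target = e.target.lower()
    if e.section in ("R0", "R1") and "start page" in e.key.lower():
        host = urlparse(e.target).hostname or e.target
        if host not in ALLOWED_START_HOSTS:
            reasons.append("start page set to " + host)
    if e.section in ("O2", "O3", "O21", "O22"):
        # Module sits directly in C:\WINDOWS, not system32 or Program Files.
        if re.match(r"^c:\\windows\\[^\\]+\.dll$", target):
            reasons.append("shell/browser module loaded from Windows root")
    if e.section == "O4":
        if "\\policies\\explorer\\run" in e.key.lower():
            reasons.append("autorun via Policies\\Explorer\\Run")
        if "\\application data\\" in target:
            reasons.append("autorun binary under Application Data")
    if e.section.startswith("O") and looks_random(_stem(e.target)):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text):
    """Return (entry, reasons) pairs for every flagged entry."""
    flagged = []
    for e in parse(log_text):
        reasons = reasons_for(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry.section, entry.target, "->", "; ".join(why))
```

A flagged entry is only a candidate for review; the name and CLSID should still be looked up before anything is fixed in HijackThis.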
March 28, 2008 on 6:39 am | In Tutorials - "How to"
How to uninstall combofix
Combofix by sUBs is a very good free anti-spyware program.
After using it, you may uninstall it from your PC.
Go to Start > Run
Type in the box:
combofix /u
Note: the space between the X and the /u
Press Enter.
This command will:
- Delete the following:
  ComboFix and its associated files and folders.
  VundoFix backups, if present
  The C:\Deckard folder, if present
  The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
Found new rogue antispyware programs
The Sunbelt blog reported some new rogue antispyware programs:
unigray.com
spymaxx.com
spywatche.com
pcprivacytool.com
thelastdefender.com
thespybot.com
spywareisolator.com
pc-cleaner.com
pc-antispyware.com
MalwareWar.com
DataHealer.com
These can all be removed with the free trial version of CounterSpy.
March 26, 2008 on 9:30 am | In Rogue Anti Spyware
How to remove braviax.exe/cru629.dat/users32.dat malware
braviax.exe is malware that also installs rogue security applications and displays false alerts on the compromised computer. If your computer is infected, you will have a red circle with a white X in your taskbar that constantly tells you that you have a virus:
Your computer is infected!…
HijackThis shows it:
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - AppInit_DLLs: cru629.dat
Download SDFix and save the file to your desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Download combofix.
Open the SDFix folder and double-click RunThis.bat.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
Note 1: Can’t run anti-spyware programs? Rename them and try again.
Note 2: Some variants of braviax are very difficult to remove from a PC.
If the combofix log contains a Win32.Agent.zb header with a list of infected files, then you should remove those apps and install them again.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum - MUST READ
March 15, 2008 on 6:14 am | In Tutorials - "How to"
VirusHeat rogue antispyware - How To Remove
VirusHeat is a fake anti-spyware (rogue antispyware) program. It is deceptive about both its installation and its purpose, and may display fake scan results. It is usually installed onto your PC without your permission, through the Zlob Trojan, viruses, or fake audio/video codecs.
Symptoms:
Add/Remove Programs control panel entry: VirusHeat 3.9, VirusHeat 4.3
HijackThis shows:
O4 - HKLM\..\Run: [VirusHeat 3.9] "C:\Program Files\VirusHeat 3.9\VirusHeat 3.9.exe" /h
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
To fix the problem, follow these steps:
Download CCleaner. Double-click on the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: VirusHeat 3.9, VirusHeat 4.3
Download virusheat_fix.reg and save the file to your Desktop by right-clicking on the link and selecting Save Link As or Save File As, depending on your browser.
Double-click on the virusheat_fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and pressing “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Reboot your PC.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum - MUST READ
February 25, 2008 on 6:49 am | In Rogue Anti Spyware, Tutorials - "How to"
Fresh updates to Ad-Aware and SpyBot-search & Destroy
0052.0000 is now available, new definition file for Ad-Aware 2007.
New definitions:
====================
Adware.E404 +2
Win32.Trojan.Srizbi
Updated definitions:
====================
AdvancedCleaner
Adware.Agent +4
Adware.VapSup
Adware.Websearch +3
AdwareAlert +4
AntiSpyKit
AntivirusPCSuite
AntiVirusPro
BraveSentry +2
Densmail
ErrClean +3
FakeAlert +2
IROffer
Lop
MalwareAlarm +2
MalwareCore +3
PCPrivacyTool +2
PerfectCleaner +2
PerformanceOptimizer
SpyAway +3
SpyShredder +4
SystemDefender
Toolbar.Softo
Ultimate Defender +5
Win32.Backdoor.Agent +3
Win32.Backdoor.Agobot
Win32.Backdoor.Bifrose
Win32.Backdoor.Delf +22
Win32.Backdoor.EggDrop
Win32.Backdoor.Hupigon
Win32.Backdoor.IRCBot +3
Win32.Backdoor.IRCZapchast +2
Win32.Backdoor.Kbot
Win32.Backdoor.Padodor
Win32.Backdoor.RBot +18
Win32.Backdoor.SDBot +2
Win32.Backdoor.Shark +3
Win32.Backdoor.VanBot +5
Win32.Backdoor.WootBot
Win32.Dialer.Trojan +10
Win32.Generic.PWS +3
Win32.Generic.Worm
Win32.Hoax.Renos +8
Win32.Rootkit.Agent +3
Win32.SpamTool.Agent
Win32.Trojan.Agent +35
Win32.Trojan.BAT
Win32.Trojan.BHO +2
Win32.Trojan.Buzus +5
Win32.Trojan.Delf +8
win32.Trojan.Dnschanger
Win32.Trojan.Inject +2
Win32.Trojan.Obfuscated
Win32.Trojan.Pakes +14
Win32.Trojan.Qhost +7
Win32.Trojan.SDBot
Win32.Trojan.Small +3
Win32.Trojan.Spy
Win32.Trojan.Tibs +30
Win32.Trojan.Vaklik +3
Win32.Trojan.VB +3
Win32.Trojan.Wublu
Win32.TrojanClicker +5
Win32.TrojanClicker.Costrat
Win32.TrojanClicker.Delf
Win32.TrojanClicker.VB +2
Win32.TrojanDownloader.Adload +7
Win32.TrojanDownloader.Agent +51
Win32.TrojanDownloader.Banload +13
Win32.TrojanDownloader.BHO +9
Win32.TrojanDownloader.ConHook +2
Win32.TrojanDownloader.Dadobra +2
Win32.TrojanDownloader.Delf
Win32.TrojanDownloader.Diehard +8
Win32.TrojanDownloader.Dirat
Win32.TrojanDownloader.Hmir +2
Win32.TrojanDownloader.IEDefender +2
Win32.TrojanDownloader.Murlo
Win32.TrojanDownloader.NewMedia +21
Win32.TrojanDownloader.Obfuscated
Win32.TrojanDownloader.Small +11
Win32.TrojanDownloader.Tibs +3
Win32.TrojanDownloader.Tiny +5
Win32.TrojanDownloader.VB +8
Win32.Trojandownloader.Zlob +12
Win32.TrojanDropper +6
Win32.Trojan-Dropper.MuDrop
Win32.TrojanDropper.Small
Win32.TrojanDropper.VB
Win32.TrojanProxy.Agent.dl +6
Win32.TrojanProxy.Jaber
Win32.TrojanProxy.Saturn +2
Win32.TrojanProxy.Small
Win32.TrojanProxy.Xorpix
Win32.Trojan-PSW.Delf +4
Win32.Trojan-PSW.Nilage +2
Win32.Trojan-PSW.Sinowal +2
Win32.TrojanPWS.LdPinch +4
Win32.TrojanPWS.OnlineGames +120
Win32.TrojanPWS.QQPass +2
Win32.TrojanPWS.WOW +3
Win32.TrojanSpy.Banker +43
Win32.TrojanSpy.BZub
Win32.TrojanSpy.Delf +5
Win32.TrojanSpy.Goldun
Win32.TrojanSpy.VB +3
Win32.TrojanSpy.Zbot +8
Win32.Virus.Delf
Win32.Virus.Parite
Win32.Virus.Trats +2
Win32.Virus.VB
Win32.Virus.Virut +8
Win32.Worm.Allaple +4
Win32.Worm.Autorun +6
Win32.Worm.Delf +2
Win32.Worm.Doomber
Win32.Worm.Downloader +2
Win32.Worm.Kolab +5
Win32.Worm.Warezov +4
Win32.Worm.Zhelatin +35
WinSpyKiller +2
WinZix +5
Virtumonde +11
VirusProtect
XPAntivirus +2
XPDefender +2
Updates to SpyBot-search & Destroy
Dialer
+ Maxadult
Keylogger
+ HellzLittleSpy + Ardamax + SpyLantern
Malware
+ Win32.Alphabet.ap + Clickspring.Outerinfo + ErrorSweeper
Spyware
+ SpyMail
Trojan
+ Zlob.Downloader.se + Smitfraud-C.MSVPS + Win32.Delf.aoa + Win32.Expiro + Tibiabot.pk + Win32.Sohanad.t + Hupigon + Win32.Bifrose.LA + Win32.RJump.c + QQ-Pass + Win32.Delf.dch + Win32.Small.azl
Download SpyBot-search & Destroy
February 14, 2008 on 4:42 am | In Updates
How to remove core.cache.dsk and parportt.sys
If your computer is infected, you get popups everywhere: they appear in Internet Explorer as well as Firefox, and popup blockers do not stop them.
The popups come from several ad networks:
url.cpvfeed.com
upspiral.com
searchlocal.ws
xads.zedo.com
aavalue.com
Spybot finds Smitfraud-c.core but can’t remove it; the file core.cache.dsk comes back every time you reboot.
Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.
Download Combofix by sUBs and save it to your desktop.
Download CCleaner. Double-click on the file to install it.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:
O20 - Winlogon Notify: ****** -******.dll (file missing)
where ****** is a string of random characters, agggdbc for example (Google this DLL to confirm).
Close all browser and other windows except for HijackThis. Click “Fix Checked”.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run Combofix.
Close any open browsers. Double click on combofix.exe and follow the prompts.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Download and install SuperAntiSpyware Home Edition Free Version.
Now start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check ‘Perform Complete Scan’. Click ‘Next’ to start the scan.
SuperAntiSpyware will now scan your computer; when it’s finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum
Include the following logs in your post:
smitfraudfix log (can be found at the root of the system drive, usually at C:\rapport.txt)
combofix log
superantispyware log
February 14, 2008 on 4:33 am | In Spyware protection and removal, Tutorials - "How to"
How to remove CID popups
Symptoms:
1. A popup with the words CiD in the upper left of the title bar appears when starting IE.
2. The popup re-appears every few minutes. If you leave the machine and come back later, there will be many popups on the screen.
3. Ad-Aware and Spybot show nothing.
The CiD pop-up is an optional sponsor for Windows Live! Plus! (messenger addon). Upon installation it will ask you whether you would like to show your support by allowing it to install integrated sponsor support.
If you have this installed on your PC just go to Control Panel - add/remove programs - and select Microsoft Live Plus and you’ll get the option of removing the sponsor support only.
Download NoLop.exe to your desktop.
Download CCleaner. Double-click on the file to install it.
Download and install SuperAntiSpyware Home Edition Free Version.
Launch SuperAntiSpyware and click on ‘Check for updates’. Once the updates have been installed, exit SuperAntiSpyware. Do not run it just yet.
Uninstall these programs because they are bundled with the CID malware. Go to Start, then Control Panel and then Add/Remove Programs. Click Remove on any of the following:
CiD Help
CiD Manager
DivoCodec
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger plus or messenger plus and client
Download Plugin for Internet Explorer
Bitdownload
Zone Media
WinZix
Search Plugin
Window Search
Window Searching
Bitgrabber
BitRol
Bitdownload
Browser Enhancer
Netpumper
Torrent101
W3player
Ultimate Browser Enhancer
Note: if you’re asked for a Verification code, please enter the numbers that appear in the window.
Reboot your computer.
Close any other programs you have running as this will require a reboot. Double-click NoLop.exe to run it.
1. Click the button labelled “Search and Destroy”.
2. When scanning is finished you will be prompted to reboot only if infected; click ‘OK’.
3. Now click the “REBOOT” button.
A message should pop up from NoLop; if not, double-click the program again and it will finish.
Note:
If you receive an error saying that mscomctl.ocx or one of its dependencies is not correctly registered, please download the mscomctl.ocx package and run it to install. After that, rerun the program.
Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.
Now download Combofix by sUBs and save it to your desktop.
Close any open browsers. Double-click on combofix.exe and follow the prompts.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Now start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check ‘Perform Complete Scan’. Click ‘Next’ to start the scan.
SuperAntiSpyware will now scan your computer; when it’s finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you’re done.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum. Post the content of the deljob log (file logit.txt on your desktop) in your post.
January 23, 2008 on 9:06 am | In Spyware protection and removal, Tutorials - "How to"
How To Remove cyberstoll.com, search-daily.com hijacker and WebHancer spyware
Symptom:
When you do a Google search, you get search results, but if you click on one of the results, you are redirected to cyberstoll.com or search-daily.com
Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download CCleaner. Double-click on the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.
Download LspFix and extract the content to your desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: WebHancer.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:
O2 - BHO: (no name) - {F71D25F6-E9F6-401B-AD3D-AB9F7D36E6C7} - C:\WINDOWS\system32\dinpu.dll
Close all browser and other windows except for HijackThis. Click “Fix Checked”.
Reboot your PC.
Run LSPFix.exe
Check the I know what I’m doing box.
In the Keep box, select the webhdll.dll (Protocol handler) and move it to the Remove box by clicking the >> button.
When you are done click Finish>>.
When LSP-Fix is done removing the LSP you will see a summary box. At this point the LSP has been removed and you can press OK to shutdown LSP-Fix.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Open notepad and copy/paste the text in the quotebox below into it:
@echo off
sc stop gzncfggw
sc delete gzncfggw
exit
Save this as fix.bat to your Desktop (remember to select Save as file type: All files in Notepad). Double-click on fix.bat.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum
January 9, 2008 on 4:11 am | In Spyware protection and removal, Tutorials - "How to"
How to remove Video Add-on and antispyware/security toolbar 7.1
Security Toolbar 7.1 is an adware program that also installs rogue security applications and displays false alerts on the compromised computer.
A few things to do prior to cleaning:
Download and install HijackThis.
Download Avenger and unzip it to your desktop.
Download SDFix and save the file to your desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).
Disable your anti-spyware program; once your PC is clean you can re-enable it.
Open notepad and copy/paste the text in the quotebox below into it:
REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\clsid\{efaf6ea3-615d-4f83-8748-2f7a576fcea6}]
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad).
Double-click on the fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Start HijackThis. Click “Do a system scan only.” and check the boxes next to all the entries listed below:
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D4F041-4839-4858-A10E-F62F0AB1AD05}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O22 - SharedTaskScheduler: caribi - {8b87dcc7-9b89-4205-aa82-076b2a1edfe0} - (no file)
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Reboot your PC.
Open the SDFix folder and double-click RunThis.bat.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:
Folders to delete:
C:\Program Files\Video Add-on
C:\Program Files\Helper
C:\Program Files\Winamp Toolbar\
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
After that, to check that your system is clean, run these free malware scanners.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum - MUST READ
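Before merging a .reg file copied from a web page, it is worth listing what it will do. The following is an added example, not part of the original post: it reads REGEDIT4 text such as the fix.reg above and reports every key or value it deletes or sets, plus problems that stop the file working as intended (typographic quotes introduced by blog software, a '~' used as shorthand in a key path, values being set, and key deletions close to a hive root). The sample file is constructed, modelled on lines from this post plus two made-up lines; the depth threshold is an assumption.

```python
import re

# Constructed sample modelled on the fix.reg in this post. The "Example"
# value and the final broad deletion are made up to exercise the checks.
SAMPLE_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”=-
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"=-
"Example"="C:\\constructed\\value.dll"
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] opens a key, [-KEY] deletes the key and everything below it.
SECTION_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\.*)?)\]$")
# "name"=data sets a value, "name"=- deletes it; @ is the default value.
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def audit_reg(text, min_components=3):
    """Return (operations, problems) for .reg text; the registry is not touched."""
    ops, problems = [], []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1: missing REGEDIT4 / Version 5.00 header")
    key = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if "\u201c" in line or "\u201d" in line:
            # Curly quotes come from web page rendering, not from regedit.
            problems.append(f'line {n}: typographic quotes; retype them as plain " characters')
            continue
        m = SECTION_RE.match(line)
        if m:
            deleting, key = bool(m.group(1)), m.group(2)
            parts = key.split("\\")
            if "~" in parts:
                # regedit does not expand '~'; the path is taken literally.
                problems.append(f"line {n}: '~' is a placeholder, not a real key path")
            if deleting:
                ops.append(("delete-key", key, None))
                shallow = len(parts) - 1 < min_components
                if shallow and not key.startswith("HKEY_CLASSES_ROOT\\"):
                    problems.append(f"line {n}: deletes a whole subtree near the hive root")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1).strip('"'), m.group(2)
            if data == "-":
                ops.append(("delete-value", key, name))
            else:
                ops.append(("set-value", key, name))
                problems.append(f"line {n}: sets a value; a cleanup file should only delete")
            continue
        problems.append(f"line {n}: not understood")
    return ops, problems


if __name__ == "__main__":
    operations, issues = audit_reg(SAMPLE_REG)
    for op in operations:
        print(*[field for field in op if field])
    for issue in issues:
        print("PROBLEM", issue)
```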
December 9, 2007 on 7:59 am | In Tutorials - "How to"
Trojan Vundo/Virtumonde turns a good file into a Trojan-Dropper
VirusList posted about a new variant of Trojan Vundo/Virtumonde. The Vundo authors are now using file infection: Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.
Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.
Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn’t always work. There are samples of already infected files being re-infected and the host file then won’t run. However, re-infection doesn’t prevent Virtumonde itself from running.
Read more: Virtumonde/Vundo goes file infector
December 9, 2007 on 7:10 am | In Trojan
How to make Internet Explorer more secure
Follow these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab.
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  Change the Download signed ActiveX controls to Prompt
  Change the Download unsigned ActiveX controls to Disable
  Change the Initialise and script ActiveX controls not marked as safe to Disable
  Change the Installation of desktop items to Prompt
  Change the Launching programs and files in an IFRAME to Prompt
  Change the Navigate sub-frames across different domains to Prompt
  When all these settings have been made, click on the OK button.
  If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK button to exit the Internet Properties page.
Read more:
How to use “Internet Zone Settings”
How to disable Active Scripting support
How to drop rights for safe surf
New updates to Ad-Aware and SpyBot-search & Destroy
Definition file 0038.0000 for Ad-Aware 2007 is now available.
Definition file SE1R207 03.12.2007 for Ad-Aware SE is now available.
New definitions:
====================
DrProtection +2
ErrorDigger +3
Win32.Trojan.AdClicker +2
Win32.TrojanDropper.Frijoiner +19
Updated definitions:
====================
ABetterInternet.Aurora
AdvancedCleaner +5
Adware.2Search +3
Adware.Agent +30
Adware.BHO(generic) +10
Adware.CasClient
Adware.Dropper
Adware.LoopAd
Adware.TTC
Adware.VapSup
Adware.WebBuying +3
AntiVermins +2
AntivirusPCSuite +4
AntiVirusPro
Awola
BPS SpywareRemover +4
BraveSentry
DeusCleaner +3
Dialer +4
FakeAlert +10
PCPrivacyTool
PurityScan
Redirected hostfile entry
Scam.AdwareRemoverGold +4
SpyShredder
SystemDefender +3
Toolbar.Softo
UltimateCleaner +4
Win32.Backdoor.Agent +12
Win32.Backdoor.Agobot
Win32.Backdoor.Bifrose
Win32.Backdoor.Delf +7
Win32.Backdoor.Haxdoor +4
Win32.Backdoor.Hupigon
Win32.Backdoor.IRCBot +7
Win32.Backdoor.Nepoe
Win32.Backdoor.Padodor
Win32.Backdoor.PcClient
Win32.Backdoor.RBot +7
Win32.Backdoor.SDBot +3
Win32.Backdoor.VB +3
Win32.Dialer.Trojan
Win32.Generic.PWS +4
Win32.Generic.Worm +3
Win32.Rootkit.Agent +6
Win32.Trojan.Agent +28
Win32.Trojan.BHO
Win32.Trojan.Delf
win32.Trojan.Dnschanger +5
Win32.Trojan.Downloader +2
Win32.Trojan.KillAV +3
Win32.Trojan.MatrixHasYou +10
Win32.Trojan.Pakes +6
Win32.Trojan.Pushdo +2
Win32.Trojan.Qhost +3
Win32.Trojan.Small +5
Win32.Trojan.Spambot
Win32.Trojan.Spy +10
Win32.TrojanClicker +7
Win32.TrojanDownloader.Adload
Win32.TrojanDownloader.Agent +30
Win32.TrojanDownloader.Alphabet +9
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.Delf +17
Win32.TrojanDownloader.NewMedia +30
Win32.TrojanDownloader.Nurech +4
Win32.TrojanDownloader.Obfuscated +6
Win32.TrojanDownloader.QQHelper +4
Win32.TrojanDownloader.SecMediaOnline
Win32.TrojanDownloader.Small +13
Win32.TrojanDownloader.Tiny
Win32.TrojanDownloader.VB +5
Win32.Trojandownloader.Zlob +7
Win32.TrojanDropper +10
Win32.TrojanProxy.Agent.dl +9
Win32.TrojanProxy.Bobax
Win32.Trojan-PSW.Delf +5
Win32.Trojan-PSW.Lineage +4
Win32.Trojan-PSW.Sinowal +2
Win32.TrojanPWS.LdPinch +7
Win32.TrojanPWS.Lmir +2
Win32.TrojanPWS.OnlineGames +79
Win32.TrojanPWS.WebMoner +2
Win32.TrojanSpy.Banker +20
Win32.TrojanSpy.Broker +2
Win32.TrojanSpy.BZub +10
Win32.TrojanSpy.Goldun +5
Win32.TrojanSpy.Peed
Win32.TrojanSpy.Zbot +14
Win32.Worm.Autorun +2
Win32.Worm.Feebs +2
Win32.Worm.LockSky +4
Win32.Worm.Zhelatin
WinPerformance
Virtumonde +19
XPAntivirus +2
Updates to SpyBot-search & Destroy
Hijacker
+ IESearchToolbarHelper.vbs
Keylogger
+ Perfect Keylogger
Malware
+ Awola.Anti-Spyware + BPS Spyware Cops + BPS Spyware Remover + BPS SpywareStriker + BPS.SpywareZapper + IEDefender + SecureMyPC + SpyLax + SpyStriker + SpyViper + SpywareAnnihilatorPro + TrustCleaner + Vcodec.eMedia + WiperWizard
PUPS
+ Maxion.MaxnetShield
Security
+ Microsoft.Windows.RedirectedHosts
Trojan
+ Bancos.Qhost.tu + DropAgent.rtk + FakeMSUpdate.ede + Smitfraud-C.MSVPS + Virtumonde.ddc + Zlob.Downloader + Zlob.Downloader.iec + Zlob.Downloader.oid + Zlob.Downloader.vcd + Zlob.Downloader.vdt + Zlob.VideoActiveXObject
Download SpyBot-search & Destroy
How to remove webcry.com hijacker
Symptom: When you do any kind of search, the search results come up like normal, however when you click on a link under the results the page goes blank and you keep getting re-directed to webcry.com
Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:
O2 - BHO: (no name) - {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} - C:\Program Files\****\****.dll
O2 - BHO: (no name) - {52EA2AED-161F-45A5-EBAC-0293CA8C771C} - C:\Program Files\****\****.dll
O4 - HKLM\..\Run: [*****] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\*****.dll"
Note: **** stands for random characters, such as ‘utgboudx’ or ‘mgfaejew’.
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry?” Answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run CCleaner.
Click the Analyze button. After it scans your system, click Run Cleaner.
Reboot your PC.
If you are still having problems with spyware after completing these instructions, then please follow the steps: Spyware removal - Read this before posting
December 8, 2007 on 8:45 am | In Browser Hijacking, Tutorials - "How to"
Found first Christmas malware
F-Secure reported malware runs that use fake Christmas cards as the lure.
Example:
A Dear friend has sent you an ecard from http://www.123Greetings.com
Your ecard will be available with us the next 30 days.
…
To view your card,CLICK HERE
…
Running the ecard file x-mas.exe installs the Zapchast mIRC-based backdoor.
Read more: Merry Christmas and so on
December 4, 2007 on 3:25 am | In Malware
Found some new fake codecs
Sunbelt blog reported some new fake codecs:
codechq - codechq(dot)net
Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe.
vplprocedure - vplprocedure(dot)com
Sample binary vplprocedure(dot)com/download.php?id=10581
codectime - codectime(dot)com
Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codectime(dot)com(dot)/download/codectime(dot)dmg; Windows: codectime(dot)com(dot)/download/codectime(dot)exe
If you cannot remove the fake codecs, follow the steps in the topic Spyware removal - Read Before Posting.
December 3, 2007 on 6:42 am | In Trojan, spyware
Cannot View Hidden Files And Folders. How to fix
If you need to show hidden files, follow the tutorial How to show hidden files in Windows.
If the tutorial doesn't work for you, or there is no Folder Options entry in the Tools menu, then
open Notepad and copy/paste the text below into it:
REGEDIT4

; Remove the policy that hides Folder Options
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=-

; Delete CheckedValue, then recreate it as a DWORD set to 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.).
Double-click on the fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Reboot your PC.
After that, try tutorial How to show hidden files in Windows
November 26, 2007 on 9:49 pm | In Tips
Hijacker will not let me download anti spyware program - how to fix
If you can't download antispyware software or open antivirus vendors' sites, try Hosts Xpert, a free hosts file manager, to restore the Windows HOSTS file.
- Download Hosts Xpert
- Extract to your Desktop.
- Run Hosts Xpert
- Click “Restore MS Hosts File”
- Reboot your PC
After these simple steps you should have access to all blocked sites. If you still have a problem, create a free forum account and start a new topic with more information about the problem.
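To see what a hijacker changed before restoring the file, the HOSTS entries can be audited first. The following is an added example, not part of Hosts Xpert; it assumes a restored default file maps only localhost, and `audit_hosts`, `SAMPLE_HOSTS` and the host names in it are hypothetical, constructed values.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (all names are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example   # added by hijacker
0.0.0.0         update.av-vendor.example
203.0.113.7     search.example www.search.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (hostname, address, verdict) for every entry other than localhost."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the resolver ignores it too
        for name in fields[1:]:  # one line may map several names
            if name.lower() == "localhost":
                continue
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address sends the browser to a different server.
            blocked = addr.is_loopback or addr.is_unspecified
            findings.append((name.lower(), str(addr),
                             "blocked" if blocked else "redirected"))
    return findings
```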
November 26, 2007 on 10:28 am | In Tips