
AntiSpywareMaster and RegistryGreat | How to remove

AntiSpywareMaster looks like AntiSpywareExpert and AntispywareDeluxe.
The program reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.

Usually, rogue antispyware infects systems via misleading advertising on free download, warez and porn websites, through trojans, and through browser security holes.

[Screenshot: AntiSpywareMaster]

HijackThis shows the infection:

O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe

AntiSpywareMaster Files:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk
%ProgramFiles%\AntiSpywareMaster\asm.exe

RegistryGreat
The program may then give a report of exaggerated registry errors on the computer.
[Screenshot: RegistryGreat]

HijackThis shows the infection:

O4 - HKLM\..\Run: [RegistryGreat] C:\Program Files\RegistryGreat\RegistryGreat.exe

RegistryGreat files:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Registry Easy.lnk
%UserProfile%\Desktop\Registry Great.lnk
%UserProfile%\Local Settings\Temp\Perflib_Perfdata_e04.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great Help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Uninstall Registry Great.lnk
%ProgramFiles%\Registry Great\Code
%ProgramFiles%\Registry Great\errorlist.txt
%ProgramFiles%\Registry Great\GreatHelp.chm
%ProgramFiles%\Registry Great\RegGreatUpdate.exe
%ProgramFiles%\Registry Great\RegistryGreat.exe
%ProgramFiles%\Registry Great\RegistryGreat.url
%ProgramFiles%\Registry Great\ScanResult
%ProgramFiles%\Registry Great\unins000.dat
%ProgramFiles%\Registry Great\unins000.exe
%ProgramFiles%\Registry Great\Update.ini

How to remove
Download and install SuperAntiSpyware.

Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it has finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you are done.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum

May 2, 2008 on 11:18 pm | In Rogue Anti Spyware, Tutorials - "How to" | No Comments |

How to remove new rogue antispywares Malware Bell and IE Antivirus

S!Ri.URZ and Bharath’s Security Blog reported on two new rogue antispyware programs: Malware Bell and IE Antivirus.

Malware Bell is a new version of IE Defender.

[Screenshot: Malware Bell]

VirusTotal results for the Malware Bell installer (engine, engine version, signature date, detection name):

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.MalwareBell.F
DrWeb 4.44.0.09170 2008.04.26 Trojan.Fakealert.525
Fortinet 3.14.0.0 2008.04.26 Misc/MalwareBell
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.MalwareBell.F
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.MalwareBell.f
NOD32v2 3057 2008.04.26 Win32/Adware.IeDefender.NDG
Prevx1 V2 2008.04.26 Generic.Malware
Sophos 4.28.0 2008.04.26 Troj/FakeVir-AY
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.MalwareBell.F

It displays the alert message:

Your system is infected with dangerous virus!
Note: Strongly recommend to install antispyware program to clean your system and
avoid total crash of your computer!

IE Antivirus looks like IE Defender, Files Secure and Malware Bell.

[Screenshot: IE Antivirus]

VirusTotal results for the IE Antivirus installer (engine, engine version, signature date, detection name):

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.IeDefender.CJ
Fortinet 3.14.0.0 2008.04.26 Misc/IeDefender
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.IeDefender.CJ
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.IeDefender.cj
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.IeDefender.CJ

Home sites for these rogue apps:

Site Name: MalwareBellAgreement.com
Site Name: IEAntiAVDownload.com
IP Address: 89.149.227.195

Sample URLs:

malwarebellagreement(dot)com/mb.exe
malwarebellagreement(dot)com/ieav.exe
ieantiavdownload(dot)com/ieav.exe
ieantiavdownload(dot)com/mb.exe

Use SmitfraudFix to remove them.

If you are still having problems with spyware after using SmitfraudFix, then ask for help on the Spyware help forum.

April 28, 2008 on 3:37 am | In Rogue Anti Spyware, Tutorials - "How to" | No Comments |

How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar

The Softwarereferral infection is a hijacker. If your computer is infected, you get many popups, the Internet Explorer start page is changed to softwarereferral.com, a blinking stop sign with an X appears in the system tray, and you get continual system alert popups.

Download HijackThis and double-click on the file to install it.
Download CCleaner and double-click on the file to install it.
Download ComboFix.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your Desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items (those that exist on your system):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O2 - BHO: GNX Rolex - {CD6DCA54-AE70-4562-BD9E-0C0A32F01347} - C:\WINDOWS\drnpfdxsnp.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKCU\..\Run: [awedpedp] C:\WINDOWS\system32\naxgxwbu.exe
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {360925C8-9CA2-4D10-9C9D-4DA09A5840FB} - C:\WINDOWS\altvxvm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Note: the SSODL modules can have a random name and a different CLSID from the ones shown above; search the web for the name to confirm it belongs to the infection before fixing it.
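As an added example that is not part of the original post, the following Python script parses HijackThis lines like the ones above and flags the mechanisms this page keeps pointing at: a start page set to one of the hijacker hosts named on this page, BHO/toolbar/SSODL modules with no name or loaded from a drop location, autostarts under Policies\Explorer\Run or from data and temp folders, hard-coded NameServer entries, AppInit_DLLs, missing Winlogon Notify handlers, and desktop components served from a local file. The sample lines are constructed from entries quoted on this page; the rule set is my own and is a first pass before the manual look-up the note recommends, not a replacement for it.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis lines taken from the entries quoted on this page (the
# random-name placeholder in the Winlogon Notify entry filled in with the page's own
# example "agggdbc"), plus two benign entries the triage should leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O2 - BHO: (no name) - {F71D25F6-E9F6-401B-AD3D-AB9F7D36E6C7} - C:\WINDOWS\system32\dinpu.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: agggdbc - agggdbc.dll (file missing)
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

# Hijacker start pages named on this page.
HIJACK_HOSTS = {"softwarereferral.com", "cyberstoll.com", "search-daily.com", "webcry.com"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Windows paths ending in the file types these entries reference.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:dll|exe|dat|htm)', re.I)


def suspect_location(path: str) -> bool:
    """True if a module sits directly in %WinDir%, in a Temp folder, or under
    All Users\\Application Data: the drop sites seen in the entries on this page."""
    p = path.lower()
    windir = "c:\\windows\\"
    if p.startswith(windir) and "\\" not in p[len(windir):]:
        return True
    return "\\local settings\\temp\\" in p or "\\all users\\application data\\" in p


def triage(line: str) -> list:
    """Return the reasons one HijackThis line deserves review (empty if none). File
    names in these infections are random, so the rules key on mechanism and location."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    paths = PATH_RE.findall(body)
    reasons = []
    if sec in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host.lower() in HIJACK_HOSTS:
            reasons.append(f"start page set to known hijacker host {host}")
    if sec in ("O2", "O3", "O21", "O22"):
        if "(no name)" in body or "(no file)" in body:
            reasons.append("browser/shell extension with no name or no file")
        if any(suspect_location(p) for p in paths):
            reasons.append("extension DLL loads from a drop location")
    if sec == "O4":
        if "\\Policies\\Explorer\\Run" in body:
            reasons.append("autostart via the Policies\\Explorer\\Run key")
        if "regsvr32 /u" in body.lower():
            reasons.append("Run entry unregisters a DLL at every logon")
        if any(suspect_location(p) for p in paths):
            reasons.append("autostart program runs from a drop location")
    if sec == "O17" and "NameServer" in body:
        reasons.append("DNS servers hard-coded in the registry; confirm they are your ISP's")
    if sec == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads a DLL into every process")
        if "(file missing)" in body:
            reasons.append("Winlogon Notify handler whose DLL is missing")
    if sec == "O24" and "file:///" in body:
        reasons.append("desktop component served from a local file")
    return reasons


def triage_log(text: str) -> list:
    """Return (section, first reason, line) for every flagged line in a log."""
    hits = []
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            hits.append((line.split(" - ", 1)[0], reasons[0], line))
    return hits


if __name__ == "__main__":
    for sec, why, line in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {why}\n    {line}")
```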

Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).

You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean the registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

If everything seems to be good (the pop-ups are gone and there are no redirects), you should make a new restore point. Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click on “create new restore point”, click on NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, you may have another version of the infection; in that case please follow the steps in: How to use Spyware Removal Forum.

March 28, 2008 on 6:39 am | In Tutorials - "How to" | No Comments |

How to remove braviax.exe/cru629.dat/users32.dat malware

braviax.exe is malware that also installs rogue security applications and displays false alerts on the compromised computer. If your computer is infected, you have a red circle with a white X in your taskbar that constantly tells you that you have a virus:

Your computer is infected!…

HijackThis shows it:

O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - AppInit_DLLs: cru629.dat

Download SDFix and save the file to your desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Download ComboFix.

Open the SDFix folder and double-click RunThis.bat.

Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Close any open browsers.
Double click on combofix.exe and follow the prompts.

Note 1: If you can’t run anti-spyware programs, rename their executables and try again.

Note 2: Some variants of braviax are very difficult to remove from a PC.
If in the ComboFix log you find a Win32.Agent.zb header with a list of infected files, then you should uninstall and reinstall the applications those files belong to.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum - MUST READ

March 15, 2008 on 6:14 am | In Tutorials - "How to" | 2 Comments |

VirusHeat rogue antispyware - How To Remove

VirusHeat is a fake anti-spyware, or rogue antispyware, program. It uses deceptive means for installation and may display fake scan results. It usually installs itself onto your PC without your permission, through the Zlob Trojan, viruses, or fake audio/video codecs.

Symptoms:
Add/Remove Programs control panel entry: VirusHeat 3.9, VirusHeat 4.3
HijackThis shows:

O4 - HKLM\..\Run: [VirusHeat 3.9] “C:\Program Files\VirusHeat 3.9\VirusHeat 3.9.exe” /h
O4 - HKLM\..\Run: [VirusHeat 4.3] “C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe” /h

To fix the problem, follow these steps:

Download CCleaner and double-click on the file to install it.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your Desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: VirusHeat 3.9, VirusHeat 4.3

Download virusheat_fix.reg and save file to your Desktop.

Right-click on the link and select Save Link As or Save File As, depending on your browser.

Double-click on the virusheat_fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and pressing “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum - MUST READ

February 25, 2008 on 6:49 am | In Rogue Anti Spyware, Tutorials - "How to" | No Comments |

How to remove core.cache.dsk and parportt.sys

If your computer is infected, you get popups everywhere; they appear in Internet Explorer as well as Firefox, and popup blockers do not stop the invasion.
The popups come from several ad networks:

url.cpvfeed.com
upspiral.com
searchlocal.ws
xads.zedo.com
aavalue.com

Spybot finds Smitfraud-C.core and cannot remove it; the file core.cache.dsk comes back every time you reboot.

Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your desktop.
Download ComboFix by sUBs and save it to your desktop.
Download CCleaner and double-click on the file to install it.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O20 - Winlogon Notify: ****** -******.dll (file missing)

Where ****** is a random string of characters, agggdbc for example (search the web for the DLL name to confirm it).

Close all browsers and other windows except for HijackThis. Click “Fix Checked”.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and pressing “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run Combofix.

Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Download and install SuperAntiSpyware Home Edition Free Version.

Now start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it has finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you are done.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum
Include the following logs in your post:

smitfraudfix log (can be found at the root of the system drive, usually at C:\rapport.txt)
combofix log
superantispyware log

February 14, 2008 on 4:33 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

How to remove CID popups

Symptoms:
1. A popup with the words CiD in the upper left of the title bar appears when starting IE.
2. The popup re-appears every few minutes. If you leave the machine and come back later, there will be many popups on the screen.
3. Ad-Aware and Spybot show nothing.

The CiD pop-up is an optional sponsor for Windows Live! Plus! (a Messenger add-on). Upon installation it asks whether you would like to show your support by allowing it to install integrated sponsor support.

If you have this installed on your PC just go to Control Panel - add/remove programs - and select Microsoft Live Plus and you’ll get the option of removing the sponsor support only.

Download NoLop.exe to your desktop.
Download CCleaner and double-click on the file to install it.
Download and install SuperAntiSpyware Home Edition Free Version.

Launch SuperAntiSpyware and click on ‘Check for updates’. Once the updates have been installed, exit SuperAntiSpyware. Do not run it just yet.

Uninstall these programs because they are bundled with the CID malware. Go to Start, then Control Panel and then Add/Remove Programs. Click Remove on any of the following:

CiD Help
CiD Manager
DivoCodec
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger plus or messenger plus and client
Bitdownload
Zone Media
WinZix
Search Plugin
Window Search
Window Searching
Bitgrabber
BitRol
Browser Enhancer
Netpumper
Torrent101
W3player
Ultimate Browser Enhancer

Note: if you’re asked for a Verification code, please enter the numbers that appear in the window.
Reboot your computer.

Close any other programs you have running as this will require a reboot. Double click NoLop.exe to run it.

1. Click the button labelled “Search and Destroy”.
2. When scanning is finished you will be prompted to reboot only if infected; click ‘OK’.
3. Now click the “REBOOT” Button.

A message should pop up from NoLop; if not, double-click the program again and it will finish.

Note:

If you receive the error that mscomctl.ocx or one of its dependencies is not correctly registered, please download the mscomctl.ocx package and run it to install. After that, rerun the program.

Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

Now download Combofix by sUBs and save to your desktop.
Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Now start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check ‘Perform Complete Scan’. Click ‘Next’ to start the scan.

SuperAntiSpyware will now scan your computer; when it has finished it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you are done.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum. Post the content of the Deljob log (the file logit.txt on your desktop) in your post.

January 23, 2008 on 9:06 am | In Spyware protection and removal, Tutorials - "How to" | 1 Comment |

How To Remove cyberstoll.com, search-daily.com hijacker and WebHancer spyware

Symptom:
When you do a Google search you get search results as normal, but if you click on one of the results you are redirected to cyberstoll.com or search-daily.com.

Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download CCleaner and double-click on the file to install it.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your desktop.
Download LspFix and extract the contents to your desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: WebHancer.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {F71D25F6-E9F6-401B-AD3D-AB9F7D36E6C7} - C:\WINDOWS\system32\dinpu.dll

Close all browsers and other windows except for HijackThis. Click “Fix Checked”.

Reboot your PC.

Run LSPFix.exe

Check the I know what I’m doing box.
In the Keep box, select the webhdll.dll (Protocol handler) and move it to the Remove box by clicking the >> button.
When you are done click Finish>>.
When LSP-Fix is done removing the LSP you will see a summary box. At this point the LSP has been removed and you can press OK to shutdown LSP-Fix.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and pressing “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem stop the hijacker's service, then delete its registration so it cannot restart
sc stop gzncfggw
sc delete gzncfggw
exit

Save this as fix.bat to your Desktop (remember to select Save as file type: All files in Notepad). Double-click on fix.bat.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum

January 9, 2008 on 4:11 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

How to remove Video Add-on and antispyware/security toolbar 7.1

Security Toolbar 7.1 is an adware program that also installs rogue security applications and displays false alerts on the compromised computer.

A few things you may do prior to cleaning.

Download and install HijackThis.
Download Avenger and unzip to your desktop.
Download SDFix and save the file to your desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Disable your anti-spyware program; once your PC is clean you can re-enable it.

Open notepad and copy/paste the text in the quotebox below into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”=-
“{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}”=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\clsid\{efaf6ea3-615d-4f83-8748-2f7a576fcea6}]

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.).
Double-click on the fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
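A .reg file merges silently, so it is worth knowing exactly what it will do first. As an added example that is not part of the original post, this Python script dry-runs a REGEDIT4 script like the fix.reg above: `[-KEY]` lines become key deletions, `"name"=-` lines become value deletions under the current key, and everything else sets a value. It also warns about deletions of a protected key and about repeated entries (the script above repeats four lines). The sample is constructed from a subset of the page's lines plus one deliberately dangerous deletion that is not in the page's script; the protected-key list is my own and the parser assumes single-line values.

```python
import re
from collections import Counter

# Constructed sample in the REGEDIT4 format of the fix.reg above: a subset of its lines
# (including one of its repeated key deletions), one "set value" entry, and one dangerous
# deletion that is NOT in the page's script, added so the protected-key check fires.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CURRENT_USER\Software\ExampleVendor]
"Note"="constructed sample value"
[-HKEY_CLASSES_ROOT\CLSID]
"""

KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

# Keys whose wholesale deletion breaks Windows or every installed program. This is a
# constructed short list, not something the page provides; extend it for your environment.
PROTECTED_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE", r"HKEY_CURRENT_USER", r"HKEY_CLASSES_ROOT", r"HKEY_USERS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE", r"HKEY_LOCAL_MACHINE\SYSTEM",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft", r"HKEY_CURRENT_USER\Software",
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
)}


def parse_reg(text: str) -> list:
    """Translate a REGEDIT4 script into (action, key, value_name) tuples without touching
    the registry. Actions are delete_key, delete_value and set_value. Assumption: each
    value fits on one line (no hex(...) continuations)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 script")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            if km.group("minus"):
                actions.append(("delete_key", current, None))
                current = None  # values cannot follow a deleted key
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            raise ValueError(f"unrecognised line: {line}")
        if current is None:
            raise ValueError(f"value outside a key: {line}")
        name = "(Default)" if vm.group("default") else vm.group("name")
        action = "delete_value" if vm.group("data").strip() == "-" else "set_value"
        actions.append((action, current, name))
    return actions


def review(actions: list) -> list:
    """Warnings to read before merging: deletions of protected keys first, then entries
    that appear more than once (harmless when re-applied, but worth noticing)."""
    warnings = []
    for action, key, name in actions:
        if action == "delete_key" and key.lower() in PROTECTED_KEYS:
            warnings.append(f"deletes a protected key: {key}")
    for (action, key, name), n in Counter(actions).items():
        if n > 1:
            warnings.append(f"duplicate entry ({n}x): {action} {key}" + (f" / {name}" if name else ""))
    return warnings


if __name__ == "__main__":
    acts = parse_reg(SAMPLE_REG)
    for action, key, name in acts:
        print(f"{action:13} {key}" + (f" -> {name}" if name else ""))
    for w in review(acts):
        print("WARNING:", w)
```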

Start HijackThis. Click “Do a system scan only.” and check the boxes next to all the entries listed below:

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D4F041-4839-4858-A10E-F62F0AB1AD05}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O22 - SharedTaskScheduler: caribi - {8b87dcc7-9b89-4205-aa82-076b2a1edfe0} - (no file)

Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Reboot your PC.
Open the SDFix folder and double-click RunThis.bat.

* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy and then paste the following text:

Folders to delete:
C:\Program Files\Video Add-on
C:\Program Files\Helper
C:\Program Files\Winamp Toolbar\

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After that, to check that your system is clean, run these free malware scanners.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: How to use Spyware Removal Forum - MUST READ

December 9, 2007 on 7:59 am | In Tutorials - "How to" | No Comments |

How to make Internet Explorer more secure

Follow these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialise and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt

    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.
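As an added example that is not part of the original post, the following Python script audits whether the six Custom Level settings above are at least as strict as recommended, so the change can be verified (or re-checked after a hijacker resets it). It assumes the standard per-user Internet zone key and the action IDs Microsoft documents for these items (1001, 1004, 1201, 1800, 1804 and 1607, with 0 = Enable, 1 = Prompt, 3 = Disable); the sample zone values are constructed.

```python
import sys

# Per-user location of the Internet zone (zone 3) Custom Level settings.
ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Internet-zone action IDs behind the Custom Level items the steps above change, with
# the level the page recommends for each.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(zone: dict) -> list:
    """Compare {action_id: DWORD} against RECOMMENDED. A setting is reported only when
    it is more permissive than recommended (Disable where Prompt is asked for is fine)
    or absent. Returns (id, name, current_or_None, recommended) per finding."""
    findings = []
    for action, (name, want) in RECOMMENDED.items():
        have = zone.get(action)
        if have is None or STRICTNESS.get(have, -1) < STRICTNESS[want]:
            findings.append((action, name, have, want))
    return findings


def read_internet_zone() -> dict:
    """Read the current user's Internet-zone DWORDs on Windows; returns {} elsewhere so
    the audit can still be run against a saved export."""
    if sys.platform != "win32":
        return {}
    import winreg
    zone = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:
                break
            if kind == winreg.REG_DWORD:
                zone[name] = data
            index += 1
    return zone


# Constructed sample of a weakened Internet zone (not taken from a real machine).
WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": PROMPT, "1800": PROMPT, "1804": ENABLE}

if __name__ == "__main__":
    zone = read_internet_zone() or WEAK_ZONE
    for action, name, have, want in audit(zone):
        current = LEVEL_NAME.get(have, "not set" if have is None else str(have))
        print(f"{action} {name}: {current} -> should be {LEVEL_NAME[want]}")
```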

Read more:
How to use “Internet Zone Settings”
How to disable Active Scripting support
How to drop rights for safe surf

December 9, 2007 on 3:55 am | In Internet Browsers and Mail and News readers, Tips, Tutorials - "How to" | No Comments |

How to remove webcry.com hijacker

Symptom: When you do any kind of search, the search results come up as normal; however, when you click on a link in the results the page goes blank and you keep getting redirected to webcry.com.

Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download CCleaner and double-click on the file to install it.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} - C:\Program Files\****\****.dll
O2 - BHO: (no name) - {52EA2AED-161F-45A5-EBAC-0293CA8C771C} - C:\Program Files\****\****.dll
O4 - HKLM\..\Run: [*****] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\*****.dll”

Note: **** is a random string of characters, such as ‘utgboudx’ or ‘mgfaejew’.

Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and pressing “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, it is possible you have a different variant; in that case please follow the steps in: Spyware removal - Read this before posting

December 8, 2007 on 8:45 am | In Browser Hijacking, Tutorials - "How to" | 3 Comments |

How to fix shell.exe, spoolvs.exe problem

Symptoms:

  • Start > Settings > Control Panel is missing
  • Taskbar icons informing you of an infection and taking you to a legitimate-looking security panel
  • System pop-ups and IE pop-ups
  • When you start PC, you can get a message: “Windows cannot find ‘C:\Windows\shell.exe’ Make sure you typed the file name correctly….”

Download HijackThis and save the file to your desktop. Double-click on the file to install it.
Download CCleaner and double-click on the file to install it.
Download SmitfraudFix (by S!Ri) and extract the contents (a folder named SmitfraudFix) to your desktop.
Download VundoFix and save the file to your desktop.
Download SDFix and save the file to your desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SDFix folder and double-click RunThis.bat.

  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard).

Double-click VundoFix.exe to run it.

  • When VundoFix opens, click the Scan for Vundo button.
  • Once it’s done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Reboot in Safe Mode again.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

  • Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
  • You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
  • The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Back up your registry with ERUNT.

After that, post your logs:

  • HijackThis log
  • SmitfraudFix log (found at the root of the system drive, usually C:\rapport.txt)
  • SDFix log (usually at C:\sdfix\logReport.txt)
  • VundoFix log (usually at C:\vundofix.txt)

to the spyware help forum and wait for an answer (you will need to create a free forum account first).

November 26, 2007 on 9:53 am | In Spyware protection and removal, Tutorials - "How to" | 7 Comments |

How to remove beautyscreens.com/jokes.php popups

Symptoms:

  • IE pop-up windows, mostly to sites such as www.beautyscreens.com/jokes.php, winantivirus.com, www.winantiviruspro.com, winantispyware.com and partypoker.com.
  • SpyBot found Smitfraud-C.Toolbar888, SearchClickAds, Win32.Small.dp

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri) and extract its content (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll
O4 - HKLM\..\Run: [setup] rundll32.exe “C:\WINDOWS\system32\****.dll”,realset
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\YOUR_USER_NAME\LOCALS~1\Temp\winlogon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

Where **** is a random string of characters, such as ‘utgboudx’, and YOUR_USER_NAME is your Windows username.
Now close all browser windows and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
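
As an added example (not part of the original post and not code from HijackThis), here is a small Python triage script that parses HijackThis-style log lines and flags the kinds of entries this post and the other posts on this page tell you to fix: O4 Run entries that launch from a Temp folder, rundll32 entries loading a DLL from system32, O2 BHOs with no name or a missing file, O2/O3 entries carrying one of the CLSIDs quoted on this page, O20 AppInit_DLLs pointing at a non-DLL file, and O20 Winlogon Notify packages outside a baseline of standard Windows XP notify packages. The sample log, the DLL names standing in for the post's ****, the all-zero CLSID and the baseline list are constructed assumptions; the rules are review heuristics, not proof of infection.

```python
import re

# Constructed sample log in HijackThis format, modelled on entries quoted on
# this page. The DLL names xjegktl/utgboudx stand in for the post's "****";
# the all-zero CLSID and the ctfmon/crypt32chain lines are constructed benign
# entries. Nothing here is a real log.
SAMPLE_LOG = r"""
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll
O2 - BHO: (no name) - {5a2e9fa3-5acd-4013-961b-aae311cdb902} - C:\WINDOWS\system32\xjegktl.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\Helper.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\utgboudx.dll",realset
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# CLSIDs of BHO/toolbar entries that the posts on this page tell you to fix.
LISTED_CLSIDS = {
    "3E1500AC-87A5-416B-A211-82E848649DA9",  # ofb1 BHO
    "33BF7E26-185B-46C7-87FB-A8F94C7E696C",  # pmnlk.dll BHO
    "11A69AE4-FBED-4832-A2BF-45AF82825583",  # "Security Toolbar"
    "480598DD-AE28-48B7-82F7-6ADDA1AA6B66",  # "MSVPS System" BHO
    "87766247-311C-43B4-8499-3D5FEC94A183",  # WinTools BHO
}

# Assumed baseline of Winlogon Notify packages shipped with Windows XP;
# anything outside it is worth a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsvc", "wlballoon"}

LINE_RE = re.compile(r"^(?P<section>[OR]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|dat|bin)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def triage(log_text):
    """Return (rule, line) pairs for log lines that match a review rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(0).lower() if path_m else ""
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(1).upper() if clsid_m else ""

        if section in ("O2", "O3"):
            if clsid in LISTED_CLSIDS:
                findings.append(("listed-clsid", line))
            elif "(no name)" in body or "(file missing)" in body or "(no file)" in body:
                findings.append(("anonymous-bho", line))
        elif section == "O4":
            if "\\temp\\" in path:
                findings.append(("run-from-temp", line))
            elif "rundll32" in body.lower() and path.endswith(".dll") and "\\system32\\" in path:
                findings.append(("rundll32-system32-dll", line))
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and path and not path.endswith(".dll"):
                findings.append(("appinit-non-dll", line))
            elif body.startswith("Winlogon Notify:"):
                package = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
                if package not in KNOWN_NOTIFY:
                    findings.append(("unknown-winlogon-notify", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:25} {line}")
```

Named BHOs that are not on the CLSID list (such as a fresh variant) still need manual review; the point of the script is to make the structural red flags the posts describe (Temp paths, nameless BHOs, a .dat in AppInit_DLLs) jump out of a long log.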

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “Create a restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting

November 22, 2007 on 9:01 am | In Tutorials - "How to" | 2 Comments |

How to remove savetheinformation.com and secirityonpage.com hijackers

Symptoms:

  • IE pop-up windows, mostly to a site called www.savetheinformation.com but also to some other sites
  • Yellow balloons from the taskbar prompting you to download antispyware software
  • Grey pop-ups that look like error messages, also prompting you to download antivirus/antispyware software
  • Two programs added to the Start menu program list: Online Security Guide and Live Safety Center
  • When you open an IE window it goes to www.savetheinformation.com

Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.

Disable your anti-spyware program; once your PC is clean you can re-enable it.

Double-click VundoFix.exe to run it.

When VundoFix opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES. Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

If you still have problems, follow these steps:

Download FixSTI.reg to your desktop.

Double-click on the FixSTI. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Run HijackThis. Close all programs, leaving only HijackThis running. Place a check against each of the following if found, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {33BF7E26-185B-46C7-87FB-A8F94C7E696C} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {5a2e9fa3-5acd-4013-961b-aae311cdb902} - C:\WINDOWS\system32\****.dll (file missing)
O2 - BHO: (no name) - {60D97635-E582-E002-F541-EA2B589ED998} - C:\WINDOWS\system32\****.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\****.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\****.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\****.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\****.dll
O20 - Winlogon Notify: **** - C:\WINDOWS\SYSTEM32\****.dll

Where **** is a random string of characters, for example: xjegktl, nuyix, ldbvcpwu, khcmkrws …

Now close all other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run CCleaner.

Click Analyze button. After scan your system, click Run Cleaner.

If you still have problems with your PC or cannot remove the hijackers, follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting.

Don't forget, we want to help you: make your logs and post them to the spyware removal forum!

November 18, 2007 on 6:00 am | In Browser Hijacking, Spyware protection and removal, Tutorials - "How to" | 3 Comments |

How to remove Pcsecuritylab.com Hijacker

Pcsecuritylab.com is a browser hijacker.
It may also change the desktop wallpaper and show this message:

Warning! SpyWare Threat Detected on Your PC!

You will also periodically get a fake security warning:

Your Security and Privacy are at risk: Spyware has been detected. Click HERE to remove it.

It automatically runs on every Windows startup. Pcsecuritylab.com is a very high security risk and should be removed immediately to prevent harm to your computer and your privacy.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip it to your desktop.

Open Notepad and copy/paste the text below into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e690500e-1dd1-11b2-a943-9ecd016314d0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Save this as Fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.).
Double-click on the Fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
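
Before merging a .reg fix like the one above, it is worth reading back what it will actually do. The following Python script, an added example not taken from the post, parses the REGEDIT4 syntax the fix uses: a leading - inside the brackets deletes the whole key, a plain [key] selects it, and "name"="data" lines assign string values in which \\ stands for one backslash. The sample text is constructed (all-zero placeholder CLSIDs, and the Browser Helper Objects path written out in full where the post abbreviates it with ~); the Userinit check compares against the default value the fix restores.

```python
import re

# Constructed sample in the REGEDIT4 syntax of the fix above. The two CLSIDs
# are placeholders, and the Browser Helper Objects path is written out in full
# where the post abbreviates it with "~".
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000aa}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000bb}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Values that control what runs at logon; a fix that touches them deserves a
# second look even when the new data looks like the Windows default.
SENSITIVE_VALUES = {"userinit", "shell", "appinit_dlls"}


def parse_reg(text):
    """Parse a .reg file into the keys it deletes and the values it sets."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing header line")
    deletes, sets = [], []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group("delete"):
                deletes.append(km.group("key"))
                current = None          # nothing can be set under a deleted key
            else:
                current = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # unescape string data
            sets.append((current, vm.group("name"), data))
    return {"deletes": deletes, "sets": sets}


def review(text):
    """Return human-readable lines describing what merging the file would do."""
    parsed = parse_reg(text)
    notes = [f"delete key: {k}" for k in parsed["deletes"]]
    for key, name, data in parsed["sets"]:
        flag = " [sensitive]" if name.lower() in SENSITIVE_VALUES else ""
        notes.append(f"set {key}\\{name} = {data!r}{flag}")
    return notes


def restores_default_userinit(text):
    """True if the file sets Userinit back to the stock XP value."""
    for _, name, data in parse_reg(text)["sets"]:
        if name.lower() == "userinit":
            return data.lower() == r"c:\windows\system32\userinit.exe,"
    return False


if __name__ == "__main__":
    for note in review(SAMPLE_REG):
        print(note)
    print("restores default Userinit:", restores_default_userinit(SAMPLE_REG))
```

The parser only handles the string values this fix uses; binary, dword and multi-string data would need more cases, but for a BHO clean-up script the two questions that matter are which keys disappear and what Userinit ends up as, and those are what it answers.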

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar…p=ZJxdm186NJUS

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\ace16win.dll

Folders to delete:
C:\WINDOWS\system32\Mz15r
C:\WINDOWS\PerfInfo
C:\WINDOWS\McAfee.com
C:\Program Files\LimeWire
C:\WINDOWS\system32\acespy

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting

November 17, 2007 on 8:19 am | In Browser Hijacking, Spyware protection and removal, Tutorials - "How to" | 1 Comment |

How to remove xlavra (Trojan-Downloader.Win32.Agent) and Wintools adware

WinTools is adware that adds a toolbar to your browser and generates annoying pop-ups and balloon dialogs.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: WinTools, WhenU, SearchUpgrader

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip it to your desktop.
Download SmitfraudFix (by S!Ri) and extract its content (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482E-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open notepad and then copy and paste the lines below into it.

@echo off
rem Stop the WinTools service, then remove its registration from the service manager
sc stop WinToolsSvc
sc delete WinToolsSvc

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Double-click on fixes.bat file to execute it.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\WINDOWS\xlavba3.exe
C:\WINDOWS\system32\sulimo.dat

Folders to delete:
C:\Program Files\Common files\SearchUpgrader\
C:\Program Files\VVSN\
C:\PROGRA~1\COMMON~1\WinTools\

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “Create a restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting

November 13, 2007 on 7:13 am | In Spyware protection and removal, Tutorials - "How to" | No Comments |

How to remove IE Defender

IE Defender is a rogue antispyware application that is starting to infect a lot of users, and this particular infection is harder to remove. IE Defender also installs itself into Internet Explorer and hijacks searches you type into the Google and Yahoo search engines: when you are infected and run a search on Google or Yahoo, you see a hijacked result listing instead. You will also periodically get a fake message:

Google Error
Your computer is infected! Some of your search results were changed by spyware
You have to clean your PC and we recommend to use our ANTISPYWARE!

To remove IE Defender, follow these steps:

Download FixIED.reg and save the file to your desktop.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip it to your desktop.
Download SmitfraudFix (by S!Ri) and extract its content (a folder named SmitfraudFix) to your desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: IE Defender

On your desktop find and double-click on the FixIED.reg file that you just downloaded. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\Windows\System32\bDivX.dll
C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\Windows\System32\Video32.dll
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\IntelVideo.dll
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\Windows\System32\dx50codec.dll
C:\Windows\System32\dx50codec.dll.bak
C:\Windows\System32\a3gpcodec.dll
C:\Windows\System32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\mp3avi.dll.bak
C:\Windows\System32\VideoMP3.dll
C:\Windows\System32\VideoMP3.dll.bak

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC in Safe Mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open; click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “Create a restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:

Spyware removal - Read Before Posting

November 10, 2007 on 9:09 am | In Rogue Anti Spyware, Spyware protection and removal, Tutorials - "How to" | No Comments |

How to remove safenavweb.com hijacker

Symptoms: the system keeps popping up warning messages, launching Internet Explorer and directing it to safenavweb.com.

To fix the safenavweb.com malware, follow these steps:

Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Download CCleaner. Double-click the file to install it.
Download Avenger and unzip it to your desktop.
Download SmitfraudFix (by S!Ri) and extract its content (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkfxt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: The htunistock - {C58A4487-4C2E-45E4-9E3A-52B3A23CC396} - C:\WINDOWS\htunistock.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: hostctrl - {20D7F2C0-86AB-4F63-88E4-E3F4887E0CC1} - C:\WINDOWS\hostctrl.dll
O21 - SSODL: hstsys - {44195BC8-06C2-4D25-81E9-1607B1313715} - C:\WINDOWS\hstsys.dll

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:
C:\WINDOWS\ntspkfxt.dll
C:\WINDOWS\htunistock.dll
C:\WINDOWS\hostctrl.dll
C:\WINDOWS\hstsys.dll

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC again in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Download the HostsXpert 3.7 - Hosts File Manager.

1. Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert.
2. Click HostsXpert.exe to run HostsXpert 3.7 - Hosts File Manager from its new home.
3. Click “Make Hosts Writable?” in the upper right corner (if available).
4. Click Restore Microsoft’s Hosts file and then click OK.
5. Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
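
HostsXpert restores the stock file wholesale. If you would rather see what a hijacker changed first, the following Python script, an added example that is not part of the post or of HostsXpert, parses a hosts file and reports every mapping other than localhost to loopback: entries that point a name at a foreign address are reported as redirected, and entries that point a name at 127.0.0.1 or 0.0.0.0 as blackholed (the trick used to stop a machine reaching security vendors' update sites). The sample file and its hostnames are constructed. Ad-blocking hosts lists use the blackhole pattern legitimately, which is exactly the case the note about custom Hosts files covers.

```python
import ipaddress
import sys

# Constructed sample hosts file: the stock localhost mapping plus two entries of
# the kind a hijacker adds. The hostnames are invented (.test is reserved) and
# 192.0.2.10 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
192.0.2.10      www.example-bank.test        # name pointed at a foreign address
127.0.0.1       www.example-av-vendor.test   # vendor site blackholed
0.0.0.0         updates.example-av-vendor.test
"""

LOOPBACK = {ipaddress.ip_address("127.0.0.1"),
            ipaddress.ip_address("::1"),
            ipaddress.ip_address("0.0.0.0")}
DEFAULT_NAMES = {"localhost"}   # names the stock Windows file maps to loopback


def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments, blanks and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address: ignore the line
        for name in parts[1:]:                 # one line may carry several names
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-default mapping as 'redirected' or 'blackholed'."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip in LOOPBACK:
            continue                           # stock entry, nothing to report
        verdict = "blackholed" if ip in LOOPBACK else "redirected"
        findings.append((verdict, name, str(ip)))
    return findings


if __name__ == "__main__":
    # Pass the path of a real hosts file (on XP: C:\WINDOWS\system32\drivers\etc\hosts)
    # as the first argument; without one the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for verdict, name, ip in audit_hosts(text):
        print(f"{verdict:10} {name} -> {ip}")
```

Running it on the real file before restoring the stock one gives you a record of which names were tampered with, which is also the list of sites you should expect to work again afterwards.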

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE, click “Create a restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topics linked below:

Help | How to remove safenavweb.com hijacker
Spyware removal - Read Before Posting

November 8, 2007 on 7:56 am | In Browser Hijacking, Tutorials - "How to" | 10 Comments |

How to remove trojan dns/changer

Trojan DNSChanger (both the Windows and Mac versions) hijacks your DNS settings and then redirects you to malicious websites, steals personal identities, kills your dog and even crank-calls your grandmother with naughty messages.

Read more: A little bit of de-fudding on the DNS changing Trojan

HijackThis shows the DNSChanger trojan as:

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
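
As an added example (not part of the post and not code from FixWareout or HijackThis), the Python script below pulls O17 NameServer lines out of a HijackThis log and classifies each resolver address. The two addresses in the entry above fall inside 85.255.112.0/20; listing that block as a suspect range is an assumption made for this example, as are the expected resolver 192.168.1.1 and the second, constructed O17 line. Substitute the resolvers you actually expect on the machine and ranges from your own threat intelligence. The parser also accepts the space-separated form used in the FixWareout report quoted further down.

```python
import ipaddress
import re

# Ranges to treat as suspect. The two servers quoted in the post fall in
# 85.255.112.0/20; listing it here is an assumption for this example, so
# replace or extend it from a current threat feed.
SUSPECT_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Resolvers you expect to see on the machine (constructed placeholder).
EXPECTED_SERVERS = {ipaddress.ip_address("192.168.1.1")}

# Constructed sample: the O17 line from the post, a benign O17 line with a
# placeholder interface GUID, and an unrelated line that must be ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry key, [addresses]) for an O17 NameServer line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    # HijackThis separates servers with commas; the FixWareout report uses spaces.
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue                      # ignore anything that is not an address
    return m.group("key"), servers


def classify_server(ip):
    """expected / suspect / private / unknown for one resolver address."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if ip in EXPECTED_SERVERS:
        return "expected"
    if any(ip in net for net in SUSPECT_RANGES):
        return "suspect"
    if ip.is_private:
        return "private"
    return "unknown"


def check_log(log_text):
    """Return (key, address, verdict) for every nameserver in every O17 line."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for ip in servers:
            findings.append((key, str(ip), classify_server(ip)))
    return findings


if __name__ == "__main__":
    for key, ip, verdict in check_log(SAMPLE_LOG):
        print(f"{verdict:9} {ip:16} {key}")
```

An "unknown" verdict is not a clean bill of health: a public resolver you did not configure on a home machine is still worth explaining, since a DNS hijacker can use any address it controls.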

To remove the infection, please follow these instructions step by step:

Please download FixWareout.
Save it to your desktop and run it. Click Next, then Install, then make sure “Run fixit” is checked and click Finish. The fix will begin, follow the prompts.
You will be asked to reboot your computer, please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Open C:\fixwareout\report.txt; if Fixwareout found the infection you will see lines like these:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.86 85.255.112.157" value cleared.

That is fine.

This trojan can also download other malware; to check your PC and remove any rogue software, download and run SmitfraudFix.

Your computer should now be free of the infection.

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below Spyware removal - Read Before Posting.

November 6, 2007 on 10:32 pm | In Trojan, Tutorials - "How to" | No Comments |

Automatic removal of the HaxDoor trojan

This trojan allows others to access the computer, drops more malware, installs itself in the Registry.

To check your PC, download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Now run HijackThis and click “Do a system scan only”. If you find any entries similar to these

O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

then you have HaxDoor trojan infection!

To remove this serious infection, please follow these instructions step by step.

Download haxfix.exe. Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark “Create a desktop icon”.
Click “Next”.
When the installation is completed, make sure that the checkmark “Launch HaxFix” is placed.
Click “Finish”.
A red “dos window” (dos box) will open.

Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you’ll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.

HaxDoor can drop more malware, so if you are still having problems with your PC, please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting

June 24, 2007 on 6:27 pm | In Spyware protection and removal, Trojan, Tutorials - "How to" | No Comments |
