Symptoms:
- IE pop-up windows, mostly to a sites www.beautyscreens.com/jokes.php, winantivirus.com, www.winantiviruspro.com, winantispyware.com, partypoker.com.
- SpyBot found Smitfraud-C.Toolbar888, SearchClickAds, Win32.Small.dp
Download HijackThis and save the file to your desktop. Double click on the file for install.
Download CCleaner. Double click on the file for install.
Download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your desktop.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:
O2 – BHO: ofb1 – {3E1500AC-87A5-416b-A211-82E848649DA9} – C:\PROGRA~1\Ofb1\Ofb1.dll
O4 – HKLM\..\Run: [setup] rundll32.exe “C:\WINDOWS\system32\****.dll”,realset
O4 – HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\YOUR_USER_NAME\LOCALS~1\Temp\winlogon.exe
O20 – AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
Where **** is a random chars, as ‘utgboudx’, YOUR_USER_NAME – your windows username
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).
You will be prompted : “Registry cleaning – Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run CCleaner.
Click Analyze button. After scan your system, click Run Cleaner.
Reboot your PC.
Disable system restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. click on “create new restore point” > click on NEXT and follow the prompts.
If you are still having problems with spyware after completing these instructions, it`s possible, then please follow the steps outlined in the topic linked below:
Spyware removal – Read Before Posting
when i click “Do a system scan only.” i don’t find in the list
O4 – HKLM\..\Run: [setup] rundll32.exe “C:\WINDOWS\system32\****.dll”,realset
O4 – HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\YOUR_USER_NAME\LOCALS~1\Temp\winlogon.exe
O20 – AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
David, probably you have another version of ‘beautyscreens’ infection, If you want to get help, please read topic