Please do not open Internet Explorer during any portion of this process. Please print out the directions listed below. If you open IE during any part of this process, all the file names will morph, and we will have to start over.
Please also make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Step 1:
Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the service to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.
Step 2:
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
The name of the file from the service above
C:\WINDOWS\system32\sdkvm32.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\jxnfed.exe
gwcya.dll
C:\WINDOWS\atldq32.dll
Step 3:
I now need you to delete the following files:
The name of the file from the service above
C:\WINDOWS\system32\sdkvm32.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\jxnfed.exe
gwcya.dll
C:\WINDOWS\atldq32.dll
Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other. If you are using explorer to search for these files, make sure that you check the option to search hidden files and folders, otherwise you won't find them. If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Step 4:
Then run hijackthis and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gwcya.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
O2 - BHO: (no name) - {29DA78D1-B9B4-67A0-5BB2-59403A46FD87} - C:\WINDOWS\atldq32.dll
O4 - HKLM\..\Run: [cvwcfiebhydgk] C:\WINDOWS\System32\jxnfed.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/23ea10f...ip/RdxIE601.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) -
http://www.imagestation.com/common/...ion=4,3,2,20802
Step 5:
In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.
Go to Start>Run and type regedit.
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists , right click on it and choose delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
Step 6:
Restore files deleted by this malware.
- Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
- If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
- If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
Boot into SAFE MODE by tapping the f8 key during boot up.