You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.
Sounds like you've been infected heavily. One of the first things to run is HiJackThis. Download the file, unzip it and then do a Scan and Log. Post it in AO's Spyware forum for help interpreting it.
1) Download the trial version of Ewido Anti-Malware from here and save it to your Desktop.
When the download has finished, locate ewido-setup.exe and double click it to begin installation.
** If you already have Ewido installed, update it and go to 2) **
In the 'Additional Options' window, uncheck: 'Install required for automatic updates (background guard)'.
When installation is complete, you will need to update Ewido to the latest definition files.
To do this:
1. Double click the Ewido Desktop icon.
2. In the main screen, on the left hand side, click Update.
3. In the following screen, click Start Update.
A progress bar will show how the update is going. When it has finished updating, close it.
If you have problems with the updater, you can manually update Ewido. Click here, and save ewido-signatures-full-current.exe to your Desktop. All you need to do then is to double-click it, click Install and then, when it has finished, Close.
Ewido Anti-Malware is designed to be used to both scan for and remove malicious files and also to run alongside, but not replace, your existing anti-virus program to give an added layer of protection.
However, as the real-time protection may interfere with the fixing of your PC, this function will have been disabled as long as you followed the installation instructions correctly. At the end of the trial period, Ewido will revert to a stand-alone scanner which you can keep and update for free and use in a similar way to Ad-Aware SE Personal. (I've found recently that Ewido is better than Ad-Aware SE).
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now online button.
Then download SmitFraudFix and unzip it in the C: drive.
2) You will need to know how to boot into Safe Mode.
You do this by:
1. Restarting your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.
3) Log off from the internet and disconnect your modem cable for the duration of the fix.
1) Boot into Safe Mode.
2) Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "2" and then <ENTER> to start the cleaning process.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then <ENTER>.
* The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then <ENTER>.
Your PC now needs to be rebooted. If this does not happen automatically, you will need to do so manually. Either way, your PC will need to be booted back INTO SAFE MODE. (go back to the Safe Mode instructions above)
3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
4) Navigate to C:\Documents and Settings\<Username>\Local Settings\Temp and delete all the files that you find there. Do this for all Usernames on your system (replace username with the actual name of the users that log into the Windows system)
5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.
6) Go to Start > Control Panel > Display.
Select the Desktop Tab, click on Customise Desktop... and then select the Web Tab.
Under Web pages: you should see a checked entry called Security info - or similar. Highlight this entry and then click the Delete button. Finally click OK > Apply > OK.
7) Empty the Recycle Bin.
8) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido.
* Click on Scanner and then Settings.
* Ensure that all the boxes are checked and that under What to scan?, "Scan every file" is selected and then click OK.
* Click on Complete System Scan and the scan will begin.
* While the scan is in progress you will be prompted to clean files, click OK.
* When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action with all infections" and also in the box next to "Create encrypted backup" then choose clean and click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen called Save report - click it.
* Save the report.txt file to your desktop.
* This may take some time to run, so let it run and do something else.
You can now close Ewido Anti-Malware.
Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!
9) Reboot/Restart into Normal Mode.
10) Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "3" and then <ENTER> to delete the "Trusted Zone".
When prompted "Restore Trusted Zone ?", press "Y" and then <ENTER>.
* Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection *
This will likely fix it.
One last note/edit: if at all possible, avoid using Internet Explorer. Try a browser like Firefox as IE is the gateway for 75% of all spyware infections (the remaining portion comes from "phished" emails -- where people pretend to be others and get you to download unsafe software).