Hi again, we'll continue
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
- Go to My Computer
- Select the Tools menu and click Folder Options
- Click the View tab.
- Checkmark the "Display the contents of system folders"
- Under the Hidden files and folders select "Show hidden files and folders"
- Uncheck "Hide protected operating system files"
- Click Apply, then OK, and close My Computer.
==================
Backup Your Registry with ERUNT:
Note: to restore your registry, go to the backup folder and start ERDNT.exe
- Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
- Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
- Inside the new folder, double-click ERUNT.exe to start the program
- OK all the prompts to back up your registry to the default location.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
Make sure there are NO blank lines before REGEDIT4:
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
Restart your computer.
Open "My Computer" and delete the following files (if present):
C:\WINDOWS\system32\arpl.exe
C:\23100247.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\ntsystem.exe
Use the Windows search. BE CAREFUL WITH THE FILENAMES. Checkmark these options:
- Start
- Search
- All files and folders
- More advanced options
- "Search system folders"
- "Search hidden files and folders"
- "Search subfolders"
- Search for this and delete if found: ntoskrnl.dll
- Search for this and delete if found: xlibgfl254.dll
- Search for this and delete if found: append.dll
Run ATF Cleaner
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
- Restart your computer
- Start tapping the F8 key when the computer restarts.
- When the start menu opens, choose Safe mode
- Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, you should now mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, check whether you can click the next icon next to the files found
- If so, click it and then click the next icon right below and select Move incurable
- After the scan, in the menu, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot the computer in Normal Mode.
- Post the CureIt report and a fresh HijackThis log
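The two persistence points the post above cleans by hand (the SecurityProviders value, which loads an attacker DLL into every process that uses SSPI, and the HKLM Run key) can be audited with a script instead of by eye. The following is an added example, not part of the helper's post or any tool it names. The baseline DLL list is the one the post's Fix.reg writes and is only valid for the Windows XP system in this thread; the registry paths, function names and the use of Get-AuthenticodeSignature are the example's own choices, and the script assumes a PowerShell-capable Windows, which an XP machine of this era would not have had.

```powershell
# Added example (not from the original forum post). Audits the SecurityProviders
# value and the Run keys for entries that deviate from a baseline, and reports
# whether each unexpected DLL exists and is signed. Read-only: it changes nothing.

# Baseline copied from the Fix.reg in the post above (Windows XP of that era).
# On later Windows versions the default differs (e.g. it includes credssp.dll),
# so take the baseline from a known-good machine of the same version instead.
$BaselineProviders = 'msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll'

function Get-SecurityProviderDeviation {
    param(
        [string]$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders',
        [string[]]$Baseline = $BaselineProviders
    )
    $raw = (Get-ItemProperty -Path $RegPath -Name SecurityProviders).SecurityProviders
    # REG_SZ holding a comma-separated list; normalise case and whitespace before comparing.
    $current = $raw -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
    $unexpected = @($current  | Where-Object { $Baseline -notcontains $_ })
    $missing    = @($Baseline | Where-Object { $current  -notcontains $_ })
    [pscustomobject]@{ Raw = $raw; Unexpected = $unexpected; Missing = $missing }
}

function Get-ProviderDllStatus {
    # A bare DLL name in SecurityProviders is loaded from System32; check it there.
    param([Parameter(Mandatory)][string[]]$DllName)
    foreach ($name in $DllName) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        [pscustomobject]@{ Dll = $name; Path = $path; Exists = (Test-Path $path); Signature = $sig }
    }
}

function Get-RunKeyEntries {
    # Lists the autostart entries HijackThis reports as O4 lines, with the target path
    # extracted so it can be checked on disk.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            # Strip quotes and trailing arguments to recover the executable path.
            $target = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Command = $p.Value
                Target = $target; TargetExists = (Test-Path $target -ErrorAction SilentlyContinue)
            }
        }
    }
}

$dev = Get-SecurityProviderDeviation
"SecurityProviders = $($dev.Raw)"
if ($dev.Unexpected.Count) {
    "Unexpected providers (investigate):"
    Get-ProviderDllStatus -DllName $dev.Unexpected | Format-Table -AutoSize
}
if ($dev.Missing.Count) { "Baseline providers missing: $($dev.Missing -join ', ')" }
"Run key entries:"
Get-RunKeyEntries | Format-Table Key, Name, Target, TargetExists -AutoSize
```

Run it from an elevated PowerShell prompt before and after applying the fix: a clean result is an empty Unexpected list, no missing baseline entries, and no Run entry whose target lives under System32 with a random-looking name or that points to a file that no longer exists. An unexpected provider DLL that is unsigned or missing from disk is the strongest signal here; a signed one that is simply not in your baseline usually means the baseline was taken from the wrong Windows version.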