* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU). Read here how to unzip/extract properly: http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe.
Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL: http://metallica.geekstogo.com/alcanshorty.bfu
Click OK. Then click Execute in Brute Force Uninstaller.
Extra note: If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window. Browse to the script you downloaded, click OK and then Execute in Brute Force Uninstaller.
Wait for the complete script execution box to pop up and press OK. Press Exit to terminate the BFU program.
* Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop. Don't use it yet.
Please download VundoFix.exe to your C:\.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, Right click the list box (white box) in the main VundoFix window.
- Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
- In the window, copy and paste the following into the first field: C:\WINDOWS\SYSTEM32\khfggfd.dll
- Copy and paste the following into the second field: C:\WINDOWS\system32\pmkkh.dll
- Copy and paste the following into the third field: C:\WINDOWS\SYSTEM32\winier32.dll
- Click the “Add Files” button.
- Click the "Close Window" button.
- Click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
* Reboot into Safe Mode (without networking support!):
- To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865************3A} - blank (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\khfggfd.dll
O2 - BHO: (no name) - {EDE3AAE4-19C7-412C-A2B4-D3986CBEE954} - C:\WINDOWS\system32\pmkkh.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865************3A} - blank (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: khfggfd - C:\WINDOWS\SYSTEM32\khfggfd.dll
O20 - Winlogon Notify: pmkkh - C:\WINDOWS\system32\pmkkh.dll
O20 - Winlogon Notify: winier32 - C:\WINDOWS\SYSTEM32\winier32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
* Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, Click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Cache).
- Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle Bin:
- Go to start > run and type: cleanmgr and click ok.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
* Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.
Post a new HijackThis log together with the contents of rapport.txt, which is present on your Homedrive (C:\ in most cases), and the log from VundoFix (C:\vundofix.txt).
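As an added example (not part of the original post or of any of the tools it names), a small Python parser for HijackThis log lines like the ones listed above: it pulls the section code, CLSID, file path and URL out of each entry, and flags DLLs hooked from more than one load point (the O2 BHO plus O20 Winlogon Notify pairing seen for khfggfd.dll and pmkkh.dll) as well as entries whose file is already missing. The sample lines are copied from the post; the regexes are my own assumption about the log layout, not a format spec from HijackThis.

```python
import re

# Sample HijackThis entries, copied from the post above (constructed test input).
HJT_LOG = r"""
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865************3A} - blank (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\khfggfd.dll
O2 - BHO: (no name) - {EDE3AAE4-19C7-412C-A2B4-D3986CBEE954} - C:\WINDOWS\system32\pmkkh.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865************3A} - blank (file missing)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: khfggfd - C:\WINDOWS\SYSTEM32\khfggfd.dll
O20 - Winlogon Notify: pmkkh - C:\WINDOWS\system32\pmkkh.dll
O20 - Winlogon Notify: winier32 - C:\WINDOWS\SYSTEM32\winier32.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Assumed layout: "<section> - <kind>: <details>", with an optional {CLSID}, drive path or URL.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[^}]+\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|cab)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def parse_entry(line):
    """Split one HijackThis line into section code, item kind, CLSID, file path and URL."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, kind, rest = m.groups()
    clsid, path, url = (rx.search(rest) for rx in (CLSID_RE, PATH_RE, URL_RE))
    return {
        "code": code,
        "kind": kind,
        "clsid": clsid.group(0).lower() if clsid else None,
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
        "file_missing": "(file missing)" in rest,
    }


def parse_log(text):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def review(entries):
    """Return (multi_hooked, orphans): file names registered under more than one
    load point, and (code, clsid-or-path) for entries whose file no longer exists."""
    by_file = {}
    for e in entries:
        if e["path"]:
            by_file.setdefault(e["path"].rsplit("\\", 1)[-1].lower(), set()).add(e["code"])
    multi_hooked = sorted(name for name, codes in by_file.items() if len(codes) > 1)
    orphans = sorted((e["code"], e["clsid"] or e["path"]) for e in entries if e["file_missing"])
    return multi_hooked, orphans
```

Running `review(parse_log(HJT_LOG))` on the sample returns the two DLLs that appear both as a BHO and as a Winlogon Notify hook, and the three entries still pointing at files that are gone.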