15 Posts

April 17th, 2006 16:00

Correction on my original post: It should say I can't enable McAfee Virus Scan

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 18:00

daclueguy,

We cannot use HijackThis yet until you move it to a folder of its own.
Right-click on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or whatever)
Right-click HijackThis.exe, choose Cut.
Double-click (to open) the folder you created.
Right-click inside and choose Paste.

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, unselect the Turn on real-time protection check box
* Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please run these 3 scans:
Please download, install, and scan with Ad-Aware SE 1.06 Personal.
http://lavasoft.element5.com/support/download/

If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

* General Button > Safety & Settings: Check (Green) all three.
* Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.

3) To start the scan, Click > "Scan Now" at left

4) Run a full system scan with Ad-Aware SE
Select the objects you want to add to the ignore list in the Scan Summary, Critical Objects, or Negligible Objects lists on the Scanning Results screen.
**You are running McAfee. Any McAfee entries listed need to be added to the ignore list!

Right click and select "Add selected to ignore list"
A pop-up window showing the number of objects that will be added to the ignore list opens. Click "OK" to continue.

The object is now added to the Ignore List. Run a new scan to select the remaining objects to be quarantined.

* Click Next to remove the objects selected, and click OK at the prompt.
* Restart the computer.

Download, install and scan with Spybot S&D 1.4.
http://www.safer-networking.org/en/index.html

(If you have an older version, let me know, and do not uninstall the old version until I can give you instructions for doing so.)
1. When you install Spybot 1.4 be sure to UNCHECK TeaTimer when presented with the option to install.
2. Run Spybot, go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
3. Click the button "Search for Updates".
4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates".
5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
6. Click the button "Check for Problems".
7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
8. Make certain there is a check mark beside all of the RED entries ONLY.
9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
10. REBOOT to complete the scan and clear memory.

Note: After Windows loads, Spybot may run again to clean some files that it could not clean during the prior session. Follow the same procedure.


Please Download and Install Ewido --

1. Download Ewido security suite from http://download.ewido.net/ewido-setup.exe
2. After the download is complete, double click on the file to launch the install process.
3. During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
4. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
5. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.

Once the updates are installed do the following:

Please reboot into Safe Mode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

When your computer is booted into Safe Mode, then continue.

6. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
7. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
8. On the main screen, please select 'Complete System Scan' and the scan should begin.
9. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to 'Perform action on all infections' in the box. Doing this enables the scan to proceed automatically until its completion. Click OK.
10. When the scan is complete, click "Save Report".
Your scan results will be saved in a textfile. Please submit that with your next post.

If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:

1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days; that is why we are not installing the guard, so it will not interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Finally, please post your report from Ewido and a fresh HijackThis log.

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 19:00

Do not install Spybot 1.4 until I have a chance to post the uninstall for 1.3 or you will have more problems. I'll be back in a few minutes!

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 19:00

Okay, here we go...

To uninstall Spybot-S&D 1.3:
Go into Spybot > Immunize
Click "Undo" button (at the top)
Uncheck (if checked) the following:
"Enable permanent blocking of bad addresses in Internet Explorer"

Go into Spybot > Mode > Advanced Mode > Tools > Resident
Uncheck (if checked) the following:
Resident "TeaTimer" (Protection of over-all system settings) Active.

Go into Spybot > Mode > Advanced Mode > Tools > IE Tweaks.
Uncheck (if checked) any of the following "Miscellaneous locks":
Lock Hosts file read-only as protection against hijackers
Lock IE start page setting against user changes (current user)
Lock IE control panel against opening from within IE (current user)


Go into Spybot > Mode > Advanced Mode > Tools > Hosts file
Click the "Remove Spybot S&D hosts list" button (at the top)

Exit Spybot-S&D
Make sure that TeaTimer is not running by checking for the TeaTimer System Tray Icon. If the icon is there:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident. TeaTimer should close.

Go to Windows > Control panel > Add or Remove Programs > Locate "Spybot – Search & Destroy 1.3" > Remove.
Using Windows Explorer, verify that the following folder has been deleted. If not, delete it: C:\Program Files\Spybot - Search & Destroy

Reboot.
Now install version 1.4 :)
Do not change the default installation path of: C:\Program Files\Spybot - Search & Destroy

15 Posts

April 17th, 2006 19:00

I have and am running Ad-Aware with the settings you mentioned. I also have Spybot but it is version 1.3; please advise on proper uninstall. Do I download new version first or uninstall first?

I have located same symptoms in a MS forum concerning blank dialog boxes:

http://support.microsoft.com/?kbid=831430

As soon as you advise on Spybot, I'll complete that scan.

Thanks in advance.

15 Posts

April 17th, 2006 20:00

Sorry... I already downloaded and ran Version 1.4; 1.3 seems to have disappeared. Can't locate it in Add/Remove area of control panel. Also, I apparently have a Smitfraud-C infection that Spybot can't delete. Let it run again upon restart and still can't get rid of it. 27 items. I'll wait for further instructions.

Thanks for your help.

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 21:00

You did not include a report from Ewido as I requested, so I assume you did not download Ewido, and we still cannot do anything with HijackThis until I can see a HijackThis log so I can verify that it is in the correct location.

Please follow these instructions EXACTLY:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Please download the trial version of Ewido anti-malware from here:
http://www.ewido.net/en/download/

* Install Ewido anti-malware.
* When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
* When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
* The program will prompt you to update. Click the Ok button.
* The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

* On the left-hand side of the main screen click the Update Button.
* Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido. This time, do not run a scan yet.

If you are having problems with the updater, you can use this link to manually update Ewido: http://www.ewido.net/en/download/updates/
Make sure to close Ewido before installing the update.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
Please post that log along with a fresh HijackThis log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 22:00

When your unzipping program asks where you want to extract the files to, browse to the desktop and select that location.
(You are using an "evaluation copy" of WinZip? XP should be able to do that without having to install an unzipping program.)

15 Posts

April 17th, 2006 22:00

I'm confused here... I'm not sure what you mean by extracting the files to my desktop. Also, when I unzip the files then...?????? Keep in mind I'm working through Mozilla so I'm not exactly sure what I'm supposed to be doing.

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 22:00

If the files were unzipped to your desktop, you will have a folder created that we will work from.
Don't worry about McAfee. It just doesn't recognize those files. Ignore McAfee.

Message Edited by Bugbatter on 04-17-2006 06:25 PM

3 Apprentice

 • 

20.5K Posts

April 17th, 2006 22:00

Perhaps McAfee removed it.
Delete SmitfraudFix and redownload it. Go offline. Disable McAfee. Most likely it is a right-click on the McAfee icon in your systray by the clock > then Disable (or something similar).
Unzip ALL the files again and see if smitfraudfix.cmd is in there.
Reboot and make sure McAfee is running again.

Then proceed with the instructions.

These fixes need to be done step-by-step exactly as written, or they may not work. Once we start, do not try to go online unless instructed to, or we may have to start all over again.

15 Posts

April 17th, 2006 22:00

How do I unzip to desktop? I'm feeling like such an idiot here

15 Posts

April 17th, 2006 22:00

I got the SmitfraudFix on my desktop and then installed Ewido. When I click on Smitfraud I get the WinZip window. Try to open using evaluation version but keep getting McAfee warning of suspect file and suggests a scan (which I can't do anyhow). Any suggestions or what am I doing wrong here?

15 Posts

April 17th, 2006 22:00

Okay, I've got folder on desktop but when I open there is nothing in it with cmd.

15 Posts

April 17th, 2006 23:00

I can't disable McAfee.. I really think this is the root of my problem. I downloaded smitfraudfix, "turned off" McAfee, went offline, and then unzipped to my desktop; no file with cmd. To make matters worse, I keep getting the McAfee warning of suspect file. The whole problem began after the McAfee tray icon went to black (indicating something was not enabled) and I couldn't get it back to red despite clicking on the "enable" for the virus scan. Obviously it is still working despite my attempts to turn it off. I even tried to uninstall yesterday but it indicates the uninstall can't be done.

As I mentioned a few posts ago, I see where someone else is experiencing the same problem. (The post, with my reply, is located at Forum Home > Software > Windows XP > Blank dialogue boxes and messed up IE, WMP ).

I realize I also apparently have a smitfraud problem, but I'm beginning to wonder if I shouldn't just nuke the hard drive.