Hi
Lets get rid of theses two infections first


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually..
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with your next reply and a new HJT log.


Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. Click the "Scan for Vundo" button.
3. Once it's done scanning, click the "Remove Vundo" button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, VundoFix will prompt that it will shutdown your computer; click "OK".
7. Turn your computer back on.
8. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

I still cant get Safe mode to work.

The same thing is happening as what I wrote earlier.

I press F8 but the screen just goes blank.

I have a feeling something is stopping me from entering it.

Any Ideas?

Do you keep tapping F8 or do it just once...See how you go by doing the fix in normal mode ...

I was tapping it repeatedly.

I will try the fix and get back to you!

Ok here are the log files from the first stage of that fix.

Good new is that my Homepage doesnt seem to be hi-jacked anymore.

I will proceed with stage two of the fix, and keep checking back here.

The folder Win32 opned again on startup?

Attached Files

	rapport.txt (2.2 KB, 1 views)
	hijackthis.log (5.6 KB, 1 views)

Looks like we have fixed the main infection so just a bit to clean up now..


Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com



Open Windows Explorer and delete the following highlighted file/s

C:\WINDOWS\system32\hvcycg.dll