Dozens of explorer windows opening unexpectedly

Essex Hammer · 05-25-2006

I have four xp users on my pc. Three of them are fine generally but my wife's session has a major problem :

If she clicks on a link in Outlook OR if she clicks on a link in our preferred web browser (Mozilla) the computer freezes for a few minutes and then anything from 55 to 65 Internet Explorer windows open !

Hengis · 05-26-2006

Welcome to the forum

I think it's a good idea for you to click on the [Pre-Work] link below in my signature and follow the instructions in there.

Essex Hammer · 05-27-2006

Originally Posted by Hengis

Welcome to the forum

I think it's a good idea for you to click on the [Pre-Work] link below in my signature and follow the instructions in there.

Thank you so much for all of those links in the prework tab. It always amazes me how much rubbish has found it's way on to my pc.

I can confirm that after a reboot I went into an email on my wife's Outlook session and clicked alink to unsubscribe to a web site and the same thing happened as has been happening......55 Internet Explorer windows opened and the computer froze

I'll post all the logs as requested and wait for you to tell me what to do next

joe5 · 05-27-2006

Hya Essex Hammer.

I see you have two AV's running at the same time , that can cause performence and conflict problems to have more then one running realtime. I would uninstall or disable one of them.

And to make sure the SpyFalcon infection that Spysweeper detected is fully removed please follow these instructions:

NOTES:

Even if you do not find some (or all) of the files mentioned or you do not see SpywareQuake (or SpyFalcon....etc) in Add/Remove programs or the folder for it, just continue with ALL steps thru to the end.
In the below instructions the %System32% text is an abbreviation for your either c:\Windows\System32 or c:\Winnt\System32 It depends on how/where you installed your Windows OS. Thus %System32%\stickrep.dll means either C:\Windows\System32\stickrep.dll or C:\Winnt\System32\stickrep.dll
Some of the items being deleted by this procedure are not Smitfraud family related but the fit into the area for removal.

Now copy the contents of the below Quote Box to Notepad. Then click File and then Save
As. Change the Save as Type to All Files. Name the file fixquake.reg and then click save. it to your Desktop. We will use it later
after a reboot into safe mode.

Code:

REGEDIT4
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}]

[-HKEY_CURRENT_USER\CLSID\{786c369d-409a-456f-a13c-971eada850c6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0c7416f0-dd23-420f-97f5-aae352ea2bf1}"=-
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=-
"{336ec37f-54bf-4f13-8237-03f64fa591e7}"=-
"{35A88E51-B53D-43E9-B8A7-75D4C31B4676}"=- 
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"=-
"{64ba30a2-811a-4597-b0af-d551128be340}"=-
"{786C369D-409A-456f-A13C-971EADA850C6}"=-
"{87A3E824-A726-4CF4-8A66-6314B11BDA0C}"=-
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"=-
"{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}"=-
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"=-
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"=-
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"=-
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
"{e04408db-4812-4478-8d4d-e46edcffd3b6}"=-
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=-
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"dcomcfg.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5C70510-5A01-B2A5-CF84-D6DC13859967}]

[-HKEY_CLASSES_ROOT\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}]
[-HKEY_CLASSES_ROOT\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7}]
[-HKEY_CLASSES_ROOT\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CLASSES_ROOT\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}]
[-HKEY_CLASSES_ROOT\CLSID\{{64ba30a2-811a-4597-b0af-d551128be340}]
[-HKEY_CLASSES_ROOT\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}]
[-HKEY_CLASSES_ROOT\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_CLASSES_ROOT\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}]
[-HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}]
[-HKEY_CLASSES_ROOT\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}]
[-HKEY_CLASSES_ROOT\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}] 
[-HKEY_CLASSES_ROOT\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}] 
[-HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}] 
[-HKEY_CLASSES_ROOT\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}] 
[-HKEY_CLASSES_ROOT\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}]

Now download smitRem.exe written by noahdfear and save the file to your Desktop.
Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop.
(this should be the default selection). Do not run anything else related to the program yet!
Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary
because you must not have any browers open and must not connect to the internet while following the below steps.
Now disconnect your cable to the internet (physically unplug it).
After saving the instructions, reboot into Safe mode
Now once in safe mode, goto Add/Remove programs and uninstall Spyware Quake and/or SpyFalcon (if they are found).
Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to
the Desktop) and when it prompts to Add in to the registry, say yes.
Run Windows Explorer by right clicking Start & Select Explore
Navigate to your %System32% folder C:\Windows\system32 )or C:\Winnt\system32 depending on how/which OS you have installed.)
Look for the following files based upon where you have Windows installed:
- %System32%\__delete_on_reboot__stickrep.dll
- %System32%\dvdcap.dll
- %System32%\dxmpp.dll
- %System32%\fyhhxw.dll
- %System32%\ginuerep.dll
- %System32%\oerucu.dll
- %System32%\oqipt.dll
- %System32%\reglogs.dll
- %System32%\sbnudh.dll
- %System32%\sivudro.dll
- %System32%\stickrep.dll
- %System32%\suprox.dll
- %System32%\twain32.dll
- %System32%\wfkduei.dll
- %System32%\xenadot.dl

When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD We will fully delete the files later.

Now open the smitRem folder on your Deskop, double click on it to access the folder, then double click the RunThis.bat file to start
the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis
.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe
mode.
The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, eg;
Local Disk C: or partition where your operating system is installed. Upload this file later after reboot.
Now reboot your system into normal mode.
Now after reboot relocate the DLL files we renamed with a DDD extension in the above step and delete them. If you have a
problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later.
Also delete the below files and folders if found:
- C:\Program Files\AdwareSheriff
- C:\Program Files\Spyware Quake
- C:\Program Files\SpywareQuake.com
- C:\Program Files\SpyFalcon
- C:\Windows\System\1024 (or C:\Winnt\System\1024 )
- %System32%\1024
- %System32%\appmagr.dll
- %System32%\autodisc32.dll <--- this is TX 4 BrowserAd adware
- %System32%\atmclk.exe
- %System32%\barseek.dll
- %System32%\biasfardihuy.dll
- %System32%\birdasfihuy32.dll
- %System32%\dcomcfg.exe
- %System32%\dfrgsrv.exe
- %System32%\hp????.tmp ( where ???? is any 4 random characters)
- %System32%\ld???? .tmp ( where ???? is any 4 random characters)
- %System32%\mssearchnet.exe
- %System32%\msvol.tlb
- %System32%\ncompat.tlb
- %System32%\nvctrl.exe
- %System32%\ot.ico
- %System32%\regperf.exe
- %System32%\shdocvn.dll
- %System32%\simpole.tlb
- %System32%\stdole3.tlb
- %System32%\svcnt32.exe
- %System32%\ts.ico
- C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User
  Account] is the actual user account name you are logged into.
Reconnect your cable to the internet.
Now attach your smitfiles.txt log to a post here.

And could you post the Ewido scanning log aswell?

Essex Hammer · 05-28-2006

Hiya Joe
1) my apologies for attaching the wrong scan

2) none of the dll files were found in the system32 folder
3) none of the other files listed were found either
4) the disk cleanup lasted two seconds (can that be right ?)
5) Can I confirm that you think I have AVG and Symantec running ? Which one would you recommend that I keep please ?

SMitfiles scan attached to this reply but Ewido scan is apprently too big (?!) so I'll send it in a separate reply

Good night for now. I will donate some money when this is finished but until then ......just a big...THANKS !

Essex Hammer · 05-28-2006

Here is the Ewido Scan in three parts

Hengis · 05-28-2006

Thanks, I am sure that Joe will be right back onto this as soon as he comes online

05-25-2006	#1
Essex Hammer Bronze Member Join Date: May 2006 Location: Essex,England Posts: 35	Dozens of explorer windows opening unexpectedly I have four xp users on my pc. Three of them are fine generally but my wife's session has a major problem : If she clicks on a link in Outlook OR if she clicks on a link in our preferred web browser (Mozilla) the computer freezes for a few minutes and then anything from 55 to 65 Internet Explorer windows open !

05-26-2006	#2
Hengis PCHF Founder & Owner Join Date: Jan 2004 Location: The PCHF Bunker Posts: 14,069 PC Experience: Microsoft Certified Professional	Welcome to the forum I think it's a good idea for you to click on the [Pre-Work] link below in my signature and follow the instructions in there. __________________ Pre-Work / System File Checker / Promote PCHF!

05-27-2006	#4
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,025	Hya Essex Hammer. I see you have two AV's running at the same time , that can cause performence and conflict problems to have more then one running realtime. I would uninstall or disable one of them. And to make sure the SpyFalcon infection that Spysweeper detected is fully removed please follow these instructions: NOTES: Even if you do not find some (or all) of the files mentioned or you do not see SpywareQuake (or SpyFalcon....etc) in Add/Remove programs or the folder for it, just continue with ALL steps thru to the end. In the below instructions the %System32% text is an abbreviation for your either c:\Windows\System32 or c:\Winnt\System32 It depends on how/where you installed your Windows OS. Thus %System32%\stickrep.dll means either C:\Windows\System32\stickrep.dll or C:\Winnt\System32\stickrep.dll Some of the items being deleted by this procedure are not Smitfraud family related but the fit into the area for removal. Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and then click save. it to your Desktop. We will use it later after a reboot into safe mode. Code: REGEDIT4 [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}] [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}] [-HKEY_CURRENT_USER\CLSID\{786c369d-409a-456f-a13c-971eada850c6}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{0c7416f0-dd23-420f-97f5-aae352ea2bf1}"=- "{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=- "{336ec37f-54bf-4f13-8237-03f64fa591e7}"=- "{35A88E51-B53D-43E9-B8A7-75D4C31B4676}"=- "{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"=- "{64ba30a2-811a-4597-b0af-d551128be340}"=- "{786C369D-409A-456f-A13C-971EADA850C6}"=- "{87A3E824-A726-4CF4-8A66-6314B11BDA0C}"=- "{89aef01d-d237-49c7-84dc-4e1904c1fd31}"=- "{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}"=- "{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"=- "{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=- "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"=- "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"=- "{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=- "{e04408db-4812-4478-8d4d-e46edcffd3b6}"=- "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=- "{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpywareQuake"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpyFalcon"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run] "dcomcfg.exe"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake.com] [-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com] [-HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A932ED2-1737-4AB8-B84D-C71779958551}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{7A932ED2-1737-4AB8-B84D-C71779958551}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5C70510-5A01-B2A5-CF84-D6DC13859967}] [-HKEY_CLASSES_ROOT\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}] [-HKEY_CLASSES_ROOT\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}] [-HKEY_CLASSES_ROOT\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7}] [-HKEY_CLASSES_ROOT\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}] [-HKEY_CLASSES_ROOT\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}] [-HKEY_CLASSES_ROOT\CLSID\{{64ba30a2-811a-4597-b0af-d551128be340}] [-HKEY_CLASSES_ROOT\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}] [-HKEY_CLASSES_ROOT\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}] [-HKEY_CLASSES_ROOT\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}] [-HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}] [-HKEY_CLASSES_ROOT\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}] [-HKEY_CLASSES_ROOT\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}] [-HKEY_CLASSES_ROOT\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}] [-HKEY_CLASSES_ROOT\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}] [-HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}] [-HKEY_CLASSES_ROOT\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}] [-HKEY_CLASSES_ROOT\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}] Now download smitRem.exe written by noahdfear and save the file to your Desktop. Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop. (this should be the default selection). Do not run anything else related to the program yet! Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browers open and must not connect to the internet while following the below steps. Now disconnect your cable to the internet (physically unplug it). After saving the instructions, reboot into Safe mode Now once in safe mode, goto Add/Remove programs and uninstall Spyware Quake and/or SpyFalcon (if they are found). Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes. Run Windows Explorer by right clicking Start & Select Explore Navigate to your %System32% folder C:\Windows\system32 )or C:\Winnt\system32 depending on how/which OS you have installed.) Look for the following files based upon where you have Windows installed: %System32%\__delete_on_reboot__stickrep.dll %System32%\dvdcap.dll %System32%\dxmpp.dll %System32%\fyhhxw.dll %System32%\ginuerep.dll %System32%\oerucu.dll %System32%\oqipt.dll %System32%\reglogs.dll %System32%\sbnudh.dll %System32%\sivudro.dll %System32%\stickrep.dll %System32%\suprox.dll %System32%\twain32.dll %System32%\wfkduei.dll %System32%\xenadot.dl When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD We will fully delete the files later. Now open the smitRem folder on your Deskop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis .bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode. The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, eg; Local Disk C: or partition where your operating system is installed. Upload this file later after reboot. Now reboot your system into normal mode. Now after reboot relocate the DLL files we renamed with a DDD extension in the above step and delete them. If you have a problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later. Also delete the below files and folders if found: C:\Program Files\AdwareSheriff C:\Program Files\Spyware Quake C:\Program Files\SpywareQuake.com C:\Program Files\SpyFalcon C:\Windows\System\1024 (or C:\Winnt\System\1024 ) %System32%\1024 %System32%\appmagr.dll %System32%\autodisc32.dll <--- this is TX 4 BrowserAd adware %System32%\atmclk.exe %System32%\barseek.dll %System32%\biasfardihuy.dll %System32%\birdasfihuy32.dll %System32%\dcomcfg.exe %System32%\dfrgsrv.exe %System32%\hp????.tmp ( where ???? is any 4 random characters) %System32%\ld???? .tmp ( where ???? is any 4 random characters) %System32%\mssearchnet.exe %System32%\msvol.tlb %System32%\ncompat.tlb %System32%\nvctrl.exe %System32%\ot.ico %System32%\regperf.exe %System32%\shdocvn.dll %System32%\simpole.tlb %System32%\stdole3.tlb %System32%\svcnt32.exe %System32%\ts.ico C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User Account] is the actual user account name you are logged into. Reconnect your cable to the internet. Now attach your smitfiles.txt log to a post here. And could you post the Ewido scanning log aswell? __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

05-28-2006	#7
Hengis PCHF Founder & Owner Join Date: Jan 2004 Location: The PCHF Bunker Posts: 14,069 PC Experience: Microsoft Certified Professional	Thanks, I am sure that Joe will be right back onto this as soon as he comes online __________________ Pre-Work / System File Checker / Promote PCHF!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode