Hi,
Here we go.. please print this off, as it will be easier to follow.
You’ve been hijacked by CoolWebSearch. Please go
here and download, unzip and then open CoolWebShredder (stand alone version). Then click on the
Updates button and follow the prompts. Next, run the program by clicking on the
Fix-> button.
Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. (Some may no longer be present after running the above) Next, close
all browser windows and click the
Fix checked button…
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartfinder.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/
O4 - HKLM\..\Run: [FontsLoader] C:\WINDOWS\Fonts\ldfnt32.hta
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [httpd] C:\WINDOWS\msgaol.exe /i
O4 - HKLM\..\Run: [QTSvc] C:\WINDOWS\shman.exe /i
O4 - HKLM\..\Run: [Windows Sound System] sndsys.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKLM\..\Run: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKLM\..\RunServices: [Windows Sound System] sndsys.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [System Configurati0n] SysCgfig.exe
O4 - HKLM\..\RunServices: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKLM\..\RunOnce: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [System Configurati0n] SysCgfig.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
Next, please double click on the
My Computer icon on the desktop. Go to
Tools | Folder Options, click on the
View tab and make sure that
Show hidden files and folders is checked. Also uncheck
Hide protected operating system files. Now click
Apply to all folders, then click
Apply then
OK.
Next please find and delete the following
bolded files...
C:\WINDOWS\Fonts\
ldfnt32.hta
C:\WINDOWS\
csrss.exe
C:\WINDOWS\
msgaol.exe
C:\WINDOWS\
shman.exe
C:\WINDOWS\System32\
sndsys.exe
C:\WINDOWS\System32\
winproxy.exe
C:\WINDOWS\System32\
SysCgfig.exe
C:\WINDOWS\System32\
cdaccess.exe
C:\WINDOWS\System32\
smsss.exe
(
Please check the file path and spelling for each very carefully before deleting. They are spelt like this in order to make them look legit.)
If you have rebooted since posting this, then there is a chance that some/all of the file names have morphed in the meantime.. but that's life. We'll just start again.. at least it won't be as difficult to spot them next time.. :)
Then boot into safe mode, (see
here for info if needed) and delete the entire contents of the C:\Windows\
Temp (or C:\WINNT\
Temp) folder, but
not the folder itself.
Then please boot back into normal mode and download AdAware SE from
here.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.
Next, we need to configure Ad-aware for a full scan.
Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file
· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed
3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information
4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot
5. Click on Proceed to save the settings.
6. Click Start and on the next screen choose:
· Use Custom Scanning Options
7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Next, please reboot again and download Spybot - Search & Destroy 1.3 from
here: if you haven't already got the program.
Click on
Updates | Download Updates, and follow the prompts.
Next, close all Internet Explorer windows, and click
Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in
RED.
Next reboot and go
here, and run the online virus scan; choosing the
Autoclean option just before clicking the
Scan button. Then please post a new log for a final once over.
I'm odff out this evening, but I'll check up on your progress later on. :)
Cheers
Liam