The fixes listed here in this forum are fixes which relate to a specific fix, and only to a specific fix. Be warned these infections rarely come as one, but rather include any number of lessor or more vicious infections.

Users are advised to seek help in Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot beheld responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix, the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.

Look2Me Infection ComboFix now targets this infection
Symptoms:

Fix by Atribune
**********************************************************************************************
Please download Look2Me-Destroyer to your desktop.

• Close all windows before continuing.
• Double-click Look2Me-Destroyer.exe to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from this link and place it in your C:\Windows\System32 Directory.

SmitFraudFix By S!Ri WIN2K\XP
Symptoms:

This infection is also called 'Zlob'.
***********************************************
Option 1: Search
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Option 2: Fix
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

Please download Malwarebytes' Anti-Malware from here and save it to your desktop. If you're using IE7 you may get prompted to allow the download, please do so.

• Double-click mbam-setup.exe icon: and when the download dialog box appears, please tick the 'Launch Malwarebytes' Anti-Malware when download completes' as displayed:
• Select your language when this option is displayed.
• Follow default installation instructions
• Decide if you would like a 'Start Menu' folder created when this option is displayed
• Choose your options of preference on the 'Select Additional Tasks' screen
• Review your choices at the 'Ready To Install' screen
• At the end, be sure a checkmark is placed next to 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' as displayed here:
• Then click the button
• Please read the information box when it appears and click the button
• Please allow access via your firewall if an alert is presented to you
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select 'Perform full scan' as displayed here:
• Then click button
• When the scan is complete, you will be presented with a message as such, click the button then click the Show Results' button
• Be sure that each item has its box ticked, and click 'Remove Selected'.
• When completed, a log will open in Notepad. Please save it to your desktop for easy access. Copy the contents of the file and paste it back into your thread for review. The log is also default saved to the following location: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the MBAM report and a new HijackThis log.

Warning : running option #2 on a non infected computer will remove your Desktop background

VUNDO FIX BY WIN2K\XP ATRIBUNE
Symptoms:

***********************************************

Please download VundoFix.exe to your desktop.

• Double-click *VundoFix.exe* to run it.
• Click the *Scan for Vundo* button.
• Once it's done scanning, click the *Remove Vundo* button.
• You will receive a prompt asking if you want to remove the files, click *YES*
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click *OK*.
• Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.

Sometimes VundoFix does not get all the files, in these instances you need to manually add them for removal:
ADD FILES
Double click the Vundofix.exe to run it.

• Right click in the vundofix white window and click 'Add more files?'
• Enter the following file path(s) to be deleted and click the [Add Files] button, then hit the [Close Window] button:
• Click the [Remove Vundo] button and let Vundofix run.

Once it has run, reboot and post a fresh HJT log please.

Wareout Fix by LonnyJones Win2K\XP
Symptoms:


**********************************************************************************************
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
Subratam
Bleeping Computing

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.

Nail/epolvy/dsr bundle by Lavasoft
Symptoms:
**********************************************************************************************
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

ComboFix By Subs & Tutorial by Bleeping Computer

Bleeping ComboFix tutorial
Run ComboFix:

SDFix by AndyManchesta

Tis tool targets a huge list of files numbered in the hundreds and covers so many variants of bots, spam bots, proxies, back doors that it's too long to list here. Instead you can view the change log

The tool fixes several registry entries which get changed, such as disabling any of the following tasks:

• Task manager
• Registry editor
• Run command

===============================================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

No LOP, LOP infection removal tool.

While this infection does not pop up too often, the newer variants are tricky. This tool looks in the right places to delete the proper files.

Please Download NoLop.exe to your desktop.

• First close any other programs you have running as this will require a reboot
• Double click NoLop.exe to run it
• When scanning is finished you will be prompted to reboot only if infected, Click OK
• Now click the "REBOOT" Button.
• A Message should popup from NoLop if not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log

Note:If you receive the error, that mscomctl.ocx or one of its dependencies are not correctly registered, please download this file to your system32 folder then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

Soemtimes No LOP can't get the jobs listed in task scheduler folder, then we need to run this tool below:
Download Deljob.exe and save it to your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop
Post the contents of the logfile in your next reply together with a new HijackThis log.
===============================================