adware punisher...helpp!!!

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

Also run this and attach the smitfiles.txt log: SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal





After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

 

Just run all the steps including something I just added to the steps below and we will get it fixed.

 

Well then in reality you did not do the steps.

You need to get the SmitRem program mentioned in the SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal thread onto the PC some how and run the steps. Download it onto another PC (a friends etc) and copy to CD, flashdirve, floppy disk (whatever you can get) and run it on the infected system.

 

Make sure you have unplugged the cable to the internet before trying. Also boot into safe mode and kill all unnecessary processes before running.

But the key file you need now is not in the normal READ ME. You need the SmitRem.exe program from the SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal link.

 

Huh???? Could you rewrite that more clearly?

It does not tell you to use Panda to look for any EXE files. The Panda scan is done after you are finished deleting files using Windows Explorer.

Are you trying to tell me you don't know what Windows Explorer is?????? Your kidding right!

Here is one way to open Windows Explorer: Right click Start and select Explore

 

You need to post the smitfiles.txt log!

The step after Panda is:

Now please attach the smitfiles.txt and PandaActiveScanlog to your next reply. And also tell us how things are working.

 

It's possible! But if we find all the files maybe it will not be as bad.

Here are a few of the problems (and will will have to add these to that link I gave you to be fixed/deleted while running SmitRem):
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\SYSTEM32\intxt.exe
C:\WINDOWS\adw.htm

We will fix these below!

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\Program Files\EmpirePoker\EmpirePoker.exe
C:\WINDOWS\system32\shell386.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\SYSTEM32\intxt.exe
C:\WINDOWS\adw.htm
C:\Program Files\EmpirePoker <-- the folder
C:\Program Files\MyWaySA <-- the folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\system32\winapi32.dll

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\MyWaySA <--- delete the whole folder if still there
C:\WINDOWS\system32\winapi32.dll

Additional step to delete intxt.exe:
- Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt windows.
- Enter the following command lines each followed by the enter key
cd C:\WINDOWS\SYSTEM32
attrib -r -h -s intxt.exe
del intxt.exe
attrib -r -h -s stoprunning.exe
del stoprunning.exe
exit


Let me know how these deletions go!
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Okay but have we resolved your issues with AdwarePunisher?

 

That's why I had it in the procedure to be deleted!

Windows Task Manager is not very useful in displaying all running processes. It also does not tell you where the file is running from (the path to the file). That is why we use the one in HijackThis. An even better one is Process Explorer

You should work thru the below link:

How to Protect yourself from malware!