And Another....

Please do not use the paper clip to make attachments go inline. Just attach them without selecting inline.

Notice how I changed your attachments now.

 

Run this Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

And attach the smitfiles.txt log.

Why did you put the below in your hosts file:
O1 - Hosts: 194.130.106.133 lilthas01
O1 - Hosts: 194.130.106.134 qa.gb-en.music36.ioko.com
O1 - Hosts: 194.130.106.134 qa.ca-en.music36.ioko.com
O1 - Hosts: 194.130.106.134 qa.ca-fr.music36.ioko.com
O1 - Hosts: 194.130.106.134 qa.mx-es.music36.ioko.com
O1 - Hosts: 194.130.106.134 qa.sv-se.music36.ioko.com
O1 - Hosts: 194.130.106.135 gb-en.music36.ioko.com
O1 - Hosts: 194.130.106.135 ca-en.music36.ioko.com
O1 - Hosts: 194.130.106.135 ca-fr.music36.ioko.com
O1 - Hosts: 194.130.106.135 mx-es.music36.ioko.com

If still having problems afterwards, please describe them.

 

Look in Add/Remove programs and uninstall SpywareStrike . It is a rogue tool the will hijack your desktop.

 

Okay then download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

 

Do you know what the below is:
C:\Documents and Settings\Ciro Paradiso\Desktop\Access Members Area.exe


For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp897E.tmp
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe

After clicking Fix, exit HJT.
Run Windows Explorer and try to delete:
C:\Program Files\SpywareStrike <--- the whole folder


If it cannot be delete, boot in safe mode and kill the process again with HJT (if it is running) and then delete the C:\Program Files\SpywareStrike folder.

Also look for and delete the below:
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@www.spysheriff[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@xmts[2].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@112.2o7[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@ad.yieldmanager[2].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@burstnet[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@com[2].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@i.screensavers[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@tribalfusion[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@www.burstbeacon[1].txt
C:\Documents and Settings\Ciro Paradiso\Cookies\ciro paradiso@xmts[2].txt

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Reminder Note: Once we have determine you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\SpywareStrike
C:\Documents and Settings\Ciro Paradiso\Desktop\Access Members Area.exe

Also delete and icons on your Desktop for SpywareStrike. If you cannot see the above in safe mode, delete them in normal boot mode.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Download WinPFind

• Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
• Now click Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
• When it is done, it will show the results of the scan. Right Click in the window and choose Select All. Then Right Click again and select Copy which will copy to the contents of the log to your clipboard. Then open a notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.

 

Also run the below to disable Windows Messenger which can cause popups.

Disable/Remove Windows Messenger

 

Okay post a new HJT log. Also note, if things are coming back. Do not do anything on your own to work trying to fix them. I need to be able to see everything in order to help you work on this. If you work off line, I may not see what I need to see.

This is a new form of the Smitfraud, SpyAxe, Spysheriff family and there may be some new hidden procedures we need to locate in order to fix.

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Then get a new WinPfind log and attach it. Also let me know if there is any change in status.

 

On what list?

 

Can't you just delete them? If it is in the Start Menu, just right click on it and select delete. If it is in C:\Program Files\SpywareStrike just delete the folder.

You should also run the below and post the Ewido log:

Running Ewido Security Suite

 

Please also check to see if the below file exists:

c:\windows\system32\newwrap.dll

Make sure you have viewing of hidden & system files enable per the READ ME.

 

Note the tool has been updated too. DO the steps in the below again and MAKE sure you re-download the smitrem.exe file (delete the old stuff first so you do not get confused).

Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

 

Don't delete the prefetch folder? Just either delete the files in it.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome. Surf safely!