AdwarePunisher – rogue antispyware (1, 2)
It uses a flawed, inadequate detection scheme and is the same app as AdwareBazooka, AdwarePunisher, HitSpy, RemedyAntiSpy, SystemStable, and The SpyGuard.
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: AdwarePunisher
Then using Windows Explorer, delete the following folder: C:\Program Files\AdwarePunisher
Download HijackThis and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.
Download Killbox and unzip to your desktop.
Next, download, install, and update the free version of Ewido trojan scanner:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido — When you run it for the first time, you may get a warning “Database could not be found!”. Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait for the update to finish (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.
If you can't download Ewido trojan scanner, then please download and run HOSTER.ZIP
Unpack hoster.zip
Press ‘Restore Original Hosts’ and press ‘OK’
Exit Program.
If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 – REG:system.ini: Shell=explorer.exe “c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”
O2 – BHO: winapi32.MyBHO – {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} – C:\WINDOWS\System32\winapi32.dll
O4 – HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 – HKLM\..\Run: [winsysban] C:\windows\winsysban4.exe
O4 – HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 – HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
O4 – HKLM\..\Run: [Win32.Exploit.A] C:\WINDOWS\system32\exa32.exe
Delete these files (if you can't remove one, try KillBox).
Use the actual path to your Windows directory:
c:\WINDOWS\loadadv728.exe
c:\WINDOWS\loader138.exe
c:\WINDOWS\SYSTEM32\iasada.dll
c:\WINDOWS\temp.000.exe
c:\WINDOWS\SYSTEM32\intxt.exe
c:\WINDOWS\SYSTEM32\mswinb32.dll
c:\WINDOWS\SYSTEM32\mswinb32.exe
c:\WINDOWS\SYSTEM32\shell386.exe
C:\WINDOWS\System32\winapi32.dll
c:\WINDOWS\is-6QGD9.exe
C:\windows\winsysupd4.exe
C:\windows\winsysban4.exe
c:\windows\myupdates.exe
c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Next, run Ad-aware and perform a full scan. Remove everything found.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
Finally, restart your computer normally.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
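To check a saved HijackThis log against the entries and files listed above, the following added example (not part of the original guide or of HijackThis) flags matching lines. It matches on file base name so a different Windows directory still matches; the sample log is constructed, and the R0 Start Page entries are not checked because their values are not given on this page.

```python
import re

# File names from this page's HijackThis entries and delete list, lowercased.
# Only the base name is compared, so D:\WINNT matches as well as C:\WINDOWS.
LISTED_FILES = {
    "ibm00001.exe", "winapi32.dll", "winsysupd4.exe", "winsysban4.exe",
    "myupdates.exe", "wnetlogin.exe", "exa32.exe", "loadadv728.exe",
    "loader138.exe", "iasada.dll", "temp.000.exe", "intxt.exe",
    "mswinb32.dll", "mswinb32.exe", "shell386.exe", "is-6qgd9.exe",
}
LISTED_CLSID = "{b439d5eb-0a61-4ed9-8c8f-ec4148bb23f7}"
LISTED_PAC = "http://localhost:9100/proxy.pac"

ENTRY_RE = re.compile(r'^\s*([A-Z]\d{1,2})\s*[-\u2013]\s*(.+)$')
FILE_RE = re.compile(r'([^\\/\s"\u201c\u201d\[\]]+\.(?:exe|dll))\b', re.I)

# Constructed sample log (not from a real machine); Windows lives in D:\WINNT here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - D:\WINNT\System32\winapi32.dll
O4 - HKLM\..\Run: [winsysupd] D:\WINNT\winsysupd4.exe
O4 - HKLM\..\Run: [ExampleTray] D:\Program Files\Example\tray.exe
F2 - REG:system.ini: Shell=explorer.exe "d:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
"""

def flag_entries(log_text):
    """Return (section, reason, line) for every log line matching a listed indicator."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # header, blank line, or anything that is not a log entry
        section, low = m.group(1), m.group(2).lower()
        if LISTED_PAC in low:
            reason = "listed AutoConfigURL"
        elif LISTED_CLSID in low:
            reason = "listed BHO CLSID"
        else:
            names = set(FILE_RE.findall(low)) & LISTED_FILES
            if not names:
                continue  # entry does not reference anything from the list
            reason = "listed file " + ", ".join(sorted(names))
        hits.append((section, reason, raw.strip()))
    return hits

if __name__ == "__main__":
    for section, reason, line in flag_entries(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Entries it flags are the ones to tick in HijackThis before clicking “Fix Checked”; anything it does not flag is left for manual review.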
Removal procedures worked very well, although Hijack This! did not show any of the programs mentioned in the removal procedure. Thanks!
Highjack only had 3 of the 9 and could only delete 7 of the 14 files. However it seems to have cured the problem and I am very grateful to you and your team.
Many thanks
Nice. Got rid of this annoying problem. Thanks a lot!
Thank you for this – spot on – got rid of it.. I think deleting the temp.000.exe file was the fix for me – I had tried a lot of similar things to the above which I found on other sites but none mentioned this particular file and it kept coming back after cleaning….
Many thanks – very much appreciated…
hey thanks a lot for the solution…it really works…i got rid of the malware as soon as i did what u said..