Symptoms:
- Homepage hijacked and you get redirected to guardupdate.com, startupguarduptodate.com, guarduptodate.com.
- Many more popups.
- Yellow triangle pops up in the bottom of the task bar, flashing and saying that your PC has been infected.
Print out these instructions as we will need to close every window that is open later in the fix.
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Download and unzip Avenger to your desktop.
Download CCleaner.
Download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.
Run Avenger. Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text exactly as shown:
Files to delete:
C:\WINDOWS\system32\intell321.exe
C:\windows\SYSTEM32\winrlo32.dll
Then click on ‘Done’. Click the Traffic Light icon to start the program. Then press OK at the prompts to reboot your PC.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\windows\system32\hp****.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O20 - Winlogon Notify: winrlo32 - D:\windows\SYSTEM32\winrlo32.dll
(where **** represents four random letters)
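To make it easier to spot these entries in a full HijackThis log, here is a small added example (not part of the original instructions, and not HijackThis's own code) that parses HijackThis-style log lines and flags the ones matching the indicators above: the three file names named in this fix, an orphaned entry pointing at "(no file)", a BHO or toolbar loaded from a hp****.tmp file, and a removed default URLSearchHook. The sample log is constructed: it contains the six entries above (with hpXXXX.tmp standing in for the random name) plus two benign lines invented for contrast.

```python
import re
from typing import Dict, List, Optional

# File names named in the removal instructions above (Avenger script and HijackThis entries).
KNOWN_BAD_FILES = {"intell321.exe", "winrlo32.dll", "rock.exe"}

# HijackThis prints one entry per line: a section code, " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The O2 entry above loads hp****.tmp (four random characters); a .tmp loaded as a
# browser helper or toolbar is abnormal, so match that shape rather than one exact name.
TMP_BHO_RE = re.compile(r"\\hp[A-Za-z0-9]{4}\.tmp$", re.IGNORECASE)


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis log line into section, body, CLSID (if any) and file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header text, blank lines, "Running processes:" and so on
    section, body = m.group("section"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    # O4 Run entries: the command follows the bracketed value name.
    # O2/O3/O20 entries: the path (or "(no file)") is the last " - " separated field.
    if section == "O4" and "] " in body:
        path = body.split("] ", 1)[1]
    elif " - " in body:
        path = body.rsplit(" - ", 1)[-1]
    else:
        path = ""
    return {
        "section": section,
        "body": body,
        "clsid": clsid_m.group(0) if clsid_m else "",
        "path": path,
    }


def flag_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the list of rules this entry trips (empty list means nothing matched)."""
    reasons: List[str] = []
    low_path = entry["path"].lower()
    base = low_path.replace("/", "\\").rsplit("\\", 1)[-1]  # bare file name
    if base in KNOWN_BAD_FILES:
        reasons.append(f"references known bad file {base}")
    if entry["section"] == "R3" and "is missing" in entry["body"]:
        reasons.append("default URLSearchHook entry missing")
    if entry["path"] == "(no file)":
        reasons.append("orphaned entry pointing at a missing file")
    if entry["section"] in ("O2", "O3") and TMP_BHO_RE.search(entry["path"]):
        reasons.append("browser helper loaded from a .tmp file")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return the entries that trip at least one rule, with the rule hits attached."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


# Constructed sample log: the six entries from the instructions (hp**** given the
# placeholder name hpXXXX.tmp) plus two benign lines invented for contrast.
SAMPLE_LOG = [
    "Running processes:",  # non-entry line, skipped by the parser
    "R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\windows\system32\hpXXXX.tmp",
    "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [rock] rock.exe",
    r"O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",  # benign, constructed
    r"O20 - Winlogon Notify: winrlo32 - D:\windows\SYSTEM32\winrlo32.dll",
    "O20 - Winlogon Notify: crypt32chain - crypt32.dll",  # benign, constructed
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['section']:<4}{hit['body']}")
        for reason in hit["reasons"]:
            print(f"      -> {reason}")
```

Run against the sample it reports exactly the six entries listed above and stays quiet on the two benign lines. The point of matching on file name, "(no file)" and the .tmp shape rather than on whole lines is that the drive letter (C: versus D: in the entries above) and the random hp****.tmp name vary from machine to machine.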
Now close all browser windows and any other open windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 – Clean by typing 2 and pressing “Enter” to delete infected files.
You will be prompted: “Registry cleaning – Do you want to clean the registry ?”; answer “Yes” by typing Y and pressing “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check whether wininet.dll is infected. If it is, you may be prompted to replace the infected file; answer “Yes” by typing Y and pressing “Enter”.
The tool may need to restart your computer to finish the cleaning process.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” uses of such programs, so they may alert the user.
Restart your PC and boot again in Safe Mode.
Run Ewido:
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Reboot your computer.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below.