Make sure that you're disconnected/unplugged from the Internet when you do this.
---------------
Do a HijackThis scan & place a check next to these items and select "Fix checked":
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {621CB9E4-F0B2-47DF-833C-F4CDAA925184} - C:\Program Files\MSN Gaming Zone\meso2.dll (file missing)
O2 - BHO: (no name) - {68DFA3C0-332B-19FA-7C02-4DB67F3DF0CD} - (no file)
O2 - BHO: 0 - {8B3C74D6-15DB-48C7-B19D-91A04343B657} - C:\Program Files\Windows NT\qufaxy.dll (file missing)
O2 - BHO: (no name) - {C525B337-45F3-4F8E-A69F-908DA829A5B5} - C:\Program Files\MSN Gaming Zone\meso4444.dll (file missing)
O2 - BHO: (no name) - {F9D8BB38-3C69-4A70-8953-8C47DEB2CDF6} - C:\Program Files\MSN Gaming Zone\meso83122.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [irdmelt] 4E7.tmp (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'NETWORK SERVICE')
O20 - Winlogon Notify: efcddbc - efcddbc.dll (file missing)
O21 - SSODL: FyLIyVw - {583CE3E0-F296-494A-40FA-ADC075B474C2} - C:\WINDOWS\system32\kha.dll (file missing)
This other entry from your HijackThis log appears to be a customised entry. If you know it to be legit, leave it. If not, add it to be fixed.
O4 - Global Startup: NETWORKLOGON.BAT
---------------
Open Notepad and copy/paste the text in the quotebox below into it:
Code:
@echo off
>nul ( copy /y /b C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys %systemroot%\system32\drivers
copy /y /b C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys %systemroot%\system32\dllcache ) 2>&1
echo.Done!! &echo.Run ComboFix with CFscript now.
nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:

Double click on fix.bat & allow it to run
---------------
Open Notepad and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/172679-help.html
Collect::
C:\WINDOWS\system32\ipsaaykr.exe
C:\WINDOWS\system32\nbkdms.exe
C:\WINDOWS\system32\schehwcq.exe
C:\WINDOWS\system32\seconijl.exe
File::
C:\WINDOWS\jugjuygbt.exe
C:\WINDOWS\tahtyemkme.exe
C:\WINDOWS\hntrguytr_exe.vir
C:\WINDOWS\esagtrhtr.exe
C:\WINDOWS\lipjnawA.exe
C:\WINDOWS\system32\WinCore32.exe
C:\Windows\xpupdate.exe
c:\windows\system32\lsdsregr.exe
C:\WINDOWS\system32\cncersh.exe
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\g4356cbvy63
C:\WINDOWS\lipjnawA.exe
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\jdnems.exe
C:\WINDOWS\system32\schlfuot.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{621CB9E4-F0B2-47DF-833C-F4CDAA925184}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68DFA3C0-332B-19FA-7C02-4DB67F3DF0CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B3C74D6-15DB-48C7-B19D-91A04343B657}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C525B337-45F3-4F8E-A69F-908DA829A5B5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9D8BB38-3C69-4A70-8953-8C47DEB2CDF6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"FyLIyVw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcddbc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SERVICE DIRECTOR^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SERVICE DIRECTOR^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blwquest]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\certds]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cseswp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dsiknd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g4356cbvy63]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irdmelt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ismdoc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsispsl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lipjnawA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tyld]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCore32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CE-E3-3D-DF-ZN}]
Save this as "CFScript"
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Additionally, ComboFix will generate a zipped file on your Desktop, called Submit [Date Time].zip
Please submit this file to:
http://www.bleepingcomputer.com/subm....php?channel=4
The file must be uploaded before proceeding to the next step.
---------------
Click here to perform an online scan >> Online Scanner
---------------
In your next post, please include fresh logs from:
- Fresh Hijackthis log taken just before replying
- Online scan
- ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
Question - what have you done for the community today?
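Added example, not part of the original post: the HijackThis entries marked for fixing and the Registry:: section of the CFScript name the same BHO CLSIDs and Winlogon Notify / SSODL entries, so the two can be cross-checked to confirm that every flagged O2/O20/O21 entry has a matching removal line. The function names are hypothetical, and the sample input is a trimmed excerpt of the post with one removal line deliberately left out.

```python
import re
SECTION = re.compile(r"^(\w+)::$")
HJT = re.compile(r"^(O2|O20|O21) - [^:]+: (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Sample input excerpted from the post; the second BHO removal is deliberately left out.
HJT_LOG = r"""
O2 - BHO: (no name) - {621CB9E4-F0B2-47DF-833C-F4CDAA925184} - C:\Program Files\MSN Gaming Zone\meso2.dll (file missing)
O2 - BHO: (no name) - {68DFA3C0-332B-19FA-7C02-4DB67F3DF0CD} - (no file)
O20 - Winlogon Notify: efcddbc - efcddbc.dll (file missing)
O21 - SSODL: FyLIyVw - {583CE3E0-F296-494A-40FA-ADC075B474C2} - C:\WINDOWS\system32\kha.dll (file missing)
O4 - Global Startup: NETWORKLOGON.BAT
"""
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\WinCore32.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{621CB9E4-F0B2-47DF-833C-F4CDAA925184}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"FyLIyVw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcddbc]
"""

def registry_removals(script):
    """Lower-cased names the Registry:: section deletes: [-key] tail or deleted value name."""
    removed, section = set(), None
    for line in map(str.strip, script.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section == "Registry" and line.startswith("[-") and line.endswith("]"):
            removed.add(line[2:-1].rsplit("\\", 1)[-1].lower())  # last key component
        elif section == "Registry" and line.endswith("=-"):
            removed.add(line[:-2].strip('"').lower())  # name of the deleted value
    return removed

def hjt_targets(log):
    """(code, token) per O2/O20/O21 line: CLSID for O2, entry name for O20/O21."""
    targets = []
    for m in filter(None, map(HJT.match, map(str.strip, log.splitlines()))):
        code, rest = m.groups()
        clsid = CLSID.search(rest)
        token = clsid.group(0) if code == "O2" and clsid else rest.split(" - ")[0]
        targets.append((code, token))
    return targets

def uncovered(log, script):
    """HijackThis entries that have no matching removal line in the script."""
    removed = registry_removals(script)
    return [t for t in hjt_targets(log) if t[1].lower() not in removed]
```

The match is by name only: it does not check which registry key a deleted value sits under, so a hit means the name is removed somewhere in the script, not that the path is right.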