Hi again
Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.
Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.
If there is anything you don't understand, please ask BEFORE proceeding with the fixes.
Please ensure that you follow the instructions in the order I have them listed.
IMPORTANT!
The infection on your system is designed to steal information. This includes all passwords, log ins to Forums such as this one, e-mail details and any online Banking passwords. It is therefore vital that, once cleaned, you contact your Bank or financial institution and inform them that your details have most likely been stolen. You should also find a clean PC and use it to change all passwords.
P2P - I see you have P2P software (i.e. XXX) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. Although the P2P application itself may be 'clean', the files you download may well contain malware. P2P is often used as a method of distributing malware.
This page will give you further information.
Downloads
Please download NoLop to your desktop from here or here
- First close any other programs you have running as this will require a reboot
- Double click NoLop.exe to run it
- Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
- When scanning is finished you will be prompted to reboot only if infected. Click OK
- Now click the "REBOOT" Button.
- A message should pop up from NoLop. If not, double click the program again and it will finish
Please post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --
Combofix
- Close any open browsers.
- Open notepad and copy/paste the text in the box below into it:
Code:
File::
C:\windows\system32\sgaaghmh.dll
C:\windows\system32\qcmobqkx.ini
C:\windows\system32\blvnuywu.exe
C:\windows\system32\hiotoytu.dll
C:\windows\system32\jxocxnbi.exe
C:\windows\system32\enbeexia.exe
C:\windows\system32\kxmrvxbo.ini
C:\windows\system32\pwllkroe.ini
C:\windows\system32\krfswwxw.dll
C:\windows\system32\ixemyies.exe
C:\windows\system32\pavas.ico
C:\windows\system32\Help.ico
C:\windows\system32\c40b8941
C:\windows\system32\hmelblbl.ini
C:\windows\system32\lblblemh.dll
C:\windows\system32\fvqetudd.dll
C:\windows\system32\lcbscxor.dll
C:\windows\system32\olveadem.ini
C:\windows\system32\medaevlo.dll
C:\windows\system32\bqirdjtw.exe
C:\windows\system32\nnnmnkj.dll
C:\windows\system32\jgbuqvrt.dll
C:\Documents and Settings\Dan the Man\x.dat
C:\Documents and Settings\Dan the Man\z.dat
C:\windows\system32\SET3C.tmp
C:\windows\system32\SET3D.tmp
C:\n.bat
C:\z.dat
C:\x.dat
C:\windows\Fonts\a.zip
C:\windows\Fonts\svchost.exe
Folder::
C:\windows\Fonts\zia03516
Looking at the image below as an example
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at "C:\ComboFix.txt"
Do not mouseclick ComboFix's window whilst it's running. This may cause it to stall.
Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.
Logs required
C:\NoLop.log
C:\Combofix.txt
HijackThis Log
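
An added example (not part of the original post and not ComboFix's own code): a Python check that re-reads a CFScript in the File::/Folder:: layout shown above after the cleanup has run and lists any entries that still exist on disk. The function names and the embedded sample excerpt are assumptions made for illustration.

```python
import os
import sys

# Constructed sample: a short excerpt in the same layout as the script above.
SAMPLE_CFSCRIPT = """\
File::
C:\\windows\\system32\\sgaaghmh.dll
C:\\n.bat
Folder::
C:\\windows\\Fonts\\zia03516
"""

def parse_cfscript(text):
    """Group the paths in a CFScript under the 'Name::' directive above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path listed before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections

def remaining(sections, is_file=os.path.isfile, is_dir=os.path.isdir):
    """Return the File::/Folder:: entries that are still present."""
    checks = {"File": is_file, "Folder": is_dir}
    left = []
    for name, paths in sections.items():
        check = checks.get(name)
        if check is None:
            continue  # other directives are not filesystem paths; skipped here
        left += [p for p in paths if check(p)]
    return left

if __name__ == "__main__":
    # Usage (hypothetical file name): python check_cfscript.py CFScript.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFSCRIPT
    for path in remaining(parse_cfscript(text)):
        print("STILL PRESENT:", path)
```

A file hidden by a rootkit can be reported as absent by ordinary file APIs, so this complements the ComboFix and HijackThis logs rather than replacing them.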