Hi and Welcome to TSF!
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
Please do not run Hijackthis from its current location. Create a permanent folder and move hijackthis.exe into it.
- From Windows Explorer, Click on drive C:
- Click on File>New>Folder
- Call it HJT, or any other name of your choice.
- Move all files to the newly created folder
~~~~~~~~~~~~~~
Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
- ISTbar
- Ebates_MoeMoneyMaker
- WebSavings_from_Ebates
~~~~~~~~~~~~~~
Reboot to Safe Mode
- Shut Windows down, and then turn off the computer.
- Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears.
- Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
~~~~~~~~~~~~~~
Run a scan with HiJackThis, select (tick) the following & click [Fix checked]:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0 .exe"
O4 - HKLM\..\Run: [Zhktov] C:\Program Files\Wggmbmc\Gixwwp.exe
O4 - HKLM\..\Run: [¢‰¸K09¿Ì*ÀaîžaaûY§C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [¢‰¸K09¿Ì*ÀaîžaîžaaîC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [È Ý8¿Ì*û]Mú*ÀaîžaaûC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [rodcxcb] C:\WINDOWS\rodcxcb.exe
O4 - HKLM\..\Run: [wtqr] C:\WINDOWS\wtqr.exe
O4 - HKLM\..\Run: [ifsr] C:\WINDOWS\ifsr.exe
O4 - HKLM\..\Run: [93doep69] C:\WINDOWS\system32\93doep69.exe
O4 - HKLM\..\Run: [jepav] C:\WINDOWS\jepav.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [uemzlhm] c:\windows\system32\uemzlhm.exe
O4 - Global Startup: Attack Shield.lnk = C:\Program Files\Sana Security\Attack Shield\AttackShield.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O16 - DPF: Sametime Meeting Room Client ST25PF1 - https://scmtg02e.national.com/samet...gRoomClient.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...bridge-c283.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15d3e183490265...ip/RdxIE601.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/powertools.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - https://scmtg02e.national.com/samet...STJNILoader.cab
~~~~~~~~~~~~~~
Enable the viewing of Hidden files
- Open Windows Explorer
- Go to Tools>Folder Options>View tab.
- enable the option for "Show hidden files and folders"
- disable the option for "Hide file extensions for known types"
- disable the option for "Hide protected operating system files"
- click "Yes" to confirm & then click "OK"
Locate and delete the following folder(s), if present:
- C:\Program Files\Ebates_MoeMoneyMaker\
- c:\Program Files\Ftk\
- C:\Program Files\WebSavings_from_Ebates\
- C:\Program Files\Wggmbmc\
- C:\Program Files\ISTsvc\
- C:\program files\tvs\
Locate and delete the following file(s), if present:
- C:\WINDOWS\tewuqlhi.exe
- C:\WINDOWS\rodcxcb.exe
- C:\WINDOWS\wtqr.exe
- C:\WINDOWS\ifsr.exe
- C:\WINDOWS\system32\93doep69.exe
- C:\WINDOWS\jepav.exe
- C:\Program Files\Common Files\Java\ftkcpy.exe
- c:\windows\system32\uemzlhm.exe
~~~~~~~~~~~~~~
Reboot to Normal Mode.
Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Reboot again & run a new scan with HiJackThis. Save the log file and post the contents in your next reply.
In your next post, please include fresh copies of:
1. Copy of HiJackThis log
2. List of files that online scans failed to disinfect
Please provide details of any problems you encountered whilst performing the above steps.
Update us on how your computer behaves now
__________________
Question - what have you done for the community today?
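
As an added example (not part of the original post and not HijackThis's own code), here is a small Python triage pass over log entries like the ones listed for fixing above. The sample lines are copied from that list. The function names and the heuristics are assumptions made for illustration; they narrow down which entries to review first and do not decide what is malicious.

```python
import re

# Sample input: a few entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [] C:\WINDOWS\tewuqlhi.exe
O4 - HKLM\..\Run: [rodcxcb] C:\WINDOWS\rodcxcb.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15d3e183490265...ip/RdxIE601.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")           # section code, rest of line
RUN = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(.*)\] "?([^"]+)"?$')
WINDIR_EXE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+\.exe$", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")

def reasons_for(section, detail):
    """Return triage reasons (heuristics, not verdicts) for one log entry."""
    reasons = []
    if section == "O2" and detail.endswith(("(no file)", "(file missing)")):
        reasons.append("BHO registered but its file is absent")
    run = RUN.match(detail) if section == "O4" else None
    if run:
        name, path = run.group(1), run.group(2).strip()
        if not name or not name.isascii() or not name.isprintable():
            reasons.append("empty or unreadable Run value name")
        if WINDIR_EXE.match(path):
            reasons.append("autostart binary sits directly in the Windows directory")
    if section == "O16" and "file://" in detail:
        reasons.append("ActiveX source is a local file")
    if section == "O16" and RAW_IP_URL.search(detail):
        reasons.append("ActiveX source is a bare IP address")
    return reasons

def triage(log_text):
    """Parse HijackThis lines; return [(section, detail, reasons)] for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        reasons = reasons_for(*m.groups()) if m else []
        if reasons:
            flagged.append((*m.groups(), reasons))
    return flagged

if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {detail}\n    -> " + "; ".join(reasons))
```

The FtkCPY entry is on the fix list above but passes these heuristics unflagged, which shows why a pass like this supports a manual review of the log and does not replace it.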