Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
Your log appears to show multiple antivirus programs running. Multiple antivirus programs running at the same time can cause conflicts so it is recommended you uninstall all but one.
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Please download AproposFix. Save it to your desktop but do NOT run it yet.
Please download Ewido Security Suite.
1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.
The Temp folders must be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Cleanup! (Alternate Link) and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)
Launch KillBox.exe & select the following options:
Select all the filenames below & then right-click & select Copy
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\yjjhccl\glcstxep.exe
C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\system32\afwdd\ggtued.exe
C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\absw\whto.exe
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\exe82.exe
C:\WINDOWS\xsyuvhn.exe
C:\WINDOWS\system32\ngvnsru\mmnhfi.exe
C:\WINDOWS\system32\ukkpdsk\ygvam.exe
C:\WINDOWS\system32\cvgnpijd\rktjotv.exe
C:\WINDOWS\system32\rcetogy\wwrxnvxw.exe
C:\WINDOWS\system32\opr.exe
C:\WINDOWS\system32\Yunguyo.exe
C:\WINDOWS\glcpadaj.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
C:\Program Files\Common Files\mc-58-12-0000119.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
Go into Hijack This > Config > Misc. Tools > Open process manager. Select the following and click “Kill process” for each one (If they still exist, don’t worry if they don’t) (You must kill them one at a time).
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\yjjhccl\glcstxep.exe
C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\system32\afwdd\ggtued.exe
C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\absw\whto.exe
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
ContextPlus <<< Don’t worry if this is not present
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [xsyuvhn] C:\WINDOWS\xsyuvhn.exe
O4 - HKLM\..\Run: [mmnhfi] C:\WINDOWS\system32\ngvnsru\mmnhfi.exe
O4 - HKLM\..\Run: [ygvam] C:\WINDOWS\system32\ukkpdsk\ygvam.exe
O4 - HKLM\..\Run: [rktjotv] C:\WINDOWS\system32\cvgnpijd\rktjotv.exe
O4 - HKLM\..\Run: [glcstxep] C:\WINDOWS\system32\yjjhccl\glcstxep.exe
O4 - HKLM\..\Run: [wwrxnvxw] C:\WINDOWS\system32\rcetogy\wwrxnvxw.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ggtued] C:\WINDOWS\system32\afwdd\ggtued.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\system32\Yunguyo.exe
O4 - HKLM\..\Run: [glcpadaj] C:\WINDOWS\glcpadaj.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pagttr.exe reg_run
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rup] "C:\Program Files\absw\whto.exe" -vt rbnd
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING32.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/224/installer.exe
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/with-re...g/bannerads.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c...c2c1002_sp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
Please remember to close all other windows, including browsers then click Fix checked.
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\system32\yjjhccl
C:\WINDOWS\system32\afwdd
C:\WINDOWS\Q2Fyb2xpbmUA
C:\Program Files\absw
C:\WINDOWS\system32\ngvnsru
C:\WINDOWS\system32\ukkpdsk
C:\WINDOWS\system32\cvgnpijd
C:\WINDOWS\system32\rcetogy
Now open Ewido and do a scan on your system.
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.
Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.
Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
Uncheck the following:
- Scan local drives for temporary files
Click OK, Press the CleanUp! button to start the program and reboot (Normal Mode) when prompted.
There will be a file called log.txt in the Aproposfix folder, please copy the contents of that file here.
Please run a Scan at Panda ActiveScan
Make sure that you choose the "fix" or "clean" option when available.
At the end of this scan you will be given the option to save a log from the scan -SAVE THAT LOG- and post it here
In your next post please include:
- Ewido log
- Aproposfix log.txt
- Panda Activescan Log
- A new Hijackthis! Log
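
A cross-check for a fix list like the one in this post, as an added example that is not part of the original post: it parses the O4 autorun lines of a HijackThis log and reports entries whose executable does not appear in the file-deletion list. The function names are this example's own, and the sample data is a small selection of lines copied from the post.

```python
import ntpath
import re

# Lines copied from the HijackThis entries and KillBox file list in the post
# above; which lines were selected is this example's choice.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pagttr.exe reg_run
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rup] "C:\Program Files\absw\whto.exe" -vt rbnd
"""
DELETE_LIST = r"""
C:\WINDOWS\system32\PSof1.exe
C:\Program Files\absw\whto.exe
C:\Program Files\Common Files\mc-58-12-0000119.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Unquoted command: the path ends at the first executable extension that is
# followed by whitespace or end of line, so spaces inside the path survive.
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

def image_path(command):
    """Return the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command.split()[0]

def parse_o4(log):
    """Parse O4 lines into dicts with hive, key, value name and image path."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "path": image_path(cmd)})
    return entries

def uncovered(log, delete_list):
    """Autorun entries whose image is not in the deletion list (case-insensitive)."""
    targets = {ntpath.normcase(p.strip()) for p in delete_list.splitlines() if p.strip()}
    return [e for e in parse_o4(log) if ntpath.normcase(e["path"]) not in targets]

if __name__ == "__main__":
    for e in uncovered(SAMPLE_LOG, DELETE_LIST):
        print(f'{e["hive"]} Run [{e["name"]}] -> {e["path"]} not in deletion list')
```

An entry reported here would have its Run value removed while the file it points to stays on disk unless another tool in the procedure deals with it.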