Hello evangelion1010 and welcome to the HijackThis forum,
Quote: "you guys are busy over here in the dark forest"
Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.
Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
---------------------------
Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites.
Download CWShredder and run it. Click on 'I Agree' button if you agree and check for updates. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
---------------------------
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* Select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
---------------------------
Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {A7C98604-64CA-407F-817D-E65DEB2294DC} - C:\WINDOWS\system32\msgh.dll (file missing)
O4 - HKLM\..\Run: [Microsoft IT Updated] C:\WINDOWS\system32\msgh.dll
O4 - HKLM\..\Run: [Windows Client/Server Runtime Server] csrs.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updated] srss.exe
O4 - HKLM\..\RunServices: [Windows Client/Server Runtime Server] csrs.exe
O4 - HKCU\..\Run: [Windows Client/Server Runtime Server] csrs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B75B0A3-E235-4728-8C69-7BBF72941DD8}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{72950ED0-925F-48D0-B16C-45EFDCEBD538}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FAA1656-9DD6-41C7-9256-4B784FC9151E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B75B0A3-E235-4728-8C69-7BBF72941DD8}: NameServer = 69.50.166.94,69.31.80.244
Click 'Fix Checked' and close HijackThis.
---------------------------
Delete the following files if they still exist.
C:\WINDOWS\system32\msgh.dll
Do a search via Start>Search for these 2 files and delete.
Careful of the spelling, make sure it is exactly as shown below:
csrs.exe
srss.exe
---------------------------
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Standard CleanUp!"
* Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System, do NOT run CleanUp! and let me know, as we will use another utility.
---------------------------
Reboot into Normal Mode.
---------------------------
Perform an online scan using Internet Explorer with Panda ActiveScan
- Click on "Free use ActiveScan" located on the top right hand corner
- Click Check Now & a 'pop up' window shall appear. *Ensure that your pop up blocker doesn't block it
- Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
- Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
- Click on see report. Then click Save report
Please post that log in your next reply along with a new HijackThis log.
__________________
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
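
Added example, not part of the original post or of HijackThis: a short Python triage of HijackThis log lines that flags O4 autoruns whose file name is a near-miss of a genuine Windows process name (csrs.exe and srss.exe against csrss.exe) and O17 NameServer values outside an expected set. The name list, the `EXPECTED_DNS` value and the 0.85 similarity cutoff are assumptions chosen for illustration.

```python
import re
from difflib import get_close_matches

# Genuine Windows process names that look-alike file names tend to imitate.
SYSTEM_NAMES = ["csrss.exe", "lsass.exe", "services.exe", "smss.exe", "svchost.exe"]
# Assumption: the only resolver this machine should use (constructed value).
EXPECTED_DNS = {"192.168.1.1"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
AUTORUN = re.compile(r"^[^:]+: \[(?P<label>.*?)\] (?P<cmd>.+)$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")

def imitated_name(cmd):
    """Return the system file a command's file name nearly matches, else None."""
    name = cmd.strip('"').split("\\")[-1].split()[0].lower()
    if name in SYSTEM_NAMES:
        return None
    close = get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.85)
    return close[0] if close else None

def review(log_text):
    """Return (line_number, code, reason) for entries worth a closer look."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        code, body = entry["code"], entry["body"]
        autorun = AUTORUN.match(body) if code == "O4" else None
        if autorun and (real := imitated_name(autorun["cmd"])):
            findings.append((number, code, f"file name imitates {real}"))
        dns = NAMESERVER.search(body) if code == "O17" else None
        if dns:
            odd = [ip.strip() for ip in dns["ips"].split(",")
                   if ip.strip() not in EXPECTED_DNS]
            if odd:
                findings.append((number, code, "unexpected DNS: " + ", ".join(odd)))
    return findings

# Lines 1-4 are taken from the log above; line 5 is constructed as a benign control.
SAMPLE = r"""O4 - HKLM\..\Run: [Microsoft IT Updated] C:\WINDOWS\system32\msgh.dll
O4 - HKLM\..\Run: [Windows Client/Server Runtime Server] csrs.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updated] srss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B75B0A3-E235-4728-8C69-7BBF72941DD8}: NameServer = 69.50.166.94,69.31.80.244
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A name-similarity check only catches near-miss spellings; an entry such as msgh.dll passes it and still needs the manual review the post walks through.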