Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
I see you have disabled some startup entries using MSConfig. This makes it difficult for us to see all the infections present on your system because they are hidden from Hijackthis.
- Please click Start>Run and type "msconfig".
- On the "General" tab please click "Normal Startup- load all device drivers and services" and click OK.
- Restart when prompted and then post a new Hijackthis log here.
Downloads (make sure to save these in a permanent location)
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Please go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
- Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Go to Start > Run
Type:
Click OK.
- On the left side, click to highlight My Computer at the top.
- Go up to "File > Export"
- Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
- Choose to save it to C:\
- Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Open Notepad and copy and paste everything from the box below.
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"=-
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=-
Click on File, save it to your desktop, in file name save as Filename.reg, and click OK.
Next go to your desktop and double-click on Filename.reg, and allow it to merge to the registry. It should give you a prompt "successfully merged".
HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R3 - URLSearchHook: (no name) - {C23F9E8B-053F-01B9-1876-2910962377C7} - C:\WINDOWS\System32\bgk.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Semr] "C:\PROGRA~1\aDOBE\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Vjrva] C:\Documents and Settings\Alfredo\My Documents\??crosoft.NET\w?nspool.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
Please remember to close all other windows, including browsers, then click Fix checked.
Run a new scan with Hijackthis and post the log here.
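
An added example, not part of the original post: a short Python triage of the six HijackThis entries listed above, showing what in each line marks it as worth a closer look (orphaned references, the AppInit_DLLs load point, autoruns from a profile folder, a system file name outside System32). The function names, the heuristics and the SYSTEM_NAMES list are assumptions made for this illustration, not part of HijackThis.

```python
import re

# Lines copied from the fix list in the post above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R3 - URLSearchHook: (no name) - {C23F9E8B-053F-01B9-1876-2910962377C7} - C:\WINDOWS\System32\bgk.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Semr] "C:\PROGRA~1\aDOBE\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Vjrva] C:\Documents and Settings\Alfredo\My Documents\??crosoft.NET\w?nspool.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll"""

# Entry shape: "<section code> - <body>", e.g. R1, O4, O20.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
FILE_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)
# Assumption for this example: a few Windows binaries that belong in System32.
SYSTEM_NAMES = ("\\dllhost.exe", "\\svchost.exe", "\\lsass.exe")

def parse_entry(line):
    """Split one log line into section code, body and (if present) file path."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    path = FILE_PATH.search(m.group("body"))
    return {"section": m.group("section"), "body": m.group("body"),
            "path": path.group(0) if path else None}

def triage(entry):
    """Return the reasons (possibly none) an entry deserves a closer look."""
    notes = []
    body, path = entry["body"], (entry["path"] or "")
    low = path.lower()
    if "(file missing)" in body or "(no file)" in body:
        notes.append("orphaned reference")
    if entry["section"] == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        notes.append("AppInit_DLLs injection point")
    if entry["section"] == "O4" and path:
        if "\\documents and settings\\" in low:
            notes.append("autorun from user profile")
        if "?" in path:
            notes.append("unrenderable characters in path")
        if low.endswith(SYSTEM_NAMES) and "\\system32\\" not in low:
            notes.append("system binary name outside System32")
    return notes

def review(log_text):
    """Map each parsed log line to its triage notes."""
    parsed = ((line, parse_entry(line)) for line in log_text.splitlines())
    return {line: triage(e) for line, e in parsed if e is not None}

if __name__ == "__main__":
    for line, notes in review(SAMPLE_LOG).items():
        print(f"{line[:60]:<60} -> {', '.join(notes) or 'no heuristic hit'}")
```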