Hello and Welcome to TSF!
Your computer is very SICK!! It's likely that we'll need several runs to get it working again.
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.
Go to http://WindowsUpdate. & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\
I require your next HJT log to be from this newer version
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.
CleanUp! - Install.
KillBox v2.0.0.175
Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host
CWShredder.exe
- Open CWShredder and click - I AGREE
- Click - Check For Update
- Close CWShredder after updating
Process Explorer
vundo.txt - Right click the file you downloaded ..and rename it to "vundo.reg".
'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING
This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.
If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Double click on vundo.reg & answer Yes when prompted to merge.
Run CWShredder & click on Fix.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS
Run a scan with HiJackThis & select/tick the following & click "Fix checked" :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.scourweb.net/nph-sear...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: eroptimizer.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: fferoptimizer.com
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\yeksmw.dat
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\cbdodrah.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\nupa.dat (file missing)
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Jessica\LOCALS~1\Temp\app117.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\Web\dllms.exe
O4 - HKLM\..\Run: [*asiis] C:\WINDOWS\asiis.exe
O4 - HKLM\..\Run: [*infow] C:\WINDOWS\msagent\infow.exe
O4 - HKLM\..\Run: [*mp3win] C:\WINDOWS\Config\mp3win.exe
O4 - HKLM\..\Run: [*caburl] C:\WINDOWS\repair\caburl.exe
O4 - HKLM\..\Run: [*accfont] C:\WINDOWS\system32\Com\accfont.exe
O4 - HKLM\..\Run: [*netexp] C:\WINDOWS\repair\netexp.exe
O4 - HKLM\..\Run: [*unmfc] C:\WINDOWS\inf\unmfc.exe
O4 - HKLM\..\Run: [*playiis] C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
O4 - HKLM\..\Run: [*comole] C:\WINDOWS\AppPatch\comole.exe
O4 - HKLM\..\Run: [*dosutil] C:\WINDOWS\Web\dosutil.exe
O4 - HKLM\..\Run: [*xmlw] C:\WINDOWS\repair\xmlw.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e59...tzip/RdxIE2.cab
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Launch KillBox.exe & select the following options:
- delete on Reboot
- end Explorer shell while killing file
- unregister dll before deleting * if it's not grayed out
-
C:\WINDOWS\Web\PRINTERS\wmskey.exe
C:\WINDOWS\SYSTEM32\fy81.dll
C:\WINDOWS\java\CLASSES\cap.exe
C:\WINDOWS\java\CLASSES\cap.exe
C:\WINDOWS\Web\dllms.exe
C:\WINDOWS\asiis.exe
C:\WINDOWS\msagent\infow.exe
C:\WINDOWS\Config\mp3win.exe
C:\WINDOWS\repair\caburl.exe
C:\WINDOWS\system32\Com\accfont.exe
C:\WINDOWS\repair\netexp.exe
C:\WINDOWS\inf\unmfc.exe
C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\playiis.exe
C:\WINDOWS\AppPatch\comole.exe
C:\WINDOWS\Web\dosutil.exe
C:\WINDOWS\repair\xmlw.exe
C:\Program Files\Common Files\updater\wupdater.exe
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
- Click [Scan Now]
- Enter your e-mail address & click [Scan Now] ...this begins downloading Panda's 8 MB ActiveX controls
- If it finds any malware, it will offer you a report.
- Click on see report. Then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
- Double-click the tmas-web-scan.exe icon
- It will say "Loading TrendMicro definitions".
- Click "Start Scan"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
- HiJackThis
- Online scan
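The HiJackThis "Fix checked" list and the KillBox path list above are derived by hand from the same log entries. The following is an added example, not part of the post or of HiJackThis, that parses entries in that log format, labels the patterns the helper ticked (R1 search-page hijacks, O1 hosts entries, unnamed or missing O2 BHOs, O4 autostarts with no path or living in Temp or in system folders that never hold startup programs, O16 ActiveX downloads from a bare IP) and derives the list of on-disk files a KillBox step would target. The sample log is a constructed subset of the entries quoted in the post; the ODD_DIRS list and the triage rules are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the HijackThis entries the post above marks for "Fix checked".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.scourweb.net/nph-sear...look=stmpl1&kw=
O1 - Hosts: ww.zestyfind.com
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\fy81.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\vrsbk.dat (file missing)
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cap] C:\WINDOWS\java\CLASSES\cap.exe
O4 - HKLM\..\Run: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe
O4 - HKLM\..\RunOnce: [*wmskey] C:\WINDOWS\Web\PRINTERS\wmskey.exe rerun
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0473ddf5570e59...tzip/RdxIE2.cab
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path terminated by its extension, so "rerun" arguments and "(file missing)" tags fall off.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|dat|tmp|sys))(?:\s|$)", re.I)
# Assumed list of %WINDIR% subfolders that hold no legitimate autostart programs (every O4 path in the post sits in one).
ODD_DIRS = ("\\repair\\", "\\inf\\", "\\web\\", "\\java\\", "\\msagent\\", "\\config\\", "\\apppatch\\", "\\catroot\\")
Entry = namedtuple("Entry", "kind raw path missing")  # HJT section, the line, referenced file or None, "(file missing)" flag

def parse_hjt(text):
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group("body"))
            entries.append(Entry(m.group("kind"), line, pm.group(1) if pm else None, "(file missing)" in line))
    return entries

def triage(entries):
    """Pair each entry with the reason a helper would tick it; entries with no finding are dropped."""
    out = []
    for e in entries:
        low = (e.path or "").lower()
        if e.kind == "R1" and "http" in e.raw:
            out.append(("IE search or start page hijacked", e.raw))
        elif e.kind == "O1":
            out.append(("hosts file redirection", e.raw))
        elif e.kind == "O2" and (e.missing or "(no name)" in e.raw or "\\temp\\" in low):
            out.append(("BHO unnamed, missing, or loaded from Temp", e.raw))
        elif e.kind == "O4" and (e.path is None or "\\temp\\" in low or any(d in low for d in ODD_DIRS)):
            out.append(("autostart with no path, from Temp, or from an odd system folder", e.raw))
        elif e.kind == "O16" and re.search(r"https?://\d+\.\d+\.\d+\.\d+/", e.raw):
            out.append(("ActiveX control downloaded from a bare IP address", e.raw))
    return out

def killbox_list(entries):
    """Files to delete by hand: present on disk, outside Temp (CleanUp! empties Temp), deduplicated."""
    return sorted({e.path for e in entries
                   if e.kind in ("O2", "O4") and e.path and not e.missing and "\\temp\\" not in e.path.lower()})
```

Run against the sample, `killbox_list` yields the four files that also appear in the post's KillBox list (the duplicate wmskey.exe Run/RunOnce entries collapse to one), and `triage` flags every entry except the Global Startup shortcut, which has no heuristic marker and still needs a human eye.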