Hi Amy - this forum is where to post HJT logs. Also, please do not attach them, just copy and paste any and all logs into your reply. It makes it easier for us all to review.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract it’s files into it's own folder on the desktop. Do not run it yet.
Open Ewido and update it's definitions. Do NOT scan yet.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply
Open Ad-aware again. Run a scan and remove all it finds.
Run Ewido:
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Security iGuard
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [kjur] C:\WINDOWS\kjur.exe
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O16 - DPF: {0220435C-EB5D-49AE-DD1F-48312A97686C} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {12C4EEC6-EB0C-3C5E-3C6D-15857AACAB5A} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c7.cab
O16 - DPF: {1B2B17DC-2FE5-7443-B70A-107B26A208BD} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {2D589CC3-882A-4F12-27CD-52B1566864D5} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {3273567D-265E-61DB-1D25-1BAF35E2C9F5} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {34E89AE0-BCA6-4A1A-FB0E-3C5A3741EC8B} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3A5DFD56-CABC-612D-DD60-2B2662B2CF7E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3F37245C-790F-74B6-003F-201F7E8CD460} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {4B70F7B5-B9BA-10E7-EB09-38122C937171} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {4D251604-D00B-0377-70D0-69BB21ABA755} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {51A26082-687E-2A15-6A9D-79C213B962A4} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {775B6C68-853F-1885-333C-5A45271464E9} - http://69.50.182.94/1/rdgUS1733.exe
O20 - AppInit_DLLs: sysmain.dll
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\Program Files\Security iGuard
C:\WINDOWS\kjur.exe
C:\WINDOWS\System32\sysbho.exe
sysmain.dll<<<<find this via Start>Search
Restart and run a new HijackThis scan. Save the log file and post it here.
Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
So I need logs from:
smitfiles.txt
Ewido
HJT
Panda ActiveScan
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
- Ad-Aware® SE Personal Edition
*Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
- Spybot Search & Destroy
- CWShredder
Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract it’s files into it's own folder on the desktop. Do not run it yet.
Open Ewido and update it's definitions. Do NOT scan yet.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply
Open Ad-aware again. Run a scan and remove all it finds.
Run Ewido:
- Click [Scanner]
- Click [Complete System Scan] to begin scanning.
- Click [OK] when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
- Once finished, click the [Save report] button
- Save the report to your desktop
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Security iGuard
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [kjur] C:\WINDOWS\kjur.exe
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O16 - DPF: {0220435C-EB5D-49AE-DD1F-48312A97686C} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {12C4EEC6-EB0C-3C5E-3C6D-15857AACAB5A} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c7.cab
O16 - DPF: {1B2B17DC-2FE5-7443-B70A-107B26A208BD} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {2D589CC3-882A-4F12-27CD-52B1566864D5} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {3273567D-265E-61DB-1D25-1BAF35E2C9F5} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {34E89AE0-BCA6-4A1A-FB0E-3C5A3741EC8B} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3A5DFD56-CABC-612D-DD60-2B2662B2CF7E} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {3F37245C-790F-74B6-003F-201F7E8CD460} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {4B70F7B5-B9BA-10E7-EB09-38122C937171} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {4D251604-D00B-0377-70D0-69BB21ABA755} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {51A26082-687E-2A15-6A9D-79C213B962A4} - http://69.50.182.94/1/rdgUS1733.exe
O16 - DPF: {775B6C68-853F-1885-333C-5A45271464E9} - http://69.50.182.94/1/rdgUS1733.exe
O20 - AppInit_DLLs: sysmain.dll
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\Program Files\Security iGuard
C:\WINDOWS\kjur.exe
C:\WINDOWS\System32\sysbho.exe
sysmain.dll<<<<find this via Start>Search
Restart and run a new HijackThis scan. Save the log file and post it here.
Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
- Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
- Click On 'Scan Now'
- Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
- Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. - If it finds any malware, it will offer you a report. Click on see report
- Then click Save report
- Post the contents of the report in your next reply
So I need logs from:
smitfiles.txt
Ewido
HJT
Panda ActiveScan