Go to Add or Remove Programs and uninstall:
- Ask Toolbar
- Viewpoint Media Player
----------
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries (if there):
- O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] C:\Documents and Settings\moore family\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\WinFixerScannerInstall[1].exe -nag
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
- O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
- O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
----------
Download OTM by OldTimer to your desktop.
Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
:Processes
explorer.exe
:services
LiveUpdate Scheduler
Automatic GameConsoleService
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"NI.UWFX5_0001_N56M0311"=-
"avast5"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]
:files
C:\commy.exe
C:\commy.exe28948c
C:\found.000
C:\Program Files\Symantec
C:\Program Files\Messenger
C:\WINDOWS\system32\1024
C:\Documents and Settings\moore family\Desktop\Blackpudding.bat.exe
:Commands
[resethosts]
[purity]
[createrestorepoint]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]
* Return to OTM, right-click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
----------
Suspicious file scan
Please go to Jotti's malware scan.
(If more than one file needs scanned they must be done separately and logs posted for each one)
* Copy the file path in the below Code box:
C:\WINDOWS\system32\drivers\cxxqtr.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file.
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
Also scan these two files and post the link to the results.
C:\WINDOWS\system32\drivers\rewac.sys
C:\WINDOWS\system32\drivers\sdfsaevy.sys
----------
Next post please add the OTM log and the 3 links to the files that were scanned at Jotti.
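
The HijackThis entries selected in the post above, run through a small triage script. This is an added example, not part of the original post and not code from HijackThis or OTM; the two heuristics (autostart from a cache/temp directory, entry whose target file is absent) and the final benign sample line are assumptions constructed for illustration.

```python
import re

# Sample input: the four entries quoted in the post, plus one constructed
# benign Run entry (ExampleApp) to show what is NOT flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] C:\Documents and Settings\moore family\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\WinFixerScannerInstall[1].exe -nag
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

# "O4 - rest of entry": section code, then the entry body.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.+)$")
# O4 autostart body: "<hive>: [<value name>] <command line>".
RUN_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Directories that legitimate autostart programs do not normally run from.
TEMP_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\",
             "\\windows\\temp\\")


def triage(log_text):
    """Return (section, body, reasons) for each entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a HijackThis entry
        section, body = m.groups()
        lowered = body.lower()
        reasons = []
        # HijackThis appends these markers when the target is gone.
        if lowered.endswith("(file missing)") or lowered.endswith("(no file)"):
            reasons.append("target file absent")
        if section == "O4":
            run = RUN_RE.match(body)
            if run and any(d in run.group("cmd").lower() for d in TEMP_DIRS):
                reasons.append("autostart from temp/cache directory")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {'; '.join(reasons)}\n    {body}")
```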