Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.
Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
O1 - Hosts: 94.247.2.216 www.google.com
O1 - Hosts: 94.247.2.216 search.yahoo.com
O2 - BHO: Dictionary.com BHO - {14998b0b-2671-4adb-a005-dde2fb18eb35} - mscoree.dll (file missing)
O2 - BHO: (no name) - {D032570A-5F63-4812-A094-87D007C23012} - C:\Windows\system32\InternetExplorer.dll (file missing)
O3 - Toolbar: Dictionary.com - {bf2aa568-0085-423c-ba01-69b6705a9a96} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [shell] C:\Windows\system\rundll32.exe 00004
O4 - HKLM\..\Run: [se] C:\Windows\system\se.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: debcfbfacbecc - C:\Windows\system32\debcfbfacbecc.dll (file missing)
O21 - SSODL: ieModule - {048D10A3-04DF-4D13-A265-352E2720044A} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {8B158EC7-D70B-43B2-8770-13085FC22EB1} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\cuxxyynqoz.dll
Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...
Spyware Guard 2008
Please note any other programs that you don't recognize in that list in your next response.
Follow this next set of instructions...
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

KillAll::
Folder::
C:\Program Files\Spyware Guard 2008
File::
C:\Windows\system32\InternetExplorer.dll
C:\Windows\system\rundll32.exe
C:\Windows\system\se.exe
C:\Windows\system\dop.exe
C:\Windows\system32\debcfbfacbecc.dll
C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\cuxxyynqoz.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"se"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system\\rundll32.exe"=-
"c:\\Windows\\system\\dop.exe"=-
"c:\\Windows\\system\\se.exe"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not click ComboFix's window while it is running. That may cause your system to freeze.
Also, I found this file on your computer:
c:\program files\Game.exe
Do you know what this is? Some infections use this name in the same location, but you have some game-related files in that same folder, so I'm not quite sure what to make of it. If you don't know what it is, you should upload it to VirusTotal and post back with the results.
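
An added example, not part of the original post and not code from HijackThis or ComboFix: a small Python triage pass over HijackThis-style log lines that flags the three kinds of entry seen in the list above (hosts-file redirects of search sites, entries marked "(file missing)", and autoruns launched from C:\Windows\system\). The sample lines are copied from the post; the watch list, the loopback set and the three heuristics are assumptions made for this illustration.

```python
import re

# Constructed sample: a few of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
O1 - Hosts: 94.247.2.216 www.google.com
O1 - Hosts: 94.247.2.216 search.yahoo.com
O2 - BHO: (no name) - {D032570A-5F63-4812-A094-87D007C23012} - C:\Windows\system32\InternetExplorer.dll (file missing)
O4 - HKLM\..\Run: [se] C:\Windows\system\se.exe
O4 - HKLM\..\Run: [shell] C:\Windows\system\rundll32.exe 00004
O13 - Gopher Prefix:
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# Assumption: name fragments that should not be pinned to an address in hosts.
WATCHED = ("google.", "yahoo.", "bing.", "microsoft.")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}  # local blocklist-style entries

def triage(log_text):
    """Return (section, reason, detail) tuples for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        # Heuristic 1: registry entry whose target file no longer exists.
        if body.endswith("(file missing)"):
            findings.append((section, "orphaned-entry", body))
        # Heuristic 2: watched name mapped to a non-loopback address.
        h = HOSTS.match(body) if section == "O1" else None
        if h and h.group(1) not in LOOPBACK and any(w in h.group(2).lower() for w in WATCHED):
            findings.append((section, "hosts-redirect", f"{h.group(2)} -> {h.group(1)}"))
        # Heuristic 3: autorun started from C:\Windows\system\ (the legacy
        # 16-bit directory); the genuine rundll32.exe lives in system32.
        r = RUN.match(body) if section == "O4" else None
        if r and r.group(2).lower().startswith("c:\\windows\\system\\"):
            findings.append((section, "autorun-in-legacy-dir", r.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A flagged line is a prompt for review, not a verdict; entries such as "(file missing)" also appear for harmlessly uninstalled software.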