Hi, next time, you need not PM me anymore. I was prompt in my reply (within a day). FYI, I don't work here and I don't get paid. In fact, all of the helpers here are volunteers and we use up our free time to help you guys. Of course we also have our own lives so please understand that sometimes, we can't reply as fast as you want us to.
However, it would help to PM me if I haven't replied to you for 3-5 days.
===
*A few optionals that I would recommend be uninstalled.
Shareaza version 2.2.5.0
Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.
Viewpoint Media Player
is a Viewpoint component that is installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006, this may change; read Viewpoint to Plunge Into Adware.
*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.
Delete the following folders if you uninstalled their corresponding programs:
C:\program files\shareaza
C:\program files\viewpoint
_____
*You need to disable Spyware Guard temporarily, as it can stop our fix. Please re-enable it after your system is clean.
1. Right-click on the SG icon in your System Tray and SpywareGuard should open.
2. Click "Options" and then uncheck these options under the "General" tab:
- Enable Real-Time Scanning
- Enable Download Protection
- Enable Browser Hijack Protection
3. Click "Save Settings."
*Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.
To disable Ad-Watch in Ad-Aware 2007:
1. Left-click on the Ad-Watch icon in the system tray to open the program
2. Click the Settings button on the left side of the window.
- Click the button to the left of "Load Ad-Watch on Start up" to change the green check mark to a red x.
3. Click the Status button on the left side of the window.
- Under Protection Status, uncheck all the items to be sure they are a red X (instead of a green checkmark)
4. Close or minimize the Ad-Watch window (either will minimize it to the System Tray).
5. Right-Click on the Ad-Watch icon in the System Tray and select "Close Ad-Watch".
6. Click "Yes" in the Confirm Shutdown window.
7. Remember to restart your protection after your system has been cleaned.
*You need to disable Windows Defender temporarily, as it can stop our fix. Please re-enable it after your system is clean.
- Open Microsoft Windows Defender. Click Start > Programs > Windows Defender
- Click on Tools > General Settings
- Under Real-time Protection options, unselect the turn on real-time protection check box.
- Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {219A9FAD-3F42-4DCC-9526-037DC452974C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {B087E708-1E0B-4386-9E1C-47CBB3617347} - (no file)
O2 - BHO: (no name) - {DE014C37-AE6C-4C4C-B82C-BE1E8D680713} - (no file)
O2 - BHO: (no name) - {E7C2CA7E-9730-4555-F2BE-38E70B23662C} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Audiodev] C:\WINDOWS\SVCHOST.exe audiodev
O4 - HKCU\..\Run: [Audiodev] C:\WINDOWS\SVCHOST.exe audiodev
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} -
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O20 - Winlogon Notify: efcdaba - C:\WINDOWS\
O20 - Winlogon Notify: gebcy - C:\WINDOWS\
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 4: (no name) - (no file)
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______
Configure your machine to view hidden files:
Windows XP
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the "Hidden files and folders" heading select Show hidden files and folders.
- Uncheck the Hide Protected Operating System Files Option.
- Click Yes to confirm.
- Click OK.
Using Windows Explorer, delete the following files:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to WINDOWXP.exe.LNK
C:\WINDOWS\pss\Shortcut to WINDOWXP.exe.LNK
Empty your recycle bin.
______
Open Notepad.
Copy and paste the text inside the Code Box below into Notepad.
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Audiodev]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to WINDOWXP.exe.LNK]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Close Notepad. Make sure that all windows are closed.
Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
______
I would like you to scan a file for me.
Please go HERE. Copy and paste the following file path into the box.
C:\WINDOWS\system32\afff3_g.dll
Then click submit.
Please post the results to your next reply.
If Jotti is too busy, you can go HERE and do the same as above.
_______
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
In your next reply, please include a
- Fresh HijackThis log.
- Kaspersky scan log
- Jotti results
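
As an added example that is not part of the original post, this Python script parses HijackThis log lines and flags two patterns visible in the list above: entries whose target is "(no file)", and a Run entry that uses a Windows system binary name from a folder other than System32. The helper names `triage` and `exe_path` and the `SYSTEM_BINARIES` list are assumptions made for illustration.

```python
import re

# Constructed sample: entries copied from the HijackThis list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Audiodev] C:\WINDOWS\SVCHOST.exe audiodev
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O24 - Desktop Component 0: (no name) - (no file)
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")        # section, kind, remainder
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# Assumption: short illustrative list of binaries that ship in System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def exe_path(cmd):
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log):
    """Return (section, reason, detail) for entries matching either heuristic."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, _kind, rest = m.groups()
        run = RUN_VALUE.match(rest) if section == "O4" else None
        if rest.endswith("(no file)"):
            # Registry entry whose target file is gone: leftover to clean up.
            findings.append((section, "orphaned", rest))
        elif run:
            folder, _, name = exe_path(run["cmd"]).lower().rpartition("\\")
            if name in SYSTEM_BINARIES and not folder.endswith("\\system32"):
                findings.append((section, "system-name-outside-system32", run["name"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries the script does not flag, such as the O16 lines, still need a human reviewer; the two heuristics only cover the patterns named above.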