OK, let’s do a little work.
EDIT: I just noticed that HijackThis v1.99.1 is running from your desktop while v2.02 is in a temp folder. You should move these to their own folders before proceeding, as backups of the things we fix will be made. We don't want to risk deleting those backups. We really only need v1.99.1 for this - make the fixes below using this version.
After relocating HJT and if you haven't already, download OTMoveIt by OldTimer and save it to your desktop. Don't do anything with this just yet.
Now download NoLop to your desktop from
http://www.spywareedge.net/nolop/NoLop.exe
Close any other programs you have running, as this may require a reboot.
Double click NoLop.exe to run it.
Now click the button labeled "Search and Destroy".
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the "REBOOT" button.
A message should pop up from NoLop.
If not, double click the program again and it will finish.
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder, then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx
A log will be produced which you should include in your next response.
Next, open OTMoveIt and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\WINDOWS\system32\laf2.dll
C:\WINDOWS\system32\jrpkmgh.dll
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now open HijackThis and click to Do a System Scan Only. When complete, place a check mark next to these lines:
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O22 - SharedTaskScheduler: haruspicy - {60dea04c-9817-4309-bfa2-f8a1766c3cd1} - (no file)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
Note that the line in red above is adware but many people choose to keep it on their computer. Fixing this line is optional - do not check it if you wish to keep Weather Bug.
Now make sure all other windows are closed, including your browser, and click Fix Checked.
When that's finished, close HJT and boot to safe mode. Uninstall the following in Add/Remove Programs (if found):
AntiVirGear
And, optionally,
Weather Bug
Still in safe mode, delete the following folder (if found):
C:\Program Files\AntiVirGear 3.7
Reboot to normal mode and Download Deckard’s System Scanner (DSS) to your desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, DSS will prompt you to download and install it for you. Please allow this to happen!
Now post the following:
NoLOP log
OTMoveit results
DSS log
Finally, upload this file to VirusTotal and post the results of the scan:
C:\Documents and Settings\Administrator\Local Settings\Temp\msohtmlclip1\01\clip_image001.jpg
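Added example, not part of the original post or of any of the tools named above: a PowerShell check you can run from an elevated prompt after finishing all the steps, to confirm that each item listed in the instructions is actually gone and to get the SHA-256 of clip_image001.jpg for the VirusTotal lookup. The registry locations used for the O22 (SharedTaskScheduler) and O24 (Desktop Component) entries are my assumptions about where HijackThis reads those lines from; the paths assume the logged-on user is the Administrator profile whose Temp folder appears in the O24 line, and hashing is done with .NET directly so it also works on the PowerShell 1.0/2.0 builds available for Windows XP, which lack Get-FileHash.

```powershell
# Post-cleanup check for the items listed in the instructions above (added example).
# Run as Administrator after the NoLop / OTMoveIt / HijackThis / DSS steps.
$findings = @()

# O4 line: the Weather Bug autorun value lives under the HKCU Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.Weather) {
    $findings += "O4 still present (optional item): $runKey\Weather = $($run.Weather)"
}

# O22 line: SharedTaskScheduler stores each registered CLSID as a value name
# under this key (assumed location); the CLSID itself may also remain under HKCR.
$stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$clsid  = '{60dea04c-9817-4309-bfa2-f8a1766c3cd1}'
$sts = Get-ItemProperty -Path $stsKey -ErrorAction SilentlyContinue
if ($sts -and ($sts.PSObject.Properties | Where-Object { $_.Name -eq $clsid })) {
    $findings += "O22 still present: $stsKey value $clsid"
}
if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid") {
    $findings += "O22 CLSID still registered: HKCR\CLSID\$clsid"
}

# O24 line: Active Desktop components are numbered subkeys under this key
# (assumed location); the Source value holds the file:/// URL from the log.
$adKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components\0'
$ad = Get-ItemProperty -Path $adKey -ErrorAction SilentlyContinue
if ($ad -and $ad.Source -like '*clip_image001.jpg*') {
    $findings += "O24 still present: $adKey Source = $($ad.Source)"
}

# Files handed to OTMoveIt and the AntiVirGear folder deleted in safe mode.
$paths = @(
    (Join-Path $env:SystemRoot 'system32\laf2.dll'),
    (Join-Path $env:SystemRoot 'system32\jrpkmgh.dll'),
    (Join-Path $env:ProgramFiles 'AntiVirGear 3.7')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Still on disk: $p" }
}

# SHA-256 of the desktop-component image for VirusTotal. $env:TEMP on XP is the
# Local Settings\Temp folder of the current user (assumed to be Administrator).
$img = Join-Path $env:TEMP 'msohtmlclip1\01\clip_image001.jpg'
if (Test-Path -LiteralPath $img) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($img)
    try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    Write-Host "clip_image001.jpg SHA-256: $hash  (search this hash on VirusTotal before uploading)"
} else {
    Write-Host "clip_image001.jpg not found under $env:TEMP (nothing left to upload)"
}

if ($findings.Count -eq 0) {
    Write-Host 'Cleanup check: none of the listed items remain.'
} else {
    $findings | ForEach-Object { Write-Host "WARNING: $_" }
}
```

Any WARNING line means the corresponding step did not take; re-run that step (or post a fresh HijackThis log) rather than assuming the reboot finished the move. Because DSS empties the Temp folder, run this check, or at least the hashing part, before the DSS step if you want the hash of the original file on record.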