heh my bad, I apologize.
You're pretty infected, but we can fix all of it. Let's do this.
Open Program Files (My Computer > Local Disk (C:) > Program Files).
When ya open it, right click, and create a new folder here. Name it 'HJT'.
Now, drag the HJT program icon into this new folder.
__________________________
NOTE: Some of this process will be done while in Safe Mode. Save these instructions to a Notepad file, as you will not be able to access the internet while in Safe Mode.
After doing this, follow up by downloading CCleaner, and specifically choosing the most recent version.
Then, follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
C:\Windows\Temp
C:\Temp
C:\Documents and Settings\\Local Settings\Temp
C:\Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\\History
C:\Documents and Settings\\Cookies
C:\Windows\Prefetch
After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.
Now close the program.
____________________
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
______________________
Now, follow by downloading Ewido Security Suite.
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful".
Close the program.
____________
Now, restart the computer.
Go to the Add/Remove Programs list (inside the Control Panel) and uninstall 'PartyPoker'.
Open Ewido.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Now, open HJT, and place checks by the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\mscfg.dll
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
After placing a check by these entries, close EVERY OTHER WINDOW (including this one) and hit 'Fix Checked'.
Now, reboot into Safe Mode. To do this, repeatedly click F8 while your computer is starting up.
Once in Safe Mode, please run Killbox.
1) Select "Delete on Reboot".
2) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe
3) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
4) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
Let the system reboot.
Now, reboot into safe mode again.
1) Once in Safe Mode, please run Killbox.
2) Select "delete on reboot" and put a check in the "unregister dll" box.
3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\mscfg.dll
4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
Let the system reboot.
Now, run HJT again and save the log.
Post back here with the following:
1) Ewido scan log
2) New HJT log
3) results on how the Killbox worked
Thanks.
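
A cross-check on the fix list in the post above, added here as an example and not part of the original post: it parses the HijackThis entries the post lists, pulls out any file path each entry references, and reports paths that are not in the Killbox deletion list. The section descriptions and the names `parse_log` and `uncovered` are this example's own.

```python
import re

# HijackThis entries the post says to check, copied from the post.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\mscfg.dll
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
"""

# Files the post queues for deletion in Killbox, copied from the post.
KILLBOX = [r"C:\WINDOWS\system\smss.exe", r"C:\WINDOWS\system32\nvsvcd.exe",
           r"C:\WINDOWS\mscfg.dll"]

# Usual meaning of the HijackThis section codes that appear above.
SECTIONS = {"R0": "IE start/search page setting", "R1": "IE start/search page setting",
            "O2": "Browser Helper Object", "O4": "autostart entry",
            "O9": "IE extra button / Tools menu item",
            "O20": "AppInit_DLLs / Winlogon Notify", "O23": "Windows service"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First absolute path ending in .exe or .dll; arguments such as "/w" are excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll)\b', re.IGNORECASE)

def parse_log(text):
    """Turn HijackThis log lines into dicts with code, kind, path and missing flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank line or log header
        code, detail = m.groups()
        path = PATH_RE.search(detail)
        entries.append({"code": code, "kind": SECTIONS.get(code, "unknown"),
                        "path": path.group(0) if path else None,
                        "missing": "(file missing)" in detail})
    return entries

def uncovered(entries, delete_list):
    """Paths referenced by fixed entries that the deletion list does not cover."""
    planned = {p.lower() for p in delete_list}  # Windows paths are case-insensitive
    return sorted({e["path"] for e in entries
                   if e["path"] and e["path"].lower() not in planned})

if __name__ == "__main__":
    print("Not in Killbox list:", uncovered(parse_log(HJT_LOG), KILLBOX))
```

The only path left over is PartyPoker's RunApp.exe, which the post handles through Add/Remove Programs; the O20 entry yields no path because HijackThis reports its file as missing.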