Hi,
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
WinBuildThatNoun
SpyHunter
road draw
user32.dll
Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:
Image ActiveX Access
4SeekWinBuild / WinBuildThatNoun
SpyHunter
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Image ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [WinBuildThatNoun] C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\build dupe.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [road draw] C:\DOCUME~1\WILLIA~1\APPLIC~1\FORDER~1\DVD OPTION START.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Image ActiveX Access\iesmn.exe
O9 - Extra button: Golden Palace Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\GOLDEN~1\client.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -
http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) -
http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} -
http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2205CE7-9CCA-4668-8A0D-F285A7B0E69C}: NameServer = 205.188.146.145
< fix this if you do not recognise the domain to be from your ISP
O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-7de323e4ec82} - C:\WINDOWS\system32\indwvm.dll
Close HJT.
Navigate in Windows Explorer and delete the following
files and
folders in
bold.
C:\WINDOWS\system32\
indwvm.dll
C:\Program Files\
Image ActiveX Access\
C:\Documents and Settings\All Users\Application Data\
4SeekWinBuild\
C:\Program Files\
Enigma Software Group\
C:\DOCUME~1\WILLIA~1\APPLIC~1\
Ford Error Hide
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. The utilities can be obtained from the links in my signature.
Also let me know the results of the AVG Antirootkit scan
Regards,
Your friendly Momok =)
This thread is for the use of TALBERT only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.