Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
* Hide extensions for known file types
* Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
* Show hidden files and folders
Click Apply and then click OK
--------------------
You will not be able to see this page in safe mode.
You should print these instructions before continuing or copy and paste them to notepad and save it to the desktop.
(from here to where it says Restart the computer to Normal Boot Mode)
--------------------
1. Go to Start > Turn off computer > Restart.
2. Lightly tap F8 until the menu screen appears.
3. Using the arrow keys, highlight Safe Mode option, then press Enter.
4. Log in with your usual account name.
--------------------
Open HijackThis and select Do a system scan only then place a check mark next to:
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)
Close all windows except HijackThis and click fix checked
Close HijackThis and continue in Safe Mode.
--------------------
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Program Files folder.
Right click on SecCenter and from the menu that appears, click on Delete
Next, repeat the steps but go to C: > Windows > System32 > and delete bkhibkh.dll
--------------------
Restart the computer to Normal Boot Mode
--------------------
Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find FFI
Right click on the service and choose Stop
Right-Click on the service again.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
--------------------
Please open HijackThis and select Open the Misc Tools section
Then choose Delete an NT service
In the Delete window, type FFI and press OK
OK any prompts, close HijackThis.
Restart your computer.
--------------------
Delete these files/folders, as follows:
* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
File::
C:\WINDOWS\system32\tmp.reg
C:\oaif.exe
C:\Install
C:\kcfcnacj.exe
C:\1B4.tmp
C:\rsdqve.exe
C:\1BC.tmp
C:\138579547
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdeby]
hggdeby.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully!
* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.
--------------------
Please download ATF Cleaner by Atribune.
ATF Cleaner.exe This program does not require an installation. The executable actually runs the program.
NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.
--------------------
Next post please attach:
* Combofix.txt log
* NEW HijackThis log
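
A way to check the new HijackThis log requested above against the entries this post asked to fix, as an added example that is not part of the original post. The function names and the sample log are constructed for illustration; entries carrying a CLSID are matched on the CLSID, so a BHO that reappears with a different file status is still caught.

```python
import re

# Entries the post asks to tick and fix in HijackThis (copied from the post).
FIXED = [
    r"O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe",
    r"O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)",
    r"O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)",
    r"O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)",
]

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
STATUS = re.compile(r"\s*\((no file|file missing)\)\s*$")

def entry_key(line):
    """Return a (section, identifier) key for a HijackThis entry, or None
    for lines that are not entries (header, process list, blank lines)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID.search(body)
    if clsid:
        # The CLSID identifies the entry even if its file status changes.
        return section, clsid.group(0).upper()
    # Otherwise compare the entry text without its trailing status marker.
    return section, STATUS.sub("", body).lower()

def still_present(new_log, fixed=FIXED):
    """Return the fixed entries that still show up in a new HijackThis log."""
    seen = {entry_key(line) for line in new_log.splitlines()}
    return [f for f in fixed if entry_key(f) in seen]

# Constructed sample log (not from the thread): one BHO has come back with a
# file attached and the Winlogon Notify entry was never removed.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {245a6cd4-5ea9-b9eb-791a-06f67243094d} - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)
"""

if __name__ == "__main__":
    for entry in still_present(SAMPLE_LOG):
        print("still present:", entry)
```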