Ok please follow the steps below
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
- C:\WINNT\eHome\MCAgen.exe
- Click on the Upload button
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.
-----------------------------------------------------------
We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.
Code:
@echo off
sc stop Viewpoint Corporation
sc delete Viewpoint Corporation
del service.cmd and exit
Save it to your desktop as File name: service.cmd
Save as type: All Files
Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.
-----------------------------------------------------------
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Please re-open HiJackThis and scan.**Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: Gwinnett Tech Browser Toolbar - {F3A2858F-30A5-445C-A604-46B25A7AA8BF} - C:\Program Files\GTCBrowserToolbar\Gwinnett Tech Browser Toolbar\GwinnettechToolBar.dll
O3 - Toolbar: fdkowvbp - {54EF0797-AF80-4CF5-AB0C-7E87CCEC3E0B} - C:\WINNT\fdkowvbp.dll
O4 - HKLM\..\Run: [lphc7elj0e753] C:\WINNT\system32\lphc7elj0e753.exe
O4 - HKLM\..\Run: [SMrhc3elj0e753] C:\Program Files\rhc3elj0e753\rhc3elj0e753.exe
O4 - HKLM\..\Run: [4443684d] rundll32.exe "C:\WINNT\system32\gcvlvsnp.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzed055DIUS_ZN
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O21 - SSODL: wnslvxtf - {FF119E9A-3F23-49B8-B0A4-268168B9D0CD} - C:\WINNT\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {4C80C046-C152-4C98-A647-A70455B3DBAC} - C:\WINNT\eqvwamkl.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
Now
close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis.**Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please go to Start > Control Panel >
Add/Remove Programs and remove the following (if present):
GTCBrowserToolbar
rhc3elj0e753
Viewpoint
Ebates_MoeMoneyMaker
--------------------------------------------------------------
Please
download the
OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
C:\Program Files\GTCBrowserToolbar
C:\WINNT\fdkowvbp.dll
C:\WINNT\system32\lphc7elj0e753.exe
C:\Program Files\rhc3elj0e753
C:\WINNT\system32\gcvlvsnp.dll
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINNT\wnslvxtf.dll
C:\WINNT\eqvwamkl.dll
C:\Program Files\Viewpoint\
- Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
- Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose
Yes.
After that, Reboot, and post a new HijackThis log here in a reply