Alright well that took out a chunk. Couldn't have asked for more.
We need to get rid of one of the services running on your machine. To do this, copy (Ctrl+C) and paste (Ctrl+V) the text in the code box below to Notepad.
Code:
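@echo off
rem Stop the service, then remove its registration
sc stop PlugPlayRPC
sc delete PlugPlayRPC
rem Delete this script and close the command window
del service.cmd & exit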
Save it to your desktop as:
File name: service.cmd
Save as type: All Files
Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.
--------------------------------------------------------------------------------
Tools to download but don't run yet
Download CWShredder here to its own folder.
Download Malwarebytes' Anti-Malware to your desktop, run the setup and make sure to check for updates, but don't scan yet.
Download ATF Cleaner by Atribune to your desktop.
Download OTMoveIt2 by OldTimer to your desktop.
--------------------------------------------------------------------------------
You may want to print from here down, or copy and paste it into Notepad and save it to the desktop, because you won't be able to see it in Safe Mode.
Step 1
Boot into Safe Mode
- Restart your computer and start pressing the F8 key on your keyboard.
- Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Step 2
Remove bad HijackThis entries
- Run HijackThis
- Click on the System Scan Only button
- Put a check beside all of the items listed below (if present):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\system32\blank.htm
O2 - BHO: targetedbanner browser optimizer - {22676a24-3652-b38b-1d04-22a5496c67a8} - C:\WINDOWS\system32\incbphrdav.dll
O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {A07E3945-CED6-40A0-AA3B-8F367508DC36} - C:\WINDOWS\system32\hgGvuUoO.dll
O2 - BHO: (no name) - {FA609613-29FB-7C02-F94F-7BA293991AC9} - C:\WINDOWS\system32\lwxueh.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [{c47602e6-7b9d-3db7-49cf-e289026b1cb9}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\incbphrdav.dll" DllStart
- Close all open windows and browsers/email, etc...
- Click on the "Fix Checked" button
- When completed, close the application.
Step 3
OTMoveIt2 by OldTimer
- Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
purity
c:\windows\system32\blank.htm
C:\WINDOWS\system32\incbphrdav.dll
C:\Program Files\BChanger /s
C:\WINDOWS\system32\hgGvuUoO.dll
C:\WINDOWS\system32\lwxueh.dll
C:\WINDOWS\portsv.exe
- Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
- Make sure it looks just like in this post then Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes, then boot back into Safe Mode.
Step 4
While still in Safe mode
CWShredder
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Step 5
Download and Run ATF Cleaner
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox or Opera:
Click Firefox or Opera at the top and choose:
Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step 6
Malwarebytes' Anti-Malware
- Launch Malwarebytes
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please attach this log with your reply.
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Reboot to Normal Mode and attach here:
1) OTMoveIt2 log
2) MBAM log
3) Fresh HijackThis log, run after booting to Normal Mode