Follow these instructions EXACTLY and put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties
Then
Read: How to post your Hijackthis log-files as an attachment.
You also need to look after this lot:
Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
LimeWire.exe as well as ALL the xxx.EXE files in the O4 - HKLM/HKCU group underneath
Next, click on Start/Run and type in (followed by press Enter):
regsvr32 /u "C:\Program Files\DNS\Catcher.dll"
Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\DNS\Catcher.dll
Next, click Start/Run and type services.msc and click OK. Look for the service:
scvhost.exe <<== watch the Spelling!
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.
Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webct.darton.edu/webct/ticke...nt_login&request_uri=/webct/homearea/homearea
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB - (no file)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [4IqmYAL] C:\documents and settings\nick\local settings\temp\4IqmYAL.exe
O4 - HKLM\..\Run: [GIv] C:\documents and settings\nick\local settings\temp\GIv.exe
O4 - HKLM\..\Run: [h] C:\documents and settings\nick\local settings\temp\h.exe
O4 - HKLM\..\Run: [CEe7Q] C:\documents and settings\nick\local settings\temp\CEe7Q.exe
O4 - HKLM\..\Run: [tZs8Kv] C:\windows\system32\tZs8Kv.exe
O4 - HKLM\..\Run: [qQpZ.exe] c:\windows\system32\qQpZ.exe
O4 - HKLM\..\Run: [ms-update] scvhost.exe <<== watch the Spelling!
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe <<== watch the Spelling!
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
Fix ALL O16 - DPF: entries
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.
When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
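
The two things that stand out in the O4 entries above, programs started from a Temp directory and a name such as scvhost.exe that imitates svchost.exe, can be checked mechanically. The following is an added example, not part of the original post; the sample log lines, the `SYSTEM_NAMES` list and the distance threshold of 2 are assumptions.

```python
import re

# Constructed sample lines in HijackThis O4 format (not taken from a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\a1b2.exe
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\Run: [Audio] C:\Program Files\Vendor\audio.exe
O4 - HKLM\..\RunServices: [host] C:\WINDOWS\system32\svchost.exe
"""

# Assumption: a short list of Windows binaries whose names malware imitates.
SYSTEM_NAMES = ["svchost.exe", "explorer.exe", "lsass.exe", "services.exe", "winlogon.exe"]
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_o4(log_text):
    """Return (value name, command, reasons) for O4 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = cmd.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\temp\\" in cmd.lower():
            reasons.append("runs from a Temp directory")
        for good in SYSTEM_NAMES:
            # Distance 1-2 from a system binary: a lookalike such as scvhost.exe.
            if 0 < edit_distance(exe, good) <= 2:
                reasons.append(f"name resembles {good}")
        if reasons:
            findings.append((m.group("name"), cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in review_o4(SAMPLE_LOG):
        print(f"[{name}] {cmd}: {'; '.join(reasons)}")
```

The check looks only at the file name at the end of each command, so entries with trailing arguments need the arguments stripped first.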