It is likely that you will have to reinstall MSN Messenger after we are done.
Delete these files/folders, as follows:
* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
File::
C:\WINDOWS\system32\fukvdoxrwgwl.exe
C:\WINDOWS\system32\estmmsmejuad.exe
Folder::
C:\VundoFix Backups
* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully!
* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.
----------
Install ATF Cleaner by Atribune.
ATF Cleaner.exe (don't use it yet)
----------
Enable Viewing Of Hidden System Files & Folders
1. Right Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.
----------
Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find the service.
Print Spooler Service (ciau0y9ebo2i)
Click once on the service to highlight it.
Click Stop (to the upper left)
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.
----------
Press the ctrl+alt+delete keys (all at the same time) to bring up Task Manager. Click the Processes tab and find the below entry. Right Click on it and choose End Process.
estmmsmejuad.exe
----------
Open HijackThis and select Do a system scan only and place a check mark next to:
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O4 - HKLM\..\RunServices: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O23 - Service: Print Spooler Service (ciau0y9ebo2i) - Unknown owner - C:\WINDOWS\system32\estmmsmejuad.exe
----------
Double click My Computer on the desktop to locate and delete the following files/folders. (in bold)
C:\WINDOWS\system32\
estmmsmejuad.exe
----------
Run ATF Cleaner
Make sure that all browser windows are closed.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.
----------
Please download the trial version of SpySweeper (2 week trial). You can uninstall this when we are done.
* Run the installer. Choosing to only install SpySweeper
* It will prompt you to update to the latest definitions, choose Yes (recommended) and click Next
* Once the definitions are installed, click I accept the agreement and then Next
* Choose Typical Installation then click Next
* Enter your email address then click Next
Important: Uncheck the box Install the Webroot Ask toolbar Search Assistant, I agree to the terms above before clicking Next
* Click Install.
* Choose Yes, restart my computer now (recommended) then click Finish (the computer will restart)
* Once restarted open SpySweeper.
* Click the Options tab. (lower left)
* Under Options > Sweep Tab > Sweep Type choose Full Sweep (Recommended)
* Click the Always Apply tab and use the dropdown menu to select Always Quarantine
* Click the Home tab and choose Start Full sweep
* When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
* It will quarantine all of the items found.
* Click View Session Log in the upper right corner.
* Click the Save To File button.
* Click Desktop for the location.
* Next to the Save as type: be sure it is set to Text Document (.txt) and then click Save
* Attach the SpySweeper Session Log in your next reply.
Also post a new Hijack This log.
----------
Next post please attach
combofix.txt log
SpySweeper Session Log
New HijackThis log
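
Added example, not part of the original post: a small Python check that parses HijackThis entry lines and reports any that still reference the files deleted or the identifiers fixed above, so the new log can be compared against the cleanup list. The function names are hypothetical, the BEFORE lines are copied from the entries listed in this post, and the AFTER log is constructed sample data.

```python
import re

# HijackThis entry: section code (R0, F2, O4, O23 ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
# Drive-letter path ending in .exe or .dll; folder names may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\[^/:*?"<>|\r\n]*?\.(?:exe|dll)', re.IGNORECASE)

# From the post: the two deleted files, the service name and the toolbar CLSID.
REMOVED_FILES = [
    r"C:\WINDOWS\system32\fukvdoxrwgwl.exe",
    r"C:\WINDOWS\system32\estmmsmejuad.exe",
]
REMOVED_MARKERS = ["ciau0y9ebo2i", "{C17590D2-ECB4-4b15-8820-F58798DCC118}"]

def parse_entries(log_text):
    """Return one dict per HijackThis entry line; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            paths = [p.lower() for p in PATH_RE.findall(m.group("body"))]
            entries.append({"section": m.group("section"), "line": raw.strip(), "paths": paths})
    return entries

def leftovers(log_text, files=REMOVED_FILES, markers=REMOVED_MARKERS):
    """Entries that still reference a removed file or a fixed identifier."""
    wanted = {f.lower() for f in files}
    tags = [m.lower() for m in markers]
    return [e for e in parse_entries(log_text)
            if wanted & set(e["paths"]) or any(t in e["line"].lower() for t in tags)]

# Entries quoted in the post (before cleanup); the first line is a log header.
BEFORE = r"""Running processes:
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O4 - HKLM\..\RunServices: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O23 - Service: Print Spooler Service (ciau0y9ebo2i) - Unknown owner - C:\WINDOWS\system32\estmmsmejuad.exe
"""
# Constructed post-cleanup log: one autorun entry survived, one unrelated entry.
AFTER = r"""O4 - HKLM\..\RunServices: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for e in leftovers(AFTER):
        print("still present:", e["line"])
```

An empty result for the new log means none of the listed files or identifiers are referenced any more; it does not by itself show the machine is clean.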