Hya Nessn12.
Ewido did a great job and removed lots, but the Panda scan proved to be quite useless this time. It didn't find anything really, I'm a bit surprised about that.
Oh well, we'll get it clean anyway.
First uninstall these in Add/Remove Programs if present:
QuickSearch Search Bar
MySearch
WildTangent
MyWebSearch
MyWebSearch Email Plugin
Then boot in Safe Mode and fix these entries with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://as.starware.com/dp/search?x=w...D/YOx16Q+SeWch vZea9ZweIyWoh7r9pTss0AIFl7akl+Yi8Njb2fNIvC7SOpwSzC 3OtXCwLicbLo2qXQXx5swLFmsApBg3 Q0r+qUYHlMfrU+5LOp+04yAOpRxzwT6p4S7ypMY2Sqm7/KUpca3CwhLbACgeFz5DUR14JANcblJGkE=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\
QuickSearch\QuickSearchBar1_27.dll (file missing)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\
MySearch\bar\1.bin\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\
WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\
hostdll.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\
MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\RunOnce: [SVCHOST] C:\WINDOWS\
SPOOLSV.EXE Load
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\baldy\MYDOCU~1\RACLE~1\
wuauboot.exe" -vt yax
O4 - HKCU\..\Run: [Crnprr] C:\Program Files\Common Files\
?icrosoft\m?hta.exe
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://static.windupdates.com/cab/We.../bridge-c9.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache...consFWBInitial Setup1.0.0.8-2.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -
http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) -
http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} -
http://85.255.114.166/1/rdgUS2404.exe
And then manually delete all the files/folders marked in bold.
After that I would also disable the Windows Messenger service:
Please download Shoot The Messenger.
Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state — running or disabled — that you desire.
If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.
Originally Posted by Nessn12
Now I am getting this unicode or wingdings stuff when I log in
Wingdings is a font afaik, but have a look at how it goes after all the malware is gone. If it is still there then please describe a little better what happens and what errors you get.
When done please post a new hjt log to check.
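Added example, not part of the original post: a small Python check that compares the entries from the fix list above against a follow-up HijackThis log and reports which ones are still present. The follow-up log, the `ExampleAV` entry and the function names are constructed for illustration; O3/O16 entries are matched by CLSID and O4 entries by Run key and value name, so an entry that comes back under a different path is still caught.

```python
import re

# "R1 - ...", "O4 - ...", "O16 - ..." : section code, " - ", then the entry body
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_VALUE = re.compile(r"^(.+?: \[[^\]]+\])")  # e.g. HKLM\..\Run: [name]

def entry_key(line):
    """Stable identity for one HijackThis line, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("O3", "O16"):            # toolbars / downloaded program files
        clsid = CLSID.search(body)
        if clsid:
            return (code, clsid.group(0).lower())
    if code == "O4":                     # autoruns: key + value name, not the path
        run = RUN_VALUE.match(body)
        if run:
            return (code, run.group(1).lower())
    # R0/R1 and everything else: whole body, whitespace and case folded
    return (code, " ".join(body.split()).lower())

def still_present(fix_list, new_log):
    """Fix-list lines whose identity still appears in the follow-up log."""
    seen = {entry_key(l) for l in new_log.splitlines()} - {None}
    return [l.strip() for l in fix_list.splitlines() if entry_key(l) in seen]

# Entries taken from the fix list in the post (split lines rejoined).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
"""

# Constructed follow-up log: two fixed entries have come back in altered form.
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\system32\hostdll.exe
O16 - DPF: {97b79133-88f0-45f0-8d57-0f2ef27d9c66} - (no file)
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", line)
```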