Please read this post completely. It may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Please download the Killbox by Option^Explicit. ( Save it to your desktop. )
Note: In the event you already have Killbox, this is a new version that I need you to download.
You have a CoolWebSearch infection.
Download CWShredder here to its own folder.
Update CWShredder
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {1BF0A83A-6F8A-630F-D8AC-1363031EDBEA} - C:\WINDOWS\System32\yzyzpqa.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1FA6A83C-6ADA-3F0F-8FAC-1363031E80B8} - C:\WINDOWS\System32\fifoviva.dll (file missing)
O2 - BHO: (no name) - {1FA6A83C-6ADA-3F0F-8FAC-1363031E80B8} - C:\WINDOWS\System32\fifoviva.dll (file missing)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\irun4.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Pqmp] C:\PROGRA~1\FNTS~1\XPLORE~1.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinqqez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\ZICORN003.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\r8p8li7u18.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWxleGFuZGVy\command.exe (file missing)
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Run ATF Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Using Windows Explorer delete the following folders (if present): (To get into Windows Explorer, right click the START button and select "explore.")
C:\WINDOWS\QWxleGFuZGVy
C:\Program Files\FNTS~1
C:\WINDOWS\SKS~1
Run Killbox:
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Windows\winlog.exe
C:\WINDOWS\System32\irun4.exe
C:\WINDOWS\SYSTEM32\pwinqqez.exe
C:\WINDOWS\SYSTEM32\ZICORN003.exe
C:\WINDOWS\System32\dmonwv.dll
C:\WINDOWS\System32\x3cqp0.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Reboot into Normal Mode.
In your next reply please include the following:
- A new HijackThis log.
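
A triage aid for the HijackThis entries listed in the post, added here as an example and not part of the original post: it splits each log line into its section code and any file path, and separates entries HijackThis flagged "(file missing)" or "(no file)" from those whose file was still referenced at scan time. The sample log reuses a few lines from the post; the function names and status labels are assumptions made for this example.

```python
import re

# Constructed sample: a few of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1BF0A83A-6F8A-630F-D8AC-1363031EDBEA} - C:\WINDOWS\System32\yzyzpqa.dll (file missing)
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\irun4.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\dvdplay.exe" -vt ndrv
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinqqez.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWxleGFuZGVy\command.exe (file missing)
"""

# Section code (R0, O4, O23, ...) followed by " - " and the entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# First fully qualified .exe/.dll path in the body, without surrounding quotes.
PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per HijackThis entry: section, path, status."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a log entry
        section, body = m.groups()
        missing = body.endswith("(file missing)") or body.endswith("(no file)")
        found = PATH.search(body)
        path = found.group(0) if found else None
        if missing:
            status = "file_missing"  # registry reference only; no file to delete
        elif path:
            status = "file_present"  # not flagged as missing at scan time
        else:
            status = "no_path"       # URL, zone entry or bare file name: resolve by hand
        entries.append({"section": section, "path": path, "status": status})
    return entries


def paths_with_status(entries, status):
    """List the paths (None where there is no full path) for one status label."""
    return [e["path"] for e in entries if e["status"] == status]
```

Entries labelled `no_path`, such as the bare `winlog.exe` under RunServices, carry no directory in the log and have to be located manually before they can be added to a deletion list.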