Hello rlnsccrref and welcome to Geeks to Go.
Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!
Once again, my apologies for the tardiness of this response; the forum has been ultra busy of late. Now if you are ready, let’s get fixing!
To start, please download the following programme; we will run it later. Please save it to a place that you will remember, I suggest the Desktop:
CCleaner
Your HJT log shows that you either have a backdoor Trojan/Virus, or have had, and some of the remnants are remaining. To be on the safe side, I would recommend that you visit Trend Housecall for an online scan.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
O2 - BHO: (no name) - {82A38405-1ECD-651C-B3DC-176400DB18E6} - C:\WINDOWS\system32\maiqto.dll
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\system32\siq.dll
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [33og33V] chcrm.exe
O4 - HKLM\..\Run: [MucydYAA] C:\WINDOWS\jepvtg.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitqu...com/v30/siq.cab
Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:
Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs in the Control Panel (if present):
(click Start>Settings>Control Panel)
Elitebar
Windupdates
Please notify me of any other programmes that you don’t recognise in that list in your next response.
Please set your system to show all files; please see here if you're unsure how to do this.
Please delete this folder (if present) using Windows Explorer:
C:\Program Files\Media Access
Please delete these files (if present) using Windows Explorer:
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\jepvtg.exe
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\maiqto.dll
C:\WINDOWS\system32\siq.dll
SINSTANTM.EXE (use search to find this one and the one below)
chcrm.exe
Close Windows Explorer and reboot normally.
Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.
There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.
Post back a fresh HijackThis log and also an Uninstall Log:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
and we will take another look.
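The fix list in the post above uses HijackThis's section codes (R0/R1 for Internet Explorer search and start pages, O2 for Browser Helper Objects, O4 for Run-key autostarts). As an added example that is not part of the original post, this Python sketch parses such lines and separates files the log names with a full path from those it names only by filename, which are the ones the post says to locate with search. The regular expressions are inferred from the lines shown in the post and are an assumption about the format, not HijackThis's own parser.

```python
import ntpath
import re

# Entries copied from the fix list in the post (sample input for this
# example; a real run would read the saved HijackThis log file instead).
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
O2 - BHO: (no name) - {82A38405-1ECD-651C-B3DC-176400DB18E6} - C:\WINDOWS\system32\maiqto.dll
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\system32\siq.dll
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [33og33V] chcrm.exe
O4 - HKLM\..\Run: [MucydYAA] C:\WINDOWS\jepvtg.exe
"""

# Per-section field layouts (assumed from the lines above). O4 commands are
# taken whole as the file name; the sample entries carry no arguments.
PATTERNS = {
    "R": re.compile(r"(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)"),
    "O2": re.compile(
        r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)"),
    "O4": re.compile(r"(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<file>.+)"),
}

def parse_line(line):
    """Split one log line into its section code and named fields."""
    m = re.match(r"(?P<section>[A-Z]\d+) - (?P<rest>.+)", line.strip())
    if not m:
        return None
    pattern = PATTERNS.get(m["section"]) or PATTERNS.get(m["section"][0])
    fields = pattern.fullmatch(m["rest"]) if pattern else None
    entry = {"section": m["section"], "raw": m["rest"]}
    if fields:
        entry.update({k: v for k, v in fields.groupdict().items() if v})
    return entry

def parse_log(text):
    """Parse every recognisable entry line in a log excerpt."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def referenced_files(entries):
    """Return (full_paths, bare_names) for files named by O2/O4 entries."""
    full, bare = [], []
    for entry in entries:
        path = entry.get("file")
        if path:
            (full if ntpath.isabs(path) else bare).append(path)
    return full, bare

if __name__ == "__main__":
    full, bare = referenced_files(parse_log(SAMPLE))
    print("Named with a full path:", *full, sep="\n  ")
    print("Filename only, locate with search:", *bare, sep="\n  ")
```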