- We need to make sure all hidden files are showing so please:
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
- Please RUN HijackThis, click the SCAN button to produce a log.
- Place a check mark beside each one of the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ampmsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ampmsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lldgsd.exe reg_run
O4 - HKLM\..\Run: [hfqbrjm] C:\WINNT\system32\liuvoy\hfqbrjm.exe
O4 - HKLM\..\Run: [hwvgg] C:\WINNT\system32\jkykw\hwvgg.exe
O4 - HKLM\..\Run: [lucw] C:\WINNT\system32\oklwqfnv\lucw.exe
O4 - HKLM\..\Run: [mqxgmkec] C:\WINNT\system32\lgthv\mqxgmkec.exe
O4 - HKLM\..\Run: [pjpb] C:\WINNT\system32\uvgqapd\pjpb.exe
O4 - HKLM\..\Run: [wmfmidv] C:\WINNT\system32\cscoiyec\wmfmidv.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\lldgsd.exe reg_run
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {136459A0-FFA8-4345-83D1-BBDE11EBAEB7} - C:\WINNT\system32\loghours1095k.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {23D1FF34-48E2-4CD0-ADD0-728F709994BB} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ecwfrjcs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {22FB8D7E-0524-42D6-B84D-7F3ABE2B5487} - http://hhm04ntfs/AffinityGUIM2.CAB
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0031.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: mqxgmkeclgthv - Unknown owner - C:\WINNT\system32\lgthv\mqxgmkec.exe (file missing)
- Now with all the items selected, and all windows closed except for HJT, DELETE them by clicking the FIX checked button and EXIT the program.
- Reboot Your System in Safe Mode
How To Start To Safe Mode In Windows 2000
- Turn the computer on
- When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.
- The Windows 2000 Advanced Options Menu will appear.
- Choose the Safe mode option (it is usually the first item in the list).
- Use the arrow keys to select it if it is not selected by default.
- Press Enter. The computer will start in Safe mode.
- When finished troubleshooting, close all programs and restart the computer as you normally would.
- Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):
C:\WINNT\system32\lyncusb.exe
C:\WINNT\system32\liuvoy<==Folder
C:\WINNT\system32\jkykw<===Folder
C:\WINNT\system32\oklwqfnv<===Folder
C:\WINNT\system32\uvgqapd<==Folder
C:\WINNT\system32\cscoiyec<===Folder
C:\WINNT\system32\Searchx.htm
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\lldgsd.exe
C:\WINNT\system32\lgthv<==Folder
C:\WINNT\system32\loghours1095k.dll
C:\Program Files\Ebates_MoeMoneyMaker<==Folder
C:\Program Files\Internet Explorer\ecwfrjcs.exe
c:\counter.cab
- Exit Explorer, and REBOOT BACK INTO NORMAL MODE
- Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Trevuren
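
Added example (not part of Trevuren's post): a small Python check for the last step, comparing the entries marked for fixing against the new HijackThis log. It also flags a Run entry that starts an already-fixed command under a different value name, since the list above shows lldgsd.exe registered twice (winsync and ntdll.dll). NEW_LOG, including the [sysupd] value name, is constructed sample data, and the function names are this example's own.

```python
import re

# A HijackThis entry is a section code (R1, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# O4 autostart detail: registry key, [value name], command line.
RUN_RE = re.compile(r"^(.*?):\s*\[(.*?)\]\s*(.+)$")

# Subset of the entries marked for fixing in the post.
FIX_LIST = r"""
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lldgsd.exe reg_run
O4 - HKLM\..\Run: [hwvgg] C:\WINNT\system32\jkykw\hwvgg.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\lldgsd.exe reg_run
O23 - Service: mqxgmkeclgthv - Unknown owner - C:\WINNT\system32\lgthv\mqxgmkec.exe (file missing)
"""
# Constructed sample of a log taken after the cleanup (not from the post).
NEW_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hwvgg] C:\WINNT\system32\jkykw\hwvgg.exe
O4 - HKLM\..\Run: [sysupd] c:\winnt\system32\LLDGSD.EXE reg_run
"""

def norm(s):
    # Windows paths and registry names are case-insensitive.
    return re.sub(r"\s+", " ", s).strip().lower()

def parse_entries(text):
    """(code, detail) pairs; non-entry lines such as the process list are skipped."""
    hits = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def run_command(code, detail):
    """Normalized command of an O4 autostart entry, or None for other entries."""
    m = RUN_RE.match(detail) if code == "O4" else None
    return norm(m.group(3)) if m else None

def recheck(fix_list, new_log):
    """Return (unchanged, renamed) entries of new_log that relate to fix_list."""
    fixed = parse_entries(fix_list)
    fixed_keys = {(c, norm(d)) for c, d in fixed}
    fixed_cmds = {run_command(c, d) for c, d in fixed} - {None}
    unchanged, renamed = [], []
    for code, detail in parse_entries(new_log):
        if (code, norm(detail)) in fixed_keys:
            unchanged.append(f"{code} - {detail}")   # entry came back verbatim
        elif run_command(code, detail) in fixed_cmds:
            renamed.append(f"{code} - {detail}")     # same command, new value name
    return unchanged, renamed
```

Calling `recheck(FIX_LIST, NEW_LOG)` returns the entries that survived the fix and those that reappeared under another name; both lists should be empty on a clean log.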