alsocom

Members
  • Content Count: 16

About alsocom

  • Rank
    HijackThis Team
  • Birthday 07/24/1973

Profile Information

  • Location
    Michigan
  • Interests
    Have a DVD collection of over 800. Spend a lot of time watching movies and playing PC games. Work Receiving at a large food-service company.
  1. alsocom

    Hjtlog

    Hello Donna. It looks like TeaTimer added the O16 entry back in the log again. We'll need to shut it down and run a .bat file to clear it.

    Step 1
    I'll need you to turn off TeaTimer once again to remove these entries. Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer".
    Download ResetTeaTimer.zip. Unzip the file to your desktop. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
    I need you to disable SpywareGuard as it will interfere with the registry changes we will need to do. Right click the running icon of Spywareguard, it will open the program. Then go to Menu, file, exit. Then confirm the program is closed.

    Step 2
    Open HijackThis, run a scan, then check the following:
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
    Optional items: Fix if you or an administrator did not set this restriction in Internet Explorer or a program such as Spybot S&D wasn't used to set it.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    With all other programs and browsers closed, click fix checked.

    Step 3
    Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
    Please let us know of any complications you had and how the computer is behaving.
  2. alsocom

    Hijackthis Log

    Closed due to Inactivity. If you need this topic reopened, please request this by sending a PM to a member of the HJT team with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  3. alsocom

    Hjtlog

    Hello Digidave.

    Step 1
    You have Spybot S&D's Teatimer running which is good, but we need you to disable it for the remainder of the fix as it will interfere with the registry changes being made. Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer". Be sure to re-enable this option again once the computer is clean.
    I need you to disable SpywareGuard as it will interfere with the registry changes we will need to do. Right click the running icon of Spywareguard, it will open the program. Then go to Menu, file, exit. Then confirm the program is closed.

    Step 2
    Open HijackThis, run a scan, then check the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [bhldyacv] C:\Program Files\Bktmg\Iksi.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    With all other programs and browsers closed, click fix checked.

    Step 3
    Please set your computer to show all files.
    Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
    Clear "Hide file extensions for known file types."
    Under the "Hidden files" folder, select "Show hidden files and folders."
    Clear "Hide protected operating system files."
    Click Apply, and then click OK.
    You will need to reverse this process when all steps are done.

    Step 4
    Please delete the following files/folders:
    C:\WINDOWS\ALCXMNTR.EXE << File Only
    C:\Program Files\Bktmg << Whole Folder
    C:\Program Files\VVSN << Whole Folder
    If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

    Step 5
    Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
    Please let us know of any complications you had and how the computer is behaving.
  4. I see ZoneAlarm in the new log which is great but don't forget to get an antivirus program also. In these days on the Internet, an antivirus program running in the background is crucial to a clean computer.

    Your new log appears clean.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
    1. Right-click My Computer, and then click Properties.
    2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
    3. Click OK, and then click Yes.
    4. Restart the computer.
    5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

    I suggest that you download these programs to help keep the computer clean:
    Spyware Blaster - Blocks bad ActiveX items from installing on your computer. Spyware Blaster runs silently in the background.
    ie-spyad - Puts over 12,000 bad URLs into your restricted sites for Internet Explorer.
    Google Toolbar - Blocks many unwanted pop-ups in Internet Explorer.
    Firefox - 'Safer' alternative to the Internet Explorer web browser.
    Update these regularly.

    You may also want to read "So how did I get infected in the first place" to learn how to better secure your computer.
    Be sure to keep Windows and your Anti-virus updated.
  5. Hello LWB and welcome to BestTechie.

    I see no signs of a Firewall or Antivirus program on your computer. I recommend downloading and installing the following free programs:
    ZoneAlarm Firewall
    AVG7 Antivirus.
    Be sure to check for updates after installation.

    Step 1
    Open HijackThis, run a scan, then check the following:
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [Windows Proxy Admin] winproxy32.exe
    O4 - HKLM\..\RunServices: [Windows Proxy Admin] winproxy32.exe
    With all other programs and browsers closed, click fix checked.

    Step 2
    Please set your computer to show all files.
    Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
    Clear "Hide file extensions for known file types."
    Under the "Hidden files" folder, select "Show hidden files and folders."
    Clear "Hide protected operating system files."
    Click Apply, and then click OK.
    You will need to reverse this process when all steps are done.

    Step 3
    Please delete the following files/folders:
    C:\WINDOWS\system32\winproxy32.exe
    C:\WINDOWS\system32\syslog32.exe
    If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

    Step 4
    Download and run Stinger
    Download Stinger and save it to your desktop.
    Reboot into safe mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
    Double-click on Stinger.exe to open the tool.
    Choose your entire hard drive to scan.
    Choose Scan Now.
    Stinger will fix anything that it finds.

    Step 5
    Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
    Please let us know of any complications you had and how the computer is behaving.
  6. alsocom

    Hijackthis Log

    Hello pipeslayer420420.

    Download Blockrem from HERE.
    Unzip it to its own folder on your desktop.
    Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu. From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
    Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it. Once it is running please follow the onscreen instructions.
    Reboot and post a fresh HijackThis log as a reply to this thread.

    Please post the Uninstall List from HijackThis
    Open Hijackthis and click None of the above, just start the program.
    Click Config... < Misc Tools < Open Uninstall Manager.
    Click Save list... and save the file as uninstall_list.txt to a location of your choice.
    Copy/Paste the results of this file in your next reply.
  7. alsocom

    Hijack Log

    You're welcome. Glad to help out.
  8. alsocom

    Hijack Log

    Other than those two items, your new log appears clean.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
    1. Right-click My Computer, and then click Properties.
    2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
    3. Click OK, and then click Yes.
    4. Restart the computer.
    5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

    I suggest that you get these programs to help keep the computer clean:
    Spyware Blaster - Blocks bad ActiveX items from installing on your computer. Spyware Blaster runs silently in the background.
    ie-spyad - Puts over 12,000 bad URLs into your restricted sites for Internet Explorer.
    Firefox - 'Safer' alternative to the Internet Explorer web browser.
    AVG AntiVirus - Free antivirus program if you currently are not using one.
    ZoneAlarm - Free firewall program if you currently are not using one.

    Here are two very good and free malware scanners:
    Spybot Search and Destroy 1.4
    AdAware SE v1.06
    Set-up Instructions for Spybot S&D and Adaware SE
    If you have them already, check to make sure that they are the newest version.
    Update these regularly.

    You may also want to read "So how did I get infected in the first place" to learn how to better secure your computer.
    Be sure to keep Windows and your Anti-virus updated.
  9. alsocom

    Hijack Log

    You didn't state whether you installed those programs or not. Please let me know. For the MSN Messenger problem, it was showing in the HijackThis log that a file was missing. You may need to reinstall the program or check to make sure you have the latest version.
  10. alsocom

    Room Mate Screwed Up Cpu Again

    Hello chewy. You have several items on your computer which are better removed with automated scanners. First, we'll remove a couple of programs.

    Step 1
    Go to Add/Remove Programs and remove New.Net or NewDotNet. If there is no listing for it, use the uninstaller at newdotnet.com. Use procedure 4 to remove it. It requires that an internet connection be active while doing it.
    Go here and follow the instructions on removal for TvMedia.
    Reboot when finished removing.

    Step 2
    Please download the trial version of Ewido security suite.
    Install and Update Ewido:
    • Download and install Ewido security suite. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch Ewido, there should be an icon on your desktop for it to double-click. The program will prompt you to update, click the OK button. The program will now go to the main screen.
    • You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Click on Start Update. The update will start and a progress bar will show the updates being installed.
    • Once the updates are installed, close the program.
    Scanning With Ewido:
    • Reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
    • Launch Ewido again. Click on scanner. Click on Complete System Scan and the scan will begin.
    • While the scan is in progress you will be prompted to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the boxes that say "Perform action on all infections" and "Create encrypted backup" then choose clean and click OK.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report .txt file to your desktop.
    • Now close ewido security suite.

    Step 3
    Please download and install Ad-Aware SE and Spybot S&D according to the following instructions.
    If you already have these programs, please make sure they are the latest version (Ad-Aware SE Personal 1.06, Spybot Search and Destroy 1.4), then run scans as described below.

    Scanning with Spybot S&D:
    Download and Install Spybot S&D accepting the Default Settings.
    In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
    Close ALL windows except Spybot S&D.
    Click the button to ‘Search for Updates’ then download and install the Updates.
    Next click the button ‘Check for Problems’.
    When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window.
    Make certain there is a check mark beside all of the RED entries ONLY.
    Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    REBOOT to complete the scan and clear memory.
    Do not enable Tea Timer until the log is clean as it will prevent the fix from working.

    Scanning with Ad-Aware SE:
    Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.
    Close ALL windows except Ad-Aware SE.
    Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
    Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window.
    • In the ‘General’ window make sure the following are selected in green:
      Automatically save log-file
      Automatically quarantine objects prior to removal
      Safe Mode (always request confirmation)
    • Under Definitions: Prompt to update outdated definitions - set the number of days
    • Click on the ‘Scanning’ button on the left and select in green:
      Under Driver, Folders & Files: Scan Within Archives
    • Under Select drives & folders to scan - choose all hard drives
    • Under Memory & Registry: all green
    • Scan active processes
    • Scan registry
    • Deep-scan registry
    • Scan my IE favorites for banned URLs
    • Scan my Hosts file
    • Click on the ‘Advanced’ button on the left and select in green:
      Under Shell Integration: Move deleted files to recycle bin
    • Under Logfile Detail Level: (all green)
      include additional object information
      DESELECT - include negligible objects information
      include environment information
    • Under Alternate Data Streams:
      Don't log streams smaller than 0 bytes
      Don't log ADS with the following names: CA_INOCULATEIT
    • Click the ‘Tweak’ button and select in green:
      Under the ‘Scanning Engine’:
      Unload recognized processes during scanning
      Scan registry for all users instead of current user only
    • Under the ‘Cleaning Engine’:
      Always try to unload modules before deletion
      During removal, unload Explorer and IE if necessary
      Let Windows remove files in use at next reboot
    • Under the Log Files:
      Include basic Ad-aware SE settings in logfile
      Include additional Ad-aware SE settings in logfile
      Create logfile for removal operations.
      Please do not check or make green: Include Module list in logfile
    • Click on ‘Proceed’ to save the settings.
    • Click ‘Start’. Choose: 'Perform Full System Scan'. DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
    • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window, click "Next".
    • The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".
    • Save the logfile when asked.
    • REBOOT to complete the removal of what Ad-Aware SE found.

    Step 4
    Please post the Uninstall List from HijackThis
    Open Hijackthis and click None of the above, just start the program.
    Click Config... < Misc Tools < Open Uninstall Manager.
    Click Save list... and save the file as uninstall_list.txt to a location of your choice.
    Copy/Paste the results of this file in your next reply.

    Step 5
    Prepare your reply
    Scan with HijackThis and post the new log as a reply to this thread.
    Post the Ewido report.
    Post the results of uninstall_list.txt.
  11. alsocom

    Hijack Log

    Hello goman87. You don't have much bad on your computer.

    There are a couple of questionable programs on your computer that I need to alert you to. If you did not intentionally install these then I can give you instructions on removing them.
    007 Spy Software
    Password Cracker

    Step 1
    We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
    Open Microsoft AntiSpyware.
    Click on Options, Settings.
    In the left pane, click on Real-time Protection.
    Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
    Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
    After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
    Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
    After the computer is clean, it is very important that you enable Real-time Protection again.

    Step 2
    Open HijackThis, run a scan, then check the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    With all other programs and browsers closed, click fix checked.

    Step 3
    Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
    Let me know about the two questionable programs.
    Please let us know of any complications you had and how the computer is behaving.
  12. alsocom

    Spyware Removal <ab>

    Step 1
    Download this file to your desktop.
    http://www.mvps.org/winhelp2002/DelDomains.inf
    Right-click on the deldomains.inf file and select Install.
    Note : Since the Domains are deleted SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you'll also have to re-install IE-SpyAd if installed.

    Step 2
    Click Here to download Killbox by Option^Explicit.
    Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    In the killbox program, select the Delete on Reboot option.
    In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):
    Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.
    If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

    Step 3
    Scan with HijackThis and check the following:
    With all other programs and browsers closed, click fix checked.

    Step 4
    Scan with HijackThis and post a new log as a reply to this thread.
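
    The post above relies on two lists agreeing: the files queued for delete-on-reboot in Step 2 and the HijackThis entries fixed in Step 3. The following is an added example, not part of the original post, that parses O2/O4 lines and reports any mismatch between the two; the function names and every sample line and path are constructed for illustration.

```python
import ntpath
import re

# Line shapes handled (other O4 forms such as "O4 - Startup:" are ignored):
#   O4 - HKLM\..\RunOnce: [value name] C:\path\file.exe
#   O2 - BHO: Class - {CLSID} - C:\path\file.dll
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.+)$")
# First token of the command: a quoted path, or text up to a known extension.
# For rundll32-style commands this yields the host binary, not the DLL argument.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))(?=\s|$)',
                    re.IGNORECASE)


def target_of(cmd):
    """Return the file a registry command launches, or None if unrecognised."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else None


def norm(path):
    """Windows paths compare case-insensitively; normalise before matching."""
    return ntpath.normpath(path).lower()


def parse_autoruns(lines):
    """Extract O2 (BHO) and O4 (Run/RunOnce/RunServices) entries from a log."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line) or O2_RE.match(line)
        if m:
            entries.append({"section": line[:2], "name": m.group("name"),
                            "target": target_of(m.group("cmd")), "line": line})
    return entries


def cross_check(log_lines, delete_list):
    """Compare files referenced by autorun entries with the deletion list."""
    wanted = {norm(p) for p in delete_list}
    referenced, unresolved = set(), []
    for entry in parse_autoruns(log_lines):
        target = entry["target"]
        if target and ntpath.isabs(target):
            referenced.add(norm(target))
        else:
            # Bare names (e.g. "foo.exe") are resolved by Windows at launch,
            # so they cannot be matched to a full path here.
            unresolved.append(entry["line"])
    return {
        # Entry would be fixed but the file would stay on disk.
        "autorun_without_delete": sorted(referenced - wanted),
        # File would be deleted but no listed entry points at that exact path.
        "delete_without_autorun": sorted(wanted - referenced),
        "unresolved": unresolved,
    }


# Constructed sample log and deletion list (not taken from any real machine).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: Class - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\exampleaa.dll
O4 - HKLM\..\Run: [examplebb.exe] C:\WINDOWS\system32\examplebb.exe
O4 - HKLM\..\RunOnce: [examplecc.exe] C:\WINDOWS\examplecc.exe
O4 - HKLM\..\RunOnce: [Updater] "C:\Program Files\Example Dir\exampledd.exe" /quiet
O4 - HKLM\..\Run: [Bare Entry] exampleee.exe
O16 - DPF: {55555555-6666-7777-8888-999999999999} - http://example.invalid/x.cab
""".strip().splitlines()

SAMPLE_DELETE = [
    r"C:\WINDOWS\system32\exampleaa.dll",
    r"c:\windows\SYSTEM32\examplebb.exe",  # differs from the log only in case
    r"C:\WINDOWS\system32\examplecc.exe",  # wrong directory: log says C:\WINDOWS
    r"C:\WINDOWS\exampleff.exe",           # no log entry references this file
]

if __name__ == "__main__":
    for label, items in cross_check(SAMPLE_LOG, SAMPLE_DELETE).items():
        print(label)
        for item in items:
            print("   ", item)
```

    A path that appears under either mismatch heading is worth re-reading against the log before the list is typed in by hand, since the randomly named files differ by only a letter or a directory.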
  13. alsocom

    Spyware Removal <ab>

    It appears from the RAV Online Virus Scanner that the trojans you have on your computer have overwritten many valid files. This is one of those cases where you may be better off to save what you can and reformat the computer. I will give you a fix but can not guarantee how well/or if the computer will be operational afterwards.

    Download the free trojan scanner A2 Squared, update and run a scan with it. Fix anything found then reboot when completed.

    • Reconfigure Windows XP to show hidden files:
      Click Start.
      Open My Computer.
      Select the Tools menu and click Folder Options.
      Select the View Tab.
      Under the Hidden files and folders heading select "Show hidden files and folders".
      Uncheck the "Hide protected operating system files (recommended)" option.
      Uncheck the "Hide file extensions for known file types" option.
      Click Yes to confirm.
      Click OK.
    • Disable the offending service.
      Go to Start->Run and type Services.msc then hit Ok.
      Scroll down and find the service called:
      Remote Procedure Call (RPC) Helper << There are 2 similar named services, be sure to remove the correct one.
      When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
      If you don't find this service listed go ahead with the next steps.
    • Boot into Safe Mode:
      Restart your computer and immediately begin tapping the F8 key on your keyboard.
      If done right a Windows Advanced Options menu will appear.
      Select the Safe Mode option and press Enter.
      To return to normal mode just restart your computer as you normally would.
    • Run CWShredder:
      Double-click on CWShredder.exe.
      Click "Fix ->" and click "OK" at the prompt.
      CWShredder will scan and clean your system of CWS files.
      Click "Next->" and then "Exit".
    • Remove the offending service:
      Double-click on cwsserviceremove.reg you downloaded earlier.
      When it asks you to merge the information to the registry click "Yes".
    • Run AboutBuster and save the logs:
      Browse to where you saved AboutBuster and run AboutBuster.exe.
      Click OK at the directions prompt.
      Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
      Click Yes to allow it to shutdown explorer.exe.
      It will begin to scan your computer for malicious files.
      If it asks if you would like to do a second pass, allow it to do so.
      When it has finished, click Save Log. Make sure you save it as I need a copy of it.
    • Fix with Hijackthis:
      Open Hijackthis, Run a scan and check the following: (Many of these may have been removed by A2)
C:\WINDOWS\system32\netex32.exe O4 - HKLM\..\RunOnce: [netzp32.exe] C:\WINDOWS\netzp32.exe O4 - HKLM\..\RunOnce: [sdkxw.exe] C:\WINDOWS\sdkxw.exe O4 - HKLM\..\RunOnce: [ieta32.exe] C:\WINDOWS\system32\ieta32.exe O4 - HKLM\..\RunOnce: [crdb.exe] C:\WINDOWS\system32\crdb.exe O4 - HKLM\..\RunOnce: [mfclh.exe] C:\WINDOWS\system32\mfclh.exe O4 - HKLM\..\RunOnce: [iekw32.exe] C:\WINDOWS\system32\iekw32.exe O4 - HKLM\..\RunOnce: [javaam.exe] C:\WINDOWS\javaam.exe O4 - HKLM\..\RunOnce: [apizt32.exe] C:\WINDOWS\apizt32.exe O4 - HKLM\..\RunOnce: [winxj32.exe] C:\WINDOWS\system32\winxj32.exe O4 - HKLM\..\RunOnce: [sysbs.exe] C:\WINDOWS\sysbs.exe O4 - HKLM\..\RunOnce: [atlxw32.exe] C:\WINDOWS\atlxw32.exe O4 - HKLM\..\RunOnce: [wingx.exe] C:\WINDOWS\wingx.exe O4 - HKLM\..\RunOnce: [sdkpd.exe] C:\WINDOWS\system32\sdkpd.exe O4 - HKLM\..\RunOnce: [atlot32.exe] C:\WINDOWS\system32\atlot32.exe O4 - HKLM\..\RunOnce: [sysea.exe] C:\WINDOWS\sysea.exe O4 - HKLM\..\RunOnce: [msik.exe] C:\WINDOWS\msik.exe O4 - HKLM\..\RunOnce: [addeo32.exe] C:\WINDOWS\system32\addeo32.exe O4 - HKLM\..\RunOnce: [ipqy32.exe] C:\WINDOWS\system32\ipqy32.exe O4 - HKLM\..\RunOnce: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe O4 - HKLM\..\RunOnce: [appgn.exe] C:\WINDOWS\appgn.exe O4 - HKLM\..\RunOnce: [ntsx.exe] C:\WINDOWS\ntsx.exe O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaml.exe" /s (file missing) With all other programs and browsers closed, click fix checked. [*]Clean out temporary files: Start | Run | type cleanmgr | OK Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Click "OK" to remove them. Click "Yes" to confirm the deletion. [*]Restart your computer normally to return to normal mode. [*]Free online antivirus scans: Run at least two of the following online virus scans making sure to reboot in between each one. Allow them to fix anything they find. 
You need to use Internet Explorer or Netscape browsers. Bitdefender Pandasoftware Trend Micro << Click Auto Clean Symantec Security Check << click scan for viruses RAV Online Virus Scanner << Enter your e-mail address and click on To continue without subscribing McAfee [*]Reset Trusted/Restricted Sites Download DelDomains.inf file to your desktop. Right-click on the deldomains.inf file and select Install. Note : Since the Domains are deleted SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you'll also have to re-install IE-SpyAd if installed. [*]Prepare your reply: Please post a fresh HijackThis log as a reply to this thread. Please post the AboutBuster log. Please note any complications you had.
  14. alsocom

    Spyware Removal <ab>

    To be honest with you, I am not entirely sure where the infection comes from. Many people have been infected that have not been to porn sites. The folder called backups on the desktop was created by HijackThis. It stores everything fixed just in case they may be needed later. The service in step 5 was successfully removed.

    • Boot into Safe Mode: Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right, a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode, just restart your computer as you normally would.
    • Run CWShredder: Double-click on CWShredder.exe. Click "Fix ->" and click "OK" at the prompt. CWShredder will scan and clean your system of CWS files. Click "Next->" and then "Exit".
    • Run AboutBuster and save the logs: Browse to where you saved AboutBuster and run AboutBuster.exe. Click "OK" at the directions Read: Important! prompt. Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams. Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe. Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so. When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it. Click "Exit" and "Exit" again to exit AboutBuster.
    • Clean out temporary files: Start | Run | type cleanmgr | OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Click "OK" to remove them. Click "Yes" to confirm the deletion.
    • Restart your computer normally to return to normal mode.
    • Free online antivirus scans: Run at least two of the following online virus scans, making sure to reboot in between each one. Allow them to fix anything they find. You need to use Internet Explorer or Netscape browsers.
        • Bitdefender
        • Pandasoftware
        • Trend Micro << Click Auto Clean
        • Symantec Security Check << click scan for viruses
        • RAV Online Virus Scanner << Enter your e-mail address and click on To continue without subscribing
        • McAfee
    • Prepare your reply: Please post a fresh HijackThis log as a reply to this thread. Please post the AboutBuster log. Please note any complications you had.
  15. alsocom

    Spyware Removal <ab>

    Hello Rick and welcome to BestTechie. You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    • Prepare CWShredder for use: Download CWShredder. Save CWShredder.exe to a convenient location. Please do not do anything with it yet.
    • Prepare AboutBuster for use: Download AboutBuster. Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created. Navigate to the AboutBuster directory and double-click on AboutBuster.exe. Click "OK" at the prompt with instructions. Click "Update" and then "Check For Update" to begin the update process. If any updates exist, please download them by clicking "Download Update". You should not run the program yet, so click "Exit".
    • Prepare cwsserviceremove.reg for use: Download cwsserviceremove.zip. Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop. Delete the cwsserviceremove.zip folder. Please do not do anything with it yet.
    • Reconfigure Windows XP to show hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK.
    • Disable the offending service: Go to Start->Run and type Services.msc, then hit Ok. Scroll down and find the service called: Workstation NetLogon Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.
    • Boot into Safe Mode: Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right, a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode, just restart your computer as you normally would.
    • Run CWShredder: Double-click on CWShredder.exe. Click "Fix ->" and click "OK" at the prompt. CWShredder will scan and clean your system of CWS files. Click "Next->" and then "Exit".
    • Remove the offending service: Double-click on the cwsserviceremove.reg you downloaded earlier. When it asks you to merge the information to the registry, click "Yes".
    • Run AboutBuster and save the logs: Browse to where you saved AboutBuster and run AboutBuster.exe. Click OK at the directions prompt. Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams. Click Yes to allow it to shutdown explorer.exe. It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so. When it has finished, click Save Log. Make sure you save it as I need a copy of it.
    • Fix with HijackThis: Open HijackThis, run a scan and check the following:

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
        R3 - Default URLSearchHook is missing
        O2 - BHO: Class - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\syskb32.dll
        O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\system32\appvy.exe
        O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe
        O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntsg32.exe (file missing)

      With all other programs and browsers closed, click fix checked.
    • Delete the following files:

        C:\WINDOWS\system32\appvy.exe
        C:\WINDOWS\system32\ipju32.exe
        C:\WINDOWS\system32\ntsg32.exe

    • Clean out temporary files: Start | Run | type cleanmgr | OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Click "OK" to remove them. Click "Yes" to confirm the deletion.
    • Restart your computer normally to return to normal mode.
    • Free TrendMicro Housecall scan: You'll need to use Internet Explorer or Netscape browsers to run this scan. Visit the TrendMicro Housecall website. Select your country from the drop-down list and click "Go". Choose "Yes" at the ActiveX Security Warning prompt. Please wait while the Housecall engine is updated. Select the drives to be scanned by placing a check in their respective boxes. Check the "Auto Clean" box. Click "SCAN" in order to begin scanning your system. Please be patient while Housecall scans your system for malicious files. If not auto-cleaned, remove anything it finds. Click "Close" to exit the Housecall scanner. Choose "Yes" at the HouseCall message prompt.
    • Prepare your reply: Please post a fresh HijackThis log as a reply to this thread. Please post the AboutBuster log. Please note any complications you had.
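The fix list in the post above mixes three kinds of HijackThis entries (R0/R1 page settings, O4 autoruns, O23 services). The following is an added example, not part of the original post and not HijackThis's own logic: a small triage script that flags lines with the same shape for a human reviewer. The function names, the heuristics and the benign sample lines are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Lines 1, 3, 4 and 6 follow the post's fix list (the service's garbled
# display name is omitted); lines 2, 5 and 7 are constructed benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\system32\appvy.exe
O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\system32\ntsg32.exe (file missing)
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def classify(line):
    """Return why a log line deserves review, or None if no heuristic matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m["section"], m["rest"]
    if section in ("R0", "R1"):
        value = rest.partition(" = ")[2].lower()
        if value.startswith("res://") and ".dll" in value:
            return "IE page setting points into a local DLL resource"
    elif section == "O4":
        o4 = O4_RE.match(rest)
        # Assumed heuristic: the value name equals the EXE name and the EXE
        # sits directly in the Windows or system32 directory.
        if (o4 and o4["name"].lower() == basename(o4["path"]).lower()
                and dirname(o4["path"]).lower() in WINDOWS_DIRS):
            return "autorun value named after an EXE in the Windows directory"
    elif section == "O23":
        svc = O23_RE.match(rest)
        if svc and (svc["owner"] == "Unknown owner"
                    or svc["path"].endswith("(file missing)")):
            return "service with unknown owner or missing binary"
    return None


def triage(log_text):
    """Return (section, reason, line) for every line a heuristic matches."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line))
    return hits


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

A match only marks a line for review; which entries to fix remains the helper's decision, as in the thread.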