# Solved: TROJ_STARTPAG.RE, PSGuard, desktop hijack



## nv13 (Aug 21, 2005)

Hello,
I contracted this spyware on my computer. I use Trend Micro AV.

Every time I start/restart my computer, IE opens by itself and Trend Micro shows me a message regarding quarantine of "TROJ_STARTPAG.RE". Also, my desktop has been hijacked. When I try to access it through the control panel, it does not show me the Desktop tab. The desktop background is black with a warning that my "Computer is infected.....etc, etc". I also used Microsoft Antispyware, but it does not detect anything. Trend Micro detects "ADW_SEARChAIS.A".
I will appreciate it if someone could help me get rid of this annoying background.

Thank You.

ps: here is the logfile from Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 3:53:07 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MotorolaDAP.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\ipvi32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Nirav Vora\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D800AD07-3198-4760-E8A4-33F3BB42B482} - C:\WINDOWS\appbf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SC3300CC] C:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
O4 - HKLM\..\Run: [USBPNP] C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
O4 - HKLM\..\RunOnce: [sdknp.exe] C:\WINDOWS\system32\sdknp.exe
O4 - HKLM\..\RunOnce: [winwv32.exe] C:\WINDOWS\system32\winwv32.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\system32\ntuw32.exe
O4 - HKLM\..\RunOnce: [netsp.exe] C:\WINDOWS\system32\netsp.exe
O4 - HKLM\..\RunOnce: [netpy32.exe] C:\WINDOWS\netpy32.exe
O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe
O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\ippe32.exe
O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\system32\ietx32.exe
O4 - HKLM\..\RunOnce: [ntyr.exe] C:\WINDOWS\ntyr.exe
O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
O4 - HKLM\..\RunOnce: [addxu.exe] C:\WINDOWS\system32\addxu.exe
O4 - HKLM\..\RunOnce: [ipbl.exe] C:\WINDOWS\ipbl.exe
O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
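As an added example (not from this thread or from any tool it names), here is a small Python triage script that reads HijackThis-style lines like the ones in the log above and flags the patterns an analyst would pull out first: the res:// search hijack into a randomly named system32 DLL, the HKLM RunOnce entries with randomized names dropped straight into %WINDIR% or system32, and a service whose binary is one of those same files. The sample lines are a constructed subset of the log; the name pattern and the RunOnce threshold are assumptions tuned to it.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread).
Flags the patterns visible in the logs above: IE search settings pointing at a res:// page
inside a randomly named system32 DLL, a flood of HKLM RunOnce entries with randomized names
in %WINDIR% or system32, and a service whose binary is also one of those autostarts."""
import re
from collections import Counter

# "O4 - HKLM\..\RunOnce: [name] C:\path\file.exe args"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "R1 - HKCU\...\Main,Search Bar = value"
R_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
# "O23 - Service: Display name (short) - Owner - C:\path\file.exe"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SECTION_RES = {"o4": O4_RE, "r": R_RE, "o23": O23_RE}

# Naming scheme of the RunOnce flood above: system-looking prefix + two letters + optional
# "32" + ".exe". Real binaries can collide with it, so the location test below is required too.
RANDOM_NAME_RE = re.compile(
    r"^(?:ms|nt|ie|sys|app|api|add|atl|d3|sdk|java|net|win|mfc|cr|ip)[a-z]{2}(?:32)?\.exe$",
    re.IGNORECASE,
)
WINDIR_RE = re.compile(r"^c:\\windows(?:\\system32)?\\[^\\]+$", re.IGNORECASE)
RES_HIJACK_RE = re.compile(r"^res://.*\\system32\\[a-z]+\.dll/sp\.html#\d+$", re.IGNORECASE)
RUNONCE_FLOOD = 3  # RunOnce holds one-shot setup tasks; more than a handful is abnormal

# Constructed sample: a subset of the entries in the log above, including benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""


def parse(log_text):
    """Group recognised lines by section ("o4", "r", "o23"); other line types are ignored."""
    records = {name: [] for name in SECTION_RES}
    for raw in log_text.splitlines():
        for name, rx in SECTION_RES.items():
            m = rx.match(raw.strip())
            if m:
                records[name].append(m.groupdict())
                break
    return records


def exe_path(cmd):
    """Executable path from an O4 command: drop a leading quote and anything after .exe."""
    cmd = cmd.strip().lstrip('"')
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def triage(log_text):
    """Return (kind, where, detail) findings; each is a lead for the analyst, not a verdict."""
    recs = parse(log_text)
    findings = []
    # 1. IE search/start settings redirected into a res:// page served from a system32 DLL.
    for rec in recs["r"]:
        if RES_HIJACK_RE.match(rec["value"]):
            findings.append(("res_hijack", rec["key"], rec["value"]))
    # 2. Autostarts whose binary has a randomized name and sits directly in %WINDIR% or
    #    system32 (vendor entries live under Program Files or carry recognisable names).
    random_paths = set()
    for rec in recs["o4"]:
        path = exe_path(rec["cmd"])
        if WINDIR_RE.match(path) and RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            random_paths.add(path.lower())
            findings.append(("random_name", f"{rec['hive']}\\..\\{rec['key']}", path))
    # 3. Volume check: the log above carries dozens of HKLM RunOnce entries.
    runonce = [r for r in recs["o4"] if r["hive"] == "HKLM" and r["key"] == "RunOnce"]
    if len(runonce) > RUNONCE_FLOOD:
        findings.append(("runonce_flood", "HKLM\\..\\RunOnce", f"{len(runonce)} entries"))
    # 4. A service whose binary is one of the randomized autostarts: the same file
    #    registered two ways is the persistence to pull for analysis first.
    for rec in recs["o23"]:
        if rec["path"].strip().lower() in random_paths:
            findings.append(("service_overlap", rec["display"], rec["path"].strip()))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"res_hijack": 1, "random_name": 5, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))
```

Running `triage(SAMPLE_LOG)` on the sample returns eight findings; on the full log above the same rules light up every RunOnce entry and the NSS service, while the Toshiba, ATI and Trend Micro entries stay quiet.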


----------



## Flrman1 (Jul 26, 2002)

Hi nv13

Welcome to TSG! 

* *Click here* to download smitRem.exe. 
Save the file to your desktop. 
It is a self extracting file.
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your desktop. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan and the ewido scan*


----------



## nv13 (Aug 21, 2005)

flrman1,
Thank you for your prompt reply. I did everything that you advised me to do. I couldn't get "ewido" to work properly. It would start the scanning and started giving me messages regarding removing the components, and I hit OK every time. It did that for some time and then it just stopped working and the window closed. I repeated it to get the same result. However, I went ahead and ran the active scan. Also, when I clicked on the "web" tab after selecting the "customize desktop" option, I found a "My current Homepage" option but couldn't delete it. I still have TROJ_STARTPAG.RE on my computer, although I could change the desktop background. So the annoying background is gone now.
I would really appreciate it if you could inform me on how to get rid of the virus.

Thank you,
nv13

ps: here are the log files from Hijackthis and Activescan

*From Activescan:*

| Incident | Status | Location |
| --- | --- | --- |
| Adware:adware/navipromo | No disinfected | C:\WINDOWS\SYSTEM32\SDKIC32.EXE |
| Adware:adware/navipromo | No disinfected | C:\WINDOWS\SYSTEM32\sdkbu32.exe |
| Adware:adware/cws.homesearchasisstant | No disinfected | Windows Registry |
| Spyware:Spyware/ISTbar | No disinfected | C:\Documents and Settings\Nirav Vora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\GetAccess.class-7fd0ed0-603705e4.class |
| Spyware:Spyware/Petro-Line | No disinfected | C:\Program Files\Microsoft AntiSpyware\Quarantine\C7D6389E-45C3-4653-A7F6-EC16DC\CC72FA8C-CFCB-4325-BC7C-865712 |
| Spyware:Spyware/Petro-Line | No disinfected | C:\WINDOWS\Downloaded Program Files\inst2.inf |
| Virus:Trj/Downloader.DMC | Disinfected | C:\WINDOWS\msfo.exe |
| Virus:W32/Smitfraud.E | Disinfected | C:\WINDOWS\system32\wininet.old |

*From Hijackthis*

Logfile of HijackThis v1.99.1
Scan saved at 8:52:45 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Documents and Settings\Nirav Vora\Desktop\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MotorolaDAP.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ipvi32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Nirav Vora\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D800AD07-3198-4760-E8A4-33F3BB42B482} - C:\WINDOWS\appbf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SC3300CC] C:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
O4 - HKLM\..\Run: [USBPNP] C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
O4 - HKLM\..\RunOnce: [sdknp.exe] C:\WINDOWS\system32\sdknp.exe
O4 - HKLM\..\RunOnce: [winwv32.exe] C:\WINDOWS\system32\winwv32.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\system32\ntuw32.exe
O4 - HKLM\..\RunOnce: [netsp.exe] C:\WINDOWS\system32\netsp.exe
O4 - HKLM\..\RunOnce: [netpy32.exe] C:\WINDOWS\netpy32.exe
O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe
O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\ippe32.exe
O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\system32\ietx32.exe
O4 - HKLM\..\RunOnce: [ntyr.exe] C:\WINDOWS\ntyr.exe
O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
O4 - HKLM\..\RunOnce: [addxu.exe] C:\WINDOWS\system32\addxu.exe
O4 - HKLM\..\RunOnce: [ipbl.exe] C:\WINDOWS\ipbl.exe
O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
O4 - HKLM\..\RunOnce: [addnm.exe] C:\WINDOWS\addnm.exe
O4 - HKLM\..\RunOnce: [apiro.exe] C:\WINDOWS\system32\apiro.exe
O4 - HKLM\..\RunOnce: [addqb.exe] C:\WINDOWS\addqb.exe
O4 - HKLM\..\RunOnce: [sysxr.exe] C:\WINDOWS\sysxr.exe
O4 - HKLM\..\RunOnce: [ipii32.exe] C:\WINDOWS\system32\ipii32.exe
O4 - HKLM\..\RunOnce: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\msdq32.exe
O4 - HKLM\..\RunOnce: [winhv.exe] C:\WINDOWS\system32\winhv.exe
O4 - HKLM\..\RunOnce: [d3oa32.exe] C:\WINDOWS\d3oa32.exe
O4 - HKLM\..\RunOnce: [msor.exe] C:\WINDOWS\msor.exe
O4 - HKLM\..\RunOnce: [ietn32.exe] C:\WINDOWS\ietn32.exe
O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
O4 - HKLM\..\RunOnce: [ipng32.exe] C:\WINDOWS\ipng32.exe
O4 - HKLM\..\RunOnce: [ieis32.exe] C:\WINDOWS\system32\ieis32.exe
O4 - HKLM\..\RunOnce: [addvw.exe] C:\WINDOWS\system32\addvw.exe
O4 - HKLM\..\RunOnce: [sysvx32.exe] C:\WINDOWS\system32\sysvx32.exe
O4 - HKLM\..\RunOnce: [syskt32.exe] C:\WINDOWS\system32\syskt32.exe
O4 - HKLM\..\RunOnce: [sdkpq32.exe] C:\WINDOWS\system32\sdkpq32.exe
O4 - HKLM\..\RunOnce: [winkb32.exe] C:\WINDOWS\winkb32.exe
O4 - HKLM\..\RunOnce: [atlog.exe] C:\WINDOWS\atlog.exe
O4 - HKLM\..\RunOnce: [addxg32.exe] C:\WINDOWS\addxg32.exe
O4 - HKLM\..\RunOnce: [addmd32.exe] C:\WINDOWS\addmd32.exe
O4 - HKLM\..\RunOnce: [crqz.exe] C:\WINDOWS\crqz.exe
O4 - HKLM\..\RunOnce: [ntul.exe] C:\WINDOWS\system32\ntul.exe
O4 - HKLM\..\RunOnce: [mska32.exe] C:\WINDOWS\mska32.exe
O4 - HKLM\..\RunOnce: [addai32.exe] C:\WINDOWS\system32\addai32.exe
O4 - HKLM\..\RunOnce: [appzk32.exe] C:\WINDOWS\system32\appzk32.exe
O4 - HKLM\..\RunOnce: [ntsh32.exe] C:\WINDOWS\ntsh32.exe
O4 - HKLM\..\RunOnce: [d3ab.exe] C:\WINDOWS\d3ab.exe
O4 - HKLM\..\RunOnce: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\RunOnce: [d3kc.exe] C:\WINDOWS\system32\d3kc.exe
O4 - HKLM\..\RunOnce: [d3zx32.exe] C:\WINDOWS\d3zx32.exe
O4 - HKLM\..\RunOnce: [netmr.exe] C:\WINDOWS\netmr.exe
O4 - HKLM\..\RunOnce: [d3bg32.exe] C:\WINDOWS\system32\d3bg32.exe
O4 - HKLM\..\RunOnce: [iphj.exe] C:\WINDOWS\iphj.exe
O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\system32\ipmi.exe
O4 - HKLM\..\RunOnce: [msfe32.exe] C:\WINDOWS\msfe32.exe
O4 - HKLM\..\RunOnce: [apiqr32.exe] C:\WINDOWS\apiqr32.exe
O4 - HKLM\..\RunOnce: [sdkic32.exe] C:\WINDOWS\system32\sdkic32.exe
O4 - HKLM\..\RunOnce: [netnk.exe] C:\WINDOWS\netnk.exe
O4 - HKLM\..\RunOnce: [addam32.exe] C:\WINDOWS\addam32.exe
O4 - HKLM\..\RunOnce: [atlcz.exe] C:\WINDOWS\atlcz.exe
O4 - HKLM\..\RunOnce: [iept32.exe] C:\WINDOWS\system32\iept32.exe
O4 - HKLM\..\RunOnce: [mswq32.exe] C:\WINDOWS\mswq32.exe
O4 - HKLM\..\RunOnce: [ntjs.exe] C:\WINDOWS\ntjs.exe
O4 - HKLM\..\RunOnce: [ntph32.exe] C:\WINDOWS\system32\ntph32.exe
O4 - HKLM\..\RunOnce: [atluj.exe] C:\WINDOWS\system32\atluj.exe
O4 - HKLM\..\RunOnce: [javadp.exe] C:\WINDOWS\system32\javadp.exe
O4 - HKLM\..\RunOnce: [apijj32.exe] C:\WINDOWS\system32\apijj32.exe
O4 - HKLM\..\RunOnce: [ntrd.exe] C:\WINDOWS\ntrd.exe
O4 - HKLM\..\RunOnce: [mslj.exe] C:\WINDOWS\system32\mslj.exe
O4 - HKLM\..\RunOnce: [ieqc32.exe] C:\WINDOWS\ieqc32.exe
O4 - HKLM\..\RunOnce: [ntve.exe] C:\WINDOWS\ntve.exe
O4 - HKLM\..\RunOnce: [mfcou32.exe] C:\WINDOWS\system32\mfcou32.exe
O4 - HKLM\..\RunOnce: [ieup.exe] C:\WINDOWS\system32\ieup.exe
O4 - HKLM\..\RunOnce: [netdv32.exe] C:\WINDOWS\system32\netdv32.exe
O4 - HKLM\..\RunOnce: [cril32.exe] C:\WINDOWS\system32\cril32.exe
O4 - HKLM\..\RunOnce: [ntyf.exe] C:\WINDOWS\ntyf.exe
O4 - HKLM\..\RunOnce: [atlbg.exe] C:\WINDOWS\atlbg.exe
O4 - HKLM\..\RunOnce: [apiao.exe] C:\WINDOWS\system32\apiao.exe
O4 - HKLM\..\RunOnce: [atlex.exe] C:\WINDOWS\system32\atlex.exe
O4 - HKLM\..\RunOnce: [sdkpm32.exe] C:\WINDOWS\sdkpm32.exe
O4 - HKLM\..\RunOnce: [sysdl.exe] C:\WINDOWS\sysdl.exe
O4 - HKLM\..\RunOnce: [ieym.exe] C:\WINDOWS\system32\ieym.exe
O4 - HKLM\..\RunOnce: [atlla32.exe] C:\WINDOWS\system32\atlla32.exe
O4 - HKLM\..\RunOnce: [ntew.exe] C:\WINDOWS\ntew.exe
O4 - HKLM\..\RunOnce: [ntwz32.exe] C:\WINDOWS\ntwz32.exe
O4 - HKLM\..\RunOnce: [atljt.exe] C:\WINDOWS\atljt.exe
O4 - HKLM\..\RunOnce: [addcd32.exe] C:\WINDOWS\addcd32.exe
O4 - HKLM\..\RunOnce: [netuz.exe] C:\WINDOWS\system32\netuz.exe
O4 - HKLM\..\RunOnce: [crzh32.exe] C:\WINDOWS\system32\crzh32.exe
O4 - HKLM\..\RunOnce: [addsd.exe] C:\WINDOWS\addsd.exe
O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\javajl32.exe
O4 - HKLM\..\RunOnce: [sdksj.exe] C:\WINDOWS\system32\sdksj.exe
O4 - HKLM\..\RunOnce: [mslk32.exe] C:\WINDOWS\mslk32.exe
O4 - HKLM\..\RunOnce: [d3jb32.exe] C:\WINDOWS\system32\d3jb32.exe
O4 - HKLM\..\RunOnce: [javaem.exe] C:\WINDOWS\javaem.exe
O4 - HKLM\..\RunOnce: [apijh32.exe] C:\WINDOWS\apijh32.exe
O4 - HKLM\..\RunOnce: [appwo.exe] C:\WINDOWS\appwo.exe
O4 - HKLM\..\RunOnce: [iphl.exe] C:\WINDOWS\system32\iphl.exe
O4 - HKLM\..\RunOnce: [ntaw32.exe] C:\WINDOWS\system32\ntaw32.exe
O4 - HKLM\..\RunOnce: [atlfy.exe] C:\WINDOWS\atlfy.exe
O4 - HKLM\..\RunOnce: [atlxi32.exe] C:\WINDOWS\atlxi32.exe
O4 - HKLM\..\RunOnce: [d3gu32.exe] C:\WINDOWS\system32\d3gu32.exe
O4 - HKLM\..\RunOnce: [iplw.exe] C:\WINDOWS\system32\iplw.exe
O4 - HKLM\..\RunOnce: [netzn32.exe] C:\WINDOWS\system32\netzn32.exe
O4 - HKLM\..\RunOnce: [addfp.exe] C:\WINDOWS\system32\addfp.exe
O4 - HKLM\..\RunOnce: [ntnx.exe] C:\WINDOWS\system32\ntnx.exe
O4 - HKLM\..\RunOnce: [appts32.exe] C:\WINDOWS\system32\appts32.exe
O4 - HKLM\..\RunOnce: [ierh.exe] C:\WINDOWS\ierh.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\sdkwb32.exe
O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
O4 - HKLM\..\RunOnce: [mshc32.exe] C:\WINDOWS\mshc32.exe
O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\atlvr.exe
O4 - HKLM\..\RunOnce: [sdkfz.exe] C:\WINDOWS\system32\sdkfz.exe
O4 - HKLM\..\RunOnce: [atleh32.exe] C:\WINDOWS\system32\atleh32.exe
O4 - HKLM\..\RunOnce: [appnf32.exe] C:\WINDOWS\appnf32.exe
O4 - HKLM\..\RunOnce: [sysxg.exe] C:\WINDOWS\system32\sysxg.exe
O4 - HKLM\..\RunOnce: [wincc32.exe] C:\WINDOWS\wincc32.exe
O4 - HKLM\..\RunOnce: [ipmj.exe] C:\WINDOWS\ipmj.exe
O4 - HKLM\..\RunOnce: [msby32.exe] C:\WINDOWS\system32\msby32.exe
O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\system32\winrf.exe
O4 - HKLM\..\RunOnce: [mfcvj32.exe] C:\WINDOWS\system32\mfcvj32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Nirav Vora\Desktop\security suite\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe


----------



## Flrman1 (Jul 26, 2002)

I'm sorry it took me so long to reply, but I had a very long hard day at work. I need you to rescan with Hijack This and post a new log. 

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions. 

I will be online tonight until around midnight. If you can't get it posted tonight in the next two hours, you may as well wait and post it tomorrow evening after 6pm Eastern time. I will not be back online until then.


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching the Hijackthis log file with this message. Thank you in anticipation.
nv13


----------



## Flrman1 (Jul 26, 2002)

** First you need to download the following tools and have them ready to run. *Do not* run any of them until instructed to do so:

* Click here to download cwsserviceremove.zip and unzip it to your desktop.

*Download Cleanup from *Here* 
If that link is down, you can get Cleanup *Here*.

Save the Cleanup40 file to your desktop.
 On your desktop, click on *Cleanup40.exe* icon.
 Then, click *RUN* and place a checkmark beside "*I Agree*"
 Then click *NEXT* followed by *START* and *OK.*
 A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
 Click *OK*
 *DO NOT RUN IT YET*

* I am attaching a delete.zip file to this post. Download the file and unzip it to extract the *delete.bat* file it contains and have it ready to run later in safe mode.

* *Click here* to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. *Do Not* run it yet.

* Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

* Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

* *Click here* for info on how to boot to safe mode if you don't already know how.

***After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Network Security Service (NSS)*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgxse.dll/sp.html#44768

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {40F96ECF-F256-A2FB-6BF0-5B6FD5678995} - C:\WINDOWS\system32\apigh.dll

O2 - BHO: Class - {7ABEDA97-ADE8-D564-C19A-4D6D0E15F0CE} - C:\WINDOWS\sdkdr.dll

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)

O2 - BHO: Class - {F9538E86-36EE-4A7E-6596-B6F8EAA229D9} - C:\WINDOWS\system32\mssk32.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
O4 - HKLM\..\RunOnce: [sysxr.exe] C:\WINDOWS\sysxr.exe
O4 - HKLM\..\RunOnce: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
O4 - HKLM\..\RunOnce: [winhv.exe] C:\WINDOWS\system32\winhv.exe
O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
O4 - HKLM\..\RunOnce: [syskt32.exe] C:\WINDOWS\system32\syskt32.exe
O4 - HKLM\..\RunOnce: [addxg32.exe] C:\WINDOWS\addxg32.exe
O4 - HKLM\..\RunOnce: [d3qe.exe] C:\WINDOWS\system32\d3qe.exe
O4 - HKLM\..\RunOnce: [addyv32.exe] C:\WINDOWS\system32\addyv32.exe
O4 - HKLM\..\RunOnce: [wingw.exe] C:\WINDOWS\system32\wingw.exe
O4 - HKLM\..\RunOnce: [sdkoc.exe] C:\WINDOWS\sdkoc.exe
O4 - HKLM\..\RunOnce: [addjl.exe] C:\WINDOWS\system32\addjl.exe
O4 - HKLM\..\RunOnce: [crof32.exe] C:\WINDOWS\system32\crof32.exe
O4 - HKLM\..\RunOnce: [syshe32.exe] C:\WINDOWS\system32\syshe32.exe
O4 - HKLM\..\RunOnce: [mfcaa32.exe] C:\WINDOWS\system32\mfcaa32.exe
O4 - HKLM\..\RunOnce: [apixz32.exe] C:\WINDOWS\apixz32.exe
O4 - HKLM\..\RunOnce: [ielu32.exe] C:\WINDOWS\system32\ielu32.exe
O4 - HKLM\..\RunOnce: [sdkyw.exe] C:\WINDOWS\system32\sdkyw.exe
O4 - HKLM\..\RunOnce: [d3jp32.exe] C:\WINDOWS\system32\d3jp32.exe
O4 - HKLM\..\RunOnce: [ntwz.exe] C:\WINDOWS\system32\ntwz.exe
O4 - HKLM\..\RunOnce: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\RunOnce: [ieod32.exe] C:\WINDOWS\ieod32.exe
O4 - HKLM\..\RunOnce: [ntlh32.exe] C:\WINDOWS\ntlh32.exe
O4 - HKLM\..\RunOnce: [msyr32.exe] C:\WINDOWS\msyr32.exe
O4 - HKLM\..\RunOnce: [ntdu32.exe] C:\WINDOWS\system32\ntdu32.exe
O4 - HKLM\..\RunOnce: [iegd.exe] C:\WINDOWS\iegd.exe
O4 - HKLM\..\RunOnce: [sysma.exe] C:\WINDOWS\system32\sysma.exe
O4 - HKLM\..\RunOnce: [creb32.exe] C:\WINDOWS\system32\creb32.exe
O4 - HKLM\..\RunOnce: [crnj.exe] C:\WINDOWS\crnj.exe
O4 - HKLM\..\RunOnce: [wincg32.exe] C:\WINDOWS\system32\wincg32.exe
O4 - HKLM\..\RunOnce: [mfctn.exe] C:\WINDOWS\system32\mfctn.exe
O4 - HKLM\..\RunOnce: [crcu.exe] C:\WINDOWS\system32\crcu.exe
O4 - HKLM\..\RunOnce: [atlqq32.exe] C:\WINDOWS\system32\atlqq32.exe
O4 - HKLM\..\RunOnce: [netgy.exe] C:\WINDOWS\system32\netgy.exe
O4 - HKLM\..\RunOnce: [ievd32.exe] C:\WINDOWS\system32\ievd32.exe
O4 - HKLM\..\RunOnce: [mssy.exe] C:\WINDOWS\mssy.exe
O4 - HKLM\..\RunOnce: [sysxc.exe] C:\WINDOWS\system32\sysxc.exe
O4 - HKLM\..\RunOnce: [winlz32.exe] C:\WINDOWS\winlz32.exe
O4 - HKLM\..\RunOnce: [javaws32.exe] C:\WINDOWS\javaws32.exe
O4 - HKLM\..\RunOnce: [atlei.exe] C:\WINDOWS\system32\atlei.exe
O4 - HKLM\..\RunOnce: [mfchh32.exe] C:\WINDOWS\mfchh32.exe
O4 - HKLM\..\RunOnce: [ntsg32.exe] C:\WINDOWS\ntsg32.exe
O4 - HKLM\..\RunOnce: [mfcqv32.exe] C:\WINDOWS\system32\mfcqv32.exe
O4 - HKLM\..\RunOnce: [ieju32.exe] C:\WINDOWS\ieju32.exe
O4 - HKLM\..\RunOnce: [netyz.exe] C:\WINDOWS\netyz.exe
O4 - HKLM\..\RunOnce: [winsq32.exe] C:\WINDOWS\winsq32.exe
O4 - HKLM\..\RunOnce: [sdkuq.exe] C:\WINDOWS\sdkuq.exe
O4 - HKLM\..\RunOnce: [d3iq.exe] C:\WINDOWS\system32\d3iq.exe
O4 - HKLM\..\RunOnce: [javaae32.exe] C:\WINDOWS\system32\javaae32.exe
O4 - HKLM\..\RunOnce: [atluv.exe] C:\WINDOWS\system32\atluv.exe
O4 - HKLM\..\RunOnce: [apiuj.exe] C:\WINDOWS\apiuj.exe
O4 - HKLM\..\RunOnce: [mfcdj.exe] C:\WINDOWS\system32\mfcdj.exe
O4 - HKLM\..\RunOnce: [mfcxb.exe] C:\WINDOWS\mfcxb.exe
O4 - HKLM\..\RunOnce: [crgb.exe] C:\WINDOWS\crgb.exe
O4 - HKLM\..\RunOnce: [javatv32.exe] C:\WINDOWS\system32\javatv32.exe
O4 - HKLM\..\RunOnce: [javavy.exe] C:\WINDOWS\javavy.exe
O4 - HKLM\..\RunOnce: [apiaa32.exe] C:\WINDOWS\apiaa32.exe
O4 - HKLM\..\RunOnce: [sysus.exe] C:\WINDOWS\sysus.exe
O4 - HKLM\..\RunOnce: [sdkhu32.exe] C:\WINDOWS\sdkhu32.exe
O4 - HKLM\..\RunOnce: [iejm32.exe] C:\WINDOWS\system32\iejm32.exe
O4 - HKLM\..\RunOnce: [sdkwo32.exe] C:\WINDOWS\system32\sdkwo32.exe
O4 - HKLM\..\RunOnce: [d3hn.exe] C:\WINDOWS\system32\d3hn.exe
O4 - HKLM\..\RunOnce: [javaxu.exe] C:\WINDOWS\system32\javaxu.exe
O4 - HKLM\..\RunOnce: [apipn32.exe] C:\WINDOWS\apipn32.exe
O4 - HKLM\..\RunOnce: [ntup.exe] C:\WINDOWS\system32\ntup.exe
O4 - HKLM\..\RunOnce: [mfcyb.exe] C:\WINDOWS\system32\mfcyb.exe
O4 - HKLM\..\RunOnce: [javaor32.exe] C:\WINDOWS\javaor32.exe
O4 - HKLM\..\RunOnce: [msbz32.exe] C:\WINDOWS\system32\msbz32.exe
O4 - HKLM\..\RunOnce: [appro.exe] C:\WINDOWS\system32\appro.exe
O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\crfl32.exe
O4 - HKLM\..\RunOnce: [d3ye32.exe] C:\WINDOWS\system32\d3ye32.exe
O4 - HKLM\..\RunOnce: [ntpr32.exe] C:\WINDOWS\ntpr32.exe
O4 - HKLM\..\RunOnce: [atlun32.exe] C:\WINDOWS\atlun32.exe
O4 - HKLM\..\RunOnce: [addsi32.exe] C:\WINDOWS\addsi32.exe
O4 - HKLM\..\RunOnce: [mfciq.exe] C:\WINDOWS\mfciq.exe
O4 - HKLM\..\RunOnce: [winhd.exe] C:\WINDOWS\system32\winhd.exe
O4 - HKLM\..\RunOnce: [mfclh.exe] C:\WINDOWS\mfclh.exe
O4 - HKLM\..\RunOnce: [ntvi32.exe] C:\WINDOWS\system32\ntvi32.exe
O4 - HKLM\..\RunOnce: [atloz32.exe] C:\WINDOWS\atloz32.exe
O4 - HKLM\..\RunOnce: [atlvw32.exe] C:\WINDOWS\system32\atlvw32.exe
O4 - HKLM\..\RunOnce: [apicb.exe] C:\WINDOWS\apicb.exe
O4 - HKLM\..\RunOnce: [apprq.exe] C:\WINDOWS\apprq.exe
O4 - HKLM\..\RunOnce: [mscj32.exe] C:\WINDOWS\system32\mscj32.exe
O4 - HKLM\..\RunOnce: [sysnu.exe] C:\WINDOWS\sysnu.exe
O4 - HKLM\..\RunOnce: [crmi.exe] C:\WINDOWS\system32\crmi.exe
O4 - HKLM\..\RunOnce: [sysqm.exe] C:\WINDOWS\system32\sysqm.exe
O4 - HKLM\..\RunOnce: [atlan32.exe] C:\WINDOWS\system32\atlan32.exe
O4 - HKLM\..\RunOnce: [ietd32.exe] C:\WINDOWS\ietd32.exe
O4 - HKLM\..\RunOnce: [msia32.exe] C:\WINDOWS\system32\msia32.exe
O4 - HKLM\..\RunOnce: [ntnw32.exe] C:\WINDOWS\system32\ntnw32.exe
O4 - HKLM\..\RunOnce: [ieii.exe] C:\WINDOWS\system32\ieii.exe
O4 - HKLM\..\RunOnce: [atlgd32.exe] C:\WINDOWS\atlgd32.exe
O4 - HKLM\..\RunOnce: [mfcgl32.exe] C:\WINDOWS\mfcgl32.exe
O4 - HKLM\..\RunOnce: [ntqm32.exe] C:\WINDOWS\system32\ntqm32.exe
O4 - HKLM\..\RunOnce: [addqu.exe] C:\WINDOWS\addqu.exe
O4 - HKLM\..\RunOnce: [ieuy.exe] C:\WINDOWS\system32\ieuy.exe
O4 - HKLM\..\RunOnce: [iphd.exe] C:\WINDOWS\iphd.exe
O4 - HKLM\..\RunOnce: [atlgi.exe] C:\WINDOWS\system32\atlgi.exe
O4 - HKLM\..\RunOnce: [ntjo32.exe] C:\WINDOWS\system32\ntjo32.exe
O4 - HKLM\..\RunOnce: [appch32.exe] C:\WINDOWS\system32\appch32.exe
O4 - HKLM\..\RunOnce: [netgj32.exe] C:\WINDOWS\system32\netgj32.exe
O4 - HKLM\..\RunOnce: [apiip32.exe] C:\WINDOWS\apiip32.exe
O4 - HKLM\..\RunOnce: [appzq.exe] C:\WINDOWS\appzq.exe
O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe
O4 - HKLM\..\RunOnce: [apptj32.exe] C:\WINDOWS\system32\apptj32.exe
O4 - HKLM\..\RunOnce: [mfctp.exe] C:\WINDOWS\mfctp.exe
O4 - HKLM\..\RunOnce: [appie.exe] C:\WINDOWS\appie.exe
O4 - HKLM\..\RunOnce: [iemi.exe] C:\WINDOWS\iemi.exe
O4 - HKLM\..\RunOnce: [appim32.exe] C:\WINDOWS\appim32.exe
O4 - HKLM\..\RunOnce: [crrq.exe] C:\WINDOWS\system32\crrq.exe
O4 - HKLM\..\RunOnce: [sysvu32.exe] C:\WINDOWS\system32\sysvu32.exe
O4 - HKLM\..\RunOnce: [msfv.exe] C:\WINDOWS\system32\msfv.exe
O4 - HKLM\..\RunOnce: [mskr32.exe] C:\WINDOWS\system32\mskr32.exe
O4 - HKLM\..\RunOnce: [mszo32.exe] C:\WINDOWS\mszo32.exe
O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\system32\sysyu.exe
O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\d3oj.exe
O4 - HKLM\..\RunOnce: [ipyc.exe] C:\WINDOWS\ipyc.exe
O4 - HKLM\..\RunOnce: [javame.exe] C:\WINDOWS\javame.exe
O4 - HKLM\..\RunOnce: [ipfi.exe] C:\WINDOWS\ipfi.exe
O4 - HKLM\..\RunOnce: [iezu.exe] C:\WINDOWS\system32\iezu.exe
O4 - HKLM\..\RunOnce: [atljk32.exe] C:\WINDOWS\atljk32.exe
O4 - HKLM\..\RunOnce: [javaew.exe] C:\WINDOWS\system32\javaew.exe
O4 - HKLM\..\RunOnce: [netii32.exe] C:\WINDOWS\netii32.exe
O4 - HKLM\..\RunOnce: [appgy.exe] C:\WINDOWS\system32\appgy.exe
O4 - HKLM\..\RunOnce: [iplh.exe] C:\WINDOWS\iplh.exe
O4 - HKLM\..\RunOnce: [creg.exe] C:\WINDOWS\system32\creg.exe
O4 - HKLM\..\RunOnce: [apphq.exe] C:\WINDOWS\system32\apphq.exe
O4 - HKLM\..\RunOnce: [addmj32.exe] C:\WINDOWS\system32\addmj32.exe
O4 - HKLM\..\RunOnce: [sdkuj.exe] C:\WINDOWS\sdkuj.exe
O4 - HKLM\..\RunOnce: [adddp32.exe] C:\WINDOWS\adddp32.exe
O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\system32\ienw32.exe
O4 - HKLM\..\RunOnce: [javald.exe] C:\WINDOWS\javald.exe
O4 - HKLM\..\RunOnce: [mfckt32.exe] C:\WINDOWS\mfckt32.exe
O4 - HKLM\..\RunOnce: [crky.exe] C:\WINDOWS\system32\crky.exe
O4 - HKLM\..\RunOnce: [addhn32.exe] C:\WINDOWS\addhn32.exe
O4 - HKLM\..\RunOnce: [d3sd32.exe] C:\WINDOWS\system32\d3sd32.exe
O4 - HKLM\..\RunOnce: [d3ga32.exe] C:\WINDOWS\d3ga32.exe
O4 - HKLM\..\RunOnce: [netlx32.exe] C:\WINDOWS\system32\netlx32.exe
O4 - HKLM\..\RunOnce: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [addoz32.exe] C:\WINDOWS\addoz32.exe
O4 - HKLM\..\RunOnce: [apieh.exe] C:\WINDOWS\apieh.exe
O4 - HKLM\..\RunOnce: [netsl.exe] C:\WINDOWS\netsl.exe
O4 - HKLM\..\RunOnce: [ipxi32.exe] C:\WINDOWS\ipxi32.exe
O4 - HKLM\..\RunOnce: [netmf32.exe] C:\WINDOWS\netmf32.exe
O4 - HKLM\..\RunOnce: [sdklk.exe] C:\WINDOWS\system32\sdklk.exe
O4 - HKLM\..\RunOnce: [netba.exe] C:\WINDOWS\system32\netba.exe
O4 - HKLM\..\RunOnce: [addts.exe] C:\WINDOWS\system32\addts.exe
O4 - HKLM\..\RunOnce: [d3el32.exe] C:\WINDOWS\d3el32.exe
O4 - HKLM\..\RunOnce: [iepe32.exe] C:\WINDOWS\system32\iepe32.exe
O4 - HKLM\..\RunOnce: [ntub32.exe] C:\WINDOWS\system32\ntub32.exe
O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [crty32.exe] C:\WINDOWS\crty32.exe
O4 - HKLM\..\RunOnce: [iprg.exe] C:\WINDOWS\system32\iprg.exe
O4 - HKLM\..\RunOnce: [apivp32.exe] C:\WINDOWS\apivp32.exe
O4 - HKLM\..\RunOnce: [atlqt.exe] C:\WINDOWS\atlqt.exe
O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe
O4 - HKLM\..\RunOnce: [javafy32.exe] C:\WINDOWS\system32\javafy32.exe
O4 - HKLM\..\RunOnce: [javang.exe] C:\WINDOWS\system32\javang.exe
O4 - HKLM\..\RunOnce: [addiy32.exe] C:\WINDOWS\addiy32.exe
O4 - HKLM\..\RunOnce: [appqg.exe] C:\WINDOWS\appqg.exe
O4 - HKLM\..\RunOnce: [winrg.exe] C:\WINDOWS\system32\winrg.exe
O4 - HKLM\..\RunOnce: [netov32.exe] C:\WINDOWS\netov32.exe
O4 - HKLM\..\RunOnce: [javaed32.exe] C:\WINDOWS\javaed32.exe
O4 - HKLM\..\RunOnce: [ipap.exe] C:\WINDOWS\ipap.exe
O4 - HKLM\..\RunOnce: [appze32.exe] C:\WINDOWS\appze32.exe
O4 - HKLM\..\RunOnce: [msfc.exe] C:\WINDOWS\msfc.exe
O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\system32\atlvr.exe
O4 - HKLM\..\RunOnce: [winkg.exe] C:\WINDOWS\system32\winkg.exe
O4 - HKLM\..\RunOnce: [d3vz32.exe] C:\WINDOWS\d3vz32.exe
O4 - HKLM\..\RunOnce: [apijc32.exe] C:\WINDOWS\system32\apijc32.exe
O4 - HKLM\..\RunOnce: [sysdt.exe] C:\WINDOWS\system32\sysdt.exe
O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\system32\netxe32.exe
O4 - HKLM\..\RunOnce: [javanm32.exe] C:\WINDOWS\system32\javanm32.exe
O4 - HKLM\..\RunOnce: [ntip.exe] C:\WINDOWS\ntip.exe
O4 - HKLM\..\RunOnce: [apphf32.exe] C:\WINDOWS\apphf32.exe
O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\system32\iefu.exe
O4 - HKLM\..\RunOnce: [sdkek32.exe] C:\WINDOWS\system32\sdkek32.exe
O4 - HKLM\..\RunOnce: [apiva32.exe] C:\WINDOWS\apiva32.exe
O4 - HKLM\..\RunOnce: [netci32.exe] C:\WINDOWS\system32\netci32.exe
O4 - HKLM\..\RunOnce: [d3gr32.exe] C:\WINDOWS\system32\d3gr32.exe
O4 - HKLM\..\RunOnce: [msgh.exe] C:\WINDOWS\system32\msgh.exe
O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\d3hi.exe
O4 - HKLM\..\RunOnce: [addex32.exe] C:\WINDOWS\system32\addex32.exe
O4 - HKLM\..\RunOnce: [apiue32.exe] C:\WINDOWS\system32\apiue32.exe
O4 - HKLM\..\RunOnce: [atlpi.exe] C:\WINDOWS\system32\atlpi.exe
O4 - HKLM\..\RunOnce: [msoy32.exe] C:\WINDOWS\system32\msoy32.exe
O4 - HKLM\..\RunOnce: [sdkcg.exe] C:\WINDOWS\system32\sdkcg.exe
O4 - HKLM\..\RunOnce: [netgs.exe] C:\WINDOWS\system32\netgs.exe
O4 - HKLM\..\RunOnce: [crvh32.exe] C:\WINDOWS\crvh32.exe
O4 - HKLM\..\RunOnce: [syslo.exe] C:\WINDOWS\syslo.exe
O4 - HKLM\..\RunOnce: [atlps32.exe] C:\WINDOWS\atlps32.exe
O4 - HKLM\..\RunOnce: [ntuc32.exe] C:\WINDOWS\system32\ntuc32.exe
O4 - HKLM\..\RunOnce: [mfcss32.exe] C:\WINDOWS\mfcss32.exe
O4 - HKLM\..\RunOnce: [apisi.exe] C:\WINDOWS\system32\apisi.exe
O4 - HKLM\..\RunOnce: [atlai.exe] C:\WINDOWS\atlai.exe
O4 - HKLM\..\RunOnce: [crvt.exe] C:\WINDOWS\system32\crvt.exe
O4 - HKLM\..\RunOnce: [sdkjd32.exe] C:\WINDOWS\sdkjd32.exe
O4 - HKLM\..\RunOnce: [crcw32.exe] C:\WINDOWS\system32\crcw32.exe
O4 - HKLM\..\RunOnce: [apihs32.exe] C:\WINDOWS\system32\apihs32.exe
O4 - HKLM\..\RunOnce: [crce.exe] C:\WINDOWS\crce.exe
O4 - HKLM\..\RunOnce: [ntgq.exe] C:\WINDOWS\ntgq.exe
O4 - HKLM\..\RunOnce: [ievf32.exe] C:\WINDOWS\system32\ievf32.exe
O4 - HKLM\..\RunOnce: [sdkow32.exe] C:\WINDOWS\sdkow32.exe
O4 - HKLM\..\RunOnce: [ntdt32.exe] C:\WINDOWS\system32\ntdt32.exe
O4 - HKLM\..\RunOnce: [atlip32.exe] C:\WINDOWS\system32\atlip32.exe
O4 - HKLM\..\RunOnce: [sdkdb32.exe] C:\WINDOWS\system32\sdkdb32.exe
O4 - HKLM\..\RunOnce: [d3hf32.exe] C:\WINDOWS\d3hf32.exe
O4 - HKLM\..\RunOnce: [d3kw32.exe] C:\WINDOWS\system32\d3kw32.exe
O4 - HKLM\..\RunOnce: [winae.exe] C:\WINDOWS\system32\winae.exe
O4 - HKLM\..\RunOnce: [mfcei32.exe] C:\WINDOWS\mfcei32.exe
O4 - HKLM\..\RunOnce: [apizh.exe] C:\WINDOWS\system32\apizh.exe
O4 - HKLM\..\RunOnce: [winyx32.exe] C:\WINDOWS\system32\winyx32.exe
O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\system32\atlrv.exe
O4 - HKLM\..\RunOnce: [crlh.exe] C:\WINDOWS\system32\crlh.exe
O4 - HKLM\..\RunOnce: [ntaw.exe] C:\WINDOWS\system32\ntaw.exe
O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\mfclp.exe
O4 - HKLM\..\RunOnce: [sysvi32.exe] C:\WINDOWS\system32\sysvi32.exe
O4 - HKLM\..\RunOnce: [winpt32.exe] C:\WINDOWS\system32\winpt32.exe
O4 - HKLM\..\RunOnce: [crup32.exe] C:\WINDOWS\crup32.exe
O4 - HKLM\..\RunOnce: [addpb.exe] C:\WINDOWS\system32\addpb.exe
O4 - HKLM\..\RunOnce: [iesn32.exe] C:\WINDOWS\system32\iesn32.exe
O4 - HKLM\..\RunOnce: [javarc.exe] C:\WINDOWS\javarc.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on the *delete.bat* file to run it. Let it run and it will delete the bad files.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Download the Hoster from here. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

* If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

* Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. 
Find shell.dll and right click on it. Choose Copy from the menu. 
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

* control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

* *IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK. 
Now press "Custom Level." 
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I did as you advised me to. As a result the startup procedure is faster now and also IE does not open by itself initially. But I still get the message from Trend Micro saying that "TROJ_STARTPAG.RE" is quarantined, whenever I open IE. I am attaching both the Hijackthis and Active Scan log files. Thank you again for your help.

nv13


----------



## Flrman1 (Jul 26, 2002)

We need to go through basically the same procedure again. I just got in from work and will be online the rest of the evening til at least 11 pm EDT. 

To make sure nothing has changed since the log you posted, please go ahead and rescan with Hijack This and post a new log. We can get this thing cleaned up this evening if you have time to stick here with me a while. Don't restart your computer or do anything else, just wait for my reply with directions. I will be prompt.


----------



## nv13 (Aug 21, 2005)

flrman1,
I am posting the new HijackThis Log file. Thanks for doing this.
nv13


----------



## Flrman1 (Jul 26, 2002)

I'm working on the log now. I'll post directions soon.


----------



## Flrman1 (Jul 26, 2002)

* You don't need to download all the tools you downloaded before again if you still have them all. Make sure you still have them all and redownload any that you have removed.

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
You should re-enable these when we are finished here.

* I am attaching a delete2.zip file to this post. It contains a delete2.bat file. Unzip delete2.zip to extract the delete2.bat file it contains and have it ready to run in safe mode.

***After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)*. These are the legitimate services. Do not stop those two.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*R3 - Default URLSearchHook is missing

O2 - BHO: Class - {39314580-81A5-5B7C-6038-49D3B9341A24} - C:\WINDOWS\appte32.dll

O2 - BHO: Class - {3D04ED84-CB60-D0D7-5B32-B6E17342655A} - C:\WINDOWS\syswy.dll

O2 - BHO: Class - {71831756-0ABA-C479-7A7E-D8EC68EDFB00} - C:\WINDOWS\system32\sdkxh32.dll

O2 - BHO: Class - {7B9F0EE4-BFCC-13BF-7127-EC3A3BA67B92} - C:\WINDOWS\sdkzj32.dll

O2 - BHO: Class - {AC4257E2-6DD2-AEC4-FFD6-D5E44CC39DBE} - C:\WINDOWS\d3bs.dll

O2 - BHO: Class - {DF7B4507-13C3-06E8-197B-D732093994CA} - C:\WINDOWS\system32\apptw32.dll

O2 - BHO: Class - {E6512118-692F-BF80-A97A-75AF1C652A9B} - C:\WINDOWS\atlnl32.dll

O2 - BHO: Class - {EE427AA2-C3A0-EEBC-C139-0A744C94E673} - C:\WINDOWS\atlcc.dll

O2 - BHO: Class - {F043FDC8-1BB2-DD9E-F339-A01E4FC8A75E} - C:\WINDOWS\system32\mfcpn32.dll

O2 - BHO: Class - {FBF430FD-0AC5-CF00-714C-E063038CC69E} - C:\WINDOWS\mfcrw32.dll

O2 - BHO: Class - {FF8D1970-66C7-0067-E933-2FC85DA5DFA5} - C:\WINDOWS\system32\iesf.dll

O4 - HKLM\..\Run: [ippd.exe] C:\WINDOWS\ippd.exe

O4 - HKLM\..\Run: [sdkjs.exe] C:\WINDOWS\system32\sdkjs.exe

O4 - HKLM\..\RunOnce: [appvm.exe] C:\WINDOWS\system32\appvm.exe

O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\system32\mszf32.exe

O4 - HKLM\..\RunOnce: [ipzn.exe] C:\WINDOWS\system32\ipzn.exe

O4 - HKLM\..\RunOnce: [ipjr32.exe] C:\WINDOWS\system32\ipjr32.exe

O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe

O4 - HKLM\..\RunOnce: [addqf.exe] C:\WINDOWS\system32\addqf.exe

O4 - HKLM\..\RunOnce: [netnh32.exe] C:\WINDOWS\netnh32.exe

O4 - HKLM\..\RunOnce: [netzb.exe] C:\WINDOWS\netzb.exe

O4 - HKLM\..\RunOnce: [sdkyq.exe] C:\WINDOWS\sdkyq.exe

O4 - HKLM\..\RunOnce: [mfcqk32.exe] C:\WINDOWS\system32\mfcqk32.exe

O4 - HKLM\..\RunOnce: [sysvm.exe] C:\WINDOWS\sysvm.exe

O4 - HKLM\..\RunOnce: [netou32.exe] C:\WINDOWS\netou32.exe

O4 - HKLM\..\RunOnce: [appte32.exe] C:\WINDOWS\appte32.exe

O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe

O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\sdkxv32.exe

O4 - HKLM\..\RunOnce: [ntfw32.exe] C:\WINDOWS\ntfw32.exe

O4 - HKLM\..\RunOnce: [d3er.exe] C:\WINDOWS\d3er.exe

O4 - HKLM\..\RunOnce: [winxq.exe] C:\WINDOWS\winxq.exe

O4 - HKLM\..\RunOnce: [atlbi.exe] C:\WINDOWS\atlbi.exe

O4 - HKLM\..\RunOnce: [apibo.exe] C:\WINDOWS\system32\apibo.exe

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on the *delete2.bat* file to run it. Let it run and it will delete the bad files.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*
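Both removal posts in this thread (the long one near the top of this page and the one just above) work by picking the CoolWebSearch-style entries out of a HijackThis log by eye: executables with made-up system-looking names dropped straight into C:\WINDOWS or system32, BHOs registered under the bare name "Class", R0/R1 search settings redirected into a res:// DLL resource, a deleted URLSearchHook, and a service whose short name is binary junk. The script below is an added example, not part of the thread and not a HijackThis feature; it encodes those same criteria as checks run over a constructed sample of log lines. The sample mixes entries copied from the logs in this thread with legitimate entries for contrast; the "Remote Procedure Call (RPC) Helper" line, its short name "rpchelp" and the PLACEHOLDER.exe path are made up to illustrate the caution about the two legitimate RPC services. The prefix list in DROPPED_NAME, the Finding class and the function names are this example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Name pattern shared by every dropped .exe/.dll in this thread's logs: a
# system-looking prefix, exactly two random letters, an optional "32".
# Derived from the logs above for this example; not a HijackThis rule.
DROPPED_NAME = re.compile(
    r"^(?:api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(?:32)?\.(?:exe|dll)$",
    re.IGNORECASE,
)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# The two legitimate RPC services the second post says not to stop.
LEGIT_RPC = {"Remote Procedure Call (RPC)", "Remote Procedure Call (RPC) Locator"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
R_RE = re.compile(r"^R[0-3] - (.+?) = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+) \((.+?)\) - (.+?) - (.+)$")

# Constructed sample: lines copied from the logs in this thread plus legitimate
# entries for contrast; the "RPC Helper" line and PLACEHOLDER.exe are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {40F96ECF-F256-A2FB-6BF0-5B6FD5678995} - C:\WINDOWS\system32\apigh.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
O4 - HKLM\..\Run: [PccGuide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) Helper (rpchelp) - Unknown owner - C:\WINDOWS\system32\PLACEHOLDER.exe
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def clean_path(raw: str) -> str:
    """Drop HijackThis decorations so only the file path remains."""
    return raw.replace(" (file missing)", "").strip().strip('"')


def looks_dropped(path: str) -> bool:
    """True for a file sitting directly in Windows or System32 with a dropped-style name."""
    folder, name = ntpath.split(clean_path(path))
    return folder.lower() in SYSTEM_DIRS and bool(DROPPED_NAME.match(name))


def triage(log_text: str) -> List[Finding]:
    """Return the log lines the removal posts would tell the user to fix, with a reason each."""
    out: List[Finding] = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if line == "R3 - Default URLSearchHook is missing":
            out.append(Finding(no, line, "URLSearchHook deleted; this variant removes it"))
        elif (m := R_RE.match(line)):
            value = m.group(2).lower()
            if value.startswith("res://") and ".dll" in value:
                out.append(Finding(no, line, "search/start page redirected into a DLL resource"))
        elif (m := O2_RE.match(line)):
            name, path = m.groups()
            if name == "Class" or looks_dropped(path):
                out.append(Finding(no, line, "BHO with a generic name or a dropped DLL"))
            elif path.endswith("(file missing)"):
                out.append(Finding(no, line, "orphaned BHO registration"))
        elif (m := O4_RE.match(line)):
            hive, key, _label, path = m.groups()
            if looks_dropped(path):
                out.append(Finding(no, line, f"{hive} {key} autostart for a dropped executable"))
            elif ntpath.basename(clean_path(path)).lower() == "iexplore.exe":
                out.append(Finding(no, line, "Run key launches Internet Explorer at logon"))
        elif (m := O23_RE.match(line)):
            display, short, _company, path = m.groups()
            if not re.fullmatch(r"[\w .\-]+", short, re.ASCII):
                out.append(Finding(no, line, "service short name is binary junk"))
            elif looks_dropped(path):
                out.append(Finding(no, line, "service binary is a dropped executable"))
            elif "Remote Procedure Call" in display and display not in LEGIT_RPC:
                out.append(Finding(no, line, "service borrows the RPC name but is not one of the two legitimate RPC services"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.entry}")
```

A hit means "review this entry and fix it", exactly as the posts do; the script changes nothing on the machine, and legitimate entries such as the Toshiba ConfigFree service and the real RPC Locator pass through untouched. Running it on a full log from this thread is the quickest way to check that nothing from the fix lists was missed before posting the next log.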


----------



## nv13 (Aug 21, 2005)

flrman1,
I will work on this right now and let you know.
Thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## nv13 (Aug 21, 2005)

flrman1,
I could not use the online virus scan. The program just stops after the scan starts.
nv13


----------



## Flrman1 (Jul 26, 2002)

Go ahead and post a new HJT log please.


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching the new log file. I know it's close to 11:00 pm. We can do this later if you have to leave.
nv13


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
You should re-enable these when we are finished here.

* I am attaching a delete3.zip file to this post. It contains a delete3.bat file. Unzip delete3.zip to extract the delete3.bat file it contains and have it ready to run in safe mode.

***After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)*. These are the legitimate services. Do not stop those two.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*R3 - Default URLSearchHook is missing

O2 - BHO: Class - {6544D292-6022-D0FE-FA2E-EAF197AB6EFF} - C:\WINDOWS\atlmc32.dll

O4 - HKLM\..\Run: [ierw32.exe] C:\WINDOWS\ierw32.exe

O4 - HKLM\..\RunOnce: [mfckm32.exe] C:\WINDOWS\system32\mfckm32.exe
O4 - HKLM\..\RunOnce: [appme.exe] C:\WINDOWS\appme.exe
O4 - HKLM\..\RunOnce: [appgw32.exe] C:\WINDOWS\appgw32.exe
O4 - HKLM\..\RunOnce: [d3uq.exe] C:\WINDOWS\d3uq.exe
O4 - HKLM\..\RunOnce: [nethe.exe] C:\WINDOWS\system32\nethe.exe
O4 - HKLM\..\RunOnce: [javanq32.exe] C:\WINDOWS\javanq32.exe
O4 - HKLM\..\RunOnce: [iess.exe] C:\WINDOWS\system32\iess.exe
O4 - HKLM\..\RunOnce: [mfcco32.exe] C:\WINDOWS\system32\mfcco32.exe
O4 - HKLM\..\RunOnce: [mszm32.exe] C:\WINDOWS\system32\mszm32.exe
O4 - HKLM\..\RunOnce: [ntiu.exe] C:\WINDOWS\system32\ntiu.exe
O4 - HKLM\..\RunOnce: [mspf.exe] C:\WINDOWS\mspf.exe
O4 - HKLM\..\RunOnce: [neton32.exe] C:\WINDOWS\neton32.exe
O4 - HKLM\..\RunOnce: [d3hb32.exe] C:\WINDOWS\system32\d3hb32.exe
O4 - HKLM\..\RunOnce: [winbb32.exe] C:\WINDOWS\winbb32.exe
O4 - HKLM\..\RunOnce: [apiuy32.exe] C:\WINDOWS\system32\apiuy32.exe
O4 - HKLM\..\RunOnce: [iptd.exe] C:\WINDOWS\iptd.exe
O4 - HKLM\..\RunOnce: [winhg.exe] C:\WINDOWS\system32\winhg.exe
O4 - HKLM\..\RunOnce: [crna.exe] C:\WINDOWS\crna.exe
O4 - HKLM\..\RunOnce: [netxv32.exe] C:\WINDOWS\system32\netxv32.exe
O4 - HKLM\..\RunOnce: [addcx32.exe] C:\WINDOWS\system32\addcx32.exe
O4 - HKLM\..\RunOnce: [ntwb32.exe] C:\WINDOWS\ntwb32.exe
O4 - HKLM\..\RunOnce: [atlcd.exe] C:\WINDOWS\atlcd.exe
O4 - HKLM\..\RunOnce: [winrs.exe] C:\WINDOWS\winrs.exe
O4 - HKLM\..\RunOnce: [crem32.exe] C:\WINDOWS\system32\crem32.exe
O4 - HKLM\..\RunOnce: [atleu.exe] C:\WINDOWS\system32\atleu.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\ieko.exe
O4 - HKLM\..\RunOnce: [winiy.exe] C:\WINDOWS\system32\winiy.exe
O4 - HKLM\..\RunOnce: [msse.exe] C:\WINDOWS\msse.exe
O4 - HKLM\..\RunOnce: [ntxz.exe] C:\WINDOWS\system32\ntxz.exe
O4 - HKLM\..\RunOnce: [d3bf32.exe] C:\WINDOWS\system32\d3bf32.exe
O4 - HKLM\..\RunOnce: [netgz.exe] C:\WINDOWS\netgz.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on the *delete2.bat* file to run it. Let it run and it will delete the bad files.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
Click on the "*Cleanup*" button and let it run.
Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I am sorry I had to log off before you could reply, so I couldn't work on the problem anymore. Also, I won't be able to do it over the weekend. I will attach a file on Monday evening. I would greatly appreciate it if you could look into it then.
Thanks
nv13


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching a new HijackThis Log file. I hope you can help me with this.
Thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

I'm working on this now. I remind you not to restart your computer or do anything else until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
You should re-enable these when we are finished here.

* I am attaching a delete4.zip file to this post. It contains a delete4.bat file. Unzip delete4.zip to extract the delete4.bat file it contains and have it ready to run in safe mode.

* You do not need to download any of the following tools that you still have, but you *do need to update AboutBuster.*

* Click here to download cwsserviceremove.zip and unzip it to your desktop.

*Download Cleanup from *Here* 
If that link is down, you can get Cleanup *Here*.

Save the Cleanup40 file to your desktop.
On your desktop, click on the *Cleanup40.exe* icon.
Then, click *RUN* and place a checkmark beside "*I Agree*"
Then click *NEXT* followed by *START* and *OK.*
A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
Click *OK*
*DO NOT RUN IT YET*

* *Click Here* and download the new version of Killbox and save it to your desktop.

* *Click here* to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. *Do Not* run it yet.

* Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

* Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

* *Click here* for info on how to boot to safe mode if you don't already know how.

***After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)*. These are the legitimate services. Do not stop those two.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\keojl.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\keojl.dll/sp.html#44768

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\keojl.dll/sp.html#44768

O2 - BHO: Class - {0427CF01-0410-2654-E229-75B55A233C97} - C:\WINDOWS\apipc.dll

O2 - BHO: Class - {25ADEB1C-223C-2A7D-D3AD-712F742ABDB1} - C:\WINDOWS\mshk32.dll

O2 - BHO: Class - {30D6993A-6A35-373B-3E6E-B557CAEF0E58} - C:\WINDOWS\system32\crnt32.dll

O2 - BHO: Class - {4FD5405E-0C06-B7B6-1BDA-2E2D18C8E9EF} - C:\WINDOWS\ieap.dll

O2 - BHO: Class - {621C5F14-0928-7C3B-745B-DA8F9C0CDA43} - C:\WINDOWS\javaxp32.dll

O2 - BHO: Class - {797CF3F6-DFA4-7C09-D2A7-116A21249ABF} - C:\WINDOWS\system32\ippn32.dll

O2 - BHO: Class - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\javabi32.dll

O2 - BHO: Class - {87679686-A145-9CF2-EC0C-C21005DEE4C8} - C:\WINDOWS\system32\msjl32.dll

O2 - BHO: Class - {BFC8E15D-A9D9-C737-3BFC-6E181D103960} - C:\WINDOWS\apper.dll

O2 - BHO: Class - {BFFB14CE-5DCB-C371-8960-2404CA0FF16A} - C:\WINDOWS\ntrp32.dll

O2 - BHO: Class - {E0BA94C5-0FEC-5E63-30F0-5121AE85E657} - C:\WINDOWS\mslx.dll

O2 - BHO: Class - {F0EE109C-9B59-1D4D-701B-893172B60010} - C:\WINDOWS\sysdj32.dll

O4 - HKLM\..\Run: [addyy.exe] C:\WINDOWS\system32\addyy.exe

O4 - HKLM\..\Run: [sysdg.exe] C:\WINDOWS\sysdg.exe

O4 - HKLM\..\Run: [mslx.exe] C:\WINDOWS\mslx.exe

O4 - HKLM\..\RunOnce: [atlkl.exe] C:\WINDOWS\system32\atlkl.exe
O4 - HKLM\..\RunOnce: [sdkza32.exe] C:\WINDOWS\sdkza32.exe
O4 - HKLM\..\RunOnce: [ipml.exe] C:\WINDOWS\ipml.exe
O4 - HKLM\..\RunOnce: [appjh32.exe] C:\WINDOWS\system32\appjh32.exe
O4 - HKLM\..\RunOnce: [sdkkp.exe] C:\WINDOWS\sdkkp.exe
O4 - HKLM\..\RunOnce: [iece32.exe] C:\WINDOWS\system32\iece32.exe
O4 - HKLM\..\RunOnce: [atlmf32.exe] C:\WINDOWS\atlmf32.exe
O4 - HKLM\..\RunOnce: [ierz32.exe] C:\WINDOWS\system32\ierz32.exe
O4 - HKLM\..\RunOnce: [mfczq.exe] C:\WINDOWS\system32\mfczq.exe
O4 - HKLM\..\RunOnce: [iprm.exe] C:\WINDOWS\system32\iprm.exe
O4 - HKLM\..\RunOnce: [sdkll.exe] C:\WINDOWS\system32\sdkll.exe
O4 - HKLM\..\RunOnce: [netse.exe] C:\WINDOWS\netse.exe
O4 - HKLM\..\RunOnce: [iesm32.exe] C:\WINDOWS\system32\iesm32.exe
O4 - HKLM\..\RunOnce: [addti.exe] C:\WINDOWS\system32\addti.exe
O4 - HKLM\..\RunOnce: [netdb32.exe] C:\WINDOWS\netdb32.exe
O4 - HKLM\..\RunOnce: [sdkql.exe] C:\WINDOWS\system32\sdkql.exe
O4 - HKLM\..\RunOnce: [winar32.exe] C:\WINDOWS\system32\winar32.exe
O4 - HKLM\..\RunOnce: [crzf32.exe] C:\WINDOWS\system32\crzf32.exe
O4 - HKLM\..\RunOnce: [sysys.exe] C:\WINDOWS\system32\sysys.exe
O4 - HKLM\..\RunOnce: [mfcsy32.exe] C:\WINDOWS\mfcsy32.exe
O4 - HKLM\..\RunOnce: [apisg32.exe] C:\WINDOWS\apisg32.exe
O4 - HKLM\..\RunOnce: [javach32.exe] C:\WINDOWS\system32\javach32.exe
O4 - HKLM\..\RunOnce: [javawq.exe] C:\WINDOWS\javawq.exe
O4 - HKLM\..\RunOnce: [ntmf.exe] C:\WINDOWS\ntmf.exe
O4 - HKLM\..\RunOnce: [atley32.exe] C:\WINDOWS\system32\atley32.exe
O4 - HKLM\..\RunOnce: [mfcqr32.exe] C:\WINDOWS\mfcqr32.exe
O4 - HKLM\..\RunOnce: [sysvn32.exe] C:\WINDOWS\sysvn32.exe
O4 - HKLM\..\RunOnce: [apiyz.exe] C:\WINDOWS\system32\apiyz.exe
O4 - HKLM\..\RunOnce: [appud32.exe] C:\WINDOWS\system32\appud32.exe
O4 - HKLM\..\RunOnce: [iess.exe] C:\WINDOWS\iess.exe
O4 - HKLM\..\RunOnce: [ntri32.exe] C:\WINDOWS\ntri32.exe
O4 - HKLM\..\RunOnce: [mfchy32.exe] C:\WINDOWS\system32\mfchy32.exe
O4 - HKLM\..\RunOnce: [apipg.exe] C:\WINDOWS\system32\apipg.exe
O4 - HKLM\..\RunOnce: [mfcqg.exe] C:\WINDOWS\system32\mfcqg.exe
O4 - HKLM\..\RunOnce: [sdkfd.exe] C:\WINDOWS\sdkfd.exe
O4 - HKLM\..\RunOnce: [ipuk32.exe] C:\WINDOWS\system32\ipuk32.exe
O4 - HKLM\..\RunOnce: [ntod.exe] C:\WINDOWS\system32\ntod.exe
O4 - HKLM\..\RunOnce: [d3sh32.exe] C:\WINDOWS\d3sh32.exe
O4 - HKLM\..\RunOnce: [javabi.exe] C:\WINDOWS\system32\javabi.exe
O4 - HKLM\..\RunOnce: [javahf32.exe] C:\WINDOWS\javahf32.exe
O4 - HKLM\..\RunOnce: [javavb32.exe] C:\WINDOWS\system32\javavb32.exe
O4 - HKLM\..\RunOnce: [sdklu32.exe] C:\WINDOWS\sdklu32.exe
O4 - HKLM\..\RunOnce: [javatc.exe] C:\WINDOWS\javatc.exe
O4 - HKLM\..\RunOnce: [sdktc.exe] C:\WINDOWS\system32\sdktc.exe
O4 - HKLM\..\RunOnce: [iejz32.exe] C:\WINDOWS\iejz32.exe
O4 - HKLM\..\RunOnce: [apphh32.exe] C:\WINDOWS\apphh32.exe
O4 - HKLM\..\RunOnce: [mszd.exe] C:\WINDOWS\system32\mszd.exe
O4 - HKLM\..\RunOnce: [ipyt32.exe] C:\WINDOWS\system32\ipyt32.exe
O4 - HKLM\..\RunOnce: [atloi32.exe] C:\WINDOWS\atloi32.exe
O4 - HKLM\..\RunOnce: [mfcoq.exe] C:\WINDOWS\mfcoq.exe
O4 - HKLM\..\RunOnce: [atlwq.exe] C:\WINDOWS\system32\atlwq.exe
O4 - HKLM\..\RunOnce: [ntmo32.exe] C:\WINDOWS\ntmo32.exe
O4 - HKLM\..\RunOnce: [netpp.exe] C:\WINDOWS\netpp.exe
O4 - HKLM\..\RunOnce: [appai32.exe] C:\WINDOWS\system32\appai32.exe
O4 - HKLM\..\RunOnce: [atltb.exe] C:\WINDOWS\system32\atltb.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\ippf.exe
O4 - HKLM\..\RunOnce: [apina.exe] C:\WINDOWS\apina.exe
O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\system32\apihm32.exe
O4 - HKLM\..\RunOnce: [crrk.exe] C:\WINDOWS\crrk.exe
O4 - HKLM\..\RunOnce: [iecl32.exe] C:\WINDOWS\iecl32.exe
O4 - HKLM\..\RunOnce: [appas.exe] C:\WINDOWS\appas.exe
O4 - HKLM\..\RunOnce: [netww32.exe] C:\WINDOWS\netww32.exe
O4 - HKLM\..\RunOnce: [atlfx.exe] C:\WINDOWS\atlfx.exe
O4 - HKLM\..\RunOnce: [d3od.exe] C:\WINDOWS\system32\d3od.exe
O4 - HKLM\..\RunOnce: [netnt32.exe] C:\WINDOWS\system32\netnt32.exe
O4 - HKLM\..\RunOnce: [appla.exe] C:\WINDOWS\appla.exe
O4 - HKLM\..\RunOnce: [ipps.exe] C:\WINDOWS\ipps.exe
O4 - HKLM\..\RunOnce: [atlal32.exe] C:\WINDOWS\system32\atlal32.exe
O4 - HKLM\..\RunOnce: [mfctw.exe] C:\WINDOWS\system32\mfctw.exe
O4 - HKLM\..\RunOnce: [ntpa.exe] C:\WINDOWS\ntpa.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKLM\..\RunOnce: [ipts32.exe] C:\WINDOWS\ipts32.exe
O4 - HKLM\..\RunOnce: [netho32.exe] C:\WINDOWS\system32\netho32.exe
O4 - HKLM\..\RunOnce: [addml32.exe] C:\WINDOWS\addml32.exe
O4 - HKLM\..\RunOnce: [iphw32.exe] C:\WINDOWS\system32\iphw32.exe
O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINDOWS\javamb.exe
O4 - HKLM\..\RunOnce: [javaos32.exe] C:\WINDOWS\javaos32.exe
O4 - HKLM\..\RunOnce: [netzj32.exe] C:\WINDOWS\system32\netzj32.exe
O4 - HKLM\..\RunOnce: [apiog32.exe] C:\WINDOWS\apiog32.exe
O4 - HKLM\..\RunOnce: [wintc32.exe] C:\WINDOWS\wintc32.exe
O4 - HKLM\..\RunOnce: [addjc32.exe] C:\WINDOWS\addjc32.exe
O4 - HKLM\..\RunOnce: [winho32.exe] C:\WINDOWS\winho32.exe
O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\system32\ntjf.exe
O4 - HKLM\..\RunOnce: [ntqc.exe] C:\WINDOWS\ntqc.exe
O4 - HKLM\..\RunOnce: [syshg.exe] C:\WINDOWS\syshg.exe
O4 - HKLM\..\RunOnce: [msfb.exe] C:\WINDOWS\msfb.exe
O4 - HKLM\..\RunOnce: [addvi32.exe] C:\WINDOWS\addvi32.exe
O4 - HKLM\..\RunOnce: [msuw32.exe] C:\WINDOWS\system32\msuw32.exe
O4 - HKLM\..\RunOnce: [mspn.exe] C:\WINDOWS\mspn.exe
O4 - HKLM\..\RunOnce: [apptj32.exe] C:\WINDOWS\apptj32.exe
O4 - HKLM\..\RunOnce: [ierx32.exe] C:\WINDOWS\ierx32.exe
O4 - HKLM\..\RunOnce: [addua.exe] C:\WINDOWS\addua.exe
O4 - HKLM\..\RunOnce: [netoy32.exe] C:\WINDOWS\netoy32.exe
O4 - HKLM\..\RunOnce: [winua32.exe] C:\WINDOWS\system32\winua32.exe
O4 - HKLM\..\RunOnce: [javaiu.exe] C:\WINDOWS\system32\javaiu.exe
O4 - HKLM\..\RunOnce: [sdkor.exe] C:\WINDOWS\system32\sdkor.exe
O4 - HKLM\..\RunOnce: [mfcct32.exe] C:\WINDOWS\system32\mfcct32.exe
O4 - HKLM\..\RunOnce: [javarg32.exe] C:\WINDOWS\javarg32.exe
O4 - HKLM\..\RunOnce: [appro32.exe] C:\WINDOWS\system32\appro32.exe
O4 - HKLM\..\RunOnce: [ipkl32.exe] C:\WINDOWS\ipkl32.exe
O4 - HKLM\..\RunOnce: [winpj.exe] C:\WINDOWS\system32\winpj.exe
O4 - HKLM\..\RunOnce: [crud.exe] C:\WINDOWS\crud.exe
O4 - HKLM\..\RunOnce: [netnc.exe] C:\WINDOWS\netnc.exe
O4 - HKLM\..\RunOnce: [crox32.exe] C:\WINDOWS\system32\crox32.exe
O4 - HKLM\..\RunOnce: [netcz.exe] C:\WINDOWS\system32\netcz.exe
O4 - HKLM\..\RunOnce: [mswd.exe] C:\WINDOWS\mswd.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [crls.exe] C:\WINDOWS\crls.exe
O4 - HKLM\..\RunOnce: [apiru32.exe] C:\WINDOWS\system32\apiru32.exe
O4 - HKLM\..\RunOnce: [ieru.exe] C:\WINDOWS\ieru.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\ntww.exe
O4 - HKLM\..\RunOnce: [javavg.exe] C:\WINDOWS\system32\javavg.exe
O4 - HKLM\..\RunOnce: [apiaa32.exe] C:\WINDOWS\system32\apiaa32.exe
O4 - HKLM\..\RunOnce: [ntfe.exe] C:\WINDOWS\system32\ntfe.exe
O4 - HKLM\..\RunOnce: [appsg.exe] C:\WINDOWS\system32\appsg.exe
O4 - HKLM\..\RunOnce: [nthw32.exe] C:\WINDOWS\nthw32.exe
O4 - HKLM\..\RunOnce: [appnq.exe] C:\WINDOWS\appnq.exe
O4 - HKLM\..\RunOnce: [cryd.exe] C:\WINDOWS\cryd.exe
O4 - HKLM\..\RunOnce: [netdf32.exe] C:\WINDOWS\system32\netdf32.exe
O4 - HKLM\..\RunOnce: [ipwq.exe] C:\WINDOWS\system32\ipwq.exe
O4 - HKLM\..\RunOnce: [d3su32.exe] C:\WINDOWS\d3su32.exe
O4 - HKLM\..\RunOnce: [sdkcv.exe] C:\WINDOWS\system32\sdkcv.exe
O4 - HKLM\..\RunOnce: [mfcvm.exe] C:\WINDOWS\mfcvm.exe
O4 - HKLM\..\RunOnce: [addzy.exe] C:\WINDOWS\system32\addzy.exe
O4 - HKLM\..\RunOnce: [ipon32.exe] C:\WINDOWS\ipon32.exe
O4 - HKLM\..\RunOnce: [javaeu.exe] C:\WINDOWS\system32\javaeu.exe
O4 - HKLM\..\RunOnce: [ieiy32.exe] C:\WINDOWS\system32\ieiy32.exe
O4 - HKLM\..\RunOnce: [d3sz.exe] C:\WINDOWS\system32\d3sz.exe
O4 - HKLM\..\RunOnce: [d3xv32.exe] C:\WINDOWS\system32\d3xv32.exe
O4 - HKLM\..\RunOnce: [d3ms32.exe] C:\WINDOWS\d3ms32.exe
O4 - HKLM\..\RunOnce: [netrp32.exe] C:\WINDOWS\system32\netrp32.exe
O4 - HKLM\..\RunOnce: [ipzc32.exe] C:\WINDOWS\ipzc32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\addkw.exe
O4 - HKLM\..\RunOnce: [ntte.exe] C:\WINDOWS\ntte.exe
O4 - HKLM\..\RunOnce: [appse32.exe] C:\WINDOWS\appse32.exe
O4 - HKLM\..\RunOnce: [sdkzt32.exe] C:\WINDOWS\sdkzt32.exe
O4 - HKLM\..\RunOnce: [javagr.exe] C:\WINDOWS\javagr.exe
O4 - HKLM\..\RunOnce: [addka.exe] C:\WINDOWS\system32\addka.exe
O4 - HKLM\..\RunOnce: [d3jq32.exe] C:\WINDOWS\system32\d3jq32.exe
O4 - HKLM\..\RunOnce: [iphf32.exe] C:\WINDOWS\iphf32.exe
O4 - HKLM\..\RunOnce: [netdp.exe] C:\WINDOWS\netdp.exe
O4 - HKLM\..\RunOnce: [javahl32.exe] C:\WINDOWS\system32\javahl32.exe
O4 - HKLM\..\RunOnce: [ipqt.exe] C:\WINDOWS\ipqt.exe
O4 - HKLM\..\RunOnce: [ntwi32.exe] C:\WINDOWS\system32\ntwi32.exe
O4 - HKLM\..\RunOnce: [ipkf32.exe] C:\WINDOWS\ipkf32.exe
O4 - HKLM\..\RunOnce: [apppj32.exe] C:\WINDOWS\apppj32.exe
O4 - HKLM\..\RunOnce: [atlyp.exe] C:\WINDOWS\atlyp.exe
O4 - HKLM\..\RunOnce: [atlsj32.exe] C:\WINDOWS\atlsj32.exe
O4 - HKLM\..\RunOnce: [msdc32.exe] C:\WINDOWS\system32\msdc32.exe
O4 - HKLM\..\RunOnce: [addie32.exe] C:\WINDOWS\addie32.exe
O4 - HKLM\..\RunOnce: [ntws.exe] C:\WINDOWS\ntws.exe
O4 - HKLM\..\RunOnce: [javava.exe] C:\WINDOWS\system32\javava.exe
O4 - HKLM\..\RunOnce: [iegb.exe] C:\WINDOWS\iegb.exe
O4 - HKLM\..\RunOnce: [ipfj32.exe] C:\WINDOWS\ipfj32.exe
O4 - HKLM\..\RunOnce: [netoh.exe] C:\WINDOWS\system32\netoh.exe
O4 - HKLM\..\RunOnce: [javayi32.exe] C:\WINDOWS\system32\javayi32.exe
O4 - HKLM\..\RunOnce: [mspp.exe] C:\WINDOWS\system32\mspp.exe
O4 - HKLM\..\RunOnce: [addtl32.exe] C:\WINDOWS\system32\addtl32.exe
O4 - HKLM\..\RunOnce: [syscu.exe] C:\WINDOWS\system32\syscu.exe
O4 - HKLM\..\RunOnce: [winii32.exe] C:\WINDOWS\system32\winii32.exe
O4 - HKLM\..\RunOnce: [syswf32.exe] C:\WINDOWS\system32\syswf32.exe
O4 - HKLM\..\RunOnce: [addwt.exe] C:\WINDOWS\addwt.exe
O4 - HKLM\..\RunOnce: [iela.exe] C:\WINDOWS\iela.exe
O4 - HKLM\..\RunOnce: [javaet32.exe] C:\WINDOWS\javaet32.exe
O4 - HKLM\..\RunOnce: [crpm.exe] C:\WINDOWS\system32\crpm.exe
O4 - HKLM\..\RunOnce: [systq.exe] C:\WINDOWS\systq.exe
O4 - HKLM\..\RunOnce: [atlej32.exe] C:\WINDOWS\system32\atlej32.exe
O4 - HKLM\..\RunOnce: [addhs32.exe] C:\WINDOWS\addhs32.exe
O4 - HKLM\..\RunOnce: [appte.exe] C:\WINDOWS\appte.exe
O4 - HKLM\..\RunOnce: [ipxi32.exe] C:\WINDOWS\system32\ipxi32.exe
O4 - HKLM\..\RunOnce: [mfcgq.exe] C:\WINDOWS\mfcgq.exe
O4 - HKLM\..\RunOnce: [sysrh.exe] C:\WINDOWS\system32\sysrh.exe
O4 - HKLM\..\RunOnce: [d3vl.exe] C:\WINDOWS\system32\d3vl.exe
O4 - HKLM\..\RunOnce: [d3yc.exe] C:\WINDOWS\d3yc.exe
O4 - HKLM\..\RunOnce: [msdz.exe] C:\WINDOWS\msdz.exe
O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\netjv.exe
O4 - HKLM\..\RunOnce: [ipsh32.exe] C:\WINDOWS\system32\ipsh32.exe
O4 - HKLM\..\RunOnce: [ntap32.exe] C:\WINDOWS\system32\ntap32.exe
O4 - HKLM\..\RunOnce: [msjq32.exe] C:\WINDOWS\msjq32.exe
O4 - HKLM\..\RunOnce: [apijy32.exe] C:\WINDOWS\system32\apijy32.exe
O4 - HKLM\..\RunOnce: [d3ej32.exe] C:\WINDOWS\d3ej32.exe
O4 - HKLM\..\RunOnce: [sdkwi32.exe] C:\WINDOWS\sdkwi32.exe
O4 - HKLM\..\RunOnce: [apimx.exe] C:\WINDOWS\system32\apimx.exe
O4 - HKLM\..\RunOnce: [atlqz.exe] C:\WINDOWS\system32\atlqz.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\ipmd32.exe
O4 - HKLM\..\RunOnce: [apiwe.exe] C:\WINDOWS\apiwe.exe
O4 - HKLM\..\RunOnce: [winpc32.exe] C:\WINDOWS\winpc32.exe
O4 - HKLM\..\RunOnce: [netko32.exe] C:\WINDOWS\netko32.exe
O4 - HKLM\..\RunOnce: [sdkws.exe] C:\WINDOWS\system32\sdkws.exe
O4 - HKLM\..\RunOnce: [winsc.exe] C:\WINDOWS\winsc.exe
O4 - HKLM\..\RunOnce: [ieve.exe] C:\WINDOWS\system32\ieve.exe
O4 - HKLM\..\RunOnce: [appzi32.exe] C:\WINDOWS\system32\appzi32.exe
O4 - HKLM\..\RunOnce: [ipez32.exe] C:\WINDOWS\ipez32.exe
O4 - HKLM\..\RunOnce: [apibu32.exe] C:\WINDOWS\apibu32.exe
O4 - HKLM\..\RunOnce: [msqp32.exe] C:\WINDOWS\msqp32.exe
O4 - HKLM\..\RunOnce: [crlb32.exe] C:\WINDOWS\crlb32.exe
O4 - HKLM\..\RunOnce: [syskq.exe] C:\WINDOWS\syskq.exe
O4 - HKLM\..\RunOnce: [winse.exe] C:\WINDOWS\winse.exe
O4 - HKLM\..\RunOnce: [atldf32.exe] C:\WINDOWS\atldf32.exe
O4 - HKLM\..\RunOnce: [netbn.exe] C:\WINDOWS\system32\netbn.exe
O4 - HKLM\..\RunOnce: [javaxr32.exe] C:\WINDOWS\system32\javaxr32.exe
O4 - HKLM\..\RunOnce: [javamg32.exe] C:\WINDOWS\javamg32.exe
O4 - HKLM\..\RunOnce: [d3lt.exe] C:\WINDOWS\system32\d3lt.exe
O4 - HKLM\..\RunOnce: [sdkbi.exe] C:\WINDOWS\system32\sdkbi.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\mfctb32.exe
O4 - HKLM\..\RunOnce: [winkh32.exe] C:\WINDOWS\system32\winkh32.exe
O4 - HKLM\..\RunOnce: [appda32.exe] C:\WINDOWS\appda32.exe
O4 - HKLM\..\RunOnce: [d3iw32.exe] C:\WINDOWS\d3iw32.exe
O4 - HKLM\..\RunOnce: [sysny.exe] C:\WINDOWS\system32\sysny.exe
O4 - HKLM\..\RunOnce: [syshu32.exe] C:\WINDOWS\system32\syshu32.exe
O4 - HKLM\..\RunOnce: [crfj.exe] C:\WINDOWS\crfj.exe
O4 - HKLM\..\RunOnce: [sdkbl.exe] C:\WINDOWS\sdkbl.exe
O4 - HKLM\..\RunOnce: [msfp32.exe] C:\WINDOWS\system32\msfp32.exe
O4 - HKLM\..\RunOnce: [crop.exe] C:\WINDOWS\crop.exe
O4 - HKLM\..\RunOnce: [d3um32.exe] C:\WINDOWS\system32\d3um32.exe
O4 - HKLM\..\RunOnce: [crjj32.exe] C:\WINDOWS\crjj32.exe
O4 - HKLM\..\RunOnce: [apinf32.exe] C:\WINDOWS\apinf32.exe
O4 - HKLM\..\RunOnce: [d3ir.exe] C:\WINDOWS\d3ir.exe
O4 - HKLM\..\RunOnce: [msjn.exe] C:\WINDOWS\system32\msjn.exe
O4 - HKLM\..\RunOnce: [mfclk.exe] C:\WINDOWS\mfclk.exe
O4 - HKLM\..\RunOnce: [appgu.exe] C:\WINDOWS\system32\appgu.exe
O4 - HKLM\..\RunOnce: [ipky32.exe] C:\WINDOWS\system32\ipky32.exe
O4 - HKLM\..\RunOnce: [apizv32.exe] C:\WINDOWS\system32\apizv32.exe
O4 - HKLM\..\RunOnce: [mfcos32.exe] C:\WINDOWS\mfcos32.exe
O4 - HKLM\..\RunOnce: [apioa32.exe] C:\WINDOWS\apioa32.exe
O4 - HKLM\..\RunOnce: [ntse32.exe] C:\WINDOWS\system32\ntse32.exe
O4 - HKLM\..\RunOnce: [winam.exe] C:\WINDOWS\winam.exe
O4 - HKLM\..\RunOnce: [apizq32.exe] C:\WINDOWS\apizq32.exe
O4 - HKLM\..\RunOnce: [javaii32.exe] C:\WINDOWS\system32\javaii32.exe
O4 - HKLM\..\RunOnce: [atliq.exe] C:\WINDOWS\atliq.exe
O4 - HKLM\..\RunOnce: [sysmu.exe] C:\WINDOWS\system32\sysmu.exe
O4 - HKLM\..\RunOnce: [apicr32.exe] C:\WINDOWS\apicr32.exe
O4 - HKLM\..\RunOnce: [sdksz.exe] C:\WINDOWS\sdksz.exe
O4 - HKLM\..\RunOnce: [mswd32.exe] C:\WINDOWS\system32\mswd32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\javafd.exe
O4 - HKLM\..\RunOnce: [javaax32.exe] C:\WINDOWS\javaax32.exe
O4 - HKLM\..\RunOnce: [apiet32.exe] C:\WINDOWS\apiet32.exe
O4 - HKLM\..\RunOnce: [crhf.exe] C:\WINDOWS\system32\crhf.exe
O4 - HKLM\..\RunOnce: [winga32.exe] C:\WINDOWS\system32\winga32.exe
O4 - HKLM\..\RunOnce: [wingi32.exe] C:\WINDOWS\system32\wingi32.exe
O4 - HKLM\..\RunOnce: [apipb32.exe] C:\WINDOWS\apipb32.exe
O4 - HKLM\..\RunOnce: [javatv.exe] C:\WINDOWS\javatv.exe
O4 - HKLM\..\RunOnce: [winjk32.exe] C:\WINDOWS\system32\winjk32.exe
O4 - HKLM\..\RunOnce: [atlzr.exe] C:\WINDOWS\system32\atlzr.exe
O4 - HKLM\..\RunOnce: [ntdv32.exe] C:\WINDOWS\ntdv32.exe
O4 - HKLM\..\RunOnce: [apimw.exe] C:\WINDOWS\apimw.exe
O4 - HKLM\..\RunOnce: [ienc.exe] C:\WINDOWS\ienc.exe
O4 - HKLM\..\RunOnce: [ntmr32.exe] C:\WINDOWS\ntmr32.exe
O4 - HKLM\..\RunOnce: [mfckh.exe] C:\WINDOWS\system32\mfckh.exe
O4 - HKLM\..\RunOnce: [sysjx32.exe] C:\WINDOWS\system32\sysjx32.exe
O4 - HKLM\..\RunOnce: [crhu.exe] C:\WINDOWS\crhu.exe
O4 - HKLM\..\RunOnce: [ntat32.exe] C:\WINDOWS\ntat32.exe
O4 - HKLM\..\RunOnce: [winab.exe] C:\WINDOWS\system32\winab.exe
O4 - HKLM\..\RunOnce: [msef.exe] C:\WINDOWS\system32\msef.exe
O4 - HKLM\..\RunOnce: [apptc32.exe] C:\WINDOWS\apptc32.exe
O4 - HKLM\..\RunOnce: [netjj.exe] C:\WINDOWS\netjj.exe
O4 - HKLM\..\RunOnce: [javann32.exe] C:\WINDOWS\javann32.exe
O4 - HKLM\..\RunOnce: [ipxo.exe] C:\WINDOWS\ipxo.exe
O4 - HKLM\..\RunOnce: [ntdl32.exe] C:\WINDOWS\ntdl32.exe
O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\iprh32.exe
O4 - HKLM\..\RunOnce: [javarn.exe] C:\WINDOWS\system32\javarn.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\system32\ipgc.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on the *delete4.bat* file to run it. Let it run and it will delete the bad files.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
Click on the "*Cleanup*" button and let it run.
Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*
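As an added illustration (not code from this thread or from any of the tools named in it), the following Python script parses HijackThis entries in the format quoted in the two removal posts above and flags the ones matching the pattern Flrman1 has nv13 fixing: R0/R1 search-page values pointing at a local res:// DLL, O2 BHOs named "Class" or loading a random-named DLL, O4 Run/RunOnce autoruns of random-named files dropped straight into C:\WINDOWS or system32, and an O23 service calling itself "Remote Procedure Call (RPC) Helper". The sample log is constructed from a handful of the entries on this page plus two legitimate-looking entries for contrast; the prefix list in `RANDOM_NAME`, the `KNOWN_GOOD` allowlist and the O23 line's path are assumptions, not facts from the thread.

```python
import re
from dataclasses import dataclass

# Filename shape shared by every O2/O4 entry quoted in this thread: a short
# "system-sounding" prefix, two random letters, optional "32", then .exe/.dll.
# The prefix list is derived from the entries on this page (assumption, not a
# published signature); tune it before using against other logs.
RANDOM_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.(?:exe|dll)$",
    re.IGNORECASE,
)
# Legitimate Windows binaries whose names happen to fit the shape (illustrative allowlist).
KNOWN_GOOD = {"netsh.exe", "winmm.dll"}
# The dropper in this thread wrote directly into these two directories.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample in HijackThis v1.99 format: entries copied from this thread,
# two benign-looking entries for contrast, and one constructed O23 line (placeholder path).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\keojl.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Class - {0427CF01-0410-2654-E229-75B55A233C97} - C:\WINDOWS\apipc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [mslx.exe] C:\WINDOWS\mslx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [atlkl.exe] C:\WINDOWS\system32\atlkl.exe
O4 - HKLM\..\RunOnce: [javahf32.exe] C:\WINDOWS\javahf32.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\system32\placeholder.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def _split_path(path: str):
    """Return (directory, filename) lowercased; honours a quoted path with trailing arguments."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    directory, _, filename = path.lower().rpartition("\\")
    return directory, filename


def suspicious_file(path: str) -> bool:
    """True when the file sits bare in a drop directory and carries the random-name shape."""
    directory, filename = _split_path(path)
    return (
        directory in DROP_DIRS
        and filename not in KNOWN_GOOD
        and RANDOM_NAME.match(filename) is not None
    )


def classify(line: str):
    """Map one HijackThis line to a Finding, or None when it looks benign or is not handled."""
    line = line.strip()
    if line.startswith(("R0 ", "R1 ")):
        value = line.split("=", 1)[1].strip() if "=" in line else ""
        if value.lower().startswith("res://"):
            return Finding(line, "IE start/search page redirected to a local res:// DLL")
    elif line.startswith("O2 "):
        m = re.match(r"O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
        # A BHO registered with the placeholder name "Class" is itself a red flag here.
        if m and (m.group(1) == "Class" or suspicious_file(m.group(2))):
            return Finding(line, "BHO with placeholder name or random-named DLL")
    elif line.startswith("O4 "):
        m = re.match(r"O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$", line)
        if m and suspicious_file(m.group(4)):
            return Finding(line, f"{m.group(2)} autorun of random-named file")
    elif line.startswith("O23 "):
        m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
        # Only the "Helper" impostor is flagged; the real RPC and RPC Locator services are not.
        if m and (m.group(1).startswith("Remote Procedure Call (RPC) Helper")
                  or suspicious_file(m.group(3))):
            return Finding(line, "service impersonating RPC or running a random-named file")
    return None


def scan(log_text: str) -> list:
    """Return every Finding for the given HijackThis log text."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.reason}] {finding.line}")
```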


----------



## nv13 (Aug 21, 2005)

flrman1,
I could not run the online scan after restarting in normal mode and I still get the message that TROJ_STARTPAG.RE is quarantined from Trend Micro AV when I start IE.
nv13
PS: I am attaching the new HijackThis Log file.


----------



## Flrman1 (Jul 26, 2002)

I don't know what is amiss here, but something is. You are either doing something wrong or skipping something because this procedure will work if done correctly.

Are you stopping and disabling the Remote Procedure Call (RPC) Helper service as instructed here?:

* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Remote Procedure Call (RPC) Helper.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

You must make sure to "Click Apply then OK" after it is stopped and disabled. Are you getting that done?


Also, do you have the cwsserviceremove.reg file unzipped and are you running it when instructed?


----------



## nv13 (Aug 21, 2005)

flrman1,
I did as you advised me. The only difference being when I went to the properties of Remote Procedure Call (RPC) Helper, it was already stopped. I did select "Disable" from the drop down menu.
nv13


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
You should re-enable these when we are finished here.

* *Click Here* and download the new version of Killbox and save it to your desktop.

***Sign off the internet and remain offline until this procedure is complete*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)*. These are the legitimate services. Do not stop those two.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*O2 - BHO: Class - {013A22CB-C720-7FB1-F261-300904C98BFD} - C:\WINDOWS\system32\sdkwr32.dll

O2 - BHO: Class - {1B05716B-5FEA-54F5-0792-D4CE74369E8C} - C:\WINDOWS\mfcdd.dll

O2 - BHO: Class - {3A3C9967-8EA1-CE8A-DDF7-C35F20372D9D} - C:\WINDOWS\sdkyb32.dll

O2 - BHO: Class - {4BE23432-C392-D735-5711-ADB1E652BF8E} - C:\WINDOWS\system32\atlzk.dll

O2 - BHO: Class - {6BE009D7-3A3F-8737-E8A9-71197CD9CF6D} - C:\WINDOWS\javacm32.dll

O2 - BHO: Class - {6F6EC77F-0F1A-6A5F-09FE-E88B9DB709D5} - C:\WINDOWS\atlbt.dll

O2 - BHO: Class - {A22E1013-83C1-DCC1-C0B0-A96565205F55} - C:\WINDOWS\syssg32.dll

O2 - BHO: Class - {CF6FA434-3684-C485-3DA3-457122B7B6C7} - C:\WINDOWS\sdkmq.dll

O2 - BHO: Class - {D04E428A-707D-E0C0-D7C3-53A24CB3DBD1} - C:\WINDOWS\system32\ieem32.dll

O2 - BHO: Class - {D3137D6C-5DB4-2572-904E-47959850B407} - C:\WINDOWS\ntjg.dll

O2 - BHO: Class - {D515FFD7-038F-6ED7-3964-B55DA46F9601} - C:\WINDOWS\system32\ieix32.dll

O2 - BHO: Class - {EBCE64E5-5AEC-5937-A3AE-61D28181775D} - C:\WINDOWS\iegn32.dll

O4 - HKLM\..\Run: [mfcho.exe] C:\WINDOWS\mfcho.exe

O4 - HKLM\..\RunOnce: [javale32.exe] C:\WINDOWS\system32\javale32.exe
O4 - HKLM\..\RunOnce: [nteo32.exe] C:\WINDOWS\system32\nteo32.exe
O4 - HKLM\..\RunOnce: [iphp32.exe] C:\WINDOWS\system32\iphp32.exe
O4 - HKLM\..\RunOnce: [sysfq32.exe] C:\WINDOWS\system32\sysfq32.exe
O4 - HKLM\..\RunOnce: [sdkfc32.exe] C:\WINDOWS\system32\sdkfc32.exe
O4 - HKLM\..\RunOnce: [atlhy32.exe] C:\WINDOWS\system32\atlhy32.exe
O4 - HKLM\..\RunOnce: [d3wz32.exe] C:\WINDOWS\system32\d3wz32.exe
O4 - HKLM\..\RunOnce: [ntvm32.exe] C:\WINDOWS\ntvm32.exe
O4 - HKLM\..\RunOnce: [mfcua.exe] C:\WINDOWS\system32\mfcua.exe
O4 - HKLM\..\RunOnce: [nettf.exe] C:\WINDOWS\nettf.exe
O4 - HKLM\..\RunOnce: [atlgn.exe] C:\WINDOWS\system32\atlgn.exe
O4 - HKLM\..\RunOnce: [ipuv.exe] C:\WINDOWS\ipuv.exe
O4 - HKLM\..\RunOnce: [mfcvo.exe] C:\WINDOWS\system32\mfcvo.exe
O4 - HKLM\..\RunOnce: [ieak.exe] C:\WINDOWS\system32\ieak.exe
O4 - HKLM\..\RunOnce: [apiyl.exe] C:\WINDOWS\apiyl.exe
O4 - HKLM\..\RunOnce: [iewu.exe] C:\WINDOWS\iewu.exe
O4 - HKLM\..\RunOnce: [sysjm.exe] C:\WINDOWS\sysjm.exe
O4 - HKLM\..\RunOnce: [sdkob32.exe] C:\WINDOWS\sdkob32.exe
O4 - HKLM\..\RunOnce: [d3ra32.exe] C:\WINDOWS\d3ra32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\system32\addkw.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\mfcho.exe

C:\WINDOWS\system32\sdkwr32.dll

C:\WINDOWS\system32\javale32.exe

C:\WINDOWS\mfcdd.dll

C:\WINDOWS\system32\nteo32.exe

C:\WINDOWS\sdkyb32.dll

C:\WINDOWS\system32\atlzk.dll

C:\WINDOWS\javacm32.dll

C:\WINDOWS\system32\sdkfc32.exe

C:\WINDOWS\atlbt.dll

C:\WINDOWS\syssg32.dll

C:\WINDOWS\system32\iphp32.exe

C:\WINDOWS\sdkmq.dll

C:\WINDOWS\system32\ieem32.dll

C:\WINDOWS\ntjg.dll

C:\WINDOWS\system32\sysfq32.exe

C:\WINDOWS\system32\ieix32.dll

C:\WINDOWS\iegn32.dll

C:\WINDOWS\system32\sdkfc32.exe

C:\WINDOWS\system32\atlhy32.exe

C:\WINDOWS\system32\d3wz32.exe

C:\WINDOWS\ntvm32.exe

C:\WINDOWS\system32\mfcua.exe

C:\WINDOWS\nettf.exe

C:\WINDOWS\system32\atlgn.exe

C:\WINDOWS\ipuv.exe

C:\WINDOWS\system32\mfcvo.exe

C:\WINDOWS\system32\ieak.exe

C:\WINDOWS\apiyl.exe

C:\WINDOWS\iewu.exe

C:\WINDOWS\sysjm.exe

C:\WINDOWS\sdkob32.exe

C:\WINDOWS\system32\javale32.exe

C:\WINDOWS\d3ra32.exe

C:\WINDOWS\system32\addkw.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I am sorry to pester you again, but I am having the same problem: I cannot do the online scan. I am attaching the log file.
thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

We are going to have to get together here sometime when we both are going to be online at the same time so we can work on this until it is fixed. The weekend will be best for me.


----------



## nv13 (Aug 21, 2005)

flrman1,
I will be online on Saturday throughout the day if that's fine with you.
nv13


----------



## Flrman1 (Jul 26, 2002)

Sat. afternoon between 1 and 5 will be good for me.


----------



## nv13 (Aug 21, 2005)

flrman1,
sounds good to me.
thanks
nv13


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching the new log file.
Thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

I'm sorry I was unable to get here yesterday as planned. I will definitely be here today from about 1 pm on. If you want to try and continue this then, please post a new Hijack This log about that time and do not restart your computer after that.

How many user profiles do you have on this computer?


----------



## nv13 (Aug 21, 2005)

flrman1,
There are 2 user accounts on my computer (mine and Guest). I have turned off the Guest account if it helps (anyway, I don't think anyone has ever used it!).
I am attaching the new log file
nv13


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right-click the MS Anti-Spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware".
You should re-enable these when we are finished here.

** First you need to download the following tools and have them ready to run. *Do not* run any of them until instructed to do so:

* Click here to download cwsserviceremove.zip and unzip it to your desktop.

* Download Cleanup from *Here*.
If that link is down, you can get Cleanup *Here*.

Save the Cleanup40 file to your desktop.
 On your desktop, click on the *Cleanup40.exe* icon.
 Then click *RUN* and place a checkmark beside "*I Agree*".
 Then click *NEXT* followed by *START* and *OK*.
 A window will appear with many choices; *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
 Click *OK*.
 *DO NOT RUN IT YET*

* *Click Here* and download the new version of Killbox and save it to your desktop.

* *Click here* to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. *Do Not* run it yet.

* Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop, then click the "Update Button", then click "Check for Update" and download the updates, and then click "Exit", because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

* Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

* *Click here* for info on how to boot to safe mode if you don't already know how.

* *After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete.* Copy these instructions to Notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Network Security Service (NSS)*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*O2 - BHO: Class - {1CC73956-BD3E-B7C2-91C6-AC8D12653645} - C:\WINDOWS\msuk32.dll

O2 - BHO: Class - {2AF50CC1-26BA-FEB7-E5AD-16A2F8E7D672} - C:\WINDOWS\system32\msqz32.dll

O2 - BHO: Class - {2CE88230-1C35-89B5-88A0-B07ACA0B401D} - C:\WINDOWS\system32\ntkn.dll

O2 - BHO: Class - {397FB9F0-460E-EB6D-9E38-BCAECE1DBD48} - C:\WINDOWS\ntyc.dll

O2 - BHO: Class - {3DBE3B76-3521-BE11-EDF8-9D6FD61F6027} - C:\WINDOWS\apple32.dll

O2 - BHO: Class - {410B27BA-B345-48F4-E620-AAFDD2B7C25A} - C:\WINDOWS\system32\ielo.dll

O2 - BHO: Class - {4AA78A1C-2787-A2EF-75B3-675D072C942A} - C:\WINDOWS\system32\mssi32.dll

O2 - BHO: Class - {714795AE-B851-C38C-644A-A0910EFC29CE} - C:\WINDOWS\system32\apirf32.dll

O2 - BHO: Class - {86D92D6D-DD82-43AA-C7DA-575F6D01DEFC} - C:\WINDOWS\ipur.dll

O2 - BHO: Class - {9E11A6C0-0599-5097-40F9-5B318C705AD1} - C:\WINDOWS\system32\appbv32.dll

O2 - BHO: Class - {AEAC41FA-E8BD-B13D-EE1F-5C3661E7CF47} - C:\WINDOWS\system32\d3we32.dll

O2 - BHO: Class - {C15CF044-2EE2-9DB1-30DA-572AAC2B3508} - C:\WINDOWS\system32\ipwt.dll

O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3op.dll

O2 - BHO: Class - {F23DA69D-3800-824F-53AF-DEB5A483DECD} - C:\WINDOWS\system32\d3vi32.dll

O2 - BHO: Class - {FEB759AF-0344-33C1-9B59-C5DB1E7E371F} - C:\WINDOWS\system32\appng.dll

O4 - HKLM\..\Run: [ntsn.exe] C:\WINDOWS\ntsn.exe

O4 - HKLM\..\Run: [addsv32.exe] C:\WINDOWS\system32\addsv32.exe

O4 - HKLM\..\Run: [winib32.exe] C:\WINDOWS\winib32.exe

O4 - HKLM\..\Run: [netnu32.exe] C:\WINDOWS\netnu32.exe

O4 - HKLM\..\RunOnce: [javaqt.exe] C:\WINDOWS\javaqt.exe
O4 - HKLM\..\RunOnce: [mfcvv32.exe] C:\WINDOWS\system32\mfcvv32.exe
O4 - HKLM\..\RunOnce: [msou.exe] C:\WINDOWS\system32\msou.exe
O4 - HKLM\..\RunOnce: [iexn32.exe] C:\WINDOWS\system32\iexn32.exe
O4 - HKLM\..\RunOnce: [windf.exe] C:\WINDOWS\system32\windf.exe
O4 - HKLM\..\RunOnce: [msfi.exe] C:\WINDOWS\msfi.exe
O4 - HKLM\..\RunOnce: [appns.exe] C:\WINDOWS\system32\appns.exe
O4 - HKLM\..\RunOnce: [mspp32.exe] C:\WINDOWS\mspp32.exe
O4 - HKLM\..\RunOnce: [apiky.exe] C:\WINDOWS\apiky.exe
O4 - HKLM\..\RunOnce: [ipyr.exe] C:\WINDOWS\ipyr.exe
O4 - HKLM\..\RunOnce: [iezj.exe] C:\WINDOWS\system32\iezj.exe
O4 - HKLM\..\RunOnce: [ipws.exe] C:\WINDOWS\system32\ipws.exe
O4 - HKLM\..\RunOnce: [winta.exe] C:\WINDOWS\system32\winta.exe
O4 - HKLM\..\RunOnce: [mfchr32.exe] C:\WINDOWS\mfchr32.exe
O4 - HKLM\..\RunOnce: [netpm32.exe] C:\WINDOWS\system32\netpm32.exe
O4 - HKLM\..\RunOnce: [addcx.exe] C:\WINDOWS\system32\addcx.exe
O4 - HKLM\..\RunOnce: [d3ck32.exe] C:\WINDOWS\system32\d3ck32.exe
O4 - HKLM\..\RunOnce: [crxg32.exe] C:\WINDOWS\crxg32.exe
O4 - HKLM\..\RunOnce: [nethz.exe] C:\WINDOWS\system32\nethz.exe
O4 - HKLM\..\RunOnce: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\RunOnce: [ntxu.exe] C:\WINDOWS\system32\ntxu.exe
O4 - HKLM\..\RunOnce: [nttk.exe] C:\WINDOWS\nttk.exe
O4 - HKLM\..\RunOnce: [atlsx.exe] C:\WINDOWS\atlsx.exe
O4 - HKLM\..\RunOnce: [ieyh32.exe] C:\WINDOWS\system32\ieyh32.exe
O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe
O4 - HKLM\..\RunOnce: [appfa32.exe] C:\WINDOWS\system32\appfa32.exe
O4 - HKLM\..\RunOnce: [atlas.exe] C:\WINDOWS\atlas.exe
O4 - HKLM\..\RunOnce: [nteb.exe] C:\WINDOWS\nteb.exe
O4 - HKLM\..\RunOnce: [mfcig.exe] C:\WINDOWS\mfcig.exe
O4 - HKLM\..\RunOnce: [iphv.exe] C:\WINDOWS\system32\iphv.exe
O4 - HKLM\..\RunOnce: [sdkaz32.exe] C:\WINDOWS\sdkaz32.exe
O4 - HKLM\..\RunOnce: [d3rg32.exe] C:\WINDOWS\d3rg32.exe
O4 - HKLM\..\RunOnce: [javams.exe] C:\WINDOWS\system32\javams.exe
O4 - HKLM\..\RunOnce: [apila32.exe] C:\WINDOWS\system32\apila32.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*
C:\WINDOWS\ntsn.exe

C:\WINDOWS\system32\addsv32.exe

C:\WINDOWS\winib32.exe

C:\WINDOWS\netnu32.exe

C:\WINDOWS\javaqt.exe

C:\WINDOWS\system32\mfcvv32.exe

C:\WINDOWS\system32\msou.exe

C:\WINDOWS\system32\iexn32.exe

C:\WINDOWS\system32\windf.exe

C:\WINDOWS\msfi.exe

C:\WINDOWS\system32\appns.exe

C:\WINDOWS\mspp32.exe

C:\WINDOWS\apiky.exe

C:\WINDOWS\ipyr.exe

C:\WINDOWS\system32\iezj.exe

C:\WINDOWS\system32\ipws.exe

C:\WINDOWS\system32\winta.exe

C:\WINDOWS\mfchr32.exe

C:\WINDOWS\system32\netpm32.exe

C:\WINDOWS\system32\addcx.exe

C:\WINDOWS\system32\d3ck32.exe

C:\WINDOWS\crxg32.exe

C:\WINDOWS\system32\nethz.exe

C:\WINDOWS\ipbs32.exe

C:\WINDOWS\system32\ntxu.exe

C:\WINDOWS\nttk.exe

C:\WINDOWS\atlsx.exe

C:\WINDOWS\system32\ieyh32.exe

C:\WINDOWS\system32\sysht.exe

C:\WINDOWS\system32\appfa32.exe

C:\WINDOWS\atlas.exe

C:\WINDOWS\nteb.exe

C:\WINDOWS\mfcig.exe

C:\WINDOWS\system32\iphv.exe

C:\WINDOWS\sdkaz32.exe

C:\WINDOWS\d3rg32.exe

C:\WINDOWS\system32\javams.exe

C:\WINDOWS\system32\apila32.exe

C:\WINDOWS\javaqt.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Run ActiveScan online virus scan *here*

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------
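As an added illustration (not a tool posted in this thread), the following Python reads HijackThis O2, O4 and R0/R1 lines and scores the pattern that repeats in every round above: BHOs with no descriptive name, Run/RunOnce entries whose files carry a system-sounding prefix plus two random letters dropped straight into C:\WINDOWS or system32, and IE search settings redirected into a res:// resource inside a dropped DLL. The entry formats and prefixes are taken from the log lines quoted in the thread; the benign lines in the sample log are constructed.

```python
"""Flag HijackThis (HJT) log lines that fit the hijacker pattern worked through in this thread.

Added example, not a tool from the thread. The heuristics are derived only from the
entries quoted above; the benign sample lines are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Entry formats as they appear in the HJT logs quoted in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>.+)$")

# Dropped files in this thread: a system-sounding prefix, two random letters,
# optional "32", .exe/.dll, written directly into C:\WINDOWS or system32.
PREFIXES = ("sdk", "mfc", "java", "atl", "ie", "nt", "sys", "api", "ip", "d3",
            "net", "app", "add", "win", "ms", "cr")
DROPPER_NAME_RE = re.compile(
    r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$" % "|".join(PREFIXES), re.I)
WINDIR_FILE_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\([^\\]+)$", re.I)
# Search/start-page settings pointed at an HTML resource inside a dropped DLL.
RES_HIJACK_RE = re.compile(r"^res://C:\\WINDOWS\\[^\\/]+\.dll/sp\.html#\d+$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # One strong indicator (res:// hijack) or two weak ones is enough; a
        # dropper-style name alone is not (e.g. winmm.dll fits the pattern).
        return "res:// search hijack" in self.reasons or len(self.reasons) >= 2


def _dropper_in_windir(path: str) -> bool:
    m = WINDIR_FILE_RE.match(path.strip())
    return bool(m and DROPPER_NAME_RE.match(m.group(1)))


def assess_line(line: str) -> Finding:
    """Return a Finding listing the reasons this HJT line resembles the thread's hijacker."""
    f = Finding(line)
    if m := O2_RE.match(line):
        if m.group("name").strip().lower() in ("", "class"):
            f.reasons.append("BHO with no descriptive name")
        if _dropper_in_windir(m.group("path")):
            f.reasons.append("dropper-style filename in Windows dir")
    elif m := O4_RE.match(line):
        path = m.group("path").strip()
        if _dropper_in_windir(path):
            f.reasons.append("dropper-style filename in Windows dir")
        if m.group("key").lower() == "runonce":
            f.reasons.append("RunOnce autostart (re-created on every boot in this thread)")
        if m.group("name").strip().lower() == path.rsplit("\\", 1)[-1].lower():
            f.reasons.append("entry name is just the file name")
    elif m := R_RE.match(line):
        url = m.group("url").strip()
        if RES_HIJACK_RE.match(url):
            f.reasons.append("res:// search hijack")
        elif url.lower() == "about:blank":
            f.reasons.append("about:blank page setting (residue of the hijack)")
    return f


def flagged_lines(log_text: str) -> list:
    """Assess every line of an HJT log and keep only the flagged findings."""
    return [f for f in map(assess_line, log_text.splitlines()) if f.flagged]


# Sample log: hijacker lines quoted in the thread plus constructed benign lines.
SAMPLE_LOG = r"""
O2 - BHO: Class - {013A22CB-C720-7FB1-F261-300904C98BFD} - C:\WINDOWS\system32\sdkwr32.dll
O2 - BHO: Class - {EBCE64E5-5AEC-5937-A3AE-61D28181775D} - C:\WINDOWS\iegn32.dll
O2 - BHO: Example Toolbar Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [mfcho.exe] C:\WINDOWS\mfcho.exe
O4 - HKLM\..\RunOnce: [javale32.exe] C:\WINDOWS\system32\javale32.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bgofm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
"""

if __name__ == "__main__":
    for finding in flagged_lines(SAMPLE_LOG):
        print(finding.line, "->", "; ".join(finding.reasons))
```

The about:blank line is deliberately left unflagged on its own, since it is only residue once the res:// settings are gone; the helper still lists it for HijackThis to fix.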



## nv13 (Aug 21, 2005)

flrman1,
I cannot maximize the scan window and so cannot save the scan results. Also, it won't let me see if it has disinfected the virus or not.
nv13


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right-click the MS Anti-Spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware".
*Leave it disabled until we are finished here*.

* *Sign off the internet and remain offline until this procedure is complete.* Copy these instructions to Notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Network Security Service (NSS)*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*O2 - BHO: Class - {D536553A-8454-B7B7-A46A-2844AD256394} - C:\WINDOWS\system32\sdkbk32.dll

O2 - BHO: Class - {EF309E36-716B-7280-E846-0F0341C2FC93} - C:\WINDOWS\system32\mfcqi32.dll

O4 - HKLM\..\Run: [javanp.exe] C:\WINDOWS\system32\javanp.exe

O4 - HKLM\..\RunOnce: [crow.exe] C:\WINDOWS\system32\crow.exe
O4 - HKLM\..\RunOnce: [ntki.exe] C:\WINDOWS\system32\ntki.exe
O4 - HKLM\..\RunOnce: [d3om.exe] C:\WINDOWS\system32\d3om.exe
O4 - HKLM\..\RunOnce: [atlzy.exe] C:\WINDOWS\system32\atlzy.exe
O4 - HKLM\..\RunOnce: [ntgb.exe] C:\WINDOWS\system32\ntgb.exe
O4 - HKLM\..\RunOnce: [ieih32.exe] C:\WINDOWS\system32\ieih32.exe
O4 - HKLM\..\RunOnce: [sdksa.exe] C:\WINDOWS\sdksa.exe

O4 - HKLM\..\RunOnce: [crdn32.exe] C:\WINDOWS\system32\crdn32.exe
O4 - HKLM\..\RunOnce: [appof32.exe] C:\WINDOWS\system32\appof32.exe
O4 - HKLM\..\RunOnce: [ipms.exe] C:\WINDOWS\system32\ipms.exe
O4 - HKLM\..\RunOnce: [crru.exe] C:\WINDOWS\crru.exe
O4 - HKLM\..\RunOnce: [javaaa.exe] C:\WINDOWS\javaaa.exe
O4 - HKLM\..\RunOnce: [iewg32.exe] C:\WINDOWS\iewg32.exe
O4 - HKLM\..\RunOnce: [javaof.exe] C:\WINDOWS\system32\javaof.exe
O4 - HKLM\..\RunOnce: [crwn32.exe] C:\WINDOWS\system32\crwn32.exe
O4 - HKLM\..\RunOnce: [sdkuo.exe] C:\WINDOWS\system32\sdkuo.exe
O4 - HKLM\..\RunOnce: [appyb.exe] C:\WINDOWS\appyb.exe
O4 - HKLM\..\RunOnce: [netry32.exe] C:\WINDOWS\system32\netry32.exe
O4 - HKLM\..\RunOnce: [apivo32.exe] C:\WINDOWS\apivo32.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\system32\ieko.exe
O4 - HKLM\..\RunOnce: [iezq.exe] C:\WINDOWS\system32\iezq.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [atlqr.exe] C:\WINDOWS\system32\atlqr.exe
O4 - HKLM\..\RunOnce: [d3vs32.exe] C:\WINDOWS\d3vs32.exe
O4 - HKLM\..\RunOnce: [atlzh.exe] C:\WINDOWS\system32\atlzh.exe
O4 - HKLM\..\RunOnce: [d3nc.exe] C:\WINDOWS\system32\d3nc.exe
O4 - HKLM\..\RunOnce: [apink32.exe] C:\WINDOWS\system32\apink32.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\system32\javanp.exe

C:\WINDOWS\system32\crow.exe

C:\WINDOWS\system32\ntki.exe

C:\WINDOWS\system32\d3om.exe

C:\WINDOWS\system32\atlzy.exe

C:\WINDOWS\system32\ntgb.exe

C:\WINDOWS\system32\ieih32.exe

C:\WINDOWS\sdksa.exe

C:\WINDOWS\system32\crdn32.exe

C:\WINDOWS\system32\appof32.exe

C:\WINDOWS\system32\ipms.exe

C:\WINDOWS\crru.exe

C:\WINDOWS\javaaa.exe

C:\WINDOWS\iewg32.exe

C:\WINDOWS\system32\javaof.exe

C:\WINDOWS\system32\crwn32.exe

C:\WINDOWS\system32\sdkuo.exe

C:\WINDOWS\appyb.exe

C:\WINDOWS\system32\netry32.exe

C:\WINDOWS\apivo32.exe

C:\WINDOWS\system32\ieko.exe

C:\WINDOWS\system32\iezq.exe

C:\WINDOWS\system32\apisa32.exe

C:\WINDOWS\system32\atlqr.exe

C:\WINDOWS\d3vs32.exe

C:\WINDOWS\system32\atlzh.exe

C:\WINDOWS\system32\d3nc.exe

C:\WINDOWS\system32\apink32.exe

C:\WINDOWS\system32\crow.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I regret telling you this, but the housescan didn't work again.
nv13
ps: posting a new log file


----------



## Flrman1 (Jul 26, 2002)

* *Sign off the internet and remain offline until this procedure is complete.* Copy these instructions to Notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Workstation NetLogon Service*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bgofm.dll/sp.html#44768

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bgofm.dll/sp.html#44768

O2 - BHO: Class - {75ADD628-AC15-21C5-A0CB-117FD483C169} - C:\WINDOWS\sdkpu.dll

O2 - BHO: Class - {935DFB05-7DED-A169-BFC9-B6F91461D1D1} - C:\WINDOWS\ntjk.dll

O4 - HKLM\..\Run: [ipuu.exe] C:\WINDOWS\system32\ipuu.exe

O4 - HKLM\..\RunOnce: [winwh.exe] C:\WINDOWS\winwh.exe
O4 - HKLM\..\RunOnce: [apiqm32.exe] C:\WINDOWS\apiqm32.exe
O4 - HKLM\..\RunOnce: [addpz.exe] C:\WINDOWS\system32\addpz.exe
O4 - HKLM\..\RunOnce: [ieeq32.exe] C:\WINDOWS\system32\ieeq32.exe
O4 - HKLM\..\RunOnce: [atlof.exe] C:\WINDOWS\atlof.exe
O4 - HKLM\..\RunOnce: [appyl32.exe] C:\WINDOWS\system32\appyl32.exe
O4 - HKLM\..\RunOnce: [mslv32.exe] C:\WINDOWS\system32\mslv32.exe
O4 - HKLM\..\RunOnce: [d3jo.exe] C:\WINDOWS\system32\d3jo.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\system32\ipuu.exe

C:\WINDOWS\winwh.exe

C:\WINDOWS\apiqm32.exe

C:\WINDOWS\system32\addpz.exe

C:\WINDOWS\system32\ieeq32.exe

C:\WINDOWS\atlof.exe

C:\WINDOWS\system32\appyl32.exe

C:\WINDOWS\system32\mslv32.exe

C:\WINDOWS\system32\d3jo.exe

C:\WINDOWS\winwh.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

*Post a new HiJackThis log*


----------



## nv13 (Aug 21, 2005)

thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

* *Sign off the internet and remain offline until this procedure is complete.* Copy these instructions to Notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Network Security Service*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*O2 - BHO: Class - {79FF8BA5-13A4-3B7B-94CB-934036477AA3} - C:\WINDOWS\system32\atlrk.dll

O2 - BHO: Class - {C8C9402D-2260-8492-AA3D-8CEE7DD228B1} - C:\WINDOWS\system32\msud32.dll

O2 - BHO: Class - {DE38BD82-BD56-7146-CBF0-79316BD0D85F} - C:\WINDOWS\system32\ntzf.dll

O4 - HKLM\..\Run: [iewn32.exe] C:\WINDOWS\system32\iewn32.exe

O4 - HKLM\..\RunOnce: [ipgq32.exe] C:\WINDOWS\ipgq32.exe

O4 - HKLM\..\RunOnce: [d3ef.exe] C:\WINDOWS\system32\d3ef.exe

O4 - HKLM\..\RunOnce: [winih.exe] C:\WINDOWS\system32\winih.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\system32\atlrk.dll

C:\WINDOWS\system32\msud32.dll

C:\WINDOWS\system32\ntzf.dll

C:\WINDOWS\system32\iewn32.exe

C:\WINDOWS\ipgq32.exe

C:\WINDOWS\system32\d3ef.exe

C:\WINDOWS\system32\winih.exe

C:\WINDOWS\ipgq32.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

*Post a new HiJackThis log*


----------



## nv13 (Aug 21, 2005)

flrman1,
sorry for the delay.
nv13


----------



## Flrman1 (Jul 26, 2002)

* *Sign off the internet and remain offline until this procedure is complete.* Copy these instructions to Notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

** Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.

* Run Hijack This and put a check by all of the following entries:

*O2 - BHO: Class - {2DB1C7E6-C436-401E-0374-ECF3202CF49B} - C:\WINDOWS\apphq.dll

O2 - BHO: Class - {4B05C084-12D2-0FF6-D490-A0CF45280E50} - C:\WINDOWS\d3ni.dll

O2 - BHO: Class - {F101F265-732D-2CAC-ECDB-8A41D24BFF99} - C:\WINDOWS\syswf.dll

O4 - HKLM\..\Run: [ipen.exe] C:\WINDOWS\ipen.exe

O4 - HKLM\..\RunOnce: [msox.exe] C:\WINDOWS\msox.exe
O4 - HKLM\..\RunOnce: [javazt.exe] C:\WINDOWS\system32\javazt.exe
O4 - HKLM\..\RunOnce: [syskp.exe] C:\WINDOWS\system32\syskp.exe
O4 - HKLM\..\RunOnce: [ntld32.exe] C:\WINDOWS\system32\ntld32.exe
O4 - HKLM\..\RunOnce: [apias32.exe] C:\WINDOWS\system32\apias32.exe
O4 - HKLM\..\RunOnce: [addbu.exe] C:\WINDOWS\system32\addbu.exe
O4 - HKLM\..\RunOnce: [systq.exe] C:\WINDOWS\systq.exe
O4 - HKLM\..\RunOnce: [ntcw32.exe] C:\WINDOWS\system32\ntcw32.exe
O4 - HKLM\..\RunOnce: [syswf.exe] C:\WINDOWS\syswf.exe*

After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\apphq.dll

C:\WINDOWS\d3ni.dll

C:\WINDOWS\syswf.dll

C:\WINDOWS\ipen.exe

C:\WINDOWS\msox.exe

C:\WINDOWS\system32\javazt.exe

C:\WINDOWS\system32\syskp.exe

C:\WINDOWS\system32\ntld32.exe

C:\WINDOWS\system32\apias32.exe

C:\WINDOWS\system32\addbu.exe

C:\WINDOWS\systq.exe

C:\WINDOWS\system32\ntcw32.exe

C:\WINDOWS\syswf.exe

C:\WINDOWS\msox.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

* Run About Buster one more time.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Restart back into Windows normally now and do the following:

*Post a new HiJackThis log*


----------



## nv13 (Aug 21, 2005)

flrman1,
I didn't get the warning from Trend Micro this time regarding the Troj when I opened IE. I am attaching the log file. Thank you for your patience.
nv13


----------



## Flrman1 (Jul 26, 2002)

The log looks good now.

Let's see if we can get an online scan to run now.

Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching the active scan results
nv13


----------



## Flrman1 (Jul 26, 2002)

Post a new Hijack This log too please.


----------



## Flrman1 (Jul 26, 2002)

I am attaching a delete5.zip file to this post. Download it and save it to your desktop. Unzip the delete5.zip file to extract the delete5.bat file it contains.

Restart your computer into safe mode.

Doubleclick on the delete5.bat file and let it run. It will delete the infected files from the Activescan.

After it has finished, restart to Windows normally.

Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## nv13 (Aug 21, 2005)

flrman1,
I am attaching the new Hijackthis log file and the Housecall scan results.
thanks
nv13


----------



## Flrman1 (Jul 26, 2002)

Clean! :up:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## nv13 (Aug 21, 2005)

flrman1,
I appreciate you helping me with my problem and advising me on secure internet surfing.
nv13


----------



## Flrman1 (Jul 26, 2002)

You're welcome!


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

