Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.
This hijack may take a couple of tries to remove. If you have any questions during this process, please ask us (just don't restart or shut down - unless the instructions say so).
Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.
1. Run the CleanUp! program and click on the CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.
2. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete
DateTime
If any of the above registry keys give you problems when deleting them, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.
3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File'.
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).
Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):
c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\fn4021hmg.dll
C:\WINDOWS\system32\spOrder.dll
C:\WINDOWS\sixtypopsix.exe
c:\windows\system32\azosev.exe
4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.
5. Run HijackThis and do a scan. Check and fix the following:
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [azosev] c:\windows\system32\azosev.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\fn4021hmg.dll
Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.
Run the CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.
6. Reboot into Normal Mode and post a new HijackThis log only.
Go to c:\windows\system32\drivers\etc and open up the hosts file (no extensions) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:
127.0.0.1 localhost
If you have anything after that, please post it here.
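
The hosts file check from the last step can also be done with a short script. This is an added example, not part of the original post: it lists every active (non-comment) line other than the default `localhost` mapping, wherever it sits in the file, and notes whether it points at loopback or elsewhere. The function names and the sample file contents are constructed for illustration; only the file path comes from the post.

```python
import ipaddress

# Constructed sample, not taken from any real machine: comment header,
# the default localhost line, and three extra entries worth reporting.
SAMPLE_HOSTS = """\
# sample header comment
# another comment line

127.0.0.1       localhost
127.0.0.1       ads.example.test      # inline comment
203.0.113.10    search.example.test www.example.test
not-an-ip       broken.example.test
"""

def extra_hosts_entries(text):
    """Return (line_no, address, names, note) for every active line
    other than the default loopback mapping of 'localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments, inline ones too
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "malformed address"))
            continue
        if ip.is_loopback and names == ["localhost"]:
            continue                          # the one expected entry
        note = ("loopback (name is blocked locally)" if ip.is_loopback
                else "redirects to a non-loopback address")
        findings.append((line_no, address, names, note))
    return findings

def audit_file(path=r"c:\windows\system32\drivers\etc\hosts"):
    """Run the same check against the hosts file named in the post."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return extra_hosts_entries(fh.read())

if __name__ == "__main__":
    for line_no, address, names, note in extra_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {' '.join(names)}  [{note}]")
```

An empty result means the file holds only comments and the `localhost` line; anything it prints is what the post asks to have reported.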