Spy Sherrif - HJT Log attached

Hello bdt279 welcome to TSF

Please read through all the instructions carefully first, before carrying out my instructions

Please post the Headers from the HJT log when posting your next log


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

====================================================

Please make sure you are not using an outdated version of Hijack This. Please download and install the latest version by going to this Site


Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).


===================================================

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Download About Buster and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Download and save to your C: drive http://users.telenet.be/marcvn/regfiles/HSfix.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created
We'll need this later.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download Ewido Security Suite Install & Update it's database but do not run it yet.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

=====================================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

Click Start->Run - type SERVICES.MSC & then click on the OK button

• Locate the service - Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I)
• Double-click on it to open the Properties dialog.
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...

• In the popup box that appears, copy and paste Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) into it & then click on the OK button

Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

================================================

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist) (You must kill them one at a time).


C:\winstall.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\system32\d3wc.exe


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

SpySheriff


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)


R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0FA38F98-1D55-4DB3-50F0-DD4C594E086C} - C:\WINDOWS\system32\mfcxd32.dll
O4 - HKLM\..\Run: [apppz.exe] C:\WINDOWS\apppz.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\DOCUME~1\Barry\LOCALS~1\Temp\32.tmp
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Free WebSite Tools.lnk = ?
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/2...OCX/FlashAX.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3wc.exe

Please remember to close all other windows, including browsers then click Fix checked.

Locate and delete the following folder(s), if present:

* C:\Program Files\SpySheriff


Locate and delete the following file(s), if present:

* C:\WINDOWS\system32\d3wc.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CWShredder & Click the [Fix] button.

Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems.

Please go to the HSFix directory and double-click on HSFix.bat.
It will produce a log file, located here: C:\hslog.txt
Please post that log.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the [Save report] button
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply

Reboot to Normal Mode

click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Please save the log to your Desktop

Please post a fresh
Hijack This log,
About Buster log
hslog.txt,
smitfiles.txt
Panda scan
so that we can check if your system is clean.
regards

alba

Hi Alba

OK, no luck again with deleting the NT service but everything else seemed to go fine and (touch wood) there's no sign of Spy Sherrif.

Below are all logs requested.


Thanks again





===========
Hijack This
===========

Scan saved at 18:36:56, on 19/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0FA38F98-1D55-4DB3-50F0-DD4C594E086C} - C:\WINDOWS\system32\mfcxd32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [apppz.exe] C:\WINDOWS\apppz.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\DOCUME~1\Barry\LOCALS~1\Temp\32.tmp
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Motorola Desktop Suite.lnk = C:\Program Files\Motorola\Motorola Desktop Suite\DesktopSuite.exe
O4 - Global Startup: Motorola Desktop Suite mRouter Config.lnk = C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterConfig.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3wc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe



==============
About Buster log
==============

AboutBuster 5.0 reference file 30
Scan started on [19/09/2005] at [18:43:32]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\chwcl.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 18:43:59








==============
hslog.txt,
==============


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
p2.ini
ps.a3d
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-





=============
smitfiles.txt
=============


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!




==============
Panda scan
==============



Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3bb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mssi.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkuk.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mstx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apihu.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winup32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiia32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkbx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcgz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addyx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apijw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkij32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntgk.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3ko.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appxe.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apprv32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mswa32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ienu.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msdp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysfm32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appkq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iexy32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysla.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipgk32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javatm.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntrp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkxd32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\wingk.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addoy.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javajp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javalg.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipbv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3aj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlya32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javaeb32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iedw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\wingt.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mszg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addyb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crxj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netkj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipoy32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlpt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3xj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netoj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javaoc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msqz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipux32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addlf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netxh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntha32.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\WINDOWS\chwcli.dat
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\WINDOWS\dtpzyo.dat
Adware:adware program No disinfected C:\WINDOWS\System32mscore.bin
Adware:Adware/SearchAid No disinfected C:\WINDOWS\edubis.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\lcqgha.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addwh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntmw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlry32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appnf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcze32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atldu32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winnc.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipon32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crhj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlci.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crog32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apizp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3oe.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntwf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appmh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msmv32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winbb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apizw32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msri.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atljp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atldg.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcjd32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntiq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netfl.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipli32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ieuo.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysxf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkcb32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javacp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlhy.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipdc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcnd.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ippz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javaue32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3rs32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkkx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ae.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javasf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netdl.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javajz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3st32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netmp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntgb32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apimu32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msrf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipwh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addza32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crzz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiqh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\windb32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winco32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addep.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlsd32.exe
Dialerialer.BEW No disinfected C:\Documents and Settings\Tammy\Local Settings\Temporary Internet Files\Content.IE5\STU7W9MZ\access[1].cgi
Possible Virus. No disinfected C:\Program Files\HTML Guardian\htmlg.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290609.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290614.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290615.ini
Virus:Trj/Downloader.ECQ Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292950.exe
Virus:Trj/Downloader.ECQ Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292951.exe
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292954.inf
Adware:Adware/Popuper No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300048.dll
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300049.dll
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300050.dll
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300057.dll
Adware:Adware/SearchAid No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300181.dll
Virus:Trj/Microjoin.S Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300182.exe
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300186.exe
Virus:Trj/Downloader.EFA Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300187.dll
Adware:Adware/Spywad No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300188.exe
Adware:Adware/SearchAid No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP454\A0300190.exe
Adware:Adware/SearchAid No disinfected C:\FOUND.052\FILE0000.CHK
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\hjt\backups\backup-20050919-184014-684.dll
Possible Virus. No disinfected C:\installation_files\html_guardian\HTMLGuardian.exe[htmlg.CAB][htmlg.exe]
Possible Virus. No disinfected C:\installation_files\htmlg_pro.zip[pro.exe][htmlg.exe]

Hello and Welcome to TSF!

Your system is still infected with CoolWebShredder , so please carry out my instructions carefully, making sure you run every tool in the order I have given, and do not miss any out

======================================================

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp!.exe - Install

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)
and

Download this again and save to your desktop. Unfortunately we ran the wrong one last time.
HSFix.zip

To ensure you have the latest version please download and update.
Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

====================================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===================================================

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\DOCUME~1\Barry\LOCALS~1\Temp\32.tmp
O4 - Startup: Free WebSite Tools.lnk = ?

Please remember to close all other windows, including browsers then click Fix checked.

=====================================================


Launch KillBox.exe & select the following options:

• delete on Reboot
• end Explorer shell while killing file
• unregister dlll before deleting * if it's not grayed out

Select all the filenames below & then right-click & select Copy

• 
  C:\WINDOWS\system32\d3bb.exe
  C:\WINDOWS\system32\mssi.exe
  C:\WINDOWS\system32\sdkuk.exe
  C:\WINDOWS\system32\mstx32.exe
  C:\WINDOWS\system32\apihu.exe
  C:\WINDOWS\system32\winup32.exe
  C:\WINDOWS\system32\apiia32.exe
  C:\WINDOWS\system32\sdkbx.exe
  C:\WINDOWS\system32\mfcgz32.exe
  C:\WINDOWS\system32\addyx.exe
  C:\WINDOWS\system32\apijw.exe
  C:\WINDOWS\system32\sdkij32.exe
  C:\WINDOWS\system32\ntgk.exe
  C:\WINDOWS\system32\d3ko.exe
  C:\WINDOWS\system32\sysvh32.exe
  C:\WINDOWS\system32\appxe.exe
  C:\WINDOWS\system32\apprv32.exe
  C:\WINDOWS\system32\mswa32.exe
  C:\WINDOWS\system32\ienu.exe
  C:\WINDOWS\system32\msdp.exe
  C:\WINDOWS\system32\sysfm32.exe
  C:\WINDOWS\system32\appkq.exe
  C:\WINDOWS\system32\iexy32.exe
  C:\WINDOWS\system32\sysla.exe
  C:\WINDOWS\system32\ipgk32.exe
  C:\WINDOWS\system32\javatm.exe
  C:\WINDOWS\system32\ntrp.exe
  C:\WINDOWS\system32\sdkxd32.exe
  C:\WINDOWS\system32\wingk.exe
  C:\WINDOWS\system32\addoy.exe
  C:\WINDOWS\system32\javajp32.exe
  C:\WINDOWS\system32\javalg.exe
  C:\WINDOWS\system32\ipbv.exe
  C:\WINDOWS\system32\d3aj32.exe
  C:\WINDOWS\system32\atlya32.exe
  C:\WINDOWS\system32\javaeb32.exe
  C:\WINDOWS\system32\iedw.exe
  C:\WINDOWS\system32\wingt.exe
  C:\WINDOWS\system32\mszg32.exe
  C:\WINDOWS\system32\addyb.exe
  C:\WINDOWS\system32\crxj32.exe
  C:\WINDOWS\system32\netkj.exe
  C:\WINDOWS\system32\ipoy32.exe
  C:\WINDOWS\system32\atlpt32.exe
  C:\WINDOWS\system32\d3xj.exe
  C:\WINDOWS\system32\netoj32.exe
  C:\WINDOWS\system32\javaoc32.exe
  C:\WINDOWS\system32\msqz32.exe
  C:\WINDOWS\system32\ipux32.exe
  C:\WINDOWS\system32\addlf.exe
  C:\WINDOWS\system32\netxh.exe
  C:\WINDOWS\system32\ntha32.exe
  C:\WINDOWS\mstasks1.exe
  C:\WINDOWS\chwcli.dat
  C:\WINDOWS\dtpzyo.dat
  C:\WINDOWS\System32mscore.bin
  C:\WINDOWS\edubis.dat
  C:\WINDOWS\lcqgha.dat
  C:\WINDOWS\addwh32.exe
  C:\WINDOWS\ntmw.exe
  C:\WINDOWS\atlry32.exe
  C:\WINDOWS\appnf32.exe
  C:\WINDOWS\mfcze32.exe
  C:\WINDOWS\atldu32.exe
  C:\WINDOWS\winnc.exe
  C:\WINDOWS\ipon32.exe
  C:\WINDOWS\crhj.exe
  C:\WINDOWS\atlci.exe
  C:\WINDOWS\crog32.exe
  C:\WINDOWS\apizp32.exe
  C:\WINDOWS\d3oe.exe

* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

Click to expand...

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Next, reboot your computer in SafeMode :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

=================================================

Click Start->Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I )
2. Double-click on it to open the Properties dialog.
   • Under the General tab, note down the name of "Service name". We shall need it later.
   • Stop the service by using the Stop button.
   • Change the Startup type to Disabled & then click on the OK button
3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
4. In the popup box that appears, type in "Service name" & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ==


Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.



================================================


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chwcl.dll/sp.html#93256

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0FA38F98-1D55-4DB3-50F0-DD4C594E086C} - C:\WINDOWS\system32\mfcxd32.dll
O4 - HKLM\..\Run: [apppz.exe] C:\WINDOWS\apppz.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3wc.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = ===


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
  [*]Delete Newsgroup Subscriptions
  [*]Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

==================================================

Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


Make sure You Run this
Run Ewido with it's updated definitions...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


=================================================

REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


=================================================


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

• Double-click the tmas-web-scan.exe icon
• It will say "Loading TrendMicro definitions".
• Click "Start Scan"

After it's done scanning, click "Scan Results"

• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


=================================================

In your next post, please include fresh logs from:

1. HiJackThis
   [*] Kaspersky Online scan
   [*] Antispyware.log
   [*] About Buster
   [*] Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now