Over run with pop ups

  1. #1
    mltor (Newbie)

    Over run with pop ups

    Spyware program I scanned with - Adaware and Spybot

    Downloaded the latest spyware definition updates before running my scan

    It found and/or removed - Several files were listed in both scans (too many to list)

    Antivirus program I scanned with - NAV as well as House call on line scan

    Used the latest virus definition updates before I scanned

    What viruses it found and/or removed - 41 total virus / trojans found

    What operating system I am using - XP Pro

    What problems my system is still displaying - Many popups as well as icons appearing randomly on the desktop.



    Please see HJT log below



    Logfile of HijackThis v1.98.2
    Scan saved at 12:52:08 PM, on 12/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    C:\Program Files\SED\SED.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\windows\system32\saie.exe
    C:\WINDOWS\System32\hpgxnvwm.exe
    C:\WINDOWS\rjojsc.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\WINDOWS\System32\winupdt.exe
    C:\Program Files\AdDestroyer\AdDestroyer.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\WINDOWS\System32\winupdt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\icarage.exe
    C:\WINDOWS\System32\icwcd.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.bellsouth.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvyel32.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [yesdtma] C:\WINDOWS\System32\hpgxnvwm.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\rjojsc.exe] C:\WINDOWS\rjojsc.exe
    O4 - HKLM\..\Run: [dzpfrc] C:\WINDOWS\System32\dzpfrc.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\Cache\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [mnktmb] C:\WINDOWS\mnktmb.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [rF9R36T] icwcd.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [aoq5RWf7g] icarage.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.sc5.yahoo.com/ja...lgcst1008_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


  2. #2
    HJM (Valued Member)
    It would be quicker for me to tell you what infections you don't have here.

    Instructions to follow shortly. This could take a while.

  3. #3
    HJM (Valued Member)
    Please copy these instructions to notepad or print them out. We'll be working in Safe Mode a little later and you may not be able to access the internet.

    Please read all the instructions carefully and query anything you're unsure of before starting.

    OK, let's get cracking on this, it may take a long time. Regardless of what steps you took before posting your log, please follow all procedures.

    Tools you will need to download before starting:-

    CWShredder
    LSP-Fix.zip



    Disable System Restore
    Click Start >
    Right click on My Computer> Properties> System Restore
    and tick the box that says 'Turn off System Restore'

    Run an online virus scan at TrendMicro using the 'Autoclean' option and an Online Trojan Scan. Let them fix everything they find.

    When you get the all clear,
    turn System Restore back on.
    Click Start >
    Right click on My Computer> Properties> System Restore
    and Untick the box that says 'Turn off System Restore'
    Then go to
    Start> All Programs> Accessories> System Tools> System Restore
    and create a new Restore Point.

    Re-enable NAV.



    Please now run CWShredder.
    Close all windows & browsers
    click Fix not just ('Scan Only'),
    Let it fix everything it finds.


    Go to Add/Remove Programs and delete any of the following if found:-

    WAST
    MSIETS
    Internet 404
    Tools for Internet Explorer
    Search Toolbar

    Web Search Toolbar
    Win-Tools Easy Installer
    DownloadWare
    CtxPls
    CPR
    Wintools

    Wintools Easy Installer
    Wintools for Internet Explorer
    POP

    Then doublecheck to make sure you haven't missed any.
    Please be sure to have an internet connection while doing this as some cannot be removed without it. If any of these are still present after the first fix, we may have to remove them manually.

    To clear up the remnants of one of the above.
    Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following command lines one by one:-

    cd "%WinDir%\System"
    regsvr32 /u "..\bxs5.dll"
    regsvr32 /u "..\bxxs5.dll"


    Exit DOS window.

    Then open the registry. Please be careful in here. Only delete what instructed to. Click 'Start', choose 'Run', and enter 'regedit'
    Before you edit the registry, you should make a backup
    Click ' FILE\Export Registry File'.
    Call it REGBACKUP and save it on your desktop.
    Now navigate to the following key:-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    and delete 'Bxxs5' or 'Bxsx5' if found.
    Exit registry.

    Run Ad-Aware SE again but configure it as per the Ad-Aware Tutorial instructions. (link in my signature below)

    Go and make yourself a cuppa and take 5



    Now close all windows and browsers, run HJT again and check mark the following making sure you don't miss any:-


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvyel32.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [yesdtma] C:\WINDOWS\System32\hpgxnvwm.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\rjojsc.exe] C:\WINDOWS\rjojsc.exe
    O4 - HKLM\..\Run: [dzpfrc] C:\WINDOWS\System32\dzpfrc.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\Cache\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [mnktmb] C:\WINDOWS\mnktmb.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [rF9R36T] icwcd.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [aoq5RWf7g] icarage.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


    Click FIX CHECKED



    Please now run LSPFix.zip
    Disconnect from the Internet and close all Internet Explorer Windows.
    Check the "I know what I'm doing" button and move all instances of aklsp.dll from the left panel to the right panel, then click ‘Finish’

    (If you lose your internet connection please run HijackThis again and check that 'aklsp.dll' is still the file name at the end of the below blue entry in HJT. If it's changed, follow LSPFix instructions using this new file name in the fix)

    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll



    Now Set Windows to 'Show all files & folders'.
    Click Start > My Computer> Tools> Folder Options>
    On the View tab make sure that you:-

    Select 'Show Hidden Files & Folders'
    Uncheck 'Hide file extensions for known file types'.
    Uncheck 'Hide protected operating system files'.
    Click OK.


    Reboot into Safe Mode.
    Tap F8 repeatedly when your machine starts to boot up.
    Select 'Safe Mode' from the options that appear.


    Go to C:\WINDOWS and delete the following files/folders if found:-
    bsx32
    AdRoar.dll
    rjojsc.exe
    bxxs5.dll
    wast2.exe 2
    ARUpdate.exe
    conscorr.exe
    mnktmb.exe
    wupdt.exe



    Go to C:\WINDOWS\system32 and delete the following files:-
    kalvyel32.exe
    stcloader.exe
    saie.exe
    winupdtl.exe
    hpgxnvwm.exe
    dzpfrc.exe
    Cache (containing cxtpls_loader.exe)
    icwcd.exe
    icarage.exe



    Go to C:\Program Files and delete the following folders:-
    MySearch
    SED
    Web_Rebates
    AutoUpdate
    AdDestroyer


    Go to C:\PROGRA~1 and delete the following folders:-
    Toolbar
    VBOUNCER
    ezula
    Web Offer


    Go to C:\PROGRA~1\COMMON~1 and delete the following folder:-
    WinTools


    Clean out temporary files:
    * Go to Start | Run | type cleanmgr | OK
    * Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the ONLY things checked.
    * Let it scan your system for files to remove.
    * Press OK to remove them.


    Open HijackThis again.
    Click 'Config' (bottom right) > Misc Tools > Open Hosts File Manager
    Delete everything inside apart from 127.0.0.1 Localhost
    Exit HijackThis.


    VERY IMPORTANT:
    You Need to Update Windows and IE to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.
    Please go to Windows Update, download and install the Service Pack and ALL Critical Updates.



    Reboot and post a fresh log detailing any problems you encountered.
    Last edited by HJM; 14-12-2004 at 10:23 AM.
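As an added example (not part of this thread), a small Python parser for the HijackThis log format used above: it separates the running-process list from the tagged entries, normalises each O4 Run value to the file it actually launches (quoted paths, trailing arguments, rundll32 payloads), and reports which autorun targets are currently running, which is the cross-check a helper does by eye before deciding what to fix. The sample input is a constructed subset of the log posted above.

```python
import re
# Constructed subset of the HijackThis log posted above, used as sample input.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\rjojsc.exe
C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [C:\WINDOWS\rjojsc.exe] C:\WINDOWS\rjojsc.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
"""
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")      # "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^[^:]+: \[([^\]]*)\] (.*)$")   # key, [value name], command line
PATH_RE = re.compile(r".+?\.(?:exe|dll)", re.I)    # first .exe/.dll token in a command

def parse_hjt(text):
    """Return (running-process paths, [(section, detail), ...]) from HJT log text."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False                      # blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(ENTRY_RE.match(line).groups())
    return processes, entries

def autorun_targets(entries):
    """Map each O4 value name to the file it launches: quotes, arguments and rundll32 stripped."""
    targets = {}
    for sec, rest in entries:
        m = O4_RE.match(rest) if sec == "O4" else None
        if m:
            name, cmd = m.groups()
            if cmd.lower().startswith("rundll32"):  # payload is the DLL argument
                cmd = cmd.split(None, 1)[1]
            p = PATH_RE.match(cmd.lstrip('"'))
            targets[name] = p.group(0) if p else cmd.split()[0]
    return targets

def running_autoruns(processes, targets):
    """Autorun names whose target is currently running; bare file names match by basename."""
    full = {p.lower() for p in processes}
    base = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    return [n for n, t in targets.items()
            if t.lower() in full or ("\\" not in t and t.lower() in base)]
```

Feeding a full log to `parse_hjt` and then `running_autoruns` gives the list of Run entries that are both persisting and live, which is a good first cut at what a fresh log should no longer show after the fix.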
