Winshow.AY Trojan

  1. 25-02-2005  #1
    orthopod
    orthopod is offline Newbie

    Winshow.AY Trojan

    My computer has been infected with Winshow.AY Trojan. Ad-Aware and Pest Patrol don't find it. I also ran TDS-3 in Safe Mode & it couldn't find anything. eTrust EZ Antivirus finds it( usually 3 in System32 and 3 others in the Volume Information files. It deletes them but as soon as I reboot, they are right back with different file names preceeding the Winshow name. How in the world can I get rid of this pest? Here is a HijackThis log from

    Logfile of HijackThis v1.99.1
    Scan saved at 1:44:03 PM, on 2/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\Program Files\Childrens Hospital\Childrens Hospital VPN Client\cvpnd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\paprport\pptd40nt.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
    D:\PROGRA~1\HPDVD~1\Umbrella\DVDTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\winul32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\WINDOWS\system32\mfcdx32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Marty\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {9661EE88-C705-9B7C-4197-07C69B837D82} - C:\WINDOWS\netdd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
    O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [DVDTray] d:\PROGRA~1\HPDVD~1\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] d:\PROGRA~1\HPDVD~1\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [e0zgd2I8l] c:\documents and settings\andy\local settings\temp\e0zgd2I8l.exe
    O4 - HKLM\..\Run: [AjGbgwhQO] c:\documents and settings\andy\local settings\temp\AjGbgwhQO.exe
    O4 - HKLM\..\Run: [2a963951367a] C:\WINDOWS\System32\rasadhlp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [41.tmp] C:\DOCUME~1\Andy\LOCALS~1\Temp\41.tmp.exe 0 10001
    O4 - HKLM\..\Run: [34] C:\documents and settings\andy\local settings\temp\34.exe
    O4 - HKLM\..\Run: [eYS] C:\documents and settings\andy\local settings\temp\eYS.exe
    O4 - HKLM\..\Run: [IqnNN5F] C:\documents and settings\andy\local settings\temp\IqnNN5F.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
    O4 - HKLM\..\Run: [winul32.exe] C:\WINDOWS\winul32.exe
    O4 - HKLM\..\Run: [21B.tmp] C:\DOCUME~1\Andy\LOCALS~1\Temp\21B.tmp.exe 1 10001
    O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
    O4 - HKLM\..\RunServices: [Windows Hosts File] WindowsHosts.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: HotSync Manager.lnk = D:\HOTSYNC.EXE
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Children's Hospital Children's Hospital VPN Client.lnk = C:\Program Files\Childrens Hospital\Childrens Hospital VPN Client\ipsecdialer.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM95_c1\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
    O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/74f78d29/enter.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/ga...mmon/ieell.cab
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://my.ohiohealth.com/dana-cache...terisSetup.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://my.ohiohealth.com/physician/...vpwo4,CT=java+
    O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/ang...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game13.zylomgames.com/activex...amesplayer.cab
    O16 - DPF: {D965D483-9F35-47D9-AF34-D448CACE97F7} (AAInstall Control) - http://lvaa/accessanyware/AAInstall.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: Accessibility - C:\WINDOWS\system32\bjotvid.dll (file missing)
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Childrens Hospital\Childrens Hospital VPN Client\cvpnd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\mfcdx32.exe
    Last edited by orthopod; 25-02-2005 at 07:45 PM. Reason: Missing Logfile

  3. 28-02-2005  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Hello,
    Please could you download and unzip About:Buster from AboutBuster. Leave it for now, we'll use it later. Also download and install Ad-aware from here.

    Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders beforehand.

    Go to Start> Run and type services.msc.

    Locate Network Security Service (NSS). Double click it and click the Stop button in the Properties window. Select Disabled from the drop down menu next to Startup Type. Click Ok and exit Services.

    Press Ctrl+Alt+Del to get into Task Manager. Once in Task Manager, end the following processes (if they exist):

    mfcdx32.exe

    Restart Hijack This and put a checkmark next to these entries and click Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qmrsy.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9661EE88-C705-9B7C-4197-07C69B837D82} - C:\WINDOWS\netdd.dll
    O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
    O4 - HKLM\..\Run: [e0zgd2I8l] c:\documents and settings\andy\local settings\temp\e0zgd2I8l.exe
    O4 - HKLM\..\Run: [AjGbgwhQO] c:\documents and settings\andy\local settings\temp\AjGbgwhQO.exe
    O4 - HKLM\..\Run: [2a963951367a] C:\WINDOWS\System32\rasadhlp.exe
    O4 - HKLM\..\Run: [41.tmp] C:\DOCUME~1\Andy\LOCALS~1\Temp\41.tmp.exe 0 10001
    O4 - HKLM\..\Run: [34] C:\documents and settings\andy\local settings\temp\34.exe
    O4 - HKLM\..\Run: [eYS] C:\documents and settings\andy\local settings\temp\eYS.exe
    O4 - HKLM\..\Run: [IqnNN5F] C:\documents and settings\andy\local settings\temp\IqnNN5F.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
    O4 - HKLM\..\Run: [winul32.exe] C:\WINDOWS\winul32.exe
    O4 - HKLM\..\Run: [21B.tmp] C:\DOCUME~1\Andy\LOCALS~1\Temp\21B.tmp.exe 1 10001
    O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
    O4 - HKLM\..\RunServices: [Windows Hosts File] WindowsHosts.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O20 - Winlogon Notify: Accessibility - C:\WINDOWS\system32\bjotvid.dll (file missing)
    O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\mfcdx32.exe

    Delete the following files and folders:

    C:\WINDOWS\System32\rasadhlp.exe
    C:\Program Files\Windows AdStatus
    C:\WINDOWS\winul32.exe
    C:\WINDOWS\system32\mfcdx32.exe

    Now run the file aboutbuster.exe that we downloaded earlier. When the tool is open press the Ok button, then the Start button, then the Ok button, and then finally the Yes button. If it asks if you would like to do a second pass, allow it to do so.When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

    Copy the contents of this quote box to Notepad:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SW]
    Click File> Save As. Click the drop down arrow next to Save as type: and select all files. In the filename box type fix.reg. Save it to a convenient location. Once saved, double click it and confirm that you want it to merge with the registry.

    Now Start Ad-aware

    We need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URLs
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Then go to Start> Run and type cleanmgr.

    Put a checkmark next to:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    Click Ok

    Reboot into Normal Mode.

    Note: Two, possibly three files may have been deleted from your computer by the hijacker and may need to be replaced:

    Control.exe. If control.exe is missing go to merijn and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

    hosts (with no extension). Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    SDHelper.dll (if you are using Spybot Search & Destroy). If you have Spybot S&D installed and SDHelper.dll is missing, replace it with this one. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow all ActiveX. In IE, click Tools> Internet Options and then click the Security tab. Click on Custom Level and make sure that the following settings are correct:

    Download signed ActiveX controls (Prompt)
    Download unsigned ActiveX controls (Disable)
    Initialize and script ActiveX controls not marked as safe (Disable)
    Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    Script ActiveX controls marked safe for scripting (Prompt)

    Pay a visit to http://housecall.trendmicro.com and let it scan for and remove any viruses, worms or trojans you may have.

    Then post a fresh Hijack This log and your About:Buster log here.
+ Reply to Thread
« Trojan horse Downloader.smal.18.T | How do I get rid of Searchweb2. It's driving me crazy ! »