I am having a problem when I try to run the trendmicro housecall website page. It keeps coming up with the 'send error report' 'don't sent' message,
all the the top box says is internet explorer has encountered a problem ans needs to close.

AboutBuster 5.0 reference file 30
Scan started on [11/07/2005] at [10:24:37]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:zrzijp
Removed Stream! C:\WINDOWS\cadx2.ini:ssswda
Removed Stream! C:\WINDOWS\myyoh.txt:xkllol
Removed Stream! C:\WINDOWS\ntbtlog.txtlvqqw
Removed Stream! C:\WINDOWS\vuepro32.ini:lkgfob
Removed Stream! C:\WINDOWS\_default.pif:aswvqu
Removed Stream! C:\WINDOWS\_default.pif:avvvpu
Removed Stream! C:\WINDOWS\_default.pif:babsaj
Removed Stream! C:\WINDOWS\_default.pif:bbkhu
------------------------------------------------
Removed File! : C:\Windows\ftmwn.dll
Removed File! : C:\Windows\garcu.dll
Removed File! : C:\Windows\mzugp.dll
Removed File! : C:\Windows\rkyeb.dll
Removed File! : C:\Windows\yxumx.dll
Removed File! : C:\Windows\yzucv.dat
Removed File! : C:\Windows\System32\hgimi.dat
Removed File! : C:\Windows\System32\jwmbp.dat
Removed File! : C:\Windows\System32\neqba.dat
Removed File! : C:\Windows\System32\rhdgf.dll
Removed File! : C:\Windows\System32\sxmrw.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:25:29


AboutBuster 5.0 reference file 30
Scan started on [11/07/2005] at [10:26:38]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:bdulnq
Removed Stream! C:\WINDOWS\_default.pif:benwka
Removed Stream! C:\WINDOWS\_default.pif:bkkjda
Removed Stream! C:\WINDOWS\_default.pif:bmcbu
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:27:13

Logfile of HijackThis v1.99.1
Scan saved at 10:43:18, on 11/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mscx32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.2.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3827C3F7-DFA4-9D8D-9E66-CC737E5E91FF} - C:\WINDOWS\cryh.dll
O2 - BHO: Class - {745A4A9A-ABAF-587F-E22C-67741A0C3A2F} - C:\WINDOWS\system32\winqd.dll
O2 - BHO: Class - {A3A1D3DD-CE5C-50A8-BB1C-D6D51301175C} - C:\WINDOWS\apilb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FBD81A45-7D6E-CF78-2720-BF05C51B1F0E} - C:\WINDOWS\system32\sdkuq32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winmd.exe] C:\WINDOWS\system32\winmd.exe
O4 - HKLM\..\Run: [ntcz.exe] C:\WINDOWS\system32\ntcz.exe
O4 - HKLM\..\Run: [sysoy32.exe] C:\WINDOWS\sysoy32.exe
O4 - HKLM\..\Run: [javaej32.exe] C:\WINDOWS\javaej32.exe
O4 - HKLM\..\Run: [ntas.exe] C:\WINDOWS\ntas.exe
O4 - HKLM\..\Run: [mscx32.exe] C:\WINDOWS\system32\mscx32.exe
O4 - HKLM\..\RunOnce: [apirv.exe] C:\WINDOWS\system32\apirv.exe
O4 - HKLM\..\RunOnce: [msou32.exe] C:\WINDOWS\system32\msou32.exe
O4 - HKLM\..\RunOnce: [mfcum.exe] C:\WINDOWS\system32\mfcum.exe
O4 - HKLM\..\RunOnce: [crmi32.exe] C:\WINDOWS\system32\crmi32.exe
O4 - HKLM\..\RunOnce: [ntrp32.exe] C:\WINDOWS\system32\ntrp32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\sysek.exe
O4 - HKLM\..\RunOnce: [ipaz.exe] C:\WINDOWS\system32\ipaz.exe
O4 - HKLM\..\RunOnce: [apinn.exe] C:\WINDOWS\system32\apinn.exe
O4 - HKLM\..\RunOnce: [ntrj32.exe] C:\WINDOWS\ntrj32.exe
O4 - HKLM\..\RunOnce: [nttv.exe] C:\WINDOWS\system32\nttv.exe
O4 - HKLM\..\RunOnce: [d3lo.exe] C:\WINDOWS\d3lo.exe
O4 - HKLM\..\RunOnce: [winpq.exe] C:\WINDOWS\system32\winpq.exe
O4 - HKLM\..\RunOnce: [cryx.exe] C:\WINDOWS\cryx.exe
O4 - HKLM\..\RunOnce: [javajh32.exe] C:\WINDOWS\javajh32.exe
O4 - HKLM\..\RunOnce: [mfcwv32.exe] C:\WINDOWS\system32\mfcwv32.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apirv.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H9CXDLAH\SFUninstaller[1].exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks once again
iant

Hey,iant

Hmm this one looks like it want's to stay

1. Print out these instructions or save them to your desktop as a text file with Notepad because you will be running the fixes in Safe Mode with IE closed.

2. Prepare CWShredder for use: This is a free stand-alone program from Intermute.

Download CWShredder.
Save CWShredder.exe to a convenient location.
Please do not do anything with it yet.

3. Prepare AboutBuster for use:
Download the free tool AboutBuster

here:
http://malwarebytes.biz/AboutBuster.zip


* Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.

* Navigate to the AboutBuster directory and double-click on AboutBuster.exe.

* Click "OK" at the prompt with instructions.

* Click "Update" and then "Check For Update" to begin the update process.

* If any updates exist please download them by clicking "Download Update".

* You should not run the program yet so click "Exit".

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.


Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

again do not run this just yet

OK lit's move on here

Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


Boot into Safe Mode: (Print out or copy the instructions appropriate for your operating system so have them handy when you need to return to normal mode.
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


Press control-alt-delete to get into the task manager and end the follow processes if they exist:
winmd.exe
ntcz.exe
sysoy32.exe
javaej32.exe
ntas.exe
mscx32.exe
crmi32.exe
ntrp32.exe
sysek.exe
ipaz.exe
apinn.exe
ntrj32.exe
nttv.exe
d3lo.exe
winpq.exe
cryx.exe
javajh32.exe
apirv.exe
mfcwv32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htshu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lcwsz.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {3827C3F7-DFA4-9D8D-9E66-CC737E5E91FF} - C:\WINDOWS\cryh.dll
O2 - BHO: Class - {745A4A9A-ABAF-587F-E22C-67741A0C3A2F} - C:\WINDOWS\system32\winqd.dll
O2 - BHO: Class - {A3A1D3DD-CE5C-50A8-BB1C-D6D51301175C} - C:\WINDOWS\apilb32.dll
O2 - BHO: Class - {FBD81A45-7D6E-CF78-2720-BF05C51B1F0E} - C:\WINDOWS\system32\sdkuq32.dll

O4 - HKLM\..\Run: [winmd.exe] C:\WINDOWS\system32\winmd.exe
O4 - HKLM\..\Run: [ntcz.exe] C:\WINDOWS\system32\ntcz.exe
O4 - HKLM\..\Run: [sysoy32.exe] C:\WINDOWS\sysoy32.exe
O4 - HKLM\..\Run: [javaej32.exe] C:\WINDOWS\javaej32.exe
O4 - HKLM\..\Run: [ntas.exe] C:\WINDOWS\ntas.exe
O4 - HKLM\..\Run: [mscx32.exe] C:\WINDOWS\system32\mscx32.exe
O4 - HKLM\..\RunOnce: [crmi32.exe] C:\WINDOWS\system32\crmi32.exe
O4 - HKLM\..\RunOnce: [ntrp32.exe] C:\WINDOWS\system32\ntrp32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\sysek.exe
O4 - HKLM\..\RunOnce: [ipaz.exe] C:\WINDOWS\system32\ipaz.exe
O4 - HKLM\..\RunOnce: [apinn.exe] C:\WINDOWS\system32\apinn.exe
O4 - HKLM\..\RunOnce: [ntrj32.exe] C:\WINDOWS\ntrj32.exe
O4 - HKLM\..\RunOnce: [nttv.exe] C:\WINDOWS\system32\nttv.exe
O4 - HKLM\..\RunOnce: [d3lo.exe] C:\WINDOWS\d3lo.exe
O4 - HKLM\..\RunOnce: [winpq.exe] C:\WINDOWS\system32\winpq.exe
O4 - HKLM\..\RunOnce: [cryx.exe] C:\WINDOWS\cryx.exe
O4 - HKLM\..\RunOnce: [javajh32.exe] C:\WINDOWS\javajh32.exe
O4 - HKLM\..\RunOnce: [mfcwv32.exe] C:\WINDOWS\system32\mfcwv32.exe

O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apirv.exe" /s (file missing)
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H9CXDLAH\SFUninstaller[1].exe" service (file missing)

Now close out of HijackThis & run these here

Run CWShredder:

* Double-click on CWShredder.exe.

* Click "Fix ->" and click "OK" at the prompt.

* CWShredder will scan and clean your system of CWS files.

* Click "Next->" and then "Exit".


Run AboutBuster and save the logs:


* Browse to where you saved AboutBuster and run AboutBuster.exe.

* Click OK at the directions prompt.

* Click Start and then OK to run

* Click Yes to allow it to shutdown explorer.exe.

* It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

* When it has finished, click Save Log. We will need you to post a copy of the log after all steps here are finished.


now run Ewido Security Suite with the settings you did when we installed it


Clean out temporary files:

* Start | Run | type cleanmgr | OK

* Let it scan your system for files to remove.

* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

* Click "OK" to remove them.

* Click "Yes" to confirm the deletion.


To turn off Windows XP System Restore

1. Click Start > Programs > Accessories > Windows Explorer

2. Right-click My Computer, and then click Properties.

3. Click the System Restore tab.

4. Check the "Turn off System Restore" or "Turn off System Restore on all drives"

Click Apply.

Click Yes to do this.

Click OK.


To turn on Windows XP System Restore

After you have restarted, turn System Restore back on

1. Click Start.

2. Right-click My Computer, and then click Properties.

3. Click the System Restore tab.

4. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

5. Click Apply, and then click OK.

NOTE

Please create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.

After that do this here

please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\winmd.exe
C:\WINDOWS\system32\ntcz.exe
C:\WINDOWS\sysoy32.exe
C:\WINDOWS\javaej32.exe
C:\WINDOWS\ntas.exe
C:\WINDOWS\system32\mscx32.exe
C:\WINDOWS\system32\crmi32.exe
C:\WINDOWS\system32\ntrp32.exe
C:\WINDOWS\sysek.exe
C:\WINDOWS\system32\ipaz.exe
C:\WINDOWS\system32\apinn.exe
C:\WINDOWS\ntrj32.exe
C:\WINDOWS\system32\nttv.exe
C:\WINDOWS\d3lo.exe
C:\WINDOWS\system32\winpq.exe
C:\WINDOWS\cryx.exe
C:\WINDOWS\javajh32.exe
C:\WINDOWS\system32\mfcwv32.exe
C:\WINDOWS\system32\apirv.exe
C:\WINDOWS\cryh.dll
C:\WINDOWS\system32\winqd.dll
C:\WINDOWS\apilb32.dll
C:\WINDOWS\system32\sdkuq32.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Now once done & you reboot take care of this right away

click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults (M$)......

Change your homepage and search engines to whatever you wish and reset your pc.

When it boots back up, open IE and see if the page stays the way that you set it.


Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.


Do not open any Windows at all till done with all of
this work & please do this when you have time this
will not work if you start & stop so get it all done at once

& show us the new logfiles

HGD

Hello again.

I have just restarted my pc after following your instructions, I have reset the homepage to google, and this is what opened when I started the internet.

Also a pop up came up straight away titled 'only the best' an advert for pill's

and my norton internet security showed

mssu32.exe is attempting to connect to a dns server.

AboutBuster 5.0 reference file 30
Scan started on [11/07/2005] at [18:06:55]
------------------------------------------------
Removed Stream! C:\WINDOWS\gryfo.dat:nyhclm
Removed Stream! C:\WINDOWS\hrtla.dat:gzspfw
Removed Stream! C:\WINDOWS\n_qejlnn.txt:rfiawl
Removed Stream! C:\WINDOWS\wininit.ini:vfchws
Removed Stream! C:\WINDOWS\wjpvo.dat:nyvnqu
Removed Stream! C:\WINDOWS\_default.pif:arsmzx
------------------------------------------------
Removed File! : C:\Windows\lqlmn.dat
Removed File! : C:\Windows\System32\ryxmc.dat
Removed File! : C:\Windows\System32\ukrok.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 18:07:35


Logfile of HijackThis v1.99.1
Scan saved at 1937, on 11/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mssu32.exe
C:\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hdhxu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.2.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {55C12F70-E431-397D-CD01-A19248DFCBC1} - C:\WINDOWS\sdkrg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mssu32.exe] C:\WINDOWS\system32\mssu32.exe
O4 - HKLM\..\RunOnce: [nthx32.exe] C:\WINDOWS\nthx32.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apirv.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H9CXDLAH\SFUninstaller[1].exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thanks again for your time and effort

Hi,iant

Wow what is this thing doing lit's try this

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log

HGD

Hope this brings more luck,

C:\Documents and Settings\Administrator\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\addfh32.dll: UPX!
C:\WINDOWS\system32\addjw.dll: UPX!
C:\WINDOWS\system32\addjw.exe: UPX!
C:\WINDOWS\system32\addly.exe: UPX!
C:\WINDOWS\system32\addma32.exe: UPX!
C:\WINDOWS\system32\addot.exe: UPX!
C:\WINDOWS\system32\addqa32.exe: UPX!
C:\WINDOWS\system32\addti32.dll: UPX!
C:\WINDOWS\system32\addtj.exe: UPX!
C:\WINDOWS\system32\apial32.exe: UPX!
C:\WINDOWS\system32\apihr32.dll: UPX!
C:\WINDOWS\system32\apiph32.exe: UPX!
C:\WINDOWS\system32\apith.exe: UPX!
C:\WINDOWS\system32\apiul.exe: UPX!
C:\WINDOWS\system32\apixc.exe: UPX!
C:\WINDOWS\system32\apizv32.dll: UPX!
C:\WINDOWS\system32\apizv32.exe: UPX!
C:\WINDOWS\system32\appex.dll: UPX!
C:\WINDOWS\system32\appku32.dll: UPX!
C:\WINDOWS\system32\appvm32.dll: UPX!
C:\WINDOWS\system32\atlaj32.dll: UPX!
C:\WINDOWS\system32\atlkg32.exe: UPX!
C:\WINDOWS\system32\atlln.dll: UPX!
C:\WINDOWS\system32\atlly.exe: UPX!
C:\WINDOWS\system32\atlno.exe: UPX!
C:\WINDOWS\system32\atltg32.exe: UPX!
C:\WINDOWS\system32\atlyf32.exe: UPX!
C:\WINDOWS\system32\crka.exe: UPX!
C:\WINDOWS\system32\crsy32.dll: UPX!
C:\WINDOWS\system32\crsy32.exe: UPX!
C:\WINDOWS\system32\d3ac32.exe: UPX!
C:\WINDOWS\system32\d3ej.exe: UPX!
C:\WINDOWS\system32\d3fj.exe: UPX!
C:\WINDOWS\system32\d3hb.exe: UPX!
C:\WINDOWS\system32\d3hi32.dll: UPX!
C:\WINDOWS\system32\d3io.dll: UPX!
C:\WINDOWS\system32\d3io.exe: UPX!
C:\WINDOWS\system32\d3jc32.exe: UPX!
C:\WINDOWS\system32\d3op32.dll: UPX!
C:\WINDOWS\system32\d3px32.dll: UPX!
C:\WINDOWS\system32\d3su32.exe: UPX!
C:\WINDOWS\system32\d3wq32.dll: UPX!
C:\WINDOWS\system32\d3wq32.exe: UPX!
C:\WINDOWS\system32\d3ys.exe: UPX!
C:\WINDOWS\system32\d3zd.exe: UPX!
C:\WINDOWS\system32\iegg.dll: UPX!
C:\WINDOWS\system32\iegl32.exe: UPX!
C:\WINDOWS\system32\ieho32.dll: UPX!
C:\WINDOWS\system32\ieln32.exe: UPX!
C:\WINDOWS\system32\iemh32.exe: UPX!
C:\WINDOWS\system32\iemm32.dll: UPX!
C:\WINDOWS\system32\ieni32.dll: UPX!
C:\WINDOWS\system32\ieph32.exe: UPX!
C:\WINDOWS\system32\ierj.exe: UPX!
C:\WINDOWS\system32\iexx.dll: UPX!
C:\WINDOWS\system32\iexz32.dll: UPX!
C:\WINDOWS\system32\iezk.exe: UPX!
C:\WINDOWS\system32\ipbg32.dll: UPX!
C:\WINDOWS\system32\ipce.exe: UPX!
C:\WINDOWS\system32\ipdl.exe: UPX!
C:\WINDOWS\system32\iper32.exe: UPX!
C:\WINDOWS\system32\ipjz.dll: UPX!
C:\WINDOWS\system32\ipmk.dll: UPX!
C:\WINDOWS\system32\ipnt.dll: UPX!
C:\WINDOWS\system32\ipnx.dll: UPX!
C:\WINDOWS\system32\iptv32.exe: UPX!
C:\WINDOWS\system32\ipxa.dll: UPX!
C:\WINDOWS\system32\ipyk32.exe: UPX!
C:\WINDOWS\system32\javael.exe: UPX!
C:\WINDOWS\system32\javafi32.exe: UPX!
C:\WINDOWS\system32\javakl.dll: UPX!
C:\WINDOWS\system32\javala.exe: UPX!
C:\WINDOWS\system32\javans32.exe: UPX!
C:\WINDOWS\system32\javapq.dll: UPX!
C:\WINDOWS\system32\javaqv32.dll: UPX!
C:\WINDOWS\system32\javatb.dll: UPX!
C:\WINDOWS\system32\javatb.exe: UPX!
C:\WINDOWS\system32\javaux.dll: UPX!
C:\WINDOWS\system32\javawi32.dll: UPX!
C:\WINDOWS\system32\mfcfg32.exe: UPX!
C:\WINDOWS\system32\mfchs.dll: UPX!
C:\WINDOWS\system32\mfcpu32.exe: UPX!
C:\WINDOWS\system32\mfcqg32.exe: UPX!
C:\WINDOWS\system32\mfcuk32.exe: UPX!
C:\WINDOWS\system32\mfcxt.dll: UPX!
C:\WINDOWS\system32\mfcxt.exe: UPX!
C:\WINDOWS\system32\mfcze.exe: UPX!
C:\WINDOWS\system32\mfczs.dll: UPX!
C:\WINDOWS\system32\msac.exe: UPX!
C:\WINDOWS\system32\msdb.exe: UPX!
C:\WINDOWS\system32\msgo32.dll: UPX!
C:\WINDOWS\system32\msjb32.dll: UPX!
C:\WINDOWS\system32\msnd.dll: UPX!
C:\WINDOWS\system32\mssy.dll: UPX!
C:\WINDOWS\system32\mswu.exe: UPX!
C:\WINDOWS\system32\mszp32.dll: UPX!
C:\WINDOWS\system32\mszz32.exe: UPX!
C:\WINDOWS\system32\netbk.dll: UPX!
C:\WINDOWS\system32\netdu32.exe: UPX!
C:\WINDOWS\system32\netdv.exe: UPX!
C:\WINDOWS\system32\netir32.dll: UPX!
C:\WINDOWS\system32\netjr32.exe: UPX!
C:\WINDOWS\system32\netkb32.dll: UPX!
C:\WINDOWS\system32\netmp.exe: UPX!
C:\WINDOWS\system32\netmr.exe: UPX!
C:\WINDOWS\system32\netnf32.exe: UPX!
C:\WINDOWS\system32\netpw.exe: UPX!
C:\WINDOWS\system32\netst32.exe: UPX!
C:\WINDOWS\system32\netyi32.dll: UPX!
C:\WINDOWS\system32\ntkr32.exe: UPX!
C:\WINDOWS\system32\ntmj.dll: UPX!
C:\WINDOWS\system32\ntmm.exe: UPX!
C:\WINDOWS\system32\ntqp32.exe: UPX!
C:\WINDOWS\system32\ntsb.dll: UPX!
C:\WINDOWS\system32\ntvn32.dll: UPX!
C:\WINDOWS\system32\ntys.exe: UPX!
C:\WINDOWS\system32\sdkbt32.dll: UPX!
C:\WINDOWS\system32\sdked.dll: UPX!
C:\WINDOWS\system32\sdkhs.exe: UPX!
C:\WINDOWS\system32\sdkrq.exe: UPX!
C:\WINDOWS\system32\sysak32.dll: UPX!
C:\WINDOWS\system32\sysbf32.dll: UPX!
C:\WINDOWS\system32\syscn.exe: UPX!
C:\WINDOWS\system32\sysdr32.exe: UPX!
C:\WINDOWS\system32\sysdz32.exe: UPX!
C:\WINDOWS\system32\sysfb32.exe: UPX!
C:\WINDOWS\system32\sysfu32.dll: UPX!
C:\WINDOWS\system32\sysmx32.dll: UPX!
C:\WINDOWS\system32\sysmx32.exe: UPX!
C:\WINDOWS\system32\syspg.dll: UPX!
C:\WINDOWS\system32\systh32.dll: UPX!
C:\WINDOWS\system32\sysxv.dll: UPX!
C:\WINDOWS\system32\UninstXviDDec.exe: UPX!
C:\WINDOWS\system32\winbf.exe: UPX!
C:\WINDOWS\system32\wincm32.dll: UPX!
C:\WINDOWS\system32\winej32.dll: UPX!
C:\WINDOWS\system32\winfs.exe: UPX!
C:\WINDOWS\system32\winjp32.exe: UPX!
C:\WINDOWS\system32\winlb32.dll: UPX!
C:\WINDOWS\system32\winnx32.exe: UPX!
C:\WINDOWS\system32\winrl32.exe: UPX!
C:\WINDOWS\system32\winwd.dll: UPX!
C:\WINDOWS\system32\winyp32.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\addag.dll: UPX!
C:\WINDOWS\addjf.exe: UPX!
C:\WINDOWS\addki32.dll: UPX!
C:\WINDOWS\addmt.exe: UPX!
C:\WINDOWS\addvw32.exe: UPX!
C:\WINDOWS\addxe.dll: UPX!
C:\WINDOWS\addzd.dll: UPX!
C:\WINDOWS\apidl.dll: UPX!
C:\WINDOWS\apidp.exe: UPX!
C:\WINDOWS\apifo.exe: UPX!
C:\WINDOWS\apify.dll: UPX!
C:\WINDOWS\apihs.dll: UPX!
C:\WINDOWS\apihw32.dll: UPX!
C:\WINDOWS\apijc.exe: UPX!
C:\WINDOWS\apirc.exe: UPX!
C:\WINDOWS\apitk.exe: UPX!
C:\WINDOWS\apizn.dll: UPX!
C:\WINDOWS\appal32.exe: UPX!
C:\WINDOWS\appgi.dll: UPX!
C:\WINDOWS\apphe32.exe: UPX!
C:\WINDOWS\apphn32.exe: UPX!
C:\WINDOWS\appqc.dll: UPX!
C:\WINDOWS\appxv.dll: UPX!
C:\WINDOWS\appyl32.exe: UPX!
C:\WINDOWS\appyt32.dll: UPX!
C:\WINDOWS\atlay32.exe: UPX!
C:\WINDOWS\atlbm32.dll: UPX!
C:\WINDOWS\atljd32.dll: UPX!
C:\WINDOWS\atlkk32.dll: UPX!
C:\WINDOWS\atlok.dll: UPX!
C:\WINDOWS\atlsb32.dll: UPX!
C:\WINDOWS\atlsk.exe: UPX!
C:\WINDOWS\atlyz32.dll: UPX!
C:\WINDOWS\crae32.dll: UPX!
C:\WINDOWS\crav32.exe: UPX!
C:\WINDOWS\crbl.exe: UPX!
C:\WINDOWS\crlh.dll: UPX!
C:\WINDOWS\crpk.dll: UPX!
C:\WINDOWS\crqo32.exe: UPX!
C:\WINDOWS\crtb32.exe: UPX!
C:\WINDOWS\cruu.dll: UPX!
C:\WINDOWS\d3ee32.dll: UPX!
C:\WINDOWS\d3iq32.exe: UPX!
C:\WINDOWS\d3iw.dll: UPX!
C:\WINDOWS\d3jr32.dll: UPX!
C:\WINDOWS\d3mc.dll: UPX!
C:\WINDOWS\d3ms.dll: UPX!
C:\WINDOWS\d3nt32.exe: UPX!
C:\WINDOWS\d3qx32.exe: UPX!
C:\WINDOWS\d3uh.exe: UPX!
C:\WINDOWS\d3wn32.exe: UPX!
C:\WINDOWS\d3ya32.dll: UPX!
C:\WINDOWS\ieby32.exe: UPX!
C:\WINDOWS\iemf32.dll: UPX!
C:\WINDOWS\ieow32.dll: UPX!
C:\WINDOWS\iern32.dll: UPX!
C:\WINDOWS\ieyj32.dll: UPX!
C:\WINDOWS\ipae.exe: UPX!
C:\WINDOWS\ipef.exe: UPX!
C:\WINDOWS\ipfo32.dll: UPX!
C:\WINDOWS\iphe32.exe: UPX!
C:\WINDOWS\iphx.dll: UPX!
C:\WINDOWS\ipio.exe: UPX!
C:\WINDOWS\ipli.dll: UPX!
C:\WINDOWS\ipnr.exe: UPX!
C:\WINDOWS\ippc.exe: UPX!
C:\WINDOWS\ippp.dll: UPX!
C:\WINDOWS\iptj.dll: UPX!
C:\WINDOWS\iptk.exe: UPX!
C:\WINDOWS\ipwm32.dll: UPX!
C:\WINDOWS\javaej32.dll: UPX!
C:\WINDOWS\javafa.exe: UPX!
C:\WINDOWS\javafn32.exe: UPX!
C:\WINDOWS\javagt32.exe: UPX!
C:\WINDOWS\javanv32.exe: UPX!
C:\WINDOWS\javaoh.exe: UPX!
C:\WINDOWS\javapn32.exe: UPX!
C:\WINDOWS\javaqh.exe: UPX!
C:\WINDOWS\javaqi.dll: UPX!
C:\WINDOWS\javarr.exe: UPX!
C:\WINDOWS\javart32.exe: UPX!
C:\WINDOWS\javasn.dll: UPX!
C:\WINDOWS\javauy.dll: UPX!
C:\WINDOWS\javayj32.dll: UPX!
C:\WINDOWS\mfcex32.exe: UPX!
C:\WINDOWS\mfcfe.dll: UPX!
C:\WINDOWS\mfclq32.exe: UPX!
C:\WINDOWS\mfcwv.exe: UPX!
C:\WINDOWS\mfcxt32.dll: UPX!
C:\WINDOWS\msai.exe: UPX!
C:\WINDOWS\msow.exe: UPX!
C:\WINDOWS\mspd32.exe: UPX!
C:\WINDOWS\mspf32.dll: UPX!
C:\WINDOWS\msqb.exe: UPX!
C:\WINDOWS\msqe.exe: UPX!
C:\WINDOWS\msut32.exe: UPX!
C:\WINDOWS\msxa32.exe: UPX!
C:\WINDOWS\netao.exe: UPX!
C:\WINDOWS\netdu.dll: UPX!
C:\WINDOWS\netgr.exe: UPX!
C:\WINDOWS\netht.exe: UPX!
C:\WINDOWS\netog.dll: UPX!
C:\WINDOWS\netoj32.exe: UPX!
C:\WINDOWS\netol32.exe: UPX!
C:\WINDOWS\netor32.exe: UPX!
C:\WINDOWS\netsn32.dll: UPX!
C:\WINDOWS\ntdq.exe: UPX!
C:\WINDOWS\ntej.dll: UPX!
C:\WINDOWS\nthm.exe: UPX!
C:\WINDOWS\ntmh.dll: UPX!
C:\WINDOWS\ntpr32.exe: UPX!
C:\WINDOWS\ntsf.dll: UPX!
C:\WINDOWS\ntvh.dll: UPX!
C:\WINDOWS\sdkdm.exe: UPX!
C:\WINDOWS\sdkoe.exe: UPX!
C:\WINDOWS\sdkon.dll: UPX!
C:\WINDOWS\sdkqp.dll: UPX!
C:\WINDOWS\sdkrg.dll: UPX!
C:\WINDOWS\sdkso.dll: UPX!
C:\WINDOWS\sdksr32.dll: UPX!
C:\WINDOWS\sdksr32.exe: UPX!
C:\WINDOWS\sdkto.dll: UPX!
C:\WINDOWS\syseh32.exe: UPX!
C:\WINDOWS\syshe32.dll: UPX!
C:\WINDOWS\sysmt32.dll: UPX!
C:\WINDOWS\sysnw32.dll: UPX!
C:\WINDOWS\sysoy32.dll: UPX!
C:\WINDOWS\syssj.exe: UPX!
C:\WINDOWS\sysxl32.dll: UPX!
C:\WINDOWS\syszv32.dll: UPX!
C:\WINDOWS\wincf32.exe: UPX!
C:\WINDOWS\winme32.dll: UPX!
Finished
bye

Hi,iant

Ok from what i am looking at the fix should have worked
lit me ask are you running as the Admins of this PC & are
there more then just one user on the PC????

HGD

Hello,

I am sorry to keep on but I am still getting the about:blank homepage. I also have various links in my favourite folder, and im being attaked with a lot of pop ups.

The computer is in my home and as far as im aware I am the only user.

I'm in work at the moment but as soon as I get a chance I will post a new hijackthis log.

If there is anything else I can do to help you first please let me know.

Thanks for your patience.

Iant

Here is the latest hlt log

once again sorry to be a pain

Logfile of HijackThis v1.99.1
Scan saved at 07:06:55, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mssu32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.2.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {55C12F70-E431-397D-CD01-A19248DFCBC1} - C:\WINDOWS\sdkrg.dll
O2 - BHO: Class - {831710E3-7E06-570C-3083-83DF47D1F1A7} - C:\WINDOWS\sysjd32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E5BA8ACF-C2BF-8C35-2A93-0CAF53F6A229} - C:\WINDOWS\sdkef32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mssu32.exe] C:\WINDOWS\system32\mssu32.exe
O4 - HKLM\..\RunOnce: [nthx32.exe] C:\WINDOWS\nthx32.exe
O4 - HKLM\..\RunOnce: [mfcej32.exe] C:\WINDOWS\system32\mfcej32.exe
O4 - HKLM\..\RunOnce: [mfcab.exe] C:\WINDOWS\mfcab.exe
O4 - HKLM\..\RunOnce: [iezl32.exe] C:\WINDOWS\iezl32.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apirv.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H9CXDLAH\SFUninstaller[1].exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hey,iant

First thing you are not being a pain your here because you need
help & i'm here to try & do just that so lit's help each other out

please do each step try not to go to fast take your time
& make sure that someone is not using the PC as we are
try to fix it what i am saying is don't goto get the Phone
& someone jumps on the PC as they try doing here

** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:

* Note: You don't have to redownload all these tools if you still have them. You do need to update AboutBuster again.


* Click here to download cwsserviceremove.zip and unzip it to your desktop.


* Go here to download CCleaner.

* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.


* Click Here and download the new version of Killbox and save it to your desktop.


* Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Do Not run it yet.


* Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


**After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I ) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.


** Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have it's contents added to the registry.



* Run Hijack This and put a check by all of the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avhpu.dll/sp.html#55135

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {55C12F70-E431-397D-CD01-A19248DFCBC1} - C:\WINDOWS\sdkrg.dll

O2 - BHO: Class - {831710E3-7E06-570C-3083-83DF47D1F1A7} - C:\WINDOWS\sysjd32.dll

O2 - BHO: Class - {E5BA8ACF-C2BF-8C35-2A93-0CAF53F6A229} - C:\WINDOWS\sdkef32.dll

O4 - HKLM\..\Run: [mssu32.exe] C:\WINDOWS\system32\mssu32.exe

O4 - HKLM\..\RunOnce: [nthx32.exe] C:\WINDOWS\nthx32.exe

O4 - HKLM\..\RunOnce: [mfcej32.exe] C:\WINDOWS\system32\mfcej32.exe

O4 - HKLM\..\RunOnce: [mfcab.exe] C:\WINDOWS\mfcab.exe

O4 - HKLM\..\RunOnce: [iezl32.exe] C:\WINDOWS\iezl32.exe

O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apirv.exe" /s (file missing)

O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H9CXDLAH\SFUninstaller[1].exe" service (file missing)


After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\mssu32.exe
C:\WINDOWS\nthx32.exe
C:\WINDOWS\system32\mfcej32.exe
C:\WINDOWS\mfcab.exe
C:\WINDOWS\iezl32.exe
C:\WINDOWS\system32\apirv.exe
C:\WINDOWS\sdkrg.dll
C:\WINDOWS\sysjd32.dll
C:\WINDOWS\sdkef32.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.


* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


** Restart back into Windows normally now and do the following:


* Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.


* Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.


* control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.


* IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

HGD