HJK Log File


#1 genehackman


  • Members
  • 2 posts
  • Local time:06:43 PM

Posted 27 July 2005 - 06:59 PM

Can someone give my log file a look over and recommend what I should do?

Logfile of HijackThis v1.99.1
Scan saved at 7:54:19 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Documents and Settings\STEG\Desktop\Sort\Anit Vie\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aliaswavefront.com/maya/bonustools
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {193E2789-81D0-3180-EBA7-955C06C40ED9} - C:\WINDOWS\system32\apitm32.dll
O2 - BHO: Class - {1BB06227-02D6-8AE4-475A-58D02CC66F9A} - C:\WINDOWS\crqt.dll
O2 - BHO: Class - {1BE43463-6324-C9B7-B83D-DBC91ECFF44C} - C:\WINDOWS\system32\winaq32.dll
O2 - BHO: Class - {450A0139-EE98-149B-D4CA-65522E7424A7} - C:\WINDOWS\javadi.dll
O2 - BHO: Class - {4A5ABB53-102D-C19C-B368-482572DCB536} - C:\WINDOWS\apivo32.dll
O2 - BHO: Class - {95C6CC09-197A-2E0B-08A2-31A543B88320} - C:\WINDOWS\mfcht32.dll
O2 - BHO: Class - {B7B61BBF-CABA-4915-1461-125C38D24A73} - C:\WINDOWS\system32\javazp32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C517872A-6D77-8E92-F227-B5714851DA13} - C:\WINDOWS\system32\apijd32.dll
O2 - BHO: Class - {C7427A19-B915-D5BE-B565-B3E65E1FF4AB} - C:\WINDOWS\system32\syswx.dll
O2 - BHO: Class - {F101F265-732D-2CAC-ECDB-8A41D24BFF99} - C:\WINDOWS\sysuv.dll
O2 - BHO: Class - {FF8F3EAB-3991-A7D5-F170-5ED0347927A1} - C:\WINDOWS\appfn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\addyp32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winuu.exe] C:\WINDOWS\system32\winuu.exe
O4 - HKLM\..\Run: [iesr.exe] C:\WINDOWS\iesr.exe
O4 - HKLM\..\Run: [winig.exe] C:\WINDOWS\winig.exe
O4 - HKLM\..\Run: [adddt.exe] C:\WINDOWS\adddt.exe
O4 - HKLM\..\Run: [ipxx32.exe] C:\WINDOWS\system32\ipxx32.exe
O4 - HKLM\..\Run: [netlv.exe] C:\WINDOWS\netlv.exe
O4 - HKLM\..\Run: [atlzi32.exe] C:\WINDOWS\system32\atlzi32.exe
O4 - HKLM\..\Run: [winck.exe] C:\WINDOWS\winck.exe
O4 - HKLM\..\Run: [netea32.exe] C:\WINDOWS\system32\netea32.exe
O4 - HKLM\..\Run: [addsb32.exe] C:\WINDOWS\addsb32.exe
O4 - HKLM\..\Run: [ievy.exe] C:\WINDOWS\system32\ievy.exe
O4 - HKLM\..\Run: [crmp.exe] C:\WINDOWS\system32\crmp.exe
O4 - HKLM\..\Run: [addsk.exe] C:\WINDOWS\addsk.exe
O4 - HKLM\..\Run: [winhf32.exe] C:\WINDOWS\system32\winhf32.exe
O4 - HKLM\..\Run: [ntfb32.exe] C:\WINDOWS\ntfb32.exe
O4 - HKLM\..\Run: [msfi32.exe] C:\WINDOWS\system32\msfi32.exe
O4 - HKLM\..\Run: [iejw32.exe] C:\WINDOWS\iejw32.exe
O4 - HKLM\..\Run: [javafk.exe] C:\WINDOWS\system32\javafk.exe
O4 - HKLM\..\RunOnce: [sdknu32.exe] C:\WINDOWS\system32\sdknu32.exe
O4 - HKLM\..\RunOnce: [netma32.exe] C:\WINDOWS\system32\netma32.exe
O4 - HKLM\..\RunOnce: [iexy32.exe] C:\WINDOWS\iexy32.exe
O4 - HKLM\..\RunOnce: [mfctv32.exe] C:\WINDOWS\mfctv32.exe
O4 - HKLM\..\RunOnce: [apiyd32.exe] C:\WINDOWS\system32\apiyd32.exe
O4 - HKLM\..\RunOnce: [apiqw32.exe] C:\WINDOWS\apiqw32.exe
O4 - HKLM\..\RunOnce: [d3cj32.exe] C:\WINDOWS\system32\d3cj32.exe
O4 - HKLM\..\RunOnce: [ipae.exe] C:\WINDOWS\ipae.exe
O4 - HKLM\..\RunOnce: [atlwe.exe] C:\WINDOWS\system32\atlwe.exe
O4 - HKLM\..\RunOnce: [nethu.exe] C:\WINDOWS\nethu.exe
O4 - HKLM\..\RunOnce: [mfckk.exe] C:\WINDOWS\mfckk.exe
O4 - HKLM\..\RunOnce: [sysoz32.exe] C:\WINDOWS\system32\sysoz32.exe
O4 - HKLM\..\RunOnce: [ipvi.exe] C:\WINDOWS\system32\ipvi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/147a14c3306d82...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipvi.exe" /s (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
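
A triage pass over the log format posted above, as an added example that is not part of the original thread or of HijackThis: it parses the section-coded entries and flags the ones worth a manual look, then reports files reached from more than one launch point. The heuristics (a file directly in C:\WINDOWS or system32 combined with a res:// page setting, a generic BHO name, an autorun value named after its executable, or an unknown service owner) and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: ten lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tnbbp.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {193E2789-81D0-3180-EBA7-955C06C40ED9} - C:\WINDOWS\system32\apitm32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\addyp32.exe
O4 - HKLM\..\RunOnce: [ipvi.exe] C:\WINDOWS\system32\ipvi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipvi.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - <body>"
IMAGE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll)', re.I)   # first EXE/DLL path in a body
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subfolder).
SYSDIR = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$")


def parse(log):
    """Yield (section code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def image_path(body):
    """Return the lower-cased EXE/DLL path an entry points at, or None."""
    m = IMAGE.search(body)
    return m.group(0).lower() if m else None


def review_reason(code, body):
    """Return why an entry deserves a manual look, or None (assumed heuristics)."""
    path = image_path(body)
    if path is None or not SYSDIR.match(path):
        return None
    base = path.rsplit("\\", 1)[1]
    if code in ("R0", "R1") and "res://" in body.lower():
        return "IE page setting loaded from a DLL resource"
    if code == "O2" and re.match(r"BHO: (Class|\(no name\)) - ", body):
        return "BHO without a descriptive name"
    if code == "O4" and f"[{base}]" in body.lower():
        return "autorun value named after its own executable"
    if code == "O23" and " - Unknown owner - " in body:
        return "service with unknown owner"
    return None


def triage(log):
    """List (code, path, reason) for every entry the heuristics flag."""
    hits = []
    for code, body in parse(log):
        reason = review_reason(code, body)
        if reason:
            hits.append((code, image_path(body), reason))
    return hits


def shared_targets(hits):
    """Files reached by more than one entry type, e.g. a Run value and a service."""
    seen = {}
    for code, path, _ in hits:
        seen.setdefault(path, set()).add(code)
    return {p: sorted(c) for p, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for code, path, reason in hits:
        print(f"{code:<4}{path:<34}{reason}")
    print("multiple launch points:", shared_targets(hits))
```

ctfmon.exe, a stock Windows XP component, also matches the autorun rule in this sample, so every hit is a lead to verify against the file itself rather than a verdict.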



#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:43 PM

Posted 27 July 2005 - 11:32 PM

Hello genehackman,

NOTE: This infection is complex and can be difficult to remove. Use this removal procedure at your own risk. In order for this malware removal procedure to be successful:



Any connectivity to the Internet during the removal process will only re-infect the PC and delay the procedure. The easiest disconnection method is to simply remove the network cable from the Network Interface Card on the back of the PC.


(Click on Print this topic in the upper RH corner.)

First let's build a parking place for all the spyware tools you will need.
1.) Create a new folder on the desktop and name it Spyware Tools.
2.) Now move this folder to the root of the C:\drive. Right-click on the Spyware Tools folder and choose Cut.
3.) Double-click My Computer, double click the hard drive icon usually the C:\drive, right-click and choose Paste.
The Spyware Tools folder placed at the root of the C:\drive is where you will place all the spyware tools you download.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here.

Please download Trend Micro CWShredder here.
In the Save in: window, find C:\Spyware Tools and click the Save button.
Inside the Spyware Tools folder, move cwshredder.exe in its own folder named CWShredder.
Don't run it yet, we will use it later.

Download AboutBuster from RubbeR DuckY here
In the Save in: window, find C:\Spyware Tools and click the Save button.
Inside the Spyware Tools folder, extract all files from AboutBuster5.zip inside its own folder named AboutBuster.
Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.
NOTE: You might want to view this AboutBuster tutorial here first before running the tool.
Don't run it yet, we will use it later.

Download hsafix.zip from here and save the file inside the Spyware Tools folder placed at the root of the C:\drive.
In the Save in: window, find C:\Spyware Tools and click the Save button.
Inside the Spyware Tools folder, extract the hsafix.reg file from hsafix.zip and place it inside its own folder named hsafix.
Don't double-click yet, we will use it later.

Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

Download the eScan Antivirus Toolkit here.
In the Save in: window, find C:\Spyware Tools and click the Save button. Inside the Spyware Tools folder, move mwav.exe in its own folder named eScan.
This program is over 10MB in size. (But worth it.)
Don't run it yet, we will use it later.

Download and install the Ewido Security Suite
NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite are: Windows 2000 or Windows XP.
1.) Download and install the Ewido Security Suite here
2.) Double-click on the new e Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.
For Windows 98 / ME only:
Download and install the free version of the a-squared (a) Malware Remover.
1.) Please download and install the free version of the a-squared (a) Malware Remover here.
2.) To be able to use it, you'll have to set up a free a account to get access to their update server.
3.) Download their help file here and place it inside the C:\Program Files\a2 folder.
4.) Now please double-click the shortcut icon to open the a2 program and click Update a2 online.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.
STEP 10:
If you are using Windows 2000 or XP, you must first STOP and DISABLE the rogue service:
This is the Display Names to look for:
  • Network Security Service
Go to Start => Run and type "Services.msc" (without quotes) then click Ok.
1.) Scroll down and find the bad service described above: Network Security Service
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.
STEP 11:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 12:
From Safe Mode, double-click on cwshredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 13:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK. It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.
STEP 14:
From Safe Mode double-click on the hsafix.reg file you saved in Spyware Tools folder and when it prompts to merge say Yes. This will clear registry entries left behind by the malware infections.

STEP 15:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the Spyware Tools folder, a WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "1xx file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 16:
From Safe Mode, run the Ewido Security Suite.
NOTE: Windows 2000 and XP only.
1.) Double-click on the e Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click the Settings button, under What to scan? click Scan every file, click OK.
4.) Click the Complete System Scan button.
5.) Have the program delete everything it finds.
STEP 17:
For Windows 98 / ME only:
From Safe Mode, run the a-squared (a) Malware Remover.
1.) Open the a2 program and click Scan your computer for malware infections.
2.) Under Settings: Make sure these 3 are checked:
  • Scan Memory
  • Scan for riskware
  • Scan for unknown malware
3.) Click Scan selected folders.
4.) When the scan has completed, click the Save HTML-Report button to save the scan results.
5.) To disinfect the PC, click the Remove Selected Malware button.
6.) Click the Quit button.
STEP 18:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

STEP 19:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

STEP 20:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 21:
This infection may delete the Windows shell.dll file and the control.exe file. Make sure you always perform a Windows search for these files after the cleanup. If you are using Windows 2000, or XP, go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows 2000, it will be found here:
  • C:\WINNT\System32
  • C:\WINNT\System
For Windows XP, it will be found here:
  • C:\Windows\System32
  • C:\Windows\System
Now look for the control.exe file.
For Windows 2000 it will be found here:
  • C:\WINNT\System32
For Windows XP it will be found here:
  • C:\Windows\System32
If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.
For Windows 2000, a replacement can be found here:
  • C:\WINNT\System32\dllcache
For Windows XP, a replacement can be found here:
  • C:\Windows\System32\dllcache
Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded. They can be downloaded from here.
Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.
If you are using Windows 98, ME please download shell.dll or control.exe from here.
Once the file(s) are downloaded extract the file and copy it to the following locations:
Place control.exe here:
  • C:\Windows
Place shell.dll here:
  • C:\Windows\System
Please post your HijackThis log for review.

Edited by SifuMike, 27 July 2005 - 11:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
