Will I now attempt to follow the steps in crunchie's most recent post?
Yes, please do that.
If after completing the steps crunchie posted, a subsequent scan with HJT still shows signs of the items we're trying to kill, please do the following:
1. Download the trial version of Ewido Security Suite from here: http://www.ewido.net/en/download/
Install it, and while installing, under "Additional Options", uncheck "Install background guard" and "Install scan via context menu".
From the main Ewido screen, click on "Update" in the left menu, and then click the "Start update" button. After the update finishes (the status bar at the bottom will display "Update successful"), close the program (don't scan yet). If you have problems updating see here: http://www.ewido.net/en/download/updates/
Note -- When you do run Ewido for the first time, you will get a warning "Database could not be found!"; click OK when you do; the message is non-critical.
2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full scan with ewido. Save the log it generates; you'll need to post it in your next response here.
While still in safe mode:
- Run HJT and have it fix any of the following entries which still exist (ewido may have cleaned some of these up already):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyodr.dll/sp.html#58582
O2 - BHO: Class - {D51E979D-50CF-FE60-FC95-BB27DAA2EE39} - C:\WINDOWS\system32\netgx.dll (file missing)
O4 - HKLM\..\Run: [crry.exe] C:\WINDOWS\system32\crry.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crru.exe
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files if they still exist:
C:\WINDOWS\uyodr.dll
C:\WINDOWS\system32\netgx.dll
C:\WINDOWS\system32\crry.exe
C:\WINDOWS\crru.exe
Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
- Delete the entire content of your C:\Windows\Temp folder.
- Delete the entire content of your C:\Windows\Prefetch folder.
Note - If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
3. Reboot normally, run HJT again, and post a new log. Also post the scan log that ewido generated.
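An added check that is not part of the thread: once the post-cleanup HJT log is in hand, this Python script walks its entry lines and reports any entry that still points at one of the four files the post says to delete. The embedded log text is constructed sample input (the six entries quoted above plus one benign ctfmon.exe Run line), and the regexes are an assumption about HJT's line layout drawn from those quoted entries.

```python
import re

# Constructed sample log: the six entries quoted in the post plus one benign
# Run entry, standing in for the HJT log posted after cleanup.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyodr.dll/sp.html#58582
O2 - BHO: Class - {D51E979D-50CF-FE60-FC95-BB27DAA2EE39} - C:\WINDOWS\system32\netgx.dll (file missing)
O4 - HKLM\..\Run: [crry.exe] C:\WINDOWS\system32\crry.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crru.exe
"""

# The four files the post tells the user to delete (lowercased: Windows paths
# are case-insensitive and HJT echoes whatever case the registry holds).
REMOVAL_TARGETS = {
    r"c:\windows\uyodr.dll",
    r"c:\windows\system32\netgx.dll",
    r"c:\windows\system32\crry.exe",
    r"c:\windows\crru.exe",
}

# A drive-letter path ending in a binary extension. Non-greedy so it stops at
# the first such extension, which lifts the DLL out of an R1 res:// URL and
# drops HJT's trailing "(file missing)" annotation on O2 lines.
PATH_RE = re.compile(r"[a-z]:\\[^\"\r\n]*?\.(?:exe|dll|com|scr|pif|bat)", re.IGNORECASE)
# HJT entry prefix (assumed layout): R0/R1 IE pages, F0/F1 ini entries, O2..O23.
ENTRY_RE = re.compile(r"([RF]\d|O\d+) - ")

def referenced_paths(hjt_line):
    """Lowercased drive-letter paths an HJT entry points at (may be empty)."""
    return {m.group(0).lower() for m in PATH_RE.finditer(hjt_line)}

def residual_entries(log_text, targets=REMOVAL_TARGETS):
    """(entry_type, line) for each entry that still references a target file."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list or blank line
        if referenced_paths(line) & targets:
            hits.append((m.group(1), line))
    return hits

def surviving_targets(log_text, targets=REMOVAL_TARGETS):
    """Subset of target files that some entry in the log still references."""
    return {p for _, line in residual_entries(log_text, targets)
            for p in referenced_paths(line) & targets}
```

A clean post-cleanup log yields an empty list from residual_entries; anything it does return is exactly the set of lines to hand back to HJT's fix step.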