Please download and unzip
AboutBuster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
1.
Download & instal Adaware from here
&
update it before scanning.
Do not run yet.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object.
2. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service" (it may also be listed as Remote Procedure Call (RPC) Helper or Workstation NetLogon Service)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you donĀ“t find this service listed go ahead with the next steps.
3. Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here
http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
4.
Reboot into safe mode following the instructions
here
5. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
apiel.exe
If you find the it, click on it, and then click End Process => Exit the Task Manager.
6. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about
:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewffr.dll/sp.html#37049
O2 - BHO: (no name) - {3D102E3D-FBCD-8150-F6D0-6FBEF039C214} - C:\WINDOWS\addjv.dll
O4 - HKLM\..\Run: [winii32.exe] C:\WINDOWS\system32\winii32.exe
O4 - HKLM\..\Run: [apiel.exe] C:\WINDOWS\system32\apiel.exe
7. Delete the following files if present:
C:\WINDOWS\system32\
ewffr.dll
C:\WINDOWS\
addjv.dll
C:\WINDOWS\system32\
winii32.exe
C:\WINDOWS\system32\
apiel.exe
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - apiel.exe, apiel.dll, apiel.dat)
8.
Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
9.
Scan with AdAware and let it remove any bad files found.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Click here
http://www.davehigham.zen.co.uk/downloads/cwsuninst.zip to download cwsuninst.zip.
Extract cwsuninst.reg from the zip file and save it to the desktop.
When done, double-click the cwsuninst.reg and when asked to merge say yes.
12. Download the Hoster from here
http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.
13. Download and run this online virus scan:
http://housecall.trendmicro.com/hous...start_corp.asp
Make sure you check "AutoClean"
14.
Reboot to normal mode and post a fresh HJT log.
You also need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go
here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
Unsolved 
Offline 
