0

Can anyone help with this? PC will not open any of these... wordpad, notepad, windows explorer.
The machine is running NoAdware version 4 but something must have made it past the antispyware program.

I tried to update NoAdware but even THAT fails with a MFC error.

This is the logfile from Hijack This. If anyone sees something that doesn't look like it belongs there,
let me know and THANKS IN ADVANCE.

I'm new to daniweb...
Jim

Logfile of HijackThis v1.99.1
Scan saved at 2:10:15 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\atlij32.exe
C:\WINDOWS\system32\pb367jld.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\msjo32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Jim\HiJackThis\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C19B9125-B9FB-3BFD-7568-61F62B879410} - C:\WINDOWS\system32\apipt32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [2931.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2931.tmp.exe 3 10001
O4 - HKLM\..\Run: [2937.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2937.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [2937.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2937.tmp.exe 0 10001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [atlij32.exe] C:\WINDOWS\system32\atlij32.exe
O4 - HKLM\..\Run: [pb367jld] C:\WINDOWS\system32\pb367jld.exe
O4 - HKLM\..\Run: [msot.exe] C:\WINDOWS\system32\msot.exe
O4 - HKLM\..\Run: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\Run: [winyy.exe] C:\WINDOWS\system32\winyy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [netxf32.exe] C:\WINDOWS\system32\netxf32.exe
O4 - HKLM\..\Run: [netjh32.exe] C:\WINDOWS\system32\netjh32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [d3rw32.exe] C:\WINDOWS\system32\d3rw32.exe
O4 - HKLM\..\Run: [mfcvl.exe] C:\WINDOWS\system32\mfcvl.exe
O4 - HKLM\..\Run: [crrg.exe] C:\WINDOWS\system32\crrg.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sysum.exe] C:\WINDOWS\system32\sysum.exe
O4 - HKLM\..\Run: [d3sb32.exe] C:\WINDOWS\system32\d3sb32.exe
O4 - HKLM\..\Run: [msyd32.exe] C:\WINDOWS\system32\msyd32.exe
O4 - HKLM\..\Run: [addsu32.exe] C:\WINDOWS\system32\addsu32.exe
O4 - HKLM\..\Run: [appgy.exe] C:\WINDOWS\system32\appgy.exe
O4 - HKLM\..\Run: [apilc32.exe] C:\WINDOWS\system32\apilc32.exe
O4 - HKLM\..\Run: [crhm32.exe] C:\WINDOWS\system32\crhm32.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msjo32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

2
Contributors
2
Replies
3
Views
11 Years
Discussion Span
Last Post by JimmyL
0

Hi,
Download these tools:-
1] CCleaner and install it. Do not run it now.

2] CWShredder

3] SpSeHjfix for 2K/XP. Save to your desktop. Right click a blank part of desktop, select new folder and name it spfix. Unzip the file into that folder. DO NOT run it yet.

4] KillBox, extract it to your desktop.


You may want to save/print this webpage (File Menu > Save (save the complete page)), as some removal procedures are carried in Safe Mode.
=============================================

Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Remote Procedure Call (RPC) Helper and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\roxhj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C19B9125-B9FB-3BFD-7568-61F62B879410} - C:\WINDOWS\system32\apipt32.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [2931.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2931.tmp.exe 3 10001
O4 - HKLM\..\Run: [2937.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2937.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [2937.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2937.tmp.exe 0 10001
O4 - HKLM\..\Run: [atlij32.exe] C:\WINDOWS\system32\atlij32.exe
O4 - HKLM\..\Run: [pb367jld] C:\WINDOWS\system32\pb367jld.exe
O4 - HKLM\..\Run: [msot.exe] C:\WINDOWS\system32\msot.exe
O4 - HKLM\..\Run: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\Run: [winyy.exe] C:\WINDOWS\system32\winyy.exe
O4 - HKLM\..\Run: [netxf32.exe] C:\WINDOWS\system32\netxf32.exe
O4 - HKLM\..\Run: [netjh32.exe] C:\WINDOWS\system32\netjh32.exe
O4 - HKLM\..\Run: [d3rw32.exe] C:\WINDOWS\system32\d3rw32.exe
O4 - HKLM\..\Run: [mfcvl.exe] C:\WINDOWS\system32\mfcvl.exe
O4 - HKLM\..\Run: [crrg.exe] C:\WINDOWS\system32\crrg.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sysum.exe] C:\WINDOWS\system32\sysum.exe
O4 - HKLM\..\Run: [d3sb32.exe] C:\WINDOWS\system32\d3sb32.exe
O4 - HKLM\..\Run: [msyd32.exe] C:\WINDOWS\system32\msyd32.exe
O4 - HKLM\..\Run: [addsu32.exe] C:\WINDOWS\system32\addsu32.exe
O4 - HKLM\..\Run: [appgy.exe] C:\WINDOWS\system32\appgy.exe
O4 - HKLM\..\Run: [apilc32.exe] C:\WINDOWS\system32\apilc32.exe
O4 - HKLM\..\Run: [crhm32.exe] C:\WINDOWS\system32\crhm32.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msjo32.exe

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
=========================================

Next, close HijackThis and run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.


Run CWShredder and click "Fix". Allow it to complete the process.


Next, open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\atlij32.exe
C:\WINDOWS\system32\pb367jld.exe
C:\WINDOWS\msjo32.exe
C:\WINDOWS\system32\msot.exe
C:\WINDOWS\system32\atlnw32.exe
C:\WINDOWS\system32\winyy.exe
C:\WINDOWS\system32\netxf32.exe
C:\WINDOWS\system32\netjh32.exe
C:\WINDOWS\system32\d3rw32.exe
C:\WINDOWS\system32\mfcvl.exe
C:\WINDOWS\system32\crrg.exe
C:\WINDOWS\system32\sysum.exe
C:\WINDOWS\system32\d3sb32.exe
C:\WINDOWS\system32\msyd32.exe
C:\WINDOWS\system32\addsu32.exe
C:\WINDOWS\system32\appgy.exe
C:\WINDOWS\system32\apilc32.exe
C:\WINDOWS\system32\crhm32.exe

Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

[If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.]
=============================================

After the reboot, run SpSeHjfix and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it does not find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

[Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs & press reset web settings, then you can set your home page to what you want on the general tab.]
============================================

Finally, run HijackThis and please post a new log.

0

Thanks SwatKat!!
I printed your response and downloaded the programs. I'll stop by my friends house in a day or two to work on his machine. I'll post the HiJack this log as you requested.

Thanks again!
Jim

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.