C:\WINDOWS\system32\rdriv.sys

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kaaay1, Jun 2, 2005.

  1. kaaay1

    kaaay1 Private E-2

    A couple of days ago, Norton AntiVirus started popping up a Virus Alert saying the above title as the Object name and a Trojan Horse as the Virus name. My son says he clicked on a link from an AIM message, then it started. I've scanned with Norton, says nothing infected. I searched some trojan removal sites, all say nothing infected. I've done all the steps as listed in the MajorGeeks post "Do not post until you have read this: How to: Spyware, trojan, and virus removal." They all came out as nothing infected. Yet the Norton pop up continues, about every 30 seconds. Any help would be greatly appreciated! Also info as to whether or not I should use the internet for general work or just for trying to remove the trojan.
    Hopefully someone will have some help for me.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be running as a System Service. Follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. kaaay1

    kaaay1 Private E-2

    Thanks for your response. Here is the HJT file, hopefully done as you requested.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not quite. You are running HJT directly from the ZIP file using WinRar to extract it. This is what we specifically request you not do. You must extract the hijackthis.exe file into the folder requested (or another similar folder - just do not use the Desktop or any subfolder of C:\documents and settings).

    You must fix this before continuing.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the ypclsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move ypclsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to find AOL Instant Messenger then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    AOL Instant Messenger

    Now exit HJT.

    Open Control Panel and run Add/Remove programs and uninstall WinTools if found.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\aims.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    Is this next R1 line valid?? If not, fix it too.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://myhomepage.capitan-trash.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Mpjhasa] C:\Program Files\Qpqnifh\Ydvhv.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
    O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\aims.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\WinTools <-- the whole folder
    C:\Program Files\AWS <-- the whole folder
    C:\Program Files\Qpqnifh <-- the whole folder
    C:\WINDOWS\aims.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
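As an added example (not from this thread, from chaslang, or from HijackThis itself), here is a small Python triage script that applies the same checks the helper made by eye to the HJT lines quoted above: orphaned entries whose file is gone, a hosts-file override, an unknown-owner service living outside the usual service folders, a start page pointed at an outside URL, and a Run value whose name does not match its executable. The sample lines are constructed from this thread plus one benign ctfmon.exe control; the heuristics and the `triage_hjt` name are assumptions of this example, not anything the tool or the forum defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: HJT lines taken from the thread above, plus one
# benign Windows XP Run entry (ctfmon.exe) added as a control that must not fire.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page_bak = http://myhomepage.capitan-trash.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsT.dll (file missing)
O4 - HKLM\\..\\Run: [Mpjhasa] C:\\Program Files\\Qpqnifh\\Ydvhv.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: AOL Instant Messenger - Unknown owner - C:\\WINDOWS\\aims.exe
"""

# Every HJT line starts with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# Folders where a service binary normally lives on XP; a service launched
# straight from C:\WINDOWS (like aims.exe above) deserves a closer look.
SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

@dataclass
class Finding:
    hjt_type: str
    reason: str
    line: str

def triage_hjt(log: str) -> list[Finding]:
    """Flag HJT lines using the heuristics a malware helper applies by eye."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t, body = m.group("type"), m.group("body")
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(t, "orphaned entry: target file is gone", raw))
        elif t == "O1":
            findings.append(Finding(t, "hosts-file override redirects a domain", raw))
        elif t == "O23" and "unknown owner" in low:
            exe = body.rsplit(" - ", 1)[-1].lower()
            if not exe.startswith(SERVICE_DIRS):
                findings.append(Finding(t, "unknown-owner service outside normal service folders", raw))
        elif t in ("R0", "R1") and re.search(r"(start page|search).*= *http", low):
            findings.append(Finding(t, "browser start/search page set to an external URL", raw))
        elif t == "O4":
            name = re.search(r"\[(.*?)\]", body)
            exe = body.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
            if name and name.group(1).lower().removesuffix(".exe") != exe:
                findings.append(Finding(t, "Run value name does not match its executable (weak signal)", raw))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.hjt_type:4} {f.reason}\n     {f.line}")
```

A hit here is a prompt to look closer, not proof of infection; the O4 name-mismatch check in particular is only a weak signal.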
     
  6. kaaay1

    kaaay1 Private E-2

    Thank you for your help. I also had a (computer savvy) friend over today, and between your advice and his, we have resolved all problems. Please feel free to close this thread.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But we do not normally close threads. I would still recommend posting the followup HJT log requested to make sure you are clean.
     
  8. kaaay1

    kaaay1 Private E-2

    Ok, here is the log:
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should uninstall the below item:

    O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

    You may be able to find it in Add/Remove programs.

    See the below link for more info:
    http://www.liutilities.com/products/wintaskspro/processlibrary/navapp/

    You need to use LSP-fix as I previously gave you because there is still a broken LSP chain.
     
